Signed-off-by: Yang Le <yangle@redhat.com>
package csr
import (
"crypto/x509/pkix"
"errors"
"fmt"
"github.com/spf13/pflag"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/tools/cache"
"open-cluster-management.io/sdk-go/pkg/basecontroller/factory"
"open-cluster-management.io/ocm/pkg/registration/register"
)
// CSROption includes the options that are used to create and monitor csrs.
type CSROption struct {
	// ObjectMeta is the ObjectMeta shared by all created csrs. It should use GenerateName instead of Name
	// so that each created csr gets a random name.
	ObjectMeta metav1.ObjectMeta
	// Subject represents the subject of the client certificate used to create csrs.
	Subject *pkix.Name
	// DNSNames represents the DNS names used to create the client certificate.
	DNSNames []string
	// SignerName is the name of the signer specified in the created csrs.
	SignerName string

	// EventFilterFunc matches csrs created with the options above, so the
	// controller only reacts to its own csrs rather than every csr in the cluster.
	EventFilterFunc factory.EventFilterFunc
}
// Option is the option set populated from command-line flags (see AddFlags).
type Option struct {
	// ExpirationSeconds is the requested duration of validity of the issued
	// certificate.
	// Certificate signers may not honor this field for various reasons:
	//
	// 1. Old signer that is unaware of the field (such as the in-tree
	// implementations prior to v1.22)
	// 2. Signer whose configured maximum is shorter than the requested duration
	// 3. Signer whose configured minimum is longer than the requested duration
	//
	// The minimum valid value for expirationSeconds is 3600, i.e. 1 hour.
	// A value of 0 means the flag was not set; Validate only enforces the
	// minimum for non-zero values.
	ExpirationSeconds int32
}
// Compile-time assertion that *Option satisfies register.CSRConfiguration.
var _ register.CSRConfiguration = (*Option)(nil)
// NewCSROption returns an Option with every field at its zero value. The zero
// ExpirationSeconds means "not set": AddFlags uses it as the flag default and
// Validate accepts it without enforcing the minimum.
func NewCSROption() *Option {
	var opt Option
	return &opt
}
// AddFlags registers the client certificate flags on fs. The flag default is
// whatever o.ExpirationSeconds already holds, so a fresh Option leaves the
// requested duration unset unless the flag is passed explicitly.
func (o *Option) AddFlags(fs *pflag.FlagSet) {
	const expirationUsage = "The requested duration in seconds of validity of the issued client certificate. If this is not set, " +
		"the value of --cluster-signing-duration command-line flag of the kube-controller-manager will be used."

	fs.Int32Var(&o.ExpirationSeconds, "client-cert-expiration-seconds", o.ExpirationSeconds, expirationUsage)
}
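// Validate checks the flag values. A zero ExpirationSeconds means the flag
// was not set and is accepted as-is (the signer's own default applies). Any
// other value must be at least 3600, the minimum the csr API accepts for
// expirationSeconds (1 hour); negative values fail the same comparison.
//
// Returns a non-nil error describing the violated bound, nil otherwise.
func (o *Option) Validate() error {
	// Lower bound of the csr expirationSeconds field, documented on Option.
	const minClientCertExpirationSeconds = 3600

	// Zero is the "unset" sentinel, not a requested duration.
	if o.ExpirationSeconds == 0 {
		return nil
	}
	if o.ExpirationSeconds < minClientCertExpirationSeconds {
		return errors.New("client certificate expiration seconds must be greater than or equal to 3600")
	}
	return nil
}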
// GetExpirationSeconds returns the requested certificate validity in seconds
// as set by the flag; zero means it was not set. It is the accessor required
// by register.CSRConfiguration.
func (o *Option) GetExpirationSeconds() int32 {
	seconds := o.ExpirationSeconds
	return seconds
}
// haltCSRCreationFunc returns a closure that reports whether csr creation for
// clusterName should be halted: true once the indexer already holds at least
// clusterCSRThreshold csrs under the indexByCluster index for that cluster.
//
// When the index lookup itself fails the closure returns false, i.e. creation
// is NOT halted. NOTE(review): that is fail-open for the threshold check;
// confirm it is the intended behavior for the caller.
func haltCSRCreationFunc(indexer cache.Indexer, clusterName string) func() bool {
	return func() bool {
		existing, err := indexer.ByIndex(indexByCluster, clusterName)
		if err != nil {
			return false
		}
		return len(existing) >= clusterCSRThreshold
	}
}
// haltAddonCSRCreationFunc returns a closure that reports whether csr creation
// for the addon addonName on clusterName should be halted: true once the
// indexer already holds at least addonCSRThreshold csrs under the indexByAddon
// index, keyed as "<cluster>/<addon>".
//
// As with haltCSRCreationFunc, a failed index lookup yields false, so creation
// is NOT halted on error. NOTE(review): fail-open; confirm this is intended.
func haltAddonCSRCreationFunc(indexer cache.Indexer, clusterName, addonName string) func() bool {
	return func() bool {
		indexKey := fmt.Sprintf("%s/%s", clusterName, addonName)
		existing, err := indexer.ByIndex(indexByAddon, indexKey)
		if err != nil {
			return false
		}
		return len(existing) >= addonCSRThreshold
	}
}