github/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-04-15 07:06:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use duration and renewBefore to control API cert rotation

Browse Source 
These configuration knobs are much more human-understandable than the
previous percentage-based threshold flag.

We now allow users to set the lifetime of the serving cert via a ConfigMap.
Previously this was hardcoded to 1 year.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler
2020-08-20 15:17:18 -04:00
parent 3929fa672e
commit 39c299a32d
14 changed files with 190 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
pkg/config/api/types.go
View File

@@ -9,9 +9,10 @@ package api
type Config struct {
WebhookConfig WebhookConfigSpec `json:"webhook"`
DiscoveryInfo DiscoveryInfoSpec `json:"discovery"`
APIConfig APIConfigSpec `json:"api"`
}
// WebhookConfig contains configuration knobs specific to Pinniped's use
// WebhookConfig contains configuration knobs specific to pinniped's use
// of a webhook for token validation.
type WebhookConfigSpec struct {
// URL contains the URL of the webhook that pinniped will use
@@ -31,3 +32,26 @@ type DiscoveryInfoSpec struct {
// URL contains the URL at which pinniped can be contacted.
URL *string `json:"url,omitempty"`
}
// APIConfigSpec contains configuration knobs for the pinniped API.
//nolint: golint
type APIConfigSpec struct {
ServingCertificateConfig ServingCertificateConfigSpec `json:"servingCertificate"`
}
// ServingCertificateConfigSpec contains the configuration knobs for the API's
// serving certificate, i.e., the x509 certificate that it uses for the server
// certificate in inbound TLS connections.
type ServingCertificateConfigSpec struct {
// DurationSeconds is the validity period, in seconds, of the API serving
// certificate. By default, the serving certificate is issued for 31536000
// seconds (1 year).
DurationSeconds *int64 `json:"durationSeconds,omitempty"`
// RenewBeforeSeconds is the period of time, in seconds, that pinniped will
// wait before rotating the serving certificate. This period of time starts
// upon issuance of the serving certificate. This must be less than
// DurationSeconds. By default, pinniped begins rotation after 23328000
// seconds (about 9 months).
RenewBeforeSeconds *int64 `json:"renewBeforeSeconds,omitempty"`
}