mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-11-04 10:21:13 +01:00
Code Issues Packages Projects Releases Wiki Activity
talos/pkg/resources/secrets/kubernetes.go
Andrey Smirnov 31e56e63db fix: update in-cluster kubeconfig validity to match other certs 
Talos generates in-cluster kubeconfig for the kube-scheduler and
kube-controller-manager to authenticate to kube-apiserver. Bug was that
validity of that kubeconfig was set to 24h by mistake. Fix that by
bumping validity to default for other Kubernetes certs (1 year).

Add a certificate refresh at 50% of the validity.

Fix bugs with copying secret resources which was leading to updates not
being propagated correctly.

Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
2021-03-01 11:16:04 -08:00

85 lines
2.3 KiB
Go
Raw Blame History

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package secrets
import (
"fmt"
"github.com/talos-systems/crypto/x509"
"github.com/talos-systems/os-runtime/pkg/resource"
"github.com/talos-systems/os-runtime/pkg/resource/core"
)
// KubernetesType is type of Kubernetes resource.
const KubernetesType = resource.Type("secrets/kubernetes")
// KubernetesID is a resource ID of singleton instance.
const KubernetesID = resource.ID("k8s-certs")
// Kubernetes contains K8s generated secrets.
type Kubernetes struct {
md resource.Metadata
spec *KubernetesCertsSpec
}
// KubernetesCertsSpec describes generated Kubernetes certificates.
type KubernetesCertsSpec struct {
APIServer *x509.PEMEncodedCertificateAndKey `yaml:"apiServer"`
APIServerKubeletClient *x509.PEMEncodedCertificateAndKey `yaml:"apiServerKubeletClient"`
FrontProxy *x509.PEMEncodedCertificateAndKey `yaml:"frontProxy"`
AdminKubeconfig string `yaml:"adminKubeconfig"`
}
// NewKubernetes initializes a Kubernetes resource.
func NewKubernetes() *Kubernetes {
r := &Kubernetes{
md: resource.NewMetadata(NamespaceName, KubernetesType, KubernetesID, resource.VersionUndefined),
spec: &KubernetesCertsSpec{},
}
r.md.BumpVersion()
return r
}
// Metadata implements resource.Resource.
func (r *Kubernetes) Metadata() *resource.Metadata {
return &r.md
}
// Spec implements resource.Resource.
func (r *Kubernetes) Spec() interface{} {
return r.spec
}
func (r *Kubernetes) String() string {
return fmt.Sprintf("secrets.Kubernetes(%q)", r.md.ID())
}
// DeepCopy implements resource.Resource.
func (r *Kubernetes) DeepCopy() resource.Resource {
specCopy := *r.spec
return &Kubernetes{
md: r.md,
spec: &specCopy,
}
}
// ResourceDefinition implements core.ResourceDefinitionProvider interface.
func (r *Kubernetes) ResourceDefinition() core.ResourceDefinitionSpec {
return core.ResourceDefinitionSpec{
Type: KubernetesType,
Aliases: []resource.Type{"k8sSecret", "k8sSecrets"},
DefaultNamespace: NamespaceName,
}
}
// Certs returns .spec.
func (r *Kubernetes) Certs() *KubernetesCertsSpec {
return r.spec
}
Reference in New Issue View Git Blame Copy Permalink