var certificateWaitTimeout … var kubeletServingUsagesWithEncipherment … var kubeletServingUsagesNoEncipherment … var DefaultKubeletServingGetUsages … var kubeletClientUsagesWithEncipherment … var kubeletClientUsagesNoEncipherment … var DefaultKubeletClientGetUsages … type Manager … type Config … type Store … type Gauge … type Histogram … type Counter … type NoCertKeyError … type ClientsetFunc … func (e *NoCertKeyError) Error() string { … } type manager … // NewManager returns a new certificate manager. A certificate manager is // responsible for being the authoritative source of certificates in the // Kubelet and handling updates due to rotation. func NewManager(config *Config) (Manager, error) { … } // Current returns the currently selected certificate from the certificate // manager. This can be nil if the manager was initialized without a // certificate and has not yet received one from the // CertificateSigningRequestClient, or if the current cert has expired. func (m *manager) Current() *tls.Certificate { … } // ServerHealthy returns true if the cert manager believes the server // is currently alive. func (m *manager) ServerHealthy() bool { … } // Stop terminates the manager. func (m *manager) Stop() { … } // Start will start the background work of rotating the certificates. func (m *manager) Start() { … } func getCurrentCertificateOrBootstrap( store Store, bootstrapCertificatePEM []byte, bootstrapKeyPEM []byte) (cert *tls.Certificate, shouldRotate bool, errResult error) { … } func (m *manager) getClientset() (clientset.Interface, error) { … } // RotateCerts is exposed for testing only and is not a part of the public interface. // Returns true if it changed the cert, false otherwise. Error is only returned in // exceptional cases. func (m *manager) RotateCerts() (bool, error) { … } // rotateCerts attempts to request a client cert from the server, wait a reasonable // period of time for it to be signed, and then update the cert on disk. If it cannot // retrieve a cert, it will return false. It will only return error in exceptional cases. // This method also keeps track of "server health" by interpreting the responses it gets // from the server on the various calls it makes. // TODO: return errors, have callers handle and log them correctly func (m *manager) rotateCerts() (bool, error) { … } // Check that the current certificate on disk satisfies the requests from the // current template. // // Note that extra items in the certificate's SAN or orgs that don't exist in // the template will not trigger a renewal. // // Requires certAccessLock to be locked. func (m *manager) certSatisfiesTemplateLocked() bool { … } func (m *manager) certSatisfiesTemplate() bool { … } // nextRotationDeadline returns a value for the threshold at which the // current certificate should be rotated, 80%+/-10% of the expiration of the // certificate. func (m *manager) nextRotationDeadline() time.Time { … } var jitteryDuration … // updateCached sets the most recent retrieved cert and returns the old cert. // It also sets the server as assumed healthy. func (m *manager) updateCached(cert *tls.Certificate) *tls.Certificate { … } // updateServerError takes an error returned by the server and infers // the health of the server based on the error. It will return nil if // the error does not require immediate termination of any wait loops, // and otherwise it will return the error. func (m *manager) updateServerError(err error) error { … } func (m *manager) generateCSR() (template *x509.CertificateRequest, csrPEM []byte, keyPEM []byte, key interface{ … } func (m *manager) getLastRequest() (context.CancelFunc, *x509.CertificateRequest) { … } func (m *manager) setLastRequest(cancel context.CancelFunc, r *x509.CertificateRequest) { … } func hasKeyUsage(usages []certificates.KeyUsage, usage certificates.KeyUsage) bool { … }