in pkg/cert/request.go [30:77]
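// NewServerCertificateManager returns a certificate.Manager that requests a
// serving certificate for csr through the Kubernetes CSR API and persists the
// resulting cert/key pair in the Secret namespace/secretName.
//
// Security caveats a caller should be aware of:
//   - CSRs are submitted with the "kubernetes.io/legacy-unknown" signer. That
//     signer carries no trust guarantees and is not served by the built-in
//     kube-controller-manager signers, so something in the cluster must approve
//     and sign the request. The stable certificates.k8s.io/v1 CSR API is
//     documented as rejecting this signer name outright — confirm which API
//     version the manager submits against on the target cluster.
//   - The clientset callback always returns kubeClient: the rotated certificate
//     is a serving cert and is never used as the API client's credential.
//   - The rotation histogram is registered with the default Prometheus
//     registry. If a collector with the same name already exists (e.g. this
//     constructor ran twice in one process) it is reused rather than panicking,
//     which is what prometheus.MustRegister would do.
//
// It returns an error when the histogram cannot be registered or when the
// certificate manager itself fails to initialise.
func NewServerCertificateManager(kubeClient clientset.Interface, namespace, secretName string, csr *x509.CertificateRequest) (certificate.Manager, error) {
	// The server certificate is not a client credential, so the clientset does
	// not change when the certificate rotates.
	clientsetFn := func(_ *tls.Certificate) (clientset.Interface, error) {
		return kubeClient, nil
	}

	certificateStore := NewSecretCertStore(namespace, secretName, kubeClient)

	certificateRotation, err := serverRotationHistogram()
	if err != nil {
		return nil, fmt.Errorf("failed to initialize server certificate manager: %w", err)
	}

	m, err := certificate.NewManager(&certificate.Config{
		ClientsetFn: clientsetFn,
		Template:    csr,
		Usages: []certificates.KeyUsage{
			// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
			//
			// digitalSignature: the key may sign the TLS handshake. This is
			// the only key usage needed for (EC)DHE key exchange.
			certificates.UsageDigitalSignature,
			// keyEncipherment: the key may encrypt the pre-master secret in
			// RSA key-transport suites. It is only meaningful for RSA keys;
			// for EC keys the signer may ignore or reject it (depends on the
			// key type of csr, which is not visible here).
			certificates.UsageKeyEncipherment,
			// serverAuth EKU: the certificate authenticates a TLS server to
			// a TLS client.
			certificates.UsageServerAuth,
		},
		// Hard coded since LegacyUnknownSignerName is no longer exported from
		// certificates/v1. See the function doc for the trust caveats.
		// https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers
		SignerName:          "kubernetes.io/legacy-unknown",
		CertificateStore:    certificateStore,
		CertificateRotation: certificateRotation,
	})
	if err != nil {
		return nil, fmt.Errorf("failed to initialize server certificate manager: %w", err)
	}
	return m, nil
}

// serverRotationHistogram registers the certificate_manager_server_rotation_seconds
// histogram with the default Prometheus registry and returns it. If a collector
// with that name is already registered, the existing histogram is returned
// instead of panicking (prometheus.MustRegister panics on duplicates, which
// makes the enclosing constructor unsafe to call more than once per process).
// Any other registration failure, or a same-named collector that is not a
// histogram, is returned as an error.
func serverRotationHistogram() (prometheus.Histogram, error) {
	const metricName = "certificate_manager_server_rotation_seconds"

	h := prometheus.NewHistogram(prometheus.HistogramOpts{
		Subsystem: "certificate_manager",
		Name:      "server_rotation_seconds",
		Help:      "Histogram of the lifetime of a certificate. The value is the time in seconds the certificate lived before getting rotated",
	})

	err := prometheus.Register(h)
	if err == nil {
		return h, nil
	}

	// Duplicate registration is expected when the constructor runs again in
	// the same process; reuse the collector that is already there.
	are, ok := err.(prometheus.AlreadyRegisteredError)
	if !ok {
		return nil, fmt.Errorf("registering %s: %w", metricName, err)
	}
	existing, ok := are.ExistingCollector.(prometheus.Histogram)
	if !ok {
		return nil, fmt.Errorf("collector already registered as %s is not a histogram", metricName)
	}
	return existing, nil
}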