github/dynamiclistener
1
0
Fork 1
mirror of https://github.com/rancher/dynamiclistener.git synced 2025-08-10 09:41:34 +00:00
Code Issues Projects Releases Wiki Activity
165 Commits 23 Branches 45 Tags 2.7 MiB
release/v0.6
Commit Graph

29 Commits

Author SHA1 Message Date
Brad Davidson
2ee4a16846
Check certificate fingerprint when deciding if memory store needs to be updated (#180) 
When using a chained store of Kubernetes -> Memory -> File, a file-backed cert with a valid ResourceVersion could not be updated when the Kubernetes store was offline, as the Memory store was skipping the update if the ResourceVersion was not changed.
The Kubernetes store passes through the secret update without a modified ResourceVersion if the Secret controller is not yet available to round-trip the secret through the apiserver, as the apiserver is what handles updating the ResourceVersion when the Secret changes.
In RKE2, this caused a deadlock on startup when the certificate is expired, as the apiserver cannot be started until the cert is updated, but the cert cannot be updated until the apiserver is up.

Fix this by also considering the certificate hash annotation when deciding if the update can be skipped.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 242c2af2db)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2025-06-11 18:41:32 +00:00
Jonas Wagner
6cc9a670e1
Prevent Panic for empty Arrays on Error 
Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jonas Wagner <jwagner@knoppiks.de>
 2023-07-14 08:28:48 +02:00
Jonas Wagner
02304047cf
Enable intermediate CA Certificates 
Signed-off-by: Jonas Wagner <jwagner@knoppiks.de>
 2023-07-10 09:42:17 +02:00
Brad Davidson
8ebd77f8a4 Raise default ExpirationDaysCheck to 90 and extend into cert factory 
Most of our products actually renew at 90 days, so make that the default.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-07-21 14:08:16 -07:00
Brad Davidson
fdf983a935 Don't merge expired certs over the top of an unexpired cert 
Fixes an issue where an expired Kubernetes secret would replace the renewed locally-cached cert after cluster startup.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-07-21 14:08:16 -07:00
Brad Davidson
a30741bb53 Send complete certificate chain, not just the leaf cert 
Also, print a warning when signing may change the issuer.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-20 12:21:30 -07:00
Brad Davidson
b1d65efb6f Move Kubernetes Secrets storage update to goroutine 
Fixes issue where apiserver outages can block dynamiclistener from accepting new connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-02 18:48:48 -07:00
Brad Davidson
43f9c3ae0a Fix handling of IPv6 addresses and long hostnames 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-11-23 23:38:49 -08:00
Brad Davidson
284cc004e8 Fix listenAndServe certificate expiration by preloading certs 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-11-23 23:38:49 -08:00
Nick Gerace
f147aa4166 Fix defaultNewSignedCertExpirationDays const 
This a quick fix for 2644a6ed16
 2021-11-19 12:31:47 -05:00
Kinara Shah
63157c59ce
Merge pull request #46 from nickgerace/days 
Allow for default expiration days to be loaded from env
 2021-11-19 08:59:57 -08:00
Nick Gerace
2644a6ed16 Allow for default expiration days to be loaded from env 2021-11-18 12:38:35 -05:00
Brian Downs
27f4642299
Add ability to force cert regeneration (#43) 
* add ability to force cert regeneration
 2021-11-15 13:50:26 -07:00
Darren Shepherd
ff22834bde Avoid panic when secret is nil 2021-06-15 22:42:42 -07:00
Sjoerd Simons
dc7452dbb8 Accept IPv6 address as CN names 
Expand the cnRegexp to also accept ipv6 addresses such as:
  * ::1
  * 2a00:1450:400e:80e::
  * 2a00:1450:400e:80e::200e

Fixes: #37

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
 2021-06-14 11:07:13 -07:00
Dan Ramich
f373fc1c7c Update IsStatic to check for nil annotations 2021-04-23 14:56:14 -06:00
Darren Shepherd
a60200ab9e Merge tag 'v0.2.3' 2021-04-12 15:00:05 -07:00
Darren Shepherd
85f32491cb Add dumb hook to set the organization in the client cert 2020-09-10 13:32:14 -07:00
Brad Davidson
53f6b38760 Allow forcing cert reissuance (#28) 
Refreshing the cert should force renewal as opposed to returning
early if the SANs aren't changing. This is currently breaking refresh
of expired certs as per:
https://github.com/rancher/k3s/issues/1621#issuecomment-669464318

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-08-10 17:12:39 -07:00
Darren Shepherd
479ab335d6 Add LoadOrGenClient to handle client cert generation 2020-08-10 17:12:39 -07:00
Darren Shepherd
ebebb82b9b Add LoadOrGenClient to handle client cert generation 2020-08-01 23:37:51 -07:00
Darren Shepherd
c992ce309c Reject bad CNs that will prevent the secret from being saved. 2020-04-02 22:07:45 -07:00
Darren Shepherd
05d7922a86 Add ability to limit the maximum number of SANs 2020-03-18 23:16:38 -07:00
Darren Shepherd
bc68bf5499 Fix merging of the k8s secret to reduce the number of writes 2020-02-04 12:48:38 -07:00
Darren Shepherd
a75e84bc81 Add more helpers 2020-01-30 22:41:19 -07:00
Darren Shepherd
f1484a07b3 Add static storage and listener opts 2019-12-04 11:32:00 -07:00
Darren Shepherd
3c2990b7c5 Support old or imported RSA keys 2019-11-15 23:45:14 +00:00
Darren Shepherd
02b97e01f1 Attempt to minimize additional cert gens 2019-11-13 14:46:32 +00:00
Darren Shepherd
af04867843 Refactor to not include a server by default 2019-10-30 19:14:34 -07:00