mirror of
https://github.com/rancher/dynamiclistener.git
synced 2026-07-01 06:45:21 +00:00
02e46989f28e52bcfcbbb8ee89ad387124d1c70a
Add PruneExistingCN bool to Config (alongside the existing FilterCN). When true, FilterCN is also applied to the set of CNs already recorded on the secret via its listener.cattle.io/cn-* annotations at every operation that reads or merges that set: AddCN, Merge, Renew, Regenerate, and certificate generation. Any existing CN that FilterCN would reject is dropped from the certificate the next time it is written. This gives callers a way to keep the stored CN set trimmed to a known-valid subset — for example, pruning IP addresses that are no longer valid endpoints after a rolling restart — without requiring an explicit delete-and-regenerate cycle. false (the default) preserves all existing CNs as before (backwards compatible). No separate filter callback is needed: the same FilterCN that gates new additions also governs what is kept when PruneExistingCN is true. Merge is updated to call generateCert instead of returning an existing cert unchanged when the cert contains CNs that FilterCN would remove, ensuring stale entries are pruned on the next storage sync rather than silently propagated. The pruneAnnotations call inside generateCert is moved to after populateCN so the cert and its annotation set stay in sync. PruneExistingCN is wired through NewListenerWithChain; SANs pre-seeded in Config.SANs are always preserved via allowDefaultSANs regardless of the filter. Add unit tests covering hasStaleCNs, pruneAnnotations, Merge (stale in target, stale in additional, no stale, PruneExistingCN=false, static target), Renew, Regenerate, and AddCN.
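To make the PruneExistingCN semantics described in the commit message concrete, the following is an added, standalone Go model (not dynamiclistener's own code or types): a hypothetical `Config` carrying only `FilterCN`, `PruneExistingCN` and `SANs`, a filter that drops IP addresses no longer in a live set, and `hasStaleCNs`/`mergeCNs` helpers that show which CNs reach the next certificate. The sample CN sets and the live-IP map are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Config models only the fields the commit message names; it is a
// standalone illustration, not dynamiclistener's own Config type.
type Config struct {
	FilterCN        func(cns ...string) []string // nil means accept every CN
	PruneExistingCN bool                         // also apply FilterCN to CNs already on the secret
	SANs            []string                     // caller-seeded SANs, kept regardless of FilterCN
}

// keepLiveIPs returns a FilterCN that keeps hostnames as-is but drops any IP
// address not in the live set (the "stale endpoint after a rolling restart" case).
func keepLiveIPs(live map[string]bool) func(...string) []string {
	return func(cns ...string) []string {
		var kept []string
		for _, cn := range cns {
			if net.ParseIP(cn) == nil || live[cn] {
				kept = append(kept, cn)
			}
		}
		return kept
	}
}

// hasStaleCNs reports whether the stored CN set contains entries FilterCN would
// reject; when true, a Merge should regenerate the cert rather than return it unchanged.
func hasStaleCNs(cfg Config, existing []string) bool {
	if !cfg.PruneExistingCN || cfg.FilterCN == nil {
		return false
	}
	return len(cfg.FilterCN(existing...)) != len(existing)
}

// mergeCNs computes the CN set written to the next certificate from the CNs already
// recorded on the secret and the CNs being added. Seeded SANs bypass the filter,
// new CNs are always filtered, and existing CNs are filtered only when PruneExistingCN is set.
func mergeCNs(cfg Config, existing, additional []string) []string {
	kept := existing
	if cfg.PruneExistingCN && cfg.FilterCN != nil {
		kept = cfg.FilterCN(existing...)
	}
	added := additional
	if cfg.FilterCN != nil {
		added = cfg.FilterCN(additional...)
	}
	seen := map[string]bool{}
	var out []string
	for _, group := range [][]string{cfg.SANs, kept, added} {
		for _, cn := range group {
			if !seen[cn] {
				seen[cn] = true
				out = append(out, cn)
			}
		}
	}
	sort.Strings(out) // deterministic order for comparison and display
	return out
}

func main() {
	// Constructed sample: 10.0.0.1 is a pod IP that no longer exists; 10.0.0.2 is live.
	filter := keepLiveIPs(map[string]bool{"10.0.0.2": true})
	existing := []string{"10.0.0.1", "10.0.0.2", "api.example.internal"}
	additional := []string{"10.0.0.2", "10.0.0.3"}
	for _, prune := range []bool{false, true} {
		cfg := Config{FilterCN: filter, PruneExistingCN: prune, SANs: []string{"127.0.0.1"}}
		fmt.Printf("PruneExistingCN=%-5v stale=%-5v cert CNs=%v\n",
			prune, hasStaleCNs(cfg, existing), mergeCNs(cfg, existing, additional))
	}
}
```

With PruneExistingCN false the dead 10.0.0.1 survives every merge because only new CNs pass through the filter; with it true the stored set is reported stale and 10.0.0.1 is dropped on the next write, while the seeded 127.0.0.1 is preserved even though the filter would reject it.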
dynamiclistener
DynamicListener allows you to set up a server with automatically generated (and re-generated) TLS certificates, integrated with Kubernetes secrets.
This README is a work in progress, aimed at providing information for navigating the contents of this repository.
Changing the Expiration Days for Newly Signed Certificates
By default, a newly signed certificate is set to expire 365 days (1 year) after its creation time and date.
You can use the CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS environment variable to change this value.
Please note: the value of this variable must be a string representing an unsigned integer, the number of days after creation at which the certificate expires (its X.509 "NotAfter" value).
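As an added example (not dynamiclistener's own code), the following Go snippet shows how a caller can validate the CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS value against the rule above before using it, and how the resulting NotAfter date is derived from the creation time. The fallback to 365 days when the variable is unset follows the default stated above; returning an error for a malformed value is this example's choice, since the page does not say how the library itself treats one.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

const (
	expirationEnv         = "CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS"
	defaultExpirationDays = 365 // the documented default (1 year)
)

// expirationDaysFrom interprets the raw environment value. An empty value means
// the variable is unset and yields the default; anything that is not an unsigned
// integer (negative numbers, fractions, non-digits) is rejected. Erroring rather
// than silently falling back is this example's own policy.
func expirationDaysFrom(value string) (uint64, error) {
	if value == "" {
		return defaultExpirationDays, nil
	}
	days, err := strconv.ParseUint(value, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("%s must be an unsigned integer number of days, got %q: %w",
			expirationEnv, value, err)
	}
	return days, nil
}

// notAfter computes the X.509 NotAfter value: the creation time plus the
// configured number of whole days.
func notAfter(created time.Time, days uint64) time.Time {
	return created.Add(time.Duration(days) * 24 * time.Hour)
}

func main() {
	days, err := expirationDaysFrom(os.Getenv(expirationEnv))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to sign:", err)
		os.Exit(1)
	}
	created := time.Now().UTC()
	fmt.Printf("new certs expire after %d days: NotAfter=%s\n",
		days, notAfter(created, days).Format(time.RFC3339))
}
```

Run it with the variable unset to see the 365-day default, with `CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=90` for a shorter lifetime, and with a value such as `-30` or `1.5` to see the validation reject it.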
Versioning
See VERSION.md.