package certwatcher
import "sigs.k8s.io/controller-runtime/pkg/certwatcher"
Package certwatcher is a helper for reloading certificates from disk for use
with TLS servers. It provides a helper func `GetCertificate` which can be
set on a `tls.Config` and passed into your tls.Listener, so a rotated cert/key
pair is picked up on subsequent handshakes without restarting the server. For a
detailed example server, see pkg/webhook/server.go.
Example¶
package main
import (
"context"
"crypto/tls"
"net/http"
"time"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/certwatcher"
)
// sampleServer is a placeholder http.Handler used only to wire up the example;
// it carries no state.
type sampleServer struct{}
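func main() {
	// Setup a context that is cancelled by the controller-runtime signal handler.
	ctx := ctrl.SetupSignalHandler()

	// Initialize a new cert watcher with the cert/key pair. New returns an
	// error if the pair cannot be loaded, so a broken pair is caught at startup
	// rather than at the first handshake.
	watcher, err := certwatcher.New("ssl/tls.crt", "ssl/tls.key")
	if err != nil {
		panic(err)
	}

	// Run the watcher in the background; it returns once ctx is cancelled.
	go func() {
		if err := watcher.Start(ctx); err != nil {
			panic(err)
		}
	}()

	// Setup the TLS listener. GetCertificate is consulted by crypto/tls on each
	// handshake, so a reloaded cert/key pair takes effect for new connections
	// without restarting the server. MinVersion pins TLS 1.2 as the floor.
	listener, err := tls.Listen("tcp", "localhost:9443", &tls.Config{
		GetCertificate: watcher.GetCertificate,
		MinVersion:     tls.VersionTLS12,
	})
	if err != nil {
		panic(err)
	}

	// Initialize the HTTP server. ReadHeaderTimeout bounds how long a client may
	// take to send request headers (slow-loris protection); a production server
	// should also consider ReadTimeout, WriteTimeout and IdleTimeout.
	srv := &http.Server{
		Handler:           &sampleServer{},
		ReadHeaderTimeout: 5 * time.Second,
	}

	// Shut the server down gracefully once the signal context is cancelled,
	// giving in-flight requests up to 5 seconds to complete.
	go func() {
		<-ctx.Done()
		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		defer cancel()
		if err := srv.Shutdown(shutdownCtx); err != nil {
			panic(err)
		}
	}()

	// Serve TLS connections until Shutdown closes the listener. ErrServerClosed
	// is the expected result of a graceful shutdown, not a failure.
	if err := srv.Serve(listener); err != nil && err != http.ErrServerClosed {
		panic(err)
	}
}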
// ServeHTTP is an intentionally empty handler: it accepts every request and
// writes nothing, so net/http responds with an empty 200 OK.
func (*sampleServer) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
Index ¶
- type CertWatcher
- func New(certPath, keyPath string) (*CertWatcher, error)
- func (cw *CertWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
- func (cw *CertWatcher) ReadCertificate() error
- func (cw *CertWatcher) RegisterCallback(callback func(tls.Certificate))
- func (cw *CertWatcher) Start(ctx context.Context) error
- func (cw *CertWatcher) Watch()
- func (cw *CertWatcher) WithWatchInterval(interval time.Duration) *CertWatcher
Examples ¶
Types ¶
type CertWatcher ¶
CertWatcher watches certificate and key files for changes. GetCertificate always returns the cached pair; the watcher periodically re-reads and parses the certificate and key files, replaces the cached pair when they have changed, and calls an optional callback with the new certificate.
func New ¶
func New(certPath, keyPath string) (*CertWatcher, error)
New returns a new CertWatcher watching the given certificate and key.
func (*CertWatcher) GetCertificate ¶
func (cw *CertWatcher) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate fetches the currently loaded certificate, which may be nil.
func (*CertWatcher) ReadCertificate ¶
func (cw *CertWatcher) ReadCertificate() error
ReadCertificate reads the certificate and key files from disk, parses them, and replaces the watcher's current certificate if they have changed. If a callback is set, it is invoked with the new certificate.
func (*CertWatcher) RegisterCallback ¶
func (cw *CertWatcher) RegisterCallback(callback func(tls.Certificate))
RegisterCallback registers a callback to be invoked when the certificate changes.
func (*CertWatcher) Start ¶
func (cw *CertWatcher) Start(ctx context.Context) error
Start starts the watch on the certificate and key files.
func (*CertWatcher) Watch ¶
func (cw *CertWatcher) Watch()
Watch reads events from the watcher's channel and reacts to changes.
func (*CertWatcher) WithWatchInterval ¶
func (cw *CertWatcher) WithWatchInterval(interval time.Duration) *CertWatcher
WithWatchInterval sets the watch interval and returns the CertWatcher pointer, allowing the call to be chained after New.
Source Files ¶
certwatcher.go doc.go
Directories ¶
Path | Synopsis |
---|---|
pkg/certwatcher/metrics |