
package spiffe

import "istio.io/istio/pkg/spiffe"


Package Files

spiffe.go

Constants

// Scheme is the URI scheme used by SPIFFE identities.
const Scheme = "spiffe"

// URI prefix derived from Scheme; every SPIFFE identity string starts with it.
const (
	// URIPrefix is the scheme followed by the "://" separator.
	URIPrefix = Scheme + "://"
	// URIPrefixLen is the byte length of URIPrefix (a compile-time constant).
	URIPrefixLen = len(URIPrefix)
)

// Path segments of a SPIFFE identity, e.g. "spiffe://td/ns/<namespace>/sa/<service account>".
const (
	// ServiceAccountSegment is the segment that precedes the service account name.
	ServiceAccountSegment = "sa"
	// NamespaceSegment is the segment that precedes the namespace name.
	NamespaceSegment = "ns"
)

func ExpandWithTrustDomains Uses

func ExpandWithTrustDomains(spiffeIdentities, trustDomainAliases []string) map[string]struct{}

ExpandWithTrustDomains expands the given SPIFFE identities across a list of trust domain aliases. The returned set contains no duplicates, and the original input identities are always retained. For example, ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/def"}, {"td1", "td2"}) returns

{"spiffe://td1/ns/def/sa/def", "spiffe://td2/ns/def/sa/def"}.

ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/a", "spiffe://td1/ns/def/sa/b"}, {"td2"}) returns

{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.

func GenSpiffeURI Uses

func GenSpiffeURI(ns, serviceAccount string) (string, error)

GenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate.

func GetTrustDomain Uses

func GetTrustDomain() string

func GetTrustDomainFromURISAN Uses

func GetTrustDomainFromURISAN(uriSan string) (string, error)

GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.

func MustGenSpiffeURI Uses

func MustGenSpiffeURI(ns, serviceAccount string) string

MustGenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate, and logs if there was an error.

func RetrieveSpiffeBundleRootCerts Uses

func RetrieveSpiffeBundleRootCerts(config map[string]string, extraTrustedCerts []*x509.Certificate) (
    map[string][]*x509.Certificate, error)

RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints.

func RetrieveSpiffeBundleRootCertsFromStringInput Uses

func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) (
    map[string][]*x509.Certificate, error)

RetrieveSpiffeBundleRootCertsFromStringInput retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints. The input string (inputString) should be a list of endpoint tuples in the format: "foo|URL1||bar|URL2||baz|URL3..."

func SetTrustDomain Uses

func SetTrustDomain(value string)

type Identity Uses

type Identity struct {
    TrustDomain    string
    Namespace      string
    ServiceAccount string
}

func ParseIdentity Uses

func ParseIdentity(s string) (Identity, error)

func (Identity) String Uses

func (i Identity) String() string

type PeerCertVerifier Uses

type PeerCertVerifier struct {
    // contains filtered or unexported fields
}

PeerCertVerifier is an instance to verify the peer certificate in the SPIFFE way using the retrieved root certificates.

func NewPeerCertVerifier Uses

func NewPeerCertVerifier() *PeerCertVerifier

NewPeerCertVerifier returns a new PeerCertVerifier.

func (*PeerCertVerifier) AddMapping Uses

func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)

AddMapping adds a new trust-domain-to-certificates mapping to the certPools map.

func (*PeerCertVerifier) AddMappingFromPEM Uses

func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error

AddMappingFromPEM adds multiple root CAs to the SPIFFE trust bundle under the given trustDomain.

func (*PeerCertVerifier) AddMappings Uses

func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)

AddMappings merges a trust-domain-to-certificates map into the certPools map.

func (*PeerCertVerifier) GetGeneralCertPool Uses

func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool

GetGeneralCertPool returns generalCertPool containing all root certs.

func (*PeerCertVerifier) VerifyPeerCert Uses

func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCert is an implementation of tls.Config.VerifyPeerCertificate. It verifies the peer certificate using the root certificates associated with its trust domain.
