package spiffe

import "istio.io/istio/pkg/spiffe"

Index ¶

• Constants
• func ExpandWithTrustDomains(spiffeIdentities, trustDomainAliases []string) map[string]struct{}
• func GenSpiffeURI(ns, serviceAccount string) (string, error)
• func GetTrustDomain() string
• func GetTrustDomainFromURISAN(uriSan string) (string, error)
• func MustGenSpiffeURI(ns, serviceAccount string) string
• func RetrieveSpiffeBundleRootCerts(config map[string]string, extraTrustedCerts []*x509.Certificate) ( map[string][]*x509.Certificate, error)
• func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) ( map[string][]*x509.Certificate, error)
• func SetTrustDomain(value string)
• type Identity
• func ParseIdentity(s string) (Identity, error)
• func (i Identity) String() string
• type PeerCertVerifier
• func NewPeerCertVerifier() *PeerCertVerifier
• func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)
• func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error
• func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)
• func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool
• func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error

Package Files ¶

spiffe.go

Constants ¶

const (
    Scheme = "spiffe"

    URIPrefix    = Scheme + "://"
    URIPrefixLen = len(URIPrefix)

    ServiceAccountSegment = "sa"
    NamespaceSegment      = "ns"
)

func ExpandWithTrustDomains ¶ Uses

func ExpandWithTrustDomains(spiffeIdentities, trustDomainAliases []string) map[string]struct{}

ExpandWithTrustDomains expands a given spiffe identities, plus a list of truts domain aliases. We ensure the returned list does not contain duplicates; the original input is always retained. For example, ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/def"}, {"td1", "td2"}) returns

{"spiffe://td1/ns/def/sa/def", "spiffe://td2/ns/def/sa/def"}.

ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/a", "spiffe://td1/ns/def/sa/b"}, {"td2"}) returns

{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.

func GenSpiffeURI ¶ Uses

func GenSpiffeURI(ns, serviceAccount string) (string, error)

GenSpiffeURI returns the formatted uri(SPIFFE format for now) for the certificate.

func GetTrustDomain ¶ Uses

func GetTrustDomain() string

func GetTrustDomainFromURISAN ¶ Uses

func GetTrustDomainFromURISAN(uriSan string) (string, error)

GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.

func MustGenSpiffeURI ¶ Uses

func MustGenSpiffeURI(ns, serviceAccount string) string

MustGenSpiffeURI returns the formatted uri(SPIFFE format for now) for the certificate and logs if there was an error.

func RetrieveSpiffeBundleRootCerts ¶ Uses

func RetrieveSpiffeBundleRootCerts(config map[string]string, extraTrustedCerts []*x509.Certificate) (
    map[string][]*x509.Certificate, error)

RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints.

func RetrieveSpiffeBundleRootCertsFromStringInput ¶ Uses

func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) (
    map[string][]*x509.Certificate, error)

RetrieveSpiffeBundleRootCertsFromStringInput retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints. The input endpointTuples should be in the format of: "foo|URL1||bar|URL2||baz|URL3..."

func SetTrustDomain ¶ Uses

func SetTrustDomain(value string)

type Identity ¶ Uses

type Identity struct {
    TrustDomain    string
    Namespace      string
    ServiceAccount string
}

func ParseIdentity ¶ Uses

func ParseIdentity(s string) (Identity, error)

func (Identity) String ¶ Uses

func (i Identity) String() string

type PeerCertVerifier ¶ Uses

type PeerCertVerifier struct {
    // contains filtered or unexported fields
}

PeerCertVerifier is an instance to verify the peer certificate in the SPIFFE way using the retrieved root certificates.

func NewPeerCertVerifier ¶ Uses

func NewPeerCertVerifier() *PeerCertVerifier

NewPeerCertVerifier returns a new PeerCertVerifier.

func (*PeerCertVerifier) AddMapping ¶ Uses

func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)

AddMapping adds a new trust domain to certificates mapping to the certPools map.

func (*PeerCertVerifier) AddMappingFromPEM ¶ Uses

func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error

AddMappingFromPEM adds multiple RootCA's to the spiffe Trust bundle in the trustDomain namespace

func (*PeerCertVerifier) AddMappings ¶ Uses

func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)

AddMappings merges a trust domain to certs map to the certPools map.

func (*PeerCertVerifier) GetGeneralCertPool ¶ Uses

func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool

GetGeneralCertPool returns generalCertPool containing all root certs.

func (*PeerCertVerifier) VerifyPeerCert ¶ Uses

func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCert is an implementation of tls.Config.VerifyPeerCertificate. It verifies the peer certificate using the root certificates associated with its trust domain.