istio: istio.io/istio/pkg/spiffe

package spiffe

import "istio.io/istio/pkg/spiffe"


Package Files

spiffe.go

Constants

// Scheme is the URI scheme that identifies a SPIFFE ID.
const Scheme = "spiffe"

// URIPrefix is Scheme followed by the "://" separator, i.e. the
// prefix every SPIFFE URI starts with ("spiffe://").
const URIPrefix = Scheme + "://"

func DetermineTrustDomain

func DetermineTrustDomain(commandLineTrustDomain string, isKubernetes bool) string

func GenCustomSpiffe

func GenCustomSpiffe(identity string) string

GenCustomSpiffe returns a SPIFFE string whose structure is left to the caller (no namespace/service-account layout is imposed).

func GenSpiffeURI

func GenSpiffeURI(ns, serviceAccount string) (string, error)

GenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate, or an error if it cannot be built.

func GetTrustDomain

func GetTrustDomain() string

func GetTrustDomainFromURISAN

func GetTrustDomainFromURISAN(uriSan string) (string, error)

GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.

func MustGenSpiffeURI

func MustGenSpiffeURI(ns, serviceAccount string) string

MustGenSpiffeURI returns the formatted URI (SPIFFE format for now) for the certificate; unlike GenSpiffeURI it does not return an error but logs one if it occurs.

func RetrieveSpiffeBundleRootCerts

func RetrieveSpiffeBundleRootCerts(config map[string]string, extraTrustedCerts []*x509.Certificate) (
    map[string][]*x509.Certificate, error)

RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied extraTrustedCerts to validate the endpoints.

func RetrieveSpiffeBundleRootCertsFromStringInput

func RetrieveSpiffeBundleRootCertsFromStringInput(inputString string, extraTrustedCerts []*x509.Certificate) (
    map[string][]*x509.Certificate, error)

RetrieveSpiffeBundleRootCertsFromStringInput retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied extraTrustedCerts to validate the endpoints. The inputString argument lists the endpoint tuples in the format "foo|URL1||bar|URL2||baz|URL3...", where each tuple pairs a trust domain with its bundle URL.

func SetTrustDomain

func SetTrustDomain(value string)

type PeerCertVerifier

type PeerCertVerifier struct {
    // contains filtered or unexported fields
}

PeerCertVerifier is an instance to verify the peer certificate in the SPIFFE way using the retrieved root certificates.

func NewPeerCertVerifier

func NewPeerCertVerifier() *PeerCertVerifier

NewPeerCertVerifier returns a new PeerCertVerifier.

func (*PeerCertVerifier) AddMapping

func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)

AddMapping adds a single trust-domain-to-certificates mapping to the certPools map.

func (*PeerCertVerifier) AddMappings

func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)

AddMappings merges a trust-domain-to-certificates map into the certPools map.

func (*PeerCertVerifier) GetGeneralCertPool

func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool

GetGeneralCertPool returns generalCertPool, which contains the root certs of all registered trust domains.

func (*PeerCertVerifier) VerifyPeerCert

func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCert is an implementation of tls.Config.VerifyPeerCertificate. It verifies the peer certificate presented in rawCerts against the root certificates registered for that certificate's trust domain; the verifiedChains argument is ignored, so the trust decision rests entirely on the trust-domain mapping.

Package spiffe imports 12 packages and is imported by 33 packages. Updated 2020-07-01.