
package caclient

import ""


Package Files

client.go config.go keycertbundlerotator.go

func SaveKeyCert

func SaveKeyCert(keyFile, certFile string, privKey, cert []byte) error

SaveKeyCert writes the given private key and certificate to the files at keyFile and certFile. TODO(incfly): move this into CAClient struct's own method later.

type CAClient

type CAClient struct {
    // contains filtered or unexported fields
}

CAClient is a client to provision key and certificate from the upstream CA via CSR protocol.

func NewCAClient

func NewCAClient(pltfmc platform.Client, protocolClient protocol.CAProtocol, maxRetries int, interval time.Duration) (*CAClient, error)

NewCAClient creates a new CAClient instance.

func (*CAClient) Retrieve

func (c *CAClient) Retrieve(options *pkiutil.CertOptions) (newCert []byte, certChain []byte, privateKey []byte, err error)

Retrieve sends the CSR to the Istio CA with automatic retries. On success it returns the generated certificate, certificate chain and private key; otherwise it returns an error. This is a blocking function.

type Config

type Config struct {
    // Address of the CA which the CA client calls to
    CAAddress string

    // Organization presented in the certificates
    Org string

    // Requested TTL of the certificates
    RequestedCertTTL time.Duration

    // Size of RSA private key
    RSAKeySize int

    // The environment this CA client is running on.
    Env string

    // The cluster management platform this node agent is running on.
    Platform string

    // Whether the certificate is for CA
    ForCA bool

    // CSRInitialRetrialInterval is the retrial interval for certificate requests.
    CSRInitialRetrialInterval time.Duration

    // CSRMaxRetries is the number of retries for certificate requests.
    CSRMaxRetries int

    // CSRGracePeriodPercentage indicates the length of the grace period as a
    // percentage of the entire certificate TTL.
    CSRGracePeriodPercentage int

    // CertFile defines the cert of the CA client.
    CertFile string

    // CertChainFile defines the cert chain file of the CA client, including the client's cert.
    CertChainFile string

    // KeyFile defines the private key of the CA client.
    KeyFile string

    // RootCertFile defines the root cert of the CA client.
    RootCertFile string
}

Config is configuration for the CA client.
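As an added example (not istio's own code), a small helper built around the rotation-related Config fields above: it validates the settings a defender cares about (key size, grace period, retry budget) and derives when the next CSR should be sent. RotationConfig, GracePeriod, RotationDelay, RetryBudget and Validate are hypothetical names, and the doubling of the retrial interval is an assumption, since the page names only an initial interval.

```go
package main

import (
	"fmt"
	"time"
)

// RotationConfig is a hypothetical local copy of the rotation-related
// fields of caclient.Config shown above; it is not istio's own type.
type RotationConfig struct {
	RequestedCertTTL          time.Duration
	RSAKeySize                int
	CSRGracePeriodPercentage  int
	CSRMaxRetries             int
	CSRInitialRetrialInterval time.Duration
}

// GracePeriod is the slice of the TTL reserved for renewal (CSRGracePeriodPercentage of the TTL).
func (c RotationConfig) GracePeriod() time.Duration {
	return c.RequestedCertTTL * time.Duration(c.CSRGracePeriodPercentage) / 100
}

// RotationDelay is how long after issuance the next CSR should be sent: TTL minus the grace period.
func (c RotationConfig) RotationDelay() time.Duration {
	return c.RequestedCertTTL - c.GracePeriod()
}

// RetryBudget is the worst-case wall time the retries can consume, assuming the interval
// doubles after each failed attempt (an assumption; the page names only an initial interval).
func (c RotationConfig) RetryBudget() time.Duration {
	return c.CSRInitialRetrialInterval * time.Duration((1<<uint(c.CSRMaxRetries))-1)
}

// Validate rejects settings that weaken the workload identity or could let the
// certificate expire before a retried renewal succeeds (an mTLS outage).
func (c RotationConfig) Validate() error {
	switch {
	case c.RequestedCertTTL <= 0:
		return fmt.Errorf("RequestedCertTTL must be positive, got %v", c.RequestedCertTTL)
	case c.RSAKeySize < 2048:
		return fmt.Errorf("RSAKeySize %d is below 2048 bits", c.RSAKeySize)
	case c.CSRGracePeriodPercentage <= 0 || c.CSRGracePeriodPercentage >= 100:
		return fmt.Errorf("CSRGracePeriodPercentage %d must be in (0, 100)", c.CSRGracePeriodPercentage)
	case c.CSRMaxRetries < 0 || c.CSRMaxRetries > 20 || c.CSRInitialRetrialInterval <= 0:
		return fmt.Errorf("CSRMaxRetries must be in [0, 20] and CSRInitialRetrialInterval positive")
	case c.RetryBudget() > c.GracePeriod():
		return fmt.Errorf("retry budget %v exceeds grace period %v: renewal may outlast the cert", c.RetryBudget(), c.GracePeriod())
	}
	return nil
}
```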

type KeyCertBundleRotator

type KeyCertBundleRotator struct {
    // contains filtered or unexported fields
}

KeyCertBundleRotator automatically updates the key and cert bundle by interacting with the upstream CA.

func NewKeyCertBundleRotator

func NewKeyCertBundleRotator(cfg *Config, keyCertBundle pkiutil.KeyCertBundle) (*KeyCertBundleRotator, error)

NewKeyCertBundleRotator is the constructor for keyCertBundleRotatorImpl, based on the provided configuration.

func (*KeyCertBundleRotator) Start

func (c *KeyCertBundleRotator) Start(errCh chan<- error)

Start periodically rotates the KeyCertBundle by interacting with the upstream CA. It is a blocking function that should run as a goroutine. Thread safe.

func (*KeyCertBundleRotator) Stop

func (c *KeyCertBundleRotator) Stop()

Stop stops the loop. Thread safe.

type KeyCertRetriever

type KeyCertRetriever interface {
    Retrieve(opt *pkiutil.CertOptions) (newCert, certChain, privateKey []byte, err error)
}

KeyCertRetriever is the interface responsible for retrieving a new key and certificate from the upstream CA.


Subdirectory protocol: Package protocol defines the interface of the CA client protocol.

Package caclient imports 10 packages and is imported by 1 package. Updated 2020-01-25.