istio: istio.io/istio/security/pkg/caclient

package caclient

import "istio.io/istio/security/pkg/caclient"

Index

Package Files

client.go config.go keycertbundlerotator.go

func SaveKeyCert

func SaveKeyCert(keyFile, certFile string, privKey, cert []byte) error

SaveKeyCert writes the given private key to keyFile and the given certificate to certFile. TODO(incfly): move this into CAClient struct's own method later.
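The page does not show how SaveKeyCert writes the files, so the following is an added example (not Istio's code) of what a practitioner would want from such a helper: the private key lands with mode 0600 and the certificate with 0644, each written to a temporary file and renamed into place so a concurrent reader never sees a half-written PEM, plus a check that refuses a key file readable by group or others. The function names saveKeyCert, writeAtomic and checkKeyFileMode are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// saveKeyCert is an illustrative stand-in for caclient.SaveKeyCert (not Istio's
// code). The key is written with mode 0600 and the certificate with 0644.
func saveKeyCert(keyFile, certFile string, privKey, cert []byte) error {
	if err := writeAtomic(keyFile, privKey, 0o600); err != nil {
		return fmt.Errorf("writing private key: %w", err)
	}
	if err := writeAtomic(certFile, cert, 0o644); err != nil {
		return fmt.Errorf("writing certificate: %w", err)
	}
	return nil
}

// writeAtomic writes data to a temporary file in the target directory, sets the
// requested mode explicitly (Chmod is not subject to the umask), fsyncs, and
// renames it over path, so readers see either the old file or the complete new one.
func writeAtomic(path string, data []byte, mode os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op once the rename has succeeded
	if err := tmp.Chmod(mode); err != nil {
		tmp.Close()
		return err
	}
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, path)
}

// checkKeyFileMode returns an error if the key file is readable or writable by
// group or others; a sidecar's private key must only be accessible to its owner.
func checkKeyFileMode(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; private keys must not be group/world accessible", path, perm)
	}
	return nil
}

func main() {
	// Constructed placeholder PEM bodies; a real caller passes what Retrieve returned.
	key := []byte("-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----\n")
	cert := []byte("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n")
	dir, err := os.MkdirTemp("", "caclient-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	keyFile, certFile := filepath.Join(dir, "key.pem"), filepath.Join(dir, "cert-chain.pem")
	if err := saveKeyCert(keyFile, certFile, key, cert); err != nil {
		panic(err)
	}
	if err := checkKeyFileMode(keyFile); err != nil {
		panic(err)
	}
	fmt.Println("wrote", keyFile, "and", certFile)
}
```

The temporary file is created in the destination directory so that the final rename stays on one filesystem; if the destination is a mounted secret volume the directory must be writable, which is worth checking during deployment.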

type CAClient

type CAClient struct {
    // contains filtered or unexported fields
}

CAClient is a client that provisions a private key and certificate from the upstream CA via the CSR protocol.

func NewCAClient

func NewCAClient(pltfmc platform.Client, protocolClient protocol.CAProtocol, maxRetries int, interval time.Duration) (*CAClient, error)

NewCAClient creates a new CAClient instance.

func (*CAClient) Retrieve

func (c *CAClient) Retrieve(options *pkiutil.CertOptions) (newCert []byte, certChain []byte, privateKey []byte, err error)

Retrieve sends the CSR to the Istio CA with automatic retries. On success it returns the newly issued certificate, its certificate chain and the generated private key; otherwise it returns an error. This is a blocking function.

type Config

type Config struct {
    // Address of the CA which the CA client calls to
    CAAddress string

    // Organization presented in the certificates
    Org string

    // Requested TTL of the certificates
    RequestedCertTTL time.Duration

    // Size of RSA private key
    RSAKeySize int

    // The environment this CA client is running on.
    Env string

    // The cluster management platform this node agent is running on.
    Platform string

    // Whether the certificate is for CA
    ForCA bool

    // CSRInitialRetrialInterval is the initial retry interval for certificate requests.
    CSRInitialRetrialInterval time.Duration

    // CSRMaxRetries is the number of retries for certificate requests.
    CSRMaxRetries int

    // CSRGracePeriodPercentage is the length of the grace period before expiry,
    // expressed as a percentage of the entire certificate TTL.
    CSRGracePeriodPercentage int

    // CertFile defines the cert of the CA client.
    CertFile string

    // CertChainFile defines the cert chain file of the CA client, including the client's cert.
    CertChainFile string

    // KeyFile defines the private key of the CA client.
    KeyFile string

    // RootCertFile defines the root cert of the CA client.
    RootCertFile string
}

Config is configuration for the CA client.

type KeyCertBundleRotator

type KeyCertBundleRotator struct {
    // contains filtered or unexported fields
}

KeyCertBundleRotator keeps the key and cert bundle current by periodically requesting new credentials from the upstream CA.

func NewKeyCertBundleRotator

func NewKeyCertBundleRotator(cfg *Config, keyCertBundle pkiutil.KeyCertBundle) (*KeyCertBundleRotator, error)

NewKeyCertBundleRotator constructs a KeyCertBundleRotator from the provided configuration and the KeyCertBundle it should keep up to date.

func (*KeyCertBundleRotator) Start

func (c *KeyCertBundleRotator) Start(errCh chan<- error)

Start periodically rotates the KeyCertBundle by interacting with the upstream CA. It is a blocking function and should be run in its own goroutine; errors are reported on errCh. Thread safe.

func (*KeyCertBundleRotator) Stop

func (c *KeyCertBundleRotator) Stop()

Stop stops the rotation loop started by Start. Thread safe.

type KeyCertRetriever

type KeyCertRetriever interface {
    Retrieve(opt *pkiutil.CertOptions) (newCert, certChain, privateKey []byte, err error)
}

KeyCertRetriever is the interface responsible for retrieving a new key and certificate from the upstream CA.
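To make concrete how Retrieve, the CSRMaxRetries / CSRInitialRetrialInterval / CSRGracePeriodPercentage fields of Config, the rotator started by Start, and the KeyCertRetriever interface fit together, here is an added, self-contained example; it is not Istio's code and does not import this package. It declares a local CertOptions stand-in (only the TTL is used, an assumption) and a local KeyCertRetriever with the same method shape, a blocking retry loop over a retriever, and the grace-period arithmetic that decides when a rotator should ask for a new certificate. The stand-in CA (flakyCA) is constructed for the example: it fails a set number of calls and then issues a self-signed certificate. Doubling the interval between retries is this example's choice; the page only names an initial interval.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertOptions is a local stand-in for pkiutil.CertOptions (assumption: only the TTL matters here).
type CertOptions struct {
	TTL time.Duration
}

// KeyCertRetriever mirrors the method shape of caclient.KeyCertRetriever.
type KeyCertRetriever interface {
	Retrieve(opt *CertOptions) (newCert, certChain, privateKey []byte, err error)
}

// retrieveWithRetries models the blocking retry behaviour described for Retrieve,
// driven by values like Config.CSRMaxRetries and Config.CSRInitialRetrialInterval.
// It returns the last CA error once the retries are exhausted.
func retrieveWithRetries(r KeyCertRetriever, opt *CertOptions, maxRetries int, initial time.Duration) (cert, chain, key []byte, err error) {
	interval := initial
	for attempt := 0; attempt <= maxRetries; attempt++ {
		cert, chain, key, err = r.Retrieve(opt)
		if err == nil {
			return cert, chain, key, nil
		}
		if attempt < maxRetries {
			time.Sleep(interval)
			interval *= 2 // example's choice; the page does not specify the backoff
		}
	}
	return nil, nil, nil, fmt.Errorf("CSR failed after %d retries: %w", maxRetries, err)
}

// nextRotation returns the start of the grace period: gracePct percent of the
// certificate's TTL before NotAfter. A rotator should request a new cert then,
// not at expiry, so the CA being briefly unavailable does not leave the workload without a cert.
func nextRotation(certPEM []byte, gracePct int) (time.Time, error) {
	if gracePct < 0 || gracePct > 100 {
		return time.Time{}, fmt.Errorf("grace percentage %d out of range 0..100", gracePct)
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return time.Time{}, errors.New("input is not a PEM certificate")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, err
	}
	ttl := c.NotAfter.Sub(c.NotBefore)
	grace := ttl * time.Duration(gracePct) / 100
	return c.NotAfter.Add(-grace), nil
}

// flakyCA is a constructed stand-in for the upstream CA: it fails `failures`
// times, then issues a self-signed P-256 certificate with the requested TTL.
type flakyCA struct {
	failures int
	calls    int
}

func (f *flakyCA) Retrieve(opt *CertOptions) ([]byte, []byte, []byte, error) {
	f.calls++
	if f.calls <= f.failures {
		return nil, nil, nil, fmt.Errorf("CA unavailable (call %d)", f.calls)
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now().Truncate(time.Second) // X.509 validity times have second precision
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"example-org"}},
		NotBefore:    now,
		NotAfter:     now.Add(opt.TTL),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, certPEM, keyPEM, nil // self-signed, so the chain is the cert itself
}

func main() {
	ca := &flakyCA{failures: 2}
	cert, _, _, err := retrieveWithRetries(ca, &CertOptions{TTL: time.Hour}, 3, 10*time.Millisecond)
	if err != nil {
		panic(err)
	}
	at, err := nextRotation(cert, 50)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued after %d CA calls; rotate at %s\n", ca.calls, at.UTC().Format(time.RFC3339))
}
```

With a one-hour TTL and a 50 percent grace period the rotation is scheduled 30 minutes before expiry; a rotator loop would sleep until that instant, call the retriever (with its own retries), replace the bundle, and recompute the next rotation from the new certificate.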

Directories

Path            Synopsis
protocol        Package protocol defines the interface of CA client protocol.
protocol/mock

Package caclient imports 10 packages and is imported by 1 package. Updated 2019-11-16.