import "istio.io/istio/security/pkg/k8s/chiron"
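const (
	// IstioDNSSecretType is the Istio DNS secret annotation type.
	// The page rendering collapsed this block onto one line, so the line
	// comment swallowed the declaration; the layout is restored here.
	IstioDNSSecretType = "istio.io/dns-key-and-cert"
)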
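#nosec: disables the gas (now gosec) security linter for the annotated code. This page does not show which statement or finding the suppression covers.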
GenCsrName generates a CSR name for the K8s system.
func GenKeyCertK8sCA(certClient certclient.CertificateSigningRequestInterface, dnsName, secretName, secretNamespace, caFilePath string) ([]byte, []byte, []byte, error)
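GenKeyCertK8sCA generates a key pair and gets the public certificate signed by the K8s CA. Options are meant to sign DNS certs. Steps: 1. Generate a CSR. 2. Call SignCSRK8sCA (declared on this page as SignCSRK8s) to finish the rest of the flow. The signature does not label the three returned byte slices; because the function generates the key pair, one of them presumably carries the private key, so confirm the order in the source before storing or logging the results.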
func SignCSRK8s(certClient certclient.CertificateSigningRequestInterface, csrName string, csrSpec *cert.CertificateSigningRequestSpec, dnsName, caFilePath string, appendCaCert bool) ([]byte, []byte, error)
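SignCSRK8sCA (declared in the signature above as SignCSRK8s) generates a certificate from a CSR using the K8s CA. Steps: 1. Submit a CSR. 2. Approve the CSR. 3. Read the signed certificate. 4. Clean up the artifacts (e.g., delete the CSR). As the steps are listed, the identity behind certClient approves the request it submitted, so it needs CSR approval rights; keep that RBAC grant as narrow as possible.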
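// WebhookController is shown here as rendered by the documentation page:
// only the exported field is listed. The page rendering collapsed the
// struct onto one line, so the line comments swallowed the declaration;
// the layout is restored here.
type WebhookController struct {
	// CACert is the current CA certificate.
	// NOTE(review): the encoding (PEM or DER) is not shown on this page; confirm before parsing.
	CACert []byte
	// contains filtered or unexported fields
}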
WebhookController manages the service accounts' secrets that contain Istio keys and certificates.
func NewWebhookController(gracePeriodRatio float32, minGracePeriod time.Duration, core corev1.CoreV1Interface, admission admissionv1beta1.AdmissionregistrationV1beta1Interface, certClient certclient.CertificatesV1beta1Interface, k8sCaCertFile string, secretNames, dnsNames, serviceNamespaces []string) (*WebhookController, error)
NewWebhookController returns a pointer to a newly constructed WebhookController instance.
func (wc *WebhookController) Run(stopCh <-chan struct{})
Run starts the WebhookController until stopCh is notified.