
package controller

import "istio.io/istio/security/pkg/k8s/controller"

Index

Package Files

casecret.go customdnsname.go monitoring.go workloadsecret.go

Constants

const (
    // IstioSecretType is the Istio secret annotation type.
    IstioSecretType = "istio.io/key-and-cert"

    // NamespaceManagedLabel (string, with namespace as value) and NamespaceOverrideLabel (boolean) contribute to determining
    // whether or not a given Citadel instance should operate on a namespace. The behavior is as follows:
    // 1) If NamespaceOverrideLabel exists and is valid, follow what this label tells us
    // 2) If not, check NamespaceManagedLabel. If the value matches the Citadel instance's NS, then it should be active
    // 3) If NamespaceManagedLabel nonexistent or invalid, follow enableNamespacesByDefault, set from "CITADEL_ENABLE_NAMESPACES_BY_DEFAULT" envvar
    // 4) If enableNamespacesByDefault is "true", the Citadel instance should operate on unlabeled namespaces, otherwise should not
    //
    // Because the override label is consulted first, anyone permitted to edit a namespace's labels can switch that
    // namespace in or out of this Citadel instance; treat namespace label edits as a privileged operation.
    NamespaceManagedLabel  = "ca.istio.io/env"
    NamespaceOverrideLabel = "ca.istio.io/override"

    // CertChainID is the ID/name for the certificate chain file.
    CertChainID = "cert-chain.pem"
    // PrivateKeyID is the ID/name for the private key file.
    PrivateKeyID = "key.pem"
    // RootCertID is the ID/name for the CA root certificate file.
    RootCertID = "root-cert.pem"
    // ServiceAccountNameAnnotationKey is the key to specify corresponding service account in the annotation of K8s secrets.
    ServiceAccountNameAnnotationKey = "istio.io/service-account.name"

    // CASecret stores the key/cert of self-signed CA for persistency purpose.
    // This secret holds the CA's signing key material, so read access to it should be limited to the CA itself.
    CASecret = "istio-ca-secret"
)

#nosec: disable gas linter

func ConstructCustomDNSNames

func ConstructCustomDNSNames(serviceAccounts []string, serviceNames []string,
    namespace string, customDNSNames string) map[string]*DNSNameEntry

ConstructCustomDNSNames creates DNS entries for the given service accounts and allows customization of the DNS names used in the certificate SAN field. By default the DNS names used in the SAN field are of the form service.namespace and service.namespace.svc. When a custom DNS name is specified, an additional DNS SAN is set for the service account. The customDNSNames string contains a comma-separated list of entries, each formatted as <service-account-name>:<custom-DNS-value-for-SAN>

func GetSecretName

func GetSecretName(saName string) string

GetSecretName returns the secret name for a given service account name.

type CaSecretController

type CaSecretController struct {
    // contains filtered or unexported fields
}

CaSecretController manages the self-signed signing CA secret.

func NewCaSecretController

func NewCaSecretController(core corev1.CoreV1Interface) *CaSecretController

NewCaSecretController returns a pointer to a newly constructed CaSecretController instance.

func (*CaSecretController) LoadCASecretWithRetry

func (csc *CaSecretController) LoadCASecretWithRetry(secretName, namespace string,
    retryInterval, timeout time.Duration) (*v1.Secret, error)

LoadCASecretWithRetry reads the CA secret, retrying every retryInterval until timeout elapses.

func (*CaSecretController) UpdateCASecretWithRetry

func (csc *CaSecretController) UpdateCASecretWithRetry(caSecret *v1.Secret,
    retryInterval, timeout time.Duration) error

UpdateCASecretWithRetry updates the CA secret, retrying every retryInterval until timeout elapses.

type DNSNameEntry

// DNSNameEntry identifies a service account (by name and namespace) that receives
// additional DNS SANs in its certificate. Entries should be limited to control plane
// and trusted services, since every extra SAN widens the identities a certificate can assert.
type DNSNameEntry struct {
    // ServiceName is the name of the service account to match
    ServiceName string

    // Namespace restricts to a specific namespace.
    Namespace string

    // CustomDomains allows adding user-defined domains as extra DNS SANs.
    CustomDomains []string
}

DNSNameEntry stores the service name and namespace used to construct the DNS ID. Service accounts matching the ServiceName and Namespace will have additional DNS SANs: ServiceName.Namespace.svc, ServiceName.Namespace and the optional CustomDomains. This is intended for control plane and trusted services.

type SecretController

type SecretController struct {
    // contains filtered or unexported fields
}

SecretController manages the service accounts' secrets that contain Istio keys and certificates.

func NewSecretController

func NewSecretController(ca certificateAuthority, enableNamespacesByDefault bool,
    certTTL time.Duration, gracePeriodRatio float32, minGracePeriod time.Duration,
    dualUse bool, core corev1.CoreV1Interface, forCA bool, pkcs8Key bool, namespaces []string,
    dnsNames map[string]*DNSNameEntry, istioCaStorageNamespace, rootCertFile string) (*SecretController, error)

NewSecretController returns a pointer to a newly constructed SecretController instance.

func (*SecretController) Run

func (sc *SecretController) Run(stopCh chan struct{})

Run starts the SecretController until a value is sent to stopCh.
