import "istio.io/istio/security/pkg/nodeagent/cache"
Package cache is the in-memory secret store.
helper.go monitoring.go secretcache.go
const (
TokenExchange = "token_exchange"
CSR = "csr"
)const (
// RootCertReqResourceName is resource name of discovery request for root certificate.
RootCertReqResourceName = "ROOTCA"
// WorkloadKeyCertResourceName is the resource name of the discovery request for workload
// identity.
// TODO: change all the pilot one reference definition here instead.
WorkloadKeyCertResourceName = "default"
)var (
RequestType = monitoring.MustCreateLabel("request_type")
)type ConnKey struct {
ConnectionID string
// ResourceName of SDS request, get from SDS.DiscoveryRequest.ResourceName
// Current it's `ROOTCA` for root cert request, and 'default' for normal key/cert request.
ResourceName string
}ConnKey is the key of one SDS connection.
type SecretCache struct {
// contains filtered or unexported fields
}SecretCache is the in-memory cache for secrets.
func NewSecretCache(fetcher *secretfetcher.SecretFetcher, notifyCb func(ConnKey, *security.SecretItem) error, options *security.Options) *SecretCache
NewSecretCache creates a new secret cache.
func (sc *SecretCache) Close()
Close shuts down the secret cache.
func (sc *SecretCache) DeleteK8sSecret(secretName string)
DeleteK8sSecret deletes all entries that match secretName. This is called when a K8s secret for gateway is deleted.
func (sc *SecretCache) DeleteSecret(connectionID, resourceName string)
DeleteSecret deletes a secret by its key from cache.
func (sc *SecretCache) GenerateSecret(ctx context.Context, connectionID, resourceName, token string) (*security.SecretItem, error)
GenerateSecret generates new secret and cache the secret, this function is called by SDS.StreamSecrets and SDS.FetchSecret. Since credential passing from client may change, regenerate secret every time instead of reading from cache.
func (sc *SecretCache) SecretExist(connectionID, resourceName, token, version string) bool
SecretExist checks if secret already existed. This API is used for sds server to check if coming request is ack request.
func (sc *SecretCache) ShouldWaitForGatewaySecret(connectionID, resourceName, token string, fileMountedCertsOnly bool) bool
ShouldWaitForGatewaySecret returns true if node agent is working in gateway agent mode and needs to wait for gateway secret to be ready.
func (sc *SecretCache) UpdateK8sSecret(secretName string, ns security.SecretItem)
UpdateK8sSecret updates all entries that match secretName. This is called when a K8s secret for gateway is updated.
type SecretManager interface {
// GenerateSecret generates new secret and cache the secret.
// Current implementation constructs the SAN based on the token's 'sub'
// claim, expected to be in the K8S format. No other JWTs are currently supported
// due to client logic. If JWT is missing/invalid, the resourceName is used.
GenerateSecret(ctx context.Context, connectionID, resourceName, token string) (*security.SecretItem, error)
// ShouldWaitForGatewaySecret indicates whether a valid gateway secret is expected.
ShouldWaitForGatewaySecret(connectionID, resourceName, token string, fileMountedCertsOnly bool) bool
// SecretExist checks if secret already existed.
// This API is used for sds server to check if coming request is ack request.
SecretExist(connectionID, resourceName, token, version string) bool
// DeleteSecret deletes a secret by its key from cache.
DeleteSecret(connectionID, resourceName string)
}SecretManager defines secrets management interface which is used by SDS.
| Path | Synopsis |
|---|---|
| mock |
Package cache imports 26 packages (graph) and is imported by 6 packages. Updated 2020-08-05. Refresh now. Tools for package owners.