istio: istio.io/istio/security/pkg/nodeagent/cache Index | Files | Directories

package cache

import "istio.io/istio/security/pkg/nodeagent/cache"

Package cache is the in-memory secret store.

Index

Package Files

helper.go monitoring.go secretcache.go

Constants 

const (
    TokenExchange = "token_exchange"
    CSR           = "csr"
)
const (

    // RootCertReqResourceName is resource name of discovery request for root certificate.
    RootCertReqResourceName = "ROOTCA"

    // WorkloadKeyCertResourceName is the resource name of the discovery request for workload
    // identity.
    // TODO: change all the pilot one reference definition here instead.
    WorkloadKeyCertResourceName = "default"
)

Variables 

var (

    // ExistingRootCertFile is the well-known path for an existing root certificate file
    ExistingRootCertFile = defaultRootCertFilePath
)
var (
    RequestType = monitoring.MustCreateLabel("request_type")
)

type ConnKey Uses

type ConnKey struct {
    ConnectionID string

    // ResourceName of SDS request, get from SDS.DiscoveryRequest.ResourceName
    // Current it's `ROOTCA` for root cert request, and 'default' for normal key/cert request.
    ResourceName string
}

ConnKey is the key of one SDS connection.

type Options Uses

type Options struct {
    // secret TTL.
    SecretTTL time.Duration

    // The initial backoff time in millisecond to avoid the thundering herd problem.
    InitialBackoffInMilliSec int64

    // secret should be rotated if:
    // time.Now.After(<secret ExpireTime> - <secret TTL> * SecretRotationGracePeriodRatio)
    SecretRotationGracePeriodRatio float64

    // Key rotation job running interval.
    RotationInterval time.Duration

    // Cached secret will be removed from cache if (time.now - secretItem.CreatedTime >= evictionDuration), this prevents cache growing indefinitely.
    EvictionDuration time.Duration

    // TrustDomain corresponds to the trust root of a system.
    // https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    TrustDomain string

    // authentication provider specific plugins.
    Plugins []plugin.Plugin

    // Set this flag to true for if token used is always valid(ex, normal k8s JWT)
    AlwaysValidTokenFlag bool

    // Set this flag to true if skip validate format for certificate chain returned from CA.
    SkipValidateCert bool

    // Whether to generate PKCS#8 private keys.
    Pkcs8Keys bool

    // OutputKeyCertToDir is the directory for output the key and certificate
    OutputKeyCertToDir string
}

Options provides all of the configuration parameters for secret cache.

type SecretCache Uses

type SecretCache struct {
    // contains filtered or unexported fields
}

SecretCache is the in-memory cache for secrets.

func NewSecretCache Uses

func NewSecretCache(fetcher *secretfetcher.SecretFetcher, notifyCb func(ConnKey, *model.SecretItem) error, options Options) *SecretCache

NewSecretCache creates a new secret cache.

func (*SecretCache) Close Uses

func (sc *SecretCache) Close()

Close shuts down the secret cache.

func (*SecretCache) DeleteK8sSecret Uses

func (sc *SecretCache) DeleteK8sSecret(secretName string)

DeleteK8sSecret deletes all entries that match secretName. This is called when a K8s secret for ingress gateway is deleted.

func (*SecretCache) DeleteSecret Uses

func (sc *SecretCache) DeleteSecret(connectionID, resourceName string)

DeleteSecret deletes a secret by its key from cache.

func (*SecretCache) GenerateSecret Uses

func (sc *SecretCache) GenerateSecret(ctx context.Context, connectionID, resourceName, token string) (*model.SecretItem, error)

GenerateSecret generates new secret and cache the secret, this function is called by SDS.StreamSecrets and SDS.FetchSecret. Since credential passing from client may change, regenerate secret every time instead of reading from cache.

func (*SecretCache) SecretExist Uses

func (sc *SecretCache) SecretExist(connectionID, resourceName, token, version string) bool

SecretExist checks if secret already existed. This API is used for sds server to check if coming request is ack request.

func (*SecretCache) ShouldWaitForIngressGatewaySecret Uses

func (sc *SecretCache) ShouldWaitForIngressGatewaySecret(connectionID, resourceName, token string) bool

ShouldWaitForIngressGatewaySecret returns true if node agent is working in ingress gateway agent mode and needs to wait for ingress gateway secret to be ready.

func (*SecretCache) UpdateK8sSecret Uses

func (sc *SecretCache) UpdateK8sSecret(secretName string, ns model.SecretItem)

UpdateK8sSecret updates all entries that match secretName. This is called when a K8s secret for ingress gateway is updated.

type SecretManager Uses

type SecretManager interface {
    // GenerateSecret generates new secret and cache the secret.
    GenerateSecret(ctx context.Context, connectionID, resourceName, token string) (*model.SecretItem, error)

    // ShouldWaitForIngressGatewaySecret indicates whether a valid ingress gateway secret is expected.
    ShouldWaitForIngressGatewaySecret(connectionID, resourceName, token string) bool

    // SecretExist checks if secret already existed.
    // This API is used for sds server to check if coming request is ack request.
    SecretExist(connectionID, resourceName, token, version string) bool

    // DeleteSecret deletes a secret by its key from cache.
    DeleteSecret(connectionID, resourceName string)
}

SecretManager defines secrets management interface which is used by SDS.

Directories

PathSynopsis
mock

Package cache imports 22 packages (graph) and is imported by 3 packages. Updated 2020-04-07. Refresh now. Tools for package owners.