import "istio.io/istio/security/pkg/nodeagent/cache"
Package cache is the in-memory secret store.
helper.go monitoring.go secretcache.go
const (
	// RootCertReqResourceName is resource name of discovery request for root certificate.
	RootCertReqResourceName = "ROOTCA"
	// WorkloadKeyCertResourceName is the resource name of the discovery request for workload
	// identity.
	// TODO: change all the pilot one reference definition here instead.
	WorkloadKeyCertResourceName = "default"
)
var (
	RequestType = monitoring.MustCreateLabel("request_type")
)
FileCert stores a reference to a certificate on disk
type SecretManagerClient struct {
// contains filtered or unexported fields
}
SecretManagerClient is a SecretManager that signs CSRs using a provided security.Client. Its primary use is to fetch the two specially named resources: `default`, which refers to the workload's SPIFFE certificate, and `ROOTCA`, which contains just the root certificate for the workload certificates. They are separated only because Envoy keeps them separate. Additionally, arbitrary certificates may be fetched from local files to support DestinationRule and Gateway. Note that certificates stored externally will be sent from Istiod directly; the in-agent SecretManagerClient has low privileges and cannot read Kubernetes Secrets or other storage backends. Istiod decides whether the agent (i.e. SecretManagerClient) or Istiod itself will serve an SDS response by selecting the appropriate cluster in the SDS configuration it serves.
SecretManagerClient supports two modes of retrieving certificates (potentially at the same time):

* File based certificates. If certs are mounted under the well-known path /etc/certs/{key,cert,root-cert.pem}, requests for `default` and `ROOTCA` will automatically read from these files. Additionally, certificates from Gateway/DestinationRule can also be served. This is done by parsing resource names in accordance with model.SdsCertificateConfig (file-cert: and file-root:).
* On demand CSRs. This is used only for the `default` certificate. When this resource is requested, a CSR will be sent to the configured caClient.
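To make the resource-name rules above concrete, the following is an added example written for this page, not code from the istio package: it resolves an SDS resource name into where the agent would get the bytes from, so the two modes and the file-cert:/file-root: names can be seen side by side. Several details are assumptions rather than statements of the page: the `~` separator between cert chain and key inside a `file-cert:` name, the exact file names under /etc/certs, that `ROOTCA` without mounted files comes from the CA's response rather than a CSR, and `kubernetes://` as an example of an externally stored credential name that the agent does not serve.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Specially named SDS resources, matching the constants documented on this page.
const (
	RootCertReqResourceName     = "ROOTCA"
	WorkloadKeyCertResourceName = "default"
)

// Prefixes used by model.SdsCertificateConfig for Gateway/DestinationRule file
// certificates. The "~" separator between cert chain and key is an assumption
// of this example, not something the page states.
const (
	fileCertPrefix = "file-cert:"
	fileRootPrefix = "file-root:"
	fileCertSep    = "~"
)

// Assumed file names under the well-known /etc/certs mount. The page only gives
// the pattern {key,cert,root-cert.pem}; these exact names are illustrative.
const (
	wellKnownDir  = "/etc/certs/"
	wellKnownKey  = wellKnownDir + "key.pem"
	wellKnownCert = wellKnownDir + "cert-chain.pem"
	wellKnownRoot = wellKnownDir + "root-cert.pem"
)

// Mode says where the bytes for a resource come from.
type Mode int

const (
	ModeCSR            Mode = iota // send a CSR to the configured caClient (only for `default`)
	ModeCARoot                     // root taken from the CA's response (assumed for `ROOTCA` without files)
	ModeWellKnownFiles             // read the well-known /etc/certs mount
	ModeFileCert                   // cert chain + key from an explicit file-cert: name
	ModeFileRoot                   // root cert from an explicit file-root: name
)

// Source is the resolved origin of one SDS resource.
type Source struct {
	Mode     Mode
	CertPath string
	KeyPath  string
	RootPath string
}

// Resolve maps an SDS resource name to a Source. wellKnownMounted reports whether
// the /etc/certs files exist, which the real agent checks on disk.
func Resolve(name string, wellKnownMounted bool) (Source, error) {
	switch {
	case strings.HasPrefix(name, fileCertPrefix):
		parts := strings.Split(strings.TrimPrefix(name, fileCertPrefix), fileCertSep)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return Source{}, fmt.Errorf("%q: expected %s<cert>%s<key>", name, fileCertPrefix, fileCertSep)
		}
		return Source{Mode: ModeFileCert, CertPath: parts[0], KeyPath: parts[1]}, nil
	case strings.HasPrefix(name, fileRootPrefix):
		root := strings.TrimPrefix(name, fileRootPrefix)
		if root == "" {
			return Source{}, fmt.Errorf("%q: missing root certificate path", name)
		}
		return Source{Mode: ModeFileRoot, RootPath: root}, nil
	case name == WorkloadKeyCertResourceName:
		if wellKnownMounted {
			return Source{Mode: ModeWellKnownFiles, CertPath: wellKnownCert, KeyPath: wellKnownKey}, nil
		}
		return Source{Mode: ModeCSR}, nil
	case name == RootCertReqResourceName:
		if wellKnownMounted {
			return Source{Mode: ModeWellKnownFiles, RootPath: wellKnownRoot}, nil
		}
		return Source{Mode: ModeCARoot}, nil
	}
	// Anything else (for example an assumed kubernetes:// credential name) is served
	// by Istiod, not by the low-privilege agent, so the agent refuses it.
	return Source{}, errors.New("resource " + name + " is not served by the agent")
}

func main() {
	names := []string{"default", "ROOTCA", "file-cert:/etc/gw/tls.crt~/etc/gw/tls.key", "file-root:/etc/gw/ca.crt", "kubernetes://gw-secret"}
	for _, n := range names {
		s, err := Resolve(n, false)
		fmt.Printf("%-45s -> %+v err=%v\n", n, s, err)
	}
}
```

The refusal at the bottom is the security-relevant branch: because the agent cannot read Kubernetes Secrets, an unknown name must fail closed on the agent side and be routed to Istiod by the SDS cluster selection described above.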
Callers are expected to only call GenerateSecret when a new certificate is required. Generally, this should be done a single time at startup, then repeatedly when the certificate is near expiration. To help users handle certificate expiration, any certificates created by the caClient will be monitored; when they are near expiration the notifyCallback function is triggered, prompting the client to call GenerateSecret again, if they still care about the certificate. For files, this callback is instead triggered on any change to the file (triggering on expiration would not be helpful, as all we can do is re-read the same file).
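The expiry-driven callback just described, as an added illustration written for this page rather than taken from the package: it computes when a CA-issued certificate should be renewed from its NotBefore/NotAfter using a grace-period ratio, clamps the wait to zero for a certificate that is already past that point, and arms a one-shot timer that invokes a notify function with the resource name, the same shape as the callback registered through SetUpdateCallback. The ratio value 0.5, the function names, and the self-signed test certificate standing in for what the caClient would return are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// RotationTime is the instant at which a CA-issued certificate should be renewed:
// the point where graceRatio of its lifetime is still left. Ratio 0.5 (assumed
// default here) renews at the midpoint, leaving half a lifetime to retry a CA that
// is temporarily failing before the workload's certificate actually expires.
func RotationTime(cert *x509.Certificate, graceRatio float64) (time.Time, error) {
	if graceRatio <= 0 || graceRatio > 1 {
		return time.Time{}, errors.New("graceRatio must be in (0, 1]")
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 {
		return time.Time{}, errors.New("certificate NotAfter is not after NotBefore")
	}
	return cert.NotAfter.Add(-time.Duration(float64(lifetime) * graceRatio)), nil
}

// RenewDelay is how long, measured from now, to wait before telling the client to
// call GenerateSecret again. A certificate already past its rotation point (or
// already expired) yields zero so the callback fires immediately.
func RenewDelay(cert *x509.Certificate, now time.Time, graceRatio float64) (time.Duration, error) {
	at, err := RotationTime(cert, graceRatio)
	if err != nil {
		return 0, err
	}
	if d := at.Sub(now); d > 0 {
		return d, nil
	}
	return 0, nil
}

// ScheduleRenewal arms a one-shot timer that invokes notify(resourceName). The
// returned timer lets a Close() implementation stop it.
func ScheduleRenewal(cert *x509.Certificate, resourceName string, graceRatio float64, notify func(string)) (*time.Timer, error) {
	d, err := RenewDelay(cert, time.Now(), graceRatio)
	if err != nil {
		return nil, err
	}
	return time.AfterFunc(d, func() { notify(resourceName) }), nil
}

// ParsePEMCertificate decodes the first CERTIFICATE block of a PEM bundle.
func ParsePEMCertificate(b []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(b)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SelfSignedPEM builds a constructed, throwaway workload certificate with the
// given validity window, standing in for what the caClient would return.
func SelfSignedPEM(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test-workload"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// SPIFFE ID SAN like the one the `default` resource carries (hypothetical trust domain).
		URIs: []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/default"}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().Truncate(time.Second)
	pemBytes, err := SelfSignedPEM(now, now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	cert, err := ParsePEMCertificate(pemBytes)
	if err != nil {
		panic(err)
	}
	at, _ := RotationTime(cert, 0.5)
	d, _ := RenewDelay(cert, now, 0.5)
	fmt.Printf("valid until %s, renew at %s (in %s)\n", cert.NotAfter.UTC(), at.UTC(), d)
}
```

Taking the rotation point from the certificate's own validity window, rather than from a fixed interval, means a CA that issues shorter-lived certificates automatically gets renewed more often; the zero-clamp covers the restart case where a cached certificate is already stale when the client first asks for it.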
func NewSecretManagerClient(caClient security.Client, options security.Options) (*SecretManagerClient, error)
NewSecretManagerClient creates a new SecretManagerClient.
func (sc *SecretManagerClient) CallUpdateCallback(resourceName string)
func (sc *SecretManagerClient) Close()
func (sc *SecretManagerClient) GenerateSecret(resourceName string) (secret *security.SecretItem, err error)
GenerateSecret generates a new secret and caches it; this function is called by SDS.StreamSecrets and SDS.FetchSecret. Since the credential passed by the client may change, the secret is regenerated every time instead of being read from the cache.
func (sc *SecretManagerClient) SetUpdateCallback(f func(resourceName string))
Path | Synopsis
---|---
mock |
Package cache imports 19 packages and is imported by 7 packages. Updated 2021-01-09.