istio: Index | Files | Directories

package ca

import ""


Package Files

ca.go selfsignedcarootcertrotator.go


const (

    // CASecret stores the key/cert of self-signed CA for persistency purpose.
    CASecret = "istio-ca-secret"
    // CertChainID is the ID/name for the certificate chain file.
    CertChainID = "cert-chain.pem"
    // PrivateKeyID is the ID/name for the private key file.
    PrivateKeyID = "key.pem"
    // RootCertID is the ID/name for the CA root certificate file.
    RootCertID = "root-cert.pem"
    // ServiceAccountNameAnnotationKey is the key to specify corresponding service account in the annotation of K8s secrets.
    ServiceAccountNameAnnotationKey = ""

type IstioCA Uses

type IstioCA struct {
    // contains filtered or unexported fields

IstioCA generates keys and certificates for Istio identities.

func NewIstioCA Uses

func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)

NewIstioCA returns a new IstioCA instance.

func (*IstioCA) GetCAKeyCertBundle Uses

func (ca *IstioCA) GetCAKeyCertBundle() util.KeyCertBundle

GetCAKeyCertBundle returns the KeyCertBundle for the CA.

func (*IstioCA) Run Uses

func (ca *IstioCA) Run(stopChan chan struct{})

func (*IstioCA) Sign Uses

func (ca *IstioCA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) ([]byte, error)

Sign takes a PEM-encoded CSR, subject IDs and lifetime, and returns a signed certificate. If forCA is true, the signed certificate is a CA certificate, otherwise, it is a workload certificate. TODO(myidpt): Add error code to identify the Sign error types.

func (*IstioCA) SignWithCertChain Uses

func (ca *IstioCA) SignWithCertChain(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)

SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.

type IstioCAOptions Uses

type IstioCAOptions struct {
    CAType caTypes

    CertTTL    time.Duration
    MaxCertTTL time.Duration

    KeyCertBundle util.KeyCertBundle

    LivenessProbeOptions *probe.Options
    ProbeCheckInterval   time.Duration

    // Config for creating self-signed root cert rotator.
    RotatorConfig *SelfSignedCARootCertRotatorConfig

IstioCAOptions holds the configurations for creating an Istio CA. TODO(myidpt): remove IstioCAOptions.

func NewPluggedCertIstioCAOptions Uses

func NewPluggedCertIstioCAOptions(certChainFile, signingCertFile, signingKeyFile, rootCertFile string,
    certTTL, maxCertTTL time.Duration, namespace string, client corev1.CoreV1Interface) (caOpts *IstioCAOptions, err error)

NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance using given certificate.

func NewSelfSignedIstioCAOptions Uses

func NewSelfSignedIstioCAOptions(ctx context.Context, readSigningCertOnly bool,
    rootCertGracePeriodPercentile int, caCertTTL, rootCertCheckInverval, certTTL,
    maxCertTTL time.Duration, org string, dualUse bool, namespace string,
    readCertRetryInterval time.Duration, client corev1.CoreV1Interface,
    rootCertFile string, enableJitter bool) (caOpts *IstioCAOptions, err error)

NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using self-signed certificate.

type SelfSignedCARootCertRotator Uses

type SelfSignedCARootCertRotator struct {
    // contains filtered or unexported fields

SelfSignedCARootCertRotator automatically checks self-signed signing root certificate and rotates root certificate if it is going to expire.

func NewSelfSignedCARootCertRotator Uses

func NewSelfSignedCARootCertRotator(config *SelfSignedCARootCertRotatorConfig,
    ca *IstioCA) *SelfSignedCARootCertRotator

NewSelfSignedCARootCertRotator returns a new root cert rotator instance that rotates self-signed root cert periodically.

func (*SelfSignedCARootCertRotator) Run Uses

func (rotator *SelfSignedCARootCertRotator) Run(rootCertRotatorChan chan struct{})

Run refreshes root certs and updates config map accordingly.

type SelfSignedCARootCertRotatorConfig Uses

type SelfSignedCARootCertRotatorConfig struct {
    CheckInterval time.Duration
    // contains filtered or unexported fields



Package ca imports 21 packages (graph) and is imported by 3 packages. Updated 2019-10-18. Refresh now. Tools for package owners.