ca

package

v0.0.0-...-bf9fd61 Latest Latest Go to latest Published: Apr 18, 2024 License: Apache-2.0 Imports: 20 Imported by: 47

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/istio/istio

Documentation ¶

Index ¶

Constants
func BuildSecret(scrtName, namespace string, ...) *v1.Secret
type CertOpts
type IstioCA
- func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)
type IstioCAOptions
type RootCertUpdateFunc
type SelfSignedCARootCertRotator
- func NewSelfSignedCARootCertRotator(config *SelfSignedCARootCertRotatorConfig, ca *IstioCA, ...) *SelfSignedCARootCertRotator
- func (rotator *SelfSignedCARootCertRotator) Run(stopCh chan struct{})
type SelfSignedCARootCertRotatorConfig
type SigningCAFileBundle

Constants ¶

View Source

const (

	// CACertFile is the CA certificate chain file.
	CACertFile = "ca-cert.pem"
	// CAPrivateKeyFile is the private key file of CA.
	CAPrivateKeyFile = "ca-key.pem"
	// CASecret stores the key/cert of self-signed CA for persistency purpose.
	CASecret = "istio-ca-secret"
	// CertChainFile is the ID/name for the certificate chain file.
	CertChainFile = "cert-chain.pem"
	// PrivateKeyFile is the ID/name for the private key file.
	PrivateKeyFile = "key.pem"
	// RootCertFile is the ID/name for the CA root certificate file.
	RootCertFile = "root-cert.pem"
	// TLSSecretCACertFile is the CA certificate file name as it exists in tls type k8s secret.
	TLSSecretCACertFile = "tls.crt"
	// TLSSecretCAPrivateKeyFile is the CA certificate key file name as it exists in tls type k8s secret.
	TLSSecretCAPrivateKeyFile = "tls.key"
	// TLSSecretRootCertFile is the root cert file name as it exists in tls type k8s secret.
	TLSSecretRootCertFile = "ca.crt"

	// CACertsSecret stores the plugin CA certificates, in external istiod scenario, the secret can be in the config cluster.
	CACertsSecret = "cacerts"
	// IstioGenerated is the key indicating the secret is generated by Istio.
	IstioGenerated = "istio-generated"
)

Variables ¶

This section is empty.

Functions ¶

func BuildSecret ¶

func BuildSecret(scrtName, namespace string, certChain, privateKey, rootCert, caCert, caPrivateKey []byte, secretType v1.SecretType) *v1.Secret

BuildSecret returns a secret struct, contents of which are filled with parameters passed in. Adds the "istio-generated" key if the secret name is `cacerts`.

Types ¶

type CertOpts ¶

type CertOpts struct {
	// SubjectIDs are used for building the SAN extension for the certificate.
	SubjectIDs []string

	// TTL is the requested lifetime (Time to live) to be applied in the certificate.
	TTL time.Duration

	// ForCA indicates whether the signed certificate if for CA.
	// If true, the signed certificate is a CA certificate, otherwise, it is a workload certificate.
	ForCA bool

	// Cert Signer info
	CertSigner string
}

type IstioCA ¶

type IstioCA struct {
	// contains filtered or unexported fields
}

IstioCA generates keys and certificates for Istio identities.

func NewIstioCA ¶

func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)

NewIstioCA returns a new IstioCA instance.

func (*IstioCA) GenKeyCert ¶

func (ca *IstioCA) GenKeyCert(hostnames []string, certTTL time.Duration, checkLifetime bool) ([]byte, []byte, error)

GenKeyCert generates a certificate signed by the CA, returns the certificate chain and the private key.

func (*IstioCA) GetCAKeyCertBundle ¶

func (ca *IstioCA) GetCAKeyCertBundle() *util.KeyCertBundle

GetCAKeyCertBundle returns the KeyCertBundle for the CA.

func (*IstioCA) Run ¶

func (ca *IstioCA) Run(stopChan chan struct{})

func (*IstioCA) Sign ¶

func (ca *IstioCA) Sign(csrPEM []byte, certOpts CertOpts) (
	[]byte, error,
)

Sign takes a PEM-encoded CSR and cert opts, and returns a signed certificate.

func (*IstioCA) SignWithCertChain ¶

func (ca *IstioCA) SignWithCertChain(csrPEM []byte, certOpts CertOpts) (
	[]string, error,
)

SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.

type IstioCAOptions ¶

type IstioCAOptions struct {
	CAType caTypes

	DefaultCertTTL time.Duration
	MaxCertTTL     time.Duration
	CARSAKeySize   int

	KeyCertBundle *util.KeyCertBundle

	// Config for creating self-signed root cert rotator.
	RotatorConfig *SelfSignedCARootCertRotatorConfig

	// OnRootCertUpdate is the cb which can only be called by self-signed root cert rotator
	OnRootCertUpdate func() error
}

IstioCAOptions holds the configurations for creating an Istio CA.

func NewPluggedCertIstioCAOptions ¶

func NewPluggedCertIstioCAOptions(fileBundle SigningCAFileBundle,
	defaultCertTTL, maxCertTTL time.Duration, caRSAKeySize int,
) (caOpts *IstioCAOptions, err error)

NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance using given certificate.

func NewSelfSignedDebugIstioCAOptions ¶

func NewSelfSignedDebugIstioCAOptions(rootCertFile string, caCertTTL, defaultCertTTL, maxCertTTL time.Duration,
	org string, caRSAKeySize int,
) (caOpts *IstioCAOptions, err error)

NewSelfSignedDebugIstioCAOptions returns a new IstioCAOptions instance using self-signed certificate produced by in-memory CA, which runs without K8s, and no local ca key file presented.

func NewSelfSignedIstioCAOptions ¶

func NewSelfSignedIstioCAOptions(ctx context.Context,
	rootCertGracePeriodPercentile int, caCertTTL, rootCertCheckInverval, defaultCertTTL,
	maxCertTTL time.Duration, org string, useCacertsSecretName, dualUse bool, namespace string, client corev1.CoreV1Interface,
	rootCertFile string, enableJitter bool, caRSAKeySize int,
) (caOpts *IstioCAOptions, err error)

NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using self-signed certificate.

type RootCertUpdateFunc ¶

type RootCertUpdateFunc func() error

type SelfSignedCARootCertRotator ¶

type SelfSignedCARootCertRotator struct {
	// contains filtered or unexported fields
}

SelfSignedCARootCertRotator automatically checks self-signed signing root certificate and rotates root certificate if it is going to expire.

func NewSelfSignedCARootCertRotator ¶

func NewSelfSignedCARootCertRotator(config *SelfSignedCARootCertRotatorConfig,
	ca *IstioCA,
	onRootCertUpdate func() error,
) *SelfSignedCARootCertRotator

NewSelfSignedCARootCertRotator returns a new root cert rotator instance that rotates self-signed root cert periodically. nolint: gosec Not security sensitive code

func (*SelfSignedCARootCertRotator) Run ¶

func (rotator *SelfSignedCARootCertRotator) Run(stopCh chan struct{})

Run refreshes root certs and updates config map accordingly.

type SelfSignedCARootCertRotatorConfig ¶

type SelfSignedCARootCertRotatorConfig struct {
	CheckInterval time.Duration
	// contains filtered or unexported fields
}

type SigningCAFileBundle ¶

type SigningCAFileBundle struct {
	RootCertFile    string
	CertChainFiles  []string
	SigningCertFile string
	SigningKeyFile  string
}

SigningCAFileBundle locations of the files used for the signing CA

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
mock

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL