istio: Index | Files | Directories

package ca

import ""


Package Files

ca.go selfsignedcarootcertrotator.go


const (

    // CASecret stores the key/cert of self-signed CA for persistency purpose.
    CASecret = "istio-ca-secret"
    // CertChainID is the ID/name for the certificate chain file.
    CertChainID = "cert-chain.pem"
    // PrivateKeyID is the ID/name for the private key file.
    PrivateKeyID = "key.pem"
    // RootCertID is the ID/name for the CA root certificate file.
    RootCertID = "root-cert.pem"
    // ServiceAccountNameAnnotationKey is the key to specify corresponding service account in the annotation of K8s secrets.
    ServiceAccountNameAnnotationKey = ""

type IstioCA Uses

type IstioCA struct {
    // contains filtered or unexported fields

IstioCA generates keys and certificates for Istio identities.

func NewIstioCA Uses

func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)

NewIstioCA returns a new IstioCA instance.

func (*IstioCA) GenKeyCert Uses

func (ca *IstioCA) GenKeyCert(hostnames []string, certTTL time.Duration, checkLifetime bool) ([]byte, []byte, error)

GenKeyCert generates a certificate signed by the CA, returns the certificate chain and the private key.

func (*IstioCA) GetCAKeyCertBundle Uses

func (ca *IstioCA) GetCAKeyCertBundle() util.KeyCertBundle

GetCAKeyCertBundle returns the KeyCertBundle for the CA.

func (*IstioCA) Run Uses

func (ca *IstioCA) Run(stopChan chan struct{})

func (*IstioCA) Sign Uses

func (ca *IstioCA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) (
    []byte, error)

Sign takes a PEM-encoded CSR, subject IDs and lifetime, and returns a signed certificate. If forCA is true, the signed certificate is a CA certificate, otherwise, it is a workload certificate. TODO(myidpt): Add error code to identify the Sign error types.

func (*IstioCA) SignWithCertChain Uses

func (ca *IstioCA) SignWithCertChain(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) (
    []byte, error)

SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.

type IstioCAOptions Uses

type IstioCAOptions struct {
    CAType caTypes

    DefaultCertTTL time.Duration
    MaxCertTTL     time.Duration
    CARSAKeySize   int

    KeyCertBundle util.KeyCertBundle

    LivenessProbeOptions *probe.Options
    ProbeCheckInterval   time.Duration

    // Config for creating self-signed root cert rotator.
    RotatorConfig *SelfSignedCARootCertRotatorConfig

IstioCAOptions holds the configurations for creating an Istio CA. TODO(myidpt): remove IstioCAOptions.

func NewPluggedCertIstioCAOptions Uses

func NewPluggedCertIstioCAOptions(certChainFile, signingCertFile, signingKeyFile, rootCertFile string,
    defaultCertTTL, maxCertTTL time.Duration, caRSAKeySize int) (caOpts *IstioCAOptions, err error)

NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance using given certificate.

func NewSelfSignedIstioCAOptions Uses

func NewSelfSignedIstioCAOptions(ctx context.Context,
    rootCertGracePeriodPercentile int, caCertTTL, rootCertCheckInverval, defaultCertTTL,
    maxCertTTL time.Duration, org string, dualUse bool, namespace string,
    readCertRetryInterval time.Duration, client corev1.CoreV1Interface,
    rootCertFile string, enableJitter bool, caRSAKeySize int) (caOpts *IstioCAOptions, err error)

NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using self-signed certificate.

type SelfSignedCARootCertRotator Uses

type SelfSignedCARootCertRotator struct {
    // contains filtered or unexported fields

SelfSignedCARootCertRotator automatically checks self-signed signing root certificate and rotates root certificate if it is going to expire.

func NewSelfSignedCARootCertRotator Uses

func NewSelfSignedCARootCertRotator(config *SelfSignedCARootCertRotatorConfig,
    ca *IstioCA) *SelfSignedCARootCertRotator

NewSelfSignedCARootCertRotator returns a new root cert rotator instance that rotates self-signed root cert periodically.

func (*SelfSignedCARootCertRotator) Run Uses

func (rotator *SelfSignedCARootCertRotator) Run(stopCh chan struct{})

Run refreshes root certs and updates config map accordingly.

type SelfSignedCARootCertRotatorConfig Uses

type SelfSignedCARootCertRotatorConfig struct {
    CheckInterval time.Duration
    // contains filtered or unexported fields



Package ca imports 20 packages (graph) and is imported by 3 packages. Updated 2020-11-14. Refresh now. Tools for package owners.