
package ra


Copyright Istio Authors

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Package Files

common.go k8s_ra.go


const (
    // ExtCAK8s : Integrate with external CA using k8s CSR API
    ExtCAK8s CaExternalType = "ISTIOD_RA_KUBERNETES_API"

    // ExtCAGrpc : Integration with external CA using Istio CA gRPC API
    ExtCAGrpc CaExternalType = "ISTIOD_RA_ISTIO_API"

    // DefaultExtCACertDir : Location of external CA certificate
    DefaultExtCACertDir string = "./etc/external-ca-cert"

func ValidateCSR

func ValidateCSR(csrPEM []byte, subjectIDs []string) bool

ValidateCSR reports whether every SAN extension in csrPEM matches one of the authenticated identities in subjectIDs.

type CaExternalType

type CaExternalType string

CaExternalType identifies the kind of external CA integration in use.

type IstioRAOptions

type IstioRAOptions struct {
    // ExternalCAType: Integration API type with external CA
    ExternalCAType CaExternalType
    // DefaultCertTTL: Default Certificate TTL
    DefaultCertTTL time.Duration
    // MaxCertTTL: Maximum Certificate TTL that can be requested
    MaxCertTTL time.Duration
    // CaCertFile : File containing PEM encoded CA root certificate of external CA
    CaCertFile string
    // CaSigner : To indicate custom CA Signer name when using external K8s CA
    CaSigner string
    // VerifyAppendCA : Whether to use the CA root cert in CaCertFile to verify the signed cert and append it to the returned cert chain
    VerifyAppendCA bool
    // K8sClient : K8s API client
    K8sClient certificatesv1beta1.CertificatesV1beta1Interface
    // TrustDomain
    TrustDomain string

IstioRAOptions holds the configuration options for an Istio RA.

type KubernetesRA

type KubernetesRA struct {
    // contains filtered or unexported fields

KubernetesRA is an RA that integrates with an external CA through the Kubernetes CSR API.

func NewKubernetesRA

func NewKubernetesRA(raOpts *IstioRAOptions) (*KubernetesRA, error)

NewKubernetesRA creates an RA that interfaces with a CA through the Kubernetes CSR API.

func (*KubernetesRA) GetCAKeyCertBundle

func (r *KubernetesRA) GetCAKeyCertBundle() util.KeyCertBundle

GetCAKeyCertBundle returns the KeyCertBundle for the CA.

func (*KubernetesRA) Sign

func (r *KubernetesRA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) ([]byte, error)

Sign takes a PEM-encoded CSR, the authenticated subject IDs, a requested lifetime and a forCA flag, and returns a certificate signed by the Kubernetes CA.

func (*KubernetesRA) SignWithCertChain

func (r *KubernetesRA) SignWithCertChain(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)

SignWithCertChain is similar to Sign but returns the leaf cert together with the entire cert chain.

type RegistrationAuthority

type RegistrationAuthority interface {

RegistrationAuthority is the interface implemented by every Registration Authority.

func NewIstioRA

func NewIstioRA(opts *IstioRAOptions) (RegistrationAuthority, error)

NewIstioRA is a factory that returns an RA implementing the RegistrationAuthority interface; opts selects the external CA provider.
