istio: istio.io/istio/security/pkg/server/ca

package ca

import "istio.io/istio/security/pkg/server/ca"

Index

Package Files

authorizer.go monitoring.go server.go

type CertificateAuthority

type CertificateAuthority interface {
    // Sign generates a certificate for a workload or CA, from the given CSR and TTL.
    // TODO(myidpt): simplify this interface and pass a struct with cert field values instead.
    Sign(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
    // SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.
    SignWithCertChain(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
    // GetCAKeyCertBundle returns the KeyCertBundle used by CA.
    GetCAKeyCertBundle() util.KeyCertBundle
}

CertificateAuthority contains methods to be supported by a CA.

type Server

type Server struct {
    // contains filtered or unexported fields
}

Server implements IstioCAService and IstioCertificateService and provides the services on the specified port.

func New

func New(ca CertificateAuthority, ttl time.Duration, forCA bool,
    hostlist []string, port int, trustDomain string, sdsEnabled bool) (*Server, error)

New creates a new instance of `IstioCAServiceServer`.

func (*Server) CreateCertificate

func (s *Server) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
    *pb.IstioCertificateResponse, error)

CreateCertificate handles an incoming certificate signing request (CSR). It performs authentication and authorization. Once the request is validated, it signs a certificate such that:
  - the SAN is the identity of the caller taken from the authentication result;
  - the subject public key is the public key carried in the CSR;
  - the validity duration is the ValidityDuration from the request, or the default value if the given duration is invalid;
  - it is signed by the CA signing key.

func (*Server) HandleCSR

func (s *Server) HandleCSR(ctx context.Context, request *pb.CsrRequest) (*pb.CsrResponse, error)

HandleCSR handles an incoming certificate signing request (CSR). It performs proper validation (e.g. authentication) and, once the request is validated, signs the CSR and returns the resulting certificate. If the request is not approved, the reason for refusing to sign is returned as part of the response object. TODO(myidpt): Deprecate this function.

func (*Server) Run

func (s *Server) Run() error

Run starts a gRPC server on the specified port.

Directories

Path          Synopsis
authenticate

Package ca imports 19 packages. Updated 2019-10-02.