istio: istio.io/istio/security/pkg/server/ca

package ca

import "istio.io/istio/security/pkg/server/ca"

Index

Package Files

monitoring.go server.go

func Authenticate

func Authenticate(ctx context.Context, auth []security.Authenticator) *security.Caller

Authenticate goes through a list of authenticators (client certificate, Kubernetes JWT, and ID token) and returns the authenticated caller if one of them validates the request.

type CertificateAuthority

type CertificateAuthority interface {
    // Sign generates a certificate for a workload or CA, from the given CSR and TTL.
    // TODO(myidpt): simplify this interface and pass a struct with cert field values instead.
    Sign(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
    // SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.
    SignWithCertChain(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
    // GetCAKeyCertBundle returns the KeyCertBundle used by CA.
    GetCAKeyCertBundle() util.KeyCertBundle
}

CertificateAuthority contains methods to be supported by a CA.

type Server

type Server struct {
    Authenticators []security.Authenticator
    // contains filtered or unexported fields
}

Server implements IstioCAService and IstioCertificateService and provides the services on the specified port.

func New

func New(ca CertificateAuthority, ttl time.Duration,
    authenticators []security.Authenticator) (*Server, error)

New creates a new instance of `IstioCAServiceServer`.

func (*Server) CreateCertificate

func (s *Server) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
    *pb.IstioCertificateResponse, error)

CreateCertificate handles an incoming certificate signing request (CSR). It performs authentication and authorization; once the request is validated, it signs a certificate in which the SAN is the identity of the caller from the authentication result, the subject public key is the public key from the CSR, the validity duration is the ValidityDuration in the request (or the default value if the given duration is invalid), and the signature is made with the CA signing key.

func (*Server) Register

func (s *Server) Register(grpcServer *grpc.Server)

Register registers a gRPC server on the specified port.

Directories

Path                      Synopsis
authenticate
authenticate/kubeauth

Package ca imports 13 packages and is imported by 4 packages. Updated 2021-01-25.