Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SaveKeyCert ¶
SaveKeyCert stores the specified key/cert into the file specified by the path. TODO(incfly): move this into CAClient struct's own method later.
Types ¶
type CAClient ¶
type CAClient struct {
// contains filtered or unexported fields
}
CAClient is a client to provision key and certificate from the upstream CA via CSR protocol.
func NewCAClient ¶
func NewCAClient(pltfmc platform.Client, ptclc grpc.CAGrpcClient, caAddr string, maxRetries int, interval time.Duration) (*CAClient, error)
NewCAClient creates a new CAClient instance.
func (*CAClient) CreateCSRRequest ¶
func (c *CAClient) CreateCSRRequest(opts *pkiutil.CertOptions) ([]byte, *pb.CsrRequest, error)
CreateCSRRequest returns a CsrRequest based on the specified CertOptions. TODO(incfly): add SendCSR method directly to CAClient.
func (*CAClient) Retrieve ¶
func (c *CAClient) Retrieve(options *pkiutil.CertOptions) (newCert []byte, certChain []byte, privateKey []byte, err error)
Retrieve sends the CSR to Istio CA with automatic retries. When successful, it returns the generated key and cert; otherwise it returns an error. This is a blocking function.
type Config ¶
type Config struct {
// Address of the CA which the CA client calls to
CAAddress string
// Organization presented in the certificates
Org string
// Requested TTL of the certificates
RequestedCertTTL time.Duration
// Size of RSA private key
RSAKeySize int
// The environment this CA client is running on.
Env string
// The cluster management platform this node agent is running on.
Platform string
// Whether the certificate is for CA
ForCA bool
// CSRInitialRetrialInterval is the retrial interval for certificate requests.
CSRInitialRetrialInterval time.Duration
// CSRMaxRetries is the number of retries for certificate requests.
CSRMaxRetries int
// CSRGracePeriodPercentage indicates the length of the grace period in the
// percentage of the entire certificate TTL.
CSRGracePeriodPercentage int
// CertFile defines the cert of the CA client.
CertFile string
// CertChainFile defines the cert chain file of the CA client, including the client's cert.
CertChainFile string
// KeyFile defines the private key of the CA client.
KeyFile string
// RootCertFile defines the root cert of the CA client.
RootCertFile string
}
Config is configuration for the CA client.
type KeyCertBundleRotator ¶
type KeyCertBundleRotator struct {
// contains filtered or unexported fields
}
KeyCertBundleRotator automatically updates the key and cert bundle by interacting with upstream CA.
func NewKeyCertBundleRotator ¶
func NewKeyCertBundleRotator(cfg *Config, bundle pkiutil.KeyCertBundle) (*KeyCertBundleRotator, error)
NewKeyCertBundleRotator is the constructor for keyCertBundleRotatorImpl based on the provided configuration.
func (*KeyCertBundleRotator) Start ¶
func (c *KeyCertBundleRotator) Start(errCh chan<- error)
Start periodically rotates the KeyCertBundle by interacting with the upstream CA. It is a blocking function that should run as a goroutine. Thread safe.
func (*KeyCertBundleRotator) Stop ¶
func (c *KeyCertBundleRotator) Stop()
Stop stops the loop. Thread safe.
type KeyCertRetriever ¶
type KeyCertRetriever interface {
Retrieve(opt *pkiutil.CertOptions) (newCert, certChain, privateKey []byte, err error)
}
KeyCertRetriever is the interface responsible for retrieving a new key and certificate from the upstream CA.
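The following is an added, self-contained example (not code from the Istio package documented above) that exercises the three ideas this page describes: a KeyCertRetriever implementation, the retry loop that Retrieve performs against the upstream CA (driven by CSRMaxRetries and CSRInitialRetrialInterval), and the rotation schedule derived from CSRGracePeriodPercentage. It also shows a SaveKeyCert-style write that keeps the private key file owner-readable only. CertOptions is a placeholder struct standing in for pkiutil.CertOptions, flakyCA is a constructed fake of the upstream CA, and the interpretation of the grace period as "request a new cert this percentage of the TTL before expiry" is an assumption; the real rotator's schedule is not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// CertOptions is a placeholder for pkiutil.CertOptions (assumption: only the
// fields this example needs).
type CertOptions struct {
	Host string
	TTL  time.Duration
}

// KeyCertRetriever mirrors the interface documented on this page.
type KeyCertRetriever interface {
	Retrieve(opt *CertOptions) (newCert, certChain, privateKey []byte, err error)
}

// flakyCA is a constructed stand-in for the upstream CA: it fails the first
// failBefore calls with a transient error, then returns constructed PEM-like bytes.
type flakyCA struct {
	calls      int
	failBefore int
}

func (f *flakyCA) Retrieve(opt *CertOptions) ([]byte, []byte, []byte, error) {
	f.calls++
	if f.calls <= f.failBefore {
		return nil, nil, nil, errors.New("constructed transient CA error")
	}
	cert := []byte("-----BEGIN CERTIFICATE----- (constructed) " + opt.Host)
	key := []byte("-----BEGIN PRIVATE KEY----- (constructed)")
	return cert, cert, key, nil
}

// retrieveWithRetry makes up to 1+maxRetries attempts, sleeping interval between
// failures. It returns the number of attempts made so callers can observe the
// retry behaviour; the page's Retrieve blocks in the same way but hides the count.
func retrieveWithRetry(r KeyCertRetriever, opt *CertOptions, maxRetries int, interval time.Duration) (cert, chain, key []byte, attempts int, err error) {
	var lastErr error
	for attempt := 0; attempt <= maxRetries; attempt++ {
		cert, chain, key, err := r.Retrieve(opt)
		if err == nil {
			return cert, chain, key, attempt + 1, nil
		}
		lastErr = err
		if attempt < maxRetries {
			time.Sleep(interval)
		}
	}
	return nil, nil, nil, maxRetries + 1, fmt.Errorf("CSR failed after %d attempts: %w", maxRetries+1, lastErr)
}

// nextRotation returns the time to request a replacement certificate:
// gracePct percent of the TTL before the current one expires (assumed reading
// of CSRGracePeriodPercentage). Float math avoids int64 overflow for long TTLs.
func nextRotation(notBefore time.Time, ttl time.Duration, gracePct int) (time.Time, error) {
	if gracePct < 0 || gracePct > 100 {
		return time.Time{}, fmt.Errorf("grace percentage %d out of range [0,100]", gracePct)
	}
	grace := time.Duration(float64(ttl) * float64(gracePct) / 100)
	return notBefore.Add(ttl - grace), nil
}

// saveKeyCert writes cert.pem world-readable and key.pem owner-only, the
// distinction a SaveKeyCert-style helper should preserve on disk.
func saveKeyCert(dir string, cert, key []byte) error {
	if err := os.WriteFile(filepath.Join(dir, "cert.pem"), cert, 0o644); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "key.pem"), key, 0o600)
}

func main() {
	ca := &flakyCA{failBefore: 2}
	opt := &CertOptions{Host: "spiffe://cluster.local/ns/default/sa/default", TTL: time.Hour}
	cert, _, key, attempts, err := retrieveWithRetry(ca, opt, 3, 10*time.Millisecond)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	when, _ := nextRotation(time.Now(), opt.TTL, 50)
	fmt.Printf("got cert after %d attempts (%d bytes); rotate at %s\n", attempts, len(cert), when.Format(time.RFC3339))
	dir, _ := os.MkdirTemp("", "keycert")
	defer os.RemoveAll(dir)
	fmt.Println("saved:", saveKeyCert(dir, cert, key))
}
```

With failBefore set to 2 and CSRMaxRetries-style maxRetries of 3, the third attempt succeeds; with more failures than retries the caller gets a wrapped error after maxRetries+1 attempts, matching the "otherwise it returns an error" contract of Retrieve.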