secrets

package

v0.0.0-...-d8a8f93 Latest Latest Go to latest Published: May 2, 2019 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/airmap/istio

Documentation ¶

Index ¶

Constants
type Config
type SDSServer
- func NewSDSServer() *SDSServer
type SecretFileServer
- func (sf *SecretFileServer) Put(serviceAccount string, keycert util.KeyCertBundle) error
type SecretServer
- func NewSecretServer(cfg *Config) (SecretServer, error)
type SecretServerMode

Constants ¶

View Source

const (
	// KeyFilePermission is the permission bits for private key file.
	KeyFilePermission = 0600

	// CertFilePermission is the permission bits for certificate file.
	CertFilePermission = 0644
)

View Source

const (
	// SecretTypeURL defines the type URL for Envoy secret proto.
	SecretTypeURL = "type.googleapis.com/envoy.api.v2.auth.Secret"

	// SecretName defines the type of the secrets to fetch from the SDS server.
	SecretName = "SPKI"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	// Mode specifies how the node agent communications to workload.
	Mode SecretServerMode

	// SecretDirectory specifies the root directory storing the key cert files, only for file mode.
	SecretDirectory string
}

Config contains the SecretServer configuration.

type SDSServer ¶

type SDSServer struct {
	// contains filtered or unexported fields
}

SDSServer implements api.SecretDiscoveryServiceServer that listens on a list of Unix Domain Sockets.

func NewSDSServer ¶

func NewSDSServer() *SDSServer

NewSDSServer creates the SDSServer that registers SecretDiscoveryServiceServer, a gRPC server.

func (*SDSServer) DeregisterUdsPath ¶

func (s *SDSServer) DeregisterUdsPath(udsPath string) error

DeregisterUdsPath closes and removes the grpcServer instance serving UDS

func (*SDSServer) FetchSecrets ¶

func (s *SDSServer) FetchSecrets(ctx context.Context, request *api.DiscoveryRequest) (*api.DiscoveryResponse, error)

FetchSecrets fetches the X.509 key/cert for a given workload whose identity can be derived from the UDS path where this call is received.

func (*SDSServer) GetTLSCertificate ¶

func (s *SDSServer) GetTLSCertificate() (*auth.TlsCertificate, error)

GetTLSCertificate generates the X.509 key/cert for the workload identity derived from udsPath, which is where the FetchSecrets grpc request is received. SecretServer implementations could have different implementation

func (*SDSServer) Put ¶

func (s *SDSServer) Put(serviceAccount string, b util.KeyCertBundle) error

Put stores the KeyCertBundle for a specific service account.

func (*SDSServer) RegisterUdsPath ¶

func (s *SDSServer) RegisterUdsPath(udsPath string) error

RegisterUdsPath registers a path for Unix Domain Socket and has SDSServer's gRPC server listen on it.

func (*SDSServer) SetServiceIdentityCert ¶

func (s *SDSServer) SetServiceIdentityCert(content []byte) error

SetServiceIdentityCert sets the service identity certificate into the memory.

func (*SDSServer) SetServiceIdentityPrivateKey ¶

func (s *SDSServer) SetServiceIdentityPrivateKey(content []byte) error

SetServiceIdentityPrivateKey sets the service identity private key into the memory.

func (*SDSServer) StreamSecrets ¶

func (s *SDSServer) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecretsServer) error

StreamSecrets is not supported.

type SecretFileServer ¶

type SecretFileServer struct {
	// contains filtered or unexported fields
}

SecretFileServer is an implementation of SecretServer that writes the key/cert into file system.

func (*SecretFileServer) Put ¶

func (sf *SecretFileServer) Put(serviceAccount string, keycert util.KeyCertBundle) error

Put writes the specified key and cert to the files.

type SecretServer ¶

type SecretServer interface {
	// Put stores the key cert bundle with associated workload identity.
	Put(serviceAccount string, bundle util.KeyCertBundle) error
}

SecretServer is for implementing the communication from the node agent to the workload.

func NewSecretServer ¶

func NewSecretServer(cfg *Config) (SecretServer, error)

NewSecretServer instantiates a SecretServer according to the configuration.

type SecretServerMode ¶

type SecretServerMode int

SecretServerMode is the mode SecretServer runs.

const (
	// SecretFile the key/cert to the workload through file.
	SecretFile SecretServerMode = iota // 0
	// SecretDiscoveryServiceAPI the key/cert to the workload through SDS API.
	SecretDiscoveryServiceAPI // 1
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL