Constants ¶
// Well-known names used when the CA persists or loads its key material.
const (
	// CASecret is the Kubernetes secret that persists the self-signed CA's
	// key and certificate. Because it carries the CA's private signing key,
	// read access to this secret should be limited to the CA itself.
	CASecret = "istio-ca-secret"

	// CertChainID names the certificate chain entry.
	CertChainID = "cert-chain.pem"
	// PrivateKeyID names the private key entry.
	PrivateKeyID = "key.pem"
	// RootCertID names the CA root certificate entry.
	RootCertID = "root-cert.pem"

	// ServiceAccountNameAnnotationKey is the annotation on K8s secrets that
	// records which service account the secret belongs to.
	ServiceAccountNameAnnotationKey = "istio.io/service-account.name"
)

// ReadSigningCertCheckInterval is how long to wait between retries when
// reading the signing key and certificate.
const ReadSigningCertCheckInterval = 5 * time.Second
Functions ¶
func BuildSecret ¶
func BuildSecret(saName, scrtName, namespace string, certChain, privateKey, rootCert, caCert, caPrivateKey []byte, secretType v1.SecretType) *v1.Secret
BuildSecret returns a secret struct whose contents are filled from the parameters passed in.
Types ¶
type CertificateAuthority ¶
// CertificateAuthority is the set of operations a CA must provide.
type CertificateAuthority interface {
	// GetCAKeyCertBundle exposes the key/cert bundle the CA signs with.
	GetCAKeyCertBundle() util.KeyCertBundle

	// Sign issues a certificate from csrPEM for the given subject IDs and TTL.
	// forCA selects a CA certificate instead of a workload certificate.
	// NOTE(review): the requested ttl is presumably checked against the CA's
	// MaxCertTTL (see TTLError) — confirm in the implementation.
	//
	// TODO(myidpt): simplify this interface and pass a struct with cert field values instead.
	Sign(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
}
CertificateAuthority contains methods to be supported by a CA.
type ErrType ¶
// ErrType classifies CA errors; the values are CANotReady, CSRError,
// TTLError and CertGenError.
type ErrType int
ErrType is the type for CA errors.
// CA error kinds. The values are written out explicitly so that they match
// the original declaration order (0, 1, 2, 3) even if a case is ever moved.
const (
	// CANotReady: the CA is not yet able to sign CSRs.
	CANotReady ErrType = 0
	// CSRError: the CSR itself is invalid, so the CA refuses to sign it.
	CSRError ErrType = 1
	// TTLError: the requested TTL is not acceptable.
	TTLError ErrType = 2
	// CertGenError: certificate generation failed.
	CertGenError ErrType = 3
)
type Error ¶
type Error struct {
// contains filtered or unexported fields
}
Error encapsulates the short and long errors.
func (Error) HTTPErrorCode ¶
HTTPErrorCode returns an HTTP error code representing the error type.
type IstioCA ¶
type IstioCA struct {
// contains filtered or unexported fields
}
IstioCA generates keys and certificates for Istio identities.
func NewIstioCA ¶
func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)
NewIstioCA returns a new IstioCA instance.
func (*IstioCA) GetCAKeyCertBundle ¶
func (ca *IstioCA) GetCAKeyCertBundle() util.KeyCertBundle
GetCAKeyCertBundle returns the KeyCertBundle for the CA.
func (*IstioCA) Sign ¶
func (ca *IstioCA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) ([]byte, error)
Sign takes a PEM-encoded CSR, subject IDs and lifetime, and returns a signed certificate. If forCA is true, the signed certificate is a CA certificate; otherwise it is a workload certificate. TODO(myidpt): Add error code to identify the Sign error types.
type IstioCAOptions ¶
// IstioCAOptions holds the configuration used to construct an IstioCA.
// TODO(myidpt): remove IstioCAOptions.
type IstioCAOptions struct {
	// CAType identifies how the CA obtained its key material; caTypes is
	// unexported, and instances are built via NewSelfSignedIstioCAOptions or
	// NewPluggedCertIstioCAOptions.
	CAType caTypes
	// CertTTL is the certificate lifetime the CA works with.
	// NOTE(review): presumably the default when a request specifies none — confirm.
	CertTTL time.Duration
	// MaxCertTTL is the longest certificate lifetime the CA accepts.
	// NOTE(review): presumably what Sign enforces via TTLError — confirm.
	MaxCertTTL time.Duration
	// KeyCertBundle is the bundle returned by GetCAKeyCertBundle and used
	// for signing; it carries the CA's private key.
	KeyCertBundle util.KeyCertBundle
	// LivenessProbeOptions configures the CA's liveness probe.
	LivenessProbeOptions *probe.Options
	// ProbeCheckInterval is the period between probe checks.
	ProbeCheckInterval time.Duration
}
IstioCAOptions holds the configurations for creating an Istio CA. TODO(myidpt): remove IstioCAOptions.
func NewPluggedCertIstioCAOptions ¶
func NewPluggedCertIstioCAOptions(certChainFile, signingCertFile, signingKeyFile, rootCertFile string, certTTL, maxCertTTL time.Duration, namespace string, client corev1.CoreV1Interface) (caOpts *IstioCAOptions, err error)
NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance using the given certificate and key files.
func NewSelfSignedIstioCAOptions ¶
func NewSelfSignedIstioCAOptions(ctx context.Context, caCertTTL, certTTL, maxCertTTL time.Duration, org string, dualUse bool, namespace string, readCertRetryInterval time.Duration, client corev1.CoreV1Interface) (caOpts *IstioCAOptions, err error)
NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using a self-signed certificate.