tls

package v0.12.0

This package is not in the latest version of its module.

Published: Sep 4, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Interface added in v0.3.0

type Interface interface {
	// TrustDomain returns the Trust Domain of the mesh.
	TrustDomain() string

	// RootCAs returns the root CA PEM bundle as well as an *x509.CertPool
	// containing the decoded CA certificates.
	// This func blocks until the CA certificates are available.
	RootCAs(ctx context.Context) *rootca.RootCAs

	// Config provides a tls.Config that is updated with updated serving
	// certificates and root CAs.
	// This func blocks until the tls.Config is available.
	Config(ctx context.Context) (*tls.Config, error)

	// SubscribeRootCAsEvent returns a channel on which a message is passed
	// whenever a root CA changes.
	SubscribeRootCAsEvent() <-chan event.GenericEvent
}

Interface is a TLS provider that serves consumers with the current root CA certificates, as well as exposing a tls.Config that can be used for serving.

type Options added in v0.2.0

type Options struct {
	// TrustDomain is the trust domain to use for this mesh.
	TrustDomain string

	// RootCAsCertFile is an optional file location containing a PEM CA bundle.
	// If non-empty, this CA bundle will be used to populate the CA of the mesh.
	RootCAsCertFile string

	// ServingCertificateDuration is the duration requested for the gRPC service
	// serving certificate.
	ServingCertificateDuration time.Duration

	// ServingCertificateDNSNames is the DNS names that will be requested for the
	// gRPC service serving certificate. The service must be routable by clients
	// by at least one of these DNS names.
	ServingCertificateDNSNames []string

	// ServingCertificateKeySize is the number of bits to use for the serving
	// certificate's RSA key. The default is 2048.
	ServingCertificateKeySize int

	// ServingSignatureAlgorithm is the key type used for the serving
	// certificate's signature algorithm, RSA or ECDSA. The default is RSA.
	ServingSignatureAlgorithm string
}

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider is used to provide a tls config containing an automatically renewed private key and certificate. The provider will continue to renew the signed certificate and private key in the background, while consumers can transparently use an exposed TLS config. Consumers *MUST* use this config as is in order for the certificate and private key to be renewed transparently.
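The reason the config must be used as-is is that renewal only reaches consumers when the certificate is resolved at handshake time rather than copied out once. The following is an added, constructed example (not istio-csr's own code): a stand-in provider that serves a renewable certificate through tls.Config.GetCertificate, beside a pinned copy that never sees the renewal. RotatingProvider, Issue, Pinned, ServedSerial and the self-signed certificates are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"sync/atomic"
	"time"
)

// RotatingProvider stands in for the page's Provider: the live certificate sits behind an atomic pointer.
type RotatingProvider struct{ cur atomic.Pointer[tls.Certificate] }

// Issue mints a short-lived self-signed ECDSA serving certificate (constructed sample;
// istio-csr obtains its certificate from the cert-manager Signer instead).
func Issue(dnsName string, serial int64, ttl time.Duration) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{dnsName},
		NotBefore: time.Now(), NotAfter: time.Now().Add(ttl)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Renew swaps in a renewed key pair; configs handed out earlier present it on their next handshake.
func (p *RotatingProvider) Renew(c *tls.Certificate) { p.cur.Store(c) }

// Config is what consumers must use as-is: GetCertificate defers the lookup to
// handshake time, which is what makes background renewal transparent.
func (p *RotatingProvider) Config() *tls.Config {
	return &tls.Config{
		MinVersion:     tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return p.cur.Load(), nil },
	}
}

// Pinned is the anti-pattern: copying the certificate into a static Certificates slice freezes it.
func Pinned(cfg *tls.Config) *tls.Config {
	c, _ := cfg.GetCertificate(&tls.ClientHelloInfo{})
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{*c}}
}

// ServedSerial reports the serial of the certificate a handshake through a live config presents.
func ServedSerial(cfg *tls.Config) int64 {
	c, _ := cfg.GetCertificate(&tls.ClientHelloInfo{})
	return c.Leaf.SerialNumber.Int64()
}
```

After a Renew, ServedSerial on the live config reports the new serial while the pinned config's Certificates[0] still carries the old one, which is exactly the staleness the MUST above guards against.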

func NewProvider

func NewProvider(log logr.Logger, cm certmanager.Signer, opts Options, issuerChangeNotifier certmanager.IssuerChangeNotifier) (*Provider, error)

NewProvider will return a new provider where a TLS config is ready to be fetched.

func (*Provider) Check added in v0.2.0

func (p *Provider) Check(_ *http.Request) error

Check is used by the shared readiness manager to expose whether the tls provider is ready.

func (*Provider) Config added in v0.2.0

func (p *Provider) Config(ctx context.Context) (*tls.Config, error)

Config should be used by consumers of the provider to get a TLS config which will have the signed certificate and private key appropriately renewed. This function will block until a TLS config is ready or the context has been cancelled.

func (*Provider) NeedLeaderElection added in v0.2.0

func (p *Provider) NeedLeaderElection() bool

All istio-csr pods need up-to-date serving certs to minimise the delay when a non-leader pod takes leadership.

func (*Provider) RootCAs added in v0.3.0

func (p *Provider) RootCAs(ctx context.Context) *rootca.RootCAs

RootCAs returns the configured CA certificate. This function blocks until the root CA has been populated.

func (*Provider) Start added in v0.2.0

func (p *Provider) Start(ctx context.Context) error

Start starts the TLS provider: it fetches a serving certificate, provides a TLS config based on it, and keeps that certificate renewed. It is a blocking function.

func (*Provider) SubscribeRootCAsEvent added in v0.3.0

func (p *Provider) SubscribeRootCAsEvent() <-chan event.GenericEvent

SubscribeRootCAsEvent returns a channel on which a message is passed whenever a root CA changes.

func (*Provider) TrustDomain added in v0.2.0

func (p *Provider) TrustDomain() string
