Documentation ¶
Index ¶
- type Interface
- type Options
- type Provider
- func NewProvider(log logr.Logger, cm certmanager.Signer, opts Options, issuerChangeNotifier certmanager.IssuerChangeNotifier) (*Provider, error)
- func (p *Provider) Check(_ *http.Request) error
- func (p *Provider) Config(ctx context.Context) (*tls.Config, error)
- func (p *Provider) NeedLeaderElection() bool
- func (p *Provider) RootCAs() rootca.RootCAs
- func (p *Provider) Start(ctx context.Context) error
- func (p *Provider) SubscribeRootCAsEvent() <-chan event.GenericEvent
- func (p *Provider) TrustDomain() string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Interface ¶ added in v0.3.0
type Interface interface {
	// TrustDomain returns the Trust Domain of the mesh.
	TrustDomain() string
	// RootCAs returns the root CA PEM bundle as well as an *x509.CertPool
	// containing the decoded CA certificates.
	// This func blocks until the CA certificates are available.
	RootCAs() rootca.RootCAs
	// Config provides a tls.Config that is kept up to date with renewed
	// serving certificates and root CAs.
	// This func blocks until the tls.Config is available.
	Config(ctx context.Context) (*tls.Config, error)
	// SubscribeRootCAsEvent returns a channel on which a message is sent
	// whenever a root CA changes.
	SubscribeRootCAsEvent() <-chan event.GenericEvent
}
Interface is a TLS provider that serves consumers with the current root CA certificates, as well as exposing a tls.Config that can be used for serving.
type Options ¶ added in v0.2.0
type Options struct {
	// TrustDomain is the trust domain to use for this mesh.
	TrustDomain string
	// RootCAsCertFile is an optional file location containing a PEM CA bundle.
	// If non-empty, this CA bundle will be used to populate the CA of the mesh.
	RootCAsCertFile string
	// ServingCertificateDuration is the duration requested for the gRPC service
	// serving certificate.
	ServingCertificateDuration time.Duration
	// ServingCertificateDNSNames is the DNS names that will be requested for the
	// gRPC service serving certificate. The service must be routable by clients
	// by at least one of these DNS names.
	ServingCertificateDNSNames []string
	// ServingCertificateKeySize is the number of bits to use for the serving
	// certificate's RSA key. The default is 2048.
	ServingCertificateKeySize int
	// ServingSignatureAlgorithm is the key type used for the serving
	// certificate, RSA or ECDSA. The default is RSA.
	ServingSignatureAlgorithm string
}
type Provider ¶
type Provider struct {
// contains filtered or unexported fields
}
Provider is used to provide a TLS config containing an automatically renewed private key and certificate. The provider keeps renewing the signed certificate and private key in the background, while consumers transparently use the exposed TLS config. Consumers *MUST* use this config as is, in order for the certificate and private key to be renewed transparently.
func NewProvider ¶
func NewProvider(log logr.Logger, cm certmanager.Signer, opts Options, issuerChangeNotifier certmanager.IssuerChangeNotifier) (*Provider, error)
NewProvider returns a new provider from which a TLS config can be fetched with Config once Start has obtained a serving certificate.
func (*Provider) Check ¶ added in v0.2.0
func (p *Provider) Check(_ *http.Request) error
Check is used by the shared readiness manager to report whether the TLS provider is ready. The request argument is unused; a non-nil error means the provider is not yet ready.
func (*Provider) Config ¶ added in v0.2.0
func (p *Provider) Config(ctx context.Context) (*tls.Config, error)
Config should be used by consumers of the provider to get a TLS config whose signed certificate and private key are renewed appropriately. This function blocks until a TLS config is ready or the context has been cancelled.
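The contract in the two paragraphs above (use the returned config as is, and Config blocks until a certificate exists or the context is cancelled) comes down to how the config resolves its certificate. The following is an added example written for this page, not istio-csr's code: a minimal provider built only on the standard library that hands out a tls.Config whose GetCertificate callback reads the current certificate under a lock, so a consumer that obtained the config once serves the renewed certificate without doing anything. The Provider, Renew, serving, selfSignedCert and Demo names, the DNS name and the self-signed fixture are all constructed for the example; in istio-csr the certificate would come from cert-manager through the renewal loop started by Start.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Provider is an illustrative stand-in (not istio-csr's code): the current
// certificate sits behind a mutex and the tls.Config resolves it per handshake.
type Provider struct {
	mu    sync.RWMutex
	cert  *tls.Certificate
	ready chan struct{}
	once  sync.Once
}

func NewProvider() *Provider { return &Provider{ready: make(chan struct{})} }

// Renew installs a freshly issued certificate (the renewal loop's job in istio-csr).
func (p *Provider) Renew(cert *tls.Certificate) {
	p.mu.Lock()
	p.cert = cert
	p.mu.Unlock()
	p.once.Do(func() { close(p.ready) }) // first certificate: unblock Config
}

// Config blocks until the first certificate exists or ctx is cancelled. The
// returned config carries no static Certificates: every handshake asks the
// provider for the current one, which is why consumers must use it as is.
func (p *Provider) Config(ctx context.Context) (*tls.Config, error) {
	select {
	case <-p.ready:
	case <-ctx.Done():
		return nil, ctx.Err()
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			p.mu.RLock()
			defer p.mu.RUnlock()
			return p.cert, nil
		},
	}, nil
}

// serving returns the certificate cfg would present in a handshake right now,
// by invoking the same callback crypto/tls calls.
func serving(cfg *tls.Config) *tls.Certificate {
	c, _ := cfg.GetCertificate(&tls.ClientHelloInfo{})
	return c
}

// selfSignedCert is a fixture standing in for the certificate cert-manager would
// sign for istio-csr; the DNS name is constructed. It panics on fixture failure.
func selfSignedCert(serial int64) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{"istio-csr.example.svc"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Demo obtains one tls.Config, renews the certificate underneath it and reports
// the serial a consumer observes before and after the renewal.
func Demo() (before, after int64, err error) {
	p := NewProvider()
	p.Renew(selfSignedCert(1))
	cfg, err := p.Config(context.Background())
	if err != nil {
		return 0, 0, err
	}
	before = serving(cfg).Leaf.SerialNumber.Int64()
	p.Renew(selfSignedCert(2))
	after = serving(cfg).Leaf.SerialNumber.Int64() // same config, new certificate
	return before, after, nil
}

func main() {
	before, after, err := Demo()
	fmt.Println("serial before:", before, "after:", after, "err:", err)
}
```

Run it with go run: the config obtained once reports serial 1 before the renewal and serial 2 after it, without being rebuilt. The same mechanism is what breaks if a consumer copies the certificate out of the config or assembles its own tls.Config from a certificate it read at one point in time: that copy never learns about the renewal and starts failing handshakes when the original expires. Calling Config with a context that expires before any certificate is available returns ctx.Err() instead of blocking forever.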
func (*Provider) NeedLeaderElection ¶ added in v0.2.0
func (p *Provider) NeedLeaderElection() bool
NeedLeaderElection returns false, so the provider runs on every replica rather than only on the elected leader: all istio-csr pods need up-to-date serving certs to minimise the delay when a non-leader pod takes leadership.
func (*Provider) RootCAs ¶ added in v0.3.0
func (p *Provider) RootCAs() rootca.RootCAs
RootCAs returns the configured root CA bundle, as PEM and as a decoded certificate pool. This function blocks until the root CAs have been populated.
func (*Provider) Start ¶ added in v0.2.0
func (p *Provider) Start(ctx context.Context) error
Start starts the TLS provider: it fetches a serving certificate, provides a TLS config based on it, and keeps the certificate renewed in the background. This function blocks for the lifetime of ctx.
func (*Provider) SubscribeRootCAsEvent ¶ added in v0.3.0
func (p *Provider) SubscribeRootCAsEvent() <-chan event.GenericEvent
SubscribeRootCAsEvent returns a channel on which a message is sent whenever a root CA changes.