secrets

package
v0.0.0-...-46d7da7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 20, 2018 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// KeyFilePermission is the permission bits for private key file.
	KeyFilePermission = 0600

	// CertFilePermission is the permission bits for certificate file.
	CertFilePermission = 0644
)
View Source
const (
	// SecretTypeURL defines the type URL for Envoy secret proto.
	SecretTypeURL = "type.googleapis.com/envoy.api.v2.auth.Secret"

	// SecretName defines the type of the secrets to fetch from the SDS server.
	SecretName = "SPKI"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// Mode specifies how the node agent communications to workload.
	Mode SecretServerMode

	// SecretDirectory specifies the root directory storing the key cert files, only for file mode.
	SecretDirectory string
}

Config contains the SecretServer configuration.

type SDSServer

type SDSServer struct {
	// contains filtered or unexported fields
}

SDSServer implements api.SecretDiscoveryServiceServer that listens on a list of Unix Domain Sockets.

func NewSDSServer

func NewSDSServer() *SDSServer

NewSDSServer creates the SDSServer that registers SecretDiscoveryServiceServer, a gRPC server.

func (*SDSServer) DeregisterUdsPath

func (s *SDSServer) DeregisterUdsPath(udsPath string) error

DeregisterUdsPath closes and removes the grpcServer instance serving UDS

func (*SDSServer) FetchSecrets

func (s *SDSServer) FetchSecrets(ctx context.Context, request *api.DiscoveryRequest) (*api.DiscoveryResponse, error)

FetchSecrets fetches the X.509 key/cert for a given workload whose identity can be derived from the UDS path where this call is received.

func (*SDSServer) GetTLSCertificate

func (s *SDSServer) GetTLSCertificate() (*auth.TlsCertificate, error)

GetTLSCertificate generates the X.509 key/cert for the workload identity derived from udsPath, which is where the FetchSecrets grpc request is received. SecretServer implementations could have different implementation

func (*SDSServer) Put

func (s *SDSServer) Put(serviceAccount string, b util.KeyCertBundle) error

Put stores the KeyCertBundle for a specific service account.

func (*SDSServer) RegisterUdsPath

func (s *SDSServer) RegisterUdsPath(udsPath string) error

RegisterUdsPath registers a path for Unix Domain Socket and has SDSServer's gRPC server listen on it.

func (*SDSServer) SetServiceIdentityCert

func (s *SDSServer) SetServiceIdentityCert(content []byte) error

SetServiceIdentityCert sets the service identity certificate into the memory.

func (*SDSServer) SetServiceIdentityPrivateKey

func (s *SDSServer) SetServiceIdentityPrivateKey(content []byte) error

SetServiceIdentityPrivateKey sets the service identity private key into the memory.

func (*SDSServer) StreamSecrets

StreamSecrets is not supported.

type SecretFileServer

type SecretFileServer struct {
	// contains filtered or unexported fields
}

SecretFileServer is an implementation of SecretServer that writes the key/cert into file system.

func (*SecretFileServer) Put

func (sf *SecretFileServer) Put(serviceAccount string, keycert util.KeyCertBundle) error

Put writes the specified key and cert to the files.

type SecretServer

type SecretServer interface {
	// Put stores the key cert bundle with associated workload identity.
	Put(serviceAccount string, bundle util.KeyCertBundle) error
}

SecretServer is for implementing the communication from the node agent to the workload.

func NewSecretServer

func NewSecretServer(cfg *Config) (SecretServer, error)

NewSecretServer instantiates a SecretServer according to the configuration.

type SecretServerMode

type SecretServerMode int

SecretServerMode is the mode SecretServer runs.

const (
	// SecretFile the key/cert to the workload through file.
	SecretFile SecretServerMode = iota // 0
	// SecretDiscoveryServiceAPI the key/cert to the workload through SDS API.
	SecretDiscoveryServiceAPI // 1
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL