Documentation ¶
Index ¶
Constants ¶
const PEMBlockCertificateRequest = "CERTIFICATE REQUEST"
Variables ¶
This section is empty.
Functions ¶
func GetCertIstio ¶
func GetCertIstio(ctx context.Context, ma *meshauth.Mesh, dest *meshauth.Dest, ttlSec int, certSigner string) (string, []string, error)
GetCertIstio implements the client side of the basic Istio CA gRPC protocol, requesting a certificate for the primary key in Mesh.
The 'dest' must be configured with one of the following credentials, which the CA uses to authenticate the request:
- A TokenSource reading the istio-ca token mounted in the pod
- A K8S token source returning tokens for the "istio-ca" audience (using cluster, kubeconfig or other user creds)
- An existing certificate
- A long-lived certificate
Types ¶
type IstioCA ¶
type IstioCA struct {
	// Map of issuers to trust domains.
	IssuerToTrustDomain map[string]string
	CA    *meshca.CA
	Auth  *meshauth.Mesh
	SSHCA *sshd.SSHMesh
}
IstioCA implements the Istio CA interface as a 'reflective CA'.
It accepts any JWT that the upstream verification handler has validated and returns a certificate for the same identity; the trust domain of that identity is looked up from the JWT issuer in IssuerToTrustDomain, so a token from an issuer that is not in the map cannot be turned into a certificate. Because the CA reflects the caller's identity rather than applying its own authorization policy, the JWT verification placed in front of it and the issuer map are the only controls on who can obtain which certificate.
func (*IstioCA) CreateCertificate ¶
func (ca *IstioCA) CreateCertificate(ctx context.Context, r *connect.Request[auth.IstioCertificateRequest]) (*connect.Response[auth.IstioCertificateResponse], error)
CreateCertificate should be chained with a verification handler. The method itself performs no verification: it assumes the request's Authorization credential has already been verified by that handler.
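The following is an added, self-contained example (not code from this package) of the reflective-CA decision that CreateCertificate and the PEMBlockCertificateRequest constant together describe: the client sends a PEM "CERTIFICATE REQUEST", the CA uses only the CSR's public key, and the issued identity is derived from already-verified JWT claims, with the issuer mapped to a trust domain. The names ReflectiveCA, NewReflectiveCA, NewCSR and must are hypothetical stand-ins written for this example; the issuer URL, trust domain and service-account subject are constructed, and the mapping of a Kubernetes service-account subject to a spiffe://<td>/ns/<ns>/sa/<name> URI follows the usual Istio convention as an assumption. The real IstioCA signs through meshca.CA and is served behind a connect handler, neither of which is modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Same PEM block type as the package constant PEMBlockCertificateRequest.
const pemBlockCertificateRequest = "CERTIFICATE REQUEST"

// ReflectiveCA is a hypothetical stand-in for IstioCA: one in-memory signing key plus the issuer -> trust-domain map.
type ReflectiveCA struct {
	IssuerToTrustDomain map[string]string
	Cert                *x509.Certificate
	Key                 *ecdsa.PrivateKey
}

// must panics on error; used only in the example's setup code, never in the issuing path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewReflectiveCA creates a throwaway self-signed CA for the example.
func NewReflectiveCA(issuers map[string]string) *ReflectiveCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-reflective-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &ReflectiveCA{IssuerToTrustDomain: issuers, Cert: must(x509.ParseCertificate(der)), Key: key}
}

// CreateCertificate signs the PEM CSR a client sends, using only its public key. The identity comes from
// JWT claims verified upstream (iss selects the trust domain, sub the workload); CSR SANs are ignored.
func (ca *ReflectiveCA) CreateCertificate(csrPEM []byte, iss, sub string, ttl time.Duration) (*x509.Certificate, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != pemBlockCertificateRequest {
		return nil, fmt.Errorf("expected a %s PEM block", pemBlockCertificateRequest)
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	td, ok := ca.IssuerToTrustDomain[iss]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not mapped to a trust domain", iss)
	}
	p := strings.Split(sub, ":") // Kubernetes SA tokens: system:serviceaccount:<ns>:<name>
	if len(p) != 4 || p[0] != "system" || p[1] != "serviceaccount" || p[2] == "" || p[3] == "" {
		return nil, fmt.Errorf("subject %q is not a service account", sub)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: td, Path: "/ns/" + p[2] + "/sa/" + p[3]}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // the Istio response would carry this PEM-encoded
}

// NewCSR is the client side: a fresh key and a PEM CSR requesting want as its URI SAN.
func NewCSR(want *url.URL) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{want}}, key))
	return key, pem.EncodeToMemory(&pem.Block{Type: pemBlockCertificateRequest, Bytes: der})
}

func main() {
	ca := NewReflectiveCA(map[string]string{"https://kubernetes.default.svc": "cluster.local"})
	// Constructed client: its CSR asks for an identity that the JWT does not prove.
	_, csrPEM := NewCSR(&url.URL{Scheme: "spiffe", Host: "other.example", Path: "/ns/kube-system/sa/admin"})
	leaf := must(ca.CreateCertificate(csrPEM, "https://kubernetes.default.svc", "system:serviceaccount:default:httpbin", time.Hour))
	fmt.Println("issued", leaf.URIs[0]) // spiffe://cluster.local/ns/default/sa/httpbin
}
```

The CSR in main asks for an admin identity in another trust domain, but the leaf comes out with the identity the JWT proves. The two checks a reflective CA cannot skip are the CSR signature check (so the caller holds the key it wants certified) and the issuer lookup (so a token from an unknown issuer is refused rather than mapped into some default trust domain); JWT signature and expiry checks still belong in the verification handler in front of it.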