Documentation ¶
Index ¶
- Constants
- Variables
- func CreateCA(ctx context.Context, keyPair util_tls.KeyPair, ...) error
- func GenerateCA() (*util_tls.KeyPair, error)
- func GenerateClientCert(ca tls.Certificate) (util_tls.KeyPair, error)
- func GenerateServerCert(ca tls.Certificate, ip string) (util_tls.KeyPair, error)
- func LoadCA(ctx context.Context, resManager manager.ReadOnlyResourceManager) (tls.Certificate, error)
Constants ¶
const (
ClientCertSAN = "kuma-cp"
)
Variables ¶
var GlobalSecretKey = model.ResourceKey{
Name: "envoy-admin-ca",
}
Functions ¶
func GenerateCA ¶
func GenerateCA() (*util_tls.KeyPair, error)
GenerateCA generates the CA used for Envoy Admin communication (the control plane sending requests to the Envoy Admin API). Reusing the CA of the mTLS backend enabled on a Mesh object is not an option, for two reasons:
- mTLS on a Mesh can be disabled, while Envoy Admin communication must always be protected. Otherwise a malicious actor could call the /quitquitquit endpoint, shut the proxy down and cause a denial of service.
- ZoneIngress and ZoneEgress are not scoped to a Mesh.
The minimum needed to solve this is a self-signed client certificate for the control plane, but a CA from which both client and server certificates are issued works just as well.
Rotation: users can change the CA by swapping the secret and restarting all instances of the CP. Multizone: a CA is generated for every zone; there is no need for it to be stable.
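The following worked example is added here and is not the project's code. It shows the certificate layout the comment above describes: a self-signed CA, a server certificate bound to the Envoy instance's IP, a client certificate carrying the ClientCertSAN ("kuma-cp"), and the two verification checks each side performs. The KeyPair type stands in for the project's util_tls.KeyPair, whose fields are not shown on this page; the address 10.0.0.5 and the validity periods are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ClientCertSAN mirrors the constant exported by the package.
const ClientCertSAN = "kuma-cp"

// KeyPair holds a parsed certificate and its private key (a stand-in for
// util_tls.KeyPair, whose layout is an assumption here).
type KeyPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign generates a P-256 key, fills in a random serial and signs tmpl with
// parent/parentKey; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (KeyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return KeyPair{}, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return KeyPair{}, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return KeyPair{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return KeyPair{}, err
	}
	return KeyPair{Cert: cert, Key: key}, nil
}

// GenerateCA creates a self-signed CA that may only issue leaf certificates.
func GenerateCA() (KeyPair, error) {
	now := time.Now()
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "envoy-admin-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// GenerateServerCert issues the certificate Envoy Admin presents; it is bound
// to the proxy's IP through an IP SAN, so a malformed address is rejected.
func GenerateServerCert(ca KeyPair, ip string) (KeyPair, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return KeyPair{}, fmt.Errorf("%q is not an IP address", ip)
	}
	now := time.Now()
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "envoy-admin"},
		NotBefore:   now.Add(-time.Minute),
		NotAfter:    now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{addr},
	}, ca.Cert, ca.Key)
}

// GenerateClientCert issues the control plane's client certificate with the
// kuma-cp DNS SAN and the clientAuth EKU only.
func GenerateClientCert(ca KeyPair) (KeyPair, error) {
	now := time.Now()
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: ClientCertSAN},
		NotBefore:   now.Add(-time.Minute),
		NotAfter:    now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		DNSNames:    []string{ClientCertSAN},
	}, ca.Cert, ca.Key)
}

// VerifyClient is the Envoy Admin side check: chain to the CA, require the
// clientAuth EKU, and require the kuma-cp SAN so a server certificate issued
// by the same CA cannot be replayed as a client certificate.
func VerifyClient(ca, client KeyPair) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Cert.Verify(opts); err != nil {
		return err
	}
	for _, n := range client.Cert.DNSNames {
		if n == ClientCertSAN {
			return nil
		}
	}
	return errors.New("client certificate lacks SAN " + ClientCertSAN)
}

// VerifyServer is the control plane side check when dialing Envoy Admin at ip:
// chain to the CA and match the IP SAN.
func VerifyServer(ca, server KeyPair, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, DNSName: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	_, err := server.Cert.Verify(opts)
	return err
}

func main() {
	ca, err := GenerateCA()
	if err != nil {
		panic(err)
	}
	server, err := GenerateServerCert(ca, "10.0.0.5") // constructed sample address
	if err != nil {
		panic(err)
	}
	client, err := GenerateClientCert(ca)
	if err != nil {
		panic(err)
	}
	fmt.Println("client cert accepted by Envoy Admin side:", VerifyClient(ca, client))
	fmt.Println("server cert accepted by CP for 10.0.0.5:", VerifyServer(ca, server, "10.0.0.5"))
	fmt.Println("server cert replayed as client cert:", VerifyClient(ca, server))
}
```

The separate extended key usages are what make the CA safe to share between both roles: without the clientAuth check and the SAN check, any Envoy holding a server certificate could authenticate to another Envoy's admin endpoint as the control plane. The rotation property described above follows directly from the trust model: a certificate issued by the old CA no longer verifies once the root secret is swapped.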
func GenerateClientCert ¶
func GenerateClientCert(ca tls.Certificate) (util_tls.KeyPair, error)
func GenerateServerCert ¶
func GenerateServerCert(ca tls.Certificate, ip string) (util_tls.KeyPair, error)
func LoadCA ¶
func LoadCA(ctx context.Context, resManager manager.ReadOnlyResourceManager) (tls.Certificate, error)
Types ¶
This section is empty.