Documentation
Index
- func CreateDownstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_tls.DownstreamTlsContext, error)
- func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, ...) (*envoy_tls.UpstreamTlsContext, error)
- func KumaIDMatcher(tagName, tagValue string) *envoy_type_matcher.StringMatcher
- func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
- func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher
- func StaticDownstreamTlsContext(keyPair *tls.KeyPair) *envoy_tls.DownstreamTlsContext
- func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool, hostname string, sni string) (*envoy_tls.UpstreamTlsContext, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func CreateDownstreamTlsContext
func CreateDownstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_tls.DownstreamTlsContext, error)
CreateDownstreamTlsContext creates a DownstreamTlsContext for incoming connections. It verifies that the incoming connection presents a TLS certificate signed by the Mesh CA with a URI SAN carrying the prefix spiffe://{mesh_name}/. It secures the inbound listener with the "identity_cert" certificate received from SDS (this certificate contains the URI SANs of all inbounds). Access to SDS is secured by a TLS certificate (set in config or autogenerated at CP start) and the path to the dataplane token.
func CreateUpstreamTlsContext
func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, upstreamService string, sni string) (*envoy_tls.UpstreamTlsContext, error)
CreateUpstreamTlsContext creates an UpstreamTlsContext for outgoing connections. It verifies that the upstream server presents a TLS certificate signed by the Mesh CA with a URI SAN of spiffe://{mesh_name}/{upstream_service}. The downstream client presents to the upstream server a certificate with multiple URI SANs: if a DP has inbounds for the services "web" and "web-api" and communicates with "backend", the upstream server ("backend") will see that DP with a TLS certificate whose URIs are those of "web" and "web-api". There is no way to correlate an incoming request to "web" or "web-api" with the outgoing request to "backend", so a certificate exposing only one URI SAN cannot be selected.
Pass "*" for upstreamService to validate that the upstream service is part of the mesh (but not a specific one).
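The SPIFFE ID shapes and the "*" rule described above, as an added example in plain Go against crypto/x509 rather than Kuma's own code or Envoy matchers; the helper names are assumed, and the certificate is a constructed self-signed one carrying the two-inbound SAN set from the text:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Identity formats from the text: mesh prefix spiffe://{mesh}/ and exact spiffe://{mesh}/{service}.
func meshSpiffeIDPrefix(mesh string) string        { return "spiffe://" + mesh + "/" }
func serviceSpiffeID(mesh, service string) string { return meshSpiffeIDPrefix(mesh) + service }
// peerAllowed checks a peer cert's URI SANs: "*" accepts any ID under the mesh prefix,
// otherwise one SAN must equal the exact service ID (the rule described in the text).
func peerAllowed(cert *x509.Certificate, mesh, upstreamService string) bool {
	for _, u := range cert.URIs {
		san := u.String()
		inMesh := upstreamService == "*" && strings.HasPrefix(san, meshSpiffeIDPrefix(mesh))
		if inMesh || san == serviceSpiffeID(mesh, upstreamService) {
			return true
		}
	}
	return false
}
// identityCert self-signs a constructed cert with one URI SAN per inbound service (the
// shape of a dataplane's "identity_cert") and parses it back the way a verifier would.
func identityCert(mesh string, services []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, s := range services {
		u, _ := url.Parse(serviceSpiffeID(mesh, s)) // constructed IDs always parse
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	cert, err := identityCert("default", []string{"web", "web-api"}) // DP with two inbounds
	if err != nil {
		panic(err)
	}
	// "backend" sees both URIs: exact match on "backend" fails, "*" (any mesh member) passes
	fmt.Println(cert.URIs, peerAllowed(cert, "default", "backend"), peerAllowed(cert, "default", "*"))
}
```

The trailing slash in the mesh prefix is what keeps an identity from mesh "default-staging" from passing the "*" check for mesh "default"; only signature verification against the Mesh CA, not shown here, makes the SAN trustworthy in the first place.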
func KumaIDMatcher
func KumaIDMatcher(tagName, tagValue string) *envoy_type_matcher.StringMatcher
func MeshSpiffeIDPrefixMatcher
func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
func ServiceSpiffeIDMatcher
func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher
func StaticDownstreamTlsContext
func StaticDownstreamTlsContext(keyPair *tls.KeyPair) *envoy_tls.DownstreamTlsContext
Types
This section is empty.