Documentation
Index
- func CreateDownstreamTlsContext(downstreamMesh core_xds.CaRequest, mesh core_xds.IdentityCertRequest) (*envoy_tls.DownstreamTlsContext, error)
- func CreateUpstreamTlsContext(mesh core_xds.IdentityCertRequest, upstreamMesh core_xds.CaRequest, ...) (*envoy_tls.UpstreamTlsContext, error)
- func KumaIDMatcher(tagName, tagValue string) *envoy_type_matcher.StringMatcher
- func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
- func NewSecretConfigSource(secretName string) *envoy_tls.SdsSecretConfig
- func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher
- func StaticDownstreamTlsContext(keyPair *tls.KeyPair) *envoy_tls.DownstreamTlsContext
- func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool, hostname string, sni string) (*envoy_tls.UpstreamTlsContext, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func CreateDownstreamTlsContext
func CreateDownstreamTlsContext(downstreamMesh core_xds.CaRequest, mesh core_xds.IdentityCertRequest) (*envoy_tls.DownstreamTlsContext, error)
CreateDownstreamTlsContext creates a DownstreamTlsContext for incoming connections. It verifies that the incoming connection presents a TLS certificate signed by the Mesh CA with a URI SAN carrying the prefix spiffe://{mesh_name}/. It secures the inbound listener with the "identity_cert" certificate that will be received from SDS (this certificate contains the URI SANs of all inbounds).
func CreateUpstreamTlsContext
func CreateUpstreamTlsContext(mesh core_xds.IdentityCertRequest, upstreamMesh core_xds.CaRequest, upstreamService string, sni string) (*envoy_tls.UpstreamTlsContext, error)
CreateUpstreamTlsContext creates an UpstreamTlsContext for outgoing connections. It verifies that the upstream server presents a TLS certificate signed by the Mesh CA with the URI SAN spiffe://{mesh_name}/{upstream_service}. The downstream client presents to the upstream server a certificate with multiple URI SANs, which means that if a DP has inbounds for the services "web" and "web-api" and communicates with "backend", the upstream server ("backend") will see that DP with a TLS certificate carrying the URIs of both "web" and "web-api". There is no way to correlate an incoming request to "web" or "web-api" with the outgoing request to "backend", so only one URI SAN cannot be exposed.
Pass "*" for upstreamService to validate only that the upstream service is part of the mesh (not a specific one).
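The SAN checks described above, as an added stand-alone illustration (not the kuma package's own code): exact matching of spiffe://{mesh}/{service} for a named upstream service, prefix matching of spiffe://{mesh}/ when "*" is passed, run against the constructed multi-SAN certificate of a DP with "web" and "web-api" inbounds. The mesh name "default" and the service names are assumed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// SPIFFE ID layout used by the doc comments: spiffe://{mesh}/{service}.
// This re-implements the URI SAN checks the TlsContext builders configure
// in Envoy for illustration only; it is not the kuma package's code.

// meshPrefix is the URI SAN prefix every certificate issued by the Mesh CA carries.
func meshPrefix(mesh string) string { return "spiffe://" + mesh + "/" }

// serviceSpiffeID is the exact URI SAN expected from one service in the mesh.
func serviceSpiffeID(mesh, service string) string { return meshPrefix(mesh) + service }

// acceptPeer mirrors the upstream check: the peer must present at least one
// URI SAN equal to spiffe://{mesh}/{service}, or, when service is "*", any SAN
// under spiffe://{mesh}/ (mesh membership only). The "*" branch is also the
// prefix check the downstream (inbound) side applies to incoming connections.
func acceptPeer(mesh, service string, uriSANs []string) bool {
	for _, san := range uriSANs {
		if service == "*" {
			if strings.HasPrefix(san, meshPrefix(mesh)) {
				return true
			}
			continue
		}
		if san == serviceSpiffeID(mesh, service) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a DP with inbounds for "web" and "web-api" presents
	// both URI SANs on every outbound connection, as the doc comment explains.
	dpSANs := []string{"spiffe://default/web", "spiffe://default/web-api"}
	fmt.Println(acceptPeer("default", "web", dpSANs))     // true
	fmt.Println(acceptPeer("default", "backend", dpSANs)) // false
	fmt.Println(acceptPeer("default", "*", dpSANs))       // true
	fmt.Println(acceptPeer("other", "*", dpSANs))         // false
}
```

Note the trailing slash in meshPrefix: without it, a certificate from a mesh named "default-2" would pass the prefix check for mesh "default".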
func KumaIDMatcher
func KumaIDMatcher(tagName, tagValue string) *envoy_type_matcher.StringMatcher
func MeshSpiffeIDPrefixMatcher
func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
func NewSecretConfigSource (added in v1.8.1)
func NewSecretConfigSource(secretName string) *envoy_tls.SdsSecretConfig
func ServiceSpiffeIDMatcher
func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher
func StaticDownstreamTlsContext
func StaticDownstreamTlsContext(keyPair *tls.KeyPair) *envoy_tls.DownstreamTlsContext
Types
This section is empty.