Documentation ¶
Index ¶
Constants ¶
const ( // CASecret stores the key/cert of self-signed CA for persistency purpose. CASecret = "istio-ca-secret" // CertChainID is the ID/name for the certificate chain file. CertChainID = "cert-chain.pem" // PrivateKeyID is the ID/name for the private key file. PrivateKeyID = "key.pem" // RootCertID is the ID/name for the CA root certificate file. RootCertID = "root-cert.pem" // ServiceAccountNameAnnotationKey is the key to specify corresponding service account in the annotation of K8s secrets. ServiceAccountNameAnnotationKey = "istio.io/service-account.name" )
Variables ¶
This section is empty.
Functions ¶
func BuildSecret ¶
func BuildSecret(saName, scrtName, namespace string, certChain, privateKey, rootCert, caCert, caPrivateKey []byte, secretType v1.SecretType) *v1.Secret
BuildSecret returns a secret struct, contents of which are filled with parameters passed in.
Types ¶
type CertificateAuthority ¶
type CertificateAuthority interface { // Sign generates a certificate for a workload or CA, from the given CSR and TTL. // TODO(myidpt): simplify this interface and pass a struct with cert field values instead. Sign(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error) // GetCAKeyCertBundle returns the KeyCertBundle used by CA. GetCAKeyCertBundle() util.KeyCertBundle }
CertificateAuthority contains methods to be supported by a CA.
type ErrType ¶
type ErrType int
ErrType is the type for CA errors.
const ( // CANotReady means the CA is not ready to sign CSRs. CANotReady ErrType = iota // CSRError means the CA cannot sign CSR due to CSR error. CSRError // TTLError means the required TTL is invalid. TTLError // CertGenError means an error happened during the certificate generation. CertGenError )
type Error ¶
type Error struct {
// contains filtered or unexported fields
}
Error encapsulates the short and long errors.
func (Error) HTTPErrorCode ¶
HTTPErrorCode returns an HTTP error code representing the error type.
type IstioCA ¶
type IstioCA struct {
// contains filtered or unexported fields
}
IstioCA generates keys and certificates for Istio identities.
func NewIstioCA ¶
func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)
NewIstioCA returns a new IstioCA instance.
func (*IstioCA) GetCAKeyCertBundle ¶
func (ca *IstioCA) GetCAKeyCertBundle() util.KeyCertBundle
GetCAKeyCertBundle returns the KeyCertBundle for the CA.
func (*IstioCA) Sign ¶
func (ca *IstioCA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) ([]byte, error)
Sign takes a PEM-encoded CSR, subject IDs and lifetime, and returns a signed certificate. If forCA is true, the signed certificate is a CA certificate, otherwise, it is a workload certificate. TODO(myidpt): Add error code to identify the Sign error types.
type IstioCAOptions ¶
type IstioCAOptions struct { CAType caTypes CertTTL time.Duration MaxCertTTL time.Duration KeyCertBundle util.KeyCertBundle LivenessProbeOptions *probe.Options ProbeCheckInterval time.Duration }
IstioCAOptions holds the configurations for creating an Istio CA. TODO(myidpt): remove IstioCAOptions.
func NewPluggedCertIstioCAOptions ¶
func NewPluggedCertIstioCAOptions(certChainFile, signingCertFile, signingKeyFile, rootCertFile string, certTTL, maxCertTTL time.Duration) (caOpts *IstioCAOptions, err error)
NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance using given certificate.
func NewSelfSignedIstioCAOptions ¶
func NewSelfSignedIstioCAOptions(caCertTTL, certTTL, maxCertTTL time.Duration, org string, dualUse bool, namespace string, core corev1.SecretsGetter) (caOpts *IstioCAOptions, err error)
NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using self-signed certificate.