README
¶
Package: Certificate
This package contains tools necessary to manage certificates for the service mesh. There are 3 kinds of certificates:
- the Envoy-to-xDS certificates - used for Envoys to connect and identify themselves to the xDS control plane.
- the Envoy-to-Envoy (east-west) certificates - used for encryption and identification of sidecars in communication between services.
- the root certificate for the entire mesh, which signs the leaf certs above
Interfaces
In types.go we define 2 interfaces:
certificate.Manager- is the interface exposing a particular certificate provider. The certificate manager is responsible for issuing and renewing certificates. It abstracts away the particular methods of signing, renewing, and storing certificates away from the rest of the service mesh components.certificate.Certificater- an abstraction over an actual certificate, which is signed by our CA, has an expiration, and certain properties common to all PEM encoded certificates issued by any certificate provider implemented.
Providers
The directory providers contains implementations of certificate issuers (certificate.Managers):
tresoris a minimal internal implementation of a certificate issuer, which leverages Go'scryptolibrary and uses Kubernetes' etcd for storage.keyvaultis a certificate issuer leveraging Azure Key Vault for secrets storage.vaultis another implementation of thecertificate.Managerinterface, which provides a way for all service mesh certificates to be stored on and signed by Hashicorp Vault.cert-manageris a certificate issuer leveraging cert-manager to sign certificates from Issuers.
Certificate Rotation
In the rotor directory we implement a certificate rotation mechanism, which may or may not be leveraged by the certificate issuers (providers).
Documentation
¶
Index ¶
- Constants
- func DecodePEMCertificate(certPEM []byte) (*x509.Certificate, error)
- func DecodePEMPrivateKey(keyPEM []byte) (*rsa.PrivateKey, error)
- func EncodeCertDERtoPEM(derBytes []byte) (pem.Certificate, error)
- func EncodeCertReqDERtoPEM(derBytes []byte) (pem.CertificateRequest, error)
- func EncodeKeyDERtoPEM(priv *rsa.PrivateKey) (pem.PrivateKey, error)
- func LoadCertificateFromFile(caPEMFile string) (tresorPem.Certificate, error)
- func LoadPrivateKeyFromFile(caKeyPEMFile string) (tresorPem.PrivateKey, error)
- type Certificater
- type CommonName
- type Manager
Constants ¶
const ( // TypeCertificate is a string constant to be used in the generation of a certificate. TypeCertificate = "CERTIFICATE" // TypePrivateKey is a string constant to be used in the generation of a private key for a certificate. TypePrivateKey = "PRIVATE KEY" // TypeCertificateRequest is a string constant to be used in the generation // of a certificate requests. TypeCertificateRequest = "CERTIFICATE REQUEST" )
Variables ¶
This section is empty.
Functions ¶
func DecodePEMCertificate ¶
func DecodePEMCertificate(certPEM []byte) (*x509.Certificate, error)
DecodePEMCertificate converts a certificate from PEM to x509 encoding
func DecodePEMPrivateKey ¶
func DecodePEMPrivateKey(keyPEM []byte) (*rsa.PrivateKey, error)
DecodePEMPrivateKey converts a certificate from PEM to x509 encoding
func EncodeCertDERtoPEM ¶
func EncodeCertDERtoPEM(derBytes []byte) (pem.Certificate, error)
EncodeCertDERtoPEM encodes the certificate provided in DER format into PEM format More information on the 2 formats is available in the following article: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
func EncodeCertReqDERtoPEM ¶ added in v0.4.0
func EncodeCertReqDERtoPEM(derBytes []byte) (pem.CertificateRequest, error)
EncodeCertReqDERtoPEM encodes the certificate request provided in DER format into PEM format.
func EncodeKeyDERtoPEM ¶
func EncodeKeyDERtoPEM(priv *rsa.PrivateKey) (pem.PrivateKey, error)
EncodeKeyDERtoPEM converts a DER encoded private key into a PEM encoded key
func LoadCertificateFromFile ¶
func LoadCertificateFromFile(caPEMFile string) (tresorPem.Certificate, error)
LoadCertificateFromFile loads a certificate from a PEM file.
func LoadPrivateKeyFromFile ¶
func LoadPrivateKeyFromFile(caKeyPEMFile string) (tresorPem.PrivateKey, error)
LoadPrivateKeyFromFile loads a private key from a PEM file.
Types ¶
type Certificater ¶
type Certificater interface {
// GetCommonName retrieves the name of the certificate.
GetCommonName() CommonName
// GetCertificateChain retrieves the cert chain.
GetCertificateChain() []byte
// GetPrivateKey returns the private key.
GetPrivateKey() []byte
// GetIssuingCA returns the root certificate for the given cert.
GetIssuingCA() []byte
// GetExpiration returns the time the certificate would expire.
GetExpiration() time.Time
}
Certificater is the interface declaring methods each Certificate object must have.
type CommonName ¶
type CommonName string
CommonName is the Subject Common Name from a given SSL certificate.
func (CommonName) String ¶
func (cn CommonName) String() string
type Manager ¶
type Manager interface {
// IssueCertificate issues a new certificate.
IssueCertificate(CommonName, time.Duration) (Certificater, error)
// GetCertificate returns a certificate given its Common Name (CN)
GetCertificate(CommonName) (Certificater, error)
// RotateCertificate rotates an existing certificate.
RotateCertificate(CommonName) (Certificater, error)
// GetRootCertificate returns the root certificate in PEM format and its expiration.
GetRootCertificate() (Certificater, error)
// ListCertificates lists all certificates issued
ListCertificates() ([]Certificater, error)
// GetAnnouncementsChannel returns a channel, which is used to announce when changes have been made to the issued certificates.
GetAnnouncementsChannel() <-chan interface{}
}
Manager is the interface declaring the methods for the Certificate Manager.
Source Files
Directories