certificate

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 5, 2020 License: MIT Imports: 10 Imported by: 0

README

Package: Certificate

This package contains tools necessary to manage certificates for the service mesh. There are 3 kinds of certificates:

  • the Envoy-to-xDS certificates - used for Envoys to connect and identify themselves to the xDS control plane.
  • the Envoy-to-Envoy (east-west) certificates - used for encryption and identification of sidecars in communication between services.
  • the root certificate for the entire mesh, which signs the leaf certs above

Interfaces

In types.go we define 2 interfaces:

  1. certificate.Manager - is the interface exposing a particular certificate provider. The certificate manager is responsible for issuing and renewing certificates. It abstracts away the particular methods of signing, renewing, and storing certificates away from the rest of the service mesh components.
  2. certificate.Certificater - an abstraction over an actual certificate, which is signed by our CA, has an expiration, and certain properties common to all PEM encoded certificates issued by any certificate provider implemented.

Providers

The directory providers contains implementations of certificate issuers (certificate.Managers):

  1. tresor is a minimal internal implementation of a certificate issuer, which leverages Go's crypto library and uses Kubernetes' etcd for storage.
  2. keyvault is a certificate issuer leveraging Azure Key Vault for secrets storage.
  3. vault is another implementation of the certificate.Manager interface, which provides a way for all service mesh certificates to be stored on and signed by Hashicorp Vault.
  4. cert-manager is a certificate issuer leveraging cert-manager to sign certificates from Issuers.

Certificate Rotation

In the rotor directory we implement a certificate rotation mechanism, which may or may not be leveraged by the certificate issuers (providers).

Documentation

Index

Constants

View Source
const (
	// TypeCertificate is a string constant to be used in the generation of a certificate.
	TypeCertificate = "CERTIFICATE"

	// TypePrivateKey is a string constant to be used in the generation of a private key for a certificate.
	TypePrivateKey = "PRIVATE KEY"

	// TypeCertificateRequest is a string constant to be used in the generation
	// of a certificate requests.
	TypeCertificateRequest = "CERTIFICATE REQUEST"
)

Variables

This section is empty.

Functions

func DecodePEMCertificate

func DecodePEMCertificate(certPEM []byte) (*x509.Certificate, error)

DecodePEMCertificate converts a certificate from PEM to x509 encoding

func DecodePEMPrivateKey

func DecodePEMPrivateKey(keyPEM []byte) (*rsa.PrivateKey, error)

DecodePEMPrivateKey converts a certificate from PEM to x509 encoding

func EncodeCertDERtoPEM

func EncodeCertDERtoPEM(derBytes []byte) (pem.Certificate, error)

EncodeCertDERtoPEM encodes the certificate provided in DER format into PEM format More information on the 2 formats is available in the following article: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

func EncodeCertReqDERtoPEM added in v0.4.0

func EncodeCertReqDERtoPEM(derBytes []byte) (pem.CertificateRequest, error)

EncodeCertReqDERtoPEM encodes the certificate request provided in DER format into PEM format.

func EncodeKeyDERtoPEM

func EncodeKeyDERtoPEM(priv *rsa.PrivateKey) (pem.PrivateKey, error)

EncodeKeyDERtoPEM converts a DER encoded private key into a PEM encoded key

func LoadCertificateFromFile

func LoadCertificateFromFile(caPEMFile string) (tresorPem.Certificate, error)

LoadCertificateFromFile loads a certificate from a PEM file.

func LoadPrivateKeyFromFile

func LoadPrivateKeyFromFile(caKeyPEMFile string) (tresorPem.PrivateKey, error)

LoadPrivateKeyFromFile loads a private key from a PEM file.

Types

type Certificater

type Certificater interface {

	// GetCommonName retrieves the name of the certificate.
	GetCommonName() CommonName

	// GetCertificateChain retrieves the cert chain.
	GetCertificateChain() []byte

	// GetPrivateKey returns the private key.
	GetPrivateKey() []byte

	// GetIssuingCA returns the root certificate for the given cert.
	GetIssuingCA() []byte

	// GetExpiration returns the time the certificate would expire.
	GetExpiration() time.Time
}

Certificater is the interface declaring methods each Certificate object must have.

type CommonName

type CommonName string

CommonName is the Subject Common Name from a given SSL certificate.

func (CommonName) String

func (cn CommonName) String() string

type Manager

type Manager interface {
	// IssueCertificate issues a new certificate.
	IssueCertificate(CommonName, *time.Duration) (Certificater, error)

	// GetCertificate returns a certificate given its Common Name (CN)
	GetCertificate(CommonName) (Certificater, error)

	// RotateCertificate rotates an existing certificate.
	RotateCertificate(CommonName) (Certificater, error)

	// GetRootCertificate returns the root certificate in PEM format and its expiration.
	GetRootCertificate() (Certificater, error)

	// ListCertificates lists all certificates issued
	ListCertificates() ([]Certificater, error)

	// GetAnnouncementsChannel returns a channel, which is used to announce when changes have been made to the issued certificates.
	GetAnnouncementsChannel() <-chan interface{}
}

Manager is the interface declaring the methods for the Certificate Manager.

Directories

Path Synopsis
providers

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL