caclient

package v0.0.0-...-865e90e
Published: Jul 4, 2018 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func SaveKeyCert

func SaveKeyCert(keyFile, certFile string, privKey, cert []byte) error

SaveKeyCert writes the given private key and certificate to the files at keyFile and certFile. TODO(incfly): move this into CAClient struct's own method later.
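Added example, not the package's own code: what a SaveKeyCert-style helper should do on disk. The private key is written 0600 and the certificate 0644, each via write-to-temp, fsync and rename so that a concurrent reader (Envoy reloading certs) or a crash mid-write never observes a truncated file, followed by the permission check a loader should run before trusting a key file. The function names and the placeholder PEM bodies in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// writeFileAtomic writes data to a temporary file in the target directory with the
// requested mode, fsyncs it and renames it over path, so a concurrent reader (or a
// crash mid-write) never sees a truncated key or certificate.
func writeFileAtomic(path string, data []byte, mode os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), "."+filepath.Base(path)+".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	fail := func(e error) error {
		tmp.Close()
		os.Remove(tmpName)
		return e
	}
	// CreateTemp already opens the file 0600. Chmod on the open descriptor is not
	// subject to the umask, so a cert can be widened to 0644 deliberately.
	if err := tmp.Chmod(mode); err != nil {
		return fail(err)
	}
	if _, err := tmp.Write(data); err != nil {
		return fail(err)
	}
	if err := tmp.Sync(); err != nil {
		return fail(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	if err := os.Rename(tmpName, path); err != nil {
		os.Remove(tmpName)
		return err
	}
	return nil
}

// saveKeyCert persists a PEM private key and certificate the way a node agent should:
// the key readable by its owner only, the certificate world-readable.
func saveKeyCert(keyFile, certFile string, privKey, cert []byte) error {
	if len(privKey) == 0 || len(cert) == 0 {
		return errors.New("refusing to write an empty key or certificate")
	}
	if err := writeFileAtomic(keyFile, privKey, 0o600); err != nil {
		return fmt.Errorf("write key %s: %w", keyFile, err)
	}
	if err := writeFileAtomic(certFile, cert, 0o644); err != nil {
		return fmt.Errorf("write cert %s: %w", certFile, err)
	}
	return nil
}

// checkKeyFilePerms is the check to run before loading a private key from disk:
// it fails if any group or other permission bit is set.
func checkKeyFilePerms(keyFile string) error {
	info, err := os.Stat(keyFile)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; private keys must be 0600", keyFile, perm)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "caclient-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	keyFile, certFile := filepath.Join(dir, "key.pem"), filepath.Join(dir, "cert-chain.pem")
	// Constructed placeholder PEM bodies; a real agent writes what the CA returned.
	key := []byte("-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n")
	cert := []byte("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n")
	if err := saveKeyCert(keyFile, certFile, key, cert); err != nil {
		panic(err)
	}
	fmt.Println("key file permissions acceptable:", checkKeyFilePerms(keyFile) == nil)
}
```

The rename is what makes the update safe: a reader that opened the old file keeps reading a complete old key/cert pair, and a reader that opens after the rename gets a complete new one. Writing both files in place with os.WriteFile would leave a window where the key on disk does not match the cert.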

Types

type CAClient

type CAClient struct {
	// contains filtered or unexported fields
}

CAClient is a client that provisions a key and certificate from the upstream CA via the CSR protocol.

func NewCAClient

func NewCAClient(pltfmc platform.Client, protocolClient protocol.CAProtocol, maxRetries int, interval time.Duration) (*CAClient, error)

NewCAClient creates a new CAClient instance.

func (*CAClient) Retrieve

func (c *CAClient) Retrieve(options *pkiutil.CertOptions) (newCert []byte, certChain []byte, privateKey []byte, err error)

Retrieve sends the CSR to the Istio CA with automatic retries. On success it returns the new certificate, the certificate chain and the private key; otherwise it returns an error. This is a blocking call.

type Config

type Config struct {
	// Address of the CA that the CA client connects to
	CAAddress string

	// Organization presented in the certificates
	Org string

	// Requested TTL of the certificates
	RequestedCertTTL time.Duration

	// Size of the RSA private key, in bits
	RSAKeySize int

	// The environment this CA client is running on.
	Env string

	// The cluster management platform this node agent is running on.
	Platform string

	// Whether the certificate is for a CA
	ForCA bool

	// CSRInitialRetrialInterval is the initial retry interval for certificate requests.
	CSRInitialRetrialInterval time.Duration

	// CSRMaxRetries is the maximum number of retries for certificate requests.
	CSRMaxRetries int

	// CSRGracePeriodPercentage is the length of the grace period, expressed as a
	// percentage of the entire certificate TTL.
	CSRGracePeriodPercentage int

	// CertFile is the path of the CA client's certificate file.
	CertFile string

	// CertChainFile is the path of the CA client's certificate chain file, including the client's cert.
	CertChainFile string

	// KeyFile is the path of the CA client's private key file.
	KeyFile string

	// RootCertFile is the path of the root certificate file.
	RootCertFile string
}

Config is configuration for the CA client.
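Added example, not part of the package: a validator for the Config above, with a constructed weak configuration beside its corrected form. Besides the obvious checks (a 2048-bit minimum RSA key, a root cert so the CA's identity can be verified), it ties CSRGracePeriodPercentage to the retry settings: if every CSR attempt fails, the sum of the retry waits must fit inside the grace window, or the old certificate expires while the agent is still retrying. The doubling backoff, the CA address and the file path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Config mirrors the documented struct; only the fields the checks use are listed.
type Config struct {
	CAAddress                 string
	RequestedCertTTL          time.Duration
	RSAKeySize                int
	CSRInitialRetrialInterval time.Duration
	CSRMaxRetries             int
	CSRGracePeriodPercentage  int
	RootCertFile              string
}

// worstCaseRetryTime sums the waits of a run in which every CSR attempt fails,
// assuming the interval doubles after each failure (an assumption about the backoff).
func worstCaseRetryTime(initial time.Duration, maxRetries int) time.Duration {
	var total time.Duration
	for i, wait := 0, initial; i < maxRetries; i, wait = i+1, wait*2 {
		total += wait
	}
	return total
}

// validateConfig reports every setting that would leave the workload with a weak key,
// an unverifiable CA, or a certificate that can expire while retries are still running.
func validateConfig(cfg Config) error {
	var problems []string
	if cfg.CAAddress == "" {
		problems = append(problems, "CAAddress is empty")
	}
	if cfg.RootCertFile == "" {
		problems = append(problems, "RootCertFile is empty, so the CA's certificate cannot be verified")
	}
	if cfg.RSAKeySize < 2048 {
		problems = append(problems, fmt.Sprintf("RSAKeySize %d is below the 2048-bit minimum", cfg.RSAKeySize))
	}
	if cfg.RequestedCertTTL <= 0 {
		problems = append(problems, "RequestedCertTTL must be positive")
	}
	if cfg.CSRInitialRetrialInterval <= 0 || cfg.CSRMaxRetries < 0 {
		problems = append(problems, "CSRInitialRetrialInterval must be positive and CSRMaxRetries non-negative")
	}
	pct := cfg.CSRGracePeriodPercentage
	if pct <= 0 || pct >= 100 {
		problems = append(problems, fmt.Sprintf("CSRGracePeriodPercentage %d must be between 1 and 99", pct))
	} else if cfg.RequestedCertTTL > 0 && cfg.CSRInitialRetrialInterval > 0 {
		grace := time.Duration(float64(cfg.RequestedCertTTL) * float64(pct) / 100)
		if worst := worstCaseRetryTime(cfg.CSRInitialRetrialInterval, cfg.CSRMaxRetries); worst >= grace {
			problems = append(problems, fmt.Sprintf("grace window %v does not cover the worst-case retry time %v, so the cert could expire mid-retry", grace, worst))
		}
	}
	if len(problems) == 0 {
		return nil
	}
	return errors.New(strings.Join(problems, "; "))
}

// weakConfig is a constructed set of settings that should be rejected.
func weakConfig() Config {
	return Config{
		CAAddress:                 "istio-citadel.istio-system:8060", // assumed address
		RSAKeySize:                1024,
		RequestedCertTTL:          time.Hour,
		CSRInitialRetrialInterval: 5 * time.Minute,
		CSRMaxRetries:             5,  // 5+10+20+40+80 min = 155 min of retries ...
		CSRGracePeriodPercentage:  10, // ... against a 6-minute grace window
	}
}

// hardenedConfig is the corrected counterpart of weakConfig.
func hardenedConfig() Config {
	cfg := weakConfig()
	cfg.RSAKeySize = 2048
	cfg.RootCertFile = "/etc/certs/root-cert.pem"    // assumed path
	cfg.CSRInitialRetrialInterval = 5 * time.Second // 5+10+20+40+80 s = 155 s of retries ...
	cfg.CSRGracePeriodPercentage = 50               // ... against a 30-minute grace window
	return cfg
}

func main() {
	fmt.Println("weak:", validateConfig(weakConfig()))
	fmt.Println("hardened:", validateConfig(hardenedConfig()))
}
```

The grace-versus-retry check is the one most often missed: a short TTL combined with a long retry interval looks harmless in isolation, but the two together guarantee an outage the first time the CA is unreachable near renewal.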

type KeyCertBundleRotator

type KeyCertBundleRotator struct {
	// contains filtered or unexported fields
}

KeyCertBundleRotator automatically updates the key and cert bundle by interacting with the upstream CA.

func NewKeyCertBundleRotator

func NewKeyCertBundleRotator(cfg *Config, retriever KeyCertRetriever, bundle pkiutil.KeyCertBundle) (*KeyCertBundleRotator, error)

NewKeyCertBundleRotator constructs a KeyCertBundleRotator from the provided configuration, retriever and key/cert bundle.

func (*KeyCertBundleRotator) Start

func (c *KeyCertBundleRotator) Start(errCh chan<- error)

Start periodically rotates the KeyCertBundle by interacting with the upstream CA. It is a blocking function that should be run in its own goroutine. Safe for concurrent use.

func (*KeyCertBundleRotator) Stop

func (c *KeyCertBundleRotator) Stop()

Stop stops the rotation loop. Safe for concurrent use.

type KeyCertRetriever

type KeyCertRetriever interface {
	Retrieve(opt *pkiutil.CertOptions) (newCert, certChain, privateKey []byte, err error)
}

KeyCertRetriever is the interface responsible for retrieving a new key and certificate from the upstream CA.
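Added example, not code from the Istio package, of the two pieces of logic behind Retrieve's "automatic retries" and the rotator's use of CSRGracePeriodPercentage: a retry wrapper around a KeyCertRetriever, and the computation of when the next CSR is due. The delay is derived from the NotBefore/NotAfter of the certificate the CA actually issued, not from the requested TTL, because a CA may issue a shorter lifetime than was asked for. CertOptions here is an assumed stand-in for pkiutil.CertOptions, the doubling backoff is an assumed policy, and flakyRetriever is a constructed stand-in for the real CA protocol client that fails a set number of times and then returns a throwaway self-signed certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertOptions is an assumed stand-in for pkiutil.CertOptions (only the field used here).
type CertOptions struct{ TTL time.Duration }

type KeyCertRetriever interface {
	Retrieve(opt *CertOptions) (newCert, certChain, privateKey []byte, err error)
}

// retrieveWithRetry issues the CSR up to maxRetries+1 times. The wait after a failure
// starts at initial and doubles each time (assumed policy); sleep is injected so tests do not block.
func retrieveWithRetry(r KeyCertRetriever, opt *CertOptions, maxRetries int, initial time.Duration, sleep func(time.Duration)) (cert, chain, key []byte, err error) {
	wait := initial
	for attempt := 0; ; attempt++ {
		if cert, chain, key, err = r.Retrieve(opt); err == nil {
			return cert, chain, key, nil
		}
		if attempt >= maxRetries {
			return nil, nil, nil, fmt.Errorf("CSR failed after %d attempts: %w", attempt+1, err)
		}
		sleep(wait)
		wait *= 2
	}
}

// certValidity parses the first PEM certificate and returns its validity window.
func certValidity(certPEM []byte) (notBefore, notAfter time.Time, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return notBefore, notAfter, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return notBefore, notAfter, err
	}
	return c.NotBefore, c.NotAfter, nil
}

// rotationDelay is how long to sleep before the next CSR: until gracePct percent of the lifetime
// remains. The lifetime comes from the issued cert, not the requested TTL, because a CA may issue less.
func rotationDelay(notBefore, notAfter time.Time, gracePct int, now time.Time) (time.Duration, error) {
	if gracePct < 0 || gracePct > 100 {
		return 0, fmt.Errorf("grace period %d%% out of range", gracePct)
	}
	grace := time.Duration(float64(notAfter.Sub(notBefore)) * float64(gracePct) / 100)
	if d := notAfter.Add(-grace).Sub(now); d > 0 {
		return d, nil
	}
	return 0, nil // already inside the grace window (or expired): rotate now
}

// flakyRetriever is a constructed stand-in for the CA client: fails failuresLeft times, then self-signs.
type flakyRetriever struct {
	failuresLeft, calls int
}

func (f *flakyRetriever) Retrieve(opt *CertOptions) (cert, chain, key []byte, err error) {
	f.calls++
	if f.failuresLeft > 0 {
		f.failuresLeft--
		return nil, nil, nil, fmt.Errorf("CA unavailable")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(opt.TTL)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key generated just above
	cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	key = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return cert, cert, key, nil // a self-signed cert is its own chain
}

func main() {
	r := &flakyRetriever{failuresLeft: 2}
	logWait := func(d time.Duration) { fmt.Println("CSR failed, backing off", d) }
	cert, _, _, err := retrieveWithRetry(r, &CertOptions{TTL: time.Hour}, 3, time.Second, logWait)
	if err != nil {
		panic(err)
	}
	nb, na, _ := certValidity(cert)
	d, _ := rotationDelay(nb, na, 20, time.Now())
	fmt.Printf("cert issued on call %d; next CSR in %v\n", r.calls, d.Round(time.Minute))
}
```

A rotator loop built on these two functions sleeps for rotationDelay, calls retrieveWithRetry, and on success replaces the bundle; on exhaustion it must keep serving the old cert and report the error rather than tear the bundle down, since an expired-but-present cert fails closed at the peer while a missing one can leave the workload unable to even attempt mTLS.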

Directories

Path	Synopsis
protocol	Package protocol defines the interface of CA client protocol.
