Functions ¶
func RecordCertsExpiry ¶
func RecordCertsExpiry(keyCertBundle *util.KeyCertBundle)
RecordCertsExpiry updates the certificate-expiration related metrics given a new keycertbundle
Types ¶
type CertificateAuthority ¶
// CertificateAuthority contains methods to be supported by a CA.
type CertificateAuthority interface {
	// Sign generates a certificate for a workload or CA, from the given CSR and cert opts.
	// Only the leaf certificate bytes are returned; use SignWithCertChain when the
	// caller also needs the chain.
	Sign(csrPEM []byte, opts ca.CertOpts) ([]byte, error)
	// SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.
	SignWithCertChain(csrPEM []byte, opts ca.CertOpts) ([]string, error)
	// GetCAKeyCertBundle returns the KeyCertBundle used by CA.
	GetCAKeyCertBundle() *util.KeyCertBundle
}
CertificateAuthority contains methods to be supported by a CA.
type ClusterNodeAuthorizer ¶
// ClusterNodeAuthorizer is the per-cluster node authorizer. It is constructed by
// NewClusterNodeAuthorizer from a kube client and the set of trusted node service
// accounts, and exposes Close and HasSynced for lifecycle and readiness handling.
type ClusterNodeAuthorizer struct {
	// contains filtered or unexported fields
}
func NewClusterNodeAuthorizer ¶
func NewClusterNodeAuthorizer(client kube.Client, trustedNodeAccounts sets.Set[types.NamespacedName]) *ClusterNodeAuthorizer
func (*ClusterNodeAuthorizer) Close ¶
func (na *ClusterNodeAuthorizer) Close()
func (*ClusterNodeAuthorizer) HasSynced ¶
func (na *ClusterNodeAuthorizer) HasSynced() bool
type MulticlusterNodeAuthorizor ¶
// MulticlusterNodeAuthorizor is responsible for maintaining an index of
// ClusterNodeAuthenticators, one per cluster. Node authorizations from one cluster
// are forwarded to the ClusterNodeAuthenticators for the same cluster. Instances are
// created by NewMulticlusterNodeAuthenticator.
type MulticlusterNodeAuthorizor struct {
	// contains filtered or unexported fields
}
MulticlusterNodeAuthorizor is responsible for maintaining an index of ClusterNodeAuthenticators, one per cluster (https://docs.google.com/document/d/10uf4EvUVif4xGeCYQydaKh9Yaz9wpysao7gyLewJY2Q). Node authorizations from one cluster will be forwarded to the ClusterNodeAuthenticators for the same cluster.
func NewMulticlusterNodeAuthenticator ¶
func NewMulticlusterNodeAuthenticator( trustedNodeAccounts sets.Set[types.NamespacedName], controller multicluster.ComponentBuilder, ) *MulticlusterNodeAuthorizor
type SaNode ¶
// SaNode pairs a service account (namespace/name) with the name of a node.
type SaNode struct {
	ServiceAccount types.NamespacedName
	Node           string
}
type Server ¶
// Server implements IstioCAService and IstioCertificateService and provides the
// services on the specified port. Instances are created by New.
type Server struct {
	pb.UnimplementedIstioCertificateServiceServer
	// Authenticators is the list passed to New; presumably these are the
	// authenticators CreateCertificate runs against incoming requests — confirm
	// against CreateCertificate. The field is exported and so can be replaced by callers.
	Authenticators []security.Authenticator
	// contains filtered or unexported fields
}
Server implements IstioCAService and IstioCertificateService and provides the services on the specified port.
func New ¶
func New( ca CertificateAuthority, ttl time.Duration, authenticators []security.Authenticator, controller multicluster.ComponentBuilder, ) (*Server, error)
New creates a new instance of `IstioCAServiceServer`.
func (*Server) CreateCertificate ¶
func (s *Server) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) ( *pb.IstioCertificateResponse, error, )
CreateCertificate handles an incoming certificate signing request (CSR). It performs authentication and authorization. Once the request is validated, it signs a certificate in which: the SAN is the identity of the caller from the authentication result; the subject public key is the public key in the CSR; the validity duration is the ValidityDuration in the request, or the default value if the given duration is invalid; and the certificate is signed by the CA signing key.