spiffe

package

v0.0.0-...-6c25587 Latest Latest Go to latest Published: Nov 21, 2024 License: Apache-2.0 Imports: 15 Imported by: 84

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/istio/istio

Documentation ¶

Index ¶

Constants
func ExpandWithTrustDomains(spiffeIdentities sets.String, trustDomainAliases []string) sets.String
func GetTrustDomainFromURISAN(uriSan string) (string, error)
func MustGenSpiffeURI(meshCfg *meshconfig.MeshConfig, ns, serviceAccount string) string
func MustGenSpiffeURIForTrustDomain(td, ns, serviceAccount string) string
func RetrieveSpiffeBundleRootCerts(config map[string]string, caCertPool *x509.CertPool, ...) (map[string][]*x509.Certificate, error)
type Identity
- func ParseIdentity(s string) (Identity, error)
- func (i Identity) String() string
type PeerCertVerifier
- func NewPeerCertVerifier() *PeerCertVerifier

Constants ¶

View Source

const (
	Scheme = "spiffe"

	URIPrefix    = Scheme + "://"
	URIPrefixLen = len(URIPrefix)

	ServiceAccountSegment = "sa"
	NamespaceSegment      = "ns"
)

Variables ¶

This section is empty.

Functions ¶

func ExpandWithTrustDomains ¶

func ExpandWithTrustDomains(spiffeIdentities sets.String, trustDomainAliases []string) sets.String

ExpandWithTrustDomains expands a given spiffe identities, plus a list of trust domain aliases. We ensure the returned list does not contain duplicates; the original input is always retained. For example, ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/def"}, {"td1", "td2"}) returns

{"spiffe://td1/ns/def/sa/def", "spiffe://td2/ns/def/sa/def"}.

ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/a", "spiffe://td1/ns/def/sa/b"}, {"td2"}) returns

{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.

func GetTrustDomainFromURISAN ¶

func GetTrustDomainFromURISAN(uriSan string) (string, error)

GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.

func MustGenSpiffeURI ¶

func MustGenSpiffeURI(meshCfg *meshconfig.MeshConfig, ns, serviceAccount string) string

MustGenSpiffeURI returns the formatted uri(SPIFFE format for now) for the certificate and logs if there was an error.

func MustGenSpiffeURIForTrustDomain ¶

func MustGenSpiffeURIForTrustDomain(td, ns, serviceAccount string) string

MustGenSpiffeURIForTrustDomain returns the formatted uri(SPIFFE format for now) for the certificate and logs if there was an error.

func RetrieveSpiffeBundleRootCerts ¶

func RetrieveSpiffeBundleRootCerts(config map[string]string, caCertPool *x509.CertPool, retryTimeout time.Duration) (
	map[string][]*x509.Certificate, error,
)

RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints.

Types ¶

type Identity ¶

type Identity struct {
	TrustDomain    string
	Namespace      string
	ServiceAccount string
}

func ParseIdentity ¶

func ParseIdentity(s string) (Identity, error)

func (Identity) String ¶

func (i Identity) String() string

type PeerCertVerifier ¶

type PeerCertVerifier struct {
	// contains filtered or unexported fields
}

PeerCertVerifier is an instance to verify the peer certificate in the SPIFFE way using the retrieved root certificates.

func NewPeerCertVerifier ¶

func NewPeerCertVerifier() *PeerCertVerifier

NewPeerCertVerifier returns a new PeerCertVerifier.

func (*PeerCertVerifier) AddMapping ¶

func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)

AddMapping adds a new trust domain to certificates mapping to the certPools map.

func (*PeerCertVerifier) AddMappingFromPEM ¶

func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error

AddMappingFromPEM adds multiple RootCA's to the spiffe Trust bundle in the trustDomain namespace

func (*PeerCertVerifier) AddMappings ¶

func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)

AddMappings merges a trust domain to certs map to the certPools map.

func (*PeerCertVerifier) GetGeneralCertPool ¶

func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool

GetGeneralCertPool returns generalCertPool containing all root certs.

func (*PeerCertVerifier) VerifyPeerCert ¶

func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCert is an implementation of tls.Config.VerifyPeerCertificate. It verifies the peer certificate using the root certificates associated with its trust domain.

Source Files ¶

View all Source files

spiffe.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL