Documentation ¶
Overview ¶
Package cache is the in-memory secret store.
Index ¶
- Variables
- type FileCert
- type SecretManagerClient
- func NewSecretManagerClient(caClient security.Client, options *security.Options) (*SecretManagerClient, error)
- func (sc *SecretManagerClient) Close()
- func (sc *SecretManagerClient) GenerateSecret(resourceName string) (secret *security.SecretItem, err error)
- func (sc *SecretManagerClient) OnSecretUpdate(resourceName string)
- func (sc *SecretManagerClient) RegisterSecretHandler(h func(resourceName string))
- func (sc *SecretManagerClient) UpdateConfigTrustBundle(trustBundle []byte) error
Constants ¶
This section is empty.
Variables ¶
var (
	RequestType  = monitoring.CreateLabel("request_type")
	ResourceName = monitoring.CreateLabel("resource_name")
)
Functions ¶
This section is empty.
Types ¶
type SecretManagerClient ¶
type SecretManagerClient struct {
// contains filtered or unexported fields
}
SecretManagerClient is a SecretManager that signs CSRs using a provided security.Client. The primary usage is to fetch the two specially named resources: `default`, which refers to the workload's SPIFFE certificate, and `ROOTCA`, which contains just the root certificate for the workload certificates. These are separated only because Envoy keeps them separate. Additionally, arbitrary certificates may be fetched from local files to support DestinationRule and Gateway. Note that certificates stored externally are sent from Istiod directly; the in-agent SecretManagerClient runs with low privileges and cannot read Kubernetes Secrets or other storage backends. Istiod decides whether the agent (i.e. SecretManagerClient) or Istiod itself serves a given SDS response by selecting the appropriate cluster in the SDS configuration it serves.
SecretManagerClient supports two modes of retrieving certificate (potentially at the same time):
- File based certificates. If certs are mounted under the well-known path /etc/certs/{key,cert,root-cert.pem}, requests for `default` and `ROOTCA` will automatically read from these files. Certificates referenced by Gateway/DestinationRule can also be served from files; their resource names are parsed in accordance with security.SdsCertificateConfig (the `file-cert:` and `file-root:` prefixes).
- On demand CSRs. This is used only for the `default` certificate. When this resource is requested, a CSR will be sent to the configured caClient.
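The two retrieval modes above, as an added example in Go (not the cache package's own code): Resolve maps a resource name either to a file-backed source or to the CA, and Load reads and validates the PEM files before anything is handed to the proxy. The `~` separator in `file-cert:<cert>~<key>` names, the file names `key.pem`, `cert-chain.pem` and `root-cert.pem` under the mount directory, and the type and helper names are assumptions for this example; the page itself shows only the two prefixes and the `/etc/certs` directory.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Names and prefixes from the description above. The "~" separator and the
// file names under the mount directory are assumptions (not shown on the page).
const (
	DefaultResource = "default"
	RootCAResource  = "ROOTCA"
	fileCertPrefix  = "file-cert:"
	fileRootPrefix  = "file-root:"
	pathSep         = "~"
	mountedKey      = "key.pem"
	mountedCert     = "cert-chain.pem"
	mountedRoot     = "root-cert.pem"
)

// CertSource is the result of resolving one name. FromCA means no file backs it:
// for "default" that means a CSR to the CA; for "ROOTCA" the CA's root bundle.
type CertSource struct {
	CertPath, KeyPath, RootPath string
	FromCA                      bool
}

// Resolve picks the retrieval mode for a resource name. mountDir is the well-known
// directory (/etc/certs on the page); if it holds the pair, files win over the CA.
func Resolve(name, mountDir string) (CertSource, error) {
	switch {
	case strings.HasPrefix(name, fileCertPrefix):
		parts := strings.Split(strings.TrimPrefix(name, fileCertPrefix), pathSep)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return CertSource{}, fmt.Errorf("malformed %q: want %s<cert>%s<key>", name, fileCertPrefix, pathSep)
		}
		return CertSource{CertPath: parts[0], KeyPath: parts[1]}, nil
	case strings.HasPrefix(name, fileRootPrefix):
		root := strings.TrimPrefix(name, fileRootPrefix)
		if root == "" || strings.Contains(root, pathSep) {
			return CertSource{}, fmt.Errorf("malformed %q: want %s<root>", name, fileRootPrefix)
		}
		return CertSource{RootPath: root}, nil
	case name == DefaultResource:
		key, cert := filepath.Join(mountDir, mountedKey), filepath.Join(mountDir, mountedCert)
		if isFile(key) && isFile(cert) {
			return CertSource{CertPath: cert, KeyPath: key}, nil
		}
		return CertSource{FromCA: true}, nil
	case name == RootCAResource:
		if root := filepath.Join(mountDir, mountedRoot); isFile(root) {
			return CertSource{RootPath: root}, nil
		}
		return CertSource{FromCA: true}, nil
	}
	return CertSource{}, fmt.Errorf("unknown resource %q", name)
}

// Load reads the files behind a CertSource and fails closed: a cert file with no
// CERTIFICATE block or a key file with no private-key block is rejected (this
// catches a swapped cert~key pair in a file-cert: name).
func Load(src CertSource) (certPEM, keyPEM, rootPEM []byte, err error) {
	if src.FromCA {
		return nil, nil, nil, fmt.Errorf("resource is not file-backed; ask the CA")
	}
	if src.RootPath != "" {
		if rootPEM, err = readPEM(src.RootPath, "CERTIFICATE"); err != nil {
			return nil, nil, nil, err
		}
	}
	if src.CertPath != "" {
		if certPEM, err = readPEM(src.CertPath, "CERTIFICATE"); err != nil {
			return nil, nil, nil, err
		}
		if keyPEM, err = readPEM(src.KeyPath, "PRIVATE KEY"); err != nil {
			return nil, nil, nil, err
		}
	}
	return certPEM, keyPEM, rootPEM, nil
}

// readPEM returns the file only if some PEM block type ends in want
// ("PRIVATE KEY" also accepts "EC PRIVATE KEY" and "RSA PRIVATE KEY").
func readPEM(path, want string) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	for rest := data; len(rest) > 0; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if strings.HasSuffix(block.Type, want) {
			return data, nil
		}
	}
	return nil, fmt.Errorf("%s: no %q PEM block", path, want)
}

func isFile(p string) bool { st, err := os.Stat(p); return err == nil && st.Mode().IsRegular() }

func main() {
	src, err := Resolve("file-cert:/tls.crt~/tls.key", "/etc/certs")
	fmt.Printf("%+v %v\n", src, err)
}
```

Load validates block types rather than trusting the caller's ordering because a `file-cert:` name is user-supplied configuration: serving a private key where Envoy expects a certificate chain is a misconfiguration that should fail at load time, not surface as an opaque TLS handshake error.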
Callers are expected to call GenerateSecret only when a new certificate is required. Generally, this is done once at startup, then again each time the certificate is near expiration. To help callers handle expiration, any certificate created by the caClient is monitored; when it is near expiration the registered secretHandler function is triggered, prompting the caller to call GenerateSecret again if it still needs the certificate. For file-based certificates, the callback is instead triggered on any change to the file (triggering on expiration would not help, as all the client could do is re-read the same file).
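The expiry-driven callback described above, as an added example in Go (not Istio's implementation): RotationDelay derives the "near expiration" point from the certificate's own NotBefore/NotAfter using a grace-period ratio, and Watcher models the RegisterSecretHandler contract, including re-arming on renewal so that a stale timer from the previous certificate cannot fire. The ratio-based scheme and its 0.5 default, the SecretItem stand-in type, the Watcher type and the self-signed certificate used as stand-in for a CA-issued one are all assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// SecretItem is a constructed stand-in for the fields the expiry logic needs.
type SecretItem struct {
	ResourceName string
	CreatedTime  time.Time
	ExpireTime   time.Time
}

// RotationDelay is how long to wait, from now, before reporting the certificate
// as near expiration. graceRatio is the fraction of the lifetime kept as headroom
// (0.5 renews at half-life). Clamps at zero: an expired cert is reported at once.
func RotationDelay(item SecretItem, graceRatio float64, now time.Time) time.Duration {
	if graceRatio <= 0 || graceRatio >= 1 {
		graceRatio = 0.5 // assumed default for a misconfigured ratio
	}
	lifetime := item.ExpireTime.Sub(item.CreatedTime)
	grace := time.Duration(graceRatio * float64(lifetime))
	delay := item.ExpireTime.Add(-grace).Sub(now)
	if delay < 0 {
		delay = 0
	}
	return delay
}

// Watcher models RegisterSecretHandler: one handler, called with the resource name
// when its certificate nears expiry. Renewal is the handler's job, not the watcher's.
type Watcher struct {
	mu      sync.Mutex
	handler func(resourceName string)
	timers  map[string]*time.Timer
}

func NewWatcher() *Watcher { return &Watcher{timers: map[string]*time.Timer{}} }

func (w *Watcher) RegisterSecretHandler(h func(resourceName string)) {
	w.mu.Lock()
	defer w.mu.Unlock()
	w.handler = h
}

// Track arms (or re-arms) the timer for item and returns the delay used. Stopping
// the previous timer keeps a renewed certificate from getting the old callback.
func (w *Watcher) Track(item SecretItem, graceRatio float64) time.Duration {
	delay := RotationDelay(item, graceRatio, time.Now())
	w.mu.Lock()
	defer w.mu.Unlock()
	if old, ok := w.timers[item.ResourceName]; ok {
		old.Stop()
	}
	name := item.ResourceName
	w.timers[name] = time.AfterFunc(delay, func() {
		w.mu.Lock()
		h := w.handler
		w.mu.Unlock()
		if h != nil {
			h(name)
		}
	})
	return delay
}

// SelfSignedItem mints a throwaway certificate so the example runs offline; the
// times are read back from the parsed cert, as they would be from a CA-issued one.
func SelfSignedItem(name string, notBefore time.Time, ttl time.Duration) (SecretItem, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SecretItem{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return SecretItem{}, err
	}
	cert, err := x509.ParseCertificate(der) // x509 stores times at 1s precision
	if err != nil {
		return SecretItem{}, err
	}
	return SecretItem{ResourceName: name, CreatedTime: cert.NotBefore, ExpireTime: cert.NotAfter}, nil
}

func main() {
	item, err := SelfSignedItem("default", time.Now(), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	w := NewWatcher()
	w.RegisterSecretHandler(func(name string) { fmt.Println("renew", name) })
	fmt.Printf("%s: handler fires in %s\n", item.ResourceName, w.Track(item, 0.5).Round(time.Second))
}
```

In a real caller the handler would call GenerateSecret again and then Track the new item, which is exactly the re-arm path; file-backed resources would instead be wired to a file watcher, since, as the paragraph notes, expiry is not an actionable signal when the only option is to re-read the same file.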
func NewSecretManagerClient ¶
func NewSecretManagerClient(caClient security.Client, options *security.Options) (*SecretManagerClient, error)
NewSecretManagerClient creates a new SecretManagerClient.
func (*SecretManagerClient) Close ¶
func (sc *SecretManagerClient) Close()
func (*SecretManagerClient) GenerateSecret ¶
func (sc *SecretManagerClient) GenerateSecret(resourceName string) (secret *security.SecretItem, err error)
GenerateSecret returns the secret for resourceName, generating or loading it if it is not already cached; the result is what SDS.StreamSecrets and SDS.FetchSecret pass on to the proxy.
func (*SecretManagerClient) OnSecretUpdate ¶
func (sc *SecretManagerClient) OnSecretUpdate(resourceName string)
func (*SecretManagerClient) RegisterSecretHandler ¶
func (sc *SecretManagerClient) RegisterSecretHandler(h func(resourceName string))
func (*SecretManagerClient) UpdateConfigTrustBundle ¶
func (sc *SecretManagerClient) UpdateConfigTrustBundle(trustBundle []byte) error
UpdateConfigTrustBundle updates the configured trust bundle held by the SecretManagerClient.