cache

package
v0.0.0-...-873615e
Published: Dec 18, 2024 License: Apache-2.0 Imports: 22 Imported by: 10

Documentation

Overview

Package cache is the in-memory secret store.

Index

Constants

This section is empty.

Variables

var (
	RequestType  = monitoring.CreateLabel("request_type")
	ResourceName = monitoring.CreateLabel("resource_name")
)

Functions

This section is empty.

Types

type FileCert

type FileCert struct {
	ResourceName string
	Filename     string
}

FileCert stores a reference to a certificate on disk

type SecretManagerClient

type SecretManagerClient struct {
	// contains filtered or unexported fields
}

SecretManagerClient is a SecretManager that signs CSRs using a provided security.Client. The primary usage is to fetch the two specially named resources: `default`, which refers to the workload's SPIFFE certificate, and `ROOTCA`, which contains just the root certificate for the workload certificates. These are separated only because Envoy keeps them separate. Additionally, arbitrary certificates may be fetched from local files to support DestinationRule and Gateway. Note that certificates stored externally will be sent from Istiod directly; the in-agent SecretManagerClient has low privileges and cannot read Kubernetes Secrets or other storage backends. Istiod is in charge of determining whether the agent (i.e. SecretManagerClient) or Istiod will serve an SDS response, by selecting the appropriate cluster in the SDS configuration it serves.

SecretManagerClient supports two modes of retrieving certificates (potentially at the same time):

  • File based certificates. If certs are mounted under well-known path /etc/certs/{key,cert,root-cert.pem}, requests for `default` and `ROOTCA` will automatically read from these files. Additionally, certificates from Gateway/DestinationRule can also be served. This is done by parsing resource names in accordance with security.SdsCertificateConfig (file-cert: and file-root:).
  • On demand CSRs. This is used only for the `default` certificate. When this resource is requested, a CSR will be sent to the configured caClient.

Callers are expected to only call GenerateSecret when a new certificate is required. Generally, this should be done a single time at startup, then repeatedly when the certificate is near expiration. To help users handle certificate expiration, any certificates created by the caClient will be monitored; when they are near expiration the secretHandler function is triggered, prompting the client to call GenerateSecret again, if they still care about the certificate. For files, this callback is instead triggered on any change to the file (triggering on expiration would not be helpful, as all we can do is re-read the same file).
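As an added illustration, not code from Istio or from this package: a self-contained Go model of the dispatch and renewal flow described above. It assumes the well-known file names cert-chain.pem and key.pem under /etc/certs (the docs spell out only root-cert.pem), assumes a `~` separator between the certificate and key path inside a `file-cert:` resource name, and uses an injected file-existence probe plus a fixed renewal window so that it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Mode says how a resource name will be satisfied, mirroring the two modes in
// the package docs. Everything in this file is an illustrative model.
type Mode int

const (
	ModeFile Mode = iota // read from files on disk
	ModeCSR              // send a CSR to the CA client (only for "default")
)

const (
	wellKnownDir  = "/etc/certs/"
	wellKnownCert = wellKnownDir + "cert-chain.pem" // assumed file name
	wellKnownKey  = wellKnownDir + "key.pem"        // assumed file name
	wellKnownRoot = wellKnownDir + "root-cert.pem"  // named in the docs
)

// Decision records the chosen mode and, for file mode, the paths involved.
type Decision struct {
	Mode              Mode
	CertFile, KeyFile string
	RootFile          string
}

// Resolver takes a file-existence probe so the example needs no real mounts.
type Resolver struct {
	FileExists func(path string) bool
}

// Resolve maps a resource name to a Decision: "default"/"ROOTCA" prefer the
// well-known mount, "file-cert:"/"file-root:" name explicit files, and only
// "default" may fall back to an on-demand CSR.
func (r Resolver) Resolve(resourceName string) (Decision, error) {
	switch {
	case resourceName == "default":
		if r.FileExists(wellKnownCert) && r.FileExists(wellKnownKey) {
			return Decision{Mode: ModeFile, CertFile: wellKnownCert, KeyFile: wellKnownKey}, nil
		}
		return Decision{Mode: ModeCSR}, nil
	case resourceName == "ROOTCA":
		if r.FileExists(wellKnownRoot) {
			return Decision{Mode: ModeFile, RootFile: wellKnownRoot}, nil
		}
		return Decision{}, errors.New(`ROOTCA: no root-cert.pem mounted; CSRs are only issued for "default"`)
	case strings.HasPrefix(resourceName, "file-cert:"):
		// Assumed layout: file-cert:<cert path>~<key path>.
		parts := strings.SplitN(strings.TrimPrefix(resourceName, "file-cert:"), "~", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return Decision{}, fmt.Errorf("file-cert: expected cert~key, got %q", resourceName)
		}
		if !r.FileExists(parts[0]) || !r.FileExists(parts[1]) {
			return Decision{}, fmt.Errorf("file-cert: %q or %q missing on disk", parts[0], parts[1])
		}
		return Decision{Mode: ModeFile, CertFile: parts[0], KeyFile: parts[1]}, nil
	case strings.HasPrefix(resourceName, "file-root:"):
		root := strings.TrimPrefix(resourceName, "file-root:")
		if root == "" || !r.FileExists(root) {
			return Decision{}, fmt.Errorf("file-root: %q missing on disk", root)
		}
		return Decision{Mode: ModeFile, RootFile: root}, nil
	}
	return Decision{}, fmt.Errorf("unknown resource name %q", resourceName)
}

// Tracker models the expiry watch for CA-issued certificates: a registered
// handler fires once per certificate when it enters the renewal window, and
// the caller is then expected to call GenerateSecret again.
type Tracker struct {
	grace   time.Duration // assumed renewal window before NotAfter
	handler func(resourceName string)
	expiry  map[string]time.Time
}

func NewTracker(grace time.Duration) *Tracker {
	return &Tracker{grace: grace, expiry: map[string]time.Time{}}
}

func (t *Tracker) RegisterSecretHandler(h func(string)) { t.handler = h }

func (t *Tracker) Track(resourceName string, notAfter time.Time) { t.expiry[resourceName] = notAfter }

// Tick fires the handler for every tracked certificate inside the grace
// window and returns the names it fired for. Fired entries are dropped so the
// handler does not repeat until a fresh certificate is tracked.
func (t *Tracker) Tick(now time.Time) []string {
	var fired []string
	for name, notAfter := range t.expiry {
		if !now.Before(notAfter.Add(-t.grace)) {
			fired = append(fired, name)
			if t.handler != nil {
				t.handler(name)
			}
			delete(t.expiry, name)
		}
	}
	return fired
}

func main() {
	// Constructed view of what is mounted: only the root cert and a gateway pair.
	mounted := map[string]bool{wellKnownRoot: true, "/gw/tls.crt": true, "/gw/tls.key": true}
	r := Resolver{FileExists: func(p string) bool { return mounted[p] }}
	for _, name := range []string{"default", "ROOTCA", "file-cert:/gw/tls.crt~/gw/tls.key", "file-root:/missing.pem"} {
		d, err := r.Resolve(name)
		fmt.Printf("%-38s -> %+v err=%v\n", name, d, err)
	}
	t := NewTracker(time.Hour)
	t.RegisterSecretHandler(func(n string) { fmt.Println("handler: renew", n) })
	now := time.Now()
	t.Track("default", now.Add(30*time.Minute)) // already inside the window
	fmt.Println("fired:", t.Tick(now))
}
```

With only root-cert.pem mounted, `default` falls through to CSR mode while `ROOTCA` is served from disk, which is the mixed situation the docs describe as "potentially at the same time".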

func NewSecretManagerClient

func NewSecretManagerClient(caClient security.Client, options *security.Options) (*SecretManagerClient, error)

NewSecretManagerClient creates a new SecretManagerClient.

func (*SecretManagerClient) Close

func (sc *SecretManagerClient) Close()

func (*SecretManagerClient) GenerateSecret

func (sc *SecretManagerClient) GenerateSecret(resourceName string) (secret *security.SecretItem, err error)

GenerateSecret passes the cached secret to SDS.StreamSecrets and SDS.FetchSecret.

func (*SecretManagerClient) OnSecretUpdate

func (sc *SecretManagerClient) OnSecretUpdate(resourceName string)

func (*SecretManagerClient) RegisterSecretHandler

func (sc *SecretManagerClient) RegisterSecretHandler(h func(resourceName string))

func (*SecretManagerClient) UpdateConfigTrustBundle

func (sc *SecretManagerClient) UpdateConfigTrustBundle(trustBundle []byte) error

UpdateConfigTrustBundle updates the configured trust bundle in the SecretManagerClient.
