Constants

// File names under which the CA's own material is stored.
const (
	// CACertFile is the CA certificate chain file.
	CACertFile = "ca-cert.pem"
	// CAPrivateKeyFile is the private key file of CA.
	CAPrivateKeyFile = "ca-key.pem"
	// CertChainFile is the ID/name for the certificate chain file.
	CertChainFile = "cert-chain.pem"
	// PrivateKeyFile is the ID/name for the private key file.
	PrivateKeyFile = "key.pem"
	// RootCertFile is the ID/name for the CA root certificate file.
	RootCertFile = "root-cert.pem"
)

// Key names as they appear inside a tls-type Kubernetes secret.
const (
	// TLSSecretCACertFile is the CA certificate file name as it exists in tls type k8s secret.
	TLSSecretCACertFile = "tls.crt"
	// TLSSecretCAPrivateKeyFile is the CA certificate key file name as it exists in tls type k8s secret.
	TLSSecretCAPrivateKeyFile = "tls.key"
	// TLSSecretRootCertFile is the root cert file name as it exists in tls type k8s secret.
	TLSSecretRootCertFile = "ca.crt"
)

// Secret names and the marker key for Istio-generated secrets.
const (
	// CASecret stores the key/cert of the self-signed CA for persistence.
	CASecret = "istio-ca-secret"
	// CACertsSecret stores the plugin CA certificates; in the external istiod scenario the secret can live in the config cluster.
	CACertsSecret = "cacerts"
	// IstioGenerated is the key indicating the secret is generated by Istio.
	IstioGenerated = "istio-generated"
)


Functions

func BuildSecret

func BuildSecret(scrtName, namespace string, certChain, privateKey, rootCert, caCert, caPrivateKey []byte, secretType v1.SecretType) *v1.Secret

BuildSecret returns a secret struct whose contents are filled from the parameters passed in. It adds the "istio-generated" key if the secret name is `cacerts`.

Types

type CertOpts

// CertOpts holds the per-request options passed to IstioCA.Sign and
// IstioCA.SignWithCertChain when issuing a certificate from a CSR.
type CertOpts struct {
	// SubjectIDs are used for building the SAN extension for the certificate.
	SubjectIDs []string

	// TTL is the requested lifetime (Time to live) to be applied in the certificate.
	// NOTE(review): presumably bounded by IstioCAOptions.MaxCertTTL at signing time — confirm in Sign.
	TTL time.Duration

	// ForCA indicates whether the signed certificate is for a CA.
	// If true, the signed certificate is a CA certificate, otherwise, it is a workload certificate.
	ForCA bool

	// CertSigner carries the cert signer info — TODO confirm how Sign interprets it.
	CertSigner string
}

type IstioCA

// IstioCA generates keys and certificates for Istio identities.
// Its signing material is exposed through GetCAKeyCertBundle.
type IstioCA struct {
	// contains filtered or unexported fields
}

IstioCA generates keys and certificates for Istio identities.

func NewIstioCA

func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)

NewIstioCA returns a new IstioCA instance.

func (*IstioCA) GenKeyCert

func (ca *IstioCA) GenKeyCert(hostnames []string, certTTL time.Duration, checkLifetime bool) ([]byte, []byte, error)

GenKeyCert generates a certificate signed by the CA and returns the certificate chain and the private key.

func (*IstioCA) GetCAKeyCertBundle

func (ca *IstioCA) GetCAKeyCertBundle() *util.KeyCertBundle

GetCAKeyCertBundle returns the KeyCertBundle for the CA.

func (*IstioCA) Run

func (ca *IstioCA) Run(stopChan chan struct{})

func (*IstioCA) Sign

func (ca *IstioCA) Sign(csrPEM []byte, certOpts CertOpts) (
	[]byte, error,
)

Sign takes a PEM-encoded CSR and cert opts, and returns a signed certificate.

func (*IstioCA) SignWithCertChain

func (ca *IstioCA) SignWithCertChain(csrPEM []byte, certOpts CertOpts) (
	[]string, error,
)

SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.

type IstioCAOptions

// IstioCAOptions holds the configurations for creating an Istio CA.
// Instances are normally built by NewSelfSignedIstioCAOptions,
// NewSelfSignedDebugIstioCAOptions or NewPluggedCertIstioCAOptions.
type IstioCAOptions struct {
	// CAType selects the kind of CA (caTypes is unexported; set by the constructors).
	CAType caTypes

	// DefaultCertTTL is the lifetime presumably applied when a request does not specify one — confirm in Sign.
	DefaultCertTTL time.Duration
	// MaxCertTTL is the longest lifetime the CA issues — presumably caps CertOpts.TTL; confirm in Sign.
	MaxCertTTL     time.Duration
	// CARSAKeySize is the RSA key size used for the CA key (units not shown here; likely bits).
	CARSAKeySize   int

	// KeyCertBundle holds the CA's key and certificates; exposed via IstioCA.GetCAKeyCertBundle.
	KeyCertBundle *util.KeyCertBundle

	// Config for creating self-signed root cert rotator.
	RotatorConfig *SelfSignedCARootCertRotatorConfig

	// OnRootCertUpdate is the cb which can only be called by self-signed root cert rotator
	OnRootCertUpdate func() error
}

IstioCAOptions holds the configurations for creating an Istio CA.

func NewPluggedCertIstioCAOptions

func NewPluggedCertIstioCAOptions(fileBundle SigningCAFileBundle,
	defaultCertTTL, maxCertTTL time.Duration, caRSAKeySize int,
) (caOpts *IstioCAOptions, err error)

NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance using the given certificate.

func NewSelfSignedDebugIstioCAOptions

func NewSelfSignedDebugIstioCAOptions(rootCertFile string, caCertTTL, defaultCertTTL, maxCertTTL time.Duration,
	org string, caRSAKeySize int,
) (caOpts *IstioCAOptions, err error)

NewSelfSignedDebugIstioCAOptions returns a new IstioCAOptions instance using a self-signed certificate produced by an in-memory CA; it runs without K8s and with no local CA key file present.

func NewSelfSignedIstioCAOptions

func NewSelfSignedIstioCAOptions(ctx context.Context,
	rootCertGracePeriodPercentile int, caCertTTL, rootCertCheckInverval, defaultCertTTL,
	maxCertTTL time.Duration, org string, useCacertsSecretName, dualUse bool, namespace string, client corev1.CoreV1Interface,
	rootCertFile string, enableJitter bool, caRSAKeySize int,
) (caOpts *IstioCAOptions, err error)

NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using a self-signed certificate.

type RootCertUpdateFunc

// RootCertUpdateFunc is the callback shape for root cert updates; it matches
// IstioCAOptions.OnRootCertUpdate and the onRootCertUpdate argument of
// NewSelfSignedCARootCertRotator.
type RootCertUpdateFunc func() error

type SelfSignedCARootCertRotator

// SelfSignedCARootCertRotator automatically checks the self-signed signing
// root certificate and rotates it if it is going to expire. Create it with
// NewSelfSignedCARootCertRotator and start it with Run.
type SelfSignedCARootCertRotator struct {
	// contains filtered or unexported fields
}

SelfSignedCARootCertRotator automatically checks the self-signed signing root certificate and rotates the root certificate if it is going to expire.

func NewSelfSignedCARootCertRotator

func NewSelfSignedCARootCertRotator(config *SelfSignedCARootCertRotatorConfig,
	ca *IstioCA,
	onRootCertUpdate func() error,
) *SelfSignedCARootCertRotator

NewSelfSignedCARootCertRotator returns a new root cert rotator instance that rotates the self-signed root cert periodically. (Source carries the linter directive "nolint: gosec — not security sensitive code".)

func (*SelfSignedCARootCertRotator) Run

func (rotator *SelfSignedCARootCertRotator) Run(stopCh chan struct{})

Run refreshes root certs and updates the config map accordingly.

type SelfSignedCARootCertRotatorConfig

// SelfSignedCARootCertRotatorConfig configures a SelfSignedCARootCertRotator;
// it is supplied through IstioCAOptions.RotatorConfig.
type SelfSignedCARootCertRotatorConfig struct {
	// CheckInterval is how often the rotator checks whether the root cert needs rotation
	// (presumably the rootCertCheckInverval argument of NewSelfSignedIstioCAOptions — confirm).
	CheckInterval time.Duration
	// contains filtered or unexported fields
}

type SigningCAFileBundle

// SigningCAFileBundle holds the locations of the files used for the signing CA
// when the CA is created with NewPluggedCertIstioCAOptions.
type SigningCAFileBundle struct {
	// RootCertFile is the path to the root certificate file.
	RootCertFile    string
	// CertChainFiles are the paths to the certificate chain files.
	CertChainFiles  []string
	// SigningCertFile is the path to the signing (CA) certificate file.
	SigningCertFile string
	// SigningKeyFile is the path to the signing (CA) private key file.
	SigningKeyFile  string
}

SigningCAFileBundle holds the locations of the files used for the signing CA.
