ca

package
v0.0.0-...-0247fcc Latest
Published: Jan 6, 2025 License: Apache-2.0 Imports: 22 Imported by: 12

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func RecordCertsExpiry

func RecordCertsExpiry(keyCertBundle *util.KeyCertBundle)

RecordCertsExpiry updates the certificate-expiration metrics from a new KeyCertBundle.

Types

type CertificateAuthority

type CertificateAuthority interface {
	// Sign generates a certificate for a workload or CA, from the given CSR and cert opts.
	Sign(csrPEM []byte, opts ca.CertOpts) ([]byte, error)
	// SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.
	SignWithCertChain(csrPEM []byte, opts ca.CertOpts) ([]string, error)
	// GetCAKeyCertBundle returns the KeyCertBundle used by CA.
	GetCAKeyCertBundle() *util.KeyCertBundle
}

CertificateAuthority contains methods to be supported by a CA.

type ClusterNodeAuthorizer

type ClusterNodeAuthorizer struct {
	// contains filtered or unexported fields
}

func NewClusterNodeAuthorizer

func NewClusterNodeAuthorizer(client kube.Client, trustedNodeAccounts sets.Set[types.NamespacedName]) *ClusterNodeAuthorizer

func (*ClusterNodeAuthorizer) Close

func (na *ClusterNodeAuthorizer) Close()

func (*ClusterNodeAuthorizer) HasSynced

func (na *ClusterNodeAuthorizer) HasSynced() bool

type MulticlusterNodeAuthorizor

type MulticlusterNodeAuthorizor struct {
	// contains filtered or unexported fields
}

MulticlusterNodeAuthorizor is responsible for maintaining an index of ClusterNodeAuthorizers, one per cluster (https://docs.google.com/document/d/10uf4EvUVif4xGeCYQydaKh9Yaz9wpysao7gyLewJY2Q). Node authorization requests originating from one cluster are forwarded to the ClusterNodeAuthorizer for that same cluster.

func NewMulticlusterNodeAuthenticator

func NewMulticlusterNodeAuthenticator(
	trustedNodeAccounts sets.Set[types.NamespacedName],
	controller multicluster.ComponentBuilder,
) *MulticlusterNodeAuthorizor

type SaNode

type SaNode struct {
	ServiceAccount types.NamespacedName
	Node           string
}

func (SaNode) String

func (s SaNode) String() string

type Server

type Server struct {
	pb.UnimplementedIstioCertificateServiceServer

	Authenticators []security.Authenticator
	// contains filtered or unexported fields
}

Server implements IstioCAService and IstioCertificateService and provides the services on the specified port.

func New

func New(
	ca CertificateAuthority,
	ttl time.Duration,
	authenticators []security.Authenticator,
	controller multicluster.ComponentBuilder,
) (*Server, error)

New creates a new instance of `IstioCAServiceServer`

func (*Server) CreateCertificate

func (s *Server) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
	*pb.IstioCertificateResponse, error,
)

CreateCertificate handles an incoming certificate signing request (CSR). It authenticates and authorizes the caller and, once the request is validated, signs a certificate in which:

- the SAN is the identity of the caller established by authentication (not a SAN the CSR itself asks for);
- the subject public key is the public key carried in the CSR;
- the validity duration is the ValidityDuration from the request, or the default value if the given duration is invalid;
- the signature is made with the CA signing key.
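The issuance rules above, together with the CertificateAuthority.Sign signature earlier on this page, are easy to get wrong in one specific way: letting a SAN named in the CSR, rather than the authenticated caller, end up in the certificate. The following is an added, stand-alone example written for this page in Go; it is not code from this package or from Istio. It builds a throwaway in-memory CA whose Sign follows the listed rules, then submits a CSR that claims a different SPIFFE identity than the one the caller authenticated as. CertOpts, memCA, newMemCA, makeCSR and issue are hypothetical names defined here (the real ca.CertOpts and util.KeyCertBundle are not used), the SPIFFE URIs are constructed sample input, and the "requested TTL above the CA maximum falls back to the default" rule is this example's assumption about what "invalid" means.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CertOpts is a hypothetical stand-in for the opts that Sign takes on this page.
type CertOpts struct {
	SubjectIDs []string      // identities from the authentication result (SPIFFE URIs)
	TTL        time.Duration // validity requested by the caller; <= 0 means "use the default"
}

// memCA is a throwaway in-memory CA for this example, not the project's CA.
type memCA struct {
	key                *ecdsa.PrivateKey
	cert               *x509.Certificate
	maxTTL, defaultTTL time.Duration
}

func newMemCA(maxTTL, defaultTTL time.Duration) (*memCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * 365 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &memCA{key: key, cert: cert, maxTTL: maxTTL, defaultTTL: defaultTTL}, err
}

// Sign: SANs come from the authenticated identity, the key from the CSR, the
// lifetime from the request unless it is invalid (here: <= 0 or above maxTTL).
func (c *memCA) Sign(csrPEM []byte, opts CertOpts) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("csr: not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the CSR's private key
		return nil, fmt.Errorf("csr: %w", err)
	}
	if len(opts.SubjectIDs) == 0 {
		return nil, fmt.Errorf("sign: no authenticated identity, refusing to issue")
	}
	ttl := opts.TTL
	if ttl <= 0 || ttl > c.maxTTL {
		ttl = c.defaultTTL
	}
	// Only the authenticated identity becomes a SAN; csr.URIs and csr.DNSNames are ignored.
	uris := make([]*url.URL, len(opts.SubjectIDs))
	for i, id := range opts.SubjectIDs {
		if uris[i], err = url.Parse(id); err != nil {
			return nil, err
		}
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	now := time.Now().UTC().Truncate(time.Second) // X.509 times have second precision
	tmpl := &x509.Certificate{
		SerialNumber: serial, NotBefore: now, NotAfter: now.Add(ttl), URIs: uris,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, csr.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// makeCSR builds a constructed workload CSR that claims claimedID in its SAN,
// as a misconfigured or malicious client might.
func makeCSR(claimedID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(claimedID)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), err
}

// issue signs csrPEM for authenticatedID and returns the parsed certificate.
func issue(c *memCA, csrPEM []byte, authenticatedID string, requested time.Duration) (*x509.Certificate, error) {
	certPEM, err := c.Sign(csrPEM, CertOpts{SubjectIDs: []string{authenticatedID}, TTL: requested})
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(certPEM)
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	c, err := newMemCA(24*time.Hour, time.Hour)
	if err != nil {
		panic(err)
	}
	csr, _ := makeCSR("spiffe://cluster.local/ns/istio-system/sa/istiod") // claimed in the CSR only
	cert, err := issue(c, csr, "spiffe://cluster.local/ns/default/sa/sleep", 48*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN:", cert.URIs, "lifetime:", cert.NotAfter.Sub(cert.NotBefore))
}
```

Running it prints the sleep service account's SPIFFE URI as the only SAN and a one-hour lifetime: the istiod identity the CSR asked for never reaches the certificate, and the 48h request exceeded the CA's maximum so the default applied. The CheckSignature call is the one CSR-derived thing a CA should still trust, because it proves the caller holds the private key for the public key being certified.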

func (*Server) Register

func (s *Server) Register(grpcServer *grpc.Server)

Register registers the certificate service on the given gRPC server.
