spiffe

package
v0.0.0-...-83b5d90 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 16, 2025 License: Apache-2.0 Imports: 15 Imported by: 101

Documentation

Index

Constants

View Source
const (
	Scheme = "spiffe"

	URIPrefix    = Scheme + "://"
	URIPrefixLen = len(URIPrefix)

	ServiceAccountSegment = "sa"
	NamespaceSegment      = "ns"
)

Variables

This section is empty.

Functions

func ExpandWithTrustDomains

func ExpandWithTrustDomains(spiffeIdentities sets.String, trustDomainAliases []string) sets.String

ExpandWithTrustDomains expands a given spiffe identities, plus a list of trust domain aliases. We ensure the returned list does not contain duplicates; the original input is always retained. For example, ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/def"}, {"td1", "td2"}) returns

{"spiffe://td1/ns/def/sa/def", "spiffe://td2/ns/def/sa/def"}.

ExpandWithTrustDomains({"spiffe://td1/ns/def/sa/a", "spiffe://td1/ns/def/sa/b"}, {"td2"}) returns

{"spiffe://td1/ns/def/sa/a", "spiffe://td2/ns/def/sa/a", "spiffe://td1/ns/def/sa/b", "spiffe://td2/ns/def/sa/b"}.

func GetTrustDomainFromURISAN

func GetTrustDomainFromURISAN(uriSan string) (string, error)

GetTrustDomainFromURISAN extracts the trust domain part from the URI SAN in the X.509 certificate.

func MustGenSpiffeURI

func MustGenSpiffeURI(meshCfg *meshconfig.MeshConfig, ns, serviceAccount string) string

MustGenSpiffeURI returns the formatted uri(SPIFFE format for now) for the certificate and logs if there was an error.

func MustGenSpiffeURIForTrustDomain

func MustGenSpiffeURIForTrustDomain(td, ns, serviceAccount string) string

MustGenSpiffeURIForTrustDomain returns the formatted uri(SPIFFE format for now) for the certificate and logs if there was an error.

func RetrieveSpiffeBundleRootCerts

func RetrieveSpiffeBundleRootCerts(config map[string]string, caCertPool *x509.CertPool, retryTimeout time.Duration) (
	map[string][]*x509.Certificate, error,
)

RetrieveSpiffeBundleRootCerts retrieves the trusted CA certificates from a list of SPIFFE bundle endpoints. It can use the system cert pool and the supplied certificates to validate the endpoints.

Types

type Identity

type Identity struct {
	TrustDomain    string
	Namespace      string
	ServiceAccount string
}

func ParseIdentity

func ParseIdentity(s string) (Identity, error)

func (Identity) String

func (i Identity) String() string

type PeerCertVerifier

type PeerCertVerifier struct {
	// contains filtered or unexported fields
}

PeerCertVerifier is an instance to verify the peer certificate in the SPIFFE way using the retrieved root certificates.

func NewPeerCertVerifier

func NewPeerCertVerifier() *PeerCertVerifier

NewPeerCertVerifier returns a new PeerCertVerifier.

func (*PeerCertVerifier) AddMapping

func (v *PeerCertVerifier) AddMapping(trustDomain string, certs []*x509.Certificate)

AddMapping adds a new trust domain to certificates mapping to the certPools map.

func (*PeerCertVerifier) AddMappingFromPEM

func (v *PeerCertVerifier) AddMappingFromPEM(trustDomain string, rootCertBytes []byte) error

AddMappingFromPEM adds multiple RootCA's to the spiffe Trust bundle in the trustDomain namespace

func (*PeerCertVerifier) AddMappings

func (v *PeerCertVerifier) AddMappings(certMap map[string][]*x509.Certificate)

AddMappings merges a trust domain to certs map to the certPools map.

func (*PeerCertVerifier) GetGeneralCertPool

func (v *PeerCertVerifier) GetGeneralCertPool() *x509.CertPool

GetGeneralCertPool returns generalCertPool containing all root certs.

func (*PeerCertVerifier) VerifyPeerCert

func (v *PeerCertVerifier) VerifyPeerCert(rawCerts [][]byte, _ [][]*x509.Certificate) error

VerifyPeerCert is an implementation of tls.Config.VerifyPeerCertificate. It verifies the peer certificate using the root certificates associated with its trust domain.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL