Documentation
Index
- func GetAthenzIdentity(athenzDomain, athenzService, athenzProvider, ztsUrl string, ...) (*util.SiaCertData, error)
- func GetRoleCertificate(athenzDomain, athenzService, athenzProvider, roleName, ztsUrl string, ...) (*util.SiaCertData, error)
- func StoreAthenzIdentityInCertificateManager(certificateName, location string, siaCertData *util.SiaCertData, scope string, ...) error
- func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, ...) error
- func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, ...) error
- type CertificateManagerOperations
- type DefaultMetadataProvider
- type MetadataProvider
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetAthenzIdentity (added in v1.11.36)
func GetAthenzIdentity(athenzDomain, athenzService, athenzProvider, ztsUrl string, sanDNSDomains []string, spiffeTrustDomain string, csrSubjectFields util.CsrSubjectFields) (*util.SiaCertData, error)
GetAthenzIdentity can be called from within a GCF (Google Cloud Function) to obtain an Athenz service certificate from ZTS. See https://cloud.google.com/functions/docs/writing/write-http-functions#http-example-go
func GetRoleCertificate (added in v1.12.23)
func GetRoleCertificate(athenzDomain, athenzService, athenzProvider, roleName, ztsUrl string, expiryTime int64, sanDNSDomains []string, spiffeTrustDomain string, csrSubjectFields util.CsrSubjectFields, rolePrincipalEmail bool, svcTLSCert *util.SiaCertData) (*util.SiaCertData, error)
GetRoleCertificate retrieves a role certificate for the specified Athenz domain, service, provider, and role name. A role certificate can only be requested with a service certificate, so the Athenz service certificate must be obtained first and passed in as svcTLSCert; ZTS then issues the role certificate. It returns a SiaCertData object containing the role certificate and its private key.
func StoreAthenzIdentityInCertificateManager (added in v1.12.29)
func StoreAthenzIdentityInCertificateManager(certificateName, location string, siaCertData *util.SiaCertData, scope string, resourceLabels map[string]string) error
StoreAthenzIdentityInCertificateManager stores the retrieved Athenz identity certificate in Google Certificate Manager. The certificate is stored as a self-managed certificate consisting of the certificate and its private key.
The certificate specified by the certificateName must be pre-created and the service account that the function is invoked with must have been authorized to assume the "Certificate Manager Admin" role or equivalent permissions to create/update certificates.
The location parameter specifies where the certificate should be created (e.g., "global"). For regional certificates, specify the region (e.g., "us-central1").
The scope parameter specifies the scope of the certificate. The valid values are: "DEFAULT", "EDGE_CACHE", "ALL_REGIONS", and "CLIENT_AUTH".
func StoreAthenzIdentityInSecretManager (added in v1.11.36)
func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, isRoleCertificate bool) error
StoreAthenzIdentityInSecretManager stores the retrieved Athenz identity in the specified secret. The secret is stored in the following JSON format:
{
"<domain>.<service>.cert.pem": "<x509-cert-pem>",
"<domain>.<service>.key.pem": "<pkey-pem>",
"ca.cert.pem": "<ca-cert-pem>",
"time": <utc-timestamp>
}
The secret specified by secretName must be pre-created, and the service account that the function is invoked with must have been authorized to assume the "Secret Manager Secret Version Adder" role.
func StoreAthenzIdentityInSecretManagerCustomFormat (added in v1.12.3)
func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string, isRoleCertificate bool) error
StoreAthenzIdentityInSecretManagerCustomFormat stores the retrieved Athenz identity in the specified secret, using the JSON field names given in jsonFieldMapper. The secret is stored in the following JSON format:
{
"<x509-cert-pem-key>": "<x509-cert-pem>",
"<private-pem-key>": "<pkey-pem>",
"<ca-cert-key>": "<ca-cert-pem>",
"<time-key>": <utc-timestamp>
}
Only four JSON fields are supported as keys of jsonFieldMapper: 'cert_pem', 'key_pem', 'ca_pem' and 'time'. Of these, 'cert_pem' and 'key_pem' are mandatory; the resulting JSON contains the X509CertificateSignerPem (the CA certificate) and the timestamp only if the corresponding JSON field names are set.
A sample jsonFieldMapper of map[string]string{"cert_pem": "certPem", "key_pem": "keyPem"} results in JSON like
{ "certPem": "<x509-cert-pem>", "keyPem": "<pkey-pem>" }
The secret specified by secretName must be pre-created, and the service account that the function is invoked with must have been authorized to assume the "Secret Manager Secret Version Adder" role.
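The two secret layouts above share one structure and differ only in key names: the default format is the custom format with a fixed mapper. The block below is an added Go example, not code from this package or the Athenz project. It re-implements the documented jsonFieldMapper rules for writing the payload (only the four known fields, cert_pem and key_pem mandatory, ca_pem and time present only when mapped) and, on the reading side, checks that the private key in the secret actually belongs to the certificate and that the certificate is inside its validity window, which is what a consumer of the secret should verify before using it as a TLS identity. It assumes an ECDSA key in an "EC PRIVATE KEY" PEM block, a UTC Unix-seconds timestamp, and a stand-in identity struct in place of util.SiaCertData; none of those details are stated on this page. The self-signed certificate is constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// identity stands in for the util.SiaCertData fields used here; the struct
// is an assumption made for this example, not the library's own type.
type identity struct{ CertPEM, KeyPEM, CACertPEM string }

// buildCustomSecret reproduces the documented jsonFieldMapper rules: only
// cert_pem, key_pem, ca_pem and time are recognised, cert_pem and key_pem
// must be mapped, and ca_pem/time are written only when they are mapped.
func buildCustomSecret(id identity, mapper map[string]string, now time.Time) ([]byte, error) {
	values := map[string]any{"cert_pem": id.CertPEM, "key_pem": id.KeyPEM,
		"ca_pem": id.CACertPEM, "time": now.UTC().Unix()} // timestamp assumed to be Unix seconds
	for _, required := range []string{"cert_pem", "key_pem"} {
		if _, ok := mapper[required]; !ok {
			return nil, fmt.Errorf("%s mapping is mandatory", required)
		}
	}
	out := map[string]any{}
	for field, jsonKey := range mapper {
		v, ok := values[field]
		if !ok {
			return nil, fmt.Errorf("unsupported json field %q", field)
		}
		out[jsonKey] = v
	}
	return json.Marshal(out)
}

// pemBytes returns the DER bytes of the first PEM block in field key, or nil.
func pemBytes(m map[string]any, key string) []byte {
	s, _ := m[key].(string)
	if block, _ := pem.Decode([]byte(s)); block != nil {
		return block.Bytes
	}
	return nil
}

// loadSecret parses a payload written with the same mapper and checks that the
// key really belongs to the certificate and that the certificate is in date.
func loadSecret(payload []byte, mapper map[string]string, now time.Time) (*x509.Certificate, error) {
	var m map[string]any
	if err := json.Unmarshal(payload, &m); err != nil {
		return nil, err
	}
	cert, certErr := x509.ParseCertificate(pemBytes(m, mapper["cert_pem"]))
	key, keyErr := x509.ParseECPrivateKey(pemBytes(m, mapper["key_pem"]))
	if certErr != nil || keyErr != nil {
		return nil, fmt.Errorf("bad certificate or key field: %v / %v", certErr, keyErr)
	}
	if !key.PublicKey.Equal(cert.PublicKey) {
		return nil, fmt.Errorf("private key does not match certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate outside its validity period")
	}
	return cert, nil
}

// newTestIdentity builds a throwaway self-signed P-256 certificate so the
// example runs offline; in a GCF the data would come from GetAthenzIdentity.
func newTestIdentity() identity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "example-domain.example-service"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a freshly generated P-256 key
	return identity{
		CertPEM: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		KeyPEM:  string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})),
	}
}

func main() {
	mapper := map[string]string{"cert_pem": "certPem", "key_pem": "keyPem", "time": "time"}
	payload, err := buildCustomSecret(newTestIdentity(), mapper, time.Now())
	if err == nil {
		_, err = loadSecret(payload, mapper, time.Now())
	}
	fmt.Println("round trip error:", err) // prints <nil> when the stored identity checks out
}
```

With the mapper used in main the payload carries certPem, keyPem and time but no CA field, matching the rule that ca_pem is written only when it is mapped; a mapper that omits key_pem or names an unknown field is rejected before anything is written.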
Types
type CertificateManagerOperations (added in v1.12.33)
type CertificateManagerOperations interface {
CreateCertificate(ctx context.Context, parent string, certificate *certificatemanagerapi.Certificate, certificateId string) (*certificatemanagerapi.Operation, error)
PatchCertificate(ctx context.Context, name string, certificate *certificatemanagerapi.Certificate, updateMask string) (*certificatemanagerapi.Operation, error)
GetOperation(ctx context.Context, operationName string) (*certificatemanagerapi.Operation, error)
}
CertificateManagerOperations defines the operations needed for certificate management.
type DefaultMetadataProvider (added in v1.12.29)
type DefaultMetadataProvider struct{}
DefaultMetadataProvider is the default implementation that uses the gcpm package.
func (*DefaultMetadataProvider) GetProject (added in v1.12.29)
func (p *DefaultMetadataProvider) GetProject(metaEndpoint string) (string, error)
GetProject retrieves the GCP project ID from the metadata server.
type MetadataProvider (added in v1.12.29)
MetadataProvider defines the interface for GCP metadata operations.