istio_ca

package

v0.1.0 Latest Latest Go to latest Published: Feb 15, 2023 License: Apache-2.0 Imports: 42 Imported by: 3

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cisco-open/nasp

Documentation ¶

Index ¶

Constants
func CreateK8SToken(ctx context.Context, config *rest.Config, saName, saNamespace string, ...) ([]byte, error)
func GetIMGWData(cl client.Client, config *rest.Config, scheme *runtime.Scheme, ...) (pod corev1.Pod, address string, err error)
func GetIstioRootCAPEM(cl client.Client, istioRevision string) ([]byte, error)
func GetIstioTokenFromPod(config *rest.Config, scheme *runtime.Scheme, name, namespace string) ([]byte, error)
func GetIstiodService(cl client.Client, istioRevision string) (*corev1.Service, error)
func NewIstioCAClient(config IstioCAClientConfig, logger logr.Logger) ca.Client
type CitadelClient
- func NewCitadelClient(opts *security.Options, tlsOpts *TLSOptions, logger logr.Logger) (*CitadelClient, error)
- func (c *CitadelClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error)
- func (c *CitadelClient) Close()
- func (c *CitadelClient) GetRootCertBundle() ([]string, error)
type ConfigRetrievalError
- func (e ConfigRetrievalError) Error() string
type CredFetcher
- func (f CredFetcher) GetIdentityProvider() string
- func (f CredFetcher) GetPlatformCredential() (string, error)
- func (f CredFetcher) GetType() string
- func (f CredFetcher) Stop()
type IstioCAClient
- func (c *IstioCAClient) GetCAEndpoint() string
- func (c *IstioCAClient) GetCAPem() []byte
- func (c *IstioCAClient) GetCertificate(hostname string, ttl time.Duration) (ca.Certificate, error)
- func (c *IstioCAClient) GetConfig() IstioCAClientConfig
type IstioCAClientConfig
- func GetIstioCAClientConfig(clusterID string, istioRevision string) (IstioCAClientConfig, error)
- func GetIstioCAClientConfigFromLocal(clusterID string, endpointAddress string) (config IstioCAClientConfig, err error)
- func GetIstioCAClientConfigWithKubeConfig(clusterID string, istioRevision string, kubeConfig []byte, ...) (IstioCAClientConfig, error)
type IstioCAClientConfigAndEnvironment
- func GetIstioCAClientConfigFromHeimdall(heimdallURL, clientID, clientSecret, version string) (config IstioCAClientConfigAndEnvironment, err error)
type TLSOptions

Constants ¶

View Source

const (
	// K8sSATrustworthyJWTFileName is the token volume mount file name for k8s trustworthy jwt token.
	K8sSATrustworthyJWTFileName = "/var/run/secrets/tokens/istio-token"

	// K8sSAJWTFileName is the token volume mount file name for k8s jwt token.
	K8sSAJWTFileName = "/var/run/secrets/kubernetes.io/serviceaccount/token"

	// The data name in the ConfigMap of each namespace storing the root cert of non-Kube CA.
	CACertPEMFileName = "/var/run/secrets/istio/root-cert.pem"
)

Variables ¶

This section is empty.

Functions ¶

func CreateK8SToken ¶

func CreateK8SToken(ctx context.Context, config *rest.Config, saName, saNamespace string, audiences []string, expirationSeconds int) ([]byte, error)

func GetIMGWData ¶

func GetIMGWData(cl client.Client, config *rest.Config, scheme *runtime.Scheme, istioRevision string) (pod corev1.Pod, address string, err error)

func GetIstioRootCAPEM ¶

func GetIstioRootCAPEM(cl client.Client, istioRevision string) ([]byte, error)

func GetIstioTokenFromPod ¶

func GetIstioTokenFromPod(config *rest.Config, scheme *runtime.Scheme, name, namespace string) ([]byte, error)

func GetIstiodService ¶

func GetIstiodService(cl client.Client, istioRevision string) (*corev1.Service, error)

func NewIstioCAClient ¶

func NewIstioCAClient(config IstioCAClientConfig, logger logr.Logger) ca.Client

Types ¶

type CitadelClient ¶

type CitadelClient struct {
	// contains filtered or unexported fields
}

func NewCitadelClient ¶

func NewCitadelClient(opts *security.Options, tlsOpts *TLSOptions, logger logr.Logger) (*CitadelClient, error)

NewCitadelClient create a CA client for Citadel.

func (*CitadelClient) CSRSign ¶

func (c *CitadelClient) CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error)

CSRSign calls Citadel to sign a CSR.

func (*CitadelClient) Close ¶

func (c *CitadelClient) Close()

func (*CitadelClient) GetRootCertBundle ¶

func (c *CitadelClient) GetRootCertBundle() ([]string, error)

GetRootCertBundle: Citadel (Istiod) CA doesn't publish any endpoint to retrieve CA certs

type ConfigRetrievalError ¶

type ConfigRetrievalError struct {
	Status string
}

func (ConfigRetrievalError) Error ¶

func (e ConfigRetrievalError) Error() string

type CredFetcher ¶

type CredFetcher struct {
	Token string
}

func (CredFetcher) GetIdentityProvider ¶

func (f CredFetcher) GetIdentityProvider() string

func (CredFetcher) GetPlatformCredential ¶

func (f CredFetcher) GetPlatformCredential() (string, error)

func (CredFetcher) GetType ¶

func (f CredFetcher) GetType() string

func (CredFetcher) Stop ¶

func (f CredFetcher) Stop()

type IstioCAClient ¶

type IstioCAClient struct {
	// contains filtered or unexported fields
}

func (*IstioCAClient) GetCAEndpoint ¶

func (c *IstioCAClient) GetCAEndpoint() string

func (*IstioCAClient) GetCAPem ¶

func (c *IstioCAClient) GetCAPem() []byte

func (*IstioCAClient) GetCertificate ¶

func (c *IstioCAClient) GetCertificate(hostname string, ttl time.Duration) (ca.Certificate, error)

func (*IstioCAClient) GetConfig ¶

func (c *IstioCAClient) GetConfig() IstioCAClientConfig

type IstioCAClientConfig ¶

type IstioCAClientConfig struct {
	CAEndpoint    string
	CAEndpointSAN string
	ClusterID     string
	Token         []byte
	CApem         []byte
	Revision      string
}

func GetIstioCAClientConfig ¶

func GetIstioCAClientConfig(clusterID string, istioRevision string) (IstioCAClientConfig, error)

func GetIstioCAClientConfigFromLocal ¶

func GetIstioCAClientConfigFromLocal(clusterID string, endpointAddress string) (config IstioCAClientConfig, err error)

func GetIstioCAClientConfigWithKubeConfig ¶

func GetIstioCAClientConfigWithKubeConfig(clusterID string, istioRevision string, kubeConfig []byte, saObjectKey *client.ObjectKey) (IstioCAClientConfig, error)

type IstioCAClientConfigAndEnvironment ¶

type IstioCAClientConfigAndEnvironment struct {
	CAClientConfig IstioCAClientConfig
	Environment    environment.IstioEnvironment
}

func GetIstioCAClientConfigFromHeimdall ¶

func GetIstioCAClientConfigFromHeimdall(heimdallURL, clientID, clientSecret, version string) (config IstioCAClientConfigAndEnvironment, err error)

type TLSOptions ¶

type TLSOptions struct {
	RootCertPEM []byte
	KeyPEM      []byte
	CertPEM     []byte
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL