v3

package

v1.8.1 Latest Latest Go to latest Published: Oct 5, 2022 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kumahq/kuma

Documentation ¶

Index ¶

func CreateDownstreamTlsContext(downstreamMesh core_xds.CaRequest, mesh core_xds.IdentityCertRequest) (*envoy_tls.DownstreamTlsContext, error)
func CreateUpstreamTlsContext(mesh core_xds.IdentityCertRequest, upstreamMesh core_xds.CaRequest, ...) (*envoy_tls.UpstreamTlsContext, error)
func KumaIDMatcher(tagName, tagValue string) *envoy_type_matcher.StringMatcher
func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
func NewSecretConfigSource(secretName string) *envoy_tls.SdsSecretConfig
func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher
func StaticDownstreamTlsContext(keyPair *tls.KeyPair) *envoy_tls.DownstreamTlsContext
func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool, hostname string, sni string) (*envoy_tls.UpstreamTlsContext, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CreateDownstreamTlsContext ¶

func CreateDownstreamTlsContext(downstreamMesh core_xds.CaRequest, mesh core_xds.IdentityCertRequest) (*envoy_tls.DownstreamTlsContext, error)

CreateDownstreamTlsContext creates DownstreamTlsContext for incoming connections It verifies that incoming connection has TLS certificate signed by Mesh CA with URI SAN of prefix spiffe://{mesh_name}/ It secures inbound listener with certificate of "identity_cert" that will be received from the SDS (it contains URI SANs of all inbounds).

func CreateUpstreamTlsContext ¶

func CreateUpstreamTlsContext(mesh core_xds.IdentityCertRequest, upstreamMesh core_xds.CaRequest, upstreamService string, sni string) (*envoy_tls.UpstreamTlsContext, error)

CreateUpstreamTlsContext creates UpstreamTlsContext for outgoing connections It verifies that the upstream server has TLS certificate signed by Mesh CA with URI SAN of spiffe://{mesh_name}/{upstream_service} The downstream client exposes for the upstream server cert with multiple URI SANs, which means that if DP has inbound with services "web" and "web-api" and communicates with "backend" the upstream server ("backend") will see that DP with TLS certificate of URIs of "web" and "web-api". There is no way to correlate incoming request to "web" or "web-api" with outgoing request to "backend" to expose only one URI SAN.

Pass "*" for upstreamService to validate that upstream service is a service that is part of the mesh (but not specific one)

func KumaIDMatcher ¶

func KumaIDMatcher(tagName, tagValue string) *envoy_type_matcher.StringMatcher

func MeshSpiffeIDPrefixMatcher ¶

func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher

func NewSecretConfigSource ¶ added in v1.8.1

func NewSecretConfigSource(secretName string) *envoy_tls.SdsSecretConfig

func ServiceSpiffeIDMatcher ¶

func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher

func StaticDownstreamTlsContext ¶

func StaticDownstreamTlsContext(keyPair *tls.KeyPair) *envoy_tls.DownstreamTlsContext

func UpstreamTlsContextOutsideMesh ¶

func UpstreamTlsContextOutsideMesh(ca, cert, key []byte, allowRenegotiation bool, hostname string, sni string) (*envoy_tls.UpstreamTlsContext, error)

Types ¶

This section is empty.

Source Files ¶

View all Source files

tls.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL