func SaveKeyCert

func SaveKeyCert(keyFile, certFile string, privKey, cert []byte) error

SaveKeyCert writes the given private key and certificate to the files at keyFile and certFile respectively. TODO(incfly): move this into CAClient struct's own method later.


type CAClient

type CAClient struct {
	// contains filtered or unexported fields
}

CAClient is a client that provisions a key and certificate from the upstream CA via the CSR protocol.

func NewCAClient

func NewCAClient(pltfmc platform.Client, protocolClient protocol.CAProtocol, maxRetries int, interval time.Duration) (*CAClient, error)

NewCAClient creates a new CAClient instance.

func (*CAClient) Retrieve

func (c *CAClient) Retrieve(options *pkiutil.CertOptions) (newCert []byte, certChain []byte, privateKey []byte, err error)

Retrieve sends the CSR to Istio CA with automatic retries. When successful, it returns the generated key and cert; otherwise it returns an error. This is a blocking function.

type Config

type Config struct {
	// Address of the CA which the CA client calls to
	CAAddress string

	// Organization presented in the certificates
	Org string

	// Requested TTL of the certificates
	RequestedCertTTL time.Duration

	// Size of RSA private key
	RSAKeySize int

	// The environment this CA client is running on.
	Env string

	// The cluster management platform this node agent is running on.
	Platform string

	// Whether the certificate is for CA
	ForCA bool

	// CSRInitialRetrialInterval is the retrial interval for certificate requests.
	CSRInitialRetrialInterval time.Duration

	// CSRMaxRetries is the number of retries for certificate requests.
	CSRMaxRetries int

	// CSRGracePeriodPercentage indicates the length of the grace period in the
	// percentage of the entire certificate TTL.
	CSRGracePeriodPercentage int

	// CertFile defines the cert of the CA client.
	CertFile string

	// CertChainFile defines the cert chain file of the CA client, including the client's cert.
	CertChainFile string

	// KeyFile defines the private key of the CA client.
	KeyFile string

	// RootCertFile defines the root cert of the CA client.
	RootCertFile string
}

Config is configuration for the CA client.

type KeyCertBundleRotator

type KeyCertBundleRotator struct {
	// contains filtered or unexported fields
}

KeyCertBundleRotator automatically updates the key and cert bundle by interacting with upstream CA.

func NewKeyCertBundleRotator

func NewKeyCertBundleRotator(cfg *Config, keyCertBundle pkiutil.KeyCertBundle) (*KeyCertBundleRotator, error)

NewKeyCertBundleRotator is the constructor for keyCertBundleRotatorImpl based on the provided configuration.

func (*KeyCertBundleRotator) Start

func (c *KeyCertBundleRotator) Start(errCh chan<- error)

Start periodically rotates the KeyCertBundle by interacting with the upstream CA. It is a blocking function that should run as a goroutine. Thread safe.

func (*KeyCertBundleRotator) Stop

func (c *KeyCertBundleRotator) Stop()

Stop stops the loop. Thread safe.

type KeyCertRetriever

type KeyCertRetriever interface {
	Retrieve(opt *pkiutil.CertOptions) (newCert, certChain, privateKey []byte, err error)
}

KeyCertRetriever is the interface responsible for retrieving a new key and certificate from the upstream CA.
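The two pieces of Config above that drive rotation, CSRGracePeriodPercentage (when to request a new cert) and CSRInitialRetrialInterval/CSRMaxRetries (how to retry a failing CSR), are shown together below against the KeyCertRetriever interface. This is an added example, not code from the Istio package; CertOptions is a stand-in for pkiutil.CertOptions, the doubling backoff is an assumption rather than Istio's documented policy, and flakyRetriever is a constructed stand-in for the upstream CA.

```go
package main

import (
	"fmt"
	"time"
)

// CertOptions stands in for pkiutil.CertOptions (assumption: only TTL is needed here);
// KeyCertRetriever mirrors the interface documented on this page.
type CertOptions struct{ TTL time.Duration }
type KeyCertRetriever interface {
	Retrieve(opt *CertOptions) (newCert, certChain, privateKey []byte, err error)
}

// RotationWait returns how long to wait before the next CSR: one grace period (gracePct
// percent of the cert TTL, as CSRGracePeriodPercentage describes) before notAfter; 0 if due.
func RotationWait(now, notBefore, notAfter time.Time, gracePct int) time.Duration {
	grace := notAfter.Sub(notBefore) * time.Duration(gracePct) / 100
	if wait := notAfter.Add(-grace).Sub(now); wait > 0 {
		return wait
	}
	return 0
}
// RetrieveWithRetry issues the CSR via r, retrying up to maxRetries times with a
// doubling wait from initial (the backoff policy is an assumption). sleep is injected.
func RetrieveWithRetry(r KeyCertRetriever, opt *CertOptions, maxRetries int,
	initial time.Duration, sleep func(time.Duration)) (cert, chain, key []byte, err error) {
	for attempt, wait := 0, initial; ; attempt, wait = attempt+1, wait*2 {
		if cert, chain, key, err = r.Retrieve(opt); err == nil || attempt == maxRetries {
			return cert, chain, key, err
		}
		sleep(wait)
	}
}

// flakyRetriever is a constructed stand-in for the upstream CA: the first `failures` calls fail.
type flakyRetriever struct{ failures, calls int }
func (f *flakyRetriever) Retrieve(*CertOptions) ([]byte, []byte, []byte, error) {
	if f.calls++; f.calls <= f.failures {
		return nil, nil, nil, fmt.Errorf("upstream CA unavailable (attempt %d)", f.calls)
	}
	return []byte("CERT"), []byte("CHAIN"), []byte("KEY"), nil
}

func main() {
	var slept []time.Duration
	_, _, _, err := RetrieveWithRetry(&flakyRetriever{failures: 2}, &CertOptions{TTL: time.Hour},
		3, time.Second, func(d time.Duration) { slept = append(slept, d) })
	fmt.Println(err, slept) // <nil> [1s 2s]
}
```

Injecting sleep keeps the retry loop testable without real delays; a rotator would call RotationWait after each successful Retrieve to schedule the next request.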


