const (

	// CASecret stores the key/cert of self-signed CA for persistency purpose.
	CASecret = "istio-ca-secret"
	// CertChainID is the ID/name for the certificate chain file.
	CertChainID = "cert-chain.pem"
	// PrivateKeyID is the ID/name for the private key file.
	PrivateKeyID = "key.pem"
	// RootCertID is the ID/name for the CA root certificate file.
	RootCertID = "root-cert.pem"
	// ServiceAccountNameAnnotationKey is the key to specify corresponding service account in the annotation of K8s secrets.
	ServiceAccountNameAnnotationKey = ""
	// ReadSigningCertCheckInterval specifies the time to wait between retries on reading the signing key and cert.
	ReadSigningCertCheckInterval = time.Second * 5




func BuildSecret

func BuildSecret(saName, scrtName, namespace string, certChain, privateKey, rootCert, caCert, caPrivateKey []byte, secretType v1.SecretType) *v1.Secret

BuildSecret returns a v1.Secret of the given secretType whose data fields are populated from the parameters passed in (certificate chain, private key, root certificate, and CA certificate/key), annotated with the given service account name.


type CertificateAuthority

type CertificateAuthority interface {
	// Sign generates a certificate for a workload or CA, from the given CSR and TTL.
	// TODO(myidpt): simplify this interface and pass a struct with cert field values instead.
	Sign(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
	// GetCAKeyCertBundle returns the KeyCertBundle used by CA.
	GetCAKeyCertBundle() util.KeyCertBundle

CertificateAuthority is the set of methods a CA implementation must provide: signing a CSR and exposing the CA's key/cert bundle.

type ErrType

type ErrType int

ErrType is the type for CA errors.

const (
	// CANotReady means the CA is not ready to sign CSRs.
	CANotReady ErrType = iota
	// CSRError means the CA cannot sign CSR due to CSR error.
	// TTLError means the required TTL is invalid.
	// CertGenError means an error happened during the certificate generation.

type Error

type Error struct {
	// contains filtered or unexported fields

Error encapsulates a short error type (see ErrorType) together with the underlying, more detailed error.

func NewError

func NewError(t ErrType, err error) *Error

NewError creates a new Error instance.

func (Error) Error

func (e Error) Error() string

Error returns the string error message.

func (Error) ErrorType

func (e Error) ErrorType() string

ErrorType returns a short string representing the error type.

func (Error) HTTPErrorCode

func (e Error) HTTPErrorCode() codes.Code

HTTPErrorCode returns an error code (of type codes.Code, as shown in the signature) representing the error type.

type IstioCA

type IstioCA struct {
	// contains filtered or unexported fields

IstioCA generates keys and certificates for Istio identities.

func NewIstioCA

func NewIstioCA(opts *IstioCAOptions) (*IstioCA, error)

NewIstioCA returns a new IstioCA instance.

func (*IstioCA) GetCAKeyCertBundle

func (ca *IstioCA) GetCAKeyCertBundle() util.KeyCertBundle

GetCAKeyCertBundle returns the KeyCertBundle for the CA.

func (*IstioCA) Sign

func (ca *IstioCA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) ([]byte, error)

Sign takes a PEM-encoded CSR, a list of subject IDs and a requested lifetime, and returns a signed certificate. If forCA is true, the signed certificate is a CA certificate; otherwise it is a workload certificate. TODO(myidpt): Add error code to identify the Sign error types.

type IstioCAOptions

type IstioCAOptions struct {
	CAType caTypes

	CertTTL    time.Duration
	MaxCertTTL time.Duration

	KeyCertBundle util.KeyCertBundle

	LivenessProbeOptions *probe.Options
	ProbeCheckInterval   time.Duration

IstioCAOptions holds the configuration for creating an Istio CA. TODO(myidpt): remove IstioCAOptions.

func NewPluggedCertIstioCAOptions

func NewPluggedCertIstioCAOptions(certChainFile, signingCertFile, signingKeyFile, rootCertFile string,
	certTTL, maxCertTTL time.Duration, namespace string, client corev1.CoreV1Interface) (caOpts *IstioCAOptions, err error)

NewPluggedCertIstioCAOptions returns a new IstioCAOptions instance built from the given certificate chain, signing certificate, signing key and root certificate files.

func NewSelfSignedIstioCAOptions

func NewSelfSignedIstioCAOptions(ctx context.Context, caCertTTL, certTTL, maxCertTTL time.Duration, org string, dualUse bool,
	namespace string, readCertRetryInterval time.Duration, client corev1.CoreV1Interface) (caOpts *IstioCAOptions, err error)

NewSelfSignedIstioCAOptions returns a new IstioCAOptions instance using a self-signed CA certificate.
