Documentation

Overview

Package certprovider defines APIs for Certificate Providers in gRPC.

Experimental

Notice: All APIs in this package are experimental and may be removed in a later release.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Register

func Register(b Builder)

Register registers the given Provider builder under the name returned by its Name() method. Registered Builders are used by the Store to create Providers.

Types

type BuildOptions

type BuildOptions struct {
	// CertName holds the certificate name, whose key material is of interest to
	// the caller.
	CertName string
	// WantRoot indicates if the caller is interested in the root certificate.
	WantRoot bool
	// WantIdentity indicates if the caller is interested in the identity
	// certificate.
	WantIdentity bool
}

BuildOptions contains parameters passed to a Provider at build time.

type BuildableConfig

type BuildableConfig struct {
	// contains filtered or unexported fields
}

BuildableConfig wraps parsed provider configuration and functionality to instantiate provider instances.

func NewBuildableConfig

func NewBuildableConfig(name string, config []byte, starter func(BuildOptions) Provider) *BuildableConfig

NewBuildableConfig creates a new BuildableConfig with the given arguments. Provider implementations are expected to invoke this function after parsing the given configuration as part of their ParseConfig() method. Equivalent configurations must result in byte-identical config arguments, so that the Store can recognise them as the same provider configuration and reuse instances.

func ParseConfig

func ParseConfig(name string, config interface{}) (*BuildableConfig, error)

ParseConfig is a convenience function to create a BuildableConfig given a provider name and configuration. Returns an error if there is no registered builder for the given name or if the config parsing fails.

func (*BuildableConfig) Build

func (bc *BuildableConfig) Build(opts BuildOptions) (Provider, error)

Build kicks off a provider instance with the wrapped configuration. Multiple invocations of this method with the same opts will result in provider instances being reused.

func (*BuildableConfig) String

func (bc *BuildableConfig) String() string

String returns the provider name and config as a colon separated string.

type Builder

type Builder interface {
	// ParseConfig parses the given config, which is in a format specific to individual
	// implementations, and returns a BuildableConfig on success.
	ParseConfig(interface{}) (*BuildableConfig, error)

	// Name returns the name of providers built by this builder.
	Name() string
}

Builder creates a Provider.
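The flow described above, from Builder.ParseConfig through NewBuildableConfig to Build, as an added example that is not part of this package or of gRPC. Because the real package is not imported here, the block re-implements the documented contract with the standard library and trimmed local mirrors of KeyMaterial, BuildOptions and Provider (all assumptions): a hypothetical builder named "example_pemfile" canonicalizes its JSON config by round-tripping it through a struct, and Build caches instances keyed on (builder name, config bytes, opts), which is what makes the "equivalent configurations must pass the same config" rule matter.

```go
package main

import (
	"context"
	"crypto/tls"
	"encoding/json"
	"fmt"
	"sync"
)

// Trimmed local mirrors of the documented types so the example builds without
// gRPC; they are not the real certprovider types (assumption).
type KeyMaterial struct{ Certs []tls.Certificate }
type BuildOptions struct{ CertName string }
type Provider interface {
	KeyMaterial(ctx context.Context) (*KeyMaterial, error)
	Close()
}

// BuildableConfig and Build re-implement the documented reuse rule: instances
// are cached by (builder name, config bytes, opts), which is why ParseConfig
// must hand NewBuildableConfig byte-identical config for equivalent inputs.
type BuildableConfig struct {
	name    string
	config  []byte
	starter func(BuildOptions) Provider
}
type storeKey struct {
	name, config string
	opts         BuildOptions
}

var storeMu sync.Mutex
var store = map[storeKey]Provider{}

func NewBuildableConfig(name string, config []byte, starter func(BuildOptions) Provider) *BuildableConfig {
	return &BuildableConfig{name: name, config: config, starter: starter}
}

func (bc *BuildableConfig) Build(opts BuildOptions) (Provider, error) {
	k := storeKey{bc.name, string(bc.config), opts}
	storeMu.Lock()
	defer storeMu.Unlock()
	if p, ok := store[k]; ok {
		return p, nil // same name, config and opts: reuse the running instance
	}
	p := bc.starter(opts)
	store[k] = p
	return p, nil
}

// pemConfig belongs to a hypothetical file-backed builder named "example_pemfile"
// (not the real pemfile plugin); marshalling it yields a fixed field order.
type pemConfig struct {
	CertificateFile string `json:"certificate_file"`
	PrivateKeyFile  string `json:"private_key_file"`
}
type pemBuilder struct{}

func (pemBuilder) Name() string { return "example_pemfile" }

// ParseConfig accepts raw JSON or an already-decoded value (a json.RawMessage, or
// a map from a larger parsed document), validates it, and re-encodes it so that
// equivalent inputs produce the same bytes.
func (b pemBuilder) ParseConfig(in interface{}) (*BuildableConfig, error) {
	raw, ok := in.([]byte) // Marshal would base64-encode a []byte, so take it as-is
	if !ok {
		var err error
		if raw, err = json.Marshal(in); err != nil {
			return nil, err
		}
	}
	var cfg pemConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("%s: %w", b.Name(), err)
	}
	if cfg.CertificateFile == "" || cfg.PrivateKeyFile == "" {
		return nil, fmt.Errorf("%s: certificate_file and private_key_file are required", b.Name())
	}
	canon, _ := json.Marshal(cfg) // canonical: fixed field order, no whitespace
	return NewBuildableConfig(b.Name(), canon, func(BuildOptions) Provider {
		return &pemProvider{cfg: cfg}
	}), nil
}

// pemProvider loads the pair on demand; a production plugin would watch the
// files and push updates through a Distributor instead.
type pemProvider struct{ cfg pemConfig }

func (p *pemProvider) KeyMaterial(context.Context) (*KeyMaterial, error) {
	cert, err := tls.LoadX509KeyPair(p.cfg.CertificateFile, p.cfg.PrivateKeyFile)
	if err != nil {
		return nil, err
	}
	return &KeyMaterial{Certs: []tls.Certificate{cert}}, nil
}
func (p *pemProvider) Close() {}

func main() {
	var b pemBuilder
	bc1, _ := b.ParseConfig([]byte(`{"private_key_file":"k.pem","certificate_file":"c.pem"}`))
	bc2, _ := b.ParseConfig(map[string]interface{}{"certificate_file": "c.pem", "private_key_file": "k.pem"})
	p1, _ := bc1.Build(BuildOptions{CertName: "default"})
	p2, _ := bc2.Build(BuildOptions{CertName: "default"})
	fmt.Println("byte-identical config:", string(bc1.config) == string(bc2.config), "shared instance:", p1 == p2)
}
```

The two ParseConfig calls in main receive the same settings in different forms (reordered JSON bytes and a decoded map) and still end up sharing one provider instance; a ParseConfig that passed the caller's bytes through unchanged would instead start a second, identical provider for every spelling of the same config.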

type Distributor

type Distributor struct {
	// contains filtered or unexported fields
}

Distributor makes it easy for provider implementations to furnish new key materials by handling synchronization between the producer and consumers of the key material.

Provider implementations which choose to use a Distributor should do the following:

- create a new Distributor using the NewDistributor() function.
- invoke the Set() method whenever they have new key material or errors to report.
- delegate to the distributor when handling calls to KeyMaterial().
- invoke the Stop() method when they are done using the distributor.

func NewDistributor

func NewDistributor() *Distributor

NewDistributor returns a new Distributor.

func (*Distributor) KeyMaterial

func (d *Distributor) KeyMaterial(ctx context.Context) (*KeyMaterial, error)

KeyMaterial returns the most recent key material provided to the Distributor. If no key material was provided at the time of this call, it will block until the deadline on the context expires or fresh key material arrives.

func (*Distributor) Set

func (d *Distributor) Set(km *KeyMaterial, err error)

Set updates the key material in the distributor with km.

Provider implementations which use the distributor must not modify the contents of the KeyMaterial struct pointed to by km.

A non-nil err value indicates the error that the provider implementation ran into when trying to fetch key material, and makes it possible to surface the error to the user. A non-nil error value passed here causes the distributor's KeyMaterial() method to return nil key material together with that error, rather than stale material from an earlier Set() call.

func (*Distributor) Stop

func (d *Distributor) Stop()

Stop turns down the distributor, releases allocated resources and fails any active KeyMaterial() call waiting for new key material.

type KeyMaterial

type KeyMaterial struct {
	// Certs contains a slice of cert/key pairs used to prove local identity.
	Certs []tls.Certificate
	// Roots contains the set of trusted roots to validate the peer's identity.
	Roots *x509.CertPool
}

KeyMaterial wraps the certificates and keys returned by a Provider instance.

type Provider

type Provider interface {
	// KeyMaterial returns the key material sourced by the Provider.
	// Callers are expected to use the returned value as read-only.
	KeyMaterial(ctx context.Context) (*KeyMaterial, error)

	// Close cleans up resources allocated by the Provider.
	Close()
}

Provider makes it possible to keep channel credential implementations up to date with secrets that they rely on to secure communications on the underlying channel.

Provider implementations are free to rely on local or remote sources to fetch the latest secrets, and free to share any state between different instantiations as they deem fit.
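A Provider built on a Distributor, covering the four steps listed under Distributor above and the Provider contract here, as an added example that is not the package's own code. The real gRPC types are not imported, so the block carries a standard-library re-implementation of the documented Distributor behaviour (Set, a KeyMaterial that blocks until material arrives or the context expires, Stop), a hypothetical memProvider that rotates a constructed self-signed certificate, and the consumer side: a tls.Config whose GetCertificate asks the provider with a bounded context on every handshake. Every type and function name here is an assumption.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// KeyMaterial is a local copy of the package's struct (assumption, not the gRPC type).
type KeyMaterial struct {
	Certs []tls.Certificate
	Roots *x509.CertPool
}

// distributor re-implements the documented Distributor contract with the standard
// library: Set publishes material or an error; KeyMaterial blocks until the first
// Set/Stop or until ctx is done; Stop fails waiters and all later calls.
type distributor struct {
	mu    sync.Mutex
	km    *KeyMaterial
	err   error
	ready chan struct{} // closed exactly once, by the first Set or Stop
	once  sync.Once
}

func newDistributor() *distributor { return &distributor{ready: make(chan struct{})} }

func (d *distributor) Set(km *KeyMaterial, err error) {
	if err != nil {
		km = nil // a reported error hides stale material, as the docs require
	}
	d.mu.Lock()
	d.km, d.err = km, err
	d.mu.Unlock()
	d.once.Do(func() { close(d.ready) }) // wake anyone blocked in KeyMaterial
}

func (d *distributor) KeyMaterial(ctx context.Context) (*KeyMaterial, error) {
	select {
	case <-d.ready:
	case <-ctx.Done():
		return nil, ctx.Err() // deadline hit before any material was published
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.km, d.err
}

// Stop is simplified: a Set after Stop is a provider bug and is not guarded against.
func (d *distributor) Stop() { d.Set(nil, errors.New("distributor stopped")) }

// selfSigned mints a constructed in-memory certificate so the example runs offline.
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// memProvider follows the four documented steps: own a distributor, Set on each
// rotation, delegate KeyMaterial, Stop in Close. A real one would watch files or a CA.
type memProvider struct{ d *distributor }

func (p *memProvider) Rotate(cn string) {
	cert := selfSigned(cn)
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // self-signed, so the leaf doubles as the trust root
	p.d.Set(&KeyMaterial{Certs: []tls.Certificate{cert}, Roots: roots}, nil)
}
func (p *memProvider) KeyMaterial(ctx context.Context) (*KeyMaterial, error) { return p.d.KeyMaterial(ctx) }
func (p *memProvider) Close()                                                 { p.d.Stop() }

// serverConfig is the consumer side: GetCertificate asks the provider on every
// handshake with a bounded wait, so rotation takes effect and a provider error
// fails the handshake instead of serving stale keys.
func serverConfig(p *memProvider) *tls.Config {
	return &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		ctx, cancel := context.WithTimeout(context.Background(), time.Second)
		defer cancel()
		km, err := p.KeyMaterial(ctx)
		if err != nil {
			return nil, err
		}
		return &km.Certs[0], nil
	}}
}

func main() {
	p := &memProvider{d: newDistributor()}
	cfg := serverConfig(p)
	p.Rotate("svc-v1")
	c, _ := cfg.GetCertificate(nil)
	fmt.Println("handshake would present:", c.Leaf.Subject.CommonName)
	p.d.Set(nil, errors.New("CA unreachable")) // simulated fetch failure
	_, err := cfg.GetCertificate(nil)
	fmt.Println("after provider error:", err)
	p.Close()
}
```

Two points the callback illustrates: the consumer treats the returned KeyMaterial as read-only (it hands back a pointer into km.Certs and never mutates it, matching the Provider comment above), and it always passes a context with a deadline, because a provider that has not yet published anything blocks rather than returning empty material.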

func GetProvider

func GetProvider(name string, config interface{}, opts BuildOptions) (Provider, error)

GetProvider is a convenience function to create a provider given the name, config and build options.

Directories

Path                Synopsis
meshca              Package meshca provides an implementation of the Provider interface which communicates with MeshCA to get certificates signed.
meshca/internal/v1
pemfile             Package pemfile provides a file watching certificate provider plugin implementation which works for files with PEM contents.