// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package certs
import (
"crypto/tls"
"crypto/x509"
"github.com/cilium/cilium/api/v1/models"
"github.com/cilium/cilium/pkg/identity"
)
// CertificateRotationEvent is the value delivered on the channel returned by
// CertificateProvider.SubscribeToRotatedIdentities for an identity whose
// certificate has been rotated.
type CertificateRotationEvent struct {
	// Identity is the Cilium numeric identity whose certificate changed.
	Identity identity.NumericIdentity
	// Deleted presumably reports that the identity's certificate was removed
	// rather than renewed — TODO confirm against the provider implementation,
	// which is not visible here.
	Deleted bool
}
// CertificateProvider abstracts the source of the certificates, private keys
// and CA trust bundle that Cilium presents and verifies in a TLS handshake on
// behalf of a numeric identity. It also defines the mapping between a Cilium
// numeric identity and the certificate-level identity (SNI, SANs) carried by
// the handshake, so callers never parse that mapping themselves.
type CertificateProvider interface {
	// GetTrustBundle gives the CA trust bundle for the certificate provider.
	// This is then used to verify the certificates given by the peer in the
	// handshake.
	GetTrustBundle() (*x509.CertPool, error)

	// GetCertificateForIdentity gives the certificate and intermediates
	// required to send as trust chain for a certain identity, as well as the
	// private key.
	GetCertificateForIdentity(id identity.NumericIdentity) (*tls.Certificate, error)

	// ValidateIdentity will check if the SANs or other identity methods are
	// valid for the given Cilium identity. This function is needed as SPIFFE
	// encodes the full ID in the URI SAN.
	//
	// A false result and a non-nil error are distinct outcomes, but neither
	// grants the identity: callers must check both and only accept the peer
	// on (true, nil).
	ValidateIdentity(id identity.NumericIdentity, cert *x509.Certificate) (bool, error)

	// NumericIdentityToSNI will return the SNI that should be used for a
	// given Cilium Identity.
	NumericIdentityToSNI(id identity.NumericIdentity) string

	// SNIToNumericIdentity will return the Cilium Identity for a given SNI.
	// NOTE(review): the SNI presumably originates from the remote peer's
	// handshake, so implementations should treat it as untrusted input and
	// return an error for anything that does not map cleanly to an identity —
	// confirm with the implementations.
	SNIToNumericIdentity(sni string) (identity.NumericIdentity, error)

	// SubscribeToRotatedIdentities will return a channel with the identities
	// that have rotated certificates. Who closes the channel, and whether it
	// is buffered, is not specified by this interface — check the concrete
	// provider before ranging over it.
	SubscribeToRotatedIdentities() <-chan CertificateRotationEvent

	// Status will return the status of the certificate provider. Whether a
	// nil result is possible is not stated here — confirm with the
	// implementation before dereferencing.
	Status() *models.Status
}