// Package certificate implements utility routines to encode and decode certificates, and provides the
// interface definitions for Certificate and Certificate Manager.
package certificate
import (
"context"
"sync"
"time"
"golang.org/x/sync/singleflight"
"github.com/flomesh-io/fsm/pkg/apis/config/v1alpha3"
"github.com/flomesh-io/fsm/pkg/certificate/pem"
"github.com/flomesh-io/fsm/pkg/messaging"
)
// PEM block type labels. These are the strings that appear in the
// "-----BEGIN <type>-----" / "-----END <type>-----" armour lines and are
// kept as untyped string constants so they can be assigned to any string-based type.
const (
	// TypeCertificate labels a PEM block holding a certificate.
	TypeCertificate = "CERTIFICATE"

	// TypePrivateKey labels a PEM block holding a certificate's private key.
	TypePrivateKey = "PRIVATE KEY"

	// TypeCertificateRequest labels a PEM block holding a certificate signing request.
	TypeCertificateRequest = "CERTIFICATE REQUEST"
)
// SerialNumber is a certificate's serial number, carried as a string.
type SerialNumber string

// String returns the serial number as a plain string, so SerialNumber
// satisfies fmt.Stringer.
func (sn SerialNumber) String() string {
	s := string(sn)
	return s
}
// CommonName is the Subject Common Name taken from an SSL certificate.
type CommonName string

// String returns the common name as a plain string, so CommonName
// satisfies fmt.Stringer.
func (cn CommonName) String() string {
	name := string(cn)
	return name
}
// CertType classifies what a certificate is issued for. It is an FSM-internal
// notion and is not encoded in the certificate itself.
type CertType string

// Known CertType values.
const (
	// Internal marks certificates issued for the FSM control plane.
	Internal CertType = "internal"

	// IngressGateway marks certificates issued for ingress gateways.
	IngressGateway CertType = "ingressGateway"

	// Service marks certificates issued for the data plane.
	Service CertType = "service"
)
// Certificate represents an x509 certificate together with its private key
// and the CA material used to issue and trust it.
//
// NOTE(review): PrivateKey holds secret key material, so a Certificate value
// should not be logged (e.g. with %+v) or serialized wholesale.
type Certificate struct {
	// The CommonName of the certificate
	CommonName CommonName
	// The SubjectAlternateNames of the certificate
	SANames []string
	// The serial number of the certificate
	SerialNumber SerialNumber
	// When the cert expires
	// If this is a composite certificate, the expiration time is the earliest of them.
	Expiration time.Time
	// PEM encoded Certificate and Key (byte arrays)
	CertChain  pem.Certificate
	PrivateKey pem.PrivateKey
	// Certificate Authority signing this certificate
	IssuingCA pem.RootCertificate
	// The trust context of this certificate's recipient
	// Includes both issuing CA and validating CA (if applicable)
	TrustedCAs pem.RootCertificate
	// signingIssuerID and validatingIssuerID presumably record the issuer.ID
	// of the Manager's signing and validating issuers at issue time — confirm
	// against the issuing code, which is outside this file.
	signingIssuerID    string
	validatingIssuerID string
	// certType classifies the intended use of this certificate (see CertType).
	certType CertType
}
// Issuer is the interface for a certificate authority that can issue certificates from a given root certificate.
type Issuer interface {
	// IssueCertificate issues a new certificate for the given common name and
	// subject alternative names, with a validity duration that the
	// implementation interprets. It returns the issued certificate or an
	// error; whether the result carries the private key is implementation
	// specific and not visible in this file.
	IssueCertificate(CommonName, []string, time.Duration) (*Certificate, error)
}
// issuer pairs an Issuer implementation with the identity and trust domain
// the Manager uses to tell issuers apart.
type issuer struct {
	Issuer
	// ID identifies this issuer; it is presumably what Certificate's
	// signingIssuerID / validatingIssuerID carry — confirm in the issuing code.
	ID string
	// TrustDomain is the trust domain this issuer serves; its exact use is
	// defined by callers outside this file.
	TrustDomain string
	// memoized once the first certificate is issued
	CertificateAuthority pem.RootCertificate
}
// Manager represents all necessary information for the certificate managers.
// It caches issued certificates and tracks the issuers used to sign and
// validate them. Manager contains a sync.Mutex and a sync.Map, so it must
// not be copied after first use; pass a *Manager.
type Manager struct {
	// Cache for all the certificates issued
	// Types: map[certificate.CommonName]*certificate.Certificate
	cache sync.Map

	// Validity durations are read through functions, presumably so the
	// configured value can change at runtime; their sources are outside this file.
	ingressCertValidityDuration func() time.Duration
	// TODO(#4711): define serviceCertValidityDuration in the MRC
	serviceCertValidityDuration func() time.Duration

	msgBroker *messaging.Broker

	mu sync.Mutex // mu synchronizes access to the below resources.
	signingIssuer *issuer
	// equal to signingIssuer if there is no additional public cert issuer.
	validatingIssuer *issuer

	// group is a singleflight.Group; presumably used to collapse concurrent
	// issuance requests for the same key — its use is outside this file.
	group singleflight.Group
}
// MRCClient is an interface that can watch for changes to the MRC. It is typically backed by a k8s informer.
type MRCClient interface {
	// List returns the currently known MeshRootCertificates, or an error if
	// they cannot be retrieved.
	List() ([]*v1alpha3.MeshRootCertificate, error)
	MRCEventBroker
	// GetCertIssuerForMRC returns an Issuer based on the provided MRC, together
	// with a root certificate associated with that issuer (presumably its
	// signing CA — confirm in the implementations, which are outside this file).
	GetCertIssuerForMRC(mrc *v1alpha3.MeshRootCertificate) (Issuer, pem.RootCertificate, error)
}
// MRCEventType is a string type describing the type of MRC event
// (see MRCEventAdded and MRCEventUpdated for the known values).
type MRCEventType string

// MRCEvent describes a change event on a given MRC
type MRCEvent struct {
	// Type says what kind of change was observed.
	Type MRCEventType
	// The last observed version of the MRC as of the time of this event
	MRC *v1alpha3.MeshRootCertificate
}
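// Known MRCEventType values. These are declared as constants rather than
// package-level variables so that no importing package can reassign the
// event labels at runtime; reads are unaffected by this change.
const (
	// MRCEventAdded is the type of announcement emitted when we observe an addition of a Kubernetes MeshRootCertificate
	MRCEventAdded MRCEventType = "meshrootcertificate-added"
	// MRCEventUpdated is the type of announcement emitted when we observe an update to a Kubernetes MeshRootCertificate
	MRCEventUpdated MRCEventType = "meshrootcertificate-updated"
)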
// MRCEventBroker describes any type that allows the caller to Watch() MRCEvents
type MRCEventBroker interface {
	// Watch allows the caller to subscribe to events surrounding
	// MRCs. Watch returns a channel that emits events, and
	// an error if the subscription goes awry.
	// Whether the channel is closed when ctx is cancelled is left to the
	// implementation (not visible in this file); callers should select on
	// ctx.Done() as well as the channel.
	Watch(context.Context) (<-chan MRCEvent, error)
}