initDNSCertsK8SRA creates the istiod certificates using the K8S RA. It is only called by initIstiodCerts if the provider (PILOT_CERT_PROVIDER) has the k8s.io prefix and no local certificates are found. The roots are loaded from mesh config.
| 53 | // |
| 54 | // The roots are loaded from mesh config. |
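// initDNSCertsK8SRA issues the istiod DNS certificate through the Kubernetes
// CSR signer named by PILOT_CERT_PROVIDER (with
// constants.CertProviderKubernetesSignerPrefix stripped), pairs it with the
// root bundle that MeshConfig lists for that signer, and publishes key, chain
// and roots to istiodCertBundleWatcher.
//
// It also registers two background activities:
//   - a mesh-config handler that re-issues the certificate whenever the root
//     bundle configured for the signer changes, so the served chain and the
//     distributed roots stay in sync; and
//   - a start function that runs RotateDNSCertForK8sCA to renew the
//     certificate before it expires.
//
// It returns an error when the initial CSR or the MeshConfig root lookup
// fails; the bundle watcher is only updated once both have succeeded.
func (s *Server) initDNSCertsK8SRA() error {
	signerName := strings.TrimPrefix(features.PilotCertProvider, constants.CertProviderKubernetesSignerPrefix)

	// issue requests a fresh key and certificate chain for s.dnsNames from the
	// Kubernetes signer. The same request is made at startup and again when
	// the configured roots change, so it lives in one place.
	issue := func() (certChain, keyPEM []byte, err error) {
		certChain, keyPEM, _, err = chiron.GenKeyCertK8sCA(s.kubeClient.Kube(),
			strings.Join(s.dnsNames, ","), "", signerName, true, SelfSignedCACertTTL.Get())
		return certChain, keyPEM, err
	}

	log.Infof("Generating K8S-signed cert for %v using signer %v", s.dnsNames, signerName)
	certChain, keyPEM, err := issue()
	if err != nil {
		return fmt.Errorf("failed generating key and cert by kubernetes: %w", err)
	}
	caBundle, err := s.RA.GetRootCertFromMeshConfig(signerName)
	if err != nil {
		return err
	}

	// MeshConfig: re-issue the certificate when the root bundle for this
	// signer changes, so that the chain istiod serves validates against the
	// roots it distributes.
	s.environment.AddMeshHandler(func() {
		newCaBundle, err := s.RA.GetRootCertFromMeshConfig(signerName)
		if err != nil {
			// Keep serving the current bundle; a later mesh update retries.
			// Previously this error was discarded, which hid a mesh config
			// that no longer carries a root for the signer.
			log.Errorf("failed reading root cert for signer %v from mesh config: %v", signerName, err)
			return
		}
		if newCaBundle == nil || bytes.Equal(newCaBundle, s.istiodCertBundleWatcher.GetKeyCertBundle().CABundle) {
			return
		}
		newCertChain, newKeyPEM, err := issue()
		if err != nil {
			// Fatal mirrors the startup path: continuing here would leave
			// istiod serving a chain that no longer matches the new roots.
			// NOTE(review): a process restart re-runs this initialization —
			// confirm that is the intended recovery for a CSR failure.
			log.Fatalf("failed regenerating key and cert for istiod by kubernetes: %v", err)
		}
		s.istiodCertBundleWatcher.SetAndNotify(newKeyPEM, newCertChain, newCaBundle)
	})

	s.addStartFunc("istiod server certificate rotation", func(stop <-chan struct{}) error {
		go func() {
			// Track TTL of DNS cert and renew cert in accordance to grace period.
			s.RotateDNSCertForK8sCA(stop, "", signerName, true, SelfSignedCACertTTL.Get())
		}()
		return nil
	})
	s.istiodCertBundleWatcher.SetAndNotify(keyPEM, certChain, caBundle)
	return nil
}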
| 95 | |
| 96 | // initDNSCertsIstiod will issue DNS certs using Istiod CA, and set the root certs for |
| 97 | // distribution. Only called from initIstiodCerts if PILOT_CERT_PROVIDER=istiod (default) |