
Method initDNSCertsK8SRA

pilot/pkg/bootstrap/certcontroller.go:55–94

initDNSCertsK8SRA will create the certificates using the K8S RA. It is only called by initIstiodCerts if the provider (PILOT_CERT_PROVIDER) has the k8s.io prefix and local certificates are not found. The roots are loaded from mesh config.

53//
54// The roots are loaded from mesh config.
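func (s *Server) initDNSCertsK8SRA() error {
	signerName := strings.TrimPrefix(features.PilotCertProvider, constants.CertProviderKubernetesSignerPrefix)

	// Issue the initial serving key/cert through the Kubernetes signer. The CSR
	// carries every istiod DNS name as a comma-separated host list.
	log.Infof("Generating K8S-signed cert for %v using signer %v", s.dnsNames, signerName)
	certChain, keyPEM, _, err := chiron.GenKeyCertK8sCA(s.kubeClient.Kube(),
		strings.Join(s.dnsNames, ","), "", signerName, true, SelfSignedCACertTTL.Get())
	if err != nil {
		return fmt.Errorf("failed generating key and cert by kubernetes: %v", err)
	}
	// The trust roots are not taken from the issuance result; they are loaded
	// from mesh config, keyed by the signer name.
	caBundle, err := s.RA.GetRootCertFromMeshConfig(signerName)
	if err != nil {
		return fmt.Errorf("failed loading root cert for signer %q from mesh config: %v", signerName, err)
	}

	// MeshConfig: re-issue the serving cert whenever the configured roots change,
	// so the published CA bundle and the served chain stay consistent.
	s.environment.AddMeshHandler(func() {
		newCaBundle, err := s.RA.GetRootCertFromMeshConfig(signerName)
		if err != nil {
			// Keep serving the current bundle, but do not drop the error silently:
			// a bad mesh config update would otherwise stop root rotation unnoticed.
			log.Warnf("failed loading root cert for signer %q from mesh config: %v", signerName, err)
			return
		}
		if newCaBundle == nil || bytes.Equal(newCaBundle, s.istiodCertBundleWatcher.GetKeyCertBundle().CABundle) {
			return
		}
		newCertChain, newKeyPEM, _, err := chiron.GenKeyCertK8sCA(s.kubeClient.Kube(),
			strings.Join(s.dnsNames, ","), "", signerName, true, SelfSignedCACertTTL.Get())
		if err != nil {
			// An istiod that cannot re-issue its own serving cert after a root
			// change is terminated rather than left running with a stale chain.
			log.Fatalf("failed regenerating key and cert for istiod by kubernetes: %v", err)
		}
		s.istiodCertBundleWatcher.SetAndNotify(newKeyPEM, newCertChain, newCaBundle)
	})

	s.addStartFunc("istiod server certificate rotation", func(stop <-chan struct{}) error {
		go func() {
			// Track TTL of DNS cert and renew cert in accordance to grace period.
			s.RotateDNSCertForK8sCA(stop, "", signerName, true, SelfSignedCACertTTL.Get())
		}()
		return nil
	})
	s.istiodCertBundleWatcher.SetAndNotify(keyPEM, certChain, caBundle)
	return nil
}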
95
96// initDNSCertsIstiod will issue DNS certs using Istiod CA, and set the root certs for
97// distribution. Only called from initIstiodCerts if PILOT_CERT_PROVIDER=istiod (default)
