
     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package certs
     5  
     6  import (
     7  	"crypto/tls"
     8  	"crypto/x509"
     9  
    10  	"github.com/cilium/cilium/api/v1/models"
    11  	"github.com/cilium/cilium/pkg/identity"
    12  )
    13  
// CertificateRotationEvent is the value delivered on the channel returned by
// CertificateProvider.SubscribeToRotatedIdentities whenever the certificate
// material associated with a Cilium identity changes. Consumers should treat
// any event as an instruction to drop cached certificates/connections for
// that identity and re-fetch via GetCertificateForIdentity.
type CertificateRotationEvent struct {
	// Identity is the Cilium numeric identity whose certificate changed.
	Identity identity.NumericIdentity
	// Deleted is set when the certificate for Identity was removed rather
	// than re-issued. NOTE(review): the exact condition under which a
	// provider sets this is not visible here — confirm against the emitter.
	Deleted  bool
}
    18  
// CertificateProvider abstracts the source of the X.509 material used for
// mutual TLS between Cilium identities: the CA trust bundle used to verify
// peers, the per-identity leaf certificate and private key, the mapping
// between a numeric identity and the SNI carried in the handshake, and a
// stream of rotation events so cached material can be invalidated.
//
// Security note: the methods split the peer-authentication decision in two.
// The chain presented by a peer must be verified against GetTrustBundle (the
// TLS handshake), and only then is ValidateIdentity used to bind that
// already-verified certificate to a specific identity. Neither half on its
// own authenticates a peer.
type CertificateProvider interface {
	// GetTrustBundle returns the CA pool this provider trusts. It is the root
	// against which the certificate chain presented by the peer is verified
	// during the handshake; a chain that does not verify against this pool
	// must be rejected before any identity check is attempted.
	// NOTE(review): the contract does not say whether the pool reflects the
	// latest CA material on each call; if CA rotation is expected, callers
	// should not cache this indefinitely — confirm with the implementation.
	GetTrustBundle() (*x509.CertPool, error)

	// GetCertificateForIdentity returns the leaf certificate, the
	// intermediates to present as the trust chain, and the private key for
	// the given identity, packaged for use by crypto/tls. The result carries
	// private key material: do not log it and do not hand it out beyond the
	// TLS configuration that needs it.
	GetCertificateForIdentity(id identity.NumericIdentity) (*tls.Certificate, error)

	// ValidateIdentity reports whether cert is bound to id, checking the SANs
	// or whatever other identity encoding the provider uses. A dedicated hook
	// is needed because SPIFFE encodes the full ID in the URI SAN rather than
	// a bare numeric identity, so the mapping is provider-specific.
	//
	// Per the GetTrustBundle contract above, chain/signature verification is
	// done by the handshake, not here, so this must only be applied to a
	// certificate that has already been chain-verified. Callers must treat
	// both a false result and a non-nil error as "not validated".
	ValidateIdentity(id identity.NumericIdentity, cert *x509.Certificate) (bool, error)

	// NumericIdentityToSNI returns the SNI value that should be used for the
	// given Cilium identity.
	NumericIdentityToSNI(id identity.NumericIdentity) string

	// SNIToNumericIdentity maps a received SNI back to a Cilium identity.
	// The SNI originates from the peer's ClientHello and is therefore
	// untrusted input: the returned identity is only a claim and must be
	// confirmed with ValidateIdentity against the peer's chain-verified
	// certificate before it is used for any authorization decision.
	// NOTE(review): presumably malformed or unknown SNIs yield an error
	// rather than a zero identity — confirm with the implementation.
	SNIToNumericIdentity(sni string) (identity.NumericIdentity, error)

	// SubscribeToRotatedIdentities returns a receive-only channel on which
	// the provider publishes a CertificateRotationEvent for each identity
	// whose certificate has rotated or been deleted.
	// NOTE(review): the interface does not state whether the channel is ever
	// closed, how many subscribers are supported, or what happens if the
	// consumer falls behind — confirm before relying on any of these.
	SubscribeToRotatedIdentities() <-chan CertificateRotationEvent

	// Status returns the provider's current status as a models.Status.
	Status() *models.Status
}