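// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

// Package certs defines the certificate-provider abstraction used by Cilium's
// mutual-authentication layer: a source of a CA trust bundle, per-identity
// certificates and keys, and the identity <-> SNI mapping used in the handshake.
package certs

import (
	"crypto/tls"
	"crypto/x509"

	"github.com/cilium/cilium/api/v1/models"
	"github.com/cilium/cilium/pkg/identity"
)

// CertificateRotationEvent is delivered on the channel returned by
// CertificateProvider.SubscribeToRotatedIdentities whenever the certificate
// material for an identity changes.
type CertificateRotationEvent struct {
	// Identity is the Cilium identity whose certificate was rotated.
	Identity identity.NumericIdentity
	// Deleted presumably marks that the identity's certificate was removed
	// rather than renewed — confirm against the providers that emit events.
	Deleted bool
}

// CertificateProvider abstracts the backend (for example a SPIFFE/SPIRE
// workload API) that issues and validates the certificates used for
// mutual authentication between Cilium identities.
//
// Two separate checks are needed to accept a peer: chain verification against
// the pool from GetTrustBundle proves the certificate was issued by a trusted
// CA, and ValidateIdentity proves that certificate belongs to the identity the
// caller expects. Neither check alone is sufficient.
type CertificateProvider interface {
	// GetTrustBundle returns the CA trust bundle for the certificate provider.
	// It is used to verify the certificates presented by the peer during the
	// handshake, so the pool defines exactly which issuers are trusted.
	GetTrustBundle() (*x509.CertPool, error)

	// GetCertificateForIdentity returns the certificate and intermediates to be
	// sent as the trust chain for the given identity, together with its private
	// key. The returned tls.Certificate carries the private key; callers must
	// not log or persist it.
	GetCertificateForIdentity(id identity.NumericIdentity) (*tls.Certificate, error)

	// ValidateIdentity reports whether the SANs (or other identity encodings)
	// in cert are valid for the given Cilium identity. This check is needed in
	// addition to chain verification because SPIFFE encodes the full ID in the
	// URI SAN; a chain-valid certificate may still belong to a different
	// identity. An error means the check could not be performed, not that the
	// identity is invalid.
	ValidateIdentity(id identity.NumericIdentity, cert *x509.Certificate) (bool, error)

	// NumericIdentityToSNI returns the SNI that should be used for a given
	// Cilium identity.
	NumericIdentityToSNI(id identity.NumericIdentity) string

	// SNIToNumericIdentity returns the Cilium identity encoded in a given SNI,
	// or an error if the SNI cannot be mapped. The SNI is supplied by the peer
	// in the unauthenticated ClientHello, so the returned identity is only a
	// claim until ValidateIdentity confirms it against the peer certificate.
	SNIToNumericIdentity(sni string) (identity.NumericIdentity, error)

	// SubscribeToRotatedIdentities returns a receive-only channel on which a
	// CertificateRotationEvent is delivered for each identity whose certificate
	// has rotated. Buffering and close semantics are left to the implementation.
	SubscribeToRotatedIdentities() <-chan CertificateRotationEvent

	// Status returns the current status of the certificate provider for
	// reporting through the Cilium API.
	Status() *models.Status
}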