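// Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/istioctl/pkg/util/configdump/secret.go

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package configdump

import (
	"encoding/base64"
	"fmt"

	admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
	extapi "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
	anypb "google.golang.org/protobuf/types/known/anypb"
)

// GetSecretConfigDump retrieves the secrets section of the wrapped config dump
// and decodes it into an admin.SecretsConfigDump.
//
// Errors from getSection and from UnmarshalTo are returned unchanged; on any
// error the returned dump is nil.
//
// NOTE(review): the secrets section describes TLS material. Confirm what the
// producer of the dump redacts before logging or persisting the returned value.
func (w *Wrapper) GetSecretConfigDump() (*admin.SecretsConfigDump, error) {
	secretDumpAny, err := w.getSection(secrets)
	if err != nil {
		return nil, err
	}
	secretDump := &admin.SecretsConfigDump{}
	if err := secretDumpAny.UnmarshalTo(secretDump); err != nil {
		return nil, err
	}
	return secretDump, nil
}

// GetRootCAFromSecretConfigDump decodes anySec as an extapi.Secret and returns
// the trusted CA of its validation context, base64-encoded with the standard
// (padded) alphabet.
//
// Only a trusted CA carried as inline bytes is read; a secret without a
// validation context, without a trusted CA, or whose trusted CA has no inline
// bytes yields an error and an empty string. The bytes are encoded as found:
// no certificate parsing or validation happens here.
func (w *Wrapper) GetRootCAFromSecretConfigDump(anySec *anypb.Any) (string, error) {
	var secret extapi.Secret
	if err := anySec.UnmarshalTo(&secret); err != nil {
		// %w keeps the message text identical while letting callers unwrap the cause.
		return "", fmt.Errorf("failed to unmarshall ROOTCA secret: %w", err)
	}

	validation := secret.GetValidationContext()
	if validation == nil {
		return "", fmt.Errorf("can not find ROOTCA from secret config dump")
	}

	trustCA := validation.GetTrustedCa()
	if trustCA == nil {
		return "", fmt.Errorf("can not retrieve trustedCa from secret ROOTCA")
	}

	// Test the length rather than nil: a present-but-empty inline value would
	// otherwise come back as "" with a nil error, and two such results would
	// look like identical root CAs to any caller that compares the strings.
	inlineBytes := trustCA.GetInlineBytes()
	if len(inlineBytes) == 0 {
		return "", fmt.Errorf("can not retrieve inlineBytes from trustCA section")
	}

	return base64.StdEncoding.EncodeToString(inlineBytes), nil
}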