// StartCA starts the CA or RA server if configured. func(s *Server) startCA(caOpts *caOptions) { if s.CA == nil && s.RA == nil { return } s.addStartFunc("ca", func(stop <-chanstruct{})error { grpcServer := s.secureGrpcServer if s.secureGrpcServer == nil { grpcServer = s.grpcServer } // Start the RA server if configured, else start the CA server if s.RA != nil { log.Infof("Starting RA") s.RunCA(grpcServer, s.RA, caOpts) } elseif s.CA != nil { log.Infof("Starting IstioD CA") s.RunCA(grpcServer, s.CA, caOpts) } returnnil }) }
func(sc *SecretManagerClient) GenerateSecret(resourceName string) (secret *security.SecretItem, err error) { cacheLog.Debugf("generate secret %q", resourceName) // Setup the call to store generated secret to disk deferfunc() { // 生成成功之后,需要写成 secret }()
// 中间忽略一些内容
// 发送 CSR 给 CA // send request to CA to get new workload certificate ns, err = sc.generateNewSecret(resourceName) if err != nil { returnnil, fmt.Errorf("failed to generate workload certificate: %v", err) }
// Store the new secret in the secretCache and trigger the periodic rotation for workload certificate // 将申请的到的储存起来 sc.registerSecret(*ns)
if sc.caClient == nil { returnnil, fmt.Errorf("attempted to fetch secret, but ca client is nil") } t0 := time.Now() logPrefix := cacheLogPrefix(resourceName)
cacheLog.WithLabels("latency", time.Since(t0), "ttl", time.Until(expireTime)).Info("generated new workload certificate")
iflen(trustBundlePEM) > 0 { rootCertPEM = concatCerts(trustBundlePEM) } else { // If CA Client has no explicit mechanism to retrieve CA root, infer it from the root of the certChain rootCertPEM = []byte(certChainPEM[len(certChainPEM)-1]) }
// Generate implements the XDS Generator interface. This allows the XDS server to dispatch requests // for SecretTypeV3 to our server to generate the Envoy response. func(s *sdsservice) Generate(proxy *model.Proxy, w *model.WatchedResource, updates *model.PushRequest) (model.Resources, model.XdsLogDetails, error) { // updates.Full indicates we should do a complete push of all updated resources // In practice, all pushes should be incremental (ie, if the `default` cert changes we won't push // all file certs). if updates.Full { resp, err := s.generate(w.ResourceNames) return resp, pushLog(w.ResourceNames), err } names := []string{} watched := sets.New(w.ResourceNames...) for i := range updates.ConfigsUpdated { if i.Kind == kind.Secret && watched.Contains(i.Name) { names = append(names, i.Name) } } resp, err := s.generate(names) return resp, pushLog(names), err }