caServer

证书签发 CreateCertificate

判断CA类型来进行创建CA

    if err := s.maybeCreateCA(caOpts); err != nil {
        return nil, err
    }

启动CA

s.startCA(caOpts)

根据CA类型来启动CA

func (s *Server) startCA(caOpts *caOptions) {
    if s.CA == nil && s.RA == nil {
        return
    }
    s.addStartFunc(func(stop <-chan struct{}) error {
        grpcServer := s.secureGrpcServer
        if s.secureGrpcServer == nil {
            grpcServer = s.grpcServer
        }
        // 判断CA类型
        if s.RA != nil {
            log.Infof("Starting RA")
            s.RunCA(grpcServer, s.RA, caOpts)
        } else if s.CA != nil {
            log.Infof("Starting IstioD CA")
            s.RunCA(grpcServer, s.CA, caOpts)
        }
        return nil
    })
}

启动

func (s *Server) RunCA(grpc *grpc.Server, ca caserver.CertificateAuthority, opts *caOptions) {
    if !s.EnableCA() {
        return
    }
    if ca == nil {
        // When the CA to run is nil, return
        log.Warn("the CA to run is nil")
        return
    }
    iss := trustedIssuer.Get()
    aud := audience.Get()
    // 读取token
    token, err := ioutil.ReadFile(s.jwtPath)
    if err == nil {
        tok, err := detectAuthEnv(string(token))
        if err != nil {
            log.Warn("Starting with invalid K8S JWT token", err, string(token))
        } else {
            if iss == "" {
                iss = tok.Iss
            }
            if len(tok.Aud) > 0 && len(aud) == 0 {
                aud = tok.Aud[0]
            }
        }
    }

    // CA API使用带有最大工作负载证书TTL的证书。 hostlist必须为非空-在grpc server启动前无法使用。 添加客户端证书身份验证和kube（启用了SDS）
    caServer, startErr := caserver.New(ca, maxWorkloadCertTTL.Get(), opts.Authenticators)
    if startErr != nil {
        log.Fatalf("failed to create istio ca server: %v", startErr)
    }

    // 所有令牌-无需配置两次。 令牌还可以包括群集信息以自动配置网络属性。
    if iss != "" && 
        k8sInCluster.Get() == "" { // not running in cluster - in cluster use direct call to apiserver
        // 如果未在K8S中运行，则使用标准JWT验证添加自定义验证器。在K8S中运行时-我们可以使用内置验证器，该验证器还检查pod移除（无效）。
        oidcAuth, err := authenticate.NewJwtAuthenticator(iss, opts.TrustDomain, aud)
        if err == nil {
            caServer.Authenticators = append(caServer.Authenticators, oidcAuth)
            log.Info("Using out-of-cluster JWT authentication")
        } else {
            log.Info("K8S token doesn't support OIDC, using only in-cluster auth")
        }
    }

    caServer.Register(grpc)

    log.Info("Istiod CA has started")
}

caServer需要实现IstioCertificateServiceServer接口

type IstioCertificateServiceServer interface {
    // 使用提供的csr,签发证书
    CreateCertificate(context.Context, *IstioCertificateRequest) (*IstioCertificateResponse, error)
}

caServer调用Register

func (s *Server) Register(grpcServer *grpc.Server) {
    pb.RegisterIstioCertificateServiceServer(grpcServer, s)
}

具体的实现

func (s *Server) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
    *pb.IstioCertificateResponse, error) {
    s.monitoring.CSR.Increment()
    // 获取客户端的身份信息
    caller := s.authenticate(ctx)
    if caller == nil {
        s.monitoring.AuthnError.Increment()
        return nil, status.Error(codes.Unauthenticated, "request authenticate failure")
    }

    // 获取证书链及根证书
    _, _, certChainBytes, rootCertBytes := s.ca.GetCAKeyCertBundle().GetAll()
    // 签发证书
    cert, signErr := s.ca.Sign(
        []byte(request.Csr), caller.Identities, time.Duration(request.ValidityDuration)*time.Second, false)
    if signErr != nil {
        serverCaLog.Errorf("CSR signing error (%v)", signErr.Error())
        s.monitoring.GetCertSignError(signErr.(*caerror.Error).ErrorType()).Increment()
        return nil, status.Errorf(signErr.(*caerror.Error).HTTPErrorCode(), "CSR signing error (%v)", signErr.(*caerror.Error))
    }
    respCertChain := []string{string(cert)}
    if len(certChainBytes) != 0 {
        respCertChain = append(respCertChain, string(certChainBytes))
    }
    respCertChain = append(respCertChain, string(rootCertBytes))
    response := &pb.IstioCertificateResponse{
        CertChain: respCertChain,
    }
    s.monitoring.Success.Increment()
    serverCaLog.Debug("CSR successfully signed.")
    // 返回响应
    return response, nil
}

CertificateAuthority

type CertificateAuthority interface {
    // Sign generates a certificate for a workload or CA, from the given CSR and TTL.
    // TODO(myidpt): simplify this interface and pass a struct with cert field values instead.
    Sign(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
    // SignWithCertChain is similar to Sign but returns the leaf cert and the entire cert chain.
    SignWithCertChain(csrPEM []byte, subjectIDs []string, ttl time.Duration, forCA bool) ([]byte, error)
    // GetCAKeyCertBundle returns the KeyCertBundle used by CA.
    GetCAKeyCertBundle() util.KeyCertBundle
}

istioca

func (ca *IstioCA) sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, checkLifetime, forCA bool) ([]byte, error) {
    signingCert, signingKey, _, _ := ca.keyCertBundle.GetAll()
    if signingCert == nil {
        return nil, caerror.NewError(caerror.CANotReady, fmt.Errorf("Istio CA is not ready")) // nolint
    }

    csr, err := util.ParsePemEncodedCSR(csrPEM)
    if err != nil {
        return nil, caerror.NewError(caerror.CSRError, err)
    }

    lifetime := requestedLifetime
    // If the requested requestedLifetime is non-positive, apply the default TTL.
    if requestedLifetime.Seconds() <= 0 {
        lifetime = ca.defaultCertTTL
    }
    // If checkLifetime is set and the requested TTL is greater than maxCertTTL, return an error
    if checkLifetime && requestedLifetime.Seconds() > ca.maxCertTTL.Seconds() {
        return nil, caerror.NewError(caerror.TTLError, fmt.Errorf(
            "requested TTL %s is greater than the max allowed TTL %s", requestedLifetime, ca.maxCertTTL))
    }

    certBytes, err := util.GenCertFromCSR(csr, signingCert, csr.PublicKey, *signingKey, subjectIDs, lifetime, forCA)
    if err != nil {
        return nil, caerror.NewError(caerror.CertGenError, err)
    }

    block := &pem.Block{
        Type:  "CERTIFICATE",
        Bytes: certBytes,
    }
    cert := pem.EncodeToMemory(block)

    return cert, nil
}

istio ra(k8s ra)

传入参数构造k8sra

func (s *Server) createIstioRA(client kubelib.Client,
    opts *caOptions) (ra.RegistrationAuthority, error) {

    caCertFile := path.Join(ra.DefaultExtCACertDir, constants.CACertNamespaceConfigMapDataName)
    if _, err := os.Stat(caCertFile); err != nil {
        caCertFile = defaultCACertPath
    }
    raOpts := &ra.IstioRAOptions{
        ExternalCAType: opts.ExternalCAType,
        DefaultCertTTL: workloadCertTTL.Get(),
        MaxCertTTL:     maxWorkloadCertTTL.Get(),
        CaSigner:       opts.ExternalCASigner,
        CaCertFile:     caCertFile,
        VerifyAppendCA: true,
        K8sClient:      client.CertificatesV1beta1(),
    }
    return ra.NewIstioRA(raOpts)

}

校验C类型

func NewIstioRA(opts *IstioRAOptions) (RegistrationAuthority, error) {
    if opts.ExternalCAType == ExtCAK8s {
        istioRA, err := NewKubernetesRA(opts)
        if err != nil {
            return nil, fmt.Errorf("failed to create an K8s CA: %v", err)
        }
        return istioRA, err
    }
    return nil, fmt.Errorf("invalid CA Name %s", opts.ExternalCAType)
}

生成istio ra

func NewKubernetesRA(raOpts *IstioRAOptions) (*KubernetesRA, error) {
    keyCertBundle, err := util.NewKeyCertBundleWithRootCertFromFile(raOpts.CaCertFile)
    if err != nil {
        return nil, raerror.NewError(raerror.CAInitFail, fmt.Errorf("error processing Certificate Bundle for Kubernetes RA"))
    }
    istioRA := &KubernetesRA{csrInterface: raOpts.K8sClient,
        raOpts:        raOpts,
        keyCertBundle: keyCertBundle}
    return istioRA, nil
}

func (r *KubernetesRA) Sign(csrPEM []byte, subjectIDs []string, requestedLifetime time.Duration, forCA bool) ([]byte, error) {

    if forCA {
        return nil, raerror.NewError(raerror.CSRError, fmt.Errorf(
            "unable to generate CA certifificates"))
    }

    if !ValidateCSR(csrPEM, subjectIDs) {
        return nil, raerror.NewError(raerror.CSRError, fmt.Errorf(
            "unable to validate SAN Identities in CSR"))
    }

    // TODO: Need to pass the lifetime into the CSR.
    /*    If the requested requestedLifetime is non-positive, apply the default TTL.
            lifetime := requestedLifetime
            if requestedLifetime.Seconds() <= 0 {
                lifetime = ra.defaultCertTTL
        }
    */

    // If the requested TTL is greater than maxCertTTL, return an error
    if requestedLifetime.Seconds() > r.raOpts.MaxCertTTL.Seconds() {
        return nil, raerror.NewError(raerror.TTLError, fmt.Errorf(
            "requested TTL %s is greater than the max allowed TTL %s", requestedLifetime, r.raOpts.MaxCertTTL))
    }
    csrName := chiron.GenCsrName()
    return r.kubernetesSign(csrPEM, csrName, r.raOpts.CaCertFile)
}

调用csr进行证书签发

func (r *KubernetesRA) kubernetesSign(csrPEM []byte, csrName string, caCertFile string) ([]byte, error) {
    csrSpec := &cert.CertificateSigningRequestSpec{
        SignerName: &r.raOpts.CaSigner,
        Request:    csrPEM,
        Groups:     []string{"system:authenticated"},
        Usages: []cert.KeyUsage{
            cert.UsageDigitalSignature,
            cert.UsageKeyEncipherment,
            cert.UsageServerAuth,
            cert.UsageClientAuth,
        },
    }
    certChain, _, err := chiron.SignCSRK8s(r.csrInterface.CertificateSigningRequests(), csrName, csrSpec, "", caCertFile, false)
    if err != nil {
        return nil, raerror.NewError(raerror.CertGenError, err)
    }
    return certChain, err
}