model

package
v0.0.0-...-d8a8f93 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 2, 2019 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// IstioAPIGroupDomain defines API group domain of all Istio configuration resources.
	// Group domain suffix to the proto schema's group to generate the full resource group.
	IstioAPIGroupDomain = ".istio.io"

	// HeaderURI is URI HTTP header
	HeaderURI = "uri"

	// HeaderAuthority is authority HTTP header
	HeaderAuthority = "authority"

	// HeaderMethod is method HTTP header
	HeaderMethod = "method"

	// HeaderScheme is scheme HTTP header
	HeaderScheme = "scheme"

	// NamespaceAll is a designated symbol for listing across all namespaces
	NamespaceAll = ""

	// IstioMeshGateway is the built in gateway for all sidecars
	IstioMeshGateway = "mesh"
)
View Source 
const (

	// IngressCertsPath is the path location for ingress certificates
	IngressCertsPath = "/etc/istio/ingress-certs/"

	// AuthCertsPath is the path location for mTLS certificates
	AuthCertsPath = "/etc/certs/"

	// CertChainFilename is mTLS chain file
	CertChainFilename = "cert-chain.pem"

	// KeyFilename is mTLS private key
	KeyFilename = "key.pem"

	// RootCertFilename is mTLS root cert
	RootCertFilename = "root-cert.pem"

	// IngressCertFilename is the ingress cert file name
	IngressCertFilename = "tls.crt"

	// IngressKeyFilename is the ingress private key file name
	IngressKeyFilename = "tls.key"

	// ConfigPathDir config directory for storing envoy json config files.
	ConfigPathDir = "/etc/istio/proxy"

	// BinaryPathFilename envoy binary location
	BinaryPathFilename = "/usr/local/bin/envoy"

	// ServiceClusterName service cluster name used in xDS calls
	ServiceClusterName = "istio-proxy"

	// DiscoveryPlainAddress discovery IP address:port with plain text
	DiscoveryPlainAddress = "istio-pilot:15007"

	// IstioIngressGatewayName is the internal gateway name assigned to ingress
	IstioIngressGatewayName = "istio-autogenerated-k8s-ingress"

	// IstioIngressNamespace is the namespace where Istio ingress controller is deployed
	IstioIngressNamespace = "istio-system"
)
View Source 
const (

	// JwtPubKeyExpireDuration is the expire duration for JWT public key in the cache.
	// After this duration expire, refresher job will fetch key for the cached item again.
	JwtPubKeyExpireDuration = time.Hour

	// JwtPubKeyEvictionDuration is the life duration for cached item.
	// Cached item will be removed from the cache if it hasn't been used longer than JwtPubKeyEvictionDuration.
	JwtPubKeyEvictionDuration = 24 * 7 * time.Hour

	// JwtPubKeyRefreshInterval is the running interval of JWT pubKey refresh job.
	JwtPubKeyRefreshInterval = time.Minute * 20
)
View Source 
const (
	// UnspecifiedIP constant for empty IP address
	UnspecifiedIP = "0.0.0.0"

	// IstioDefaultConfigNamespace constant for default namespace
	IstioDefaultConfigNamespace = "default"
)
View Source 
const (
	// AZLabel indicates the region/zone of an instance. It is used if the native
	// registry doesn't provide one.
	AZLabel = "istio-az"
)
View Source 
const (
	// DefaultAuthenticationPolicyName is the name of the cluster-scoped authentication policy. Only
	// policy with this name in the cluster-scoped will be considered.
	DefaultAuthenticationPolicyName = "default"
)
View Source 
const (
	// DefaultRbacConfigName is the name of the mesh global RbacConfig name. Only RbacConfig with this
	// name will be considered.
	DefaultRbacConfigName = "default"
)
View Source 
const UnixAddressPrefix = "unix://"

UnixAddressPrefix is the prefix used to indicate an address is for a Unix Domain socket. It is used in ServiceEntry.Endpoint.Address message.

Variables

View Source 
var (
	// MockConfig is used purely for testing
	MockConfig = ProtoSchema{
		Type:        "mock-config",
		Plural:      "mock-configs",
		Group:       "test",
		Version:     "v1",
		MessageName: "test.MockConfig",
		Validate: func(name, namespace string, config proto.Message) error {
			if config.(*test.MockConfig).Key == "" {
				return errors.New("empty key")
			}
			return nil
		},
	}

	// RouteRule describes route rules
	RouteRule = ProtoSchema{
		Type:        "route-rule",
		Plural:      "route-rules",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.routing.v1alpha1.RouteRule",
		Validate:    ValidateRouteRule,
	}

	// VirtualService describes v1alpha3 route rules
	VirtualService = ProtoSchema{
		Type:        "virtual-service",
		Plural:      "virtual-services",
		Group:       "networking",
		Version:     "v1alpha3",
		MessageName: "istio.networking.v1alpha3.VirtualService",
		Gogo:        true,
		Validate:    ValidateVirtualService,
	}

	// Gateway describes a gateway (how a proxy is exposed on the network)
	Gateway = ProtoSchema{
		Type:        "gateway",
		Plural:      "gateways",
		Group:       "networking",
		Version:     "v1alpha3",
		MessageName: "istio.networking.v1alpha3.Gateway",
		Gogo:        true,
		Validate:    ValidateGateway,
	}

	// IngressRule describes ingress rules
	IngressRule = ProtoSchema{
		Type:        "ingress-rule",
		Plural:      "ingress-rules",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.routing.v1alpha1.IngressRule",
		Validate:    ValidateIngressRule,
	}

	// EgressRule describes egress rule
	EgressRule = ProtoSchema{
		Type:        "egress-rule",
		Plural:      "egress-rules",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.routing.v1alpha1.EgressRule",
		Validate:    ValidateEgressRule,
	}

	// ServiceEntry describes service entries
	ServiceEntry = ProtoSchema{
		Type:        "service-entry",
		Plural:      "service-entries",
		Group:       "networking",
		Version:     "v1alpha3",
		MessageName: "istio.networking.v1alpha3.ServiceEntry",
		Gogo:        true,
		Validate:    ValidateServiceEntry,
	}

	// DestinationPolicy describes destination rules
	DestinationPolicy = ProtoSchema{
		Type:        "destination-policy",
		Plural:      "destination-policies",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.routing.v1alpha1.DestinationPolicy",
		Validate:    ValidateDestinationPolicy,
	}

	// DestinationRule describes destination rules
	DestinationRule = ProtoSchema{
		Type:        "destination-rule",
		Plural:      "destination-rules",
		Group:       "networking",
		Version:     "v1alpha3",
		MessageName: "istio.networking.v1alpha3.DestinationRule",
		Validate:    ValidateDestinationRule,
	}

	// EnvoyFilter describes additional envoy filters to be inserted by Pilot
	EnvoyFilter = ProtoSchema{
		Type:        "envoy-filter",
		Plural:      "envoy-filters",
		Group:       "networking",
		Version:     "v1alpha3",
		MessageName: "istio.networking.v1alpha3.EnvoyFilter",
		Validate:    ValidateEnvoyFilter,
	}

	// HTTPAPISpec describes an HTTP API specification.
	HTTPAPISpec = ProtoSchema{
		Type:        "http-api-spec",
		Plural:      "http-api-specs",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.mixer.v1.config.client.HTTPAPISpec",
		Validate:    ValidateHTTPAPISpec,
	}

	// HTTPAPISpecBinding describes an HTTP API specification binding.
	HTTPAPISpecBinding = ProtoSchema{
		Type:        "http-api-spec-binding",
		Plural:      "http-api-spec-bindings",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.mixer.v1.config.client.HTTPAPISpecBinding",
		Validate:    ValidateHTTPAPISpecBinding,
	}

	// QuotaSpec describes an Quota specification.
	QuotaSpec = ProtoSchema{
		Type:        "quota-spec",
		Plural:      "quota-specs",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.mixer.v1.config.client.QuotaSpec",
		Validate:    ValidateQuotaSpec,
	}

	// QuotaSpecBinding describes an Quota specification binding.
	QuotaSpecBinding = ProtoSchema{
		Type:        "quota-spec-binding",
		Plural:      "quota-spec-bindings",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.mixer.v1.config.client.QuotaSpecBinding",
		Validate:    ValidateQuotaSpecBinding,
	}

	// AuthenticationPolicy describes an authentication policy.
	AuthenticationPolicy = ProtoSchema{
		Type:        "policy",
		Plural:      "policies",
		Group:       "authentication",
		Version:     "v1alpha1",
		MessageName: "istio.authentication.v1alpha1.Policy",
		Validate:    ValidateAuthenticationPolicy,
	}

	// AuthenticationMeshPolicy describes an authentication policy at mesh level.
	AuthenticationMeshPolicy = ProtoSchema{
		ClusterScoped: true,
		Type:          "mesh-policy",
		Plural:        "mesh-policies",
		Group:         "authentication",
		Version:       "v1alpha1",
		MessageName:   "istio.authentication.v1alpha1.Policy",
		Validate:      ValidateAuthenticationPolicy,
	}

	// ServiceRole describes an RBAC service role.
	ServiceRole = ProtoSchema{
		Type:        "service-role",
		Plural:      "service-roles",
		Group:       "config",
		Version:     istioAPIVersion,
		MessageName: "istio.rbac.v1alpha1.ServiceRole",
		Validate:    ValidateServiceRole,
	}

	// ServiceRoleBinding describes an RBAC service role.
	ServiceRoleBinding = ProtoSchema{
		ClusterScoped: false,
		Type:          "service-role-binding",
		Plural:        "service-role-bindings",
		Group:         "config",
		Version:       istioAPIVersion,
		MessageName:   "istio.rbac.v1alpha1.ServiceRoleBinding",
		Validate:      ValidateServiceRoleBinding,
	}

	// RbacConfig describes the mesh level RBAC config.
	RbacConfig = ProtoSchema{
		ClusterScoped: true,
		Type:          "rbac-config",
		Plural:        "rbac-configs",
		Group:         "config",
		Version:       istioAPIVersion,
		MessageName:   "istio.rbac.v1alpha1.RbacConfig",
		Validate:      ValidateRbacConfig,
	}

	// IstioConfigTypes lists all Istio config types with schemas and validation
	IstioConfigTypes = ConfigDescriptor{
		RouteRule,
		VirtualService,
		IngressRule,
		Gateway,
		EgressRule,
		ServiceEntry,
		DestinationPolicy,
		DestinationRule,
		EnvoyFilter,
		HTTPAPISpec,
		HTTPAPISpecBinding,
		QuotaSpec,
		QuotaSpecBinding,
		AuthenticationPolicy,
		AuthenticationMeshPolicy,
		ServiceRole,
		ServiceRoleBinding,
		RbacConfig,
	}
)
View Source 
var IstioIngressWorkloadLabels = map[string]string{"istio": "ingress"}

IstioIngressWorkloadLabels is the label assigned to Istio ingress pods

View Source 
var JwtKeyResolver = newJwksResolver(JwtPubKeyExpireDuration, JwtPubKeyEvictionDuration, JwtPubKeyRefreshInterval)

JwtKeyResolver resolves JWT public key and JwksURI.

Functions

func ApplyJSON 

func ApplyJSON(js string, pb proto.Message) error

ApplyJSON unmarshals a JSON string into a proto message

func ApplyMeshConfigDefaults 

func ApplyMeshConfigDefaults(yaml string) (*meshconfig.MeshConfig, error)

ApplyMeshConfigDefaults returns a new MeshConfig decoded from the input YAML with defaults applied to omitted configuration values.

func ApplyYAML 

func ApplyYAML(yml string, pb proto.Message) error

ApplyYAML unmarshals a YAML string into a proto message

func BuildSubsetKey 

func BuildSubsetKey(direction TrafficDirection, subsetName string, hostname Hostname, port int) string

BuildSubsetKey generates a unique string referencing service instances for a given service name, a subset and a port. The proxy queries Pilot with this key to obtain the list of instances in a subset.

func DefaultMeshConfig 

func DefaultMeshConfig() meshconfig.MeshConfig

DefaultMeshConfig configuration

func DefaultProxyConfig 

func DefaultProxyConfig() meshconfig.ProxyConfig

DefaultProxyConfig for individual proxies

func GatewayRDSRouteName 

func GatewayRDSRouteName(server *networking.Server) string

GatewayRDSRouteName generates the RDS route config name for gateway's servers. Unlike sidecars where the RDS route name is the listener port number, gateways have a different structure for RDS. HTTP servers have route name set to http.<portNumber>. 

Multiple HTTP servers can exist on the same port and the code will combine all of them into
one single RDS payload for http.<portNumber>

HTTPS servers with TLS termination (i.e. envoy decoding the content, and making outbound http calls to backends) will use route name https.<portnumber>.<portName>. HTTPS servers using SNI passthrough or non-HTTPS servers (e.g., TCP+TLS) with SNI passthrough will be setup as opaque TCP proxies without terminating the SSL connection. They would inspect the SNI header and forward to the appropriate upstream as opaque TCP.

Within HTTPS servers terminating TLS, user could setup multiple servers in the gateway. each server could have one or more hosts but have different TLS certificates. In this case, we end up having separate filter chain for each server, with the filter chain match matching on the server specific TLS certs and SNI headers. We have two options here: either have all filter chains use the same RDS route name (e.g. "443") and expose all virtual hosts on that port to every filter chain uniformly or expose only the set of virtual hosts configured under the server for those certificates. We adopt the latter approach. In other words, each filter chain in the multi-filter-chain listener will have a distinct RDS route name (https.<portnumber>.portname) so that when a RDS request comes in, we serve the virtual hosts and associated routes for that server.

Note that the common case is one where multiple servers are exposed under a single multi-SAN cert on a single port. In this case, we have a single https.<portnumber>.portname RDS for the HTTPS server. While we can use the same RDS route name for two servers (say HTTP and HTTPS) exposing the same set of hosts on different ports, the optimization (one RDS instead of two) could quickly become useless the moment the set of hosts on the two servers start differing -- necessitating the need for two different RDS routes.

func GetConsolidateAuthenticationPolicy 

func GetConsolidateAuthenticationPolicy(mesh *meshconfig.MeshConfig, store IstioConfigStore, hostname Hostname, port *Port) *authn.Policy

GetConsolidateAuthenticationPolicy returns the authentication policy for service specified by hostname and port, if defined. If not, it generates and output a policy that is equivalent to the legacy flag and/or service annotation. Once these legacy flags/config deprecated, this function can be placed by a call to store.AuthenticationPolicyByDestination directly.

func IsApplicationNodeType 

func IsApplicationNodeType(nType NodeType) bool

IsApplicationNodeType verifies that the NodeType is one of the declared constants in the model

func IsDNS1123Label 

func IsDNS1123Label(value string) bool

IsDNS1123Label tests for a string that conforms to the definition of a label in DNS (RFC 1123).

func IsEgressRulesSupportedHTTPProtocol 

func IsEgressRulesSupportedHTTPProtocol(protocol Protocol) bool

IsEgressRulesSupportedHTTPProtocol returns true if the protocol is supported by egress rules, as an HTTP protocol (service names can contain wildcard domain names)

func IsEgressRulesSupportedProtocol 

func IsEgressRulesSupportedProtocol(protocol Protocol) bool

IsEgressRulesSupportedProtocol returns true if the protocol is supported by egress rules

func IsEgressRulesSupportedTCPProtocol 

func IsEgressRulesSupportedTCPProtocol(protocol Protocol) bool

IsEgressRulesSupportedTCPProtocol returns true if the protocol is supported by egress rules, as a TCP protocol (service names can contain CIDR)

func IsValidSubsetKey 

func IsValidSubsetKey(s string) bool

IsValidSubsetKey checks if a string is valid for subset key parsing.

func IsWildcardDNS1123Label 

func IsWildcardDNS1123Label(value string) bool

IsWildcardDNS1123Label tests for a string that conforms to the definition of a label in DNS (RFC 1123), but allows the wildcard label (`*`), and typical labels with a leading astrisk instead of alphabetic character (e.g. "*-foo")

func Key 

func Key(typ, name, namespace string) string

Key function for the configuration objects

func MatchSource 

func MatchSource(meta ConfigMeta, source *routing.IstioService, instances []*ServiceInstance) bool

MatchSource checks that a rule applies for source service instances. Empty source match condition applies for all cases.

func ParseMetadata 

func ParseMetadata(metadata *types.Struct) map[string]string

ParseMetadata parses the opaque Metadata from an Envoy Node into string key-value pairs. Any non-string values are ignored.

func ParsePort 

func ParsePort(addr string) int

ParsePort extracts port number from a valid proxy address

func ParseServiceKey 

func ParseServiceKey(s string) (hostname Hostname, ports PortList, labels LabelsCollection)

ParseServiceKey is the inverse of the Service.String() method Deprecated

func ParseSubsetKey 

func ParseSubsetKey(s string) (direction TrafficDirection, subsetName string, hostname Hostname, port int)

ParseSubsetKey is the inverse of the BuildSubsetKey method

func ServiceKey 

func ServiceKey(hostname Hostname, servicePorts PortList, labelsList LabelsCollection) string

ServiceKey generates a service key for a collection of ports and labels Deprecated

Interface wants to turn `Hostname` into `fmt.Stringer`, completely defeating the purpose of the type alias. nolint: interfacer

func SortHTTPAPISpec 

func SortHTTPAPISpec(specs []Config)

SortHTTPAPISpec sorts a slice in a stable manner.

func SortQuotaSpec 

func SortQuotaSpec(specs []Config)

SortQuotaSpec sorts a slice in a stable manner.

func SortRouteRules 

func SortRouteRules(rules []Config)

SortRouteRules sorts a slice of v1alpha1 rules by precedence in a stable manner.

func ToJSON 

func ToJSON(msg proto.Message) (string, error)

ToJSON marshals a proto to canonical JSON

func ToJSONMap 

func ToJSONMap(msg proto.Message) (map[string]interface{}, error)

ToJSONMap converts a proto message to a generic map using canonical JSON encoding JSON encoding is specified here: https://developers.google.com/protocol-buffers/docs/proto3#json

func ToJSONWithIndent 

func ToJSONWithIndent(msg proto.Message, indent string) (string, error)

ToJSONWithIndent marshals a proto to canonical JSON with pretty printed string

func ToYAML 

func ToYAML(msg proto.Message) (string, error)

ToYAML marshals a proto to canonical YAML

func ValidateAbort 

func ValidateAbort(abort *routing.HTTPFaultInjection_Abort) (errs error)

ValidateAbort checks that fault injection abort is well-formed

func ValidateAbortHTTPStatus 

func ValidateAbortHTTPStatus(httpStatus *routing.HTTPFaultInjection_Abort_HttpStatus) (errs error)

ValidateAbortHTTPStatus checks that fault injection abort HTTP status is valid

func ValidateAuthenticationPolicy 

func ValidateAuthenticationPolicy(name, namespace string, msg proto.Message) error

ValidateAuthenticationPolicy checks that AuthenticationPolicy is well-formed.

func ValidateCircuitBreaker 

func ValidateCircuitBreaker(cb *routing.CircuitBreaker) (errs error)

ValidateCircuitBreaker validates Circuit Breaker

func ValidateConnectTimeout 

func ValidateConnectTimeout(timeout *duration.Duration) error

ValidateConnectTimeout validates the envoy conncection timeout

func ValidateDelay 

func ValidateDelay(delay *routing.HTTPFaultInjection_Delay) (errs error)

ValidateDelay checks that fault injection delay is well-formed

func ValidateDestinationPolicy 

func ValidateDestinationPolicy(name, namespace string, msg proto.Message) error

ValidateDestinationPolicy checks proxy policies

func ValidateDestinationRule 

func ValidateDestinationRule(name, namespace string, msg proto.Message) (errs error)

ValidateDestinationRule checks proxy policies

func ValidateDestinationWeight 

func ValidateDestinationWeight(dw *routing.DestinationWeight) (errs error)

ValidateDestinationWeight validates DestinationWeight

func ValidateDuration 

func ValidateDuration(pd *duration.Duration) error

ValidateDuration checks that a proto duration is well-formed

func ValidateDurationGogo 

func ValidateDurationGogo(pd *types.Duration) error

ValidateDurationGogo checks that a gogo proto duration is well-formed

func ValidateDurationRange 

func ValidateDurationRange(dur, min, max time.Duration) error

ValidateDurationRange verifies range is in specified duration

func ValidateEgressRule 

func ValidateEgressRule(name, namespace string, msg proto.Message) error

ValidateEgressRule checks egress rules

func ValidateEgressRuleDestination 

func ValidateEgressRuleDestination(destination *routing.IstioService) error

ValidateEgressRuleDestination checks that valid destination is used for an egress-rule only service field is allowed, all other fields are forbidden

func ValidateEgressRuleDomain 

func ValidateEgressRuleDomain(domain string) error

ValidateEgressRuleDomain validates domains in the egress rules domains are according to the definion of Envoy's domain of virtual hosts.

Wildcard hosts are supported in the form of “*.foo.com” or “*-bar.foo.com”. Note that the wildcard will not match the empty string. e.g. “*-bar.foo.com” will match “baz-bar.foo.com” but not “-bar.foo.com”. Additionally, a special entry “*” is allowed which will match any host/authority header.

func ValidateEgressRulePort 

func ValidateEgressRulePort(port *routing.EgressRule_Port) error

ValidateEgressRulePort checks the port of the egress rule (communication port and protocol)

func ValidateEgressRuleService 

func ValidateEgressRuleService(service string) error

ValidateEgressRuleService validates service field of egress rules. Service field of egress rule contains either domain, according to the definition of Envoy's domain of virtual hosts, or CIDR, according to the definition of destination_ip_list of a route in Envoy's TCP Proxy filter.

func ValidateEnvoyFilter 

func ValidateEnvoyFilter(name, namespace string, msg proto.Message) (errs error)

ValidateEnvoyFilter checks envoy filter config supplied by user

func ValidateFQDN 

func ValidateFQDN(fqdn string) error

ValidateFQDN checks a fully-qualified domain name

func ValidateFloatPercent 

func ValidateFloatPercent(val float32) error

ValidateFloatPercent checks that percent is in range

func ValidateGateway 

func ValidateGateway(name, namespace string, msg proto.Message) (errs error)

ValidateGateway checks gateway specifications

func ValidateGogoDuration 

func ValidateGogoDuration(in *types.Duration) error

ValidateGogoDuration validates the gogoproto variant of duration.

func ValidateHTTPAPISpec 

func ValidateHTTPAPISpec(name, namespace string, msg proto.Message) error

ValidateHTTPAPISpec checks that HTTPAPISpec is well-formed.

func ValidateHTTPAPISpecBinding 

func ValidateHTTPAPISpecBinding(name, namespace string, msg proto.Message) error

ValidateHTTPAPISpecBinding checks that HTTPAPISpecBinding is well-formed.

func ValidateHTTPFault 

func ValidateHTTPFault(fault *routing.HTTPFaultInjection) (errs error)

ValidateHTTPFault validates HTTP Fault

func ValidateHTTPHeaderName 

func ValidateHTTPHeaderName(name string) error

ValidateHTTPHeaderName checks that the name is lower-case

func ValidateHTTPRetries 

func ValidateHTTPRetries(retry *routing.HTTPRetry) (errs error)

ValidateHTTPRetries validates HTTP Retries

func ValidateHTTPTimeout 

func ValidateHTTPTimeout(timeout *routing.HTTPTimeout) (errs error)

ValidateHTTPTimeout validates HTTP Timeout

func ValidateIPv4Address 

func ValidateIPv4Address(addr string) error

ValidateIPv4Address validates that a string in "CIDR notation" or "Dot-decimal notation"

func ValidateIPv4Subnet 

func ValidateIPv4Subnet(subnet string) error

ValidateIPv4Subnet checks that a string is in "CIDR notation" or "Dot-decimal notation"

func ValidateIngressRule 

func ValidateIngressRule(name, namespace string, msg proto.Message) error

ValidateIngressRule checks ingress rules

func ValidateIstioService 

func ValidateIstioService(svc *routing.IstioService) (errs error)

ValidateIstioService checks for validity of a service reference

func ValidateL4Fault 

func ValidateL4Fault(fault *routing.L4FaultInjection) (errs error)

ValidateL4Fault validates L4 Fault

func ValidateL4MatchAttributes 

func ValidateL4MatchAttributes(ma *routing.L4MatchAttributes) (errs error)

ValidateL4MatchAttributes validates L4 Match Attributes

func ValidateLoadBalancing 

func ValidateLoadBalancing(lb *routing.LoadBalancing) (errs error)

ValidateLoadBalancing validates Load Balancing

func ValidateMatchCondition 

func ValidateMatchCondition(mc *routing.MatchCondition) (errs error)

ValidateMatchCondition validates a match condition

func ValidateMeshConfig 

func ValidateMeshConfig(mesh *meshconfig.MeshConfig) (errs error)

ValidateMeshConfig checks that the mesh config is well-formed

func ValidateMixerAttributes 

func ValidateMixerAttributes(msg proto.Message) error

ValidateMixerAttributes checks that Mixer attributes is well-formed.

func ValidateNetworkEndpointAddress 

func ValidateNetworkEndpointAddress(n *NetworkEndpoint) error

ValidateNetworkEndpointAddress checks the Address field of a NetworkEndpoint. If the family is TCP, it checks the address is a valid IP address. If the family is Unix, it checks the address is a valid socket file path.

func ValidateParentAndDrain 

func ValidateParentAndDrain(drainTime, parentShutdown *duration.Duration) (errs error)

ValidateParentAndDrain checks that parent and drain durations are valid

func ValidatePercent 

func ValidatePercent(val int32) error

ValidatePercent checks that percent is in range

func ValidatePort 

func ValidatePort(port int) error

ValidatePort checks that the network port is in range

func ValidateProxyAddress 

func ValidateProxyAddress(hostAddr string) error

ValidateProxyAddress checks that a network address is well-formed

func ValidateProxyConfig 

func ValidateProxyConfig(config *meshconfig.ProxyConfig) (errs error)

ValidateProxyConfig checks that the mesh config is well-formed

func ValidateQuotaSpec 

func ValidateQuotaSpec(name, namespace string, msg proto.Message) error

ValidateQuotaSpec checks that Quota is well-formed.

func ValidateQuotaSpecBinding 

func ValidateQuotaSpecBinding(name, namespace string, msg proto.Message) error

ValidateQuotaSpecBinding checks that QuotaSpecBinding is well-formed.

func ValidateRbacConfig 

func ValidateRbacConfig(name, namespace string, msg proto.Message) error

ValidateRbacConfig checks that RbacConfig is well-formed.

func ValidateRefreshDelay 

func ValidateRefreshDelay(refresh *duration.Duration) error

ValidateRefreshDelay validates the discovery refresh delay time

func ValidateRouteRule 

func ValidateRouteRule(name, namespace string, msg proto.Message) error

ValidateRouteRule checks routing rules

func ValidateServiceEntry 

func ValidateServiceEntry(name, namespace string, config proto.Message) (errs error)

ValidateServiceEntry validates a service entry.

func ValidateServiceRole 

func ValidateServiceRole(name, namespace string, msg proto.Message) error

ValidateServiceRole checks that ServiceRole is well-formed.

func ValidateServiceRoleBinding 

func ValidateServiceRoleBinding(name, namespace string, msg proto.Message) error

ValidateServiceRoleBinding checks that ServiceRoleBinding is well-formed.

func ValidateStringMatch 

func ValidateStringMatch(match *routing.StringMatch) error

ValidateStringMatch checks that the match types are correct

func ValidateSubnet 

func ValidateSubnet(subnet string) error

ValidateSubnet checks that IPv4 subnet form

func ValidateTerminate 

func ValidateTerminate(terminate *routing.L4FaultInjection_Terminate) (errs error)

ValidateTerminate checks that fault injection terminate is well-formed

func ValidateThrottle 

func ValidateThrottle(throttle *routing.L4FaultInjection_Throttle) (errs error)

ValidateThrottle checks that fault injections throttle is well-formed

func ValidateUnixAddress 

func ValidateUnixAddress(addr string) error

ValidateUnixAddress validates that the string is a valid unix domain socket path.

func ValidateVirtualService 

func ValidateVirtualService(name, namespace string, msg proto.Message) (errs error)

ValidateVirtualService checks that a v1alpha3 route rule is well-formed.

func ValidateWeights 

func ValidateWeights(routes []*routing.DestinationWeight) (errs error)

ValidateWeights checks that destination weights sum to 100

func ValidateWildcardDomain 

func ValidateWildcardDomain(domain string) error

ValidateWildcardDomain checks that a domain is a valid FQDN, but also allows wildcard prefixes.

Types

type AddressFamily 

type AddressFamily int

AddressFamily indicates the kind of transport used to reach a NetworkEndpoint 

const (
	// AddressFamilyTCP represents an address that connects to a TCP endpoint. It consists of an IP address or host and
	// a port number.
	AddressFamilyTCP AddressFamily = iota
	// AddressFamilyUnix represents an address that connects to a Unix Domain Socket. It consists of a socket file path.
	AddressFamilyUnix
)

func (AddressFamily) String 

func (f AddressFamily) String() string

type Config 

type Config struct {
	ConfigMeta

	// Spec holds the configuration object as a protobuf message
	Spec proto.Message
}

Config is a configuration unit consisting of the type of configuration, the key identifier that is unique per type, and the content represented as a protobuf message.

func RejectConflictingEgressRules 

func RejectConflictingEgressRules(rules []Config) ([]Config, error)

RejectConflictingEgressRules rejects conflicting egress rules. The conflicts occur either than two egress rules share the same domain, or when they define different protocols on the same port

type ConfigDescriptor 

type ConfigDescriptor []ProtoSchema

ConfigDescriptor defines the bijection between the short type name and its fully qualified protobuf message name

func (ConfigDescriptor) GetByType 

func (descriptor ConfigDescriptor) GetByType(name string) (ProtoSchema, bool)

GetByType finds a schema by type if it is available

func (ConfigDescriptor) Types 

func (descriptor ConfigDescriptor) Types() []string

Types lists all known types in the config schema

func (ConfigDescriptor) Validate 

func (descriptor ConfigDescriptor) Validate() error

Validate checks that each name conforms to the spec and has a ProtoMessage

type ConfigMeta 

type ConfigMeta struct {
	// Type is a short configuration name that matches the content message type
	// (e.g. "route-rule")
	Type string `json:"type,omitempty"`

	// Group is the API group of the config.
	Group string `json:"group,omitempty"`

	// Version is the API version of the Config.
	Version string `json:"version,omitempty"`

	// Name is a unique immutable identifier in a namespace
	Name string `json:"name,omitempty"`

	// Namespace defines the space for names (optional for some types),
	// applications may choose to use namespaces for a variety of purposes
	// (security domains, fault domains, organizational domains)
	Namespace string `json:"namespace,omitempty"`

	// Domain defines the suffix of the fully qualified name past the namespace.
	// Domain is not a part of the unique key unlike name and namespace.
	Domain string `json:"domain,omitempty"`

	// Map of string keys and values that can be used to organize and categorize
	// (scope and select) objects.
	Labels map[string]string `json:"labels,omitempty"`

	// Annotations is an unstructured key value map stored with a resource that may be
	// set by external tools to store and retrieve arbitrary metadata. They are not
	// queryable and should be preserved when modifying objects.
	Annotations map[string]string `json:"annotations,omitempty"`

	// ResourceVersion is an opaque identifier for tracking updates to the config registry.
	// The implementation may use a change index or a commit log for the revision.
	// The config client should not make any assumptions about revisions and rely only on
	// exact equality to implement optimistic concurrency of read-write operations.
	//
	// The lifetime of an object of a particular revision depends on the underlying data store.
	// The data store may compactify old revisions in the interest of storage optimization.
	//
	// An empty revision carries a special meaning that the associated object has
	// not been stored and assigned a revision.
	ResourceVersion string `json:"resourceVersion,omitempty"`

	// CreationTimestamp records the creation time
	CreationTimestamp meta_v1.Time `json:"resourceVersion,omitempty"`
}

ConfigMeta is metadata attached to each configuration unit. The revision is optional, and if provided, identifies the last update operation on the object.

func (*ConfigMeta) Key 

func (meta *ConfigMeta) Key() string

Key is the unique identifier for a configuration object

type ConfigStore 

type ConfigStore interface {
	// ConfigDescriptor exposes the configuration type schema known by the config store.
	// The type schema defines the bidrectional mapping between configuration
	// types and the protobuf encoding schema.
	ConfigDescriptor() ConfigDescriptor

	// Get retrieves a configuration element by a type and a key
	Get(typ, name, namespace string) (config *Config, exists bool)

	// List returns objects by type and namespace.
	// Use "" for the namespace to list across namespaces.
	List(typ, namespace string) ([]Config, error)

	// Create adds a new configuration object to the store. If an object with the
	// same name and namespace for the type already exists, the operation fails
	// with no side effects.
	Create(config Config) (revision string, err error)

	// Update modifies an existing configuration object in the store.  Update
	// requires that the object has been created.  Resource version prevents
	// overriding a value that has been changed between prior _Get_ and _Put_
	// operation to achieve optimistic concurrency. This method returns a new
	// revision if the operation succeeds.
	Update(config Config) (newRevision string, err error)

	// Delete removes an object from the store by key
	Delete(typ, name, namespace string) error
}

ConfigStore describes a set of platform agnostic APIs that must be supported by the underlying platform to store and retrieve Istio configuration.

Configuration key is defined to be a combination of the type, name, and namespace of the configuration object. The configuration key is guaranteed to be unique in the store.

The storage interface presented here assumes that the underlying storage layer supports _Get_ (list), _Update_ (update), _Create_ (create) and _Delete_ semantics but does not guarantee any transactional semantics.

_Update_, _Create_, and _Delete_ are mutator operations. These operations are asynchronous, and you might not see the effect immediately (e.g. _Get_ might not return the object by key immediately after you mutate the store.) Intermittent errors might occur even though the operation succeeds, so you should always check if the object store has been modified even if the mutating operation returns an error. Objects should be created with _Create_ operation and updated with _Update_ operation.

Resource versions record the last mutation operation on each object. If a mutation is applied to a different revision of an object than what the underlying storage expects as defined by pure equality, the operation is blocked. The client of this interface should not make assumptions about the structure or ordering of the revision identifier.

Object references supplied and returned from this interface should be treated as read-only. Modifying them violates thread-safety.

type ConfigStoreCache 

type ConfigStoreCache interface {
	ConfigStore

	// RegisterEventHandler adds a handler to receive config update events for a
	// configuration type
	RegisterEventHandler(typ string, handler func(Config, Event))

	// Run until a signal is received
	Run(stop <-chan struct{})

	// HasSynced returns true after initial cache synchronization is complete
	HasSynced() bool
}

ConfigStoreCache is a local fully-replicated cache of the config store. The cache actively synchronizes its local state with the remote store and provides a notification mechanism to receive update events. As such, the notification handlers must be registered prior to calling _Run_, and the cache requires initial synchronization grace period after calling _Run_.

Update notifications require the following consistency guarantee: the view in the cache must be AT LEAST as fresh as the moment notification arrives, but MAY BE more fresh (e.g. if _Delete_ cancels an _Add_ event).

Handlers execute on the single worker queue in the order they are appended. Handlers receive the notification event and the associated object. Note that all handlers must be registered before starting the cache controller.

type Controller 

type Controller interface {
	// AppendServiceHandler notifies about changes to the service catalog.
	AppendServiceHandler(f func(*Service, Event)) error

	// AppendInstanceHandler notifies about changes to the service instances
	// for a service.
	AppendInstanceHandler(f func(*ServiceInstance, Event)) error

	// Run until a signal is received
	Run(stop <-chan struct{})
}

Controller defines an event controller loop. Proxy agent registers itself with the controller loop and receives notifications on changes to the service topology or changes to the configuration artifacts.

The controller guarantees the following consistency requirement: registry view in the controller is as AT LEAST as fresh as the moment notification arrives, but MAY BE more fresh (e.g. "delete" cancels an "add" event). For example, an event for a service creation will see a service registry without the service if the event is immediately followed by the service deletion event.

Handlers execute on the single worker queue in the order they are appended. Handlers receive the notification event and the associated object. Note that all handlers must be appended before starting the controller.

type Environment 

type Environment struct {
	// Discovery interface for listing services and instances.
	ServiceDiscovery

	// Accounts interface for listing service accounts
	ServiceAccounts

	// Config interface for listing routing rules
	IstioConfigStore

	// Mesh is the mesh config (to be merged into the config store)
	Mesh *meshconfig.MeshConfig

	// Mixer subject alternate name for mutual TLS
	MixerSAN []string
}

Environment provides an aggregate environmental API for Pilot

type Event 

type Event int

Event represents a registry update event 

const (
	// EventAdd is sent when an object is added
	EventAdd Event = iota

	// EventUpdate is sent when an object is modified
	// Captures the modified object
	EventUpdate

	// EventDelete is sent when an object is deleted
	// Captures the object at the last known state
	EventDelete
)

func (Event) String 

func (event Event) String() string

type Hostname 

type Hostname string

Hostname describes a (possibly wildcarded) hostname

func MostSpecificHostMatch 

func MostSpecificHostMatch(needle Hostname, stack []Hostname) (Hostname, bool)

MostSpecificHostMatch compares the elements of the stack to the needle, and returns the longest stack element matching the needle, or false if no element in the stack matches the needle.

func ResolveHostname 

func ResolveHostname(meta ConfigMeta, svc *routing.IstioService) Hostname

ResolveHostname uses metadata information to resolve a service reference to a fully qualified hostname. The metadata namespace and domain are used as fallback values to fill up the complete name.

func ResolveShortnameToFQDN 

func ResolveShortnameToFQDN(host string, meta ConfigMeta) Hostname

ResolveShortnameToFQDN uses metadata information to resolve a reference to shortname of the service to FQDN

func (Hostname) Matches 

func (h Hostname) Matches(o Hostname) bool

Matches returns true if this Hostname "matches" the other hostname. Hostnames match if: - they're fully resolved (i.e. not wildcarded) and match exactly (i.e. an exact string match) - one or both are wildcarded (e.g. "*.foo.com"), in which case we use wildcard resolution rules to determine if h is covered by o. e.g.: 

Hostname("foo.com").Matches("foo.com")   = true
Hostname("foo.com").Matches("bar.com")   = false
Hostname("*.com").Matches("foo.com")     = true
Hostname("*.com").Matches("foo.com")     = true
Hostname("*.foo.com").Matches("foo.com") = false

func (Hostname) String 

func (h Hostname) String() string

String returns Hostname as a string; Hostname is already an alias of a string, so this is really for convenience over explicit casting.

type Hostnames 

type Hostnames []Hostname

Hostnames is a collection of Hostname; it exists so it's easy to sort hostnames consistently across Pilot. In a few locations we care about the order hostnames appear in Envoy config: primarily HTTP routes, but also in gateways, and for SNI. In those locations, we sort hostnames longest to shortest with wildcards last.

func (Hostnames) Len 

func (h Hostnames) Len() int

func (Hostnames) Less 

func (h Hostnames) Less(i, j int) bool

func (Hostnames) Swap 

func (h Hostnames) Swap(i, j int)

type IstioConfigStore 

type IstioConfigStore interface {
	ConfigStore

	// EgressRules lists all egress rules
	EgressRules() []Config

	// ServiceEntries lists all service entries
	ServiceEntries() []Config

	// RouteRules selects routing rules by source service instances and
	// destination service.  A rule must match at least one of the input service
	// instances since the proxy does not distinguish between source instances in
	// the request.
	RouteRules(source []*ServiceInstance, destination string) []Config

	// RouteRulesByDestination selects routing rules associated with destination
	// service instances.  A rule must match at least one of the input
	// destination instances.
	RouteRulesByDestination(destination []*ServiceInstance) []Config

	// Policy returns a policy for a service version that match at least one of
	// the source instances.  The labels must match precisely in the policy.
	Policy(source []*ServiceInstance, destination string, labels Labels) *Config

	// DestinationRule returns a destination rule for a service name in a given domain.
	DestinationRule(hostname Hostname) *Config

	// VirtualServices lists all virtual services bound to the specified gateways
	VirtualServices(gateways map[string]bool) []Config

	// Gateways lists all gateways bound to the specified workload labels
	Gateways(workloadLabels LabelsCollection) []Config

	// SubsetToLabels returns the labels associated with a subset of a given service.
	SubsetToLabels(subsetName string, hostname Hostname) LabelsCollection

	// EnvoyFilter lists the envoy filter configuration bound to the specified workload labels
	EnvoyFilter(workloadLabels LabelsCollection) *Config

	// HTTPAPISpecByDestination selects Mixerclient HTTP API Specs
	// associated with destination service instances.
	HTTPAPISpecByDestination(instance *ServiceInstance) []Config

	// QuotaSpecByDestination selects Mixerclient quota specifications
	// associated with destination service instances.
	QuotaSpecByDestination(instance *ServiceInstance) []Config

	// AuthenticationPolicyByDestination selects authentication policy associated
	// with a service + port. Hostname must be FQDN.
	// If there are more than one policies at different scopes (global, namespace, service)
	// the one with the most specific scope will be selected. If there are more than
	// one with the same scope, the first one seen will be used (later, we should
	// have validation at submitting time to prevent this scenario from happening)
	AuthenticationPolicyByDestination(hostname Hostname, port *Port) *Config

	// ServiceRoles selects ServiceRoles in the specified namespace.
	ServiceRoles(namespace string) []Config

	// ServiceRoleBindings selects ServiceRoleBindings in the specified namespace.
	ServiceRoleBindings(namespace string) []Config

	// RbacConfig selects the RbacConfig of name DefaultRbacConfigName.
	RbacConfig() *Config
}

IstioConfigStore is a specialized interface to access config store using Istio configuration types

func MakeIstioStore 

func MakeIstioStore(store ConfigStore) IstioConfigStore

MakeIstioStore creates a wrapper around a store. In pilot it is initialized with a ConfigStoreCache, tests only use a regular ConfigStore.

type Labels 

type Labels map[string]string

Labels is a non empty set of arbitrary strings. Each version of a service can be differentiated by a unique set of labels associated with the version. These labels are assigned to all instances of a particular service version. For example, lets say catalog.mystore.com has 2 versions v1 and v2. v1 instances could have labels gitCommit=aeiou234, region=us-east, while v2 instances could have labels name=kittyCat,region=us-east.

func ParseLabelsString 

func ParseLabelsString(s string) Labels

ParseLabelsString extracts labels from a string

func (Labels) Equals 

func (l Labels) Equals(that Labels) bool

Equals returns true if the labels are identical

func (Labels) String 

func (l Labels) String() string

func (Labels) SubsetOf 

func (l Labels) SubsetOf(that Labels) bool

SubsetOf is true if the label has identical values for the keys

func (Labels) Validate 

func (l Labels) Validate() error

Validate ensures tag is well-formed

type LabelsCollection 

type LabelsCollection []Labels

LabelsCollection is a collection of labels used for comparing labels against a collection of labels

func (LabelsCollection) HasSubsetOf 

func (labels LabelsCollection) HasSubsetOf(that Labels) bool

HasSubsetOf returns true if the input labels are a super set of one labels in a collection or if the tag collection is empty

func (LabelsCollection) IsSupersetOf 

func (labels LabelsCollection) IsSupersetOf(that Labels) bool

IsSupersetOf returns true if the input labels are a subset set of any set of labels in a collection

type MergedGateway 

type MergedGateway struct {
	Names map[string]bool

	// maps from physical port to virtual servers
	Servers map[uint32][]*networking.Server

	// maps from port names to virtual hosts
	// Used for RDS. No two port names share same port except for HTTPS
	// The typical length of the value is always 1, except for HTTP (not HTTPS),
	RDSRouteConfigNames map[string][]*networking.Server
}

MergedGateway describes a set of gateways for a workload merged into a single logical gateway.

TODO: do we need a `func (m *MergedGateway) MergeInto(gateway *networking.Gateway)`?

func MergeGateways 

func MergeGateways(gateways ...Config) *MergedGateway

MergeGateways combines multiple gateways targeting the same workload into a single logical Gateway. Note that today any Servers in the combined gateways listening on the same port must have the same protocol. If servers with different protocols attempt to listen on the same port, one of the protocols will be chosen at random.

type NetworkEndpoint 

type NetworkEndpoint struct {
	// Family indicates what type of endpoint, such as TCP or Unix Domain Socket.
	Family AddressFamily

	// Address of the network endpoint. If Family is `AddressFamilyTCP`, it is
	// typically an IPv4 address. If Family is `AddressFamilyUnix`, it is the
	// path to the domain socket.
	Address string

	// Port number where this instance is listening for connections This
	// need not be the same as the port where the service is accessed.
	// e.g., catalog.mystore.com:8080 -> 172.16.0.1:55446
	// Ignored for `AddressFamilyUnix`.
	Port int

	// Port declaration from the service declaration This is the port for
	// the service associated with this instance (e.g.,
	// catalog.mystore.com)
	ServicePort *Port

	// Defines a platform-specific workload instance identifier (optional).
	UID string
}

NetworkEndpoint defines a network address (IP:port) associated with an instance of the service. A service has one or more instances each running in a container/VM/pod. If a service has multiple ports, then the same instance IP is expected to be listening on multiple ports (one per each service port). Note that the port associated with an instance does not have to be the same as the port associated with the service. Depending on the network setup (NAT, overlays), this could vary.

For e.g., if catalog.mystore.com is accessible through port 80 and 8080, and it maps to an instance with IP 172.16.0.1, such that connections to port 80 are forwarded to port 55446, and connections to port 8080 are forwarded to port 33333,

then internally, we have two two endpoint structs for the service catalog.mystore.com 

--> 172.16.0.1:54546 (with ServicePort pointing to 80) and
--> 172.16.0.1:33333 (with ServicePort pointing to 8080)

type NodeType 

type NodeType string

NodeType decides the responsibility of the proxy serves in the mesh 

const (
	// Sidecar type is used for sidecar proxies in the application containers
	Sidecar NodeType = "sidecar"

	// Ingress type is used for cluster ingress proxies
	Ingress NodeType = "ingress"

	// Router type is used for standalone proxies acting as L7/L4 routers
	Router NodeType = "router"
)

type Port 

type Port struct {
	// Name ascribes a human readable name for the port object. When a
	// service has multiple ports, the name field is mandatory
	Name string `json:"name,omitempty"`

	// Port number where the service can be reached. Does not necessarily
	// map to the corresponding port numbers for the instances behind the
	// service. See NetworkEndpoint definition below.
	Port int `json:"port"`

	// Protocol to be used for the port.
	Protocol Protocol `json:"protocol,omitempty"`
}

Port represents a network port where a service is listening for connections. The port should be annotated with the type of protocol used by the port.

func ParseJwksURI 

func ParseJwksURI(jwksURI string) (string, *Port, bool, error)

ParseJwksURI parses the input URI and returns the corresponding hostname, port, and whether SSL is used. URI must start with "http://" or "https://", which corresponding to "http" or "https" scheme. Port number is extracted from URI if available (i.e from postfix :<port>, eg. ":80"), or assigned to a default value based on URI scheme (80 for http and 443 for https). Port name is set to URI scheme value. Note: this is to replace [buildJWKSURIClusterNameAndAddress] (https://github.com/istio/istio/blob/master/pilot/pkg/proxy/envoy/v1/mixer.go#L401), which is used for the old EUC policy.

func (Port) Match 

func (port Port) Match(portSelector *authn.PortSelector) bool

Match returns true if port matches with authentication port selector criteria.

type PortList 

type PortList []*Port

PortList is a set of ports

func (PortList) Get 

func (ports PortList) Get(name string) (*Port, bool)

Get retrieves a port declaration by name

func (PortList) GetByPort 

func (ports PortList) GetByPort(num int) (*Port, bool)

GetByPort retrieves a port declaration by port value

func (PortList) GetNames 

func (ports PortList) GetNames() []string

GetNames returns port names

type Probe 

type Probe struct {
	Port *Port  `json:"port,omitempty"`
	Path string `json:"path,omitempty"`
}

Probe represents a health probe associated with an instance of service.

type ProbeList 

type ProbeList []*Probe

ProbeList is a set of probes

type ProtoSchema 

type ProtoSchema struct {
	// ClusterScoped is true for resource in cluster-level.
	ClusterScoped bool

	// Type is the config proto type.
	Type string

	// Plural is the type in plural.
	Plural string

	// Group is the config proto group.
	Group string

	// Version is the config proto version.
	Version string

	// MessageName refers to the protobuf message type name corresponding to the type
	MessageName string

	// Gogo is true for gogo protobuf messages
	Gogo bool

	// Validate configuration as a protobuf message assuming the object is an
	// instance of the expected message type
	Validate func(name, namespace string, config proto.Message) error
}

ProtoSchema provides description of the configuration schema and its key function

func (*ProtoSchema) FromJSON 

func (ps *ProtoSchema) FromJSON(js string) (proto.Message, error)

FromJSON converts a canonical JSON to a proto message

func (*ProtoSchema) FromJSONMap 

func (ps *ProtoSchema) FromJSONMap(data interface{}) (proto.Message, error)

FromJSONMap converts from a generic map to a proto message using canonical JSON encoding JSON encoding is specified here: https://developers.google.com/protocol-buffers/docs/proto3#json

func (*ProtoSchema) FromYAML 

func (ps *ProtoSchema) FromYAML(yml string) (proto.Message, error)

FromYAML converts a canonical YAML to a proto message

func (*ProtoSchema) Make 

func (ps *ProtoSchema) Make() (proto.Message, error)

Make creates a new instance of the proto message

type Protocol 

type Protocol string

Protocol defines network protocols for ports 

const (
	// ProtocolGRPC declares that the port carries gRPC traffic
	ProtocolGRPC Protocol = "GRPC"
	// ProtocolHTTP declares that the port carries HTTP/1.1 traffic.
	// Note that HTTP/1.0 or earlier may not be supported by the proxy.
	ProtocolHTTP Protocol = "HTTP"
	// ProtocolHTTP2 declares that the port carries HTTP/2 traffic
	ProtocolHTTP2 Protocol = "HTTP2"
	// ProtocolHTTPS declares that the port carries HTTPS traffic
	ProtocolHTTPS Protocol = "HTTPS"
	// ProtocolTCP declares the the port uses TCP.
	// This is the default protocol for a service port.
	ProtocolTCP Protocol = "TCP"
	// ProtocolTLS declares that the port carries TLS traffic.
	// TLS traffic is assumed to contain SNI as part of the handshake.
	ProtocolTLS Protocol = "TLS"
	// ProtocolUDP declares that the port uses UDP.
	// Note that UDP protocol is not currently supported by the proxy.
	ProtocolUDP Protocol = "UDP"
	// ProtocolMongo declares that the port carries mongoDB traffic
	ProtocolMongo Protocol = "Mongo"
	// ProtocolRedis declares that the port carries redis traffic
	ProtocolRedis Protocol = "Redis"
	// ProtocolUnsupported - value to signify that the protocol is unsupported
	ProtocolUnsupported Protocol = "UnsupportedProtocol"
)

func ParseProtocol 

func ParseProtocol(s string) Protocol

ParseProtocol from string ignoring case

func (Protocol) IsHTTP 

func (p Protocol) IsHTTP() bool

IsHTTP is true for protocols that use HTTP as transport protocol

func (Protocol) IsHTTP2 

func (p Protocol) IsHTTP2() bool

IsHTTP2 is true for protocols that use HTTP/2 as transport protocol

func (Protocol) IsTCP 

func (p Protocol) IsTCP() bool

IsTCP is true for protocols that use TCP as transport protocol

func (Protocol) IsTLS 

func (p Protocol) IsTLS() bool

IsTLS is true for protocols on top of TLS (e.g. HTTPS)

type Proxy 

type Proxy struct {
	// ClusterID specifies the cluster where the proxy resides
	ClusterID string

	// Type specifies the node type
	Type NodeType

	// IPAddress is the IP address of the proxy used to identify it and its
	// co-located service instances. Example: "10.60.1.6"
	IPAddress string

	// ID is the unique platform-specific sidecar proxy ID
	ID string

	// Domain defines the DNS domain suffix for short hostnames (e.g.
	// "default.svc.cluster.local")
	Domain string

	// Metadata key-value pairs extending the Node identifier
	Metadata map[string]string
}

Proxy defines the proxy attributes used by xDS identification

func ParseServiceNode 

func ParseServiceNode(s string) (Proxy, error)

ParseServiceNode is the inverse of service node function

func (*Proxy) ServiceNode 

func (node *Proxy) ServiceNode() string

ServiceNode encodes the proxy node attributes into a URI-acceptable string

type Resolution 

type Resolution int

Resolution indicates how the service instances need to be resolved before routing traffic. 

const (
	// ClientSideLB implies that the proxy will decide the endpoint from its local lb pool
	ClientSideLB Resolution = iota
	// DNSLB implies that the proxy will resolve a DNS address and forward to the resolved address
	DNSLB
	// Passthrough implies that the proxy should forward traffic to the destination IP requested by the caller
	Passthrough
)

type Service 

type Service struct {
	// Hostname of the service, e.g. "catalog.mystore.com"
	Hostname Hostname `json:"hostname"`

	// Address specifies the service IPv4 address of the load balancer
	Address string `json:"address,omitempty"`

	// ClusterVIPs specifies the service address of the load balancer
	// in each of the clusters where the service resides
	ClusterVIPs map[string]string `json:"cluster-vips,omitempty"`

	// Ports is the set of network ports where the service is listening for
	// connections
	Ports PortList `json:"ports,omitempty"`

	// ExternalName is only set for external services and holds the external
	// service DNS name.  External services are name-based solution to represent
	// external service instances as a service inside the cluster.
	// Deprecated : made obsolete by the MeshExternal and Resolution flags.
	ExternalName Hostname `json:"external"`

	// ServiceAccounts specifies the service accounts that run the service.
	ServiceAccounts []string `json:"serviceaccounts,omitempty"`

	// MeshExternal (if true) indicates that the service is external to the mesh.
	// These services are defined using Istio's ServiceEntry spec.
	MeshExternal bool

	// LoadBalancingDisabled indicates that no load balancing should be done for this service.
	// Deprecated : made obsolete by the MeshExternal and Resolution flags.
	LoadBalancingDisabled bool `json:"-"`

	// Resolution indicates how the service instances need to be resolved before routing
	// traffic. Most services in the service registry will use static load balancing wherein
	// the proxy will decide the service instance that will receive the traffic. Service entries
	// could either use DNS load balancing (i.e. proxy will query DNS server for the IP of the service)
	// or use the passthrough model (i.e. proxy will forward the traffic to the network endpoint requested
	// by the caller)
	Resolution Resolution
}

Service describes an Istio service (e.g., catalog.mystore.com:8080) Each service has a fully qualified domain name (FQDN) and one or more ports where the service is listening for connections. *Optionally*, a service can have a single load balancer/virtual IP address associated with it, such that the DNS queries for the FQDN resolves to the virtual IP address (a load balancer IP).

E.g., in kubernetes, a service foo is associated with foo.default.svc.cluster.local hostname, has a virtual IP of 10.0.1.1 and listens on ports 80, 8080

func (*Service) External 

func (s *Service) External() bool

External predicate checks whether the service is external

func (Service) GetServiceAddressForProxy 

func (s Service) GetServiceAddressForProxy(node *Proxy) string

GetServiceAddressForProxy returns a Service's IP address specific to the cluster where the node resides

func (*Service) Key 

func (s *Service) Key(port *Port, labels Labels) string

Key generates a unique string referencing service instances for a given port and labels. The separator character must be exclusive to the regular expressions allowed in the service declaration. Deprecated

func (*Service) Validate 

func (s *Service) Validate() error

Validate ensures that the service object is well-defined

type ServiceAccounts 

type ServiceAccounts interface {
	// GetIstioServiceAccounts returns a list of service accounts looked up from
	// the specified service hostname and ports.
	GetIstioServiceAccounts(hostname Hostname, ports []string) []string
}

ServiceAccounts exposes Istio service accounts

type ServiceAttributes 

type ServiceAttributes struct {
	// Name is "destination.service.name" attribute
	Name string
	// Namespace is "destination.service.namespace" attribute
	Namespace string
	// UID is "destination.service.uid" attribute
	UID string
}

ServiceAttributes represents a group of custom attributes of the service.

type ServiceDiscovery 

type ServiceDiscovery interface {
	// Services list declarations of all services in the system
	Services() ([]*Service, error)

	// GetService retrieves a service by host name if it exists
	GetService(hostname Hostname) (*Service, error)

	// GetServiceAttributes retrieves the custom attributes of a service
	GetServiceAttributes(hostname Hostname) (*ServiceAttributes, error)

	// Instances retrieves instances for a service and its ports that match
	// any of the supplied labels. All instances match an empty tag list.
	//
	// For example, consider the example of catalog.mystore.com as described in NetworkEndpoints
	// Instances(catalog.myservice.com, 80) ->
	//      --> NetworkEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//      --> NetworkEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//      --> NetworkEndpoint(172.16.0.3:8888), Service(catalog.myservice.com), Labels(kitty=cat)
	//      --> NetworkEndpoint(172.16.0.4:8888), Service(catalog.myservice.com), Labels(kitty=cat)
	//
	// Calling Instances with specific labels returns a trimmed list.
	// e.g., Instances(catalog.myservice.com, 80, foo=bar) ->
	//      --> NetworkEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//      --> NetworkEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//
	// Similar concepts apply for calling this function with a specific
	// port, hostname and labels.
	// Deprecated: made obsolete by InstancesByPort
	Instances(hostname Hostname, ports []string, labels LabelsCollection) ([]*ServiceInstance, error)

	// InstancesByPort retrieves instances for a service on the given ports with labels that match
	// any of the supplied labels. All instances match an empty tag list.
	//
	// For example, consider the example of catalog.mystore.com as described in NetworkEndpoints
	// Instances(catalog.myservice.com, 80) ->
	//      --> NetworkEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//      --> NetworkEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//      --> NetworkEndpoint(172.16.0.3:8888), Service(catalog.myservice.com), Labels(kitty=cat)
	//      --> NetworkEndpoint(172.16.0.4:8888), Service(catalog.myservice.com), Labels(kitty=cat)
	//
	// Calling Instances with specific labels returns a trimmed list.
	// e.g., Instances(catalog.myservice.com, 80, foo=bar) ->
	//      --> NetworkEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//      --> NetworkEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
	//
	// Similar concepts apply for calling this function with a specific
	// port, hostname and labels.
	//
	// Introduced in Istio 0.8. It is only called with 1 port.
	// CDS (clusters.go) calls it for building 'dnslb' type clusters.
	// EDS calls it for building the endpoints result.
	// Consult istio-dev before using this for anything else (except debugging/tools)
	InstancesByPort(hostname Hostname, servicePort int, labels LabelsCollection) ([]*ServiceInstance, error)

	// GetProxyServiceInstances returns the service instances that co-located with a given Proxy
	//
	// Co-located generally means running in the same network namespace and security context.
	//
	// A Proxy operating as a Sidecar will return a non-empty slice.  A stand-alone Proxy
	// will return an empty slice.
	//
	// There are two reasons why this returns multiple ServiceInstances instead of one:
	// - A ServiceInstance has a single NetworkEndpoint which has a single Port.  But a Service
	//   may have many ports.  So a workload implementing such a Service would need
	//   multiple ServiceInstances, one for each port.
	// - A single workload may implement multiple logical Services.
	//
	// In the second case, multiple services may be implemented by the same physical port number,
	// though with a different ServicePort and NetworkEndpoint for each.  If any of these overlapping
	// services are not HTTP or H2-based, behavior is undefined, since the listener may not be able to
	// determine the intended destination of a connection without a Host header on the request.
	GetProxyServiceInstances(*Proxy) ([]*ServiceInstance, error)

	// ManagementPorts lists set of management ports associated with an IPv4 address.
	// These management ports are typically used by the platform for out of band management
	// tasks such as health checks, etc. In a scenario where the proxy functions in the
	// transparent mode (traps all traffic to and from the service instance IP address),
	// the configuration generated for the proxy will not manipulate traffic destined for
	// the management ports
	ManagementPorts(addr string) PortList

	// WorkloadHealthCheckInfo lists set of probes associated with an IPv4 address.
	// These probes are used by the platform to identify requests that are performing
	// health checks.
	WorkloadHealthCheckInfo(addr string) ProbeList
}

ServiceDiscovery enumerates Istio service instances.

type ServiceInstance 

type ServiceInstance struct {
	Endpoint         NetworkEndpoint `json:"endpoint,omitempty"`
	Service          *Service        `json:"service,omitempty"`
	Labels           Labels          `json:"labels,omitempty"`
	AvailabilityZone string          `json:"az,omitempty"`
	ServiceAccount   string          `json:"serviceaccount,omitempty"`
}

ServiceInstance represents an individual instance of a specific version of a service. It binds a network endpoint (ip:port), the service description (which is oblivious to various versions) and a set of labels that describe the service version associated with this instance.

Since a ServiceInstance has a single NetworkEndpoint, which has a single port, multiple ServiceInstances are required to represent a workload that listens on multiple ports.

The labels associated with a service instance are unique per a network endpoint. There is one well defined set of labels for each service instance network endpoint.

For example, the set of service instances associated with catalog.mystore.com are modeled like this 

--> NetworkEndpoint(172.16.0.1:8888), Service(catalog.myservice.com), Labels(foo=bar)
--> NetworkEndpoint(172.16.0.2:8888), Service(catalog.myservice.com), Labels(foo=bar)
--> NetworkEndpoint(172.16.0.3:8888), Service(catalog.myservice.com), Labels(kitty=cat)
--> NetworkEndpoint(172.16.0.4:8888), Service(catalog.myservice.com), Labels(kitty=cat)

func (*ServiceInstance) GetAZ 

func (si *ServiceInstance) GetAZ() string

GetAZ returns the availability zone from an instance. - k8s: region/zone, extracted from node's failure-domain.beta.kubernetes.io/{region,zone} - consul: defaults to 'instance.Datacenter'

This is used by EDS to group the endpoints by AZ and by .

func (*ServiceInstance) Validate 

func (instance *ServiceInstance) Validate() error

Validate ensures that the service instance is well-defined

type TrafficDirection 

type TrafficDirection string

TrafficDirection defines whether traffic exists a service instance or enters a service instance 

const (
	// TrafficDirectionInbound indicates inbound traffic
	TrafficDirectionInbound TrafficDirection = "inbound"
	// TrafficDirectionOutbound indicates outbound traffic
	TrafficDirectionOutbound TrafficDirection = "outbound"
)

Source Files

View all Source files

Directories

Path Synopsis
Package test is a generated protocol buffer package.
 Package test is a generated protocol buffer package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.