Documentation ¶
Index ¶
- Constants
- type Agent
- func (a *Agent) Check() (err error)
- func (a *Agent) Close()
- func (a *Agent) EnvoyDisabled() bool
- func (a *Agent) FindRootCAForCA() (string, error)
- func (a *Agent) FindRootCAForXDS() (string, error)
- func (a *Agent) GRPCBootstrapPath() string
- func (a *Agent) GetDNSTable() *dnsProto.NameTable
- func (a *Agent) GetKeyCertsForXDS() (string, string)
- func (a *Agent) Run(ctx context.Context) (func(), error)
- func (a *Agent) WaitForSigterm() bool
- type AgentOptions
- type ProxyConnection
- type ResponseHandler
- type XdsProxy
- func (p *XdsProxy) DeltaAggregatedResources(downstream discovery.AggregatedDiscoveryService_DeltaAggregatedResourcesServer) error
- func (p *XdsProxy) HandleDeltaUpstream(ctx context.Context, con *ProxyConnection, ...) error
- func (p *XdsProxy) HandleUpstream(ctx context.Context, con *ProxyConnection, ...) error
- func (p *XdsProxy) InitIstiodDialOptions(agent *Agent) error
- func (p *XdsProxy) PersistDeltaRequest(req *discovery.DeltaDiscoveryRequest)
- func (p *XdsProxy) PersistRequest(req *discovery.DiscoveryRequest)
- func (p *XdsProxy) RegisterStream(c *ProxyConnection)
- func (p *XdsProxy) StreamAggregatedResources(...) error
- func (p *XdsProxy) UnregisterStream(c *ProxyConnection)
Constants ¶
const (
	MetadataClientCertKey   = "ISTIO_META_TLS_CLIENT_KEY"
	MetadataClientCertChain = "ISTIO_META_TLS_CLIENT_CERT_CHAIN"
	MetadataClientRootCert  = "ISTIO_META_TLS_CLIENT_ROOT_CERT"
)
const (
	// CitadelCACertPath is the directory for the Citadel CA certificate.
	// This is mounted from the config map 'istio-ca-root-cert'. As part of startup,
	// it may be replaced with ./etc/certs, if a root-cert.pem is found, to
	// handle secrets mounted from non-Citadel CAs.
	CitadelCACertPath = "./var/run/secrets/istio"
)
To debug, enable trace logging on the Envoy admin port and watch for SendingDiscoveryRequest:

curl -X POST 'localhost:15000/logging?config=trace'

Useful breakpoints are in secretcache.go, in GenerateSecret. Note that istiod currently can't validate the JWT token unless it runs on k8s: the JWT validation check hardcodes the k8s API server address and the token location.

To test on a local machine, for debugging, copy the workload token out of a running pod and forward the XDS port:

kis exec $POD -- cat /run/secrets/istio-token/istio-token > var/run/secrets/tokens/istio-token
kis port-forward $POD 15010:15010 &

You can also copy the K8S CA and a token to be used to connect to k8s, but the hardcoded address will need removing. Copy one file per redirect, since the target of a redirect must be a file, not a directory:

kis exec $POD -- cat /run/secrets/kubernetes.io/serviceaccount/ca.crt > var/run/secrets/kubernetes.io/serviceaccount/ca.crt
kis exec $POD -- cat /run/secrets/kubernetes.io/serviceaccount/token > var/run/secrets/kubernetes.io/serviceaccount/token

Or disable the JWT validation while debugging SDS problems.
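As an added example (not part of this package or of Istio), the following Go program decodes the claims of a token copied out as above, so the audience, subject and expiry can be checked locally before blaming istiod's validation. It parses the payload without verifying the signature (the signature check is the part that needs the Kubernetes API), and the token it builds in main is a constructed, unsigned sample; the audience string istio-ca and the issuer URL are assumptions used for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenClaims are the claims of a projected service-account token that matter
// when the agent-to-istiod connection is rejected: who the token is for (aud),
// who issued it (iss), which workload it names (sub) and when it expires (exp).
type tokenClaims struct {
	Aud []string
	Iss string
	Sub string
	Exp int64
}

// parseClaims decodes the payload segment of a JWT. It does NOT verify the
// signature; it only shows what istiod would see, so the agent side can check
// that the right token was copied.
func parseClaims(token string) (*tokenClaims, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 dot-separated segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var raw struct {
		Aud json.RawMessage `json:"aud"`
		Iss string          `json:"iss"`
		Sub string          `json:"sub"`
		Exp int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	c := &tokenClaims{Iss: raw.Iss, Sub: raw.Sub, Exp: raw.Exp}
	// RFC 7519 allows "aud" to be a single string or an array of strings.
	if len(raw.Aud) > 0 {
		var single string
		if json.Unmarshal(raw.Aud, &single) == nil {
			c.Aud = []string{single}
		} else if err := json.Unmarshal(raw.Aud, &c.Aud); err != nil {
			return nil, fmt.Errorf("aud claim is neither a string nor an array: %w", err)
		}
	}
	return c, nil
}

// checkToken applies the two checks that most often fail in practice: the token
// must not be expired (projected tokens are short-lived) and its audience must
// include the one the CA expects (istio-ca is an assumed default here).
func checkToken(c *tokenClaims, wantAud string, now time.Time) error {
	if c.Exp == 0 {
		return errors.New("token has no exp claim")
	}
	if exp := time.Unix(c.Exp, 0); !now.Before(exp) {
		return fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return nil
		}
	}
	return fmt.Errorf("token audience %v does not include %q", c.Aud, wantAud)
}

// makeSampleToken builds a constructed, unsigned JWT for offline use. The
// signature segment is a placeholder and would never pass real validation.
func makeSampleToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "constructed"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	tok := makeSampleToken(map[string]any{ // constructed sample, not a real token
		"aud": []string{"istio-ca"},
		"iss": "https://kubernetes.default.svc",
		"sub": "system:serviceaccount:default:sleep",
		"exp": time.Now().Add(time.Hour).Unix(),
	})
	c, err := parseClaims(tok)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sub=%s iss=%s aud=%v\n", c.Sub, c.Iss, c.Aud)
	fmt.Println("usable for istio-ca:", checkToken(c, "istio-ca", time.Now()))
}
```

To inspect a real token, pass the contents of var/run/secrets/tokens/istio-token to parseClaims instead of the constructed one; a missing istio-ca audience or an exp in the past explains most rejected connections before any signature question arises.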
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Agent ¶
type Agent struct {
// contains filtered or unexported fields
}
Agent contains the configuration of the agent, based on the injected environment:
- SDS hostPath if node-agent was used
- /etc/certs/key if Citadel or other mounted Secrets are used
- root cert to use for connecting to XDS server
- CA address, with proper defaults and detection
func NewAgent ¶
func NewAgent(proxyConfig *mesh.ProxyConfig, agentOpts *AgentOptions, sopts *security.Options, eopts envoy.ProxyConfig) *Agent
NewAgent hosts the functionality for local SDS and XDS. This consists of the local SDS server and associated clients to sign certificates (when not using files), and the local XDS proxy (including health checking for VMs and DNS proxying).
func (*Agent) EnvoyDisabled ¶
EnvoyDisabled returns true if calling Run will not start and wait for Envoy.
func (*Agent) FindRootCAForCA ¶
FindRootCAForCA finds the root CA to use when connecting to the CA (Istiod or external).
func (*Agent) FindRootCAForXDS ¶
FindRootCAForXDS determines the root CA to be configured in the bootstrap file. It may differ from the root CA used for the cert server, which is based on CA_ADDR. It also handles the case where the XDS server is on port 443: such a server is expected to present a proper (publicly trusted) certificate, so the system root bundle, /etc/ssl/certs/ca-certificates.crt, is used.
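To check that whichever root was chosen actually validates the istiod endpoint written into the bootstrap, here is an added Go example that is not the package's own code. It builds a constructed root CA and server leaf in memory, then verifies the leaf against the root for the host in the XDS address; for a :443 address with no explicit root it uses the system bundle, mirroring the doc comment. The host name istiod.istio-system.svc and port 15012 are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// verifyXDSServerCert checks that serverPEM (the leaf istiod presents) chains to
// rootPEM for the host part of xdsAddr. For a :443 address with no explicit
// root it falls back to the system bundle, the case the doc comment describes;
// every other address is verified only against the bundle the agent picked.
func verifyXDSServerCert(serverPEM, rootPEM []byte, xdsAddr string) error {
	host, port, err := net.SplitHostPort(xdsAddr)
	if err != nil {
		return fmt.Errorf("xds address: %w", err)
	}
	var roots *x509.CertPool
	if port == "443" && rootPEM == nil {
		if roots, err = x509.SystemCertPool(); err != nil {
			return fmt.Errorf("system roots: %w", err)
		}
	} else {
		roots = x509.NewCertPool()
		if !roots.AppendCertsFromPEM(rootPEM) {
			return errors.New("root bundle contains no certificates")
		}
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("server certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host, // the bootstrap's discovery address must appear in the SAN
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// newRootCA returns a constructed self-signed CA (cert, key, PEM) so the check
// runs offline; nothing here is loaded from a real cluster.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// issueServerCert issues a constructed server leaf for dnsName signed by ca.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, caKey, rootPEM, _ := newRootCA("constructed-istio-root")
	leaf, _ := issueServerCert(ca, caKey, "istiod.istio-system.svc")
	fmt.Println("chain check:", verifyXDSServerCert(leaf, rootPEM, "istiod.istio-system.svc:15012"))
}
```

Against a real cluster, feed verifyXDSServerCert the leaf istiod serves and the file the agent selected (the istio-ca-root-cert config map content, ./etc/certs/root-cert.pem, or XDSRootCerts); a hostname mismatch or unknown-authority error here reproduces the TLS failure Envoy would otherwise only report as a dropped stream.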
func (*Agent) GRPCBootstrapPath ¶
GRPCBootstrapPath returns the path of the most recently generated gRPC bootstrap file, or an empty string if there is none.
func (*Agent) GetDNSTable ¶
func (*Agent) GetKeyCertsForXDS ¶
GetKeyCertsForXDS returns the paths of the key and certificate files used to connect to XDS.
func (*Agent) Run ¶
Run is a non-blocking call which returns either an error or a function to await for completion.
func (*Agent) WaitForSigterm ¶
WaitForSigterm returns true if calling Run will block until SIGTERM or SIGINT is received.
type AgentOptions ¶
type AgentOptions struct {
	// ProxyXDSDebugViaAgent if true will listen on 15004 and forward queries
	// to XDS istio.io/debug. (Requires ProxyXDSViaAgent).
	ProxyXDSDebugViaAgent bool
	// Port value for the debugging endpoint.
	ProxyXDSDebugViaAgentPort int
	// DNSCapture indicates if the XDS proxy has dns capture enabled or not
	// This option will not be considered if proxyXDSViaAgent is false.
	DNSCapture bool
	// DNSAddr is the DNS capture address
	DNSAddr string
	// ProxyType is the type of proxy we are configured to handle
	ProxyType model.NodeType
	// ProxyNamespace to use for local dns resolution
	ProxyNamespace string
	// ProxyDomain is the DNS domain associated with the proxy (assumed
	// to include the namespace as well) (for local dns resolution)
	ProxyDomain string
	// Node identifier used by Envoy
	ServiceNode string
	// XDSRootCerts is the location of the root CA for the XDS connection. Used for setting platform certs or
	// using custom roots.
	XDSRootCerts string
	// CARootCerts is the location of the root CA for the CA connection. Used for setting platform certs or
	// using custom roots.
	CARootCerts string
	// Extra headers to add to the XDS connection.
	XDSHeaders map[string]string
	// Is the proxy an IPv6 proxy
	IsIPv6 bool
	// Path to local UDS to communicate with Envoy
	XdsUdsPath string
	// Ability to retrieve ProxyConfig dynamically through XDS
	EnableDynamicProxyConfig bool
	// All of the proxy's IP Addresses
	ProxyIPAddresses []string
	// Enables dynamic generation of bootstrap.
	EnableDynamicBootstrap bool
	// Envoy status port (that circles back to the agent status port). Really belongs to the proxy config.
	// Cannot be eradicated because mistakes have been made.
	EnvoyStatusPort int
	// Envoy prometheus port that circles back to its admin port for prom endpoint. Really belongs to the
	// proxy config.
	EnvoyPrometheusPort int

	MinimumDrainDuration        time.Duration
	ExitOnZeroActiveConnections bool
	// Cloud platform
	Platform platform.Environment
	// GRPCBootstrapPath if set will generate a file compatible with GRPC_XDS_BOOTSTRAP
	GRPCBootstrapPath string
	// Disables all envoy agent features
	DisableEnvoy          bool
	DownstreamGrpcOptions []grpc.ServerOption
	IstiodSAN             string
	WASMInsecureRegistries []string
}
AgentOptions contains additional config for the agent that is not included in ProxyConfig. Most options come from environment variables (still experimental) or are for testing only. Eventually most non-test settings should graduate to ProxyConfig. Please don't add 100 parameters to the NewAgent function (or any other)!
type ProxyConnection ¶
type ProxyConnection struct {
// contains filtered or unexported fields
}
type ResponseHandler ¶
ResponseHandler handles an XDS response in the agent. These responses are not forwarded to Envoy. Currently, all handlers operate on a single resource per type, so the API only exposes one resource.
type XdsProxy ¶
type XdsProxy struct {
// contains filtered or unexported fields
}
XdsProxy proxies all XDS requests from Envoy to istiod, and also lets subsystems inside the agent (e.g. DNS, SDS) communicate with istiod or Envoy. The goal is to consolidate all XDS-related connections to istiod/Envoy into a single TCP connection carrying multiple gRPC streams. TODO: right now, the workloadSDS server and gatewaySDS servers are still separate connections; these need to be consolidated. TODO: consolidate with/use the ADSC struct; there is a lot of duplication.
func (*XdsProxy) DeltaAggregatedResources ¶
func (p *XdsProxy) DeltaAggregatedResources(downstream discovery.AggregatedDiscoveryService_DeltaAggregatedResourcesServer) error
Terminology for requests from Envoy: downstream is Envoy (anything "behind" the XDS proxy); upstream is istiod (in front of the XDS proxy).
func (*XdsProxy) HandleDeltaUpstream ¶
func (p *XdsProxy) HandleDeltaUpstream(ctx context.Context, con *ProxyConnection, xds discovery.AggregatedDiscoveryServiceClient) error
func (*XdsProxy) HandleUpstream ¶
func (p *XdsProxy) HandleUpstream(ctx context.Context, con *ProxyConnection, xds discovery.AggregatedDiscoveryServiceClient) error
func (*XdsProxy) InitIstiodDialOptions ¶
func (*XdsProxy) PersistDeltaRequest ¶
func (p *XdsProxy) PersistDeltaRequest(req *discovery.DeltaDiscoveryRequest)
func (*XdsProxy) PersistRequest ¶
func (p *XdsProxy) PersistRequest(req *discovery.DiscoveryRequest)
PersistRequest sends a request to the currently connected upstream. Additionally, on any reconnection to the upstream XDS server, this request is re-sent.
func (*XdsProxy) RegisterStream ¶
func (p *XdsProxy) RegisterStream(c *ProxyConnection)
func (*XdsProxy) StreamAggregatedResources ¶
func (p *XdsProxy) StreamAggregatedResources(downstream discovery.AggregatedDiscoveryService_StreamAggregatedResourcesServer) error
Every time Envoy makes a fresh connection to the agent, the agent re-establishes a new connection to the upstream XDS server. This ensures that a new connection between istiod and the agent doesn't end up consuming pending messages from Envoy, as the new connection may not go to the same istiod instance. The reverse case also applies.
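The two behaviours described under PersistRequest and StreamAggregatedResources, as an added example in Go that is not the package's code: a channel-backed stand-in for a gRPC stream, a proxy that dials a fresh upstream for every downstream session and replays persisted requests first, and a teardown path that closes both sides as soon as either fails. The dial function is a hypothetical stand-in for connecting to istiod, and the message strings are constructed; the real code works on discovery.DiscoveryRequest/Response over gRPC streams.

```go
package main

import (
	"context"
	"errors"
	"sync"
)

// chanStream is a constructed stand-in for one gRPC ADS stream (the real ones are
// the generated discovery.AggregatedDiscoveryService_* stream interfaces).
type chanStream struct {
	in, out chan string   // in: received from the peer; out: sent to the peer
	done    chan struct{} // closed when the peer goes away
}

func newChanStream() *chanStream {
	return &chanStream{in: make(chan string, 16), out: make(chan string, 16), done: make(chan struct{})}
}

func (s *chanStream) Send(ctx context.Context, m string) error {
	select {
	case s.out <- m:
		return nil
	case <-s.done:
		return errors.New("stream closed")
	case <-ctx.Done():
		return ctx.Err()
	}
}

func (s *chanStream) Recv(ctx context.Context) (string, error) {
	select {
	case m := <-s.in:
		return m, nil
	case <-s.done:
		return "", errors.New("stream closed")
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

func (s *chanStream) Close() { close(s.done) }

// xdsProxy models the agent side: one upstream per downstream, plus the
// agent-originated requests that are replayed on every new upstream.
type xdsProxy struct {
	mu        sync.Mutex
	persisted []string
	current   *chanStream
	dial      func(ctx context.Context) (*chanStream, error) // hypothetical istiod dialer
}

// persistRequest mirrors PersistRequest: send on the current upstream if there
// is one, and remember the request so it is re-sent after any reconnection.
func (p *xdsProxy) persistRequest(ctx context.Context, req string) error {
	p.mu.Lock()
	p.persisted = append(p.persisted, req)
	cur := p.current
	p.mu.Unlock()
	if cur == nil {
		return nil
	}
	return cur.Send(ctx, req)
}

// serveDownstream handles one Envoy connection like StreamAggregatedResources: a
// fresh upstream per downstream, persisted requests replayed first, and both sides
// torn down together so the next downstream never inherits messages in flight.
func (p *xdsProxy) serveDownstream(ctx context.Context, down *chanStream) error {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	up, err := p.dial(ctx)
	if err != nil {
		return err
	}
	defer up.Close()
	p.mu.Lock()
	p.current = up
	replay := append([]string(nil), p.persisted...)
	p.mu.Unlock()
	defer func() { p.mu.Lock(); p.current = nil; p.mu.Unlock() }()
	for _, r := range replay {
		if err := up.Send(ctx, r); err != nil {
			return err
		}
	}
	errc := make(chan error, 2)
	fwd := func(from, to *chanStream) { // copy until either stream fails
		for {
			m, err := from.Recv(ctx)
			if err == nil {
				err = to.Send(ctx, m)
			}
			if err != nil {
				errc <- err
				return
			}
		}
	}
	go fwd(down, up)
	go fwd(up, down)
	err = <-errc // first failure from either direction
	cancel()     // unblocks the other direction
	<-errc
	return err
}
```

Drive it by calling serveDownstream once per downstream connection, each in its own goroutine; the call returns with an error as soon as Envoy or istiod drops, and the deferred Close on the upstream is what guarantees that a replacement istiod connection starts from a clean stream rather than from whatever the old one had queued.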
func (*XdsProxy) UnregisterStream ¶
func (p *XdsProxy) UnregisterStream(c *ProxyConnection)