Documentation ¶
Index ¶
- func ConfigIsPresent(ctx context.Context, configDir string) bool
- func GetAgentService() string
- func GetAmbId(resource kates.Object) amb.AmbassadorID
- func GetAmbassadorConfigBaseDir() string
- func GetAmbassadorDebug() string
- func GetAmbassadorFieldSelector() string
- func GetAmbassadorId() string
- func GetAmbassadorLabelSelector() string
- func GetAmbassadorNamespace() string
- func GetAmbassadorRoot() string
- func GetAnnotations(resources ...kates.Object) (result []kates.Object)
- func GetAppDir() string
- func GetClusterID(ctx context.Context) (clusterID string)
- func GetConfigDir(demoMode bool) string
- func GetDiagdArgs(ctx context.Context, demoMode bool) []string
- func GetDiagdBindAddress() string
- func GetDiagdBindPort() string
- func GetDiagdFlags(ctx context.Context, demoMode bool) []string
- func GetEnvoyBaseId() string
- func GetEnvoyBootstrapFile() string
- func GetEnvoyConfigFile() string
- func GetEnvoyDir() string
- func GetEnvoyFlags() []string
- func GetEventHost() string
- func GetEventPath() string
- func GetEventUrl() string
- func GetLicenseSecretName() string
- func GetLicenseSecretNamespace() string
- func GetSidecarHost() string
- func GetSidecarPath() string
- func GetSidecarUrl() string
- func GetSnapshotDir() string
- func IsAmbassadorSingleNamespace() bool
- func IsDiagdOnly() bool
- func IsEdgeStack() bool
- func IsEnvoyAvailable() bool
- func IsKnativeEnabled() bool
- func Main(ctx context.Context, Version string, args ...string) error
- type AmbassadorInputs
- type FSWErrorHandler
- type FSWEvent
- type FSWEventHandler
- type FSWOp
- type FSWatcher
- type IstioCert
- func (icert *IstioCert) HandleEvent(ctx context.Context, name string, deleted bool)
- func (icert *IstioCert) Secret(ctx context.Context) (*kates.Secret, bool)
- func (icert *IstioCert) SetFetchTime(fetchTime timeFetcher)
- func (icert *IstioCert) SetReadPEM(readPEM pemReader)
- func (icert *IstioCert) String() string
- type IstioCertUpdate
- type ModuleSecrets
- type SecretRef
- type Snapshot
- type Stopper
- type Watcher
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConfigIsPresent ¶ added in v1.10.0
ConfigIsPresent checks to see if any configuration is actually present in the given configdir.
func GetAgentService ¶
func GetAgentService() string
func GetAmbId ¶
func GetAmbId(resource kates.Object) amb.AmbassadorID
GetAmbId extracts the AmbassadorId from the kubernetes resource.
func GetAmbassadorConfigBaseDir ¶
func GetAmbassadorConfigBaseDir() string
func GetAmbassadorDebug ¶
func GetAmbassadorDebug() string
func GetAmbassadorFieldSelector ¶
func GetAmbassadorFieldSelector() string
func GetAmbassadorId ¶
func GetAmbassadorId() string
func GetAmbassadorLabelSelector ¶
func GetAmbassadorLabelSelector() string
func GetAmbassadorNamespace ¶
func GetAmbassadorNamespace() string
func GetAmbassadorRoot ¶
func GetAmbassadorRoot() string
func GetAnnotations ¶
GetAnnotations extracts and converts any parseable annotations from the supplied resource. It omits any malformed annotations and does not report the errors. This is ok for now because the python code will catch and report any errors.
func GetClusterID ¶
func GetConfigDir ¶
GetConfigDir returns the path to the directory we should check for filesystem config.
func GetDiagdBindAddress ¶
func GetDiagdBindAddress() string
func GetDiagdBindPort ¶
func GetDiagdBindPort() string
func GetEnvoyBaseId ¶
func GetEnvoyBaseId() string
func GetEnvoyBootstrapFile ¶
func GetEnvoyBootstrapFile() string
func GetEnvoyConfigFile ¶
func GetEnvoyConfigFile() string
func GetEnvoyDir ¶
func GetEnvoyDir() string
func GetEnvoyFlags ¶
func GetEnvoyFlags() []string
func GetEventHost ¶
func GetEventHost() string
func GetEventPath ¶
func GetEventPath() string
func GetEventUrl ¶
func GetEventUrl() string
func GetLicenseSecretName ¶
func GetLicenseSecretName() string
func GetLicenseSecretNamespace ¶
func GetLicenseSecretNamespace() string
func GetSidecarHost ¶
func GetSidecarHost() string
func GetSidecarPath ¶
func GetSidecarPath() string
func GetSidecarUrl ¶
func GetSidecarUrl() string
func GetSnapshotDir ¶
func GetSnapshotDir() string
func IsAmbassadorSingleNamespace ¶
func IsAmbassadorSingleNamespace() bool
func IsDiagdOnly ¶
func IsDiagdOnly() bool
func IsEdgeStack ¶
func IsEdgeStack() bool
func IsEnvoyAvailable ¶
func IsEnvoyAvailable() bool
func IsKnativeEnabled ¶
func IsKnativeEnabled() bool
func Main ¶
This is the main ambassador entrypoint. It launches and manages two other processes:
- The diagd process.
- Envoy
The entrypoint process manages two other goroutines:
- The watcher goroutine that watches for changes in ambassador inputs and notifies diagd.
- The ambex goroutine that feeds envoy configuration updates via ADS.
Dataflow Diagram
Kubernetes Watches | | (k8s resources, subscription) | \|/ consul endpoints, subscription) entrypoint[watcher]<----------------------------------- Consul Watches | | (Snapshot, POST) | \|/ diagd | | (envoy config resources, pushed via writing files + SIGHUP) | \|/ entrypoint[ambex] | | (envoy config resources, ADS subscription) | \|/ envoy
Notation:
The arrows point in the direction that data flows. Each arrow is labeled with a tuple of the data type, and a short description of the nature of communication.
The golang entrypoint process assembles all the ambassador inputs from kubernetes and consul. When it has a complete/consistent set of inputs, it passes the complete snapshot of inputs along to diagd along with a list of deltas and invalid objects. This snapshot is fully detailed in snapshot.go
The entrypoint goes to some trouble to ensure shared fate between all three processes as well as all the goroutines it manages, i.e. if any one of them dies for any reason, the whole process will shutdown and some larger process manager (e.g. kubernetes) is expected to take note and restart if appropriate.
Types ¶
type AmbassadorInputs ¶
type AmbassadorInputs struct { // k8s resources IngressClasses []*kates.IngressClass `json:"ingressclasses"` Ingresses []*kates.Ingress `json:"ingresses"` Services []*kates.Service `json:"service"` Endpoints []*kates.Endpoints `json:"Endpoints"` // ambassador resources Hosts []*amb.Host `json:"Host"` Mappings []*amb.Mapping `json:"Mapping"` TCPMappings []*amb.TCPMapping `json:"TCPMapping"` Modules []*amb.Module `json:"Module"` TLSContexts []*amb.TLSContext `json:"TLSContext"` // plugin services AuthServices []*amb.AuthService `json:"AuthService"` RateLimitServices []*amb.RateLimitService `json:"RateLimitService"` LogServices []*amb.LogService `json:"LogService"` TracingServices []*amb.TracingService `json:"TracingService"` DevPortals []*amb.DevPortal `json:"DevPortal"` // resolvers ConsulResolvers []*amb.ConsulResolver `json:"ConsulResolver"` KubernetesEndpointResolvers []*amb.KubernetesEndpointResolver `json:"KubernetesEndpointResolver"` KubernetesServiceResolvers []*amb.KubernetesServiceResolver `json:"KubernetesServiceResolver"` KNativeClusterIngresses []*kates.Unstructured `json:"clusteringresses.networking.internal.knative.dev,omitempty"` KNativeIngresses []*kates.Unstructured `json:"ingresses.networking.internal.knative.dev,omitempty"` K8sSecrets []*kates.Secret `json:"-"` // Secrets from Kubernetes FSSecrets map[SecretRef]*kates.Secret `json:"-"` // Secrets from the filesystem Secrets []*kates.Secret `json:"secret"` // Secrets we'll feed to Ambassador // contains filtered or unexported fields }
func NewAmbassadorInputs ¶ added in v1.10.0
func NewAmbassadorInputs() *AmbassadorInputs
NewAmbassadorInputs creates a new, empty set of Ambassador inputs.
func (*AmbassadorInputs) ReconcileConsul ¶
func (s *AmbassadorInputs) ReconcileConsul(ctx context.Context, consul *consul)
func (*AmbassadorInputs) ReconcileSecrets ¶
func (s *AmbassadorInputs) ReconcileSecrets()
ReconcileSecrets figures out which secrets we're actually using, since we don't want to send secrets to Ambassador unless we're using them, since any secret we send will be saved to disk.
func (*AmbassadorInputs) Render ¶
func (a *AmbassadorInputs) Render() string
type FSWErrorHandler ¶ added in v1.10.0
FSWErrorHandler is a handler function for an error.
type FSWEvent ¶ added in v1.10.0
type FSWEvent struct { // Path is the fully-qualified path of the file that changed. Path string // Op is the operation for this event. Op FSWOp // Bootstrap is true IFF this is a synthesized event noting // that a file existed at the moment we started watching a // directory. Bootstrap bool // Time is when this event happened Time time.Time }
FSWEvent represents a single interesting event.
type FSWEventHandler ¶ added in v1.10.0
FSWEventHandler is a handler function for an interesting event.
type FSWatcher ¶ added in v1.10.0
FSWatcher is a thing that can watch the filesystem for us, and call handler functions when things change.
The core of an FSWatcher is fsnotify/fsnotify, but we wrap some state around it.
First, fsnotify tries to mark the operation associated with a change -- however, these are not always accurate, since the filesystem tries to coalesce events that are close in time. Therefore FSWatcher doesn't actually look at the operation: everything is just "a change happened".
This causes one interesting problem: given a touch of temporal separation between Create and Write, we may decide to trigger a reconfigure on the Create, before the data have been written. To mitigate against that, we'll wait up to half a second after an event to see if any other events will be happening (with the idea that if you've come within half a second of your cert expiring before renewing it, uh, yeah, maybe you _will_ have some transient errors).
Second, when we start watching a directory, we make sure that "update" events get posted for every file in the directory. These are marked as "bootstrap" events.
Finally, rather than posting things to channels, we call a handler function whenever anything interesting happens, where "interesting" is one of the events above, or an error.
func NewFSWatcher ¶ added in v1.10.0
NewFSWatcher instantiates an FSWatcher. At instantiation time, no directories are being watched.
func (*FSWatcher) SetErrorHandler ¶ added in v1.10.0
func (fsw *FSWatcher) SetErrorHandler(handler FSWErrorHandler)
SetErrorHandler sets the function that will be used to respond to errors.
type IstioCert ¶ added in v1.10.0
type IstioCert struct {
// contains filtered or unexported fields
}
IstioCert holds all the state we need to manage an Istio certificate.
func NewIstioCert ¶ added in v1.10.0
func NewIstioCert(dir string, name string, namespace string, updateChannel chan IstioCertUpdate) *IstioCert
NewIstioCert instantiates an IstioCert to manage a certificate that Istio will write into directory "dir", should have the given "name" and appear to live in K8s namespace "namespace", and will have updates posted to "updateChannel" whenever the cert changes.
What's with this namespace business? Well, Ambassador may be running in single-namespace mode, so causing our cert to appear to be in the same namespace as Ambassador will just be less confusing for everyone.
XXX Nomenclature is a little odd here. Istio is writing a _certificate_, but we're supplying it to the rest of Ambassador as a thing that looks like a Kubernetes TLS _Secret_ -- so we call this class an IstioCert, but the thing it's posting to the updateChannel includes a kates.Secret. Names are hard.
func (*IstioCert) HandleEvent ¶ added in v1.10.0
HandleEvent tells an IstioCert to update its internal state because a file in its directory has been written. If all the cert files have been updated closely enough in time, Update will decide that it's time to actually update the cert, and it'll send an IstioCertUpdate over the Updates channel.
func (*IstioCert) Secret ¶ added in v1.10.0
Secret generates a kates.Secret for this IstioCert. Since this involves reading PEM, it can fail, so it logs and returns a status.
func (*IstioCert) SetFetchTime ¶ added in v1.10.0
func (icert *IstioCert) SetFetchTime(fetchTime timeFetcher)
SetFetchTime will change the function we use to get the current time.
func (*IstioCert) SetReadPEM ¶ added in v1.10.0
func (icert *IstioCert) SetReadPEM(readPEM pemReader)
SetReadPEM will change the function we use to read PEM files.
type IstioCertUpdate ¶ added in v1.10.0
type IstioCertUpdate struct { Op string // "update" or "delete" Name string // secret name Namespace string // secret namespace Secret *kates.Secret // IstioCert secret }
IstioCertUpdate gets sent over the IstioCert's Updates channel whenever the cert changes
XXX This will morph into a more general "internally-generated resource" thing later.
type ModuleSecrets ¶
type ModuleSecrets struct { Defaults struct { TLSSecretNamespacing bool `json:"tls_secret_namespacing"` } `json:"defaults"` Upstream struct { Secret string `json:"secret"` } `json:"upstream"` Server struct { Secret string `json:"secret"` } `json:"server"` Client struct { Secret string `json:"secret"` } `json:"client"` }
ModuleSecrets is... a hack. It's sort of a mashup of the chunk of the Ambassador Module and the chunk of the TLS Module that are common, because they're able to specify secrets. However... first, I don't think the TLS Module actually supported tls_secret_namespacing. Second, the Ambassador Module at least supports arbitrary origination context names -- _any_ key in the TLS dictionary will get turned into an origination context.
I seriously doubt that either of these will actually affect anyone at this remove, but... yeah.
type SecretRef ¶ added in v1.10.0
SecretRef is a secret reference -- basically, a namespace/name pair.
type Snapshot ¶
type Snapshot struct { // The Kubernetes field contains all the ambassador inputs from kubernetes. Kubernetes *AmbassadorInputs // The Consul field contains endpoint data for any mappings setup to use a // consul resolver. Consul *watt.ConsulSnapshot // The Deltas field contains a list of deltas to indicate what has changed // since the prior snapshot. This is only computed for the Kubernetes // portion of the snapshot. Changes in the Consul endpoint data are not // reflected in this field. Deltas []*kates.Delta // The Invalid field contains any kubernetes resources that have failed // validation. Invalid []*kates.Unstructured }
The snapshot type represents a complete configuration snapshot as sent to diagd.
type Watcher ¶
type Watcher interface {
Watch(resolver *amb.ConsulResolver, mapping *amb.Mapping, endpoints chan consulwatch.Endpoints) Stopper
}