Documentation
Index
- Variables
- func GatewayFromContext(ctx context.Context) core.GatewayID
- func NewRequestHandler(logger hclog.Logger, registry GatewaySecretRegistry, ...) *server.CallbackFuncs
- func NewSecretManager(client SecretClient, cache SecretCache, logger hclog.Logger) *secretManager
- func SPIFFEStreamMiddleware(logger hclog.Logger, fetcher CertificateFetcher, ...) grpc.StreamServerInterceptor
- type CertificateFetcher
- type GatewaySecretRegistry
- type Manager
- type ManagerConfig
- type MultiSecretClient
- type RequestHandler
- type SDSServer
- type SecretCache
- type SecretClient
- type SecretManager
Constants
This section is empty.
Variables
var ErrInvalidSecretProtocol = errors.New("secret protocol is not registered")
Functions
func GatewayFromContext
func GatewayFromContext(ctx context.Context) core.GatewayID
GatewayFromContext retrieves info about a gateway from the context, or nil if there is none.
func NewRequestHandler
func NewRequestHandler(logger hclog.Logger, registry GatewaySecretRegistry, secretManager SecretManager) *server.CallbackFuncs
NewRequestHandler initializes a RequestHandler instance and wraps it in a github.com/envoyproxy/go-control-plane/pkg/server/v3.(*CallbackFuncs) so that it can be used by the stock go-control-plane server implementation.
func NewSecretManager
func NewSecretManager(client SecretClient, cache SecretCache, logger hclog.Logger) *secretManager
NewSecretManager returns a secret manager that manages the use of an underlying SecretClient and SecretCache to track and keep TLS secrets up-to-date.
func SPIFFEStreamMiddleware
func SPIFFEStreamMiddleware(logger hclog.Logger, fetcher CertificateFetcher, registry GatewaySecretRegistry) grpc.StreamServerInterceptor
SPIFFEStreamMiddleware verifies the SPIFFE entries for the certificate and sets the client identity on the request context. If no SPIFFE information is detected, or if the service is unknown, the request is rejected.
Types
type CertificateFetcher
type CertificateFetcher interface {
	SPIFFE() *url.URL
	RootPool() *x509.CertPool
	TLSCertificate() *tls.Certificate
}
CertificateFetcher is used to fetch the CA and server certificate that the server should use for TLS.
type GatewaySecretRegistry
type GatewaySecretRegistry interface {
	// GatewayExists is used to determine whether or not we know a particular gateway instance
	GatewayExists(ctx context.Context, info core.GatewayID) (bool, error)
	// CanFetchSecrets is used to determine whether a gateway should be able to fetch a set
	// of secrets it has requested
	CanFetchSecrets(ctx context.Context, info core.GatewayID, secrets []string) (bool, error)
}
GatewaySecretRegistry is used as the authority for determining which gateways the SDS server should actually respond to, because they're managed by consul-api-gateway.
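The stream-open decision described under SPIFFEStreamMiddleware and GatewaySecretRegistry, as an added example that is not the package's own code: it reads the peer certificate's SPIFFE URI SAN, accepts exactly one ID from the expected trust domain, asks the registry whether that gateway is known, and stores the identity on the context where a GatewayFromContext-style lookup would find it. The path layout spiffe://<trust-domain>/ns/<namespace>/svc/<service>, the GatewayID and GatewayRegistry types, the mapRegistry backend and the selfSignedLeaf fixture are all assumptions of this example; the real middleware takes the leaf from the gRPC peer's verified chain.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// GatewayID stands in for core.GatewayID and GatewayRegistry for the GatewayExists half of
// GatewaySecretRegistry. Both are constructed for this example.
type GatewayID struct {
	Namespace string
	Service   string
}

type GatewayRegistry interface {
	GatewayExists(ctx context.Context, info GatewayID) (bool, error)
}

type gatewayKey struct{} // context key under which the verified identity is stored

var (
	errNoSPIFFE       = errors.New("no usable SPIFFE identity in client certificate")
	errUnknownGateway = errors.New("gateway is not managed by this registry")
)

// identityFromLeaf maps the peer certificate's SPIFFE URI SAN to a GatewayID. The layout
// spiffe://<trust-domain>/ns/<namespace>/svc/<service> is this example's assumption. A leaf
// with no SPIFFE URI, more than one, or one from another trust domain is rejected.
func identityFromLeaf(leaf *x509.Certificate, trustDomain string) (GatewayID, error) {
	var ids []*url.URL
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u)
		}
	}
	if len(ids) != 1 || ids[0].Host != trustDomain {
		return GatewayID{}, errNoSPIFFE
	}
	p := strings.Split(strings.Trim(ids[0].Path, "/"), "/")
	if len(p) != 4 || p[0] != "ns" || p[2] != "svc" || p[1] == "" || p[3] == "" {
		return GatewayID{}, errNoSPIFFE
	}
	return GatewayID{Namespace: p[1], Service: p[3]}, nil
}

// authenticateStream is the decision SPIFFEStreamMiddleware makes when a stream opens: derive
// the identity from the leaf of the mTLS-verified chain, confirm the registry knows that
// gateway, and attach the identity to the context for the request handler. Anything else rejects.
func authenticateStream(ctx context.Context, leaf *x509.Certificate, trustDomain string, reg GatewayRegistry) (context.Context, error) {
	id, err := identityFromLeaf(leaf, trustDomain)
	if err != nil {
		return nil, err
	}
	known, err := reg.GatewayExists(ctx, id)
	if err != nil {
		return nil, err
	}
	if !known {
		return nil, errUnknownGateway
	}
	return context.WithValue(ctx, gatewayKey{}, id), nil
}

// mapRegistry is an in-memory GatewayRegistry of the gateways consul-api-gateway manages.
type mapRegistry map[GatewayID]bool

func (r mapRegistry) GatewayExists(_ context.Context, id GatewayID) (bool, error) {
	return r[id], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedLeaf mints a throwaway certificate carrying the given URI SANs. Test fixture only:
// in the server the leaf comes from the peer's verified chain, never from the server itself.
func selfSignedLeaf(uris ...string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-gateway"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, s := range uris {
		tmpl.URIs = append(tmpl.URIs, must(url.Parse(s)))
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

The identity is only as trustworthy as the chain verification that precedes it, which is why the real middleware relies on the RootPool the CertificateFetcher supplies; a certificate that chains correctly but carries no SPIFFE URI, two of them, or one from a different trust domain is still rejected here, matching the doc comment's "no spiffe information is detected" case.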
type Manager
type Manager struct {
	ManagerConfig
	// contains filtered or unexported fields
}
Manager wraps and manages an envoy process and its bootstrap configuration.
func NewManager
func NewManager(logger hclog.Logger, config ManagerConfig) *Manager
NewManager returns a new Manager instance.
func (*Manager) CommandArgs
CommandArgs returns the actual command for the manager to invoke.
func (*Manager) RenderBootstrap
RenderBootstrap persists a bootstrapped envoy template to disk.
type ManagerConfig
type ManagerConfig struct {
	ID                string
	Namespace         string
	ConsulCA          string
	ConsulAddress     string
	ConsulXDSPort     int
	Token             string
	BootstrapFilePath string
	LogLevel          string
	EnvoyBinary       string
	ExtraArgs         []string
	Output            io.Writer
}
ManagerConfig configures a Manager.
type MultiSecretClient
type MultiSecretClient struct {
	// contains filtered or unexported fields
}
MultiSecretClient implements a registry of secret clients that handle fetching secrets based on the protocol they're given in the secret name.
func NewMultiSecretClient
func NewMultiSecretClient() *MultiSecretClient
func (*MultiSecretClient) FetchSecret
func (*MultiSecretClient) Register
func (m *MultiSecretClient) Register(protocol string, client SecretClient)
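The protocol-based dispatch MultiSecretClient describes, as an added example that is not the package's implementation: the name's "<protocol>://" prefix selects the registered SecretClient, and a missing or unregistered prefix yields ErrInvalidSecretProtocol without any backend being consulted. The prefix syntax, the Secret stand-in type and the staticClient backend are this example's assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ErrInvalidSecretProtocol carries the same message the package exports for this condition.
var ErrInvalidSecretProtocol = errors.New("secret protocol is not registered")

// Secret stands in for envoy's *tls.Secret; SecretClient mirrors the documented interface.
// Both are constructed for this example.
type Secret struct {
	Name string
	PEM  []byte
}

type SecretClient interface {
	FetchSecret(ctx context.Context, name string) (*Secret, time.Time, error)
}

// MultiSecretClient routes each fetch to the client registered for the "<protocol>://" prefix
// of the secret name. The prefix syntax is this example's assumption about the real layout.
type MultiSecretClient struct {
	mu      sync.RWMutex
	clients map[string]SecretClient
}

func NewMultiSecretClient() *MultiSecretClient {
	return &MultiSecretClient{clients: map[string]SecretClient{}}
}

// Register binds a protocol to a client; a later Register for the same protocol replaces it.
func (m *MultiSecretClient) Register(protocol string, client SecretClient) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.clients[protocol] = client
}

// splitProtocol returns the part before "://", or false when the name carries no protocol.
func splitProtocol(name string) (string, bool) {
	i := strings.Index(name, "://")
	if i <= 0 {
		return "", false
	}
	return name[:i], true
}

// FetchSecret dispatches on the protocol. Both a missing prefix and an unregistered one map to
// ErrInvalidSecretProtocol (wrapped, so errors.Is still matches) rather than to any backend.
func (m *MultiSecretClient) FetchSecret(ctx context.Context, name string) (*Secret, time.Time, error) {
	proto, ok := splitProtocol(name)
	if !ok {
		return nil, time.Time{}, fmt.Errorf("%w: %q has no protocol prefix", ErrInvalidSecretProtocol, name)
	}
	m.mu.RLock()
	client, ok := m.clients[proto]
	m.mu.RUnlock()
	if !ok {
		return nil, time.Time{}, fmt.Errorf("%w: %q", ErrInvalidSecretProtocol, proto)
	}
	return client.FetchSecret(ctx, name)
}

// staticClient is a constructed backend serving fixed PEM bytes with one expiry for every name.
type staticClient struct {
	secrets map[string][]byte
	expiry  time.Time
}

func (s staticClient) FetchSecret(_ context.Context, name string) (*Secret, time.Time, error) {
	pem, ok := s.secrets[name]
	if !ok {
		return nil, time.Time{}, fmt.Errorf("secret %q not found", name)
	}
	return &Secret{Name: name, PEM: pem}, s.expiry, nil
}
```

Protocol matching is exact, so a name whose prefix differs only in case is treated as unregistered rather than silently routed; callers distinguish "wrong protocol" from "backend could not find it" with errors.Is against ErrInvalidSecretProtocol.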
type RequestHandler
type RequestHandler struct {
	// contains filtered or unexported fields
}
RequestHandler implements the handlers for an SDS Delta server
func (*RequestHandler) OnStreamClosed
func (r *RequestHandler) OnStreamClosed(streamID int64)
OnStreamClosed is invoked when an envoy instance disconnects from the server.
func (*RequestHandler) OnStreamOpen
func (r *RequestHandler) OnStreamOpen(ctx context.Context, streamID int64) error
OnStreamOpen is invoked when an envoy instance first connects to the server.
func (*RequestHandler) OnStreamRequest
func (r *RequestHandler) OnStreamRequest(streamID int64, req *discovery.DiscoveryRequest) error
OnStreamRequest is invoked when a request for resources comes in from the envoy instance.
type SDSServer
type SDSServer struct {
	// contains filtered or unexported fields
}
SDSServer wraps a gRPC-based SDS Delta server
func NewSDSServer
func NewSDSServer(logger hclog.Logger, fetcher CertificateFetcher, client SecretClient, registry GatewaySecretRegistry) *SDSServer
NewSDSServer initializes an SDSServer instance.
type SecretCache
type SecretCache interface {
	UpdateResource(name string, res types.Resource) error
	DeleteResource(name string) error
}
SecretCache is used as an intermediate cache for pushing TLS certificates into. In practice we're using github.com/envoyproxy/go-control-plane/pkg/cache.(*LinearCache) as the concrete struct that implements this and handles notifying watched gRPC streams when we push new requested resources into it or delete existing resources from the cache.
type SecretClient
type SecretClient interface {
	FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)
}
SecretClient is used to retrieve TLS secrets. When a gRPC stream attempts to watch a secret we first check whether we've already pushed it into our intermediate SecretCache; if we have, we only increment a reference counter used to track the lifecycle of the watched secret. If we are not yet tracking the secret, we retrieve it remotely via the SecretClient.
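The reference-counted watch lifecycle described for SecretClient and SecretCache, as an added example rather than the package's implementation: the first Watch of a name fetches it through the client and pushes it into the cache, later watchers only bump the count, and the Unwatch that brings the count to zero evicts it. The narrowing of *tls.Secret and types.Resource to PEM bytes, the per-node bookkeeping and the fakeBackend double are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// SecretClient and SecretCache mirror the documented interfaces, with envoy's *tls.Secret and
// types.Resource narrowed to PEM bytes. Everything in this file is constructed for the example.
type SecretClient interface {
	FetchSecret(ctx context.Context, name string) ([]byte, time.Time, error)
}
type SecretCache interface {
	UpdateResource(name string, pem []byte) error
	DeleteResource(name string) error
}

type watched struct {
	refs    int       // nodes currently holding the secret
	expires time.Time // reported by the client; what Manage's renewal pass would consult
}

// secretManager is usable as a zero value; its maps are created on the first Watch.
type secretManager struct {
	mu      sync.Mutex
	client  SecretClient
	cache   SecretCache
	secrets map[string]*watched            // name -> refcount and expiry
	nodes   map[string]map[string]struct{} // node -> names it watches
}

// Watch adds names to a node's set of interest: a name already in the cache only has its
// reference count bumped; anything new is fetched through the client and pushed into the cache.
func (m *secretManager) Watch(ctx context.Context, names []string, node string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.secrets == nil {
		m.secrets, m.nodes = map[string]*watched{}, map[string]map[string]struct{}{}
	}
	if m.nodes[node] == nil {
		m.nodes[node] = map[string]struct{}{}
	}
	for _, name := range names {
		if _, dup := m.nodes[node][name]; dup {
			continue // the same node asking twice must not double-count
		}
		w, cached := m.secrets[name]
		if !cached {
			pem, exp, err := m.client.FetchSecret(ctx, name)
			if err != nil {
				return fmt.Errorf("fetch %q: %w", name, err)
			}
			if err := m.cache.UpdateResource(name, pem); err != nil {
				return fmt.Errorf("cache %q: %w", name, err)
			}
			w = &watched{expires: exp}
			m.secrets[name] = w
		}
		w.refs++
		m.nodes[node][name] = struct{}{}
	}
	return nil
}

// Unwatch drops names from a node; a secret with no remaining watchers is evicted from the
// cache. UnwatchAll, which OnStreamClosed needs, is Unwatch over every name the node holds.
func (m *secretManager) Unwatch(_ context.Context, names []string, node string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	for _, name := range names {
		if _, held := m.nodes[node][name]; !held {
			continue // never decrement for a name this node does not hold
		}
		delete(m.nodes[node], name)
		w := m.secrets[name] // invariant: every held name is tracked
		if w.refs--; w.refs == 0 {
			delete(m.secrets, name)
			if err := m.cache.DeleteResource(name); err != nil {
				return err
			}
		}
	}
	return nil
}

// fakeBackend doubles as remote client and LinearCache: it fabricates a PEM per name and counts fetches.
type fakeBackend struct {
	fetches int
	cached  map[string][]byte
}

func (f *fakeBackend) FetchSecret(_ context.Context, name string) ([]byte, time.Time, error) {
	f.fetches++
	return []byte("constructed-pem-" + name), time.Now().Add(time.Hour), nil
}
func (f *fakeBackend) UpdateResource(name string, pem []byte) error { f.cached[name] = pem; return nil }
func (f *fakeBackend) DeleteResource(name string) error            { delete(f.cached, name); return nil }
```

The per-node set is what keeps the counter honest: a stream that requests the same name twice, or unwatches a name it never held, cannot push the count off by one and either leak a secret in the cache or evict one another node still depends on.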
type SecretManager
type SecretManager interface {
	// SetResourcesForNode sets a list of TLS certificates being tracked by the node
	SetResourcesForNode(ctx context.Context, names []string, node string) error
	// Watch is used for tracking an envoy node's TLS secrets of interest
	Watch(ctx context.Context, names []string, node string) error
	// Unwatch is used for removing a subset of an envoy node's TLS secrets
	// from the list of the node's secrets of interest
	Unwatch(ctx context.Context, names []string, node string) error
	// UnwatchAll is used to completely unwatch all of a node's secrets
	UnwatchAll(ctx context.Context, node string) error
	// Manage is used for re-fetching expiring TLS certificates and updating them
	Manage(ctx context.Context)
}
SecretManager handles the lifecycle of watched TLS secrets.
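Manage's job, re-fetching TLS certificates that are about to expire and pushing the fresh copies, as an added example that is not the package's code: one pass over the expiries recorded at fetch time renews every secret due within a window, and a loop runs one pass per tick until the context is cancelled. The fetchFunc/pushFunc narrowing of SecretClient.FetchSecret and SecretCache.UpdateResource, the window semantics and the fakeIssuer double are assumptions here.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"time"
)

// fetchFunc and pushFunc are the two operations Manage needs from SecretClient.FetchSecret and
// SecretCache.UpdateResource, with envoy's *tls.Secret and types.Resource narrowed to PEM bytes.
// Everything here is constructed for the example.
type fetchFunc func(ctx context.Context, name string) ([]byte, time.Time, error)
type pushFunc func(name string, pem []byte) error

// renewExpiring is one iteration of Manage's loop over the expiry the manager recorded when each
// secret was last fetched: every secret that expires within window of now (boundary included) is
// fetched again and pushed into the cache, which is what makes the cache notify the streams
// watching it. Names are visited in sorted order so a failure is deterministic; the map is
// updated in place with the new expiry and the renewed names are returned.
func renewExpiring(ctx context.Context, expiries map[string]time.Time, now time.Time, window time.Duration, fetch fetchFunc, push pushFunc) ([]string, error) {
	cutoff := now.Add(window)
	due := make([]string, 0, len(expiries))
	for name, exp := range expiries {
		if !exp.After(cutoff) {
			due = append(due, name)
		}
	}
	sort.Strings(due)
	renewed := make([]string, 0, len(due))
	for _, name := range due {
		pem, exp, err := fetch(ctx, name)
		if err != nil {
			return renewed, fmt.Errorf("renew %q: %w", name, err)
		}
		if err := push(name, pem); err != nil {
			return renewed, fmt.Errorf("push %q: %w", name, err)
		}
		expiries[name] = exp
		renewed = append(renewed, name)
	}
	return renewed, nil
}

// manage is the loop Manage runs: one renewExpiring pass per tick until ctx is cancelled. A failed
// pass is reported through onErr and the loop keeps going, so the secrets left unrenewed by that
// pass are retried on the next tick instead of the loop dying.
func manage(ctx context.Context, ticks <-chan time.Time, expiries map[string]time.Time, window time.Duration, fetch fetchFunc, push pushFunc, onErr func(error)) {
	for {
		select {
		case <-ctx.Done():
			return
		case now := <-ticks:
			if _, err := renewExpiring(ctx, expiries, now, window, fetch, push); err != nil {
				onErr(err)
			}
		}
	}
}

// fakeIssuer is a constructed client whose certificates expire ttl after the clock it is given,
// plus a map standing in for the cache so the test can see what was pushed.
type fakeIssuer struct {
	clock   time.Time
	ttl     time.Duration
	fetches []string
	cache   map[string][]byte
}

func (f *fakeIssuer) fetch(_ context.Context, name string) ([]byte, time.Time, error) {
	f.fetches = append(f.fetches, name)
	return []byte("constructed-pem-" + name + "-" + f.clock.Format(time.RFC3339)), f.clock.Add(f.ttl), nil
}

func (f *fakeIssuer) push(name string, pem []byte) error {
	f.cache[name] = pem
	return nil
}
```

Keying renewal on the expiry the client reported, rather than on a fixed interval per secret, means a backend that starts issuing shorter-lived certificates is renewed more often without any configuration change, and a secret that was just renewed is not fetched again on the next tick.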