Documentation ¶
Index ¶
- Constants
- func CalculateCaPems(caPems *bytes.Buffer) *bytes.Buffer
- func GetSpiffeIdFromCert(cert *x509.Certificate) (*url.URL, error)
- func GetSpiffeIdFromCertChain(certs []*x509.Certificate) (*url.URL, error)
- func GetSpiffeIdFromIdentity(id identity.Identity) (*url.URL, error)
- func GetSpiffeIdFromTlsCertChain(tlsCerts []*tls.Certificate) (*url.URL, error)
- func ValidateSpiffeId(id *identity.TokenId, spiffeId *url.URL) error
- type Api
- type CertValidatingIdentity
- type Config
- type CtrlOptions
- type EdgeConfig
- type Enrollment
- type EnrollmentOption
- type HttpTimeouts
- type IdentityStatusConfig
- type IdentityStatusSource
- type NetworkConfig
- type RaftConfig
- type Totp
Constants ¶
// Profiling and health-check defaults.
const (
	// DefaultProfileMemoryInterval is the default interval used for the
	// memory profiler (Config.Profile.Memory.Interval) when none is set.
	DefaultProfileMemoryInterval = 15 * time.Second

	// Bolt database health check defaults: how often the check runs, how long
	// a single check may take, and how long after startup the first one runs.
	DefaultHealthChecksBoltCheckInterval     = 30 * time.Second
	DefaultHealthChecksBoltCheckTimeout      = 20 * time.Second
	DefaultHealthChecksBoltCheckInitialDelay = 30 * time.Second
)

// DefaultRaftCommandHandlerMaxQueueSize bounds the raft command handler queue
// (RaftConfig.CommandHandlerOptions.MaxQueueSize) when no value is configured.
const DefaultRaftCommandHandlerMaxQueueSize = 250

// TLS handshake rate limiter settings and the metric names it reports under.
const (
	// DefaultTlsHandshakeRateLimiterEnabled: the limiter is OFF unless it is
	// enabled explicitly in configuration, so by default inbound handshakes are
	// not throttled by this mechanism.
	DefaultTlsHandshakeRateLimiterEnabled = false

	// Window-size range accepted in configuration, and the default upper bound
	// for the adaptive window.
	TlsHandshakeRateLimiterMinSizeValue     = 5
	TlsHandshakeRateLimiterMaxSizeValue     = 10000
	DefaultTlsHandshakeRateLimiterMaxWindow = 1000

	// Metric names: tasks currently in process, the current window size, and a
	// timer over how long successful tasks take to complete.
	TlsHandshakeRateLimiterMetricOutstandingCount  = "tls_handshake_limiter.in_process"
	TlsHandshakeRateLimiterMetricCurrentWindowSize = "tls_handshake_limiter.window_size"
	TlsHandshakeRateLimiterMetricWorkTimer         = "tls_handshake_limiter.work_timer"
)
// Edge API activity update defaults and the range accepted in configuration.
const (
	DefaultEdgeApiActivityUpdateBatchSize = 250
	MinEdgeAPIActivityUpdateBatchSize     = 1
	MaxEdgeAPIActivityUpdateBatchSize     = 10000

	DefaultEdgeAPIActivityUpdateInterval = 90 * time.Second
	MinEdgeAPIActivityUpdateInterval     = time.Millisecond
	MaxEdgeAPIActivityUpdateInterval     = 10 * time.Minute
)

// Edge session and enrollment lifetimes. The Min* values are the shortest
// durations accepted in configuration.
const (
	DefaultEdgeSessionTimeout = 30 * time.Minute
	MinEdgeSessionTimeout     = 1 * time.Minute

	DefaultEdgeEnrollmentDuration = 180 * time.Minute
	MinEdgeEnrollmentDuration     = 5 * time.Minute
)

// HTTP server timeout defaults (see HttpTimeouts / DefaultHttpTimeouts).
const (
	DefaultHttpReadTimeout       = 5000 * time.Millisecond
	DefaultHttpReadHeaderTimeout = 5000 * time.Millisecond
	DefaultHttpWriteTimeout      = 100000 * time.Millisecond
	DefaultHttpIdleTimeout       = 5000 * time.Millisecond
)

// DefaultTotpDomain is the issuer/domain used for TOTP when none is configured.
const DefaultTotpDomain = "openziti.io"

// Authentication rate limiter defaults. Unlike the TLS handshake limiter, this
// limiter is ON by default; the *SizeValue constants bound what may be
// configured for its window.
const (
	DefaultAuthRateLimiterEnabled = true
	DefaultAuthRateLimiterMaxSize = 250
	DefaultAuthRateLimiterMinSize = 5
	AuthRateLimiterMinSizeValue   = 5
	AuthRateLimiterMaxSizeValue   = 1000
)

// Identity online-status tracking defaults (see IdentityStatusConfig).
const (
	DefaultIdentityOnlineStatusScanInterval   = time.Minute
	MinIdentityOnlineStatusScanInterval       = time.Second
	DefaultIdentityOnlineStatusUnknownTimeout = 5 * time.Minute
	DefaultIdentityOnlineStatusSource         = IdentityStatusSourceHybrid
)
// Fabric network option defaults (see NetworkConfig / DefaultNetworkConfig).
const (
	// Circuit creation and routing.
	DefaultOptionsCreateCircuitRetries = 2
	DefaultOptionsRouteTimeout         = 10 * time.Second
	DefaultOptionsCycleSeconds         = 60

	// Link management.
	DefaultOptionsEnableLegacyLinkMgmt = false
	DefaultOptionsInitialLinkLatency   = 65 * time.Second
	DefaultOptionsPendingLinkTimeout   = 10 * time.Second

	// Router cost, connection churn and metrics reporting.
	DefaultOptionsMinRouterCost           = 10
	DefaultOptionsRouterConnectChurnLimit = time.Minute
	DefaultOptionsMetricsReportInterval   = time.Minute

	// Router messaging worker pool defaults and the hard caps that
	// configuration may not exceed.
	DefaultOptionsRouterMessagingMaxWorkers = 100
	DefaultOptionsRouterMessagingQueueSize  = 100
	OptionsRouterCommMaxWorkers             = 10_000
	OptionsRouterCommMaxQueueSize           = 1_000_000

	// Smart rerouting: the fraction of circuits considered per cycle, the cap
	// on reroutes per cycle, and the minimum cost improvement required.
	DefaultOptionsSmartRerouteFraction     = 0.02
	DefaultOptionsSmartRerouteCap          = 4
	DefaultOptionsSmartRerouteMinCostDelta = 15
)
Variables ¶
This section is empty.
Functions ¶
func CalculateCaPems ¶
CalculateCaPems takes the supplied caPems buffer as a set of PEM-encoded certificates separated by new lines, removes duplicate certificates, and returns the result as a bytes.Buffer of PEM certificates separated by new lines.
func GetSpiffeIdFromCert ¶ added in v1.1.6
func GetSpiffeIdFromCert(cert *x509.Certificate) (*url.URL, error)
GetSpiffeIdFromCert searches a single x509 certificate for a trust domain encoded as a spiffe:// URI SAN. The certificate must contain 0 or 1 spiffe:// URI SANs; the one found is returned. If no SPIFFE id is present, nil is returned (and no error). Errors are returned for parsing and processing errors only: the certificate's signature, chain and trust domain are not verified here, so the returned id must not be used for authentication or authorization decisions until the certificate has been verified and the id checked against the expected trust domain (see ValidateSpiffeId).
func GetSpiffeIdFromCertChain ¶ added in v1.1.6
func GetSpiffeIdFromCertChain(certs []*x509.Certificate) (*url.URL, error)
GetSpiffeIdFromCertChain walks a slice of certificates ordered from the leaf up through its issuing CAs. Each certificate must contain 0 or 1 spiffe:// URI SAN. The first SPIFFE id encountered walking up the chain toward the root CA is returned, so a leaf's id takes precedence over its issuers'. If no SPIFFE id is encountered, nil is returned (and no error). Errors are returned for parsing and processing errors only; the chain itself is not verified by this function, so callers must validate the chain and the returned id (see ValidateSpiffeId) before trusting it.
func GetSpiffeIdFromIdentity ¶ added in v1.1.6
GetSpiffeIdFromIdentity searches an Identity for a trust domain encoded as a spiffe:// URI SAN, starting from the server cert and walking up its signing chain. Each certificate must contain 0 or 1 spiffe:// URI SAN. The first SPIFFE id encountered walking up the chain toward the root CA is returned. If no SPIFFE id is encountered, nil is returned (and no error). Errors are returned for parsing and processing errors only; no trust validation of the chain or the returned id is performed here.
func GetSpiffeIdFromTlsCertChain ¶ added in v1.1.6
func GetSpiffeIdFromTlsCertChain(tlsCerts []*tls.Certificate) (*url.URL, error)
GetSpiffeIdFromTlsCertChain searches a tls certificate chain for a trust domain encoded as a spiffe:// URI SAN. Each certificate must contain 0 or 1 spiffe:// URI SAN. The first SPIFFE id encountered walking up the chain is returned. If no SPIFFE id is encountered, nil is returned (and no error). Errors are returned for parsing and processing errors only; the chain is not verified by this function, so the result must be validated (see ValidateSpiffeId) before it is relied on.
Types ¶
type CertValidatingIdentity ¶ added in v1.1.6
func (*CertValidatingIdentity) ClientTLSConfig ¶ added in v1.1.6
func (self *CertValidatingIdentity) ClientTLSConfig() *tls.Config
func (*CertValidatingIdentity) ServerTLSConfig ¶ added in v1.1.6
func (self *CertValidatingIdentity) ServerTLSConfig() *tls.Config
func (*CertValidatingIdentity) VerifyConnection ¶ added in v1.1.6
func (self *CertValidatingIdentity) VerifyConnection(state tls.ConnectionState) error
type Config ¶
// Config is the top-level controller configuration: the controller's identity
// and accepted trust domains, clustering (Raft), fabric network tuning, edge
// API settings, storage, diagnostics, and the rate limiters guarding the
// control plane.
type Config struct {
	// Id is the controller's own identity (certificates/keys) — presumably the
	// identity whose server cert GetSpiffeIdFromIdentity inspects; confirm.
	Id *identity.TokenId
	// SpiffeIdTrustDomain is the trust domain this controller belongs to.
	// AdditionalTrustDomains are further trust domains accepted alongside it.
	// NOTE(review): presumably both are consulted by ValidateSpiffeId; confirm,
	// since every extra trust domain widens the set of identities that will be
	// accepted.
	SpiffeIdTrustDomain    *url.URL
	AdditionalTrustDomains []*url.URL
	// Raft holds cluster settings; Network holds fabric tuning; Edge holds the
	// edge API / enrollment settings. Pointers: nil when the section is absent
	// (assumed — verify against the loader).
	Raft    *RaftConfig
	Network *NetworkConfig
	Edge    *EdgeConfig
	// Db is the bolt-backed datastore handle.
	Db    boltz.Db
	Trace struct {
		// Handler receives channel trace events when tracing is enabled.
		Handler *channel.TraceHandler
	}
	Profile struct {
		Memory struct {
			// Path is where memory profiles are written; Interval is how often
			// (DefaultProfileMemoryInterval when unset — assumed).
			Path     string
			Interval time.Duration
		}
		CPU struct {
			// Path is where the CPU profile is written.
			Path string
		}
	}
	Ctrl struct {
		// Listener is the control-plane listen address; Options tunes the
		// control channel (see CtrlOptions).
		Listener transport.Address
		Options  *CtrlOptions
	}
	HealthChecks struct {
		BoltCheck struct {
			// Bolt health check scheduling; defaults are the
			// DefaultHealthChecksBoltCheck* constants (assumed — confirm).
			Interval     time.Duration
			Timeout      time.Duration
			InitialDelay time.Duration
		}
	}
	// CommandRateLimiter bounds control commands; TlsHandshakeRateLimiter is the
	// adaptive limiter for inbound TLS handshakes. Per the package constants
	// the handshake limiter is disabled by default, so it provides no
	// protection against handshake floods unless explicitly enabled.
	CommandRateLimiter      command.RateLimiterConfig
	TlsHandshakeRateLimiter command.AdaptiveRateLimiterConfig
	// Src is the raw parsed configuration map, of the same shape the
	// sub-loaders (LoadNetworkConfig, LoadEdgeConfigFromMap) accept.
	Src map[interface{}]interface{}
}
func LoadConfig ¶ added in v1.1.6
type CtrlOptions ¶ added in v1.1.6
// CtrlOptions extends channel.Options with controller-specific options that
// are not part of the channel layer itself (e.g. NewListener).
type CtrlOptions struct {
	// Options holds the embedded channel-level settings.
	*channel.Options
	// NewListener is an additional control-plane listen address; pointer, so
	// presumably optional (nil when not configured) — confirm.
	NewListener *transport.Address
	// AdvertiseAddress is the address published to peers/routers for reaching
	// this controller — presumably; confirm against the loader.
	AdvertiseAddress *transport.Address
	// RouterHeartbeatOptions and PeerHeartbeatOptions tune heartbeats on
	// router channels and controller-peer channels respectively.
	RouterHeartbeatOptions *channel.HeartbeatOptions
	PeerHeartbeatOptions   *channel.HeartbeatOptions
}
CtrlOptions extends channel.Options with additional, non-channel-specific options (e.g. NewListener).
type EdgeConfig ¶ added in v1.1.6
// EdgeConfig holds the edge (identity/API) side of the controller
// configuration: the API, enrollment, identity status tracking, TOTP and the
// authentication rate limiter. The CA material it manages is kept in
// unexported fields and accessed via AddCaPems/RefreshCas/CaCerts/CaPems.
type EdgeConfig struct {
	// Enabled switches the edge functionality on.
	Enabled bool
	// Api configures the edge API (type not shown on this page).
	Api Api
	// Enrollment configures enrollment signing and the per-kind enrollment
	// options.
	Enrollment Enrollment
	// IdentityStatusConfig controls how identity online status is determined.
	IdentityStatusConfig IdentityStatusConfig
	// Totp configures TOTP-based MFA (type not shown on this page).
	Totp Totp
	// AuthRateLimiter is the adaptive limiter for authentication attempts.
	// Per the package constants it is enabled by default with a window
	// bounded to [AuthRateLimiterMinSizeValue, AuthRateLimiterMaxSizeValue]
	// (assumed to apply to this field — confirm).
	AuthRateLimiter command.AdaptiveRateLimiterConfig
	// contains filtered or unexported fields
}
func LoadEdgeConfigFromMap ¶ added in v1.1.6
func LoadEdgeConfigFromMap(configMap map[interface{}]interface{}) (*EdgeConfig, error)
func NewEdgeConfig ¶ added in v1.1.6
func NewEdgeConfig() *EdgeConfig
func (*EdgeConfig) AddCaPems ¶ added in v1.1.6
func (c *EdgeConfig) AddCaPems(caPems []byte)
AddCaPems appends a byte slice of certificates to the currently buffered list of CAs. The certificates must be PEM-encoded and separated by new lines. RefreshCas must be called once after all calls to AddCaPems are complete.
func (*EdgeConfig) CaCerts ¶ added in v1.1.6
func (c *EdgeConfig) CaCerts() []*x509.Certificate
func (*EdgeConfig) CaPems ¶ added in v1.1.6
func (c *EdgeConfig) CaPems() []byte
func (*EdgeConfig) RefreshCas ¶ added in v1.1.6
func (c *EdgeConfig) RefreshCas()
func (*EdgeConfig) SessionTimeoutDuration ¶ added in v1.1.6
func (c *EdgeConfig) SessionTimeoutDuration() time.Duration
type Enrollment ¶
// Enrollment configures how the controller signs enrollments and the options
// applied to each enrollment kind.
type Enrollment struct {
	// SigningCert is the identity used to sign enrollment certificates —
	// presumably; its private key is therefore the root of trust for newly
	// enrolled identities and routers, so protect it accordingly. Confirm
	// against the enrollment code.
	SigningCert identity.Identity
	// SigningCertConfig is the identity configuration SigningCert was loaded
	// from.
	SigningCertConfig identity.Config
	// SigningCertCaPem is the PEM-encoded CA material for the signing cert.
	SigningCertCaPem []byte
	// EdgeIdentity and EdgeRouter are the enrollment options for identities
	// and edge routers respectively (EnrollmentOption is not shown on this
	// page; MinEdgeEnrollmentDuration / DefaultEdgeEnrollmentDuration
	// presumably bound its duration — confirm).
	EdgeIdentity EnrollmentOption
	EdgeRouter   EnrollmentOption
}
type EnrollmentOption ¶
type HttpTimeouts ¶
// HttpTimeouts holds the timeouts applied to an HTTP server. Bounding each of
// these matters for availability: unbounded read/header/idle timeouts let slow
// or idle clients hold connections open indefinitely (assuming these map onto
// the standard net/http server timeouts — confirm).
type HttpTimeouts struct {
	// ReadTimeoutDuration bounds reading an entire request
	// (DefaultHttpReadTimeout when defaulted — assumed via DefaultHttpTimeouts).
	ReadTimeoutDuration time.Duration
	// ReadHeaderTimeoutDuration bounds reading the request headers
	// (DefaultHttpReadHeaderTimeout).
	ReadHeaderTimeoutDuration time.Duration
	// WriteTimeoutDuration bounds writing the response
	// (DefaultHttpWriteTimeout).
	WriteTimeoutDuration time.Duration
	// IdleTimeoutsDuration bounds how long a keep-alive connection may sit
	// idle (DefaultHttpIdleTimeout). The plural "Timeouts" in the name is an
	// existing inconsistency kept for compatibility.
	IdleTimeoutsDuration time.Duration
}
func DefaultHttpTimeouts ¶
func DefaultHttpTimeouts() *HttpTimeouts
type IdentityStatusConfig ¶ added in v1.2.0
// IdentityStatusConfig controls how the controller determines whether an
// identity is online.
type IdentityStatusConfig struct {
	// Source selects the signal used (heartbeats, connect events, or both);
	// DefaultIdentityOnlineStatusSource is the hybrid mode.
	Source IdentityStatusSource
	// ScanInterval is how often status is re-evaluated; defaults to
	// DefaultIdentityOnlineStatusScanInterval and may not go below
	// MinIdentityOnlineStatusScanInterval (assumed from the constants — confirm
	// the loader enforces the minimum).
	ScanInterval time.Duration
	// UnknownTimeout is how long an identity may go without a signal before its
	// status is treated as unknown (DefaultIdentityOnlineStatusUnknownTimeout
	// when unset — assumed).
	UnknownTimeout time.Duration
}
type IdentityStatusSource ¶ added in v1.2.0
// IdentityStatusSource selects which signal(s) determine whether an identity
// is considered online.
type IdentityStatusSource uint32

// Valid IdentityStatusSource values. Numbering starts at 1 so the zero value
// never matches a configured source.
const (
	// IdentityStatusSourceHeartbeats derives status from heartbeats only.
	IdentityStatusSourceHeartbeats IdentityStatusSource = iota + 1
	// IdentityStatusSourceConnectEvents derives status from connect events only.
	IdentityStatusSourceConnectEvents
	// IdentityStatusSourceHybrid combines both signals (the package default).
	IdentityStatusSourceHybrid
)
type NetworkConfig ¶ added in v1.1.6
// NetworkConfig holds fabric network tuning. Defaults come from the
// DefaultOptions* constants (see DefaultNetworkConfig); the mapping noted on
// each field is by name and should be confirmed against the loader.
type NetworkConfig struct {
	// CreateCircuitRetries: attempts to create a circuit before giving up
	// (DefaultOptionsCreateCircuitRetries).
	CreateCircuitRetries uint32
	// CycleSeconds: network maintenance cycle period in seconds
	// (DefaultOptionsCycleSeconds).
	CycleSeconds uint32
	// EnableLegacyLinkMgmt: opt in to the legacy link management behaviour
	// (off by default, DefaultOptionsEnableLegacyLinkMgmt).
	EnableLegacyLinkMgmt bool
	// InitialLinkLatency: latency assumed for a link before it is measured
	// (DefaultOptionsInitialLinkLatency).
	InitialLinkLatency time.Duration
	// IntervalAgeThreshold has no default constant on this page.
	IntervalAgeThreshold time.Duration
	// MetricsReportInterval (DefaultOptionsMetricsReportInterval).
	MetricsReportInterval time.Duration
	// MinRouterCost (DefaultOptionsMinRouterCost).
	MinRouterCost uint16
	// PendingLinkTimeout (DefaultOptionsPendingLinkTimeout).
	PendingLinkTimeout time.Duration
	// RouteTimeout (DefaultOptionsRouteTimeout).
	RouteTimeout time.Duration
	// RouterConnectChurnLimit (DefaultOptionsRouterConnectChurnLimit).
	RouterConnectChurnLimit time.Duration
	RouterComm              struct {
		// QueueSize and MaxWorkers size the router messaging pool; defaults are
		// presumably DefaultOptionsRouterMessagingQueueSize / MaxWorkers and the
		// OptionsRouterCommMax* constants are the hard caps — confirm, since the
		// names differ (RouterMessaging vs RouterComm).
		QueueSize  uint32
		MaxWorkers uint32
	}
	Smart struct {
		// Smart rerouting: fraction of circuits considered per cycle, the cap on
		// reroutes per cycle, and the minimum cost improvement required
		// (DefaultOptionsSmartReroute*).
		RerouteFraction float32
		RerouteCap      uint32
		MinCostDelta    uint32
	}
}
func DefaultNetworkConfig ¶ added in v1.1.6
func DefaultNetworkConfig() *NetworkConfig
func LoadNetworkConfig ¶ added in v1.1.6
func LoadNetworkConfig(src map[interface{}]interface{}) (*NetworkConfig, error)
type RaftConfig ¶ added in v1.1.6
// RaftConfig configures the controller's Raft cluster membership, storage and
// timing. Pointer-typed fields are optional; nil presumably means the
// underlying raft library's own default applies — confirm against the loader.
type RaftConfig struct {
	// Recover requests cluster recovery on startup — presumably; confirm.
	Recover bool
	// DataDir is where raft state (log, snapshots) is stored on disk. It holds
	// the replicated controller state, so its filesystem permissions matter.
	DataDir string
	// AdvertiseAddress is the address other cluster members use to reach this
	// node.
	AdvertiseAddress transport.Address
	// InitialMembers lists the peers used to bootstrap the cluster. Anything
	// listed here is trusted as a cluster member, so keep it accurate.
	InitialMembers        []string
	CommandHandlerOptions struct {
		// MaxQueueSize bounds the command handler queue
		// (DefaultRaftCommandHandlerMaxQueueSize when unset — assumed).
		MaxQueueSize uint16
	}
	// Snapshot and log retention tuning (all optional).
	SnapshotInterval  *time.Duration
	SnapshotThreshold *uint32
	TrailingLogs      *uint32
	MaxAppendEntries  *uint32
	// Raft timing. ElectionTimeout, HeartbeatTimeout and LeaderLeaseTimeout
	// are required (non-pointer); CommitTimeout is optional.
	ElectionTimeout    time.Duration
	CommitTimeout      *time.Duration
	HeartbeatTimeout   time.Duration
	LeaderLeaseTimeout time.Duration
	// LogLevel (optional) and Logger for the raft library's own logging.
	LogLevel *string
	Logger   hclog.Logger
}