dag

package v1.8.2
Published: Sep 30, 2020 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Overview

Package dag provides a data model, in the form of a directed acyclic graph, of the relationship between Kubernetes Ingress, Service, and Secret objects.

Constants

const CACertificateKey = "ca.crt"

CACertificateKey is the key name for accessing TLS CA certificate bundles in Kubernetes Secrets.

Variables

This section is empty.

Functions

This section is empty.

Types

type Builder

type Builder struct {

	// Source is the source of Kubernetes objects
	// from which to build a DAG.
	Source KubernetesCache

	// DisablePermitInsecure disables the use of the
	// permitInsecure field in HTTPProxy.
	DisablePermitInsecure bool

	FallbackCertificate *types.NamespacedName

	StatusWriter
	logrus.FieldLogger
	// contains filtered or unexported fields
}

Builder builds a DAG.

func (*Builder) Build

func (b *Builder) Build() *DAG

Build builds a new DAG.

type Cluster added in v1.0.0

type Cluster struct {
	// Upstream is the backend Kubernetes Service to which traffic arriving
	// at this Cluster will be forwarded.
	Upstream *Service

	// The relative weight of this Cluster compared to its siblings.
	Weight uint32

	// The protocol to use to speak to this cluster.
	Protocol string

	// UpstreamValidation defines how to verify the backend service's certificate
	UpstreamValidation *PeerValidationContext

	// The load balancer type to use when picking a host in the cluster.
	// See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/cds.proto#envoy-api-enum-cluster-lbpolicy
	LoadBalancerPolicy string

	// Cluster http health check policy
	*HTTPHealthCheckPolicy

	// Cluster tcp health check policy
	*TCPHealthCheckPolicy

	// RequestHeadersPolicy defines how headers are managed during forwarding
	RequestHeadersPolicy *HeadersPolicy

	// ResponseHeadersPolicy defines how headers are managed during forwarding
	ResponseHeadersPolicy *HeadersPolicy

	// SNI is used when a route proxies to an upstream over TLS.
	// It describes how the SNI is set on a Cluster and is configured via the RequestHeadersPolicy.Host key.
	// Policies set on the service are used before policies set on a route. Otherwise the service's ExternalName
	// is used if the route is configured to proxy to a Service of type ExternalName.
	// If the value is not set, then SNI is not changed.
	SNI string
}

Cluster holds the connection specific parameters that apply to traffic routed to an upstream service.

func (Cluster) Visit added in v1.0.0

func (c Cluster) Visit(f func(Vertex))

type DAG

type DAG struct {
	// contains filtered or unexported fields
}

A DAG represents a directed acyclic graph of objects representing the relationship between Kubernetes Ingress objects, the backend Services, and Secret objects. The DAG models these relationships as Roots and Vertices.

func (*DAG) Statuses

func (d *DAG) Statuses() map[types.NamespacedName]Status

Statuses returns the Status objects, keyed by NamespacedName, associated with the computation of this DAG.

func (*DAG) Visit

func (d *DAG) Visit(fn func(Vertex))

Visit calls fn on each root of this DAG.

type HTTPHealthCheckPolicy added in v1.2.0

type HTTPHealthCheckPolicy struct {
	Path               string
	Host               string
	Interval           time.Duration
	Timeout            time.Duration
	UnhealthyThreshold uint32
	HealthyThreshold   uint32
}

HTTPHealthCheckPolicy is the HTTP health check policy for a Cluster.

type HeaderMatchCondition added in v1.7.0

type HeaderMatchCondition struct {
	Name      string
	Value     string
	MatchType string
	Invert    bool
}

HeaderMatchCondition matches request headers by MatchType.

func (*HeaderMatchCondition) String added in v1.7.0

func (hc *HeaderMatchCondition) String() string

type HeaderValue added in v1.1.0

type HeaderValue struct {
	// Name represents a key of a header
	Key string
	// Value represents the value of a header specified by a key
	Value string
}

type HeadersPolicy added in v1.1.0

type HeadersPolicy struct {
	// HostRewrite defines if a host should be rewritten on upstream requests
	HostRewrite string

	Set    map[string]string
	Remove []string
}

HeadersPolicy defines how headers are managed during forwarding.

type KubernetesCache

type KubernetesCache struct {
	// RootNamespaces specifies the namespaces where root
	// HTTPProxies can be defined. If empty, roots can be defined in any
	// namespace.
	RootNamespaces []string

	// Contour's IngressClass.
	// If not set, defaults to DEFAULT_INGRESS_CLASS.
	IngressClass string

	logrus.FieldLogger
	// contains filtered or unexported fields
}

A KubernetesCache holds Kubernetes objects and associated configuration and produces DAG values.

func (*KubernetesCache) DelegationPermitted added in v1.8.0

func (kc *KubernetesCache) DelegationPermitted(secret types.NamespacedName, targetNamespace string) bool

DelegationPermitted returns true if the referenced secret has been delegated to the namespace where the ingress object is located.

func (*KubernetesCache) Insert

func (kc *KubernetesCache) Insert(obj interface{}) bool

Insert inserts obj into the KubernetesCache. Insert returns true if the cache accepted the object, or false if the value is not interesting to the cache. If an object with a matching type, name, and namespace exists, it will be overwritten.

func (*KubernetesCache) LookupSecret added in v1.8.0

func (kc *KubernetesCache) LookupSecret(name types.NamespacedName, validate func(*v1.Secret) error) (*Secret, error)

LookupSecret returns a Secret if present, or nil if the underlying Kubernetes Secret fails validation or is missing.

func (*KubernetesCache) Remove

func (kc *KubernetesCache) Remove(obj interface{}) bool

Remove removes obj from the KubernetesCache. Remove returns a boolean indicating if the cache changed after the remove operation.

type Listener added in v0.10.0

type Listener struct {

	// Address is the TCP address to listen on.
	// If blank, 0.0.0.0 (or ::/0 for IPv6) is assumed.
	Address string

	// Port is the TCP port to listen on.
	Port int

	VirtualHosts []Vertex
}

A Listener represents a TCP socket that accepts incoming connections.

func (*Listener) Visit added in v0.10.0

func (l *Listener) Visit(f func(Vertex))

type MatchCondition added in v1.7.0

type MatchCondition interface {
	fmt.Stringer
}

type MirrorPolicy added in v1.0.0

type MirrorPolicy struct {
	Cluster *Cluster
}

MirrorPolicy defines the mirroring policy for a route.

type ObjectStatusWriter added in v1.0.0

type ObjectStatusWriter struct {
	// contains filtered or unexported fields
}

func (*ObjectStatusWriter) SetInvalid added in v1.0.0

func (osw *ObjectStatusWriter) SetInvalid(format string, args ...interface{})

func (*ObjectStatusWriter) SetValid added in v1.0.0

func (osw *ObjectStatusWriter) SetValid()

func (*ObjectStatusWriter) WithObject added in v1.0.0

func (osw *ObjectStatusWriter) WithObject(obj k8s.Object) (_ *ObjectStatusWriter, commit func())

WithObject returns a new ObjectStatusWriter with a copy of the current ObjectStatusWriter's values, including its status if set. This is convenient if the object shares a relationship with its parent. The caller should arrange for the commit function to be called to write the final status of the object.

func (*ObjectStatusWriter) WithValue added in v1.0.0

func (osw *ObjectStatusWriter) WithValue(key, val string) *ObjectStatusWriter

type Observer added in v1.8.0

type Observer interface {
	OnChange(*DAG)
}

Observer is an interface for receiving notification of DAG updates.

func ComposeObservers added in v1.8.0

func ComposeObservers(observers ...Observer) Observer

ComposeObservers returns a new Observer that calls each of its arguments in turn.

type ObserverFunc added in v1.8.0

type ObserverFunc func(*DAG)

ObserverFunc is a function that implements the Observer interface by calling itself. It can be nil.

func (ObserverFunc) OnChange added in v1.8.0

func (f ObserverFunc) OnChange(d *DAG)

type PeerValidationContext added in v1.4.0

type PeerValidationContext struct {
	// CACertificate holds a reference to the Secret containing the CA to be used to
	// verify the upstream connection.
	CACertificate *Secret
	// SubjectName holds an optional subject name which Envoy will check against the
	// certificate presented by the upstream.
	SubjectName string
}

PeerValidationContext defines how to validate the certificate on the upstream service.

func (*PeerValidationContext) GetCACertificate added in v1.4.0

func (pvc *PeerValidationContext) GetCACertificate() []byte

GetCACertificate returns the CA certificate from PeerValidationContext.

func (*PeerValidationContext) GetSubjectName added in v1.4.0

func (pvc *PeerValidationContext) GetSubjectName() string

GetSubjectName returns the SubjectName from PeerValidationContext.
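As an added illustration (not Contour's own code) of the kind of check a caller can pass through LookupSecret's validate hook before a Secret is used as a PeerValidationContext.CACertificate: the helper below inspects the data map that Secret.Data() returns instead of a *v1.Secret, so it runs without the Kubernetes client libraries. ValidateCABundle and NewSelfSignedPEM are hypothetical names, and the certificates they handle are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const CACertificateKey = "ca.crt" // same key name as on this page

// ValidateCABundle checks a Secret data map (the shape Secret.Data() returns) for a
// usable bundle under CACertificateKey: every PEM CERTIFICATE block must parse and
// at least one must be a CA. Hypothetical helper, not Contour's own validation.
func ValidateCABundle(data map[string][]byte) error {
	foundCA := false
	for block, rest := pem.Decode(data[CACertificateKey]); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // ignore keys or other PEM blocks in the bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("%s: %w", CACertificateKey, err)
		}
		foundCA = foundCA || (cert.BasicConstraintsValid && cert.IsCA)
	}
	if !foundCA {
		return fmt.Errorf("no CA certificate found under %q", CACertificateKey)
	}
	return nil
}

// NewSelfSignedPEM builds a throwaway certificate (constructed test data, not a real
// CA); isCA controls the BasicConstraints extension the validator inspects.
func NewSelfSignedPEM(isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca := map[string][]byte{CACertificateKey: NewSelfSignedPEM(true)}
	fmt.Println(ValidateCABundle(ca), ValidateCABundle(map[string][]byte{"tls.crt": ca[CACertificateKey]}))
}
```

Rejecting a bundle that holds only leaf certificates, or that stores the bundle under the wrong key, at lookup time surfaces the misconfiguration as an object status rather than as a failed upstream handshake later.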

type PrefixMatchCondition added in v1.7.0

type PrefixMatchCondition struct {
	Prefix string
}

PrefixMatchCondition matches the start of a URL.

func (*PrefixMatchCondition) String added in v1.7.0

func (pc *PrefixMatchCondition) String() string

type RegexMatchCondition added in v1.7.0

type RegexMatchCondition struct {
	Regex string
}

RegexMatchCondition matches the URL by regular expression.

func (*RegexMatchCondition) String added in v1.7.0

func (rc *RegexMatchCondition) String() string

type RetryPolicy added in v1.0.0

type RetryPolicy struct {
	// RetryOn specifies the conditions under which retry takes place.
	// If empty, retries will not be performed.
	RetryOn string

	// RetriableStatusCodes specifies the HTTP status codes under which retry takes place.
	RetriableStatusCodes []uint32

	// NumRetries specifies the allowed number of retries.
	// Ignored if RetryOn is blank, or defaults to 1 if RetryOn is set.
	NumRetries uint32

	// PerTryTimeout specifies the timeout per retry attempt.
	// Ignored if RetryOn is blank.
	PerTryTimeout timeout.Setting
}

RetryPolicy defines the retry conditions, count, and per-try timeout options.

type Route

type Route struct {

	// PathMatchCondition specifies a MatchCondition to match on the request path.
	// Must not be nil.
	PathMatchCondition MatchCondition

	// HeaderMatchConditions specifies a set of additional Conditions to
	// match on the request headers.
	HeaderMatchConditions []HeaderMatchCondition

	Clusters []*Cluster

	// Should this route generate a 301 upgrade if accessed
	// over HTTP?
	HTTPSUpgrade bool

	// Is this a websocket route?
	// TODO(dfc) this should go on the service
	Websocket bool

	// TimeoutPolicy defines the timeout request/idle
	TimeoutPolicy TimeoutPolicy

	// RetryPolicy defines the retry / number / timeout options for a route
	RetryPolicy *RetryPolicy

	// Indicates that during forwarding, the matched prefix (or path) should be swapped with this value
	PrefixRewrite string

	// Mirror Policy defines the mirroring policy for this Route.
	MirrorPolicy *MirrorPolicy

	// RequestHeadersPolicy defines how headers are managed during forwarding
	RequestHeadersPolicy *HeadersPolicy

	// ResponseHeadersPolicy defines how headers are managed during forwarding
	ResponseHeadersPolicy *HeadersPolicy
}

Route defines the properties of a route to a Cluster.

func (*Route) HasPathPrefix added in v1.1.0

func (r *Route) HasPathPrefix() bool

HasPathPrefix returns whether this route's PathMatchCondition is a PrefixMatchCondition.

func (*Route) HasPathRegex added in v1.1.0

func (r *Route) HasPathRegex() bool

HasPathRegex returns whether this route's PathMatchCondition is a RegexMatchCondition.

func (*Route) Visit

func (r *Route) Visit(f func(Vertex))

type Secret

type Secret struct {
	Object *v1.Secret
}

Secret represents a K8s Secret for TLS usage as a DAG Vertex. A Secret is a leaf in the DAG.

func (*Secret) Cert added in v1.0.0

func (s *Secret) Cert() []byte

Cert returns the secret's TLS certificate.

func (*Secret) Data

func (s *Secret) Data() map[string][]byte

Data returns the contents of the backing secret's map.

func (*Secret) Name

func (s *Secret) Name() string

func (*Secret) Namespace

func (s *Secret) Namespace() string

func (*Secret) PrivateKey added in v1.0.0

func (s *Secret) PrivateKey() []byte

PrivateKey returns the secret's TLS private key.

func (*Secret) Visit

func (s *Secret) Visit(func(Vertex))

type SecureVirtualHost

type SecureVirtualHost struct {
	VirtualHost

	// TLS minimum protocol version. Defaults to envoy_api_v2_auth.TlsParameters_TLS_AUTO
	MinTLSVersion envoy_api_v2_auth.TlsParameters_TlsProtocol

	// The cert and key for this host.
	Secret *Secret

	// FallbackCertificate
	FallbackCertificate *Secret

	// Service to TCP proxy all incoming connections.
	*TCPProxy

	// DownstreamValidation defines how to verify the client's certificate.
	DownstreamValidation *PeerValidationContext
}

A SecureVirtualHost represents an HTTP host protected by TLS.

func (*SecureVirtualHost) Valid added in v1.0.0

func (s *SecureVirtualHost) Valid() bool

func (*SecureVirtualHost) Visit

func (s *SecureVirtualHost) Visit(f func(Vertex))

type Service

type Service struct {
	Name      string
	Namespace string

	ServicePort v1.ServicePort

	// Protocol is the layer 7 protocol of this service
	// One of "", "h2", "h2c", or "tls".
	Protocol string

	// MaxConnections is the maximum number of connections
	// that Envoy will make to the upstream cluster.
	MaxConnections uint32

	// MaxPendingRequests is the maximum number of pending
	// requests that Envoy will allow to the upstream cluster.
	MaxPendingRequests uint32

	// MaxRequests is the maximum number of parallel requests that
	// Envoy will make to the upstream cluster.
	MaxRequests uint32

	// MaxRetries is the maximum number of parallel retries that
	// Envoy will allow to the upstream cluster.
	MaxRetries uint32

	// ExternalName is an optional field referencing a dns entry for Service type "ExternalName"
	ExternalName string
}

Service represents a single port of a Kubernetes Service.

func (*Service) ToFullName added in v1.4.0

func (s *Service) ToFullName() servicemeta

func (*Service) Visit

func (s *Service) Visit(func(Vertex))

type Status

type Status struct {
	Object      k8s.Object
	Status      string
	Description string
	Vhost       string
}

Status contains the status for an HTTPProxy (valid, invalid, orphan, etc.).

type StatusWriter added in v1.0.0

type StatusWriter struct {
	// contains filtered or unexported fields
}

func (*StatusWriter) WithObject added in v1.0.0

func (sw *StatusWriter) WithObject(obj k8s.Object) (_ *ObjectStatusWriter, commit func())

WithObject returns an ObjectStatusWriter that can be used to set the state of the object. The state can be set as many times as necessary. The state of the object can be made permanent by calling the commit function returned from WithObject. The caller should pass the ObjectStatusWriter to functions interested in writing status, but keep the commit function for itself. The commit function should be either called via a defer, or directly if statuses are being set in a loop (as defers will not fire until the end of the function).

type TCPHealthCheckPolicy added in v1.2.0

type TCPHealthCheckPolicy struct {
	Interval           time.Duration
	Timeout            time.Duration
	UnhealthyThreshold uint32
	HealthyThreshold   uint32
}

TCPHealthCheckPolicy is the TCP health check policy for a Cluster.

type TCPProxy added in v0.8.0

type TCPProxy struct {

	// Clusters is the, possibly weighted, set of
	// upstream services to which decrypted traffic is forwarded.
	Clusters []*Cluster
}

TCPProxy represents a cluster of TCP endpoints.

func (*TCPProxy) Visit added in v0.8.0

func (t *TCPProxy) Visit(f func(Vertex))

type TimeoutPolicy added in v1.0.0

type TimeoutPolicy struct {
	// ResponseTimeout is the timeout applied to the response
	// from the backend server.
	ResponseTimeout timeout.Setting

	// IdleTimeout is the timeout applied to idle connections.
	IdleTimeout timeout.Setting
}

TimeoutPolicy defines the timeout policy for a route.

type Vertex

type Vertex interface {
	Visit(func(Vertex))
}

Vertex is a node in the DAG that can be visited.

type VirtualHost

type VirtualHost struct {
	// Name is the fully qualified domain name of a network host,
	// as defined by RFC 3986.
	Name string
	// contains filtered or unexported fields
}

A VirtualHost represents a named L4/L7 service.

func (*VirtualHost) Valid added in v1.0.0

func (v *VirtualHost) Valid() bool

func (*VirtualHost) Visit

func (v *VirtualHost) Visit(f func(Vertex))
