Documentation
Overview
Package sds implements the secret discovery service (SDS) in NodeAgent.
Constants
const (
    // SecretType is used for secret discovery service to construct response.
    SecretType = "type.googleapis.com/envoy.api.v2.auth.Secret"
    // IngressGatewaySdsCaSuffix is the suffix of the sds resource name for root CA. All SDS requests
    // for root CA sent by ingress gateway have suffix -cacert.
    IngressGatewaySdsCaSuffix = "-cacert"
)
Variables
This section is empty.
Functions
func NewPlugins
NewPlugins returns a slice of default Plugins.
func NotifyProxy
func NotifyProxy(conID, resourceName string, secret *model.SecretItem) error
NotifyProxy sends a notification to the proxy about a secret update; SDS closes the streaming connection if secret is nil.
Types
type Options
type Options struct {
    // WorkloadUDSPath is the unix domain socket through which the SDS server communicates with workload proxies.
    WorkloadUDSPath string
    // IngressGatewayUDSPath is the unix domain socket through which the SDS server communicates with
    // ingress gateway proxies.
    IngressGatewayUDSPath string
    // CertFile is the path of the certificate file for gRPC server TLS settings.
    CertFile string
    // KeyFile is the path of the key file for gRPC server TLS settings.
    KeyFile string
    // CAEndpoint is the CA endpoint to which the node agent sends CSR requests.
    CAEndpoint string
    // CAProviderName is the CA provider name.
    CAProviderName string
    // TrustDomain corresponds to the trust root of a system.
    // https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    TrustDomain string
    // PluginNames lists the plugin names for a certain authentication provider.
    PluginNames []string
    // VaultAddress is the Vault CA address.
    VaultAddress string
    // VaultAuthPath is the Vault auth path.
    VaultAuthPath string
    // VaultRole is the Vault role.
    VaultRole string
    // VaultSignCsrPath is the Vault sign-CSR path.
    VaultSignCsrPath string
    // VaultTLSRootCert is the Vault TLS root certificate.
    VaultTLSRootCert string
    // EnableWorkloadSDS indicates whether the node agent works as an SDS server for workload proxies.
    EnableWorkloadSDS bool
    // EnableIngressGatewaySDS indicates whether the node agent works as an ingress gateway agent.
    EnableIngressGatewaySDS bool
    // AlwaysValidTokenFlag is set to true if the token used is always valid (e.g., a normal k8s JWT).
    AlwaysValidTokenFlag bool
}
Options provides all of the configuration parameters for secret discovery service.
type Server
type Server struct {
// contains filtered or unexported fields
}
Server is the gRPC server that exposes SDS through UDS.