Documentation ¶
Index ¶
- func CreateCommonTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, ...) (*envoy_auth.CommonTlsContext, error)
- func CreateDownstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_auth.DownstreamTlsContext, error)
- func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, ...) (*envoy_auth.UpstreamTlsContext, error)
- func MeshSpiffeIDPrefix(mesh string) string
- func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
- func ServiceSpiffeID(mesh string, service string) string
- func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher
- type ClusterInfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateCommonTlsContext ¶
func CreateCommonTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, validationSANMatcher *envoy_type_matcher.StringMatcher) (*envoy_auth.CommonTlsContext, error)
func CreateDownstreamTlsContext ¶
func CreateDownstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata) (*envoy_auth.DownstreamTlsContext, error)
CreateDownstreamTlsContext creates DownstreamTlsContext for incoming connections It verifies that incoming connection has TLS certificate signed by Mesh CA with URI SAN of prefix spiffe://{mesh_name}/ It secures inbound listener with certificate of "identity_cert" that will be received from the SDS (it contains URI SANs of all inbounds). Access to SDS is secured by TLS certificate (set in config or autogenerated at CP start) and path to dataplane token
func CreateUpstreamTlsContext ¶
func CreateUpstreamTlsContext(ctx xds_context.Context, metadata *core_xds.DataplaneMetadata, upstreamService string) (*envoy_auth.UpstreamTlsContext, error)
CreateUpstreamTlsContext creates UpstreamTlsContext for outgoing connections It verifies that the upstream server has TLS certificate signed by Mesh CA with URI SAN of spiffe://{mesh_name}/{upstream_service} The downstream client exposes for the upstream server cert with multiple URI SANs, which means that if DP has inbound with services "web" and "web-api" and communicates with "backend" the upstream server ("backend") will see that DP with TLS certificate of URIs of "web" and "web-api". There is no way to correlate incoming request to "web" or "web-api" with outgoing request to "backend" to expose only one URI SAN.
Pass "*" for upstreamService to validate that upstream service is a service that is part of the mesh (but not specific one)
func MeshSpiffeIDPrefix ¶
func MeshSpiffeIDPrefixMatcher ¶
func MeshSpiffeIDPrefixMatcher(mesh string) *envoy_type_matcher.StringMatcher
func ServiceSpiffeID ¶
func ServiceSpiffeIDMatcher ¶
func ServiceSpiffeIDMatcher(mesh string, service string) *envoy_type_matcher.StringMatcher