Documentation ¶
Index ¶
- Constants
- type AuthServer
- type Direction
- type Options
- type SdsDiscoveryStream
- type SdsServer
- func (s *SdsServer) CreateSdsService(options *Options) error
- func (s *SdsServer) DeltaSecrets(stream sds.SecretDiscoveryService_DeltaSecretsServer) error
- func (s *SdsServer) FetchSecrets(ctx context.Context, req *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error)
- func (s *SdsServer) GracefulStop()
- func (s *SdsServer) Run()
- func (s *SdsServer) Stop()
- func (s *SdsServer) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecretsServer) error
- func (s *SdsServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, ...)
Constants ¶
const ( // IngressSocketPath is the unix socket path where the authz server will be listening on for the ingress authz server //IngressSocketPath = "@aporeto_envoy_authz_ingress" IngressSocketPath = "127.0.0.1:1999" // EgressSocketPath is the unix socket path where the authz server will be listening on for the egress authz server EgressSocketPath = "127.0.0.1:1998" )
const ( // SdsSocketpath is the socket path on which the envoy will talk to the remoteEnforcer. //SdsSocketpath = "@aporeto_envoy_sds" SdsSocketpath = "127.0.0.1:2999" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthServer ¶
AuthServer struct, the server to hold the envoy External Auth.
func NewExtAuthzServer ¶
func NewExtAuthzServer(puID string, puContexts cache.DataStore, collector collector.EventCollector, direction Direction, registry *serviceregistry.Registry, secrets secrets.Secrets, tokenIssuer common.ServiceTokenIssuer) (*AuthServer, error)
NewExtAuthzServer creates a new envoy ext_authz server
func (*AuthServer) Check ¶
func (s *AuthServer) Check(ctx context.Context, checkRequest *ext_auth.CheckRequest) (*ext_auth.CheckResponse, error)
Check implements the AuthorizationServer interface
func (*AuthServer) GracefulStop ¶
func (s *AuthServer) GracefulStop()
GracefulStop calls the function with the same name on the backing gRPC server
func (*AuthServer) Stop ¶
func (s *AuthServer) Stop()
Stop calls the function with the same name on the backing gRPC server
func (*AuthServer) UpdateSecrets ¶
func (s *AuthServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string)
UpdateSecrets updates the secrets Whenever the Envoy makes a request for certificate, the certs and keys are fetched from the Proxy.
type Direction ¶
type Direction uint8
Direction is used to indicate if the authorization server is ingress or egress. NOTE: the type is currently set to uint8 and not bool because in Istio there are 3 types: - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY And we are not sure yet if we need an extra authz server for GATEWAY.
const ( // UnknownDirection is only used to denote uninitialized variables UnknownDirection Direction = 0 // IngressDirection refers to inbound / ingress traffic. // NOTE: for Istio use this in conjunction with SIDECAR_INBOUND IngressDirection Direction = 1 // EgressDirection refers to outbound / egress traffic. // NOTE: for Istio use this in conjunction with SIDECAR_OUTBOUND EgressDirection Direction = 2 )
type Options ¶
type Options struct {
SocketPath string
}
Options to create a SDS server to task to envoy
type SdsDiscoveryStream ¶
type SdsDiscoveryStream interface { Send(*v2.DiscoveryResponse) error Recv() (*v2.DiscoveryRequest, error) grpc.ServerStream }
SdsDiscoveryStream is the same as the sds.SecretDiscoveryService_StreamSecretsServer
type SdsServer ¶
SdsServer to talk with envoy for sds.
func NewSdsServer ¶
func NewSdsServer(contextID string, puInfo *policy.PUInfo, caPool *x509.CertPool, secrets secrets.Secrets) (*SdsServer, error)
NewSdsServer creates a instance of a server.
func (*SdsServer) CreateSdsService ¶
CreateSdsService does the following 1. create grpc server. 2. create a listener on the Unix Domain Socket. 3.
func (*SdsServer) DeltaSecrets ¶
func (s *SdsServer) DeltaSecrets(stream sds.SecretDiscoveryService_DeltaSecretsServer) error
DeltaSecrets checks for the delta and sends the changes.
func (*SdsServer) FetchSecrets ¶
func (s *SdsServer) FetchSecrets(ctx context.Context, req *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error)
FetchSecrets gets the discovery request and call the Aporeto backend to fetch the certs. 1. parse the discovery request. 2. track the request. 3. call the Aporeto api to generate the secret
func (*SdsServer) GracefulStop ¶
func (s *SdsServer) GracefulStop()
GracefulStop calls the function with the same name on the backing gRPC server
func (*SdsServer) Stop ¶
func (s *SdsServer) Stop()
Stop stops all the listeners and the grpc servers.
func (*SdsServer) StreamSecrets ¶
func (s *SdsServer) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecretsServer) error
StreamSecrets is the function invoked by the envoy in-order to pull the certs, this also sends the response back to the envoy. It does the following: 1. create a receiver thread to stream the requests. 2. parse the discovery request. 3. track the request. 4. call the Aporeto api to generate the secret
func (*SdsServer) UpdateSecrets ¶
func (s *SdsServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string)
UpdateSecrets updates the secrets Whenever the Envoy makes a request for certificate, the certs and keys are fetched from the Proxy.