envoyproxy

package
v10.321.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 23, 2021 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// IngressSocketPath is the unix socket path where the authz server will be listening on for the ingress authz server
	//IngressSocketPath = "@aporeto_envoy_authz_ingress"
	IngressSocketPath = "127.0.0.1:1999"

	// EgressSocketPath is the unix socket path where the authz server will be listening on for the egress authz server
	EgressSocketPath = "127.0.0.1:1998"
)
View Source
const (
	// SdsSocketpath is the socket path on which the envoy will talk to the remoteEnforcer.
	//SdsSocketpath = "@aporeto_envoy_sds"
	SdsSocketpath = "127.0.0.1:2999"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthServer

type AuthServer struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

AuthServer struct, the server to hold the envoy External Auth.

func NewExtAuthzServer

func NewExtAuthzServer(puID string, puContexts cache.DataStore, collector collector.EventCollector, direction Direction, secrets secrets.Secrets, tokenIssuer common.ServiceTokenIssuer) (*AuthServer, error)

NewExtAuthzServer creates a new envoy ext_authz server

func (*AuthServer) Check

func (s *AuthServer) Check(ctx context.Context, checkRequest *ext_auth.CheckRequest) (*ext_auth.CheckResponse, error)

Check implements the AuthorizationServer interface

func (*AuthServer) GracefulStop

func (s *AuthServer) GracefulStop()

GracefulStop calls the function with the same name on the backing gRPC server

func (*AuthServer) Stop

func (s *AuthServer) Stop()

Stop calls the function with the same name on the backing gRPC server

func (*AuthServer) UpdateSecrets

func (s *AuthServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string)

UpdateSecrets updates the secrets Whenever the Envoy makes a request for certificate, the certs and keys are fetched from the Proxy.

type Direction

type Direction uint8

Direction is used to indicate if the authorization server is ingress or egress. NOTE: the type is currently set to uint8 and not bool because in Istio there are 3 types: - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY And we are not sure yet if we need an extra authz server for GATEWAY.

const (
	// UnknownDirection is only used to denote uninitialized variables
	UnknownDirection Direction = 0

	// IngressDirection refers to inbound / ingress traffic.
	// NOTE: for Istio use this in conjunction with SIDECAR_INBOUND
	IngressDirection Direction = 1

	// EgressDirection refers to outbound / egress traffic.
	// NOTE: for Istio use this in conjunction with SIDECAR_OUTBOUND
	EgressDirection Direction = 2
)

func (Direction) String

func (d Direction) String() string

String overwrites the string interface

type Options

type Options struct {
	SocketPath string
}

Options to create a SDS server to task to envoy

type SdsDiscoveryStream

type SdsDiscoveryStream interface {
	Send(*v2.DiscoveryResponse) error
	Recv() (*v2.DiscoveryRequest, error)
	grpc.ServerStream
}

SdsDiscoveryStream is the same as the sds.SecretDiscoveryService_StreamSecretsServer

type SdsServer

type SdsServer struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

SdsServer to talk with envoy for sds.

func NewSdsServer

func NewSdsServer(contextID string, puInfo *policy.PUInfo, caPool *x509.CertPool, secrets secrets.Secrets) (*SdsServer, error)

NewSdsServer creates a instance of a server.

func (*SdsServer) CreateSdsService

func (s *SdsServer) CreateSdsService(options *Options) error

CreateSdsService does the following 1. create grpc server. 2. create a listener on the Unix Domain Socket. 3.

func (*SdsServer) DeltaSecrets

DeltaSecrets checks for the delta and sends the changes.

func (*SdsServer) FetchSecrets

func (s *SdsServer) FetchSecrets(ctx context.Context, req *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error)

FetchSecrets gets the discovery request and call the Aporeto backend to fetch the certs. 1. parse the discovery request. 2. track the request. 3. call the Aporeto api to generate the secret

func (*SdsServer) GracefulStop

func (s *SdsServer) GracefulStop()

GracefulStop calls the function with the same name on the backing gRPC server

func (*SdsServer) Run

func (s *SdsServer) Run()

Run starts the sdsGrpcServer to serve

func (*SdsServer) Stop

func (s *SdsServer) Stop()

Stop stops all the listeners and the grpc servers.

func (*SdsServer) StreamSecrets

StreamSecrets is the function invoked by the envoy in-order to pull the certs, this also sends the response back to the envoy. It does the following: 1. create a receiver thread to stream the requests. 2. parse the discovery request. 3. track the request. 4. call the Aporeto api to generate the secret

func (*SdsServer) UpdateSecrets

func (s *SdsServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string)

UpdateSecrets updates the secrets Whenever the Envoy makes a request for certificate, the certs and keys are fetched from the Proxy.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL