Constants
const (
	// SDSClusterName is the name of the cluster for SDS connections.
	// Re-exported from the pm package so callers share one value.
	SDSClusterName = pm.SDSClusterName
	// SDSDefaultResourceName is the default name in sdsconfig, used for fetching normal key/cert.
	SDSDefaultResourceName = pm.SDSDefaultResourceName
	// SDSRootResourceName is the sdsconfig name for root CA, used for fetching root cert.
	SDSRootResourceName = pm.SDSRootResourceName
	// ThirdPartyJwtPath is the token volume mount file name for k8s trustworthy jwt token.
	// This is a fixed in-container path; the token it names is a credential and must
	// only be read by the proxy, never logged.
	ThirdPartyJwtPath = "/var/run/secrets/tokens/istio-token"
	// SdsCaSuffix is the suffix of the sds resource name for root CA.
	SdsCaSuffix = credentials.SdsCaSuffix
	// EnvoyJwtFilterName is the name of the Envoy JWT filter. This should be the same as the name defined
	// in https://github.com/envoyproxy/envoy/blob/v1.9.1/source/extensions/filters/http/well_known_names.h#L48
	EnvoyJwtFilterName = "envoy.filters.http.jwt_authn"
)
Variables
// SDSAdsConfig is the ConfigSource handed to SDS secret configs so that secrets
// are fetched over the aggregated discovery (ADS) stream using the v3 resource
// API, rather than from a separate SDS endpoint.
var SDSAdsConfig = &core.ConfigSource{
	ConfigSourceSpecifier: &core.ConfigSource_Ads{
		Ads: &core.AggregatedConfigSource{},
	},
	ResourceApiVersion: core.ApiVersion_V3,
}
Functions
func ApplyCredentialSDSToServerCommonTLSContext
func ApplyCredentialSDSToServerCommonTLSContext(tlsContext *tls.CommonTlsContext, tlsOpts *networking.ServerTLSSettings, credentialSocketExist bool, )
ApplyCredentialSDSToServerCommonTLSContext applies the credentialName SDS configuration (Gateway/DestinationRule) to the CommonTlsContext. It is used for building both the gateway and sidecar TLS contexts.
func ApplyCustomSDSToClientCommonTLSContext
func ApplyCustomSDSToClientCommonTLSContext(tlsContext *tls.CommonTlsContext, tlsOpts *networking.ClientTLSSettings, credentialSocketExist bool, )
ApplyCustomSDSToClientCommonTLSContext applies the customized SDS configuration to the CommonTlsContext. It is used for building the upstream TLS context for an egress gateway's TLS/mTLS origination.
func ApplyToCommonTLSContext
func ApplyToCommonTLSContext(tlsContext *tls.CommonTlsContext, proxy *model.Proxy, subjectAltNames []string, crl string, trustDomainAliases []string, validateClient bool, )
ApplyToCommonTLSContext completes the commonTlsContext.
func ConstructSdsSecretConfig
func ConstructSdsSecretConfig(name string) *tls.SdsSecretConfig
ConstructSdsSecretConfig constructs the SDS Secret Configuration for the workload proxy.
func ConstructSdsSecretConfigForCredential
func ConstructSdsSecretConfigForCredential(name string, credentialSocketExist bool) *tls.SdsSecretConfig
ConstructSdsSecretConfigForCredential constructs the SDS secret configuration used for certificates referenced by credentialName in a DestinationRule or Gateway. Currently this is served by a local SDS server, but in the future it will be replaced by the Istiod SDS server.
func ConstructSdsSecretConfigForCredentialSocket
func ConstructSdsSecretConfigForCredentialSocket(name string) *tls.SdsSecretConfig
ConstructSdsSecretConfigForCredentialSocket constructs the SDS Secret Configuration based on CredentialNameSocketPath; if CredentialNameSocketPath exists, the static cluster 'sds-external' is used.
func EnforceCompliance
func EnforceCompliance(ctx *tls.CommonTlsContext)
func EnforceGoCompliance