istioagent

package
v0.0.0-...-0a41d8a
Warning: this package is not in the latest version of its module.
Published: Jan 13, 2025 License: Apache-2.0 Imports: 51 Imported by: 1

Documentation

Constants

const (
	// MetadataClientCertKey is ISTIO_META env var used for client key.
	MetadataClientCertKey = "ISTIO_META_TLS_CLIENT_KEY"
	// MetadataClientCertChain is ISTIO_META env var used for client cert chain.
	MetadataClientCertChain = "ISTIO_META_TLS_CLIENT_CERT_CHAIN"
	// MetadataClientRootCert is ISTIO_META env var used for client root cert.
	MetadataClientRootCert = "ISTIO_META_TLS_CLIENT_ROOT_CERT"
)
const (
	// CitadelCACertPath is the directory for Citadel CA certificate.
	// This is mounted from config map 'istio-ca-root-cert'. Part of startup,
	// this may be replaced with ./etc/certs, if a root-cert.pem is found, to
	// handle secrets mounted from non-citadel CAs.
	CitadelCACertPath = "./var/run/secrets/istio"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Agent

type Agent struct {
	// contains filtered or unexported fields
}

Agent contains the configuration of the agent, based on the injected environment:
- SDS hostPath if node-agent was used
- /etc/certs/key if Citadel or other mounted Secrets are used
- root cert to use for connecting to XDS server
- CA address, with proper defaults and detection

func NewAgent

func NewAgent(proxyConfig *mesh.ProxyConfig, agentOpts *AgentOptions, sopts *security.Options, eopts envoy.ProxyConfig) *Agent

NewAgent hosts the functionality for local SDS and XDS. This consists of the local SDS server and associated clients to sign certificates (when not using files), and the local XDS proxy (including health checking for VMs and DNS proxying).

func (*Agent) Check

func (a *Agent) Check() (err error)

Check is used in the readiness check of the agent to ensure the DNSServer is ready.

func (*Agent) Close

func (a *Agent) Close()

func (*Agent) DrainNow

func (a *Agent) DrainNow()

func (*Agent) EnvoyDisabled

func (a *Agent) EnvoyDisabled() bool

EnvoyDisabled if true indicates calling Run will not run and wait for Envoy.

func (*Agent) FindRootCAForCA

func (a *Agent) FindRootCAForCA() (string, error)

FindRootCAForCA finds the root CA to use when connecting to the CA (Istiod or external).

func (*Agent) FindRootCAForXDS

func (a *Agent) FindRootCAForXDS() (string, error)

FindRootCAForXDS determines the root CA to be configured in the bootstrap file. It may be different from the CA for the cert server, which is based on CA_ADDR. In addition, it deals with the case where the XDS server is on port 443 and is expected to present a proper cert, using /etc/ssl/certs/ca-certificates.crt.
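The trust-anchor selection that FindRootCAForXDS describes (a custom root via AgentOptions.XDSRootCerts, the OS bundle for an XDS server on port 443, and the ./etc/certs root-cert.pem fallback noted on CitadelCACertPath), as an added, simplified Go reconstruction. This is example code, not the istioagent implementation; the precedence order, the root-cert.pem file name under the Citadel directory and the injected exists callback are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
)

// Paths from this page's constants and doc comments; the file under the
// CitadelCACertPath directory is assumed to be root-cert.pem (as in ./etc/certs).
const (
	CitadelRootCert = "./var/run/secrets/istio/root-cert.pem"
	MountedRootCert = "./etc/certs/root-cert.pem"
	SystemCABundle  = "/etc/ssl/certs/ca-certificates.crt"
)

// RootCAForXDS picks the trust anchor for the agent-to-istiod XDS connection.
// The precedence (explicit override, port 443 => OS bundle, mounted
// root-cert.pem, Citadel root) is an assumption built from the doc comments,
// not the agent's own code. exists is injected so the logic is testable offline.
func RootCAForXDS(xdsAddr, xdsRootCerts string, exists func(string) bool) (string, error) {
	if xdsRootCerts != "" {
		// AgentOptions.XDSRootCerts was set: fail closed rather than widen trust.
		if !exists(xdsRootCerts) {
			return "", errors.New("XDSRootCerts not found: " + xdsRootCerts)
		}
		return xdsRootCerts, nil
	}
	_, port, err := net.SplitHostPort(xdsAddr)
	if err != nil {
		return "", err
	}
	if port == "443" {
		// XDS on 443 is expected to present a cert chaining to a public root.
		return SystemCABundle, nil
	}
	if exists(MountedRootCert) {
		// Secrets mounted from a non-Citadel CA replace the Citadel root.
		return MountedRootCert, nil
	}
	return CitadelRootCert, nil
}

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	ca, err := RootCAForXDS("istiod.istio-system.svc:15012", "", exists)
	fmt.Println(ca, err)
}
```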

func (*Agent) GRPCBootstrapPath

func (a *Agent) GRPCBootstrapPath() string

GRPCBootstrapPath returns the most recently generated gRPC bootstrap or nil if there is none.

func (*Agent) GetDNSTable

func (a *Agent) GetDNSTable() *dnsProto.NameTable

GetDNSTable builds DNS table used in debugging interface.

func (*Agent) GetKeyCertsForCA

func (a *Agent) GetKeyCertsForCA() (string, string)

GetKeyCertsForCA returns the key and cert file paths for connecting with the CA server.

func (*Agent) GetKeyCertsForXDS

func (a *Agent) GetKeyCertsForXDS() (string, string)

GetKeyCertsForXDS returns the key and cert file paths for connecting with XDS.

func (*Agent) Run

func (a *Agent) Run(ctx context.Context) (func(), error)

Run is a non-blocking call which returns either an error or a function to await for completion.

func (*Agent) WaitForSigterm

func (a *Agent) WaitForSigterm() bool

WaitForSigterm if true indicates calling Run will block until SIGTERM or SIGINT is received.

type AgentOptions

type AgentOptions struct {
	// DNSCapture indicates if the XDS proxy has dns capture enabled or not
	DNSCapture bool
	// Enables DNS server at Gateways.
	DNSAtGateway bool
	// DNSAddr is the DNS capture address
	DNSAddr string
	// DNSForwardParallel indicates whether the agent should send parallel DNS queries to all upstream nameservers.
	DNSForwardParallel bool
	// ProxyType is the type of proxy we are configured to handle
	ProxyType model.NodeType
	// ProxyNamespace to use for local dns resolution
	ProxyNamespace string
	// ProxyDomain is the DNS domain associated with the proxy (assumed
	// to include the namespace as well) (for local dns resolution)
	ProxyDomain string
	// Node identifier used by Envoy
	ServiceNode string

	// XDSRootCerts is the location of the root CA for the XDS connection. Used for setting platform certs or
	// using custom roots.
	XDSRootCerts string

	// CARootCerts of the location of the root CA for the CA connection. Used for setting platform certs or
	// using custom roots.
	CARootCerts string

	// Extra headers to add to the XDS connection.
	XDSHeaders map[string]string

	// Is the proxy an IPv6 proxy
	IsIPv6 bool

	// Path to local UDS to communicate with Envoy
	XdsUdsPath string

	// Ability to retrieve ProxyConfig dynamically through XDS
	EnableDynamicProxyConfig bool

	// All of the proxy's IP Addresses
	ProxyIPAddresses []string

	// Envoy status port (that circles back to the agent status port). Really belongs to the proxy config.
	// Cannot be eradicated because mistakes have been made.
	EnvoyStatusPort int

	// Envoy prometheus port that circles back to its admin port for prom endpoint. Really belongs to the
	// proxy config.
	EnvoyPrometheusPort int

	MinimumDrainDuration time.Duration

	ExitOnZeroActiveConnections bool

	// Cloud platform
	Platform platform.Environment

	// GRPCBootstrapPath if set will generate a file compatible with GRPC_XDS_BOOTSTRAP
	GRPCBootstrapPath string

	// Disables all envoy agent features
	DisableEnvoy          bool
	DownstreamGrpcOptions []grpc.ServerOption

	IstiodSAN string

	WASMOptions wasm.Options

	// Enable metadata discovery bootstrap extension
	MetadataDiscovery bool

	SDSFactory func(options *security.Options, workloadSecretCache security.SecretManager, pkpConf *mesh.PrivateKeyProvider) SDSService

	// Name of the socket file which will be used for workload SDS.
	// If this is set to something other than the default socket file used
	// by Istio's default SDS server, the socket file must be present.
	// Note that the path is not configurable by design - only the socket file name.
	WorkloadIdentitySocketFile string
}

AgentOptions contains additional config for the agent, not included in ProxyConfig. Most are from env variables (still experimental) or for testing only. Eventually most non-test settings should graduate to ProxyConfig. Please don't add 100 parameters to the NewAgent function (or any other)!

type LifecycleEvent

type LifecycleEvent string
const (
	DrainLifecycleEvent LifecycleEvent = "drain"
	ExitLifecycleEvent  LifecycleEvent = "exit"
)

type Proxy

type Proxy struct {
	ID          string
	IPAddresses []string
	Type        model.NodeType

	DNSDomain string
	// contains filtered or unexported fields
}

Proxy holds the properties shared with the Pilot Proxy struct.

func (*Proxy) DiscoverIPMode

func (node *Proxy) DiscoverIPMode()

func (*Proxy) IsIPv6

func (node *Proxy) IsIPv6() bool

IsIPv6 returns true if proxy only supports IPv6 addresses.

func (*Proxy) ServiceNode

func (node *Proxy) ServiceNode() string

func (*Proxy) SupportsIPv6

func (node *Proxy) SupportsIPv6() bool

type ProxyConnection

type ProxyConnection struct {
	// contains filtered or unexported fields
}

ProxyConnection represents a connection to a downstream proxy.

type ResponseHandler

type ResponseHandler func(resp *anypb.Any) error

ResponseHandler handles an XDS response in the agent. These responses are not forwarded to Envoy. Currently, all handlers operate on a single resource per type, so the API only exposes one resource.

type RootCertProvider

type RootCertProvider interface {
	GetKeyCertsForCA() (string, string)
	FindRootCAForCA() (string, error)
}

type SDSService

type SDSService interface {
	OnSecretUpdate(resourceName string)
	Stop()
}

type XdsProxy

type XdsProxy struct {
	// contains filtered or unexported fields
}

XdsProxy proxies all XDS requests from Envoy to istiod, and additionally allows subsystems inside the agent (e.g. dns, sds) to communicate with either istiod or Envoy. The goal is to consolidate all XDS-related connections to istiod/Envoy into a single TCP connection with multiple gRPC streams.
TODO: Right now, the workloadSDS server and gatewaySDS servers are still separate connections. These need to be consolidated.
TODO: consolidate/use ADSC struct - a lot of duplication.

func (*XdsProxy) DeltaAggregatedResources

func (p *XdsProxy) DeltaAggregatedResources(downstream DeltaDiscoveryStream) error

DeltaAggregatedResources is an implementation of the Delta XDS API used for proxying between Istiod and Envoy. Every time Envoy makes a fresh connection to the agent, we re-establish a new connection to the upstream XDS server. This ensures that a new connection between istiod and the agent doesn't end up consuming pending messages from Envoy, since the new connection may not go to the same istiod. The reverse case also applies.

func (*XdsProxy) StreamAggregatedResources

func (p *XdsProxy) StreamAggregatedResources(downstream DiscoveryStream) error

StreamAggregatedResources is an implementation of the XDS API used for proxying between Istiod and Envoy. Every time Envoy makes a fresh connection to the agent, we re-establish a new connection to the upstream XDS server. This ensures that a new connection between istiod and the agent doesn't end up consuming pending messages from Envoy, since the new connection may not go to the same istiod. The reverse case also applies.
