Constants ¶
const (
	// SDSClusterName is the name of the cluster for SDS connections.
	SDSClusterName = "sds-grpc"
	// SDSDefaultResourceName is the default name in sdsconfig, used for fetching the normal key/cert.
	SDSDefaultResourceName = "default"
	// SDSRootResourceName is the sdsconfig name for the root CA, used for fetching the root cert.
	SDSRootResourceName = "ROOTCA"
)
const (
	// IstioCanonicalServiceLabelName is the name of the label for the Istio Canonical Service of a workload instance.
	IstioCanonicalServiceLabelName = "service.istio.io/canonical-name"
	// IstioCanonicalServiceRevisionLabelName is the name of the label for the Istio Canonical Service revision of a workload instance.
	IstioCanonicalServiceRevisionLabelName = "service.istio.io/canonical-revision"
)
const (
	// WasmSecretEnv is the name of the environment variable at the Wasm VM which carries the Wasm image pull secret.
	// NOTE(review): the value behind this variable is credential material; treat it as sensitive in logs and dumps.
	WasmSecretEnv = "ISTIO_META_WASM_IMAGE_PULL_SECRET"
	// WasmPolicyEnv is the name of the environment variable at the Wasm VM which carries the Wasm image pull policy.
	WasmPolicyEnv = "ISTIO_META_WASM_IMAGE_PULL_POLICY"
	// WasmResourceVersionEnv is the name of the environment variable at the Wasm VM which carries the resource version of the WasmPlugin.
	WasmResourceVersionEnv = "ISTIO_META_WASM_PLUGIN_RESOURCE_VERSION"

	// WasmHTTPFilterType is the type URL of the Envoy HTTP Wasm filter.
	WasmHTTPFilterType = APITypePrefix + wellknown.HTTPWasm
	// WasmNetworkFilterType is the type URL of the Envoy network Wasm filter.
	WasmNetworkFilterType = APITypePrefix + "envoy.extensions.filters.network.wasm.v3.Wasm"
	// TypedStructType is the type URL of udpa TypedStruct.
	TypedStructType = APITypePrefix + "udpa.type.v1.TypedStruct"
)
// Type URLs of the xDS resources exchanged between istiod and proxies. All but DebugType
// share the APITypePrefix prefix.
const (
	APITypePrefix              = "type.googleapis.com/"
	ClusterType                = APITypePrefix + "envoy.config.cluster.v3.Cluster"
	EndpointType               = APITypePrefix + "envoy.config.endpoint.v3.ClusterLoadAssignment"
	ListenerType               = APITypePrefix + "envoy.config.listener.v3.Listener"
	RouteType                  = APITypePrefix + "envoy.config.route.v3.RouteConfiguration"
	SecretType                 = APITypePrefix + "envoy.extensions.transport_sockets.tls.v3.Secret"
	ExtensionConfigurationType = APITypePrefix + "envoy.config.core.v3.TypedExtensionConfig"
	NameTableType              = APITypePrefix + "istio.networking.nds.v1.NameTable"
	HealthInfoType             = APITypePrefix + "istio.v1.HealthInformation"
	ProxyConfigType            = APITypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
	// DebugType requests debug info from istio, a secured implementation for the istio debug interface.
	DebugType                 = "istio.io/debug"
	BootstrapType             = APITypePrefix + "envoy.config.bootstrap.v3.Bootstrap"
	AddressType               = APITypePrefix + "istio.workload.Address"
	WorkloadType              = APITypePrefix + "istio.workload.Workload"
	WorkloadAuthorizationType = APITypePrefix + "istio.security.Authorization"
)
const (
	// LocalityLabel indicates the region/zone/subzone of an instance. It is used to override the native
	// registry's value.
	//
	// Note: because k8s labels do not support `/`, we use `.` instead in k8s.
	LocalityLabel = "istio-locality"
)
Variables ¶
// ALPNH2Only advertises that the proxy is going to use HTTP/2 when talking to the cluster.
var ALPNH2Only = []string{"h2"}
ALPNH2Only advertises that Proxy is going to use HTTP/2 when talking to the cluster.
// ALPNInMeshH2 advertises that the proxy is going to use HTTP/2 when talking to the in-mesh cluster.
// The custom "istio" value indicates in-mesh traffic and is used for routing decisions.
// Once Envoy supports client-side ALPN negotiation, this should be {"istio", "h2", "http/1.1"}.
var ALPNInMeshH2 = []string{"istio", "h2"}
ALPNInMeshH2 advertises that Proxy is going to use HTTP/2 when talking to the in-mesh cluster. The custom "istio" value indicates in-mesh traffic and it's going to be used for routing decisions. Once Envoy supports client-side ALPN negotiation, this should be {"istio", "h2", "http/1.1"}.
Functions ¶
func ConstructSdsSecretConfig ¶
func ConstructSdsSecretConfig(name string) *tls.SdsSecretConfig
ConstructSdsSecretConfig constructs the SDS secret configuration for a workload proxy.
func ConvertLocality ¶
ConvertLocality converts a '/'-separated locality string into a Locality struct.
func EnforceCompliance ¶
func EnforceCompliance(ctx *tls.CommonTlsContext)
EnforceCompliance restricts the TLS settings to the compliant values. It should be applied last, after every other TLS policy, so that no later setting can relax the result.
func EnforceGoCompliance ¶
EnforceGoCompliance restricts the TLS settings to the compliant values. It should be applied last, after every other TLS policy, so that no later setting can relax the result.
func GetLocalityLabel ¶
GetLocalityLabel returns the locality from the supplied label. Because Kubernetes labels do not support `/`, "." in the supplied label is replaced with "/" as a workaround.
func GetMetricType ¶
GetMetricType returns the form of a type as reported for metrics.
func GetOrDefault ¶
GetOrDefault returns the value, or the default if the value is empty. Useful when retrieving node metadata fields.
func GetResourceType ¶
GetResourceType returns the full resource type for an abbreviated form.
func GetShortType ¶
GetShortType returns an abbreviated form of a type, useful for logging or human-friendly messages.
func IsApplicationNodeType ¶
IsApplicationNodeType verifies that the NodeType is one of the constants declared in the model.
func IsEnvoyType ¶
IsEnvoyType checks whether the typeURL is a valid Envoy type.
func StringToExactMatch ¶
func StringToExactMatch(in []string) []*matcher.StringMatcher
Types ¶
type BootstrapNodeMetadata ¶
// BootstrapNodeMetadata is a superset of NodeMetadata, intended to model the entirety of the node
// metadata configured in the Envoy bootstrap. It is split out from NodeMetadata to explicitly
// segment the parameters consumed by Pilot from those used only as part of the bootstrap.
type BootstrapNodeMetadata struct {
	NodeMetadata

	// InstanceName is the short name for the workload instance (ex: pod name);
	// replaces POD_NAME.
	InstanceName string `json:"NAME,omitempty"`
	// Owner specifies the workload owner (opaque string). Typically, this is the owning controller
	// of the workload instance (ex: k8s deployment for a k8s pod).
	Owner string `json:"OWNER,omitempty"`
	// PilotSubjectAltName is the list of subject alternate names for the xDS server.
	PilotSubjectAltName []string `json:"PILOT_SAN,omitempty"`
	// XDSRootCert defines the root cert to use for XDS connections.
	// It is not part of the JSON form (tag "-").
	XDSRootCert string `json:"-"`
	// OutlierLogPath is the cluster manager outlier event log path.
	OutlierLogPath string `json:"OUTLIER_LOG_PATH,omitempty"`
	// AppContainers is the list of containers in the pod.
	AppContainers string `json:"APP_CONTAINERS,omitempty"`
	// IstioProxySHA is the SHA of the proxy version.
	IstioProxySHA string `json:"ISTIO_PROXY_SHA,omitempty"`
}
BootstrapNodeMetadata is a superset of NodeMetadata, intended to model the entirety of the node metadata we configure in the Envoy bootstrap. It is split out from NodeMetadata to explicitly segment the parameters that are consumed by Pilot from the parameters used only as part of the bootstrap. Fields used only by the bootstrap are consumed by Envoy itself, such as by the telemetry filters.
func (*BootstrapNodeMetadata) UnmarshalJSON ¶
func (m *BootstrapNodeMetadata) UnmarshalJSON(data []byte) error
type Node ¶
// Node is a typed version of an Envoy node with metadata.
type Node struct {
	// ID of the Envoy node.
	ID string
	// Metadata is the typed node metadata.
	Metadata *BootstrapNodeMetadata
	// RawMetadata is the untyped node metadata.
	RawMetadata map[string]any
	// Locality from the Envoy bootstrap.
	Locality *core.Locality
}
Node is a typed version of Envoy node with metadata.
type NodeMetaProxyConfig ¶
// NodeMetaProxyConfig wraps meshconfig.ProxyConfig so it can be (un)marshaled as part of the node
// metadata. ProxyConfig can only be marshaled using (gogo) jsonpb, while the rest of the node
// metadata is not a proto, so this custom type calls out to the gogo marshaller.
type NodeMetaProxyConfig meshconfig.ProxyConfig
ProxyConfig can only be marshaled using (gogo) jsonpb. However, the rest of the node metadata is not a proto. To allow marshaling, we define a custom type that calls out to the gogo marshaller.
func (*NodeMetaProxyConfig) MarshalJSON ¶
func (s *NodeMetaProxyConfig) MarshalJSON() ([]byte, error)
func (*NodeMetaProxyConfig) UnmarshalJSON ¶
func (s *NodeMetaProxyConfig) UnmarshalJSON(data []byte) error
type NodeMetadata ¶
// NodeMetadata defines the metadata associated with a proxy.
// Fields should not be assumed to exist on the proxy, especially newly added fields, which will
// not exist on older versions. The JSON field names should never change, as they are needed for
// backward compatibility with older proxies.
// nolint: maligned
type NodeMetadata struct {
	// ProxyConfig defines the proxy config specified for a proxy.
	// Note that this setting may be configured differently for each proxy, due to user overrides
	// or to different versions of proxies connecting. While Pilot has access to the meshConfig.defaultConfig,
	// this field should be preferred if it is present.
	ProxyConfig *NodeMetaProxyConfig `json:"PROXY_CONFIG,omitempty"`

	// IstioVersion specifies the Istio version associated with the proxy.
	IstioVersion string `json:"ISTIO_VERSION,omitempty"`

	// IstioRevision specifies the Istio revision associated with the proxy.
	// Mostly used when istiod requests the upstream.
	IstioRevision string `json:"ISTIO_REVISION,omitempty"`

	// Labels specifies the set of workload instance (ex: k8s pod) labels associated with this node.
	// It contains both StaticLabels and pod labels if any; it is a superset of StaticLabels.
	// Note: it is not meant to be used during xds generation.
	Labels map[string]string `json:"LABELS,omitempty"`

	// StaticLabels specifies the set of labels from `ISTIO_METAJSON_LABELS`.
	StaticLabels map[string]string `json:"STATIC_LABELS,omitempty"`

	// Annotations specifies the set of workload instance (ex: k8s pod) annotations associated with this node.
	Annotations map[string]string `json:"ANNOTATIONS,omitempty"`

	// InstanceIPs is the set of IPs attached to this proxy.
	InstanceIPs StringList `json:"INSTANCE_IPS,omitempty"`

	// Namespace is the namespace in which the workload instance is running.
	Namespace string `json:"NAMESPACE,omitempty"`

	// NodeName is the name of the kubernetes node on which the workload instance is running.
	NodeName string `json:"NODE_NAME,omitempty"`

	// WorkloadName specifies the name of the workload represented by this node.
	WorkloadName string `json:"WORKLOAD_NAME,omitempty"`

	// InterceptionMode is the name of the metadata variable that carries info about
	// the traffic interception mode at the proxy.
	InterceptionMode TrafficInterceptionMode `json:"INTERCEPTION_MODE,omitempty"`

	// ServiceAccount specifies the service account which is running the workload.
	ServiceAccount string `json:"SERVICE_ACCOUNT,omitempty"`

	// HTTPProxyPort enables the http proxy on the port for the current sidecar.
	// Same as MeshConfig.HttpProxyPort, but with per-sidecar scope.
	HTTPProxyPort string `json:"HTTP_PROXY_PORT,omitempty"`

	// MeshID specifies the mesh ID environment variable.
	MeshID string `json:"MESH_ID,omitempty"`

	// ClusterID defines the cluster the node belongs to.
	ClusterID cluster.ID `json:"CLUSTER_ID,omitempty"`

	// Network defines the network the node belongs to. It is optional metadata,
	// set at injection time. When set, the Endpoints returned to a node and not on the same network
	// will be replaced with the gateway defined in the settings.
	Network network.ID `json:"NETWORK,omitempty"`

	// RequestedNetworkView specifies the networks that the proxy wants to see.
	RequestedNetworkView StringList `json:"REQUESTED_NETWORK_VIEW,omitempty"`

	// PodPorts defines the ports on a pod. This is used to look up named ports.
	PodPorts PodPortList `json:"POD_PORTS,omitempty"`

	// The TLS*Key/Cert fields below carry file-system paths, not key material. NOTE(review): the
	// paths are not secret, but the private-key files they point at are; this struct does not
	// constrain who may read them.

	// TLSServerCertChain is the absolute path to the server cert-chain file.
	TLSServerCertChain string `json:"TLS_SERVER_CERT_CHAIN,omitempty"`
	// TLSServerKey is the absolute path to the server private key file.
	TLSServerKey string `json:"TLS_SERVER_KEY,omitempty"`
	// TLSServerRootCert is the absolute path to the server root cert file.
	TLSServerRootCert string `json:"TLS_SERVER_ROOT_CERT,omitempty"`
	// TLSClientCertChain is the absolute path to the client cert-chain file.
	TLSClientCertChain string `json:"TLS_CLIENT_CERT_CHAIN,omitempty"`
	// TLSClientKey is the absolute path to the client private key file.
	TLSClientKey string `json:"TLS_CLIENT_KEY,omitempty"`
	// TLSClientRootCert is the absolute path to the client root cert file.
	TLSClientRootCert string `json:"TLS_CLIENT_ROOT_CERT,omitempty"`
	// CertBaseDir — presumably the base directory for the certificate files above; confirm against the callers.
	CertBaseDir string `json:"BASE,omitempty"`

	// IdleTimeout specifies the idle timeout for the proxy, in duration format (10s).
	// If not set, the default timeout is 1 hour.
	IdleTimeout string `json:"IDLE_TIMEOUT,omitempty"`

	// HTTP10 indicates the application behind the sidecar is making outbound http requests with the HTTP/1.0
	// protocol. It will enable the "AcceptHttp_10" option on the http options for outbound HTTP listeners.
	// Alpha in 1.1; based on feedback it may be turned into an API or change. Set to "1" to enable.
	HTTP10 string `json:"HTTP10,omitempty"`

	// Generator indicates the client wants to use a custom Generator plugin.
	Generator string `json:"GENERATOR,omitempty"`

	// DNSCapture indicates whether the workload has enabled dns capture.
	DNSCapture StringBool `json:"DNS_CAPTURE,omitempty"`

	// DNSAutoAllocate indicates whether the workload should have auto-allocated addresses for ServiceEntry.
	// This allows resolving ServiceEntries, which is especially useful for distinguishing TCP traffic.
	// This depends on DNSCapture.
	DNSAutoAllocate StringBool `json:"DNS_AUTO_ALLOCATE,omitempty"`

	// EnableHBONE, if set, will enable generation of HBONE listener config.
	// Note: this only impacts sidecars; ztunnel and waypoint proxies unconditionally use HBONE.
	EnableHBONE StringBool `json:"ENABLE_HBONE,omitempty"`

	// DisableHBONESend will disable sending HBONE.
	// Warning: if this is enabled, ambient may break; use with caution.
	DisableHBONESend StringBool `json:"DISABLE_HBONE_SEND,omitempty"`

	// AutoRegisterGroup will enable auto registration of the connected endpoint to the service registry
	// using the given WorkloadGroup name.
	AutoRegisterGroup string `json:"AUTO_REGISTER_GROUP,omitempty"`

	// WorkloadEntry specifies the name of the WorkloadEntry this proxy corresponds to.
	//
	// This field is intended for use in those scenarios where a user needs to
	// onboard a workload from a VM without relying on auto-registration.
	//
	// At runtime, when a proxy establishes an ADS connection to istiod,
	// istiod will treat a non-empty value of this field as an indicator
	// that the proxy corresponds to a VM and must be represented by a WorkloadEntry
	// with the given name.
	WorkloadEntry string `json:"WORKLOAD_ENTRY,omitempty"`

	// UnprivilegedPod is used to determine whether a Gateway Pod can open ports < 1024.
	UnprivilegedPod string `json:"UNPRIVILEGED_POD,omitempty"`

	// PlatformMetadata contains any platform-specific metadata.
	PlatformMetadata map[string]string `json:"PLATFORM_METADATA,omitempty"`

	// StsPort specifies the port of the security token exchange server (STS).
	// Used by envoy filters.
	StsPort string `json:"STS_PORT,omitempty"`

	// EnvoyStatusPort is the Envoy status port redirecting to the agent status port.
	EnvoyStatusPort int `json:"ENVOY_STATUS_PORT,omitempty"`

	// EnvoyPrometheusPort is the Envoy prometheus port redirecting to the admin port prometheus endpoint.
	EnvoyPrometheusPort int `json:"ENVOY_PROMETHEUS_PORT,omitempty"`

	// ExitOnZeroActiveConnections terminates Envoy if there are no active connections, if set.
	ExitOnZeroActiveConnections StringBool `json:"EXIT_ON_ZERO_ACTIVE_CONNECTIONS,omitempty"`

	// InboundListenerExactBalance sets connection balance config to use exact_balance for virtualInbound,
	// as long as QUIC, since it uses UDP, isn't also used.
	InboundListenerExactBalance StringBool `json:"INBOUND_LISTENER_EXACT_BALANCE,omitempty"`

	// OutboundListenerExactBalance sets connection balance config to use exact_balance for outbound
	// redirected tcp listeners. This does not change the virtualOutbound listener.
	OutboundListenerExactBalance StringBool `json:"OUTBOUND_LISTENER_EXACT_BALANCE,omitempty"`

	// CloudrunAddr is the istiod address when running ASM Managed Control Plane.
	CloudrunAddr string `json:"CLOUDRUN_ADDR,omitempty"`

	// MetadataDiscovery enables the metadata discovery service.
	MetadataDiscovery StringBool `json:"METADATA_DISCOVERY,omitempty"`

	// Raw contains a copy of the raw metadata. This is needed to look up arbitrary values.
	// If a value is known ahead of time it should be added to the struct rather than read from here.
	// It is not part of the JSON form (tag "-").
	Raw map[string]any `json:"-"`
}
NodeMetadata defines the metadata associated with a proxy. Fields should not be assumed to exist on the proxy, especially newly added fields, which will not exist on older versions. The JSON field names should never change, as they are needed for backward compatibility with older proxies. nolint: maligned
func (NodeMetadata) ProxyConfigOrDefault ¶
func (m NodeMetadata) ProxyConfigOrDefault(def *meshconfig.ProxyConfig) *meshconfig.ProxyConfig
ProxyConfigOrDefault is a helper function to get the ProxyConfig from the metadata, or fall back to a default. This is useful because the logic should check for proxy config from the proxy first and then defer to the mesh-wide defaults if it is not present.
func (NodeMetadata) ToStruct ¶
func (m NodeMetadata) ToStruct() *structpb.Struct
ToStruct converts NodeMetadata to a protobuf structure. This should be used only for debugging - performance is bad.
type NodeType ¶
// NodeType identifies the role the proxy serves in the mesh.
type NodeType string
NodeType identifies the role the proxy serves in the mesh.
const (
	// SidecarProxy type is used for sidecar proxies in the application containers.
	SidecarProxy NodeType = "sidecar"
	// Router type is used for standalone proxies acting as L7/L4 routers.
	Router NodeType = "router"
	// Waypoint type is used for waypoint proxies.
	Waypoint NodeType = "waypoint"
	// Ztunnel type is used for node proxies (ztunnel).
	Ztunnel NodeType = "ztunnel"
)
type PodPort ¶
// PodPort describes a mapping of port name to port number. Generally, this is just the
// definition of a port in Kubernetes, but without depending on the Kubernetes API.
type PodPort struct {
	// If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
	// named port in a pod must have a unique name. Name for the port that can be
	// referred to by services.
	// +optional
	Name string `json:"name,omitempty"`
	// Number of the port to expose on the pod's IP address.
	// This must be a valid port number, 0 < x < 65536.
	ContainerPort int `json:"containerPort"`
	// Name of the protocol.
	Protocol string `json:"protocol"`
}
PodPort describes a mapping of port name to port number. Generally, this is just the definition of a port in Kubernetes, but without depending on the Kubernetes API.
type PodPortList ¶
// PodPortList defines a list of PodPort's that is serialized as a string.
// This is for legacy reasons, where proper JSON was not supported and the list was written as a string.
type PodPortList []PodPort
PodPortList defines a list of PodPort's that is serialized as a string. This is for legacy reasons, where proper JSON was not supported and the list was written as a string.
func (PodPortList) MarshalJSON ¶
func (l PodPortList) MarshalJSON() ([]byte, error)
func (*PodPortList) UnmarshalJSON ¶
func (l *PodPortList) UnmarshalJSON(data []byte) error
type StringBool ¶
// StringBool defines a boolean that is serialized as a string for legacy reasons.
type StringBool bool
StringBool defines a boolean that is serialized as a string for legacy reasons.
func (StringBool) MarshalJSON ¶
func (s StringBool) MarshalJSON() ([]byte, error)
func (*StringBool) UnmarshalJSON ¶
func (s *StringBool) UnmarshalJSON(data []byte) error
type StringList ¶
// StringList is a list that is marshaled to a comma-separated string in JSON.
type StringList []string
StringList is a list that is marshaled to a comma-separated string in JSON.
func (StringList) MarshalJSON ¶
func (l StringList) MarshalJSON() ([]byte, error)
func (*StringList) UnmarshalJSON ¶
func (l *StringList) UnmarshalJSON(data []byte) error
type TrafficInterceptionMode ¶
// TrafficInterceptionMode indicates how traffic to/from the workload is captured and sent to Envoy.
// This should not be confused with the CaptureMode in the API, which indicates how the user wants
// traffic to be intercepted for the listener. TrafficInterceptionMode is always derived from the
// proxy metadata.
type TrafficInterceptionMode string
TrafficInterceptionMode indicates how traffic to/from the workload is captured and sent to Envoy. This should not be confused with the CaptureMode in the API, which indicates how the user wants traffic to be intercepted for the listener. TrafficInterceptionMode is always derived from the proxy metadata.