model

package
Published: Nov 23, 2024 License: Apache-2.0 Imports: 21 Imported by: 1

Constants

// SDS (Secret Discovery Service) identifiers used when the proxy fetches its TLS
// material over the SDS gRPC cluster. The resource name tells the SDS server which
// material is requested: the workload's own key/cert or the root CA.
const (
	// SDSClusterName is the name of the cluster for SDS connections.
	SDSClusterName = "sds-grpc"

	// SDSDefaultResourceName is the default name in sdsconfig, used for fetching the
	// workload's normal key/cert.
	SDSDefaultResourceName = "default"

	// SDSRootResourceName is the sdsconfig name for the root CA, used for fetching the
	// root cert that acts as the trust anchor for peer validation.
	SDSRootResourceName = "ROOTCA"
)
// Label keys identifying the Istio Canonical Service of a workload instance.
const (
	// IstioCanonicalServiceLabelName is the name of the label for the Istio Canonical Service
	// for a workload instance.
	IstioCanonicalServiceLabelName = "service.istio.io/canonical-name"

	// IstioCanonicalServiceRevisionLabelName is the name of the label for the Istio Canonical
	// Service revision for a workload instance.
	IstioCanonicalServiceRevisionLabelName = "service.istio.io/canonical-revision"
)
// Environment variable names and type URLs used for Wasm plugin delivery.
const (
	// WasmSecretEnv is the name of the environment variable at the Wasm VM which carries the
	// Wasm image pull secret. Its value is a credential and should be treated as sensitive
	// (for example, never echoed into logs or debug dumps of the VM environment).
	WasmSecretEnv = "ISTIO_META_WASM_IMAGE_PULL_SECRET"
	// WasmPolicyEnv is the name of the environment variable at the Wasm VM which carries the
	// Wasm image pull policy.
	WasmPolicyEnv = "ISTIO_META_WASM_IMAGE_PULL_POLICY"
	// WasmResourceVersionEnv is the name of the environment variable at the Wasm VM which carries
	// the resource version of the WasmPlugin.
	WasmResourceVersionEnv = "ISTIO_META_WASM_PLUGIN_RESOURCE_VERSION"

	// WasmHTTPFilterType is the type URL of the Envoy HTTP Wasm filter (wellknown.HTTPWasm).
	WasmHTTPFilterType    = APITypePrefix + wellknown.HTTPWasm
	// WasmNetworkFilterType is the type URL of the Envoy network Wasm filter.
	WasmNetworkFilterType = APITypePrefix + "envoy.extensions.filters.network.wasm.v3.Wasm"
	// TypedStructType is the type URL of udpa.type.v1.TypedStruct.
	TypedStructType       = APITypePrefix + "udpa.type.v1.TypedStruct"
)
// Type URLs of the xDS and Istio resources exchanged with the proxy. Every entry is
// APITypePrefix followed by a fully qualified proto message name, except DebugType.
const (
	// APITypePrefix is the prefix shared by all proto type URLs.
	APITypePrefix = "type.googleapis.com/"

	ClusterType                = APITypePrefix + "envoy.config.cluster.v3.Cluster"
	EndpointType               = APITypePrefix + "envoy.config.endpoint.v3.ClusterLoadAssignment"
	ListenerType               = APITypePrefix + "envoy.config.listener.v3.Listener"
	RouteType                  = APITypePrefix + "envoy.config.route.v3.RouteConfiguration"
	SecretType                 = APITypePrefix + "envoy.extensions.transport_sockets.tls.v3.Secret"
	ExtensionConfigurationType = APITypePrefix + "envoy.config.core.v3.TypedExtensionConfig"

	NameTableType   = APITypePrefix + "istio.networking.nds.v1.NameTable"
	HealthInfoType  = APITypePrefix + "istio.v1.HealthInformation"
	ProxyConfigType = APITypePrefix + "istio.mesh.v1alpha1.ProxyConfig"
	// DebugType requests debug info from istio, a secured implementation for the istio debug
	// interface. Unlike the other entries it is not prefixed with APITypePrefix.
	DebugType                 = "istio.io/debug"
	BootstrapType             = APITypePrefix + "envoy.config.bootstrap.v3.Bootstrap"
	AddressType               = APITypePrefix + "istio.workload.Address"
	WorkloadType              = APITypePrefix + "istio.workload.Workload"
	WorkloadAuthorizationType = APITypePrefix + "istio.security.Authorization"
)
const (
	// LocalityLabel indicates the region/zone/subzone of an instance. It is used to override the
	// native registry's value.
	//
	// Note: because k8s labels do not support `/`, `.` is used instead in k8s (see GetLocalityLabel).
	LocalityLabel = "istio-locality"
)

Variables

// ALPNH2Only advertises that Proxy is going to use HTTP/2 when talking to the cluster.
var ALPNH2Only = []string{"h2"}

ALPNH2Only advertises that Proxy is going to use HTTP/2 when talking to the cluster.

// ALPNInMeshH2 advertises that Proxy is going to use HTTP/2 when talking to the in-mesh cluster.
// The custom "istio" value indicates in-mesh traffic and is used for routing decisions.
// Once Envoy supports client-side ALPN negotiation, this should be {"istio", "h2", "http/1.1"}.
var ALPNInMeshH2 = []string{"istio", "h2"}

ALPNInMeshH2 advertises that Proxy is going to use HTTP/2 when talking to the in-mesh cluster. The custom "istio" value indicates in-mesh traffic and it's going to be used for routing decisions. Once Envoy supports client-side ALPN negotiation, this should be {"istio", "h2", "http/1.1"}.

Functions

func ConstructSdsSecretConfig

func ConstructSdsSecretConfig(name string) *tls.SdsSecretConfig

ConstructSdsSecretConfig constructs SDS Secret Configuration for workload proxy.

func ConvertLocality

func ConvertLocality(locality string) *core.Locality

ConvertLocality converts '/' separated locality string to Locality struct.

func EnforceCompliance

func EnforceCompliance(ctx *tls.CommonTlsContext)

EnforceCompliance limits the TLS settings to the compliant values. This should be called as the last policy.

func EnforceGoCompliance

func EnforceGoCompliance(ctx *gotls.Config)

EnforceGoCompliance limits the TLS settings to the compliant values. This should be called as the last policy.

func GetLocalityLabel

func GetLocalityLabel(label string) string

GetLocalityLabel returns the locality from the supplied label. Because Kubernetes labels don't support `/`, we replace "." with "/" in the supplied label as a workaround.

func GetMetricType

func GetMetricType(typeURL string) string

GetMetricType returns the form of a type reported for metrics

func GetOrDefault

func GetOrDefault(s string, def string) string

GetOrDefault returns either the value, or the default if the value is empty. Useful when retrieving node metadata fields.

func GetResourceType

func GetResourceType(shortType string) string

GetResourceType returns the full resource type URL for an abbreviated type name.

func GetShortType

func GetShortType(typeURL string) string

GetShortType returns an abbreviated form of a type, useful for logging or human friendly messages

func IsApplicationNodeType

func IsApplicationNodeType(nType NodeType) bool

IsApplicationNodeType verifies that the NodeType is one of the declared constants in the model

func IsEnvoyType

func IsEnvoyType(typeURL string) bool

IsEnvoyType checks whether the typeURL is a valid Envoy type.

func StringToExactMatch

func StringToExactMatch(in []string) []*matcher.StringMatcher

Types

type BootstrapNodeMetadata

// BootstrapNodeMetadata is a superset of NodeMetadata, intended to model the entirety of the
// node metadata we configure in the Envoy bootstrap. This is split out from NodeMetadata to
// explicitly segment the parameters that are consumed by Pilot from the parameters used only
// as part of the bootstrap. Fields used by bootstrap only are consumed by Envoy itself, such
// as the telemetry filters.
type BootstrapNodeMetadata struct {
	// NodeMetadata holds the fields that are also consumed by Pilot.
	NodeMetadata

	// InstanceName is the short name for the workload instance (ex: pod name).
	// Replaces POD_NAME.
	InstanceName string `json:"NAME,omitempty"`

	// Owner specifies the workload owner (opaque string). Typically, this is the owning controller
	// of the workload instance (ex: k8s deployment for a k8s pod).
	Owner string `json:"OWNER,omitempty"`

	// PilotSubjectAltName (PILOT_SAN) is the list of subject alternate names expected for the
	// xDS server.
	PilotSubjectAltName []string `json:"PILOT_SAN,omitempty"`

	// XDSRootCert defines the root cert to use for XDS connections.
	// The `json:"-"` tag keeps it out of JSON (un)marshaling, so it is neither read from nor
	// written to the serialized node metadata.
	XDSRootCert string `json:"-"`

	// OutlierLogPath is the cluster manager outlier event log path.
	OutlierLogPath string `json:"OUTLIER_LOG_PATH,omitempty"`

	// AppContainers is the list of containers in the pod.
	AppContainers string `json:"APP_CONTAINERS,omitempty"`

	// IstioProxySHA is the SHA of the proxy version.
	IstioProxySHA string `json:"ISTIO_PROXY_SHA,omitempty"`
}

BootstrapNodeMetadata is a superset of NodeMetadata, intended to model the entirety of the node metadata we configure in the Envoy bootstrap. This is split out from NodeMetadata to explicitly segment the parameters that are consumed by Pilot from the parameters used only as part of the bootstrap. Fields used by bootstrap only are consumed by Envoy itself, such as the telemetry filters.

func (*BootstrapNodeMetadata) UnmarshalJSON

func (m *BootstrapNodeMetadata) UnmarshalJSON(data []byte) error

type IPMode

// IPMode represents the IP mode of the proxy (see the IPv4, IPv6 and Dual constants).
type IPMode int

IPMode represents the IP mode of proxy.

// IPMode constants starting with index 1; the zero value of IPMode is not a declared mode.
const (
	// IPv4 is the IPv4 mode.
	IPv4 IPMode = iota + 1
	// IPv6 is the IPv6 mode.
	IPv6
	// Dual covers both IPv4 and IPv6 (dual-stack).
	Dual
)

IPMode constants starting with index 1.

func DiscoverIPMode

func DiscoverIPMode(addrs []string) IPMode

type Node

// Node is a typed version of an Envoy node with metadata.
type Node struct {
	// ID of the Envoy node.
	ID string
	// Metadata is the typed node metadata.
	Metadata *BootstrapNodeMetadata
	// RawMetadata is the untyped node metadata.
	RawMetadata map[string]any
	// Locality from the Envoy bootstrap.
	Locality *core.Locality
}

Node is a typed version of Envoy node with metadata.

type NodeMetaProxyConfig

// NodeMetaProxyConfig wraps meshconfig.ProxyConfig so it can carry custom JSON
// (un)marshaling: ProxyConfig can only be marshaled using (gogo) jsonpb, while the
// rest of the node metadata is not a proto.
type NodeMetaProxyConfig meshconfig.ProxyConfig

ProxyConfig can only be marshaled using (gogo) jsonpb. However, the rest of the node metadata is not a proto. To allow marshaling, we need to define a custom type that calls out to the gogo marshaller.

func (*NodeMetaProxyConfig) MarshalJSON

func (s *NodeMetaProxyConfig) MarshalJSON() ([]byte, error)

func (*NodeMetaProxyConfig) UnmarshalJSON

func (s *NodeMetaProxyConfig) UnmarshalJSON(data []byte) error

type NodeMetadata

// NodeMetadata defines the metadata associated with a proxy. Fields should not be assumed to
// exist on the proxy, especially newly added fields which will not exist on older versions.
// The JSON field names should never change, as they are needed for backward compatibility
// with older proxies.
//
// nolint: maligned
type NodeMetadata struct {
	// ProxyConfig defines the proxy config specified for a proxy.
	// Note that this setting may be configured differently for each proxy, due to user overrides
	// or from different versions of proxies connecting. While Pilot has access to the meshConfig.defaultConfig,
	// this field should be preferred if it is present.
	ProxyConfig *NodeMetaProxyConfig `json:"PROXY_CONFIG,omitempty"`

	// IstioVersion specifies the Istio version associated with the proxy.
	IstioVersion string `json:"ISTIO_VERSION,omitempty"`

	// IstioRevision specifies the Istio revision associated with the proxy.
	// Mostly used when istiod requests the upstream.
	IstioRevision string `json:"ISTIO_REVISION,omitempty"`

	// Labels specifies the set of workload instance (ex: k8s pod) labels associated with this node.
	// It contains both StaticLabels and pod labels if any, it is a superset of StaticLabels.
	// Note: it is not meant to be used during xds generation.
	Labels map[string]string `json:"LABELS,omitempty"`

	// StaticLabels specifies the set of labels from `ISTIO_METAJSON_LABELS`.
	StaticLabels map[string]string `json:"STATIC_LABELS,omitempty"`

	// Annotations specifies the set of workload instance (ex: k8s pod) annotations associated with this node.
	Annotations map[string]string `json:"ANNOTATIONS,omitempty"`

	// InstanceIPs is the set of IPs attached to this proxy (serialized as a comma-separated StringList).
	InstanceIPs StringList `json:"INSTANCE_IPS,omitempty"`

	// Namespace is the namespace in which the workload instance is running.
	Namespace string `json:"NAMESPACE,omitempty"`

	// NodeName is the name of the kubernetes node on which the workload instance is running.
	NodeName string `json:"NODE_NAME,omitempty"`

	// WorkloadName specifies the name of the workload represented by this node.
	WorkloadName string `json:"WORKLOAD_NAME,omitempty"`

	// InterceptionMode carries the traffic interception mode at the proxy
	// (see TrafficInterceptionMode).
	InterceptionMode TrafficInterceptionMode `json:"INTERCEPTION_MODE,omitempty"`

	// ServiceAccount specifies the service account which is running the workload.
	ServiceAccount string `json:"SERVICE_ACCOUNT,omitempty"`

	// HTTPProxyPort enables http proxy on the port for the current sidecar.
	// Same as MeshConfig.HttpProxyPort, but with per-sidecar scope.
	HTTPProxyPort string `json:"HTTP_PROXY_PORT,omitempty"`

	// MeshID specifies the mesh ID environment variable.
	MeshID string `json:"MESH_ID,omitempty"`

	// ClusterID defines the cluster the node belongs to.
	ClusterID cluster.ID `json:"CLUSTER_ID,omitempty"`

	// Network defines the network the node belongs to. It is an optional metadata,
	// set at injection time. When set, the Endpoints returned to a node and not on same network
	// will be replaced with the gateway defined in the settings.
	Network network.ID `json:"NETWORK,omitempty"`

	// RequestedNetworkView specifies the networks that the proxy wants to see.
	RequestedNetworkView StringList `json:"REQUESTED_NETWORK_VIEW,omitempty"`

	// PodPorts defines the ports on a pod. This is used to lookup named ports.
	PodPorts PodPortList `json:"POD_PORTS,omitempty"`

	// The TLS* fields below carry file paths, not the key or certificate contents.

	// TLSServerCertChain is the absolute path to the server cert-chain file.
	TLSServerCertChain string `json:"TLS_SERVER_CERT_CHAIN,omitempty"`
	// TLSServerKey is the absolute path to the server private key file.
	TLSServerKey string `json:"TLS_SERVER_KEY,omitempty"`
	// TLSServerRootCert is the absolute path to the server root cert file.
	TLSServerRootCert string `json:"TLS_SERVER_ROOT_CERT,omitempty"`
	// TLSClientCertChain is the absolute path to the client cert-chain file.
	TLSClientCertChain string `json:"TLS_CLIENT_CERT_CHAIN,omitempty"`
	// TLSClientKey is the absolute path to the client private key file.
	TLSClientKey string `json:"TLS_CLIENT_KEY,omitempty"`
	// TLSClientRootCert is the absolute path to the client root cert file.
	TLSClientRootCert string `json:"TLS_CLIENT_ROOT_CERT,omitempty"`

	// CertBaseDir (BASE) is a certificate base directory.
	// NOTE(review): presumably the directory the TLS* paths above are resolved against — confirm against callers.
	CertBaseDir string `json:"BASE,omitempty"`

	// IdleTimeout specifies the idle timeout for the proxy, in duration format (10s).
	// If not set, default timeout is 1 hour.
	IdleTimeout string `json:"IDLE_TIMEOUT,omitempty"`

	// HTTP10 indicates the application behind the sidecar is making outbound http requests with HTTP/1.0
	// protocol. It will enable the "AcceptHttp_10" option on the http options for outbound HTTP listeners.
	// Alpha in 1.1, based on feedback may be turned into an API or change. Set to "1" to enable.
	HTTP10 string `json:"HTTP10,omitempty"`

	// Generator indicates the client wants to use a custom Generator plugin.
	Generator string `json:"GENERATOR,omitempty"`

	// DNSCapture indicates whether the workload has enabled dns capture.
	DNSCapture StringBool `json:"DNS_CAPTURE,omitempty"`

	// DNSAutoAllocate indicates whether the workload should have auto allocated addresses for ServiceEntry.
	// This allows resolving ServiceEntries, which is especially useful for distinguishing TCP traffic.
	// This depends on DNSCapture.
	DNSAutoAllocate StringBool `json:"DNS_AUTO_ALLOCATE,omitempty"`

	// EnableHBONE, if set, will enable generation of HBONE listener config.
	// Note: this only impacts sidecars; ztunnel and waypoint proxy unconditionally use HBONE.
	EnableHBONE StringBool `json:"ENABLE_HBONE,omitempty"`

	// DisableHBONESend, if set, will disable sending HBONE.
	// Warning: If this is enabled, ambient may break; use with caution.
	DisableHBONESend StringBool `json:"DISABLE_HBONE_SEND,omitempty"`

	// AutoRegisterGroup enables auto registration of the connected endpoint to the service registry
	// using the given WorkloadGroup name.
	AutoRegisterGroup string `json:"AUTO_REGISTER_GROUP,omitempty"`

	// WorkloadEntry specifies the name of the WorkloadEntry this proxy corresponds to.
	//
	// This field is intended for use in those scenarios where a user needs to
	// onboard a workload from a VM without relying on auto-registration.
	//
	// At runtime, when a proxy establishes an ADS connection to the istiod,
	// istiod will treat a non-empty value of this field as an indicator
	// that proxy corresponds to a VM and must be represented by a WorkloadEntry
	// with a given name.
	WorkloadEntry string `json:"WORKLOAD_ENTRY,omitempty"`

	// UnprivilegedPod is used to determine whether a Gateway Pod can open ports < 1024.
	UnprivilegedPod string `json:"UNPRIVILEGED_POD,omitempty"`

	// PlatformMetadata contains any platform specific metadata.
	PlatformMetadata map[string]string `json:"PLATFORM_METADATA,omitempty"`

	// StsPort specifies the port of the security token exchange server (STS).
	// Used by envoy filters.
	StsPort string `json:"STS_PORT,omitempty"`

	// EnvoyStatusPort is the Envoy status port redirecting to the agent status port.
	EnvoyStatusPort int `json:"ENVOY_STATUS_PORT,omitempty"`

	// EnvoyPrometheusPort is the Envoy prometheus port redirecting to the admin port prometheus endpoint.
	EnvoyPrometheusPort int `json:"ENVOY_PROMETHEUS_PORT,omitempty"`

	// ExitOnZeroActiveConnections terminates Envoy if there are no active connections if set.
	ExitOnZeroActiveConnections StringBool `json:"EXIT_ON_ZERO_ACTIVE_CONNECTIONS,omitempty"`

	// InboundListenerExactBalance sets connection balance config to use exact_balance for virtualInbound,
	// as long as QUIC, since it uses UDP, isn't also used.
	InboundListenerExactBalance StringBool `json:"INBOUND_LISTENER_EXACT_BALANCE,omitempty"`

	// OutboundListenerExactBalance sets connection balance config to use exact_balance for outbound
	// redirected tcp listeners. This does not change the virtualOutbound listener.
	OutboundListenerExactBalance StringBool `json:"OUTBOUND_LISTENER_EXACT_BALANCE,omitempty"`

	// CloudrunAddr is the istiod address when running ASM Managed Control Plane.
	CloudrunAddr string `json:"CLOUDRUN_ADDR,omitempty"`

	// MetadataDiscovery enables the metadata discovery service.
	MetadataDiscovery StringBool `json:"METADATA_DISCOVERY,omitempty"`

	// Raw contains a copy of the raw metadata. This is needed to lookup arbitrary values.
	// If a value is known ahead of time it should be added to the struct rather than reading from here.
	// The `json:"-"` tag keeps it out of JSON (un)marshaling.
	Raw map[string]any `json:"-"`
}

NodeMetadata defines the metadata associated with a proxy. Fields should not be assumed to exist on the proxy, especially newly added fields which will not exist on older versions. The JSON field names should never change, as they are needed for backward compatibility with older proxies. nolint: maligned

func (NodeMetadata) ProxyConfigOrDefault

func (m NodeMetadata) ProxyConfigOrDefault(def *meshconfig.ProxyConfig) *meshconfig.ProxyConfig

ProxyConfigOrDefault is a helper function to get the ProxyConfig from metadata, or fall back to a default. This is useful as the logic should check for proxy config from the proxy first and then defer to mesh-wide defaults if not present.

func (NodeMetadata) ToStruct

func (m NodeMetadata) ToStruct() *structpb.Struct

ToStruct converts NodeMetadata to a protobuf structure. This should be used only for debugging - performance is bad.

type NodeType

// NodeType decides the responsibility the proxy serves in the mesh (see the declared constants;
// IsApplicationNodeType checks membership).
type NodeType string

NodeType decides the responsibility the proxy serves in the mesh.

// Declared NodeType values.
const (
	// SidecarProxy type is used for sidecar proxies in the application containers.
	SidecarProxy NodeType = "sidecar"

	// Router type is used for standalone proxies acting as L7/L4 routers.
	Router NodeType = "router"

	// Waypoint type is used for waypoint proxies.
	Waypoint NodeType = "waypoint"

	// Ztunnel type is used for node proxies (ztunnel).
	Ztunnel NodeType = "ztunnel"
)

type PodPort

// PodPort describes a mapping of port name to port number. Generally, this is just the
// definition of a port in Kubernetes, but without depending on the Kubernetes api.
type PodPort struct {
	// If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
	// named port in a pod must have a unique name. Name for the port that can be
	// referred to by services.
	// +optional
	Name string `json:"name,omitempty"`
	// Number of port to expose on the pod's IP address.
	// This must be a valid port number, 0 < x < 65536.
	ContainerPort int `json:"containerPort"`
	// Name of the protocol.
	Protocol string `json:"protocol"`
}

PodPort describes a mapping of port name to port number. Generally, this is just the definition of a port in Kubernetes, but without depending on Kubernetes api.

type PodPortList

// PodPortList defines a list of PodPort's that is serialized as a string. This is for legacy
// reasons, where proper JSON was not supported and the list was written as a string.
type PodPortList []PodPort

PodPortList defines a list of PodPort's that is serialized as a string. This is for legacy reasons, where proper JSON was not supported and the list was written as a string.

func (PodPortList) MarshalJSON

func (l PodPortList) MarshalJSON() ([]byte, error)

func (*PodPortList) UnmarshalJSON

func (l *PodPortList) UnmarshalJSON(data []byte) error

type StringBool

// StringBool defines a boolean that is serialized as a string for legacy reasons.
type StringBool bool

StringBool defines a boolean that is serialized as a string for legacy reasons

func (StringBool) MarshalJSON

func (s StringBool) MarshalJSON() ([]byte, error)

func (*StringBool) UnmarshalJSON

func (s *StringBool) UnmarshalJSON(data []byte) error

type StringList

// StringList is a list that will be marshaled to a comma-separated string in JSON.
type StringList []string

StringList is a list that will be marshaled to a comma-separated string in JSON.

func (StringList) MarshalJSON

func (l StringList) MarshalJSON() ([]byte, error)

func (*StringList) UnmarshalJSON

func (l *StringList) UnmarshalJSON(data []byte) error

type TrafficInterceptionMode

// TrafficInterceptionMode indicates how traffic to/from the workload is captured and sent to
// Envoy. This should not be confused with the CaptureMode in the API that indicates how the
// user wants traffic to be intercepted for the listener. TrafficInterceptionMode is always
// derived from the Proxy metadata (NodeMetadata.InterceptionMode).
type TrafficInterceptionMode string

TrafficInterceptionMode indicates how traffic to/from the workload is captured and sent to Envoy. This should not be confused with the CaptureMode in the API that indicates how the user wants traffic to be intercepted for the listener. TrafficInterceptionMode is always derived from the Proxy metadata.
