Documentation
Index
- Constants
- type Agent
- func (a *Agent) Check() (err error)
- func (a *Agent) Close()
- func (a *Agent) DrainNow()
- func (a *Agent) EnvoyDisabled() bool
- func (a *Agent) FindRootCAForCA() (string, error)
- func (a *Agent) FindRootCAForXDS() (string, error)
- func (a *Agent) GRPCBootstrapPath() string
- func (a *Agent) GetDNSTable() *dnsProto.NameTable
- func (a *Agent) GetKeyCertsForCA() (string, string)
- func (a *Agent) GetKeyCertsForXDS() (string, string)
- func (a *Agent) Run(ctx context.Context) (func(), error)
- func (a *Agent) WaitForSigterm() bool
- type AgentOptions
- type DeltaDiscoveryClient
- type DeltaDiscoveryStream
- type DiscoveryClient
- type DiscoveryStream
- type LifecycleEvent
- type Proxy
- type ProxyConnection
- type ResponseHandler
- type RootCertProvider
- type SDSService
- type SDSServiceFactory
- type XdsProxy
Constants
const (
	// MetadataClientCertKey is ISTIO_META env var used for client key.
	MetadataClientCertKey = "ISTIO_META_TLS_CLIENT_KEY"
	// MetadataClientCertChain is ISTIO_META env var used for client cert chain.
	MetadataClientCertChain = "ISTIO_META_TLS_CLIENT_CERT_CHAIN"
	// MetadataClientRootCert is ISTIO_META env var used for client root cert.
	MetadataClientRootCert = "ISTIO_META_TLS_CLIENT_ROOT_CERT"
)
const (
	// CitadelCACertPath is the directory for Citadel CA certificate.
	// This is mounted from config map 'istio-ca-root-cert'. Part of startup,
	// this may be replaced with ./etc/certs, if a root-cert.pem is found, to
	// handle secrets mounted from non-citadel CAs.
	CitadelCACertPath = "./var/run/secrets/istio"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Agent
type Agent struct {
	// contains filtered or unexported fields
}
Agent contains the configuration of the agent, based on the injected environment:
- SDS hostPath if node-agent was used
- /etc/certs/key if Citadel or other mounted Secrets are used
- root cert to use for connecting to XDS server
- CA address, with proper defaults and detection
func NewAgent
func NewAgent(proxyConfig *mesh.ProxyConfig, agentOpts *AgentOptions, sopts *security.Options, eopts envoy.ProxyConfig) *Agent
NewAgent hosts the functionality for local SDS and XDS. This consists of the local SDS server and associated clients to sign certificates (when not using files), and the local XDS proxy (including health checking for VMs and DNS proxying).
func (*Agent) EnvoyDisabled
EnvoyDisabled, if true, indicates that calling Run will not run and wait for Envoy.
func (*Agent) FindRootCAForCA
FindRootCAForCA finds the root CA to use when connecting to the CA (Istiod or external).
func (*Agent) FindRootCAForXDS
FindRootCAForXDS determines the root CA to be configured in the bootstrap file. It may differ from the root used for the cert server, which is based on CA_ADDR. In addition, it handles the case where the XDS server is on port 443 and is expected to present a proper certificate, in which case /etc/ssl/certs/ca-certificates.crt is used.
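The trust-root decision described above matters because it decides which CA the agent will accept for the control-plane connection: an XDSRootCerts override, the system bundle for a port-443 server, or the Istio CA root mounted under CitadelCACertPath. The following is an added, self-contained illustration of that decision and is not Istio's implementation; the function name rootCAForXDS, the existsFunc probe, the selection order and the fail-closed handling of a missing override are assumptions made here. Only the paths are taken from this page.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
)

// Paths taken from this page: the system CA bundle used for port-443 XDS
// servers and the Citadel CA mount (root-cert.pem inside CitadelCACertPath).
const (
	systemCABundle    = "/etc/ssl/certs/ca-certificates.crt"
	citadelCACertPath = "./var/run/secrets/istio"
	citadelRootCert   = citadelCACertPath + "/root-cert.pem"
)

// existsFunc reports whether a candidate root file is present; it is injected
// so the decision can be exercised without touching the filesystem.
type existsFunc func(path string) bool

// osExists is the real probe used by main().
func osExists(path string) bool {
	_, err := os.Stat(path)
	return err == nil
}

// rootCAForXDS chooses the trust root for the XDS connection. The order is an
// assumption for illustration, not Istio's code:
//  1. an explicit XDSRootCerts override, which must exist (fail closed rather
//     than silently falling back to a different trust root);
//  2. port 443, where the server is expected to present a publicly trusted
//     certificate, so the system bundle is used;
//  3. otherwise the Istio CA root mounted from the istio-ca-root-cert config map.
func rootCAForXDS(discoveryAddress, xdsRootCerts string, exists existsFunc) (string, error) {
	if xdsRootCerts != "" {
		if !exists(xdsRootCerts) {
			return "", fmt.Errorf("XDSRootCerts %q is configured but not present", xdsRootCerts)
		}
		return xdsRootCerts, nil
	}
	_, port, err := net.SplitHostPort(discoveryAddress)
	if err != nil {
		return "", fmt.Errorf("discovery address %q: %w", discoveryAddress, err)
	}
	if port == "443" {
		return systemCABundle, nil
	}
	if exists(citadelRootCert) {
		return citadelRootCert, nil
	}
	return "", errors.New("no root CA available for XDS server " + discoveryAddress)
}

func main() {
	// Constructed sample addresses; on a real node osExists probes the mounts.
	for _, addr := range []string{"istiod.istio-system.svc:15012", "xds.example.com:443"} {
		root, err := rootCAForXDS(addr, "", osExists)
		fmt.Printf("%-32s root=%q err=%v\n", addr, root, err)
	}
}
```

The point of returning an error instead of a fallback when the configured override is missing is that a trust-root decision should never degrade silently: picking a different CA than the operator configured changes who can impersonate the control plane.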
func (*Agent) GRPCBootstrapPath
GRPCBootstrapPath returns the most recently generated gRPC bootstrap or nil if there is none.
func (*Agent) GetDNSTable
GetDNSTable builds the DNS table used in the debugging interface.
func (*Agent) GetKeyCertsForCA
GetKeyCertsForCA returns the key and cert file paths for connecting to the CA server.
func (*Agent) GetKeyCertsForXDS
GetKeyCertsForXDS returns the key and cert file paths for connecting to XDS.
func (*Agent) Run
Run is a non-blocking call which returns either an error or a function to await completion.
func (*Agent) WaitForSigterm
WaitForSigterm, if true, indicates that calling Run will block until SIGTERM or SIGINT is received.
type AgentOptions
type AgentOptions struct {
	// DNSCapture indicates if the XDS proxy has dns capture enabled or not
	DNSCapture bool
	// Enables DNS server at Gateways.
	DNSAtGateway bool
	// DNSAddr is the DNS capture address
	DNSAddr string
	// DNSForwardParallel indicates whether the agent should send parallel DNS queries to all upstream nameservers.
	DNSForwardParallel bool
	// ProxyType is the type of proxy we are configured to handle
	ProxyType model.NodeType
	// ProxyNamespace to use for local dns resolution
	ProxyNamespace string
	// ProxyDomain is the DNS domain associated with the proxy (assumed
	// to include the namespace as well) (for local dns resolution)
	ProxyDomain string
	// Node identifier used by Envoy
	ServiceNode string
	// XDSRootCerts is the location of the root CA for the XDS connection. Used for setting platform certs or
	// using custom roots.
	XDSRootCerts string
	// CARootCerts is the location of the root CA for the CA connection. Used for setting platform certs or
	// using custom roots.
	CARootCerts string
	// Extra headers to add to the XDS connection.
	XDSHeaders map[string]string
	// Is the proxy an IPv6 proxy
	IsIPv6 bool
	// Path to local UDS to communicate with Envoy
	XdsUdsPath string
	// Ability to retrieve ProxyConfig dynamically through XDS
	EnableDynamicProxyConfig bool
	// All of the proxy's IP Addresses
	ProxyIPAddresses []string
	// Envoy status port (that circles back to the agent status port). Really belongs to the proxy config.
	// Cannot be eradicated because mistakes have been made.
	EnvoyStatusPort int
	// Envoy prometheus port that circles back to its admin port for prom endpoint. Really belongs to the
	// proxy config.
	EnvoyPrometheusPort int

	MinimumDrainDuration        time.Duration
	ExitOnZeroActiveConnections bool

	// Cloud platform
	Platform platform.Environment

	// GRPCBootstrapPath if set will generate a file compatible with GRPC_XDS_BOOTSTRAP
	GRPCBootstrapPath string

	// Disables all envoy agent features
	DisableEnvoy bool

	DownstreamGrpcOptions []grpc.ServerOption

	IstiodSAN string

	WASMOptions wasm.Options

	// Enable metadata discovery bootstrap extension
	MetadataDiscovery bool

	SDSFactory func(options *security.Options, workloadSecretCache security.SecretManager, pkpConf *mesh.PrivateKeyProvider) SDSService

	// Name of the socket file which will be used for workload SDS.
	// If this is set to something other than the default socket file used
	// by Istio's default SDS server, the socket file must be present.
	// Note that the path is not configurable by design - only the socket file name.
	WorkloadIdentitySocketFile string
}
AgentOptions contains additional config for the agent, not included in ProxyConfig. Most are from env variables (still experimental) or for testing only. Eventually most non-test settings should graduate to ProxyConfig. Please don't add 100 parameters to the NewAgent function (or any other)!
type DeltaDiscoveryClient
type DeltaDiscoveryClient = discovery.AggregatedDiscoveryService_DeltaAggregatedResourcesClient
type DeltaDiscoveryStream
type DeltaDiscoveryStream = discovery.AggregatedDiscoveryService_DeltaAggregatedResourcesServer
type DiscoveryClient
type DiscoveryClient = discovery.AggregatedDiscoveryService_StreamAggregatedResourcesClient
type DiscoveryStream
type DiscoveryStream = discovery.AggregatedDiscoveryService_StreamAggregatedResourcesServer
type LifecycleEvent
type LifecycleEvent string
const (
	DrainLifecycleEvent LifecycleEvent = "drain"
	ExitLifecycleEvent  LifecycleEvent = "exit"
)
type Proxy
type Proxy struct {
	ID          string
	IPAddresses []string
	Type        model.NodeType
	DNSDomain   string
	// contains filtered or unexported fields
}
Proxy holds the properties shared with Pilot's Proxy struct.
func (*Proxy) DiscoverIPMode
func (node *Proxy) DiscoverIPMode()
func (*Proxy) ServiceNode
func (*Proxy) SupportsIPv6
type ProxyConnection
type ProxyConnection struct {
// contains filtered or unexported fields
}
ProxyConnection represents connection to downstream proxy.
type ResponseHandler
ResponseHandler handles an XDS response in the agent. These responses are not forwarded to Envoy. Currently, all handlers operate on a single resource per type, so the API only exposes one resource.
type RootCertProvider
type SDSService
type SDSService interface {
	OnSecretUpdate(resourceName string)
	Stop()
}
type SDSServiceFactory
type SDSServiceFactory = func(_ *security.Options, _ security.SecretManager, _ *mesh.PrivateKeyProvider) SDSService
type XdsProxy
type XdsProxy struct {
// contains filtered or unexported fields
}
XdsProxy proxies all XDS requests from Envoy to Istiod, and in addition allows subsystems inside the agent (e.g. DNS, SDS) to communicate with either Istiod or Envoy. The goal is to consolidate all XDS-related connections to Istiod/Envoy into a single TCP connection with multiple gRPC streams. TODO: Right now, the workloadSDS server and gatewaySDS servers are still separate connections. These need to be consolidated. TODO: consolidate/use ADSC struct - a lot of duplication.
func (*XdsProxy) DeltaAggregatedResources
func (p *XdsProxy) DeltaAggregatedResources(downstream DeltaDiscoveryStream) error
DeltaAggregatedResources is an implementation of the Delta XDS API used for proxying between Istiod and Envoy. Every time Envoy makes a fresh connection to the agent, we re-establish a new connection to the upstream XDS server. This ensures that a new connection between Istiod and the agent doesn't end up consuming pending messages from Envoy, as the new connection may not go to the same Istiod. The same applies in the other direction.
func (*XdsProxy) StreamAggregatedResources
func (p *XdsProxy) StreamAggregatedResources(downstream DiscoveryStream) error
StreamAggregatedResources is an implementation of the XDS API used for proxying between Istiod and Envoy. Every time Envoy makes a fresh connection to the agent, we re-establish a new connection to the upstream XDS server. This ensures that a new connection between Istiod and the agent doesn't end up consuming pending messages from Envoy, as the new connection may not go to the same Istiod. The same applies in the other direction.
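Both DeltaAggregatedResources and StreamAggregatedResources rely on the same invariant: one private upstream connection per downstream Envoy stream, torn down together with it, so that state queued for one stream can never be delivered into another. The following added example models that invariant with in-memory channels standing in for gRPC streams; it is not Istio's XdsProxy code. Stream, Upstream, Dialer, fakeIstiod, proxyStream and drain are constructed names, and the fake istiod that acknowledges every request is a stand-in for the real control plane.

```go
package main

import (
	"fmt"
	"sync"
)

// Stream is a constructed stand-in for one bidirectional ADS gRPC stream:
// requests flow from Envoy towards istiod, responses flow back. Buffers are
// sized for the demo; a real proxy would apply flow control.
type Stream struct {
	Requests  chan string
	Responses chan string
}

func newStream() *Stream {
	return &Stream{Requests: make(chan string, 16), Responses: make(chan string, 16)}
}

// Upstream is one connection dialed to a (simulated) istiod instance.
type Upstream struct {
	ID     int
	Stream *Stream
}

// Dialer stands in for the gRPC dial to istiod. Each Dial yields a distinct
// upstream backed by its own fake istiod, so a test can check that no two
// downstream connections ever share one.
type Dialer struct {
	mu    sync.Mutex
	count int
}

func (d *Dialer) Dial() *Upstream {
	d.mu.Lock()
	defer d.mu.Unlock()
	d.count++
	u := &Upstream{ID: d.count, Stream: newStream()}
	go fakeIstiod(u.ID, u.Stream)
	return u
}

// fakeIstiod acknowledges every request on the same stream and closes the
// response side once the request side is closed (a clean disconnect).
func fakeIstiod(id int, s *Stream) {
	for req := range s.Requests {
		s.Responses <- fmt.Sprintf("istiod-%d ACK %s", id, req)
	}
	close(s.Responses)
}

// proxyStream mirrors the rule on this page: one fresh upstream per downstream
// stream, forwarded in both directions, torn down when Envoy disconnects.
// Because the upstream is private to this downstream, a reconnecting Envoy
// cannot receive responses queued for the previous stream, and pending
// requests are never replayed into a connection to a different istiod.
func proxyStream(downstream *Stream, dialer *Dialer) *Upstream {
	up := dialer.Dial()
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { // downstream -> upstream
		defer wg.Done()
		for req := range downstream.Requests {
			up.Stream.Requests <- req
		}
		close(up.Stream.Requests) // Envoy went away: close this upstream too
	}()
	go func() { // upstream -> downstream
		defer wg.Done()
		for resp := range up.Stream.Responses {
			downstream.Responses <- resp
		}
		close(downstream.Responses)
	}()
	wg.Wait()
	return up
}

// drain collects everything the downstream received until the proxy closed it.
func drain(ch <-chan string) []string {
	var out []string
	for v := range ch {
		out = append(out, v)
	}
	return out
}

func main() {
	d := &Dialer{}
	for i := 1; i <= 2; i++ { // two successive Envoy connections
		ds := newStream()
		ds.Requests <- "CDS"
		ds.Requests <- "LDS"
		close(ds.Requests)
		up := proxyStream(ds, d)
		fmt.Printf("connection %d used upstream %d: %v\n", i, up.ID, drain(ds.Responses))
	}
}
```

The second connection in main is served by upstream 2, and upstream 1 has already been closed by the time it is dialed; that is the property the page's doc comment describes, and the reason the agent does not reuse a pooled control-plane connection across Envoy reconnects.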