bootstrap


Documentation


Constants

This section is empty.

Variables

// LocalCertDir is the directory holding the CA root material (env ROOT_CA_DIR,
// default "./etc/cacerts"). It replaces the "cert-chain", "signing-cert" and
// "signing-key" flags that citadel used to take: the Istio installer instead
// requires a secret named "cacerts" with specific files inside, mounted here.
var LocalCertDir = env.Register("ROOT_CA_DIR", "./etc/cacerts",
	"Location of a local or mounted CA root")

// SelfSignedCACertTTL is the TTL of the self-signed CA root certificate
// (env CITADEL_SELF_SIGNED_CA_CERT_TTL, default cmd.DefaultSelfSignedCACertTTL).
var SelfSignedCACertTTL = env.Register("CITADEL_SELF_SIGNED_CA_CERT_TTL",
	cmd.DefaultSelfSignedCACertTTL,
	"The TTL of self-signed CA root certificate.")
// PodNamespace is the value of POD_NAMESPACE, read once at package init and
// defaulting to constants.IstioSystemNamespace when the variable is unset.
var PodNamespace = env.Register("POD_NAMESPACE", constants.IstioSystemNamespace, "").Get()

// PodName is the value of POD_NAME, read once at package init; empty when unset.
var PodName = env.Register("POD_NAME", "", "").Get()

// JwtRule is the JWT rule used by istiod authentication. It is the value of
// JWT_RULE, read once at package init; empty when unset.
var JwtRule = env.Register("JWT_RULE", "",
	"The JWT rule used by istiod authentication").Get()
// Revision is the value of the Istio control plane revision, e.g. "canary",
// and is the value used by the "istio.io/rev" label. It is read once from the
// REVISION environment variable at package init and is empty when unset.
var Revision = env.Register("REVISION", "", "").Get()

Revision is the value of the Istio control plane revision, e.g. "canary", and is the value used by the "istio.io/rev" label.

Functions

func InitGenerators

func InitGenerators(
	s *xds.DiscoveryServer,
	cg core.ConfigGenerator,
	systemNameSpace string,
	clusterID cluster.ID,
	internalDebugMux *http.ServeMux,
)

func TLSCipherSuites

func TLSCipherSuites(cipherNames []string) ([]uint16, error)

TLSCipherSuites returns a list of cipher suite IDs from the cipher suite names passed.

Types

type ConfigSourceAddressScheme

// ConfigSourceAddressScheme is the URL scheme part of a config source address.
// The values below are the schemes supported by the config store.
type ConfigSourceAddressScheme string

// File loads local files: fs:///PATH, e.g. fs:///tmp/configroot. PATH may be
// mounted from a config map or volume. This replaces --configDir.
const File ConfigSourceAddressScheme = "fs"

// XDS loads XDS-over-MCP sources: xds://ADDRESS, e.g. xds://127.0.0.1:49133.
const XDS ConfigSourceAddressScheme = "xds"

// Kubernetes loads the in-cluster k8s controller: k8s://
const Kubernetes ConfigSourceAddressScheme = "k8s"

type DiscoveryServerOptions

// DiscoveryServerOptions contains the listen addresses and TLS settings used
// when creating a new discovery server instance. Every address below follows
// the same rule: if the port is empty or "0" (as in "127.0.0.1:" or
// "[::1]:0") a port number is chosen automatically.
type DiscoveryServerOptions struct {
	// The listening address for HTTP (debug). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	// NOTE(review): this listener is plaintext, so nothing served on it has
	// transport-level confidentiality or peer authentication.
	HTTPAddr string

	// The listening address for HTTPS (webhooks). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	// If the address is empty, the secure port is disabled, and the
	// webhooks are registered on the HTTP port - a gateway in front will
	// terminate TLS instead.
	// NOTE(review): leaving this empty is only safe when a TLS-terminating
	// gateway is guaranteed to front HTTPAddr; otherwise the webhook endpoints
	// are reachable in cleartext. Confirm against the deployment before
	// clearing it.
	HTTPSAddr string

	// The listening address for gRPC. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	GRPCAddr string

	// The listening address for the monitoring port. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	MonitoringAddr string

	// EnableProfiling enables profiling endpoints. NOTE(review): profiling
	// output exposes process internals; keep this off outside diagnostics.
	// Which listener serves it is not visible here - confirm before exposing.
	EnableProfiling bool

	// Optional TLS configuration
	// NOTE(review): presumably applies to HTTPSAddr and SecureGRPCAddr - confirm.
	TLSOptions TLSOptions

	// The listening address for secured gRPC. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	SecureGRPCAddr string
}

DiscoveryServerOptions contains the options used when creating a new discovery server instance.

type InjectionOptions

// InjectionOptions configures where sidecar-injection related files are read from.
type InjectionOptions struct {
	// Directory of injection related config files.
	InjectionDirectory string
}

type PilotArgs

// PilotArgs provides all of the configuration parameters for the Pilot
// discovery service. It is normally built with NewPilotArgs and then
// validated/filled in by Complete before being handed to NewServer.
type PilotArgs struct {
	// ServerOptions holds the listen addresses and TLS settings of the discovery server.
	ServerOptions DiscoveryServerOptions
	// InjectionOptions holds the sidecar-injection config directory.
	InjectionOptions InjectionOptions
	// PodName is the name of the istiod pod (cf. the POD_NAME env var).
	PodName string
	// Namespace is the namespace istiod runs in (cf. the POD_NAMESPACE env var).
	Namespace string
	// CniNamespace is the namespace of the Istio CNI component - presumably; confirm against the flag definition.
	CniNamespace string
	// Revision is the control plane revision, the value of the "istio.io/rev" label.
	Revision string
	// MeshConfigFile is the path of the mesh config file.
	MeshConfigFile string
	// NetworksConfigFile is the path of the mesh networks config file.
	NetworksConfigFile string
	// RegistryOptions configures the configuration controller and service registries.
	RegistryOptions RegistryOptions
	// CtrlZOptions configures the ControlZ introspection endpoint.
	// NOTE(review): ControlZ exposes internal state; check it is not reachable from untrusted networks.
	CtrlZOptions *ctrlz.Options
	// KeepaliveOptions configures gRPC keepalive behaviour.
	KeepaliveOptions *keepalive.Options
	// ShutdownDuration is how long Start-ed components are given to drain on shutdown - presumably; confirm.
	ShutdownDuration time.Duration
	// JwtRule is the JWT rule used by istiod authentication (cf. the JWT_RULE env var).
	JwtRule string
}

PilotArgs provides all of the configuration parameters for the Pilot discovery service.

func NewPilotArgs

func NewPilotArgs(initFuncs ...func(*PilotArgs)) *PilotArgs

NewPilotArgs constructs a PilotArgs with default values; each optional initFunc receives the new value and may customise it.

func (*PilotArgs) Complete

func (p *PilotArgs) Complete() error

type RegistryOptions

// RegistryOptions provides configuration options for the configuration
// controller. When FileDir is set the controller is fed from files in that
// directory (a test-only mode) and the Kubernetes options are ignored;
// otherwise a CRD client is built from the Kubernetes options.
type RegistryOptions struct {
	// If FileDir is set, the below kubernetes options are ignored
	FileDir string

	// Registries lists the service registries to enable. NOTE(review): the
	// accepted values are defined elsewhere - check the flag parsing.
	Registries []string

	// Kubernetes controller options
	KubeOptions kubecontroller.Options
	// ClusterRegistriesNamespace specifies where the multi-cluster secret resides
	ClusterRegistriesNamespace string
	// KubeConfig is the kubeconfig path used to reach the cluster. Empty
	// presumably means in-cluster configuration - confirm.
	KubeConfig string
}

RegistryOptions provides configuration options for the configuration controller. If FileDir is set, that directory is monitored for CRD yaml files and the controller is updated as those files change (this mode is used for testing). Otherwise, a CRD client is created based on the Kubernetes configuration.

type Server

// Server contains the runtime configuration for the Pilot discovery service:
// the XDS server, the config stores it consumes, and the CA/RA used by the
// certificate-signing service started by RunCA.
type Server struct {
	// XDSServer is the discovery server that serves xDS to proxies.
	XDSServer *xds.DiscoveryServer

	// ConfigStores are the config sources the server reads from.
	ConfigStores []model.ConfigStoreController

	// CA is the Istio certificate authority used to sign workload certificates
	// when RunCA starts the cert-signing service. NOTE(review): likely nil when
	// the CA is not started (see RunCA) - callers should nil-check; confirm.
	CA *ca.IstioCA
	// RA is the registration authority used when signing is delegated rather
	// than done by the built-in CA - presumably; confirm.
	RA ra.RegistrationAuthority

	// RWConfigStore is the configstore which allows updates, particularly for status.
	RWConfigStore model.ConfigStoreController
	// contains filtered or unexported fields
}

Server contains the runtime configuration for the Pilot discovery service.

func NewServer

func NewServer(args *PilotArgs, initFuncs ...func(*Server)) (*Server, error)

NewServer creates a new Server instance based on the provided arguments.

func (*Server) RotateDNSCertForK8sCA

func (s *Server) RotateDNSCertForK8sCA(stop <-chan struct{},
	defaultCACertPath string,
	signerName string,
	approveCsr bool,
	requestedLifetime time.Duration,
)

func (*Server) RunCA

func (s *Server) RunCA(grpc *grpc.Server)

RunCA starts the certificate-signing gRPC service on an existing gRPC server. It is gated by installer options: the CA is started only if the JWT token under /var/run/secrets is mounted. If the token is missing - for example on old Kubernetes versions that do not issue such tokens - the cert-signing server is not started, since pods would have no way to authenticate to it.

func (*Server) ServiceController

func (s *Server) ServiceController() *aggregate.Controller

func (*Server) Start

func (s *Server) Start(stop <-chan struct{}) error

Start starts all components of the Pilot discovery service on the addresses specified in DiscoveryServerOptions. If the port in an address is empty or "0", a port number is automatically chosen. Content serving is started by this method but runs asynchronously; serving can be canceled at any time by closing the provided stop channel.

func (*Server) WaitUntilCompletion

func (s *Server) WaitUntilCompletion()

WaitUntilCompletion waits for everything marked as a "required termination" to complete. This should be called before exiting.

type TLSOptions

// TLSOptions holds the optional TLS parameters for the Istiod server.
type TLSOptions struct {
	// CaCertFile and related are set using CLI flags.
	// CaCertFile is the CA certificate file.
	CaCertFile string
	// CertFile is the server certificate file.
	CertFile string
	// KeyFile is the server private key file. NOTE(review): secret material -
	// its permissions should restrict it to the istiod process.
	KeyFile string
	// TLSCipherSuites is the list of cipher suite names as given on the command
	// line; presumably converted to IDs by TLSCipherSuites() and stored in CipherSuits.
	TLSCipherSuites []string
	// CipherSuits holds the parsed cipher suite IDs. The name is misspelled but
	// exported, so it cannot be renamed without a breaking change.
	CipherSuits []uint16 // This is the parsed cipher suites
}

TLSOptions holds the optional TLS parameters for the Istiod server.
