Package sds implements secret discovery service in NodeAgent.

const (
	// SecretType is used by the secret discovery service to construct its response.
	SecretType = ""

	// IngressGatewaySdsCaSuffix is the suffix of the SDS resource name for a root CA. All SDS requests
	// for a root CA sent by the ingress gateway have the suffix -cacert.
	IngressGatewaySdsCaSuffix = "-cacert"
)
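As an added example (not code from the sds package), the program below shows how a server would interpret incoming SDS resource names under the -cacert convention documented above: a name ending in the suffix asks for the root CA of the secret named before the suffix, while any other name asks for that secret's TLS key and certificate. ClassifyResource, SecretKind and the two Kind constants are hypothetical names introduced here; the suffix value is the one from the package.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IngressGatewaySdsCaSuffix mirrors the sds package constant: SDS requests
// for a root CA carry this suffix on the resource name.
const IngressGatewaySdsCaSuffix = "-cacert"

// SecretKind says which kind of material a resource name asks for.
type SecretKind int

const (
	KindTLSCert SecretKind = iota // private key and certificate chain
	KindRootCA                    // root CA bundle used as validation context
)

func (k SecretKind) String() string {
	if k == KindRootCA {
		return "root CA"
	}
	return "TLS key/cert"
}

// ClassifyResource splits an SDS resource name into the underlying secret
// name and the kind of material requested. "<name>-cacert" maps to the root
// CA of <name>; any other name maps to the key/cert of that name. An empty
// name, or a name that is only the suffix, is rejected so that a malformed
// request cannot resolve to an unnamed secret. Hypothetical helper, not part
// of the sds package.
func ClassifyResource(resourceName string) (string, SecretKind, error) {
	if resourceName == "" {
		return "", 0, errors.New("empty SDS resource name")
	}
	if strings.HasSuffix(resourceName, IngressGatewaySdsCaSuffix) {
		base := strings.TrimSuffix(resourceName, IngressGatewaySdsCaSuffix)
		if base == "" {
			return "", 0, fmt.Errorf("resource name %q has no secret name before %q",
				resourceName, IngressGatewaySdsCaSuffix)
		}
		return base, KindRootCA, nil
	}
	return resourceName, KindTLSCert, nil
}

func main() {
	// Constructed sample resource names, including one malformed request.
	for _, name := range []string{"ingress-credential", "ingress-credential-cacert", "-cacert"} {
		base, kind, err := ClassifyResource(name)
		if err != nil {
			fmt.Println(name, "=> error:", err)
			continue
		}
		fmt.Printf("%s => secret %q, kind %v\n", name, base, kind)
	}
}
```

The same classification applies to the workload path: a proxy that asks for "default" gets its key/cert, and one that asks for "default-cacert" gets only the root bundle, so the two kinds of material can be authorised and cached separately.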



func NewPlugins

func NewPlugins(in []string) []plugin.Plugin

NewPlugins returns a slice of default Plugins.

func NotifyProxy

func NotifyProxy(conID, resourceName string, secret *model.SecretItem) error

NotifyProxy sends a notification to the proxy about a secret update; SDS closes the streaming connection if secret is nil.


type Options

type Options struct {
	// EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
	EnableWorkloadSDS bool
	// WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
	WorkloadUDSPath string

	// EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
	EnableIngressGatewaySDS bool
	// IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
	// ingress gateway proxies.
	IngressGatewayUDSPath string

	// CertFile is the path of the certificate file used for the gRPC server's TLS settings.
	CertFile string

	// KeyFile is the path of the private key file used for the gRPC server's TLS settings.
	KeyFile string

	// CAEndpoint is the CA endpoint to which the node agent sends CSR requests.
	CAEndpoint string

	// The CA provider name.
	CAProviderName string

	// TrustDomain corresponds to the trust root of a system.
	TrustDomain string

	// PluginNames lists the names of the plugins used for a particular authentication provider.
	PluginNames []string

	// The Vault CA address.
	VaultAddress string

	// The Vault auth path.
	VaultAuthPath string

	// The Vault role.
	VaultRole string

	// The Vault sign CSR path.
	VaultSignCsrPath string

	// The Vault TLS root certificate.
	VaultTLSRootCert string

	// AlwaysValidTokenFlag is set to true if the token used is always valid (for example, a normal k8s JWT).
	AlwaysValidTokenFlag bool
}

Options provides all of the configuration parameters for secret discovery service.
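Options has several fields that only make sense together (a UDS path for each enabled server, a cert and key pair for listener TLS, the Vault fields when a Vault address is given), and NewServer's error alone does not say which combination is wrong. The program below, an added example rather than code from the sds package, copies the Options struct from the documentation above and adds a hypothetical Validate function that reports every misconfiguration it finds. The rules it enforces are this example's own policy, chosen as what a practitioner would want checked before starting the server, not checks the package documents.

```go
package main

import (
	"fmt"
	"os"
)

// Options is copied from the sds package documentation so the example
// compiles stand-alone; only Validate below is added here.
type Options struct {
	EnableWorkloadSDS       bool
	WorkloadUDSPath         string
	EnableIngressGatewaySDS bool
	IngressGatewayUDSPath   string
	CertFile                string
	KeyFile                 string
	CAEndpoint              string
	CAProviderName          string
	TrustDomain             string
	PluginNames             []string
	VaultAddress            string
	VaultAuthPath           string
	VaultRole               string
	VaultSignCsrPath        string
	VaultTLSRootCert        string
	AlwaysValidTokenFlag    bool
}

// Validate returns every problem found rather than the first one, so an
// operator can fix the whole configuration in one pass. Hypothetical helper;
// the rules are this example's policy, not the package's.
func Validate(o Options) []string {
	var problems []string
	if !o.EnableWorkloadSDS && !o.EnableIngressGatewaySDS {
		problems = append(problems, "neither workload nor ingress gateway SDS is enabled; the server would serve nothing")
	}
	if o.EnableWorkloadSDS && o.WorkloadUDSPath == "" {
		problems = append(problems, "EnableWorkloadSDS is set but WorkloadUDSPath is empty")
	}
	if o.EnableIngressGatewaySDS && o.IngressGatewayUDSPath == "" {
		problems = append(problems, "EnableIngressGatewaySDS is set but IngressGatewayUDSPath is empty")
	}
	// Two listeners on one socket path would have one of them fail to bind,
	// or worse, serve the wrong class of proxy.
	if o.EnableWorkloadSDS && o.EnableIngressGatewaySDS && o.WorkloadUDSPath == o.IngressGatewayUDSPath {
		problems = append(problems, "workload and ingress gateway SDS cannot share one unix domain socket")
	}
	// TLS on the gRPC listener needs both halves of the key pair.
	if (o.CertFile == "") != (o.KeyFile == "") {
		problems = append(problems, "CertFile and KeyFile must be set together")
	}
	// Workload certificates are obtained by sending a CSR to the CA.
	if o.EnableWorkloadSDS && o.CAEndpoint == "" {
		problems = append(problems, "workload SDS needs a CAEndpoint to send CSRs to")
	}
	// If Vault is configured, everything needed to authenticate to it,
	// sign the CSR and verify its TLS certificate must be present too.
	if o.VaultAddress != "" {
		required := []struct{ name, value string }{
			{"VaultAuthPath", o.VaultAuthPath},
			{"VaultRole", o.VaultRole},
			{"VaultSignCsrPath", o.VaultSignCsrPath},
			{"VaultTLSRootCert", o.VaultTLSRootCert},
		}
		for _, r := range required {
			if r.value == "" {
				problems = append(problems, "VaultAddress is set but "+r.name+" is empty")
			}
		}
	}
	return problems
}

func main() {
	// Constructed sample: ingress gateway SDS enabled without a socket path.
	opts := Options{EnableIngressGatewaySDS: true}
	if problems := Validate(opts); len(problems) > 0 {
		for _, p := range problems {
			fmt.Fprintln(os.Stderr, "sds options:", p)
		}
		os.Exit(1)
	}
	fmt.Println("options ok")
}
```

Run the check before calling NewServer; rejecting a bad Options value up front avoids starting a listener that can never issue a secret, or a plaintext gRPC listener when TLS was intended but only one of CertFile and KeyFile was supplied.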

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the gRPC server that exposes SDS through UDS.

func NewServer

func NewServer(options Options, workloadSecretCache, gatewaySecretCache cache.SecretManager) (*Server, error)

NewServer creates and starts the gRPC server for SDS.

func (*Server) Stop

func (s *Server) Stop()

Stop closes the gRPC server.