Documentation

Overview

Package sds implements secret discovery service in NodeAgent.

Constants

const (
	// SecretType is used for secret discovery service to construct response.
	SecretType = "type.googleapis.com/envoy.api.v2.auth.Secret"

	// IngressGatewaySdsCaSuffix is the suffix of the sds resource name for root CA. All SDS requests
	// for root CA sent by ingress gateway have suffix -cacert.
	IngressGatewaySdsCaSuffix = "-cacert"
)

Variables

This section is empty.

Functions

func NewPlugins

func NewPlugins(in []string) []plugin.Plugin

NewPlugins returns a slice of default Plugins.

func NotifyProxy

func NotifyProxy(conID, resourceName string, secret *model.SecretItem) error

NotifyProxy sends a notification to the proxy about a secret update; SDS closes the streaming connection if secret is nil.

Types

type Options

type Options struct {
	// EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
	EnableWorkloadSDS bool
	// WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
	WorkloadUDSPath string

	// EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
	EnableIngressGatewaySDS bool
	// IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
	// ingress gateway proxies.
	IngressGatewayUDSPath string

	// CertFile is the path of Cert File for gRPC server TLS settings.
	CertFile string

	// KeyFile is the path of Key File for gRPC server TLS settings.
	KeyFile string

	// CAEndpoint is the CA endpoint to which node agent sends CSR request.
	CAEndpoint string

	// The CA provider name.
	CAProviderName string

	// TrustDomain corresponds to the trust root of a system.
	// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
	TrustDomain string

	// PluginNames lists the names of the plugins used for a given authentication provider.
	PluginNames []string

	// The Vault CA address.
	VaultAddress string

	// The Vault auth path.
	VaultAuthPath string

	// The Vault role.
	VaultRole string

	// The Vault sign CSR path.
	VaultSignCsrPath string

	// The Vault TLS root certificate.
	VaultTLSRootCert string

	// AlwaysValidTokenFlag is set to true if the token used is always valid (e.g. a normal k8s JWT).
	AlwaysValidTokenFlag bool
}

Options provides all of the configuration parameters for secret discovery service.
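The following is an added example and not code from the sds package: a hypothetical ValidateOptions helper that checks an Options value for the misconfigurations an operator would want caught before calling NewServer (an enabled role without its UDS socket, a half-configured TLS key pair, a missing CA endpoint, a malformed SPIFFE trust domain). The Options type below is a local copy of the documented fields, included only so the block compiles without importing Istio, and the values in main are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Options mirrors the fields of sds.Options that the checks below touch.
// It is a local copy so this example compiles without importing Istio.
type Options struct {
	EnableWorkloadSDS       bool
	WorkloadUDSPath         string
	EnableIngressGatewaySDS bool
	IngressGatewayUDSPath   string
	CertFile                string
	KeyFile                 string
	CAEndpoint              string
	TrustDomain             string
	AlwaysValidTokenFlag    bool
}

// ValidateOptions is a hypothetical helper, not part of the sds package.
// It collects every problem found so an operator sees them all at once.
func ValidateOptions(o Options) []error {
	var errs []error

	// At least one SDS role must be enabled, otherwise the server serves nothing.
	if !o.EnableWorkloadSDS && !o.EnableIngressGatewaySDS {
		errs = append(errs, errors.New("neither workload nor ingress gateway SDS is enabled"))
	}

	// Each enabled role needs an absolute UDS path: the socket is the only
	// channel between proxy and agent, and a relative path depends on the cwd.
	if o.EnableWorkloadSDS {
		errs = append(errs, checkUDSPath("WorkloadUDSPath", o.WorkloadUDSPath)...)
	}
	if o.EnableIngressGatewaySDS {
		errs = append(errs, checkUDSPath("IngressGatewayUDSPath", o.IngressGatewayUDSPath)...)
	}
	// Both roles on one socket would make it ambiguous which cache a request targets.
	if o.EnableWorkloadSDS && o.EnableIngressGatewaySDS &&
		o.WorkloadUDSPath != "" && o.WorkloadUDSPath == o.IngressGatewayUDSPath {
		errs = append(errs, errors.New("workload and ingress gateway SDS share the same UDS path"))
	}

	// gRPC TLS needs both halves of the pair; one without the other is a
	// misconfiguration rather than a valid "TLS off" setting.
	if (o.CertFile == "") != (o.KeyFile == "") {
		errs = append(errs, errors.New("CertFile and KeyFile must be set together"))
	}

	// Without a CA endpoint the agent has nowhere to send CSRs.
	if strings.TrimSpace(o.CAEndpoint) == "" {
		errs = append(errs, errors.New("CAEndpoint is empty"))
	}

	// A SPIFFE trust domain is a non-empty, lower-case name with no scheme or path.
	if td := o.TrustDomain; td == "" || td != strings.ToLower(td) || strings.ContainsAny(td, "/:") {
		errs = append(errs, fmt.Errorf("TrustDomain %q is not a valid SPIFFE trust domain name", td))
	}
	return errs
}

// checkUDSPath rejects empty and relative socket paths for the named field.
func checkUDSPath(field, p string) []error {
	if p == "" {
		return []error{fmt.Errorf("%s is empty", field)}
	}
	if !filepath.IsAbs(p) {
		return []error{fmt.Errorf("%s %q is not an absolute path", field, p)}
	}
	return nil
}

func main() {
	// Constructed sample: workload SDS enabled but with a relative socket path,
	// a CertFile without a KeyFile, no CA endpoint and a mixed-case trust domain.
	bad := Options{
		EnableWorkloadSDS: true,
		WorkloadUDSPath:   "sds/uds_path",
		CertFile:          "/etc/certs/cert.pem",
		TrustDomain:       "Cluster.Local",
	}
	for _, err := range ValidateOptions(bad) {
		fmt.Println("config error:", err)
	}
}
```

Running the check before NewServer turns a server that starts and then fails on its first SDS request into a configuration error reported at startup, which is where an operator expects to see it.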

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the gRPC server that exposes SDS through UDS.

func NewServer

func NewServer(options Options, workloadSecretCache, gatewaySecretCache cache.SecretManager) (*Server, error)

NewServer creates and starts the gRPC server for SDS.

func (*Server) Stop

func (s *Server) Stop()

Stop closes the gRPC server.