Documentation
¶
Index ¶
- Variables
- func GatewayFromContext(ctx context.Context) core.GatewayID
- func NewRequestHandler(logger hclog.Logger, store store.Store, secretManager SecretManager) *server.CallbackFuncs
- func NewSecretManager(client SecretClient, cache SecretCache, logger hclog.Logger) *secretManager
- func SPIFFEStreamMiddleware(logger hclog.Logger, store store.ReadStore) grpc.StreamServerInterceptor
- type CertificateFetcher
- type Manager
- type ManagerConfig
- type MultiSecretClient
- type RequestHandler
- type SDSServer
- type SecretCache
- type SecretClient
- type SecretManager
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidSecretProtocol = errors.New("secret protocol is not registered")
Functions ¶
func GatewayFromContext ¶
GatewayFromContext retrieves info about a gateway from the context or nil if there is none
func NewRequestHandler ¶
func NewRequestHandler(logger hclog.Logger, store store.Store, secretManager SecretManager) *server.CallbackFuncs
NewRequestHandler initializes a RequestHandler instance and wraps it in a github.com/envoyproxy/go-control-plane/pkg/server/v3,(*CallbackFuncs) so that it can be used by the stock go-control-plane server implementation
func NewSecretManager ¶
func NewSecretManager(client SecretClient, cache SecretCache, logger hclog.Logger) *secretManager
NewSecretManager returns a secret manager that manages the use of an underlying SecretClient and SecretCache to track and keep TLS secrets up-to-date.
func SPIFFEStreamMiddleware ¶
func SPIFFEStreamMiddleware(logger hclog.Logger, store store.ReadStore) grpc.StreamServerInterceptor
SPIFFEStreamMiddleware verifies the spiffe entries for the certificate and sets the client identidy on the request context. If no spiffe information is detected, or if the service is unknown, the request is rejected.
Types ¶
type CertificateFetcher ¶
type CertificateFetcher interface {
RootPool() *x509.CertPool
TLSCertificate() *tls.Certificate
}
CertificateFetcher is used to fetch the CA and server certificate that the server should use for TLS
type Manager ¶
type Manager struct {
ManagerConfig
// contains filtered or unexported fields
}
Manager wraps and manages an envoy process and its bootstrap configuration
func NewManager ¶
func NewManager(logger hclog.Logger, config ManagerConfig) *Manager
NewManager returns a new Manager isntance
func (*Manager) CommandArgs ¶
CommandArgs returns the actual command for the manager to invoke
func (*Manager) RenderBootstrap ¶
RenderBootstrap persists a bootstrapped envoy template to disk
type ManagerConfig ¶
type ManagerConfig struct {
ID string
Namespace string
Partition string
ConsulCA string
ConsulAddress string
ConsulXDSPort int
Token string
BootstrapFilePath string
LogLevel string
EnvoyBinary string
ExtraArgs []string
Output io.Writer
ForceTLS bool
}
ManagerConfig configures a Manager
type MultiSecretClient ¶
type MultiSecretClient struct {
// contains filtered or unexported fields
}
MultiSecretClient implements a registry of secret clients that handle fetching secrets based off of the protocol they're given in the secret name.
func NewMultiSecretClient ¶
func NewMultiSecretClient() *MultiSecretClient
func (*MultiSecretClient) FetchSecret ¶
func (*MultiSecretClient) Register ¶
func (m *MultiSecretClient) Register(protocol string, client SecretClient)
type RequestHandler ¶
type RequestHandler struct {
// contains filtered or unexported fields
}
RequestHandler implements the handlers for an SDS Delta server
func (*RequestHandler) OnStreamClosed ¶
func (r *RequestHandler) OnStreamClosed(streamID int64)
OnStreamClosed is invoked when an envoy instance disconnects from the server
func (*RequestHandler) OnStreamOpen ¶
func (r *RequestHandler) OnStreamOpen(ctx context.Context, streamID int64) error
OnStreamOpen is invoked when an envoy instance first connects to the server
func (*RequestHandler) OnStreamRequest ¶
func (r *RequestHandler) OnStreamRequest(streamID int64, req *discovery.DiscoveryRequest) error
OnStreamRequest is invoked when a request for resources comes in from the envoy instance
type SDSServer ¶
type SDSServer struct {
// contains filtered or unexported fields
}
SDSServer wraps a gRPC-based SDS Delta server
func NewSDSServer ¶
func NewSDSServer(logger hclog.Logger, fetcher CertificateFetcher, client SecretClient, store store.Store) *SDSServer
NEWSDSServer initializes an SDSServer instance
type SecretCache ¶
type SecretCache interface {
UpdateResource(name string, res types.Resource) error
DeleteResource(name string) error
}
SecretCache is used as an intermediate cache for pushing tls certificates into. In practice we're using github.com/envoyproxy/go-control-plane/pkg/cache.(*LinearCache) as the concrete struct that implements this and handles notifying watched gRPC streams when we push new requested resources into into or delete existing resources from the cache.
type SecretClient ¶
type SecretClient interface {
FetchSecret(ctx context.Context, name string) (*tls.Secret, time.Time, error)
}
SecretClient is used to retrieve TLS secrets. When a gRPC stream attempts to watch a secret we first check if we've already pushed it into our intermediate SecretCache, if we have, then we only increment a reference counter used to track the lifecycle of the watched secret. If we are not yet tracking the secret, we retrieve it remotely via the SecretClient.
type SecretManager ¶
type SecretManager interface {
// SetResourcesForNode sets a list of TLS certificates being tracked by the node
SetResourcesForNode(ctx context.Context, names []string, node string) error
// Watch is used for tracking an envoy node's TLS secrets of interest
Watch(ctx context.Context, names []string, node string) error
// Unwatch is used for removing a subset of an envoy node's TLS secrets
// from the list the node's secrets of interest
Unwatch(ctx context.Context, names []string, node string) error
// UnwatchAll is used to completely unwatch all a node's secrets
UnwatchAll(ctx context.Context, node string) error
// Manage is used for re-fetching expiring TLS certificates and updating them
Manage(ctx context.Context, forceInterval time.Duration)
}
SecretManager handles the lifecycle of watched TLS secrets. TODO Trim down this interface - Watch() and Unwatch() are never used
Source Files
Directories