Index ¶
- Constants
- func CalculateCaPems(caPems *bytes.Buffer) *bytes.Buffer
- func GetSpiffeIdFromCert(cert *x509.Certificate) (*url.URL, error)
- func GetSpiffeIdFromCertChain(certs []*x509.Certificate) (*url.URL, error)
- func GetSpiffeIdFromIdentity(id identity.Identity) (*url.URL, error)
- func GetSpiffeIdFromTlsCertChain(tlsCerts []*tls.Certificate) (*url.URL, error)
- func ValidateSpiffeId(id *identity.TokenId, spiffeId *url.URL) error
- type Api
- type CertValidatingIdentity
- type Config
- type CtrlOptions
- type EdgeConfig
- type Enrollment
- type EnrollmentOption
- type HttpTimeouts
- type IdentityStatusConfig
- type IdentityStatusSource
- type NetworkConfig
- type RaftConfig
- type Totp
Constants ¶
const (
	// DefaultProfileMemoryInterval is presumably the default for Config.Profile.Memory.Interval (by name).
	DefaultProfileMemoryInterval = 15 * time.Second

	// Defaults that, by name, correspond to Config.HealthChecks.BoltCheck.
	DefaultHealthChecksBoltCheckInterval     = 30 * time.Second
	DefaultHealthChecksBoltCheckTimeout      = 20 * time.Second
	DefaultHealthChecksBoltCheckInitialDelay = 30 * time.Second

	// DefaultRaftCommandHandlerMaxQueueSize is presumably the default for
	// RaftConfig.CommandHandlerOptions.MaxQueueSize (a uint16, so 250 fits).
	DefaultRaftCommandHandlerMaxQueueSize = 250

	// DefaultTlsHandshakeRateLimiterEnabled is whether the tls handshake rate limiter is enabled by default.
	// NOTE(review): it is off by default, so unauthenticated peers can drive TLS handshake work without an
	// adaptive bound unless an operator enables it — confirm that is acceptable for internet-facing listeners.
	DefaultTlsHandshakeRateLimiterEnabled = false
	// TlsHandshakeRateLimiterMinSizeValue is the minimum size that can be configured for the tls handshake rate limiter
	// window range
	TlsHandshakeRateLimiterMinSizeValue = 5
	// TlsHandshakeRateLimiterMaxSizeValue is the maximum size that can be configured for the tls handshake rate limiter
	// window range
	TlsHandshakeRateLimiterMaxSizeValue = 10000
	// TlsHandshakeRateLimiterMetricOutstandingCount is the name of the metric tracking how many tasks are in process
	TlsHandshakeRateLimiterMetricOutstandingCount = "tls_handshake_limiter.in_process"
	// TlsHandshakeRateLimiterMetricCurrentWindowSize is the name of the metric tracking the current window size
	TlsHandshakeRateLimiterMetricCurrentWindowSize = "tls_handshake_limiter.window_size"
	// TlsHandshakeRateLimiterMetricWorkTimer is the name of the metric tracking how long successful tasks are taking to complete
	TlsHandshakeRateLimiterMetricWorkTimer = "tls_handshake_limiter.work_timer"
	// DefaultTlsHandshakeRateLimiterMaxWindow is the default max size for the tls handshake rate limiter.
	// It lies within [TlsHandshakeRateLimiterMinSizeValue, TlsHandshakeRateLimiterMaxSizeValue].
	DefaultTlsHandshakeRateLimiterMaxWindow = 1000

	// Defaults that, by name, correspond to Config.RouterDataModel.
	DefaultRouterDataModelEnabled            = true
	DefaultRouterDataModelLogSize            = 10_000
	DefaultRouterDataModelListenerBufferSize = 1000
)
const (
	// Edge API activity-update batching. Note the inconsistent "Api"/"API" casing across these exported
	// names; they cannot be renamed without breaking callers.
	DefaultEdgeApiActivityUpdateBatchSize = 250
	DefaultEdgeAPIActivityUpdateInterval  = 90 * time.Second
	MaxEdgeAPIActivityUpdateBatchSize     = 10000
	MinEdgeAPIActivityUpdateBatchSize     = 1
	MaxEdgeAPIActivityUpdateInterval      = 10 * time.Minute
	// MinEdgeAPIActivityUpdateInterval is the floor for the update interval; 1ms is very permissive —
	// presumably clamping, not a recommended value.
	MinEdgeAPIActivityUpdateInterval = time.Millisecond

	// Edge session lifetime (see EdgeConfig.SessionTimeoutDuration).
	DefaultEdgeSessionTimeout = 30 * time.Minute
	MinEdgeSessionTimeout     = 1 * time.Minute

	// Edge enrollment token lifetime: default 3 hours, never less than 5 minutes.
	MinEdgeEnrollmentDuration     = 5 * time.Minute
	DefaultEdgeEnrollmentDuration = 180 * time.Minute

	// Defaults for HttpTimeouts (see DefaultHttpTimeouts). Read/header/idle are 5s; write is 100s.
	DefaultHttpIdleTimeout       = 5000 * time.Millisecond
	DefaultHttpReadTimeout       = 5000 * time.Millisecond
	DefaultHttpReadHeaderTimeout = 5000 * time.Millisecond
	DefaultHttpWriteTimeout      = 100000 * time.Millisecond

	// DefaultTotpDomain is the default issuer/domain used for TOTP (see Totp) — confirm exact use.
	DefaultTotpDomain = "openziti.io"

	// Authentication rate limiter (EdgeConfig.AuthRateLimiter). Unlike the TLS handshake limiter,
	// this one is enabled by default.
	DefaultAuthRateLimiterEnabled = true
	DefaultAuthRateLimiterMaxSize = 250
	DefaultAuthRateLimiterMinSize = 5
	AuthRateLimiterMinSizeValue   = 5
	AuthRateLimiterMaxSizeValue   = 1000

	// Identity online-status tracking (IdentityStatusConfig).
	DefaultIdentityOnlineStatusScanInterval   = time.Minute
	MinIdentityOnlineStatusScanInterval       = time.Second
	DefaultIdentityOnlineStatusUnknownTimeout = 5 * time.Minute
	DefaultIdentityOnlineStatusSource         = IdentityStatusSourceHybrid
)
const (
	// Defaults for NetworkConfig (see DefaultNetworkConfig). Field correspondence is by name.
	DefaultOptionsCreateCircuitRetries        = 2
	DefaultOptionsCycleSeconds                = 60
	DefaultOptionsEnableLegacyLinkMgmt        = false
	DefaultOptionsInitialLinkLatency          = 65 * time.Second
	DefaultOptionsPendingLinkTimeout          = 10 * time.Second
	DefaultOptionsMetricsReportInterval       = time.Minute
	DefaultOptionsMinRouterCost               = 10
	DefaultOptionsRouterConnectChurnLimit     = time.Minute
	DefaultOptionsRouterMessagingMaxWorkers   = 100
	DefaultOptionsRouterMessagingQueueSize    = 100
	DefaultOptionsRouteTimeout                = 10 * time.Second
	DefaultOptionsSmartRerouteCap             = 4
	DefaultOptionsSmartRerouteFraction        = 0.02
	DefaultOptionsSmartRerouteMinCostDelta    = 15

	// Upper bounds for NetworkConfig.RouterComm (presumably clamps on QueueSize / MaxWorkers — confirm).
	OptionsRouterCommMaxQueueSize = 1_000_000
	OptionsRouterCommMaxWorkers   = 10_000
)
Variables ¶
This section is empty.
Functions ¶
func CalculateCaPems ¶
CalculateCaPems takes the supplied caPems buffer as a set of PEM certificates separated by newlines. Duplicate certificates are removed, and the result is returned as a bytes.Buffer of PEM certificates separated by newlines. De-duplication is not validation: nothing here states that the certificates are parsed or checked for validity or trust, so callers must not rely on this function to reject malformed or unwanted CAs.
func GetSpiffeIdFromCert ¶ added in v1.1.6
func GetSpiffeIdFromCert(cert *x509.Certificate) (*url.URL, error)
GetSpiffeIdFromCert will search a single x509 certificate for a trust domain encoded as a spiffe:// URI SAN. A certificate must contain 0 or 1 spiffe:// URI SAN. If one is present, its SPIFFE id is returned; if none is present, nil is returned with a nil error. Errors are returned for parsing and processing errors only. The id is read from the certificate's SAN contents; it is only meaningful once the certificate has been validated against the expected trust roots.
func GetSpiffeIdFromCertChain ¶ added in v1.1.6
func GetSpiffeIdFromCertChain(certs []*x509.Certificate) (*url.URL, error)
GetSpiffeIdFromCertChain cycles through a slice of certificates ordered from the leaf up through its CAs. Each certificate must contain 0 or 1 spiffe:// URI SAN. The first SPIFFE id encountered walking up the chain toward the root CA is returned. If no SPIFFE id is encountered, nil is returned. Errors are returned for parsing and processing errors only. Note that this extracts an identifier from SAN contents and, by this description, does not verify the chain itself; the returned id should only be trusted after the chain has been validated against the expected roots (for example via CertValidatingIdentity.VerifyConnection) and, presumably, checked against the configured trust domain with ValidateSpiffeId.
func GetSpiffeIdFromIdentity ¶ added in v1.1.6
GetSpiffeIdFromIdentity will search an Identity for a trust domain encoded as a spiffe:// URI SAN, starting from the server certificate and walking up its signing chain. Each certificate must contain 0 or 1 spiffe:// URI SAN. The first SPIFFE id encountered walking up the chain toward the root CA is returned. If no SPIFFE id is encountered, nil is returned. Errors are returned for parsing and processing errors only.
func GetSpiffeIdFromTlsCertChain ¶ added in v1.1.6
func GetSpiffeIdFromTlsCertChain(tlsCerts []*tls.Certificate) (*url.URL, error)
GetSpiffeIdFromTlsCertChain will search a tls certificate chain for a trust domain encoded as a spiffe:// URI SAN. Each certificate must contain 0 or 1 spiffe:// URI SAN. The first SPIFFE id looking up the chain is returned. If no SPIFFE id is encountered, nil is returned. Errors are returned for parsing and processing errors only.
Types ¶
type CertValidatingIdentity ¶ added in v1.1.6
func (*CertValidatingIdentity) ClientTLSConfig ¶ added in v1.1.6
func (self *CertValidatingIdentity) ClientTLSConfig() *tls.Config
func (*CertValidatingIdentity) ServerTLSConfig ¶ added in v1.1.6
func (self *CertValidatingIdentity) ServerTLSConfig() *tls.Config
func (*CertValidatingIdentity) VerifyConnection ¶ added in v1.1.6
func (self *CertValidatingIdentity) VerifyConnection(state tls.ConnectionState) error
type Config ¶
// Config is the top-level controller configuration.
type Config struct {
	// Id is presumably the controller's own identity (certificates and keys) — confirm against LoadConfig.
	Id *identity.TokenId
	// SpiffeIdTrustDomain is the primary trust domain expected in SPIFFE URI SANs; presumably what
	// ValidateSpiffeId checks a presented id against — confirm.
	SpiffeIdTrustDomain *url.URL
	// AdditionalTrustDomains are further trust domains that are also accepted.
	// NOTE(review): every entry widens which SPIFFE ids are trusted; keep this list deliberate.
	AdditionalTrustDomains []*url.URL
	// Raft holds the consensus configuration; see RaftConfig.
	Raft *RaftConfig
	// Network holds fabric/link tuning; see NetworkConfig and DefaultNetworkConfig.
	Network *NetworkConfig
	// Edge holds the edge API / enrollment configuration; see EdgeConfig.
	Edge *EdgeConfig
	// Db is the opened bolt database handle.
	Db boltz.Db
	// Trace configures channel tracing.
	Trace struct {
		Handler *channel.TraceHandler
	}
	// Profile configures optional runtime profiling output. Path is where the profile is written;
	// the memory Interval default is presumably DefaultProfileMemoryInterval.
	Profile struct {
		Memory struct {
			Path     string
			Interval time.Duration
		}
		CPU struct {
			Path string
		}
	}
	// Ctrl is the control-plane listener for routers/peers; see CtrlOptions.
	Ctrl struct {
		Listener transport.Address
		Options  *CtrlOptions
	}
	// HealthChecks configures the bolt health check; defaults are presumably
	// DefaultHealthChecksBoltCheck{Interval,Timeout,InitialDelay} (by name).
	HealthChecks struct {
		BoltCheck struct {
			Interval     time.Duration
			Timeout      time.Duration
			InitialDelay time.Duration
		}
	}
	// RouterDataModel configures the router data model; defaults by name are DefaultRouterDataModel*.
	RouterDataModel common.RouterDataModelConfig
	// CommandRateLimiter bounds command handling; no defaults for it are listed on this page.
	CommandRateLimiter command.RateLimiterConfig
	// TlsHandshakeRateLimiter adaptively bounds concurrent TLS handshakes. Per
	// DefaultTlsHandshakeRateLimiterEnabled it is disabled by default; operators exposing
	// listeners to untrusted networks should consider enabling it.
	TlsHandshakeRateLimiter command.AdaptiveRateLimiterConfig
	// Src is the raw parsed configuration map the typed fields were loaded from.
	// NOTE(review): it may carry secrets or key-material paths verbatim — avoid logging or exposing it.
	Src map[interface{}]interface{}
}
func LoadConfig ¶ added in v1.1.6
type CtrlOptions ¶ added in v1.1.6
// CtrlOptions extends channel.Options with control-plane listener settings that are not channel-specific.
type CtrlOptions struct {
	*channel.Options
	// NewListener is an additional listener address (optional; nil when unset).
	NewListener *transport.Address
	// AdvertiseAddress is the address published to routers/peers (optional; nil when unset).
	AdvertiseAddress *transport.Address
	// RouterHeartbeatOptions tunes heartbeats on router control channels.
	RouterHeartbeatOptions *channel.HeartbeatOptions
	// PeerHeartbeatOptions tunes heartbeats on controller-peer channels.
	PeerHeartbeatOptions *channel.HeartbeatOptions
}
CtrlOptions extends channel.Options with additional, non-channel-specific options (e.g. NewListener).
type EdgeConfig ¶ added in v1.1.6
// EdgeConfig is the edge (API, enrollment, identity status, TOTP, auth rate limiting) configuration.
// Construct via NewEdgeConfig or LoadEdgeConfigFromMap.
type EdgeConfig struct {
	// Enabled toggles the edge functionality as a whole.
	Enabled bool
	// Api holds edge API settings (type Api is not expanded on this page).
	Api Api
	// Enrollment holds the enrollment signing identity and per-kind enrollment options.
	Enrollment Enrollment
	// IdentityStatusConfig controls how identity online status is determined.
	IdentityStatusConfig IdentityStatusConfig
	// Totp holds TOTP settings (type Totp is not expanded on this page); see DefaultTotpDomain.
	Totp Totp
	// AuthRateLimiter adaptively bounds authentication work; enabled by default per
	// DefaultAuthRateLimiterEnabled, sized by DefaultAuthRateLimiterMinSize/MaxSize.
	AuthRateLimiter command.AdaptiveRateLimiterConfig
	// contains filtered or unexported fields (presumably the buffered CA PEMs behind
	// AddCaPems/RefreshCas/CaCerts/CaPems — confirm)
}
func LoadEdgeConfigFromMap ¶ added in v1.1.6
func LoadEdgeConfigFromMap(configMap map[interface{}]interface{}) (*EdgeConfig, error)
func NewEdgeConfig ¶ added in v1.1.6
func NewEdgeConfig() *EdgeConfig
func (*EdgeConfig) AddCaPems ¶ added in v1.1.6
func (c *EdgeConfig) AddCaPems(caPems []byte)
AddCaPems appends a byte slice of PEM-encoded certificates, separated by newlines, to the currently buffered list of CAs. RefreshCas should be called once all AddCaPems calls are complete; until then, callers should not assume the added certificates are reflected by CaCerts or CaPems.
func (*EdgeConfig) CaCerts ¶ added in v1.1.6
func (c *EdgeConfig) CaCerts() []*x509.Certificate
func (*EdgeConfig) CaPems ¶ added in v1.1.6
func (c *EdgeConfig) CaPems() []byte
func (*EdgeConfig) RefreshCas ¶ added in v1.1.6
func (c *EdgeConfig) RefreshCas()
func (*EdgeConfig) SessionTimeoutDuration ¶ added in v1.1.6
func (c *EdgeConfig) SessionTimeoutDuration() time.Duration
type Enrollment ¶
// Enrollment holds the identity used to sign enrollments and the per-kind enrollment options.
type Enrollment struct {
	// SigningCert is the loaded signing identity. NOTE(review): presumably the private key behind it
	// can mint enrollments; protect it like a CA key.
	SigningCert identity.Identity
	// SigningCertConfig is the identity configuration SigningCert was loaded from.
	SigningCertConfig identity.Config
	// SigningCertCaPem is the PEM-encoded CA material associated with the signing cert.
	SigningCertCaPem []byte
	// EdgeIdentity holds enrollment options for edge identities (type EnrollmentOption is not expanded here).
	EdgeIdentity EnrollmentOption
	// EdgeRouter holds enrollment options for edge routers.
	EdgeRouter EnrollmentOption
}
type EnrollmentOption ¶
type HttpTimeouts ¶
// HttpTimeouts are the server-side HTTP timeouts. Non-zero values bound how long a slow or stalled
// client can hold a connection open. Defaults come from DefaultHttpTimeouts; by name they are
// presumably DefaultHttpReadTimeout, DefaultHttpReadHeaderTimeout, DefaultHttpWriteTimeout and
// DefaultHttpIdleTimeout respectively.
type HttpTimeouts struct {
	ReadTimeoutDuration       time.Duration
	ReadHeaderTimeoutDuration time.Duration
	WriteTimeoutDuration      time.Duration
	// IdleTimeoutsDuration: the plural "Timeouts" is inconsistent with its siblings, but the exported
	// name cannot be changed without breaking callers.
	IdleTimeoutsDuration time.Duration
}
func DefaultHttpTimeouts ¶
func DefaultHttpTimeouts() *HttpTimeouts
type IdentityStatusConfig ¶ added in v1.2.0
// IdentityStatusConfig controls how identity online status is tracked.
type IdentityStatusConfig struct {
	// Source selects the signal used; default DefaultIdentityOnlineStatusSource (hybrid).
	Source IdentityStatusSource
	// ScanInterval is how often status is re-evaluated; default DefaultIdentityOnlineStatusScanInterval,
	// floor MinIdentityOnlineStatusScanInterval.
	ScanInterval time.Duration
	// UnknownTimeout is presumably how long without a signal before status becomes unknown;
	// default DefaultIdentityOnlineStatusUnknownTimeout — confirm exact semantics.
	UnknownTimeout time.Duration
}
type IdentityStatusSource ¶ added in v1.2.0
// IdentityStatusSource selects which signal determines whether an identity is online.
type IdentityStatusSource uint32

const (
	// IdentityStatusSourceHeartbeats derives status from heartbeats only.
	IdentityStatusSourceHeartbeats IdentityStatusSource = 1
	// IdentityStatusSourceConnectEvents derives status from connect/disconnect events only.
	IdentityStatusSourceConnectEvents IdentityStatusSource = 2
	// IdentityStatusSourceHybrid combines both; this is the default (DefaultIdentityOnlineStatusSource).
	IdentityStatusSourceHybrid IdentityStatusSource = 3
)
type NetworkConfig ¶ added in v1.1.6
// NetworkConfig holds fabric/link tuning. Defaults are provided by DefaultNetworkConfig; the
// DefaultOptions* constants correspond to these fields by name.
type NetworkConfig struct {
	CreateCircuitRetries uint32 // default DefaultOptionsCreateCircuitRetries (2)
	CycleSeconds         uint32 // default DefaultOptionsCycleSeconds (60)
	EnableLegacyLinkMgmt bool   // default DefaultOptionsEnableLegacyLinkMgmt (false)
	InitialLinkLatency   time.Duration // default DefaultOptionsInitialLinkLatency (65s)
	// IntervalAgeThreshold has no default constant listed on this page.
	IntervalAgeThreshold    time.Duration
	MetricsReportInterval   time.Duration // default DefaultOptionsMetricsReportInterval (1m)
	MinRouterCost           uint16        // default DefaultOptionsMinRouterCost (10)
	PendingLinkTimeout      time.Duration // default DefaultOptionsPendingLinkTimeout (10s)
	RouteTimeout            time.Duration // default DefaultOptionsRouteTimeout (10s)
	RouterConnectChurnLimit time.Duration // default DefaultOptionsRouterConnectChurnLimit (1m)
	// RouterComm sizes router messaging; presumably defaults DefaultOptionsRouterMessaging{QueueSize,MaxWorkers}
	// and caps OptionsRouterCommMax{QueueSize,Workers} — confirm.
	RouterComm struct {
		QueueSize  uint32
		MaxWorkers uint32
	}
	// Smart tunes smart rerouting; defaults DefaultOptionsSmartReroute{Fraction,Cap,MinCostDelta}.
	Smart struct {
		RerouteFraction float32
		RerouteCap      uint32
		MinCostDelta    uint32
	}
}
func DefaultNetworkConfig ¶ added in v1.1.6
func DefaultNetworkConfig() *NetworkConfig
func LoadNetworkConfig ¶ added in v1.1.6
func LoadNetworkConfig(src map[interface{}]interface{}) (*NetworkConfig, error)
type RaftConfig ¶ added in v1.1.6
// RaftConfig holds the consensus configuration. Pointer-typed tuning fields are optional; nil
// presumably means "use the raft library default" — confirm.
type RaftConfig struct {
	// Recover requests recovery mode on startup. NOTE(review): recovery typically rewrites cluster
	// membership; confirm it is never left enabled in steady-state config.
	Recover bool
	// DataDir is where raft state is persisted.
	DataDir string
	// AdvertiseAddress is the address other cluster members use to reach this node.
	AdvertiseAddress transport.Address
	// InitialMembers bootstraps the cluster; format of each entry is not specified on this page.
	InitialMembers []string
	// CommandHandlerOptions.MaxQueueSize defaults, by name, to DefaultRaftCommandHandlerMaxQueueSize (250).
	CommandHandlerOptions struct {
		MaxQueueSize uint16
	}
	SnapshotInterval  *time.Duration
	SnapshotThreshold *uint32
	TrailingLogs      *uint32
	MaxAppendEntries  *uint32
	// Election/heartbeat/lease timeouts are required (non-pointer) values.
	ElectionTimeout    time.Duration
	CommitTimeout      *time.Duration
	HeartbeatTimeout   time.Duration
	LeaderLeaseTimeout time.Duration
	// LogLevel overrides the raft logger level when set.
	LogLevel *string
	// Logger is the hclog logger handed to raft.
	Logger hclog.Logger
	// WarnWhenLeaderlessFor is how long the cluster may lack a leader before a warning is emitted.
	WarnWhenLeaderlessFor time.Duration
}