istio.io/istio/security/pkg/nodeagent/sds

package sds

v0.0.0 (7af0740)
Published: 2 hours ago | License: Apache-2.0 | Module: istio.io/istio

Overview

Package sds implements the secret discovery service (SDS) in NodeAgent.

Constants

const (
	// SecretType is used for secret discovery service to construct response.
	SecretType = "type.googleapis.com/envoy.api.v2.auth.Secret"
)

func NewPlugins

func NewPlugins(in []string) []plugin.Plugin

NewPlugins returns a slice of default Plugins.

func NotifyProxy

func NotifyProxy(connKey cache.ConnKey, secret *model.SecretItem) error

NotifyProxy sends a notification to the proxy about a secret update; SDS closes the streaming connection if secret is nil.

type ClientDebug

type ClientDebug struct {
	ConnectionID string `json:"connection_id"`
	ProxyID      string `json:"proxy"`
	ResourceName string `json:"resource_name"`

	// fields from secret item
	CertificateChain string `json:"certificate_chain"`
	RootCert         string `json:"root_cert"`
	CreatedTime      string `json:"created_time"`
	ExpireTime       string `json:"expire_time"`
}

ClientDebug represents a single SDS connection to the node agent

type Debug

type Debug struct {
	Clients []ClientDebug `json:"clients"`
}

Debug represents all clients connected to this node agent endpoint and their supplied secrets
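As an added example (not code from the istio project), the following Go program mirrors the ClientDebug and Debug types above, parses a constructed debug dump of the kind the node agent serves on DebugPort, and flags connections whose secret has expired, is about to expire, or carries an expire_time that cannot be parsed. The RFC 3339 timestamp format, the sample proxy IDs and the shortened certificate fields are assumptions; the page does not state the timestamp format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// ClientDebug and Debug mirror the JSON shape of the sds debug dump,
// with the field names and tags as documented for the package.
type ClientDebug struct {
	ConnectionID     string `json:"connection_id"`
	ProxyID          string `json:"proxy"`
	ResourceName     string `json:"resource_name"`
	CertificateChain string `json:"certificate_chain"`
	RootCert         string `json:"root_cert"`
	CreatedTime      string `json:"created_time"`
	ExpireTime       string `json:"expire_time"`
}

type Debug struct {
	Clients []ClientDebug `json:"clients"`
}

// sampleDump is a constructed debug dump. Timestamps are assumed to be
// RFC 3339 and the PEM fields are shortened; none of this is real data.
const sampleDump = `{"clients":[
  {"connection_id":"conn-1","proxy":"sidecar~10.0.0.1~web-0.default~default.svc.cluster.local","resource_name":"default","certificate_chain":"-----BEGIN CERTIFICATE-----...","root_cert":"-----BEGIN CERTIFICATE-----...","created_time":"2020-05-01T10:00:00Z","expire_time":"2020-05-02T10:00:00Z"},
  {"connection_id":"conn-2","proxy":"sidecar~10.0.0.2~api-0.default~default.svc.cluster.local","resource_name":"default","certificate_chain":"-----BEGIN CERTIFICATE-----...","root_cert":"-----BEGIN CERTIFICATE-----...","created_time":"2020-05-01T10:00:00Z","expire_time":"2020-05-01T12:30:00Z"},
  {"connection_id":"conn-3","proxy":"router~10.0.1.1~ingress-0.istio-system~istio-system.svc.cluster.local","resource_name":"ROOTCA","certificate_chain":"","root_cert":"-----BEGIN CERTIFICATE-----...","created_time":"2020-05-01T10:00:00Z","expire_time":"not-a-time"}
]}`

// ParseDebug decodes a debug dump into the Debug structure.
func ParseDebug(raw []byte) (Debug, error) {
	var d Debug
	if err := json.Unmarshal(raw, &d); err != nil {
		return Debug{}, err
	}
	return d, nil
}

// Finding describes one connected client whose secret needs attention.
type Finding struct {
	ConnectionID string
	ProxyID      string
	Reason       string
}

// CheckExpiry reports clients whose certificate has already expired, expires
// within window of now, or whose expire_time cannot be parsed (treated as a
// finding rather than silently skipped, so a malformed dump is not mistaken
// for a healthy one).
func CheckExpiry(d Debug, now time.Time, window time.Duration) []Finding {
	var out []Finding
	for _, c := range d.Clients {
		exp, err := time.Parse(time.RFC3339, c.ExpireTime)
		switch {
		case err != nil:
			out = append(out, Finding{c.ConnectionID, c.ProxyID, "unparsable expire_time: " + c.ExpireTime})
		case !exp.After(now):
			out = append(out, Finding{c.ConnectionID, c.ProxyID, "certificate already expired"})
		case exp.Sub(now) <= window:
			out = append(out, Finding{c.ConnectionID, c.ProxyID, fmt.Sprintf("certificate expires in %s", exp.Sub(now))})
		}
	}
	return out
}

func main() {
	d, err := ParseDebug([]byte(sampleDump))
	if err != nil {
		panic(err)
	}
	// Fixed "now" so the constructed dump evaluates the same way on every run.
	now := time.Date(2020, 5, 1, 11, 0, 0, 0, time.UTC)
	for _, f := range CheckExpiry(d, now, 2*time.Hour) {
		fmt.Printf("%s %s: %s\n", f.ConnectionID, f.ProxyID, f.Reason)
	}
}
```

With the sample dump and a two-hour window, conn-2 is reported as expiring soon and conn-3 for its unparsable timestamp, while conn-1 (a day left) is not reported. Against a live agent the dump would come from the DebugPort endpoint instead of the embedded constant.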

type Options

type Options struct {
	// PluginNames lists the plugins to use for a given authentication provider.
	PluginNames []string

	// WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
	WorkloadUDSPath string

	// IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
	// ingress gateway proxies.
	IngressGatewayUDSPath string

	// CertFile is the path of Cert File for gRPC server TLS settings.
	CertFile string

	// KeyFile is the path of Key File for gRPC server TLS settings.
	KeyFile string

	// CAEndpoint is the CA endpoint to which node agent sends CSR request.
	CAEndpoint string

	// The CA provider name.
	CAProviderName string

	// TrustDomain corresponds to the trust root of a system.
	// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
	TrustDomain string

	// The Vault CA address.
	VaultAddress string

	// The Vault auth path.
	VaultAuthPath string

	// The Vault role.
	VaultRole string

	// The Vault sign CSR path.
	VaultSignCsrPath string

	// The Vault TLS root certificate.
	VaultTLSRootCert string

	// GrpcServer is an already configured (shared) grpc server. If set, the agent will just register on the server.
	GrpcServer *grpc.Server

	// RecycleInterval is the interval at which the recycle job runs (to clean up stale SDS client connections).
	RecycleInterval time.Duration

	// Debug server port from which node_agent serves SDS configuration dumps
	DebugPort int

	// EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
	EnableWorkloadSDS bool

	// EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
	EnableIngressGatewaySDS bool

	// AlwaysValidTokenFlag is set to true if the token used is always valid (e.g., a normal k8s JWT).
	AlwaysValidTokenFlag bool

	// UseLocalJWT is set when the sds server should use its own local JWT, and not expect one
	// from the UDS caller. Used when it runs in the same container with Envoy.
	UseLocalJWT bool

	// Whether to generate PKCS#8 private keys.
	Pkcs8Keys bool

	// PilotCertProvider is the provider of the Pilot certificate.
	PilotCertProvider string

	// JWTPath is the path for the JWT token
	JWTPath string

	// OutputKeyCertToDir is the directory to which the key and certificate are written.
	OutputKeyCertToDir string

	// Existing certs, for VM or existing certificates
	CertsDir string

	// TLSEnabled is whether ControlPlaneAuthPolicy is MUTUAL_TLS.
	TLSEnabled bool

	// ClusterID is the cluster ID
	ClusterID string

	// ECCSigAlg is the elliptic curve signature algorithm to use
	// when generating private keys. Currently only ECDSA is supported.
	ECCSigAlg string

	// FileMountedCerts indicates file mounted certs.
	FileMountedCerts bool
}

Options provides all of the configuration parameters for secret discovery service.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is the gRPC server that exposes SDS through UDS.

func NewServer

func NewServer(options Options, workloadSecretCache, gatewaySecretCache cache.SecretManager) (*Server, error)

NewServer creates and starts the gRPC server for SDS.

func (*Server) Stop

func (s *Server) Stop()

Stop closes the gRPC server and debug server.

Documentation was rendered with GOOS=linux and GOARCH=amd64.
