README
¶
XDS Bootstrap
- NAMESPACE
- Location
GCP specific config
From MDS:
- PROJECT_ID
- PROJECT_NUMBER
From GKE MDS (only when running in GKE):
- CLUSTER_NAME
- CLUSTER_LOCATION
MDS
- instanceID
- Tokens
- project id
K8S JWT
{
"aud": [
"https://container.googleapis.com/v1/projects/costin-asm1/locations/us-central1-c/clusters/big1"
],
"exp": 1706276151,
"iat": 1674740151,
"iss": "https://container.googleapis.com/v1/projects/costin-asm1/locations/us-central1-c/clusters/big1",
"kubernetes.io": {
"namespace": "fortio-asm",
"pod": {
"name": "fortio-7b8dd44578-m8l5g",
"uid": "b32a3b54-31c9-429c-bddf-25fbe9960a96"
},
"serviceaccount": {
"name": "default",
"uid": "3f5d5c4f-0e16-4c0c-9339-3df707d47e2c"
},
"warnafter": 1674743758
},
"nbf": 1674740151,
"sub": "system:serviceaccount:fortio-asm:default"
}
Documentation
¶
Index ¶
- func LoadKubeconfig() (*meshauth.KubeConfig, error)
- type GRPCServer
- type GenerateBootstrapOptions
- type MeshCertProvider
- type MeshCerts
- type XDSCreds
- func (x *XDSCreds) Build(config json.RawMessage) (credentials.Bundle, error)
- func (x *XDSCreds) Name() string
- func (x *XDSCreds) NewWithMode(mode string) (credentials.Bundle, error)
- func (x *XDSCreds) PerRPCCredentials() credentials.PerRPCCredentials
- func (x *XDSCreds) TransportCredentials() credentials.TransportCredentials
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadKubeconfig ¶
func LoadKubeconfig() (*meshauth.KubeConfig, error)
Load a kube config file for meshauth. Used to bootstrap auth.
Types ¶
type GRPCServer ¶
type GRPCServer interface {
RegisterService(*grpc.ServiceDesc, interface{})
Serve(net.Listener) error
Stop()
GracefulStop()
GetServiceInfo() map[string]grpc.ServiceInfo
}
GRPCServer is the interface implemented by both grpc
func GenerateGRPCXDS ¶
func GenerateGRPCXDS(opts *GenerateBootstrapOptions) (GRPCServer, error)
GenerateBootstrap will write a Istio bootstrap file in the location expected by gRPC, using Istio environment variables:
XDS_ADDR - the address of the XDS server, defaults to istiod.istio-system.svc:15010 if cert not set, and 15012 if root cert found POD_NAMESPACE, LABELS - based on standard mounts ISTIO_META_env variables used like in regular Istio ...
type MeshCertProvider ¶
type MeshCertProvider struct {
}
func (*MeshCertProvider) Name ¶
func (c *MeshCertProvider) Name() string
func (*MeshCertProvider) ParseConfig ¶
func (c *MeshCertProvider) ParseConfig(i interface{}) (*certprovider.BuildableConfig, error)
type MeshCerts ¶
type MeshCerts struct {
}
func (*MeshCerts) KeyMaterial ¶
func (c *MeshCerts) KeyMaterial(ctx context.Context) (*certprovider.KeyMaterial, error)
type XDSCreds ¶
type XDSCreds struct {
}
XDSCreds provides credentials for authenticating with the XDS server. Token: - Istio-ca path - k8s token - MDS - if available - google default credentials
Client certs: - workload id files - old istio files
TransportCredentials also sets the expected CA and SAN for the server.
func (*XDSCreds) Build ¶
func (x *XDSCreds) Build(config json.RawMessage) (credentials.Bundle, error)
func (*XDSCreds) NewWithMode ¶
func (x *XDSCreds) NewWithMode(mode string) (credentials.Bundle, error)
func (*XDSCreds) PerRPCCredentials ¶
func (x *XDSCreds) PerRPCCredentials() credentials.PerRPCCredentials
func (*XDSCreds) TransportCredentials ¶
func (x *XDSCreds) TransportCredentials() credentials.TransportCredentials
Source Files