- Constants
- func ApplyDefaultBackendConfig(ctx context.Context, config *BackendConfig, defaultConfig *BackendConfig)
- func ApplyDefaultPathConfig(ctx context.Context, config *PathConfig, defaultConfig *PathConfig)
- func BackendConfigPath(dir string) string
- func Checksum(b []byte) []byte
- func ConfigPath(dir string) string
- func CreateTLSCertPath(dir, name string) string
- func CreateTLSKeyPath(dir, name string) string
- func CreateTLSOCSPRespPath(dir, name string) string
- func FixupBackendConfig(ctx context.Context, config *BackendConfig)
- func FixupPathConfig(ctx context.Context, config *PathConfig)
- func GenerateCryptoKey(out, info []byte) error
- func MkdirAll(path string) error
- func MrubyRbPath(dir string) string
- func NewInitialQUICKeyingMaterials() ([]byte, error)
- func NewInitialTLSTicketKey() ([]byte, error)
- func NewQUICKeyingMaterial() ([]byte, error)
- func NewTLSTicketKey() ([]byte, error)
- func NormalizePEM(data []byte) ([]byte, error)
- func ReadConfig(ingConfig *IngressConfig, config *corev1.ConfigMap)
- func ReadLeafCertificate(certPEM []byte) (*x509.Certificate, error)
- func SortTLSCred(creds []*TLSCred)
- func TLSCredCompare(a, b *TLSCred) int
- func TLSCredShareSamePaths(a, b *TLSCred) bool
- func UpdateQUICKeyingMaterials(km []byte) ([]byte, error)
- func UpdateQUICKeyingMaterialsFunc(km []byte, newKeyingMaterialFunc func() ([]byte, error)) ([]byte, error)
- func UpdateTLSTicketKey(ticketKey []byte) ([]byte, error)
- func UpdateTLSTicketKeyFunc(ticketKey []byte, newTLSTicketKeyFunc func() ([]byte, error)) ([]byte, error)
- func VerifyCertificate(ctx context.Context, cert *x509.Certificate, currentTime time.Time) error
- func VerifyQUICKeyingMaterials(km []byte) error
- func VerifyTLSTicketKey(ticketKey []byte) error
- func WriteFile(path string, content []byte) error
- type Affinity
- type AffinityCookieSecure
- type AffinityCookieStickiness
- type Backend
- type BackendConfig
- func (pbc *BackendConfig) GetDNS() bool
- func (pbc *BackendConfig) GetProto() Protocol
- func (pbc *BackendConfig) GetSNI() string
- func (pbc *BackendConfig) GetTLS() bool
- func (pbc *BackendConfig) GetWeight() uint32
- func (pbc *BackendConfig) SetDNS(dns bool)
- func (pbc *BackendConfig) SetProto(proto Protocol)
- func (pbc *BackendConfig) SetSNI(sni string)
- func (pbc *BackendConfig) SetTLS(tls bool)
- func (pbc *BackendConfig) SetWeight(weight uint32)
- type BackendConfigMapper
- type BackendConfigMapping
- type ChecksumFile
- type IngressConfig
- type LoadBalancer
- type LoadBalancerConfig
- type PathConfig
- func (pc *PathConfig) GetAffinity() Affinity
- func (pc *PathConfig) GetAffinityCookieName() string
- func (pc *PathConfig) GetAffinityCookiePath() string
- func (pc *PathConfig) GetAffinityCookieSecure() AffinityCookieSecure
- func (pc *PathConfig) GetAffinityCookieStickiness() AffinityCookieStickiness
- func (pc *PathConfig) GetDoNotForward() bool
- func (pc *PathConfig) GetMruby() string
- func (pc *PathConfig) GetReadTimeout() *metav1.Duration
- func (pc *PathConfig) GetRedirectIfNotTLS() bool
- func (pc *PathConfig) GetWriteTimeout() *metav1.Duration
- func (pc *PathConfig) SetAffinity(affinity Affinity)
- func (pc *PathConfig) SetAffinityCookieName(affinityCookieName string)
- func (pc *PathConfig) SetAffinityCookiePath(affinityCookiePath string)
- func (pc *PathConfig) SetAffinityCookieSecure(affinityCookieSecure AffinityCookieSecure)
- func (pc *PathConfig) SetAffinityCookieStickiness(affinityCookieStickiness AffinityCookieStickiness)
- func (pc *PathConfig) SetDoNotForward(b bool)
- func (pc *PathConfig) SetMruby(mruby string)
- func (pc *PathConfig) SetReadTimeout(readTimeout metav1.Duration)
- func (pc *PathConfig) SetRedirectIfNotTLS(b bool)
- func (pc *PathConfig) SetWriteTimeout(writeTimeout metav1.Duration)
- type PathConfigMapper
- type PathConfigMapping
- type PrivateChecksumFile
- type Protocol
- type ServerReloader
- type TLSCred
- type Upstream
Constants ¶
const (
	// QUICKeyingMaterialsSize is the size, in bytes, of the QUIC keying materials in binary form.
	QUICKeyingMaterialsSize = 68
	// QUICKeyingMaterialsEncodedSize is the size of the QUIC keying materials in hex-encoded form
	// (two hex characters per byte).
	QUICKeyingMaterialsEncodedSize = QUICKeyingMaterialsSize * 2
)
const (
	// TLSTicketKeySize is the length, in bytes, of a TLS ticket key. 48 is the size required for
	// the default AES-128-CBC ticket cipher.
	TLSTicketKeySize = 48
	// MaxTLSTicketKeyNum is the maximum number of TLS ticket keys retained in a Secret. Only the
	// first key is used to encrypt new tickets (see UpdateTLSTicketKeyFunc); the older keys are
	// presumably retained so that tickets issued under them can still be decrypted, so this count
	// bounds how long an old key stays usable after rotation — confirm against nghttpx's handling.
	MaxTLSTicketKeyNum = 12
)
const (
	// NghttpxExtraConfigKey is the ConfigMap key holding extra nghttpx configuration. Its value is
	// handed to nghttpx in the format accepted by --conf, so whoever can write this key can set
	// arbitrary nghttpx directives; treat write access to the ConfigMap as control of the proxy.
	NghttpxExtraConfigKey = "nghttpx-conf"
	// NghttpxMrubyFileContentKey is the ConfigMap key holding an mruby script. The script is saved
	// to disk and referenced from the nghttpx configuration via mruby-file, i.e. it is code that
	// nghttpx loads; the same access caveat as for NghttpxExtraConfigKey applies.
	NghttpxMrubyFileContentKey = "nghttpx-mruby-file-content"
)
Functions ¶
func ApplyDefaultBackendConfig ¶ added in v0.54.0
func ApplyDefaultBackendConfig(ctx context.Context, config *BackendConfig, defaultConfig *BackendConfig)
ApplyDefaultBackendConfig applies default field value specified in defaultConfig to config if a corresponding field is missing.
func ApplyDefaultPathConfig ¶ added in v0.33.0
func ApplyDefaultPathConfig(ctx context.Context, config *PathConfig, defaultConfig *PathConfig)
func BackendConfigPath ¶ added in v0.50.0
BackendConfigPath returns the path to nghttpx backend configuration file.
func ConfigPath ¶ added in v0.50.0
ConfigPath returns the path to nghttpx configuration file.
func CreateTLSCertPath ¶ added in v0.19.0
CreateTLSCertPath returns the TLS certificate file path for name under dir. NOTE(review): name is embedded in a filesystem path; confirm that the callers' source of name cannot contain path separators or `..`, or sanitize it here.
func CreateTLSKeyPath ¶ added in v0.19.0
CreateTLSKeyPath returns the TLS private key file path for name under dir. NOTE(review): as with CreateTLSCertPath, name is embedded in a filesystem path; confirm it cannot contain path separators or `..`, since this path receives private key material.
func CreateTLSOCSPRespPath ¶ added in v0.24.0
CreateTLSOCSPRespPath returns TLS OCSP response file path.
func FixupBackendConfig ¶ added in v0.54.0
func FixupBackendConfig(ctx context.Context, config *BackendConfig)
FixupBackendConfig validates config, and fixes the invalid values inside it.
func FixupPathConfig ¶ added in v0.34.0
func FixupPathConfig(ctx context.Context, config *PathConfig)
FixupPathConfig validates config and fixes the invalid values inside it.
func GenerateCryptoKey ¶ added in v0.66.0
GenerateCryptoKey fills out with a cryptographic key of length len(out). info is optional context information; if the implementation binds the output to it (as an HKDF-style info parameter would), callers generating keys for different purposes should pass a distinct info per purpose so that the keys are not interchangeable — confirm against the implementation.
func MrubyRbPath ¶ added in v0.50.0
MrubyRbPath returns the path to nghttpx mruby.rb file.
func NewInitialQUICKeyingMaterials ¶ added in v0.66.0
func NewInitialTLSTicketKey ¶ added in v0.66.0
func NewQUICKeyingMaterial ¶ added in v0.52.0
NewQUICKeyingMaterial returns new QUIC keying material.
func NewTLSTicketKey ¶ added in v0.66.0
func NormalizePEM ¶ added in v0.47.0
NormalizePEM reads a series of PEM-encoded blocks and re-encodes them in PEM format to remove formatting anomalies.
func ReadConfig ¶ added in v0.18.0
func ReadConfig(ingConfig *IngressConfig, config *corev1.ConfigMap)
ReadConfig obtains the configuration defined by the user merged with the defaults.
func ReadLeafCertificate ¶ added in v0.64.0
func ReadLeafCertificate(certPEM []byte) (*x509.Certificate, error)
func SortTLSCred ¶ added in v0.68.0
func SortTLSCred(creds []*TLSCred)
SortTLSCred sorts creds in ascending order of Key.Path, Cert.Path, and OCSPResp.Path.
func TLSCredCompare ¶ added in v0.68.0
func TLSCredShareSamePaths ¶ added in v0.68.0
TLSCredShareSamePaths reports whether a and b share the same Key.Path, Cert.Path, and OCSPResp.Path.
func UpdateQUICKeyingMaterials ¶ added in v0.52.0
UpdateQUICKeyingMaterials calls UpdateQUICKeyingMaterialsFunc with NewQUICKeyingMaterial.
func UpdateQUICKeyingMaterialsFunc ¶ added in v0.66.0
func UpdateQUICKeyingMaterialsFunc(km []byte, newKeyingMaterialFunc func() ([]byte, error)) ([]byte, error)
UpdateQUICKeyingMaterialsFunc generates a new keying material via newKeyingMaterialFunc, rotates the keying materials, and returns the new set of QUIC keying materials. Callers must run VerifyQUICKeyingMaterials against km and ensure it succeeds before calling this function; the rotation described below assumes km is well-formed.
km must include at least 2 keying materials. The new keying material is placed last. Because the first keying material is the one used for encryption, the new material is not used for encryption immediately; it starts being used for encryption only after the next rotation, so that all controllers have seen it by then. The first 2 bits identify the key, therefore at most 4 keying materials can be retained; the oldest keying materials are discarded when the number of keys would exceed that limit.
The rotation works as follows:
1. Move the last keying material (which is the new keying material generated in the previous update) to the first position.
2. Discard the oldest keying materials if the number of keys exceeds 3.
3. Generate a new keying material and place it last.
func UpdateTLSTicketKey ¶ added in v0.66.0
func UpdateTLSTicketKeyFunc ¶ added in v0.66.0
func UpdateTLSTicketKeyFunc(ticketKey []byte, newTLSTicketKeyFunc func() ([]byte, error)) ([]byte, error)
UpdateTLSTicketKeyFunc generates a new key via newTLSTicketKeyFunc, rotates the keys, and returns the new TLS ticket key set. This function assumes that VerifyTLSTicketKey was called against ticketKey and succeeded; do not pass unverified input.
ticketKey must include at least 2 keys. The new key is placed last. Because the first key is the one used for encryption, the new key is not used for encryption immediately; it starts encrypting TLS tickets only after the next rotation, so that all controllers have seen it by then. At most MaxTLSTicketKeyNum keys, including the new key, are retained; the oldest keys are discarded if the number of keys exceeds MaxTLSTicketKeyNum.
The rotation works as follows:
1. Move the last key (which is the new key generated in the previous update) to the first position.
2. Discard the oldest keys if the number of keys exceeds MaxTLSTicketKeyNum - 1.
3. Generate a new key and place it last.
func VerifyCertificate ¶ added in v0.44.0
VerifyCertificate verifies cert as of currentTime. The time argument indicates the check covers at least the certificate's validity period; confirm in the implementation whether anything else (chain, key usage) is checked, since callers should not assume more than is verified here.
func VerifyQUICKeyingMaterials ¶ added in v0.52.0
VerifyQUICKeyingMaterials verifies that km is a well-formed set of QUIC keying materials.
func VerifyTLSTicketKey ¶ added in v0.66.0
Types ¶
type AffinityCookieSecure ¶ added in v0.28.0
// AffinityCookieSecure controls whether the Secure attribute is set on the session affinity cookie.
type AffinityCookieSecure string
const (
	// AffinityCookieSecureAuto indicates that the Secure attribute is set based on the underlying
	// protocol (presumably only when the client connection is TLS — confirm).
	AffinityCookieSecureAuto AffinityCookieSecure = "auto"
	// AffinityCookieSecureYes indicates that the Secure attribute is always set.
	AffinityCookieSecureYes AffinityCookieSecure = "yes"
	// AffinityCookieSecureNo indicates that the Secure attribute is never set, so the affinity
	// cookie may be sent by the client over cleartext HTTP.
	AffinityCookieSecureNo AffinityCookieSecure = "no"
)
type AffinityCookieStickiness ¶ added in v0.54.0
// AffinityCookieStickiness controls the stickiness of the session affinity cookie.
type AffinityCookieStickiness string
const (
	// AffinityCookieStickinessLoose indicates loose affinity cookie stickiness. The exact semantics
	// are defined by nghttpx's backend option and are not documented on this page.
	AffinityCookieStickinessLoose AffinityCookieStickiness = "loose"
	// AffinityCookieStickinessStrict indicates strict affinity cookie stickiness.
	AffinityCookieStickinessStrict AffinityCookieStickiness = "strict"
)
type Backend ¶ added in v0.54.0
// Backend describes a single server in an nghttpx upstream.
type Backend struct {
	// Address is the backend server address.
	Address string
	// Port is the backend server port.
	Port string
	// Protocol is the backend application protocol (see BackendConfig.Proto).
	Protocol Protocol
	// TLS is true if the connection to the backend requires TLS.
	TLS bool
	// SNI is the hostname sent as SNI on a TLS connection to the backend.
	SNI string
	// DNS is true if the backend hostname is resolved dynamically rather than only at start-up or
	// configuration reload.
	DNS bool
	// Group — not documented on this page; presumably names the backend group this server belongs
	// to. TODO confirm.
	Group string
	// Weight is the weight used for backend selection.
	Weight uint32
}
Backend describes a server in an nghttpx upstream
func NewDefaultBackend ¶ added in v0.54.0
func NewDefaultBackend() Backend
NewDefaultBackend returns a Backend to be used as the default server, which answers every request with 503.
type BackendConfig ¶ added in v0.54.0
// BackendConfig is the backend configuration obtained from an Ingress annotation, specified per
// Service port. Every field is a pointer so that an unset field (nil) can be filled from the
// default BackendConfig (see ApplyDefaultBackendConfig); FixupBackendConfig repairs invalid values.
type BackendConfig struct {
	// Proto is the backend application protocol. At the moment, this should be either ProtocolH2
	// or ProtocolH1.
	Proto *Protocol `json:"proto,omitempty"`
	// TLS is true if the connection to the backend requires TLS.
	TLS *bool `json:"tls,omitempty"`
	// SNI is the hostname sent as SNI on a TLS connection to the backend.
	SNI *string `json:"sni,omitempty"`
	// DNS is true if the backend hostname is resolved dynamically rather than only at start-up or
	// configuration reload.
	DNS *bool `json:"dns,omitempty"`
	// Weight is the weight used for backend selection.
	Weight *uint32 `json:"weight,omitempty"`
}
BackendConfig is a backend configuration obtained from ingress annotation, specified per service port
func (*BackendConfig) GetDNS ¶ added in v0.54.0
func (pbc *BackendConfig) GetDNS() bool
func (*BackendConfig) GetProto ¶ added in v0.54.0
func (pbc *BackendConfig) GetProto() Protocol
func (*BackendConfig) GetSNI ¶ added in v0.54.0
func (pbc *BackendConfig) GetSNI() string
func (*BackendConfig) GetTLS ¶ added in v0.54.0
func (pbc *BackendConfig) GetTLS() bool
func (*BackendConfig) GetWeight ¶ added in v0.54.0
func (pbc *BackendConfig) GetWeight() uint32
func (*BackendConfig) SetDNS ¶ added in v0.54.0
func (pbc *BackendConfig) SetDNS(dns bool)
func (*BackendConfig) SetProto ¶ added in v0.54.0
func (pbc *BackendConfig) SetProto(proto Protocol)
func (*BackendConfig) SetSNI ¶ added in v0.54.0
func (pbc *BackendConfig) SetSNI(sni string)
func (*BackendConfig) SetTLS ¶ added in v0.54.0
func (pbc *BackendConfig) SetTLS(tls bool)
func (*BackendConfig) SetWeight ¶ added in v0.54.0
func (pbc *BackendConfig) SetWeight(weight uint32)
type BackendConfigMapper ¶ added in v0.54.0
type BackendConfigMapper struct { DefaultBackendConfig *BackendConfig BackendConfigMapping BackendConfigMapping }
BackendConfigMapper is a convenient object for querying BackendConfig for given service and port.
func NewBackendConfigMapper ¶ added in v0.54.0
func NewBackendConfigMapper(defaultBackendConfig *BackendConfig, backendConfigMapping BackendConfigMapping) *BackendConfigMapper
NewBackendConfigMapper returns new BackendConfigMapper.
func (*BackendConfigMapper) ConfigFor ¶ added in v0.54.0
func (bcm *BackendConfigMapper) ConfigFor(ctx context.Context, svc, port string) *BackendConfig
ConfigFor returns BackendConfig for given svc and port. svc is Service name, and port is either a named Service port or a numeric port number.
type BackendConfigMapping ¶ added in v0.54.0
// BackendConfigMapping maps a Service to the BackendConfig of each of its ports. Going by
// BackendConfigMapper.ConfigFor, the outer key is presumably the Service name and the inner key
// the named or numeric port — confirm.
type BackendConfigMapping map[string]map[string]*BackendConfig
type ChecksumFile ¶ added in v0.19.0
ChecksumFile represents a file with path, its arbitrary content, and its checksum.
func CreatePerPatternMrubyChecksumFile ¶ added in v0.33.0
func CreatePerPatternMrubyChecksumFile(dir string, mruby []byte) *ChecksumFile
CreatePerPatternMrubyChecksumFile creates ChecksumFile for given mruby content.
func (*ChecksumFile) GetPath ¶ added in v0.68.0
func (c *ChecksumFile) GetPath() string
type IngressConfig ¶
// IngressConfig describes an nghttpx configuration as rendered by the controller.
type IngressConfig struct {
	// Upstreams are the upstreams (host/path patterns with their backends) to configure.
	Upstreams []*Upstream
	// TLS — whether TLS is enabled (presumably on the frontend; confirm).
	TLS bool
	// DefaultTLSCred is the default TLS credential (key, certificate, optional OCSP response).
	DefaultTLSCred *TLSCred
	// SubTLSCred are the additional TLS credentials beyond the default one.
	SubTLSCred []*TLSCred
	// https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-n
	// Workers is the number of worker threads.
	Workers int32
	// https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-worker-process-grace-shutdown-period
	// WorkerProcessGraceShutdownPeriod is the maximum period for an nghttpx worker process to
	// terminate gracefully.
	WorkerProcessGraceShutdownPeriod time.Duration
	// https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-max-worker-processes
	// MaxWorkerProcesses is the maximum number of nghttpx worker processes spawned across
	// configuration reloads.
	MaxWorkerProcesses int32
	// ExtraConfig is extra configuration in the format nghttpx accepts in --conf. It comes from the
	// ConfigMap (NghttpxExtraConfigKey) and may contain any nghttpx directive, so write access to
	// that ConfigMap is equivalent to control of the proxy configuration.
	ExtraConfig string
	// MrubyFile is the extra mruby script. It is saved in the container's disk space and referenced
	// from the configuration file via mruby-file, i.e. it is code that nghttpx loads. Its content
	// comes from the ConfigMap (NghttpxMrubyFileContentKey), so the same access caveat as for
	// ExtraConfig applies.
	MrubyFile *ChecksumFile
	// HealthzMruby is the mruby script that sets up the healthz endpoint. It is only enabled when a
	// deferred shutdown period is configured.
	HealthzMruby *ChecksumFile
	// HealthPort is the port of the health monitor endpoint.
	HealthPort int32
	// APIPort is the port of the nghttpx API endpoint. NOTE(review): this is a control surface;
	// confirm it is not reachable beyond the pod/network it is intended for.
	APIPort int32
	// ConfDir is the path to the directory that holds the nghttpx configuration files.
	ConfDir string
	// HTTPPort is the port to listen on for HTTP (non-TLS) requests.
	HTTPPort int32
	// HTTPSPort is the port to listen on for HTTPS (TLS) requests.
	HTTPSPort int32
	// FetchOCSPRespFromSecret is true if the OCSP response is taken from the TLS Secret.
	FetchOCSPRespFromSecret bool
	// ProxyProto toggles the PROXY protocol on all public-facing frontends. With it enabled the
	// client address carried in the PROXY header is trusted, so the frontends must only be
	// reachable through a trusted PROXY-speaking load balancer; otherwise clients can spoof their
	// source address.
	ProxyProto bool
	// HTTP3 enables HTTP/3.
	HTTP3 bool
	// QUICSecretFile is the file containing the QUIC keying materials. It is a PrivateChecksumFile:
	// its content is secret and must not be logged.
	QUICSecretFile *PrivateChecksumFile
	// ShareTLSTicketKey — not documented on this page; presumably controls whether the TLS ticket
	// keys in TLSTicketKeyFiles are shared across controller instances. TODO confirm.
	ShareTLSTicketKey bool
	// TLSTicketKeyFiles is the list of files that contain the TLS ticket keys. Each is a
	// PrivateChecksumFile: the content is secret and must not be logged.
	TLSTicketKeyFiles []*PrivateChecksumFile
}
IngressConfig describes an nghttpx configuration
type LoadBalancer ¶ added in v0.55.0
// LoadBalancer starts nghttpx and reloads its configuration on demand. It implements ServerReloader.
type LoadBalancer struct {
	// contains filtered or unexported fields
}
LoadBalancer starts nghttpx and reloads its configuration on demand. It implements ServerReloader.
func NewLoadBalancer ¶ added in v0.55.0
func NewLoadBalancer(config LoadBalancerConfig) (*LoadBalancer, error)
NewLoadBalancer creates new LoadBalancer.
func (*LoadBalancer) CheckAndReload ¶ added in v0.55.0
func (lb *LoadBalancer) CheckAndReload(ctx context.Context, ingressCfg *IngressConfig) (bool, error)
CheckAndReload checks whether the nghttpx configuration changed and if so, makes nghttpx reload its configuration.
The currently running nghttpx master process executes a new nghttpx with the new configuration. If that invocation succeeds, the current nghttpx shuts down gracefully. The invocation of the new process may fail, for example because the new configuration is invalid; the current process is then not shut down and presumably keeps serving with the old configuration.
type LoadBalancerConfig ¶ added in v0.55.0
type PathConfig ¶ added in v0.33.0
// PathConfig is per-pattern configuration obtained from an Ingress annotation, specified per host
// and path pattern. Every field is a pointer so that an unset field (nil) can be filled from the
// default PathConfig (see ApplyDefaultPathConfig); FixupPathConfig repairs invalid values.
type PathConfig struct {
	// Mruby is an mruby script for this pattern. It becomes a per-pattern file (see
	// CreatePerPatternMrubyChecksumFile and Upstream.Mruby) that nghttpx loads as code, so anyone
	// allowed to set this annotation on an Ingress can supply code the proxy runs; restrict Ingress
	// write access accordingly.
	Mruby *string `json:"mruby,omitempty"`
	// Affinity is the session affinity method nghttpx supports. See the affinity parameter of
	// nghttpx's backend option.
	Affinity *Affinity `json:"affinity,omitempty"`
	// AffinityCookieName is the name of the cookie used for cookie-based session affinity.
	AffinityCookieName *string `json:"affinityCookieName,omitempty"`
	// AffinityCookiePath is the Path attribute of the affinity cookie.
	AffinityCookiePath *string `json:"affinityCookiePath,omitempty"`
	// AffinityCookieSecure controls whether the Secure attribute is added to the affinity cookie;
	// without it the cookie may be sent over cleartext HTTP.
	AffinityCookieSecure *AffinityCookieSecure `json:"affinityCookieSecure,omitempty"`
	// AffinityCookieStickiness controls the stickiness of the affinity cookie.
	AffinityCookieStickiness *AffinityCookieStickiness `json:"affinityCookieStickiness,omitempty"`
	// ReadTimeout is the read timeout applied when this path is selected.
	ReadTimeout *metav1.Duration `json:"readTimeout,omitempty"`
	// WriteTimeout is the write timeout applied when this path is selected.
	WriteTimeout *metav1.Duration `json:"writeTimeout,omitempty"`
	// RedirectIfNotTLS, if true, redirects cleartext HTTP requests to HTTPS.
	RedirectIfNotTLS *bool `json:"redirectIfNotTLS,omitempty"`
	// DoNotForward, if true, does not forward requests to a backend.
	DoNotForward *bool `json:"doNotForward,omitempty"`
}
PathConfig is per-pattern configuration obtained from Ingress annotation, specified per host and path pattern.
func ResolvePathConfig ¶ added in v0.33.0
func ResolvePathConfig(host, path string, defaultPathConfig *PathConfig, pathConfig PathConfigMapping) *PathConfig
ResolvePathConfig returns a PathConfig which should be used for the pattern denoted by host and path.
func (*PathConfig) GetAffinity ¶ added in v0.33.0
func (pc *PathConfig) GetAffinity() Affinity
func (*PathConfig) GetAffinityCookieName ¶ added in v0.33.0
func (pc *PathConfig) GetAffinityCookieName() string
func (*PathConfig) GetAffinityCookiePath ¶ added in v0.33.0
func (pc *PathConfig) GetAffinityCookiePath() string
func (*PathConfig) GetAffinityCookieSecure ¶ added in v0.33.0
func (pc *PathConfig) GetAffinityCookieSecure() AffinityCookieSecure
func (*PathConfig) GetAffinityCookieStickiness ¶ added in v0.54.0
func (pc *PathConfig) GetAffinityCookieStickiness() AffinityCookieStickiness
func (*PathConfig) GetDoNotForward ¶ added in v0.51.0
func (pc *PathConfig) GetDoNotForward() bool
func (*PathConfig) GetMruby ¶ added in v0.33.0
func (pc *PathConfig) GetMruby() string
func (*PathConfig) GetReadTimeout ¶ added in v0.34.0
func (pc *PathConfig) GetReadTimeout() *metav1.Duration
func (*PathConfig) GetRedirectIfNotTLS ¶ added in v0.40.0
func (pc *PathConfig) GetRedirectIfNotTLS() bool
func (*PathConfig) GetWriteTimeout ¶ added in v0.34.0
func (pc *PathConfig) GetWriteTimeout() *metav1.Duration
func (*PathConfig) SetAffinity ¶ added in v0.33.0
func (pc *PathConfig) SetAffinity(affinity Affinity)
func (*PathConfig) SetAffinityCookieName ¶ added in v0.33.0
func (pc *PathConfig) SetAffinityCookieName(affinityCookieName string)
func (*PathConfig) SetAffinityCookiePath ¶ added in v0.33.0
func (pc *PathConfig) SetAffinityCookiePath(affinityCookiePath string)
func (*PathConfig) SetAffinityCookieSecure ¶ added in v0.33.0
func (pc *PathConfig) SetAffinityCookieSecure(affinityCookieSecure AffinityCookieSecure)
func (*PathConfig) SetAffinityCookieStickiness ¶ added in v0.54.0
func (pc *PathConfig) SetAffinityCookieStickiness(affinityCookieStickiness AffinityCookieStickiness)
func (*PathConfig) SetDoNotForward ¶ added in v0.51.0
func (pc *PathConfig) SetDoNotForward(b bool)
func (*PathConfig) SetMruby ¶ added in v0.33.0
func (pc *PathConfig) SetMruby(mruby string)
func (*PathConfig) SetReadTimeout ¶ added in v0.34.0
func (pc *PathConfig) SetReadTimeout(readTimeout metav1.Duration)
func (*PathConfig) SetRedirectIfNotTLS ¶ added in v0.40.0
func (pc *PathConfig) SetRedirectIfNotTLS(b bool)
func (*PathConfig) SetWriteTimeout ¶ added in v0.34.0
func (pc *PathConfig) SetWriteTimeout(writeTimeout metav1.Duration)
type PathConfigMapper ¶ added in v0.54.0
type PathConfigMapper struct { DefaultPathConfig *PathConfig PathConfigMapping PathConfigMapping }
PathConfigMapper is a convenient object for querying PathConfig for given host and path.
func NewPathConfigMapper ¶ added in v0.54.0
func NewPathConfigMapper(defaultPathConfig *PathConfig, pathConfigMapping PathConfigMapping) *PathConfigMapper
NewPathConfigMapper returns new PathConfigMapper.
func (*PathConfigMapper) ConfigFor ¶ added in v0.54.0
func (pcm *PathConfigMapper) ConfigFor(host, path string) *PathConfig
ConfigFor returns PathConfig for given host and path.
type PathConfigMapping ¶ added in v0.54.0
// PathConfigMapping maps a pattern to its PathConfig. Going by ResolvePathConfig(host, path, ...),
// the key is presumably derived from the host and path pattern — confirm.
type PathConfigMapping map[string]*PathConfig
type PrivateChecksumFile ¶ added in v0.52.0
// PrivateChecksumFile is a ChecksumFile whose content is private data (keys, keying materials)
// that must not be written to logs. It has its own MarshalJSON, which presumably redacts the
// content — confirm before relying on it.
type PrivateChecksumFile ChecksumFile
PrivateChecksumFile is a kind of ChecksumFile whose content is private data (keys and keying materials) that must not be written to logs or otherwise disclosed.
func CreateQUICSecretFile ¶ added in v0.52.0
func CreateQUICSecretFile(dir string, quicKeyingMaterials []byte) *PrivateChecksumFile
CreateQUICSecretFile creates given QUIC keying materials file.
func CreateTLSTicketKeyFiles ¶ added in v0.66.0
func CreateTLSTicketKeyFiles(dir string, ticketKey []byte) []*PrivateChecksumFile
CreateTLSTicketKeyFiles creates the TLS ticket key files. This function assumes that VerifyTLSTicketKey was called against ticketKey and succeeded.
func (PrivateChecksumFile) MarshalJSON ¶ added in v0.52.0
func (c PrivateChecksumFile) MarshalJSON() ([]byte, error)
type ServerReloader ¶ added in v0.55.0
// ServerReloader is the API used to start and update the underlying load balancer.
type ServerReloader interface {
	// Start starts an nghttpx process using the executable at path with the configuration file at
	// confPath, and waits for the process to finish. If ctx is canceled, it kills the nghttpx
	// process and returns.
	Start(ctx context.Context, path, confPath string) error
	// CheckAndReload checks whether the nghttpx configuration changed and, if so, makes nghttpx
	// reload its configuration. It returns true if a reload was required and was successfully
	// issued, and false if no reload was needed. On error it returns false and a non-nil error.
	CheckAndReload(ctx context.Context, ingressCfg *IngressConfig) (bool, error)
}
ServerReloader is the API to update underlying load balancer.
type TLSCred ¶
// TLSCred stores a TLS server private key, certificate and optionally an OCSP response, each as
// a file record (path, content, checksum).
type TLSCred struct {
	// Name identifies the credential.
	Name string
	// Key is the private key file. It is a PrivateChecksumFile, so its content must not be logged.
	Key PrivateChecksumFile
	// Cert is the certificate file (public data).
	Cert ChecksumFile
	// OCSPResp is the optional OCSP response file; nil when absent. The response must be DER encoded.
	OCSPResp *ChecksumFile
}
TLSCred stores the TLS server private key, the certificate, and optionally an OCSP response, each as a file record (path, content and checksum); the key is a PrivateChecksumFile and must not be logged. The OCSP response must be a DER-encoded byte string.
func CreateTLSCred ¶ added in v0.19.0
CreateTLSCred creates TLSCred for given private key and certificate. ocspResp is optional, and could be nil.
func RemoveDuplicateTLSCred ¶ added in v0.68.0
RemoveDuplicateTLSCred removes duplicates from creds, which share the same Key.Path, Cert.Path, and OCSPResp.Path. It assumes that creds are sorted by SortTLSCred.
type Upstream ¶
// Upstream describes an nghttpx upstream: one host/path pattern of an Ingress together with its
// backends and per-pattern settings (see PathConfig for the meaning of the affinity, timeout,
// redirect and forwarding fields).
type Upstream struct {
	// Name is the upstream name.
	Name string
	// Ingress is the Ingress object this upstream was generated from.
	Ingress types.NamespacedName
	// Host is the host pattern.
	Host string
	// Path is the path pattern.
	Path string
	// Backends are the servers of this upstream.
	Backends []Backend
	// RedirectIfNotTLS, if true, redirects cleartext HTTP requests to HTTPS for this pattern.
	RedirectIfNotTLS bool
	// Mruby is the per-pattern mruby script file, if any. It is code loaded by nghttpx and comes
	// from an Ingress annotation (see PathConfig.Mruby).
	Mruby *ChecksumFile
	// Affinity is the session affinity method.
	Affinity Affinity
	// AffinityCookieName is the name of the affinity cookie.
	AffinityCookieName string
	// AffinityCookiePath is the Path attribute of the affinity cookie.
	AffinityCookiePath string
	// AffinityCookieSecure controls the Secure attribute of the affinity cookie.
	AffinityCookieSecure AffinityCookieSecure
	// AffinityCookieStickiness controls the stickiness of the affinity cookie.
	AffinityCookieStickiness AffinityCookieStickiness
	// ReadTimeout is the read timeout for this pattern; nil when not configured.
	ReadTimeout *metav1.Duration
	// WriteTimeout is the write timeout for this pattern; nil when not configured.
	WriteTimeout *metav1.Duration
	// DoNotForward, if true, does not forward requests to a backend.
	DoNotForward bool
}
Upstream describes an nghttpx upstream