
package bootstrap

import ""


Package Files

certcontroller.go configcontroller.go istio_ca.go mesh.go monitoring.go options.go server.go servicecontroller.go sidecarinjector.go util.go validation.go webhook.go


const (
    HTTPSHandlerReadyPath = "/httpsReady"


var (
    KubernetesCAProvider = "kubernetes"
    IstiodCAProvider     = "istiod"
var (
    // LocalCertDir replaces the "cert-chain", "signing-cert" and "signing-key" flags in citadel - the Istio installer
    // requires a secret named "cacerts" with specific files inside.
    LocalCertDir = env.RegisterStringVar("ROOT_CA_DIR", "./etc/cacerts",
        "Location of a local or mounted CA root")

    SelfSignedCACertTTL = env.RegisterDurationVar("CITADEL_SELF_SIGNED_CA_CERT_TTL",
        "The TTL of self-signed CA root certificate.")

    // ThirdPartyJWTPath is the well-known location of the projected K8S JWT. This is mounted on all workloads, as well as istiod.
    ThirdPartyJWTPath = "./var/run/secrets/tokens/istio-token"
var (
    // DefaultPlugins is the default list of plugins to enable, when no plugin(s)
    // is specified through the command line
    DefaultPlugins = []string{
var PodNamespaceVar = env.RegisterStringVar("POD_NAMESPACE", constants.IstioSystemNamespace, "")
var RevisionVar = env.RegisterStringVar("REVISION", "", "")

RevisionVar is the value of the Istio control plane revision, e.g. "canary", and is the value used by the control-plane revision label.

type ConfigSourceAddressScheme

type ConfigSourceAddressScheme string

ConfigSourceAddressScheme enumerates the URL schemes supported by the config store.

const (
    // fs:///PATH will load local files. This replaces --configDir.
    // example fs:///tmp/configroot
    // PATH can be mounted from a config map or volume
    File ConfigSourceAddressScheme = "fs"
    // xds://ADDRESS - load XDS-over-MCP sources
    // example xds://
    XDS ConfigSourceAddressScheme = "xds"
    // k8s:// - load in-cluster k8s controller
    // example k8s://
    Kubernetes ConfigSourceAddressScheme = "k8s"

type DiscoveryServerOptions

type DiscoveryServerOptions struct {
    // The listening address for HTTP (debug). If the port in the address is empty or "0" (as in "" or "[::1]:0")
    // a port number is automatically chosen.
    HTTPAddr string

    // The listening address for HTTPS (webhooks). If the port in the address is empty or "0" (as in "" or "[::1]:0")
    // a port number is automatically chosen.
    // If the address is empty, the secure port is disabled, and the
    // webhooks are registered on the HTTP port - a gateway in front will
    // terminate TLS instead. Only leave this empty when such a TLS-terminating
    // gateway is actually in place: with the secure port disabled, webhook
    // traffic reaches this process in plaintext on the HTTP port.
    HTTPSAddr string

    // The listening address for gRPC. If the port in the address is empty or "0" (as in "" or "[::1]:0")
    // a port number is automatically chosen.
    GRPCAddr string

    // The listening address for the monitoring port. If the port in the address is empty or "0" (as in "" or "[::1]:0")
    // a port number is automatically chosen.
    MonitoringAddr string

    EnableProfiling bool

    // Optional TLS configuration
    TLSOptions TLSOptions

    // The listening address for secured gRPC. If the port in the address is empty or "0" (as in "" or "[::1]:0")
    // a port number is automatically chosen.
    SecureGRPCAddr string

DiscoveryServerOptions contains the options used to create a new discovery server instance.

type InjectionOptions

type InjectionOptions struct {
    // Directory of injection related config files.
    InjectionDirectory string

type PilotArgs

type PilotArgs struct {
    ServerOptions      DiscoveryServerOptions
    InjectionOptions   InjectionOptions
    PodName            string
    Namespace          string
    Revision           string
    MeshConfigFile     string
    NetworksConfigFile string
    RegistryOptions    RegistryOptions
    CtrlZOptions       *ctrlz.Options
    Plugins            []string
    KeepaliveOptions   *keepalive.Options
    ShutdownDuration   time.Duration

PilotArgs provides all of the configuration parameters for the Pilot discovery service.

func NewPilotArgs

func NewPilotArgs(initFuncs ...func(*PilotArgs)) *PilotArgs

NewPilotArgs constructs pilotArgs with default values.

type RegistryOptions

type RegistryOptions struct {
    // If FileDir is set, the below kubernetes options are ignored
    FileDir string

    Registries []string

    // Kubernetes controller options
    KubeOptions kubecontroller.Options
    // ClusterRegistriesNamespace specifies where the multi-cluster secret resides
    ClusterRegistriesNamespace string
    KubeConfig                 string

    // DistributionTracking control
    DistributionCacheRetention time.Duration

    // DistributionTracking control
    DistributionTrackingEnabled bool

RegistryOptions provides configuration options for the configuration controller. If FileDir is set, that directory is monitored for CRD yaml files and the controller is updated as those files change (this is used for testing purposes). Otherwise, a CRD client is created based on the configuration.

type Server

type Server struct {
    XDSServer *xds.DiscoveryServer

    ConfigStores []model.ConfigStoreCache

    HTTPListener       net.Listener
    GRPCListener       net.Listener
    SecureGrpcListener net.Listener

    CA  *ca.IstioCA
    RA  ra.RegistrationAuthority
    // contains filtered or unexported fields

Server contains the runtime configuration for the Pilot discovery service.

func NewServer

func NewServer(args *PilotArgs) (*Server, error)

NewServer creates a new Server instance based on the provided arguments.

func (*Server) EnableCA

func (s *Server) EnableCA() bool

EnableCA reports whether CA functionality is enabled in istiod. Its logic mirrors the condition RunCA() uses to decide whether to run the CA; it was moved out of RunCA into EnableCA() so that there is a single, consistent place to ask whether the CA is enabled, since EnableCA() is called from multiple places.

func (*Server) RunCA

func (s *Server) RunCA(grpc *grpc.Server, ca caserver.CertificateAuthority, opts *caOptions)

RunCA starts the cert-signing gRPC service on an existing server. It is gated by installer options: the CA is started only if the projected JWT token under /var/run/secrets is mounted. If it is missing - for example on old versions of Kubernetes that don't support such tokens - the cert-signing server is not started, since pods would then have no credential with which to authenticate their signing requests.

func (*Server) ServiceController

func (s *Server) ServiceController() *aggregate.Controller

func (*Server) Start

func (s *Server) Start(stop <-chan struct{}) error

Start starts all components of the Pilot discovery service on the ports specified in DiscoveryServerOptions. If a port is 0, a port number is automatically chosen. Content serving is started by this method but executed asynchronously; serving can be canceled at any time by closing the provided stop channel.

func (*Server) WaitUntilCompletion

func (s *Server) WaitUntilCompletion()

WaitUntilCompletion waits for everything marked as a "required termination" to complete. This should be called before exiting.

type TLSOptions

type TLSOptions struct {
    CaCertFile string
    CertFile   string
    KeyFile    string

TLSOptions holds the optional TLS parameters for the Istiod server: a CA certificate file (CaCertFile) and the server's certificate and key files (CertFile, KeyFile).
