
package bootstrap

import "istio.io/istio/pilot/pkg/bootstrap"

Index

Package Files

certcontroller.go configcontroller.go istio_ca.go mesh.go monitoring.go multicluster.go options.go server.go servicecontroller.go sidecarinjector.go util.go validation.go webhook.go

Constants

const (
    // HTTPSHandlerReadyPath is the readiness-probe path served by the HTTPS handler
    // (by name, the webhook listener configured via DiscoveryServerOptions.HTTPSAddr —
    // confirm in server.go). It is a liveness/readiness signal only and carries no data.
    HTTPSHandlerReadyPath = "/httpsReady"
)

Variables

var (
    // KubernetesCAProvider and IstiodCAProvider name the two recognised CA providers
    // (presumably the values used to choose which CA signs workload certificates;
    // the selection logic is not in this listing — confirm in istio_ca.go).
    // NOTE(review): these are declared as var rather than const, so they are mutable
    // package-level state; consider const unless something assigns to them.
    KubernetesCAProvider = "kubernetes"
    IstiodCAProvider     = "istiod"
)
var (
    // LocalCertDir replaces the "cert-chain", "signing-cert" and "signing-key" flags in citadel - the Istio
    // installer requires a secret named "cacerts" with specific files inside.
    // The default ("./etc/cacerts") is a relative path, so it resolves against istiod's working
    // directory. Because this directory is expected to hold the CA signing key, it should be
    // mounted from a Secret with restrictive permissions rather than baked into the image.
    LocalCertDir = env.RegisterStringVar("ROOT_CA_DIR", "./etc/cacerts",
        "Location of a local or mounted CA root")

    // SelfSignedCACertTTL is the TTL of the self-signed CA root certificate (CITADEL_SELF_SIGNED_CA_CERT_TTL).
    // Only relevant when no "cacerts" root is supplied; the default comes from cmd.DefaultSelfSignedCACertTTL.
    SelfSignedCACertTTL = env.RegisterDurationVar("CITADEL_SELF_SIGNED_CA_CERT_TTL",
        cmd.DefaultSelfSignedCACertTTL,
        "The TTL of self-signed CA root certificate.")

    // ThirdPartyJWTPath is the well-known location of the projected K8S JWT. This is mounted on all workloads, as well as istiod.
    // Like LocalCertDir it is relative to the working directory. RunCA (below) only starts the
    // cert-signing service when this token is present, since without it pods cannot authenticate.
    ThirdPartyJWTPath = "./var/run/secrets/tokens/istio-token"
)
var (
    // DefaultPlugins is the default list of plugins to enable, when no plugin(s)
    // is specified through the command line.
    // NOTE(review): Authn and Authz are part of this default. A command-line override
    // that omits them presumably removes the corresponding authentication/authorization
    // behaviour from generated configuration — verify before trimming the plugin list
    // in a deployment.
    DefaultPlugins = []string{
        plugin.Authn,
        plugin.Authz,
        plugin.Health,
        plugin.Mixer,
    }
)
// PodNamespaceVar is the namespace this istiod instance runs in, read from POD_NAMESPACE;
// it defaults to the istio-system namespace constant.
var PodNamespaceVar = env.RegisterStringVar("POD_NAMESPACE", constants.IstioSystemNamespace, "")

// RevisionVar is the control-plane revision (e.g. "canary"), read from REVISION and used as
// the value of the "istio.io/rev" label; empty when no revision is set.
var RevisionVar = env.RegisterStringVar("REVISION", "", "")

RevisionVar is the value of the Istio control plane revision, e.g. "canary", and is the value used by the "istio.io/rev" label.

type CAOptions Uses

type CAOptions struct {
    // domain to use in SPIFFE identity URLs (spiffe://<TrustDomain>/...); it must
    // match the trust domain workloads are configured to accept, or their
    // certificates will not validate.
    TrustDomain string
    // Namespace the CA operates in; presumably istiod's own namespace
    // (PilotArgs.Namespace) — confirm at the RunCA call site.
    Namespace   string
}

type DiscoveryServerOptions Uses

type DiscoveryServerOptions struct {
    // The listening address for HTTP (debug). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    // NOTE(review): this is described as a plain-HTTP debug listener, so treat it as
    // unauthenticated: bind it to loopback or restrict it with network policy in production.
    HTTPAddr string

    // The listening address for HTTPS (webhooks). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    HTTPSAddr string

    // The listening address for gRPC. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    GRPCAddr string

    // The listening address for the monitoring port. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    MonitoringAddr string

    // EnableProfiling turns on profiling endpoints (by name, pprof — presumably served on
    // the HTTP debug listener; confirm in server.go). Profiles expose internals and cost
    // CPU, so leave this off outside debugging sessions.
    EnableProfiling bool

    // Optional TLS configuration (certificate, key and CA file paths; see TLSOptions).
    TLSOptions TLSOptions
}

DiscoveryServerOptions contains the options used to create a new discovery server instance.

type InjectionOptions Uses

type InjectionOptions struct {
    // Directory of injection related config files (the sidecar injector's
    // templates and settings). Contents of this directory end up in injected pod
    // specs, so it should be writable only by the installer.
    InjectionDirectory string
}

type MCPOptions Uses

type MCPOptions struct {
    // MaxMessageSize is the largest message accepted, in bytes (presumably the gRPC
    // max-receive-size for the MCP connection — confirm in configcontroller.go).
    MaxMessageSize        int
    // InitialWindowSize is the per-stream flow-control window (gRPC/HTTP2 semantics assumed).
    InitialWindowSize     int
    // InitialConnWindowSize is the per-connection flow-control window.
    InitialConnWindowSize int
}

type PilotArgs Uses

type PilotArgs struct {
    // ServerOptions holds the listener addresses and TLS settings (see DiscoveryServerOptions).
    ServerOptions      DiscoveryServerOptions
    // InjectionOptions locates the sidecar-injection configuration.
    InjectionOptions   InjectionOptions
    // PodName and Namespace identify this istiod pod; Namespace presumably
    // defaults from PodNamespaceVar — confirm in NewPilotArgs.
    PodName            string
    Namespace          string
    // Revision is the control-plane revision (see RevisionVar).
    Revision           string
    // MeshConfigFile and NetworksConfigFile are paths to the mesh and networks
    // configuration files.
    MeshConfigFile     string
    NetworksConfigFile string
    // RegistryOptions configures the service/config registries (see RegistryOptions).
    RegistryOptions    RegistryOptions
    // CtrlZOptions configures ControlZ introspection. NOTE(review): if it exposes a
    // UI/port, keep it loopback-only in production — confirm ctrlz binding defaults.
    CtrlZOptions       *ctrlz.Options
    // Plugins is the plugin list; when none are given on the command line,
    // DefaultPlugins is used instead.
    Plugins            []string
    // MCPOptions tunes the MCP connection (see MCPOptions).
    MCPOptions         MCPOptions
    // KeepaliveOptions configures gRPC keepalive behaviour.
    KeepaliveOptions   *keepalive.Options
    // ShutdownDuration bounds how long graceful shutdown may take.
    ShutdownDuration   time.Duration
}

PilotArgs provides all of the configuration parameters for the Pilot discovery service.

func NewPilotArgs Uses

func NewPilotArgs(initFuncs ...func(*PilotArgs)) *PilotArgs

NewPilotArgs constructs a PilotArgs with default values; each of the optional initFuncs is then given the struct to customize it.

type RegistryOptions Uses

type RegistryOptions struct {
    // If FileDir is set, the below kubernetes options are ignored and CRD yaml
    // files in that directory are watched instead (testing only; see the type comment).
    FileDir string

    // Registries lists the service registries to enable (Kubernetes and Consul
    // are the ones configured below).
    Registries []string

    // Kubernetes controller options
    KubeOptions kubecontroller.Options
    // ClusterRegistriesNamespace specifies where the multi-cluster secret resides.
    // NOTE(review): that secret presumably carries credentials for remote clusters;
    // RBAC on this namespace should be correspondingly tight.
    ClusterRegistriesNamespace string
    // KubeConfig is the path to a kubeconfig file; an empty value presumably means
    // in-cluster configuration — confirm in kubecontroller.
    KubeConfig                 string

    // Consul options
    ConsulServerAddr string

    // DistributionCacheRetention controls how long distribution-tracking
    // entries are retained.
    DistributionCacheRetention time.Duration

    // DistributionTrackingEnabled toggles distribution tracking.
    DistributionTrackingEnabled bool
}

RegistryOptions provide configuration options for the configuration controller. If FileDir is set, that directory will be monitored for CRD yaml files and will update the controller as those files change (This is used for testing purposes). Otherwise, a CRD client is created based on the configuration.

type Server Uses

type Server struct {
    // MonitorListeningAddr is the address the monitoring listener is bound to
    // (useful when MonitoringAddr asked for port 0 and one was auto-chosen).
    MonitorListeningAddr net.Addr

    // TODO(nmittler): Consider alternatives to exposing these directly
    EnvoyXdsServer *xds.DiscoveryServer

    // ConfigStores are the config caches feeding the discovery server.
    ConfigStores []model.ConfigStoreCache

    // HTTPListener serves the debug endpoints; GRPCListener and SecureGrpcListener
    // serve gRPC without and with transport security respectively. NOTE(review):
    // GRPCListener carries no TLS, so it should not be reachable from untrusted
    // networks — presumably SecureGrpcListener is the one intended for off-host
    // clients; confirm in server.go.
    HTTPListener       net.Listener
    GRPCListener       net.Listener
    SecureGrpcListener net.Listener

    // DNSListener and IstioDNSServer back the optional in-process DNS server.
    DNSListener    net.Listener
    IstioDNSServer *dns.IstioDNS

    // CA is the in-process certificate authority; presumably nil unless
    // EnableCA() reports true — confirm before dereferencing.
    CA  *ca.IstioCA
    // contains filtered or unexported fields
}

Server contains the runtime configuration for the Pilot discovery service.

func NewServer Uses

func NewServer(args *PilotArgs) (*Server, error)

NewServer creates a new Server instance based on the provided arguments.

func (*Server) EnableCA Uses

func (s *Server) EnableCA() bool

EnableCA reports whether CA functionality is enabled in istiod. Its logic mirrors the gating used by RunCA; it was moved out of RunCA into EnableCA() so that there is a single, consistent place to ask whether the CA is enabled, since EnableCA() is called in multiple places.

func (*Server) RunCA Uses

func (s *Server) RunCA(grpc *grpc.Server, ca caserver.CertificateAuthority, opts *CAOptions)

RunCA starts the cert-signing gRPC service on an existing server. It is gated by installer options: the CA is started only if the projected JWT token under /var/run/secrets (see ThirdPartyJWTPath) is mounted. If it is missing — for example on old versions of Kubernetes that don't support such tokens — the cert-signing server is not started, since pods would have no way to authenticate to it.

func (*Server) ServiceController Uses

func (s *Server) ServiceController() *aggregate.Controller

func (*Server) Start Uses

func (s *Server) Start(stop <-chan struct{}) error

Start starts all components of the Pilot discovery service on the addresses specified in DiscoveryServerOptions. If a port is 0, a port number is automatically chosen. Content serving is started by this method but runs asynchronously; serving can be cancelled at any time by closing the provided stop channel.

func (*Server) WaitUntilCompletion Uses

func (s *Server) WaitUntilCompletion()

WaitUntilCompletion waits for everything marked as a "required termination" to complete. This should be called before exiting.

type TLSOptions Uses

type TLSOptions struct {
    // CaCertFile is the path to a PEM CA certificate (by name, the trust root
    // published or used for verification — which one is decided in server.go; confirm).
    CaCertFile string
    // CertFile is the path to the PEM server certificate presented by istiod.
    CertFile   string
    // KeyFile is the path to the private key matching CertFile. Treat it as a
    // secret: mount it from a Secret with restrictive permissions, since anything
    // with filesystem access to the istiod pod can read it. When these paths are
    // empty the server presumably falls back to istiod-issued certificates — confirm.
    KeyFile    string
}

TLSOptions holds the optional TLS parameters (certificate, key and CA file paths) for the Istiod server.
