istio: istio.io/istio/pilot/pkg/bootstrap Index | Files

package bootstrap

import "istio.io/istio/pilot/pkg/bootstrap"

Index

Package Files

certcontroller.go configcontroller.go istio_ca.go mesh.go monitoring.go multicluster.go namespacecontroller.go options.go server.go servicecontroller.go sidecarinjector.go util.go validation.go webhook.go

Constants

const (

    // The name of the ConfigMap in each namespace storing the root cert of non-Kube CA.
    CACertNamespaceConfigMap = "istio-ca-root-cert"
)

Variables

var (
    KubernetesCAProvider = "kubernetes"
    IstiodCAProvider     = "istiod"
)
var (
    // LocalCertDir replaces the "cert-chain", "signing-cert" and "signing-key" flags in citadel - Istio installer is
    // requires a secret named "cacerts" with specific files inside.
    LocalCertDir = env.RegisterStringVar("ROOT_CA_DIR", "./etc/cacerts",
        "Location of a local or mounted CA root")

    SelfSignedCACertTTL = env.RegisterDurationVar("CITADEL_SELF_SIGNED_CA_CERT_TTL",
        cmd.DefaultSelfSignedCACertTTL,
        "The TTL of self-signed CA root certificate.")

    // ThirdPartyJWTPath is the well-known location of the projected K8S JWT. This is mounted on all workloads, as well as istiod.
    ThirdPartyJWTPath = "./var/run/secrets/tokens/istio-token"
)
var (
    // FilepathWalkInterval dictates how often the file system is walked for config
    FilepathWalkInterval = 100 * time.Millisecond

    // PilotCertDir is the default location for mTLS certificates used by pilot
    // Visible for tests - at runtime can be set by PILOT_CERT_DIR environment variable.
    PilotCertDir = "/etc/certs/"

    // DefaultPlugins is the default list of plugins to enable, when no plugin(s)
    // is specified through the command line
    DefaultPlugins = []string{
        plugin.Authn,
        plugin.Authz,
        plugin.Health,
        plugin.Mixer,
    }
)
var PodNamespaceVar = env.RegisterStringVar("POD_NAMESPACE", "istio-system", "")

type CAOptions Uses

type CAOptions struct {
    // domain to use in SPIFFE identity URLs
    TrustDomain string
    Namespace   string
}

type ConfigArgs Uses

type ConfigArgs struct {
    ControllerOptions          kubecontroller.Options
    ClusterRegistriesNamespace string
    KubeConfig                 string
    FileDir                    string

    // DistributionTracking control
    DistributionCacheRetention time.Duration

    DisableInstallCRDs bool

    // DistributionTracking control
    DistributionTrackingEnabled bool
}

ConfigArgs provide configuration options for the configuration controller. If FileDir is set, that directory will be monitored for CRD yaml files and will update the controller as those files change (This is used for testing purposes). Otherwise, a CRD client is created based on the configuration.

type ConsulArgs Uses

type ConsulArgs struct {
    ServerURL string
}

ConsulArgs provides configuration for the Consul service registry.

type DiscoveryServiceOptions Uses

type DiscoveryServiceOptions struct {
    // The listening address for HTTP (debug). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    HTTPAddr string

    // The listening address for HTTPS (webhooks). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    HTTPSAddr string

    // The listening address for GRPC. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    GrpcAddr string

    // The listening address for the monitoring port. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
    // a port number is automatically chosen.
    MonitoringAddr string

    EnableProfiling bool
}

DiscoveryServiceOptions contains options for create a new discovery service instance.

type InjectionOptions Uses

type InjectionOptions struct {
    // Directory of injection related config files.
    InjectionDirectory string
}

type MCPOptions Uses

type MCPOptions struct {
    MaxMessageSize        int
    InitialWindowSize     int
    InitialConnWindowSize int
}

type MeshArgs Uses

type MeshArgs struct {
    ConfigFile string
    // Used for test
    MixerAddress string
}

MeshArgs provide configuration options for the mesh. If ConfigFile is provided, an attempt will be made to load the mesh from the file. Otherwise, a default mesh will be used with optional overrides.

type NamespaceController Uses

type NamespaceController struct {
    // contains filtered or unexported fields
}

NamespaceController manages reconciles a configmap in each namespace with a desired set of data.

func NewNamespaceController Uses

func NewNamespaceController(data func() map[string]string, kubeClient kubernetes.Interface) *NamespaceController

NewNamespaceController returns a pointer to a newly constructed NamespaceController instance.

func (*NamespaceController) Run Uses

func (nc *NamespaceController) Run(stopCh <-chan struct{})

Run starts the NamespaceController until a value is sent to stopCh.

type PilotArgs Uses

type PilotArgs struct {
    DiscoveryOptions   DiscoveryServiceOptions
    InjectionOptions   InjectionOptions
    PodName            string
    Namespace          string
    Revision           string
    ServiceAccountName string
    Mesh               MeshArgs
    Config             ConfigArgs
    Service            ServiceArgs
    MeshConfig         *meshconfig.MeshConfig
    NetworksConfigFile string
    CtrlZOptions       *ctrlz.Options
    Plugins            []string
    MCPOptions         MCPOptions
    KeepaliveOptions   *istiokeepalive.Options
    // ForceStop is set as true when used for testing to make the server stop quickly
    ForceStop bool
}

PilotArgs provides all of the configuration parameters for the Pilot discovery service.

func NewPilotArgs Uses

func NewPilotArgs(initFuncs ...func(*PilotArgs)) *PilotArgs

NewPilotArgs constructs pilotArgs with default values.

type Server Uses

type Server struct {
    MonitorListeningAddr net.Addr

    // TODO(nmittler): Consider alternatives to exposing these directly
    EnvoyXdsServer *envoyv2.DiscoveryServer

    ConfigStores []model.ConfigStoreCache

    HTTPListener    net.Listener
    GRPCListener    net.Listener
    GRPCDNSListener net.Listener
    // contains filtered or unexported fields
}

Server contains the runtime configuration for the Pilot discovery service.

func NewServer Uses

func NewServer(args *PilotArgs) (*Server, error)

NewServer creates a new Server instance based on the provided arguments.

func (*Server) EnableCA Uses

func (s *Server) EnableCA() bool

EnableCA returns whether CA functionality is enabled in istiod. The logic of this function is from the logic of whether running CA in RunCA(). The reason for moving this logic from RunCA into EnableCA() is to have a central consistent endpoint to get whether CA functionality is enabled in istiod. EnableCA() is called in multiple places.

func (*Server) RunCA Uses

func (s *Server) RunCA(grpc *grpc.Server, ca caserver.CertificateAuthority, opts *CAOptions, stopCh <-chan struct{})

RunCA will start the cert signing GRPC service on an existing server. Protected by installer options: the CA will be started only if the JWT token in /var/run/secrets is mounted. If it is missing - for example old versions of K8S that don't support such tokens - we will not start the cert-signing server, since pods will have no way to authenticate.

func (*Server) ServiceController Uses

func (s *Server) ServiceController() *aggregate.Controller

func (*Server) Start Uses

func (s *Server) Start(stop <-chan struct{}) error

Start starts all components of the Pilot discovery service on the port specified in DiscoveryServiceOptions. If Port == 0, a port number is automatically chosen. Content serving is started by this method, but is executed asynchronously. Serving can be canceled at any time by closing the provided stop channel.

func (*Server) WaitUntilCompletion Uses

func (s *Server) WaitUntilCompletion()

WaitUntilCompletion waits for everything marked as a "required termination" to complete. This should be called before exiting.

type ServiceArgs Uses

type ServiceArgs struct {
    Registries []string
    Consul     ConsulArgs
}

ServiceArgs provides the composite configuration for all service registries in the system.

Package bootstrap imports 97 packages (graph) and is imported by 7 packages. Updated 2020-03-30. Refresh now. Tools for package owners.