istio: istio.io/istio/pilot/pkg/security/model Index | Files

package model

import "istio.io/istio/pilot/pkg/security/model"

Index

Package Files

authentication.go log.go trace.go

Constants

// Constants for SDS (secret discovery service) resources, Kubernetes service
// account token locations, and authentication filter names.
const (
    // SDSStatPrefix is the human-readable prefix under which statistics
    // for the SDS service are emitted.
    SDSStatPrefix = "sdsstat"

    // SDSClusterName names the cluster used for SDS connections.
    SDSClusterName = "sds-grpc"

    // SDSDefaultResourceName is the default resource name in the SDS
    // config; it is the name used when fetching the normal key/cert.
    SDSDefaultResourceName = "default"

    // SDSRootResourceName is the SDS config resource name for the root CA;
    // it is the name used when fetching the root cert.
    SDSRootResourceName = "ROOTCA"

    // K8sSAJwtFileName is the volume-mounted file that holds the k8s
    // service account JWT.
    // NOTE(review): the file content is a bearer credential; keep it out of
    // logs and restrict who can read the mount.
    K8sSAJwtFileName = "/var/run/secrets/kubernetes.io/serviceaccount/token"

    // K8sSATrustworthyJwtFileName is the volume-mounted file that holds the
    // k8s "trustworthy" JWT.
    // NOTE(review): presumably a projected, audience- and time-bound token;
    // confirm against the pod's volume spec.
    K8sSATrustworthyJwtFileName = "/var/run/secrets/tokens/istio-token"

    // FileBasedMetadataPlugName is the name of the file-based metadata
    // credentials plugin.
    FileBasedMetadataPlugName = "envoy.grpc_credentials.file_based_metadata"

    // K8sSAJwtTokenHeaderKey is the request header key that carries the k8s
    // JWT. The name of a binary header must end in "-bin", per
    // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
    K8sSAJwtTokenHeaderKey = "istio_sds_credentials_header-bin"

    // IngressGatewaySdsUdsPath is the Unix domain socket path the ingress
    // gateway uses to obtain credentials via SDS.
    // NOTE(review): access to this socket presumably allows requesting
    // credentials; verify the socket's filesystem permissions.
    IngressGatewaySdsUdsPath = "unix:/var/run/ingress_gateway/sds"

    // SdsCaSuffix is appended to an SDS resource name to form the root CA
    // resource name.
    SdsCaSuffix = "-cacert"

    // IstioJwtFilterName is the name of the Istio JWT filter. It must stay
    // in sync with the name defined in
    // https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/http_filter_factory.cc#L50
    IstioJwtFilterName = "jwt-auth"

    // EnvoyJwtFilterName is the name of the Envoy JWT filter. It must stay
    // in sync with the name defined in
    // https://github.com/envoyproxy/envoy/blob/v1.9.1/source/extensions/filters/http/well_known_names.h#L48
    EnvoyJwtFilterName = "envoy.filters.http.jwt_authn"

    // AuthnFilterName is the name of the Istio AuthN filter. It must stay
    // in sync with the name defined in
    // https://github.com/istio/proxy/blob/master/src/envoy/http/authn/http_filter_factory.cc#L30
    AuthnFilterName = "istio_authn"
)

func ConstructSdsSecretConfig Uses

func ConstructSdsSecretConfig(name, sdsUdsPath string) *auth.SdsSecretConfig

ConstructSdsSecretConfig constructs SDS Secret Configuration for workload proxy.

func ConstructSdsSecretConfigWithCustomUds Uses

func ConstructSdsSecretConfigWithCustomUds(name, sdsUdsPath string) *auth.SdsSecretConfig

ConstructSdsSecretConfigWithCustomUds constructs SDS secret configuration for ingress gateway.

func ConstructValidationContext Uses

func ConstructValidationContext(rootCAFilePath string, subjectAltNames []string) *auth.CommonTlsContext_ValidationContext

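ConstructValidationContext constructs the ValidationContext in CommonTLSContext from a root CA file path and a list of subject alternative names. This page does not show how an empty subjectAltNames list is handled; confirm whether peer SAN matching is skipped in that case, since the context would then presumably accept any certificate that chains to the root CA.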

func ConstructgRPCCallCredentials Uses

func ConstructgRPCCallCredentials(tokenFileName, headerKey string) []*core.GrpcService_GoogleGrpc_CallCredentials

ConstructgRPCCallCredentials constructs the gRPC call credentials used in the SDS config, which is only available from 1.1.

type TraceConfig Uses

// TraceConfig holds the trace sampling settings. Every field is a
// percentage in the range 0.0 to 100.0.
type TraceConfig struct {
    ClientSampling, RandomSampling, OverallSampling float64
}

TraceConfig values are percentages in the range 0.0 to 100.0.

func GetTraceConfig Uses

func GetTraceConfig() TraceConfig

GetTraceConfig returns configured TraceConfig
