istio: istio.io/istio/pilot/pkg/security/model

package model

import "istio.io/istio/pilot/pkg/security/model"


Package Files

authentication.go

Constants

// Names used for the SDS (Secret Discovery Service) cluster and its statistics.
const (
	// SDSStatPrefix is the human-readable prefix used when emitting statistics for the SDS service.
	SDSStatPrefix = "sdsstat"

	// SDSClusterName is the name of the Envoy cluster over which SDS connections are made.
	SDSClusterName = "sds-grpc"
)

// Resource names the proxy requests from SDS.
const (
	// SDSDefaultResourceName is the default sdsconfig resource name, used to fetch the workload key/cert.
	SDSDefaultResourceName = "default"

	// SDSRootResourceName is the sdsconfig resource name for the root CA, used to fetch the root cert.
	SDSRootResourceName = "ROOTCA"

	// SdsCaSuffix is the suffix appended to an SDS resource name to address its root CA resource.
	SdsCaSuffix = "-cacert"
)

// Locations of the Kubernetes service-account JWTs and the header that carries one to SDS.
const (
	// K8sSAJwtFileName is the mount path of the default Kubernetes service-account JWT.
	K8sSAJwtFileName = "/var/run/secrets/kubernetes.io/serviceaccount/token"

	// K8sSATrustworthyJwtFileName is the mount path of the projected ("trustworthy")
	// Kubernetes service-account JWT.
	K8sSATrustworthyJwtFileName = "/var/run/secrets/tokens/istio-token"

	// K8sSAJwtTokenHeaderKey is the gRPC request metadata key under which the service-account
	// JWT (a bearer credential) is sent to the SDS server. gRPC requires binary metadata keys
	// to carry the "-bin" suffix; see https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
	K8sSAJwtTokenHeaderKey = "istio_sds_credentials_header-bin"
)

// GatewaySdsUdsPath is the Unix domain socket path an ingress gateway uses to obtain
// credentials via SDS. Note the leading "./": the path is relative and therefore resolves
// against the proxy's working directory rather than the filesystem root.
const GatewaySdsUdsPath = "unix:./var/run/ingress_gateway/sds"

// Well-known Envoy HTTP filter names; these must match the names registered on the Envoy side.
const (
	// EnvoyJwtFilterName is the name of the Envoy JWT authentication filter, as defined in
	// https://github.com/envoyproxy/envoy/blob/v1.9.1/source/extensions/filters/http/well_known_names.h#L48
	EnvoyJwtFilterName = "envoy.filters.http.jwt_authn"

	// AuthnFilterName is the name of the Istio AuthN filter, as defined in
	// https://github.com/istio/proxy/blob/master/src/envoy/http/authn/http_filter_factory.cc#L30
	AuthnFilterName = "istio_authn"
)

func ApplyCustomSDSToClientCommonTLSContext

func ApplyCustomSDSToClientCommonTLSContext(tlsContext *tls.CommonTlsContext, tlsOpts *networking.ClientTLSSettings, sdsUdsPath string)

ApplyCustomSDSToClientCommonTLSContext applies the customized SDS configuration to the CommonTlsContext. It is used for building the upstream TLS context for an egress gateway's TLS/mTLS origination.

func ApplyCustomSDSToServerCommonTLSContext

func ApplyCustomSDSToServerCommonTLSContext(tlsContext *tls.CommonTlsContext, tlsOpts *networking.ServerTLSSettings, sdsUdsPath string)

ApplyCustomSDSToServerCommonTLSContext applies the customized SDS configuration to the CommonTlsContext. It is used for building both gateway and sidecar TLS contexts.

func ApplyToCommonTLSContext

func ApplyToCommonTLSContext(tlsContext *tls.CommonTlsContext, metadata *model.NodeMetadata, sdsPath string, subjectAltNames []string)

ApplyToCommonTLSContext completes the CommonTlsContext for the `ISTIO_MUTUAL` TLS mode.

func ConstructSdsSecretConfig

func ConstructSdsSecretConfig(name string) *tls.SdsSecretConfig

ConstructSdsSecretConfig constructs SDS Secret Configuration for workload proxy.

func ConstructSdsSecretConfigWithCustomUds

func ConstructSdsSecretConfigWithCustomUds(name, sdsUdsPath string) *tls.SdsSecretConfig

ConstructSdsSecretConfigWithCustomUds constructs the SDS secret configuration for an ingress gateway, using the given custom Unix domain socket path.

func ConstructValidationContext

func ConstructValidationContext(rootCAFilePath string, subjectAltNames []string) *tls.CommonTlsContext_ValidationContext

ConstructValidationContext constructs the ValidationContext of a CommonTLSContext from the given root CA file path and subject alternative names.

Package model imports 9 packages and is imported by 12 packages. Updated 2020-08-09.