istio: istio.io/istio/pilot/pkg/security/model Index | Files

package model

import "istio.io/istio/pilot/pkg/security/model"


Package Files

authentication.go log.go trace.go

Constants

// SDS statistics prefix and the resource names requested over SDS.
const (
    // SDSStatPrefix is the human-readable prefix used when emitting statistics for the SDS service.
    SDSStatPrefix = "sdsstat"

    // SDSDefaultResourceName is the default sdsconfig name, used to fetch the regular key/cert.
    SDSDefaultResourceName = "default"

    // SDSRootResourceName is the sdsconfig name for the root CA, used to fetch the root cert.
    SDSRootResourceName = "ROOTCA"

    // IngressGatewaySdsCaSuffix is the suffix of the SDS resource name for the root CA.
    IngressGatewaySdsCaSuffix = "-cacert"
)

// Credential source, credential header and socket path used to reach SDS.
const (
    // K8sSATrustworthyJwtFileName is the file, on the token volume mount, that holds
    // the k8s trustworthy JWT.
    // NOTE(review): the token is presumably presented as a credential under
    // K8sSAJwtTokenHeaderKey; the mount's file permissions are not visible here, so
    // confirm that only the proxy can read this path.
    K8sSATrustworthyJwtFileName = "/var/run/secrets/tokens/istio-token"

    // FileBasedMetadataPlugName is the name of the file-based metadata credentials plugin.
    FileBasedMetadataPlugName = "envoy.grpc_credentials.file_based_metadata"

    // K8sSAJwtTokenHeaderKey is the request header key that carries the k8s JWT.
    // A binary header name must have the "-bin" suffix, according to
    // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
    // NOTE(review): values sent under this key are credentials; confirm they are
    // kept out of request logs and traces.
    K8sSAJwtTokenHeaderKey = "istio_sds_credentials_header-bin"

    // IngressGatewaySdsUdsPath is the UDS path the ingress gateway uses to get credentials via SDS.
    // NOTE(review): who may connect to this socket presumably depends on the
    // permissions of the directory and socket file - confirm in the deployment.
    IngressGatewaySdsUdsPath = "unix:/var/run/ingress_gateway/sds"
)

// HTTP filter names. Each value has to stay equal to the name defined on the
// proxy side at the linked location.
const (
    // IstioJwtFilterName is the name of the Istio JWT filter; it should match the name defined in
    // https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/http_filter_factory.cc#L50
    // NOTE(review): the link targets master, so the #L50 anchor can drift; a tag- or
    // commit-pinned link would stay accurate.
    IstioJwtFilterName = "jwt-auth"

    // EnvoyJwtFilterName is the name of the Envoy JWT filter; it should match the name defined in
    // https://github.com/envoyproxy/envoy/blob/v1.9.1/source/extensions/filters/http/well_known_names.h#L48
    EnvoyJwtFilterName = "envoy.filters.http.jwt_authn"

    // AuthnFilterName is the name of the Istio AuthN filter; it should match the name defined in
    // https://github.com/istio/proxy/blob/master/src/envoy/http/authn/http_filter_factory.cc#L30
    // NOTE(review): this link also targets master, so the #L30 anchor can drift.
    AuthnFilterName = "istio_authn"
)

func ConstructSdsSecretConfig Uses

func ConstructSdsSecretConfig(name, sdsUdsPath string, metadata *model.NodeMetadata) *auth.SdsSecretConfig

ConstructSdsSecretConfig constructs the SDS secret configuration for a workload proxy.

func ConstructSdsSecretConfigForGatewayListener Uses

func ConstructSdsSecretConfigForGatewayListener(name, sdsUdsPath string) *auth.SdsSecretConfig

ConstructSdsSecretConfigForGatewayListener constructs SDS secret configuration for ingress gateway.

func ConstructValidationContext Uses

func ConstructValidationContext(rootCAFilePath string, subjectAltNames []string) *auth.CommonTlsContext_ValidationContext

ConstructValidationContext constructs ValidationContext in CommonTLSContext.

func ConstructgRPCCallCredentials Uses

func ConstructgRPCCallCredentials(tokenFileName, headerKey string) []*core.GrpcService_GoogleGrpc_CallCredentials

ConstructgRPCCallCredentials is used to construct the SDS config, which is only available from 1.1 onward.

type MutualTLSMode Uses

type MutualTLSMode int

MutualTLSMode is the mutual TLS mode specified by the authentication policy.

const (
    // MTLSUnknown indicates the variable has not been initialized correctly (from the
    // authentication policy). It is the first iota value, so it is also the zero value
    // of MutualTLSMode: an unset variable reads as MTLSUnknown, not as a concrete mode.
    MTLSUnknown MutualTLSMode = iota

    // MTLSDisable means the authentication policy disables mTLS.
    MTLSDisable

    // MTLSPermissive means the authentication policy enables mTLS in permissive mode.
    // NOTE(review): permissive presumably still admits non-mTLS traffic - confirm
    // against the policy semantics before relying on this mode for peer authentication.
    MTLSPermissive

    // MTLSStrict means the authentication policy enables mTLS in strict mode.
    MTLSStrict
)

func (MutualTLSMode) String Uses

func (mode MutualTLSMode) String() string

String converts MutualTLSMode to human readable string for debugging.

type TraceConfig Uses

type TraceConfig struct {
    // Sampling settings, each a percentage (0.0 - 100.0); the float64 type
    // does not enforce that range by itself.
    ClientSampling, RandomSampling, OverallSampling float64
}

TraceConfig values are percentages 0.0 - 100.0

func GetTraceConfig Uses

func GetTraceConfig() TraceConfig

GetTraceConfig returns configured TraceConfig

Package model imports 9 packages (graph) and is imported by 5 packages. Updated 2019-10-20. Refresh now. Tools for package owners.