istio: istio.io/istio/pilot/pkg/security/model

package model

import "istio.io/istio/pilot/pkg/security/model"


Package Files

authentication.go

Constants

const (
    // SDSStatPrefix is the human readable prefix to use when emitting statistics for the SDS service.
    SDSStatPrefix = "sdsstat"

    // SDSClusterName is the name of the Envoy cluster that SDS connections are sent to.
    SDSClusterName = "sds-grpc"

    // SDSDefaultResourceName is the default resource name in sdsconfig, used for fetching the
    // workload's normal key/cert.
    SDSDefaultResourceName = "default"

    // SDSRootResourceName is the sdsconfig resource name for the root CA, used for fetching the root cert.
    SDSRootResourceName = "ROOTCA"

    // K8sSAJwtFileName is the token volume mount file name for the k8s service account jwt token.
    K8sSAJwtFileName = "/var/run/secrets/kubernetes.io/serviceaccount/token"

    // K8sSATrustworthyJwtFileName is the token volume mount file name for the k8s trustworthy jwt token.
    // NOTE(review): this is a separate mount from K8sSAJwtFileName; presumably the projected,
    // audience-scoped token — confirm which of the two paths the SDS client actually reads.
    K8sSATrustworthyJwtFileName = "/var/run/secrets/tokens/istio-token"

    // K8sSAJwtTokenHeaderKey is the request header key under which the k8s jwt token is sent.
    // A binary gRPC header name must have the suffix "-bin", according to
    // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
    K8sSAJwtTokenHeaderKey = "istio_sds_credentials_header-bin"

    // SdsCaSuffix is the suffix appended to an sds resource name to address its root CA.
    SdsCaSuffix = "-cacert"

    // EnvoyJwtFilterName is the name of the Envoy JWT filter. This should be the same as the name defined
    // in https://github.com/envoyproxy/envoy/blob/v1.9.1/source/extensions/filters/http/well_known_names.h#L48
    EnvoyJwtFilterName = "envoy.filters.http.jwt_authn"

    // AuthnFilterName is the name for the Istio AuthN filter. This should be the same
    // as the name defined in
    // https://github.com/istio/proxy/blob/master/src/envoy/http/authn/http_filter_factory.cc#L30
    AuthnFilterName = "istio_authn"

    // KubernetesSecretType is the type name of an SDS secret stored in Kubernetes.
    // KubernetesSecretTypeURI is the scheme prefix ("kubernetes://") that marks a reference to such a secret.
    KubernetesSecretType    = "kubernetes"
    KubernetesSecretTypeURI = KubernetesSecretType + "://"
)

Variables

var (
    // SDSAdsConfig is the ConfigSource that (going by its name) SDS secret configs point at:
    // resources are fetched over the aggregated discovery stream (ADS) using the v3 resource
    // API, with the initial fetch bounded by features.InitialFetchTimeout.
    // NOTE(review): what the proxy does when that timeout elapses before the secret arrives is
    // not visible here — confirm against the Envoy ConfigSource semantics before relying on it.
    SDSAdsConfig = &core.ConfigSource{
        ConfigSourceSpecifier: &core.ConfigSource_Ads{
            Ads: &core.AggregatedConfigSource{},
        },
        ResourceApiVersion:  core.ApiVersion_V3,
        InitialFetchTimeout: features.InitialFetchTimeout,
    }
)

func ApplyCredentialSDSToServerCommonTLSContext

func ApplyCredentialSDSToServerCommonTLSContext(tlsContext *tls.CommonTlsContext, tlsOpts *networking.ServerTLSSettings)

ApplyCredentialSDSToServerCommonTLSContext applies the credentialName SDS config (from a Gateway or DestinationRule) to the CommonTlsContext. It is used for building both gateway and sidecar TLS contexts.

func ApplyCustomSDSToClientCommonTLSContext

func ApplyCustomSDSToClientCommonTLSContext(tlsContext *tls.CommonTlsContext, tlsOpts *networking.ClientTLSSettings)

ApplyCustomSDSToClientCommonTLSContext applies the customized SDS config to the CommonTlsContext. It is used for building the upstream TLS context for an egress gateway's TLS/mTLS origination.

func ApplyToCommonTLSContext

func ApplyToCommonTLSContext(tlsContext *tls.CommonTlsContext, metadata *model.NodeMetadata,
    sdsPath string, subjectAltNames []string, trustDomainAliases []string)

ApplyToCommonTLSContext completes the given commonTlsContext.

func ConstructSdsSecretConfig

func ConstructSdsSecretConfig(name string) *tls.SdsSecretConfig

ConstructSdsSecretConfig constructs the SDS secret configuration for the workload proxy.

func ConstructSdsSecretConfigForCredential

func ConstructSdsSecretConfigForCredential(name string) *tls.SdsSecretConfig

ConstructSdsSecretConfigForCredential constructs the SDS secret configuration used for certificates referenced by credentialName in a DestinationRule or Gateway. Currently this is served by a local SDS server, but in the future it will be replaced by the Istiod SDS server.

func ConstructValidationContext

func ConstructValidationContext(rootCAFilePath string, subjectAltNames []string) *tls.CommonTlsContext_ValidationContext

ConstructValidationContext constructs ValidationContext in CommonTLSContext.

Package model imports 9 packages and is imported by 15 packages. Updated 2021-01-16.