import "istio.io/istio/pkg/istio-agent"
const (
	MetadataClientCertKey   = "ISTIO_META_TLS_CLIENT_KEY"
	MetadataClientCertChain = "ISTIO_META_TLS_CLIENT_CERT_CHAIN"
	MetadataClientRootCert  = "ISTIO_META_TLS_CLIENT_ROOT_CERT"
)
const (
	// CitadelCACertPath is the directory for Citadel CA certificate.
	// This is mounted from config map 'istio-ca-root-cert'. Part of startup,
	// this may be replaced with ./etc/certs, if a root-cert.pem is found, to
	// handle secrets mounted from non-citadel CAs.
	CitadelCACertPath = "./var/run/secrets/istio"
)
type Agent struct {
// contains filtered or unexported fields
}
Agent contains the configuration of the agent, based on the injected environment:
- SDS hostPath if node-agent was used
- /etc/certs/key if Citadel or other mounted Secrets are used
- root cert to use for connecting to XDS server
- CA address, with proper defaults and detection
func NewAgent(proxyConfig *mesh.ProxyConfig, cfg *AgentConfig, sopts security.Options) *Agent
NewAgent hosts the functionality for local SDS and XDS. This consists of the local SDS server and associated clients to sign certificates (when not using files), and the local XDS proxy (including health checking for VMs and DNS proxying).
Find the root CA to use when connecting to the CA (Istiod or external).
Explicit code to determine the root CA to be configured in the bootstrap file. It may be different from the CA for the cert server, which is based on CA_ADDR. Replaces logic in the template:
{{- if .provisioned_cert }}
"filename": "{{(printf "%s%s" .provisioned_cert "/root-cert.pem") }}"
{{- else if eq .pilot_cert_provider "kubernetes" }}
"filename": "./var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
{{- else if eq .pilot_cert_provider "istiod" }}
"filename": "./var/run/secrets/istio/root-cert.pem"
{{- end }}
In addition, it deals with the case where the XDS server is on port 443 and is expected to present a proper (publicly trusted) cert, in which case the system CA bundle /etc/ssl/certs/ca-certificates.crt is used.
TODO: additional checks for existence. Fail early, instead of obscure envoy errors.
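As an added illustration, not code from the Istio agent itself, here is the branch logic of the template above together with the "fail early" check the TODO asks for, as a stand-alone Go program. The file paths come from this page; the input struct, the function names and the decision to test the port-443 case before the template branches are assumptions of this example. The self-signed root it writes is constructed test data so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Paths taken from the template and the port-443 note above.
const (
	kubernetesCAPath   = "./var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
	istiodCAPath       = "./var/run/secrets/istio/root-cert.pem"
	systemCABundlePath = "/etc/ssl/certs/ca-certificates.crt"
)

// rootCAInputs stands in for the template variables provisioned_cert and
// pilot_cert_provider plus the XDS port (hypothetical names, not Istio's).
type rootCAInputs struct {
	ProvisionedCert   string // directory holding root-cert.pem, "" if none
	PilotCertProvider string // "istiod", "kubernetes", or something else
	XDSPort           int
}

// resolveRootCAPath follows the template's branch order. Testing port 443
// first is an assumption of this example: a public endpoint is expected to
// present a publicly trusted cert, so the system bundle is the right root.
func resolveRootCAPath(in rootCAInputs) (string, error) {
	switch {
	case in.XDSPort == 443:
		return systemCABundlePath, nil
	case in.ProvisionedCert != "":
		// Same concatenation as the template's printf "%s%s".
		return in.ProvisionedCert + "/root-cert.pem", nil
	case in.PilotCertProvider == "kubernetes":
		return kubernetesCAPath, nil
	case in.PilotCertProvider == "istiod":
		return istiodCAPath, nil
	}
	return "", fmt.Errorf("no root CA source for pilot cert provider %q", in.PilotCertProvider)
}

// loadRootCA is the fail-early check: the file must exist and hold at least
// one parsable PEM certificate before the bootstrap is written, so a bad mount
// is reported by the agent instead of as an opaque Envoy TLS error later.
func loadRootCA(path string) (*x509.CertPool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("root CA %s: %w", path, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("root CA %s: no PEM certificates found", path)
	}
	return pool, nil
}

// writeConstructedRootCA writes a throwaway self-signed CA as <dir>/root-cert.pem.
// Constructed test data only; this is not how Istio provisions certificates.
func writeConstructedRootCA(dir string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-example-root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "root-cert.pem")
	return path, os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}

func run() error {
	dir, err := os.MkdirTemp("", "provisioned-cert")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	if _, err := writeConstructedRootCA(dir); err != nil {
		return err
	}
	path, err := resolveRootCAPath(rootCAInputs{ProvisionedCert: dir, PilotCertProvider: "istiod", XDSPort: 15012})
	if err != nil {
		return err
	}
	if _, err := loadRootCA(path); err != nil {
		return err
	}
	fmt.Println("root CA for XDS bootstrap:", path)
	return nil
}

func main() {
	if err := run(); err != nil {
		fmt.Println("bootstrap root CA check failed:", err)
		os.Exit(1)
	}
}
```

The provisioned-cert branch wins over the pilot_cert_provider branches exactly as in the template, so an operator who mounts a custom root-cert.pem overrides the istiod and Kubernetes defaults; loadRootCA then turns a typo in that mount path into a startup error with the path in the message.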
Simplified SDS setup. This is called if and only if the user has explicitly mounted a K8S JWT token, and is not using a hostPath mounted or external SDS server.
1. External CA: requires authenticating the trusted JWT AND validating the SAN against the JWT. For example, Google CA.
2. Indirect, using istiod: using K8S cert.
type AgentConfig struct {
	// ProxyXDSViaAgent if true will enable a local XDS proxy that will simply
	// ferry Envoy's XDS requests to istiod and responses back to envoy.
	// This flag is temporary until the feature is stabilized.
	ProxyXDSViaAgent bool
	// DNSCapture indicates if the XDS proxy has dns capture enabled or not.
	// This option will not be considered if proxyXDSViaAgent is false.
	DNSCapture bool
	// ProxyType is the type of proxy we are configured to handle
	ProxyType model.NodeType
	// ProxyNamespace to use for local dns resolution
	ProxyNamespace string
	// ProxyDomain is the DNS domain associated with the proxy (assumed
	// to include the namespace as well) (for local dns resolution)
	ProxyDomain string
	// XDSRootCerts is the location of the root CA for the XDS connection. Used for setting platform certs or
	// using custom roots.
	XDSRootCerts string
	// CARootCerts is the location of the root CA for the CA connection. Used for setting platform certs or
	// using custom roots.
	CARootCerts string
	// Extra headers to add to the XDS connection.
	XDSHeaders map[string]string
	// Is the proxy an IPv6 proxy
	IsIPv6 bool
	// Path to local UDS to communicate with Envoy
	XdsUdsPath string
}
AgentConfig contains additional config for the agent, not included in ProxyConfig. Most are from env variables (still experimental) or for testing only. Eventually most non-test settings should graduate to ProxyConfig. Please don't add 100 parameters to the NewAgent function (or any other)!
type ProxyConnection struct {
// contains filtered or unexported fields
}
type XdsProxy struct {
// contains filtered or unexported fields
}
XdsProxy proxies all XDS requests from Envoy to istiod, in addition to allowing subsystems inside the agent to also communicate with either istiod or Envoy (e.g. dns, sds, etc.). The goal here is to consolidate all xds related connections to istiod/envoy into a single tcp connection with multiple gRPC streams.
TODO: Right now, the workloadSDS server and gatewaySDS servers are still separate connections. These need to be consolidated.
TODO: consolidate/use ADSC struct - a lot of duplication.
func (p *XdsProxy) DeltaAggregatedResources(server discovery.AggregatedDiscoveryService_DeltaAggregatedResourcesServer) error
func (p *XdsProxy) HandleUpstream(ctx context.Context, con *ProxyConnection, xds discovery.AggregatedDiscoveryServiceClient) error
func (p *XdsProxy) PersistRequest(req *discovery.DiscoveryRequest)
PersistRequest sends a request to the currently connected proxy. Additionally, on any reconnection to the upstream XDS server we will resend this request.
func (p *XdsProxy) RegisterStream(c *ProxyConnection)
func (p *XdsProxy) StreamAggregatedResources(downstream discovery.AggregatedDiscoveryService_StreamAggregatedResourcesServer) error
Every time Envoy makes a fresh connection to the agent, we reestablish a new connection to the upstream xds. This ensures that a new connection between istiod and agent doesn't end up consuming pending messages from Envoy, as the new connection may not go to the same istiod. The vice versa case also applies.
func (p *XdsProxy) UnregisterStream(c *ProxyConnection)
Path | Synopsis
---|---
health |
metrics |
Package istioagent imports 42 packages and is imported by 2 packages. Updated 2021-01-17.