
package istioagent

import ""


Package Files

agent.go xds_proxy.go


const (
    MetadataClientCertKey   = "ISTIO_META_TLS_CLIENT_KEY"
    MetadataClientCertChain = "ISTIO_META_TLS_CLIENT_CERT_CHAIN"
    MetadataClientRootCert  = "ISTIO_META_TLS_CLIENT_ROOT_CERT"
)

const (
    // CitadelCACertPath is the directory for Citadel CA certificate.
    // This is mounted from config map 'istio-ca-root-cert'. Part of startup,
    // this may be replaced with ./etc/certs, if a root-cert.pem is found, to
    // handle secrets mounted from non-citadel CAs.
    CitadelCACertPath = "./var/run/secrets/istio"
)

type Agent

type Agent struct {
    // contains filtered or unexported fields
}

Agent contains the configuration of the agent, based on the injected environment:
- SDS hostPath if node-agent was used
- /etc/certs/key if Citadel or other mounted Secrets are used
- root cert to use for connecting to the XDS server
- CA address, with proper defaults and detection

func NewAgent

func NewAgent(proxyConfig *mesh.ProxyConfig, cfg *AgentConfig, sopts security.Options) *Agent

NewAgent hosts the functionality for local SDS and XDS. This consists of the local SDS server and associated clients to sign certificates (when not using files), and the local XDS proxy (including health checking for VMs and DNS proxying).

func (*Agent) Close

func (sa *Agent) Close()

func (*Agent) FindRootCAForCA

func (sa *Agent) FindRootCAForCA() string

FindRootCAForCA finds the root CA to use when connecting to the CA (Istiod or external).

func (*Agent) FindRootCAForXDS

func (sa *Agent) FindRootCAForXDS() string

FindRootCAForXDS explicitly determines the root CA to be configured in the bootstrap file. It may differ from the root CA used for the cert server, which is based on CA_ADDR. It replaces the following logic in the template:

{{- if .provisioned_cert }}
 "filename": "{{(printf "%s%s" .provisioned_cert "/root-cert.pem") }}"
 {{- else if eq .pilot_cert_provider "kubernetes" }}
 "filename": "./var/run/secrets/"
 {{- else if eq .pilot_cert_provider "istiod" }}
 "filename": "./var/run/secrets/istio/root-cert.pem"
 {{- end }}

In addition it handles the case where the XDS server is on port 443 and is expected to present a publicly trusted certificate, in which case the system bundle /etc/ssl/certs/ca-certificates.crt is used.

TODO: additional checks for existence. Fail early, instead of obscure Envoy errors.
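The root-CA selection described above, written out as a stand-alone Go example. This is added illustration, not the istio-agent's own FindRootCAForXDS implementation: the rootCAInputs struct and selectXDSRootCA function are hypothetical, the "kubernetes" branch path is a placeholder because the template line is truncated on this page, and the priority of the port-443 case relative to the template branches is an assumption. It also adds the existence check the TODO asks for, so a missing or wrong trust root is rejected at agent startup instead of surfacing later as an Envoy TLS failure.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const (
	// CitadelCACertPath value as documented on this page.
	citadelCACertPath = "./var/run/secrets/istio"
	// The template's "kubernetes" branch is truncated on the page; this value
	// is a placeholder, not the real path.
	k8sRootCAPath = "./var/run/secrets/PLACEHOLDER-kubernetes-ca.crt"
	// System CA bundle named on the page for XDS servers on port 443.
	systemCABundle = "/etc/ssl/certs/ca-certificates.crt"
)

// rootCAInputs is a hypothetical struct collecting the agent state the
// selection depends on (the real Agent keeps these in unexported fields).
type rootCAInputs struct {
	XDSRootCerts      string // explicit override, as AgentConfig.XDSRootCerts
	ProvisionedCert   string // directory holding a mounted root-cert.pem, "" if none
	PilotCertProvider string // "istiod", "kubernetes", or something else
	XDSPort           int    // port of the XDS server
}

// selectXDSRootCA mirrors the template branches from the doc comment and adds
// the existence check the TODO asks for. The ordering of the port-443 case
// relative to the template branches is an assumption of this example.
func selectXDSRootCA(in rootCAInputs) (string, error) {
	var candidate string
	switch {
	case in.XDSRootCerts != "":
		candidate = in.XDSRootCerts
	case in.XDSPort == 443:
		candidate = systemCABundle
	case in.ProvisionedCert != "":
		candidate = filepath.Join(in.ProvisionedCert, "root-cert.pem")
	case in.PilotCertProvider == "kubernetes":
		candidate = k8sRootCAPath
	case in.PilotCertProvider == "istiod":
		candidate = filepath.Join(citadelCACertPath, "root-cert.pem")
	default:
		return "", errors.New("no root CA source configured for the XDS connection")
	}
	// Fail early: a trust root that does not exist on disk would otherwise only
	// show up as an obscure TLS error once Envoy tries to reach the XDS server.
	info, err := os.Stat(candidate)
	if err != nil {
		return "", fmt.Errorf("XDS root CA %q is not usable: %w", candidate, err)
	}
	if info.IsDir() {
		return "", fmt.Errorf("XDS root CA %q is a directory, expected a PEM file", candidate)
	}
	return candidate, nil
}

func main() {
	path, err := selectXDSRootCA(rootCAInputs{PilotCertProvider: "istiod"})
	if err != nil {
		fmt.Println("refusing to start:", err)
		return
	}
	fmt.Println("XDS root CA:", path)
}
```

An explicit XDSRootCerts wins over every inferred location, matching the AgentConfig field's purpose of letting operators pin platform or custom roots; the function returns an error rather than a best-guess path when nothing applies, so the agent cannot silently start with no trust anchor for its control-plane connection.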

func (*Agent) Start

func (sa *Agent) Start() error

Start performs a simplified SDS setup. It is called if and only if the user has explicitly mounted a K8S JWT token and is not using a hostPath-mounted or external SDS server.

1. External CA: requires authenticating the trusted JWT AND validating the SAN against the JWT. For example, Google CA.

2. Indirect, using istiod: using the K8S cert.

type AgentConfig

type AgentConfig struct {
    // ProxyXDSViaAgent if true will enable a local XDS proxy that will simply
    // ferry Envoy's XDS requests to istiod and responses back to envoy
    // This flag is temporary until the feature is stabilized.
    ProxyXDSViaAgent bool
    // DNSCapture indicates if the XDS proxy has dns capture enabled or not
    // This option will not be considered if proxyXDSViaAgent is false.
    DNSCapture bool
    // ProxyType is the type of proxy we are configured to handle
    ProxyType model.NodeType
    // ProxyNamespace to use for local dns resolution
    ProxyNamespace string
    // ProxyDomain is the DNS domain associated with the proxy (assumed
    // to include the namespace as well) (for local dns resolution)
    ProxyDomain string

    // XDSRootCerts is the location of the root CA for the XDS connection. Used for setting platform certs or
    // using custom roots.
    XDSRootCerts string

    // CARootCerts of the location of the root CA for the CA connection. Used for setting platform certs or
    // using custom roots.
    CARootCerts string

    // Extra headers to add to the XDS connection.
    XDSHeaders map[string]string

    // Is the proxy an IPv6 proxy
    IsIPv6 bool

    // Path to local UDS to communicate with Envoy
    XdsUdsPath string
}

AgentConfig contains additional config for the agent, not included in ProxyConfig. Most values come from env variables (still experimental) or are for testing only. Eventually most non-test settings should graduate to ProxyConfig. Please don't add 100 parameters to the NewAgent function (or any other)!

type ProxyConnection

type ProxyConnection struct {
    // contains filtered or unexported fields
}

type XdsProxy

type XdsProxy struct {
    // contains filtered or unexported fields
}

XdsProxy proxies all XDS requests from Envoy to istiod, and additionally allows subsystems inside the agent (e.g. DNS, SDS) to communicate with either istiod or Envoy. The goal is to consolidate all XDS-related connections to istiod/Envoy into a single TCP connection carrying multiple gRPC streams. TODO: Right now the workloadSDS and gatewaySDS servers are still separate connections; these need to be consolidated. TODO: consolidate with / use the ADSC struct; there is a lot of duplication.

func (*XdsProxy) DeltaAggregatedResources

func (p *XdsProxy) DeltaAggregatedResources(server discovery.AggregatedDiscoveryService_DeltaAggregatedResourcesServer) error

func (*XdsProxy) HandleUpstream

func (p *XdsProxy) HandleUpstream(ctx context.Context, con *ProxyConnection, xds discovery.AggregatedDiscoveryServiceClient) error

func (*XdsProxy) PersistRequest

func (p *XdsProxy) PersistRequest(req *discovery.DiscoveryRequest)

PersistRequest sends a request to the currently connected upstream. Additionally, on any reconnection to the upstream XDS server, this request is resent.

func (*XdsProxy) RegisterStream

func (p *XdsProxy) RegisterStream(c *ProxyConnection)

func (*XdsProxy) StreamAggregatedResources

func (p *XdsProxy) StreamAggregatedResources(downstream discovery.AggregatedDiscoveryService_StreamAggregatedResourcesServer) error

Every time Envoy makes a fresh connection to the agent, we re-establish a new connection to the upstream XDS server. This ensures that a new connection between istiod and the agent does not end up consuming pending messages from Envoy, since the new connection may not go to the same istiod. The vice versa case also applies.

func (*XdsProxy) UnregisterStream

func (p *XdsProxy) UnregisterStream(c *ProxyConnection)

Package istioagent imports 42 packages and is imported by 2 packages. Updated 2021-01-17.