import "istio.io/istio/security/pkg/nodeagent/sds"
Package sds implements secret discovery service in NodeAgent.
monitoring.go sdsservice.go server.go
const (
// SecretType is used for secret discovery service to construct response.
SecretType = "type.googleapis.com/envoy.api.v2.auth.Secret"
)NewPlugins returns a slice of default Plugins.
NotifyProxy sends notification to proxy about secret update, SDS will close streaming connection if secret is nil.
type ClientDebug struct {
ConnectionID string `json:"connection_id"`
ProxyID string `json:"proxy"`
ResourceName string `json:"resource_name"`
// fields from secret item
CertificateChain string `json:"certificate_chain"`
RootCert string `json:"root_cert"`
CreatedTime string `json:"created_time"`
ExpireTime string `json:"expire_time"`
}ClientDebug represents a single SDS connection to the ndoe agent
type Debug struct {
Clients []ClientDebug `json:"clients"`
}Debug represents all clients connected to this node agent endpoint and their supplied secrets
type Options struct {
// PluginNames is plugins' name for certain authentication provider.
PluginNames []string
// WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
WorkloadUDSPath string
// IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
// ingress gateway proxies.
IngressGatewayUDSPath string
// CertFile is the path of Cert File for gRPC server TLS settings.
CertFile string
// KeyFile is the path of Key File for gRPC server TLS settings.
KeyFile string
// CAEndpoint is the CA endpoint to which node agent sends CSR request.
CAEndpoint string
// The CA provider name.
CAProviderName string
// TrustDomain corresponds to the trust root of a system.
// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
TrustDomain string
// The Vault CA address.
VaultAddress string
// The Vault auth path.
VaultAuthPath string
// The Vault role.
VaultRole string
// The Vault sign CSR path.
VaultSignCsrPath string
// The Vault TLS root certificate.
VaultTLSRootCert string
// GrpcServer is an already configured (shared) grpc server. If set, the agent will just register on the server.
GrpcServer *grpc.Server
// Recycle job running interval (to clean up staled sds client connections).
RecycleInterval time.Duration
// Debug server port from which node_agent serves SDS configuration dumps
DebugPort int
// EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
EnableWorkloadSDS bool
// EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
EnableIngressGatewaySDS bool
// AlwaysValidTokenFlag is set to true for if token used is always valid(ex, normal k8s JWT)
AlwaysValidTokenFlag bool
// UseLocalJWT is set when the sds server should use its own local JWT, and not expect one
// from the UDS caller. Used when it runs in the same container with Envoy.
UseLocalJWT bool
// Whether to generate PKCS#8 private keys.
Pkcs8Keys bool
// PilotCertProvider is the provider of the Pilot certificate.
PilotCertProvider string
// JWTPath is the path for the JWT token
JWTPath string
// OutputKeyCertToDir is the directory for output the key and certificate
OutputKeyCertToDir string
// Existing certs, for VM or existing certificates
CertsDir string
}Options provides all of the configuration parameters for secret discovery service.
type Server struct {
// contains filtered or unexported fields
}Server is the gPRC server that exposes SDS through UDS.
func NewServer(options Options, workloadSecretCache, gatewaySecretCache cache.SecretManager) (*Server, error)
NewServer creates and starts the Grpc server for SDS.
Stop closes the gRPC server and debug server.
Package sds imports 30 packages (graph) and is imported by 5 packages. Updated 2020-03-30. Refresh now. Tools for package owners.