istio

package sds

import ""

Package sds implements secret discovery service in NodeAgent.


Package Files

adapter.go monitoring.go sdsservice.go server.go


const (
    // SecretType is used for secret discovery service to construct response.
    SecretTypeV2 = ""
    SecretTypeV3 = ""
)

func NewPlugins

func NewPlugins(in []string) []plugin.Plugin

NewPlugins returns a slice of default Plugins.

func NotifyProxy

func NotifyProxy(connKey cache.ConnKey, secret *model.SecretItem) error

NotifyProxy sends notification to proxy about secret update, SDS will close streaming connection if secret is nil.

type ClientDebug

type ClientDebug struct {
    ConnectionID string `json:"connection_id"`
    ProxyID      string `json:"proxy"`
    ResourceName string `json:"resource_name"`

    // fields from secret item
    CertificateChain string `json:"certificate_chain"`
    RootCert         string `json:"root_cert"`
    CreatedTime      string `json:"created_time"`
    ExpireTime       string `json:"expire_time"`
}

ClientDebug represents a single SDS connection to the node agent.

type Debug

type Debug struct {
    Clients []ClientDebug `json:"clients"`
}

Debug represents all clients connected to this node agent endpoint and the secrets supplied to them.
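The Debug dump is what the node agent serves on DebugPort, so it is a convenient place to watch for workload certificates that are about to expire without being rotated. The following is an added example, not code from the istio project: it mirrors the ClientDebug and Debug JSON shape documented above in local types, parses a constructed dump, and returns the proxies whose certificate expires within a given window. The page does not state the timestamp layout of created_time and expire_time; this example assumes RFC 3339 and should be adjusted to whatever your agent actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Local mirror of the sds.ClientDebug JSON shape documented on this page
// (added example; not the istio package's own types).
type ClientDebug struct {
	ConnectionID     string `json:"connection_id"`
	ProxyID          string `json:"proxy"`
	ResourceName     string `json:"resource_name"`
	CertificateChain string `json:"certificate_chain"`
	RootCert         string `json:"root_cert"`
	CreatedTime      string `json:"created_time"`
	ExpireTime       string `json:"expire_time"`
}

// Local mirror of sds.Debug.
type Debug struct {
	Clients []ClientDebug `json:"clients"`
}

// ExpiringClients parses a Debug dump and returns the proxy IDs whose
// certificate expires at or before now+window. The RFC 3339 layout for
// expire_time is an assumption, not something the page specifies.
func ExpiringClients(dump []byte, now time.Time, window time.Duration) ([]string, error) {
	var d Debug
	if err := json.Unmarshal(dump, &d); err != nil {
		return nil, fmt.Errorf("decode debug dump: %w", err)
	}
	deadline := now.Add(window)
	var expiring []string
	for _, c := range d.Clients {
		exp, err := time.Parse(time.RFC3339, c.ExpireTime)
		if err != nil {
			// Fail closed: an unparseable expiry is a monitoring gap, not "fine".
			return nil, fmt.Errorf("client %s: bad expire_time %q: %w", c.ConnectionID, c.ExpireTime, err)
		}
		if !exp.After(deadline) {
			expiring = append(expiring, c.ProxyID)
		}
	}
	return expiring, nil
}

// Constructed sample dump in the documented shape; not captured from a real agent.
const sampleDump = `{"clients":[
 {"connection_id":"c1","proxy":"sidecar~10.0.0.1~web-1.default~default.svc.cluster.local",
  "resource_name":"default","certificate_chain":"<pem>","root_cert":"<pem>",
  "created_time":"2020-07-07T10:00:00Z","expire_time":"2020-07-08T10:00:00Z"},
 {"connection_id":"c2","proxy":"sidecar~10.0.0.2~api-1.default~default.svc.cluster.local",
  "resource_name":"default","certificate_chain":"<pem>","root_cert":"<pem>",
  "created_time":"2020-07-07T09:00:00Z","expire_time":"2020-07-07T10:30:00Z"}
]}`

func main() {
	now := time.Date(2020, 7, 7, 10, 0, 0, 0, time.UTC)
	soon, err := ExpiringClients([]byte(sampleDump), now, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("certificates expiring within 1h:", soon)
}
```

In practice the dump would be fetched from the agent's DebugPort rather than embedded; the window should be shorter than the agent's rotation lead time so a hit means rotation has actually stalled.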

type Options

type Options struct {
    // PluginNames is plugins' name for certain authentication provider.
    PluginNames []string

    // WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
    WorkloadUDSPath string

    // IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
    // ingress gateway proxies.
    IngressGatewayUDSPath string

    // CertFile is the path of Cert File for gRPC server TLS settings.
    CertFile string

    // KeyFile is the path of Key File for gRPC server TLS settings.
    KeyFile string

    // CAEndpoint is the CA endpoint to which node agent sends CSR request.
    CAEndpoint string

    // The CA provider name.
    CAProviderName string

    // TrustDomain corresponds to the trust root of a system.
    TrustDomain string

    // The Vault CA address.
    VaultAddress string

    // The Vault auth path.
    VaultAuthPath string

    // The Vault role.
    VaultRole string

    // The Vault sign CSR path.
    VaultSignCsrPath string

    // The Vault TLS root certificate.
    VaultTLSRootCert string

    // GrpcServer is an already configured (shared) grpc server. If set, the agent will just register on the server.
    GrpcServer *grpc.Server

    // Recycle job running interval (to clean up staled sds client connections).
    RecycleInterval time.Duration

    // Debug server port from which node_agent serves SDS configuration dumps
    DebugPort int

    // EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
    EnableWorkloadSDS bool

    // EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
    EnableIngressGatewaySDS bool

    // AlwaysValidTokenFlag is set to true if the token used is always valid (e.g. a normal k8s JWT).
    AlwaysValidTokenFlag bool

    // UseLocalJWT is set when the sds server should use its own local JWT, and not expect one
    // from the UDS caller. Used when it runs in the same container with Envoy.
    UseLocalJWT bool

    // Whether to generate PKCS#8 private keys.
    Pkcs8Keys bool

    // JWTPath is the path for the JWT token
    JWTPath string

    // OutputKeyCertToDir is the directory to which the key and certificate are written.
    OutputKeyCertToDir string

    // Existing certs, for VM or existing certificates
    CertsDir string

    // TLSEnabled indicates whether ControlPlaneAuthPolicy is MUTUAL_TLS.
    TLSEnabled bool

    // ClusterID is the cluster ID.
    ClusterID string

    // The type of elliptic-curve signature algorithm to use
    // when generating private keys. Currently only ECDSA is supported.
    ECCSigAlg string

    // FileMountedCerts indicates that certs are file mounted.
    FileMountedCerts bool
}

Options provides all of the configuration parameters for secret discovery service.

type Server

type Server struct {
    // contains filtered or unexported fields
}

Server is the gRPC server that exposes SDS through UDS.

func NewServer

func NewServer(options Options, workloadSecretCache, gatewaySecretCache cache.SecretManager) (*Server, error)

NewServer creates and starts the gRPC server for SDS.

func (*Server) Stop

func (s *Server) Stop()

Stop closes the gRPC server and debug server.

Package sds imports 34 packages and is imported by 5 packages. Updated 2020-07-07.