istio: istio.io/istio/security/pkg/nodeagent/sds

package sds

import "istio.io/istio/security/pkg/nodeagent/sds"

Package sds implements secret discovery service in NodeAgent.

Index

Package Files

monitoring.go sdsservice.go server.go

Constants

const (
    // SecretType is used for secret discovery service to construct response.
    SecretType = "type.googleapis.com/envoy.api.v2.auth.Secret"

    // JWTPath is the path to the JWT token used for authentication.
    // Note the use of "./", meaning on tests and VMs it is possible to use without root access.
    // Pilot-agent runs with PWD=/
    JWTPath = "./var/run/secrets/tokens/istio-token"
)

func NewPlugins

func NewPlugins(in []string) []plugin.Plugin

NewPlugins returns a slice of default Plugins.

func NotifyProxy

func NotifyProxy(connKey cache.ConnKey, secret *model.SecretItem) error

NotifyProxy sends a notification to the proxy about a secret update; SDS closes the streaming connection if secret is nil.

type ClientDebug

type ClientDebug struct {
    ConnectionID string `json:"connection_id"`
    ProxyID      string `json:"proxy"`
    ResourceName string `json:"resource_name"`

    // fields from secret item
    CertificateChain string `json:"certificate_chain"`
    RootCert         string `json:"root_cert"`
    CreatedTime      string `json:"created_time"`
    ExpireTime       string `json:"expire_time"`
}

ClientDebug represents a single SDS connection to the node agent.

type Debug

type Debug struct {
    Clients []ClientDebug `json:"clients"`
}

Debug represents all clients connected to this node agent endpoint and the secrets supplied to them.

type Options

type Options struct {
    // PluginNames lists the names of the plugins for a given authentication provider.
    PluginNames []string

    // WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
    WorkloadUDSPath string

    // IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
    // ingress gateway proxies.
    IngressGatewayUDSPath string

    // CertFile is the path of Cert File for gRPC server TLS settings.
    CertFile string

    // KeyFile is the path of Key File for gRPC server TLS settings.
    KeyFile string

    // CAEndpoint is the CA endpoint to which node agent sends CSR request.
    CAEndpoint string

    // The CA provider name.
    CAProviderName string

    // TrustDomain corresponds to the trust root of a system.
    // https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    TrustDomain string

    // The Vault CA address.
    VaultAddress string

    // The Vault auth path.
    VaultAuthPath string

    // The Vault role.
    VaultRole string

    // The Vault sign CSR path.
    VaultSignCsrPath string

    // The Vault TLS root certificate.
    VaultTLSRootCert string

    // GrpcServer is an already configured (shared) grpc server. If set, the agent will just register on the server.
    GrpcServer *grpc.Server

    // RecycleInterval is the interval at which the recycle job runs (to clean up stale SDS client connections).
    RecycleInterval time.Duration

    // Debug server port from which node_agent serves SDS configuration dumps
    DebugPort int

    // EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
    EnableWorkloadSDS bool

    // EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
    EnableIngressGatewaySDS bool

    // AlwaysValidTokenFlag is set to true if the token used is always valid (e.g. a normal k8s JWT).
    AlwaysValidTokenFlag bool

    // UseLocalJWT is set when the sds server should use its own local JWT, and not expect one
    // from the UDS caller. Used when it runs in the same container with Envoy.
    UseLocalJWT bool
}

Options provides all of the configuration parameters for secret discovery service.

type Server

type Server struct {
    // contains filtered or unexported fields
}

Server is the gRPC server that exposes SDS through UDS.

func NewServer

func NewServer(options Options, workloadSecretCache, gatewaySecretCache cache.SecretManager) (*Server, error)

NewServer creates and starts the gRPC server for SDS.

func (*Server) Stop

func (s *Server) Stop()

Stop closes the gRPC server and debug server.

Package sds imports 29 packages and is imported by 4 packages. Updated 2019-12-06.