// Listing: github.com/cilium/cilium@v1.16.2/pkg/hubble/relay/server/option.go

// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package server

import (
	"crypto/tls"

	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
	"github.com/sirupsen/logrus"
	"google.golang.org/grpc"

	"github.com/cilium/cilium/pkg/crypto/certloader"
	"github.com/cilium/cilium/pkg/hubble/relay/defaults"
	"github.com/cilium/cilium/pkg/hubble/relay/observer"
	"github.com/cilium/cilium/pkg/logging"
	"github.com/cilium/cilium/pkg/logging/logfields"
	"github.com/cilium/cilium/pkg/time"
)

// MinTLSVersion is the lowest TLS protocol version a client must support to
// establish a connection to the hubble-relay server (TLS 1.3).
//
// NOTE(review): this file only declares the constant; where it is applied to
// the server's tls.Config is not shown here and should be confirmed in the
// code that builds the listener.
const MinTLSVersion = tls.VersionTLS13

// options holds every configuration value of the hubble-relay server. It is
// only ever mutated through Option functions.
type options struct {
	// Connection to the hubble peer service.
	peerTarget   string
	dialTimeout  time.Duration
	retryTimeout time.Duration

	// Listen addresses. defaultOptions leaves metricsListenAddress empty.
	listenAddress        string
	healthListenAddress  string
	metricsListenAddress string

	log logrus.FieldLogger

	// Transport security. The TLS builders and the insecure flags are
	// independent fields; nothing in this file rejects a combination such as
	// a server TLS builder together with insecureServer. Presumably the
	// server constructor arbitrates between them (TODO confirm).
	serverTLSConfig certloader.ServerConfigBuilder
	insecureServer  bool
	clientTLSConfig certloader.ClientConfigBuilder
	clusterName     string
	insecureClient  bool

	// Options forwarded to the observer, and gRPC server instrumentation.
	observerOptions        []observer.Option
	grpcMetrics            *grpc_prometheus.ServerMetrics
	grpcUnaryInterceptors  []grpc.UnaryServerInterceptor
	grpcStreamInterceptors []grpc.StreamServerInterceptor
}

// defaultOptions is the reference point for default values. Fields that are
// not listed keep their zero value: no TLS builders, both insecure flags
// false, and an empty metrics listen address.
var defaultOptions = options{
	peerTarget:          defaults.PeerTarget,
	dialTimeout:         defaults.DialTimeout,
	retryTimeout:        defaults.RetryTimeout,
	listenAddress:       defaults.ListenAddress,
	healthListenAddress: defaults.HealthListenAddress,
	log:                 logging.DefaultLogger.WithField(logfields.LogSubsys, "hubble-relay"),
}

// DefaultOptions to include in the server. Other packages may extend this in
// their init() function.
//
// NOTE(review): this is exported, mutable package-level state, so any
// imported package can add options to it, including WithInsecureServer or
// WithInsecureClient. When auditing a build, check what appends to this
// slice.
var DefaultOptions []Option

// Option customizes the configuration of the hubble-relay server. Every
// Option defined in this file returns a nil error and performs no validation
// of the value it stores.
type Option func(*options) error

// WithPeerTarget sets the URL of the hubble peer service to connect to.
func WithPeerTarget(t string) Option {
	return func(opts *options) error {
		opts.peerTarget = t
		return nil
	}
}

// WithDialTimeout sets the dial timeout that is used when establishing a
// connection to a hubble peer.
func WithDialTimeout(t time.Duration) Option {
	return func(opts *options) error {
		opts.dialTimeout = t
		return nil
	}
}

// WithRetryTimeout sets the duration to wait before attempting to re-connect
// to a hubble peer when the connection is lost.
func WithRetryTimeout(t time.Duration) Option {
	return func(opts *options) error {
		opts.retryTimeout = t
		return nil
	}
}

// WithHealthListenAddress sets the listen address for the hubble-relay gRPC
// health server.
func WithHealthListenAddress(a string) Option {
	return func(opts *options) error {
		opts.healthListenAddress = a
		return nil
	}
}

// WithListenAddress sets the listen address for the hubble-relay server.
func WithListenAddress(a string) Option {
	return func(opts *options) error {
		opts.listenAddress = a
		return nil
	}
}

// WithMetricsListenAddress sets the metrics listen address of hubble-relay
// (the metricsListenAddress field). defaultOptions provides no value for it.
func WithMetricsListenAddress(a string) Option {
	return func(opts *options) error {
		opts.metricsListenAddress = a
		return nil
	}
}

// WithSortBufferMaxLen sets the maximum number of flows that can be buffered
// for sorting before being sent to the client. The provided value must be
// greater than 0 and is to be understood per client request. Therefore, it is
// advised to keep the value moderate (a value between 30 and 100 should
// constitute a good choice in most cases).
//
// The value is not checked here; it is wrapped in an observer option when the
// returned Option is applied, so any range check presumably happens in the
// observer package (TODO confirm).
func WithSortBufferMaxLen(i int) Option {
	return func(opts *options) error {
		maxLen := observer.WithSortBufferMaxLen(i)
		opts.observerOptions = append(opts.observerOptions, maxLen)
		return nil
	}
}

// WithSortBufferDrainTimeout sets the sort buffer drain timeout value. For
// flows requests where the total number of flows cannot be determined
// (typically for flows requests in follow mode), a flow is taken out of the
// buffer and sent to the client after duration d if the buffer is not full.
// This value must be greater than 0. Setting this value too low would render
// the flows sorting operation ineffective. A value between 500 milliseconds
// and 3 seconds should constitute a good choice in most cases.
//
// As with WithSortBufferMaxLen, the value is forwarded unchecked.
func WithSortBufferDrainTimeout(d time.Duration) Option {
	return func(opts *options) error {
		drain := observer.WithSortBufferDrainTimeout(d)
		opts.observerOptions = append(opts.observerOptions, drain)
		return nil
	}
}

// WithErrorAggregationWindow sets a time window during which errors with the
// same error message are coalesced. The aggregated error is forwarded to the
// downstream consumer either when the window expires or when a new, different
// error occurs (whichever happens first).
func WithErrorAggregationWindow(d time.Duration) Option {
	return func(opts *options) error {
		window := observer.WithErrorAggregationWindow(d)
		opts.observerOptions = append(opts.observerOptions, window)
		return nil
	}
}

// WithLogger sets the logger used by hubble-relay. The logger is stored as
// given; a nil logger is not rejected here.
func WithLogger(log logrus.FieldLogger) Option {
	return func(opts *options) error {
		opts.log = log
		return nil
	}
}

// WithServerTLS sets the transport credentials for the server based on TLS.
// The builder is stored as given; a nil builder is not rejected here.
func WithServerTLS(cfg certloader.ServerConfigBuilder) Option {
	return func(opts *options) error {
		opts.serverTLSConfig = cfg
		return nil
	}
}

// WithInsecureServer disables transport security. Transport security is
// required for the server unless WithInsecureServer is set (not recommended).
//
// Without transport security, clients talk to the relay over a connection
// that is neither encrypted nor authenticated at the transport layer, so the
// flow data it serves is readable on the network path. Treat any use of this
// option outside a test setup as a finding to review.
func WithInsecureServer() Option {
	return func(opts *options) error {
		opts.insecureServer = true
		return nil
	}
}

// WithClientTLS sets the transport credentials for connecting to peers based
// on the provided TLS configuration.
func WithClientTLS(cfg certloader.ClientConfigBuilder) Option {
	return func(opts *options) error {
		opts.clientTLSConfig = cfg
		return nil
	}
}

// WithInsecureClient disables transport security for connections to Hubble
// server instances. Transport security is required unless WithInsecureClient
// is set (not recommended).
//
// With this option the relay does not verify the identity of the Hubble
// instances it connects to, and the flows it receives travel unencrypted.
func WithInsecureClient() Option {
	return func(opts *options) error {
		opts.insecureClient = true
		return nil
	}
}

// WithLocalClusterName sets the cluster name for the peer service so that it
// knows how to construct the proper TLSServerName to validate mTLS in the
// K8s Peer service.
//
// NOTE(review): because the name feeds into the TLS server name, a value that
// does not match the peers' certificates would presumably make validation
// fail rather than weaken it; confirm in the peer service code.
func WithLocalClusterName(clusterName string) Option {
	return func(opts *options) error {
		opts.clusterName = clusterName
		return nil
	}
}

// WithGRPCMetrics configures the server with the specified prometheus gRPC
// ServerMetrics.
func WithGRPCMetrics(grpcMetrics *grpc_prometheus.ServerMetrics) Option {
	return func(opts *options) error {
		opts.grpcMetrics = grpcMetrics
		return nil
	}
}

// WithGRPCStreamInterceptor configures the server with the given gRPC server
// stream interceptors. Interceptors are appended, so repeated use of this
// option accumulates them in call order.
func WithGRPCStreamInterceptor(interceptors ...grpc.StreamServerInterceptor) Option {
	return func(opts *options) error {
		chain := append(opts.grpcStreamInterceptors, interceptors...)
		opts.grpcStreamInterceptors = chain
		return nil
	}
}

// WithGRPCUnaryInterceptor configures the server with the given gRPC server
// unary interceptors. Interceptors are appended, so repeated use of this
// option accumulates them in call order.
func WithGRPCUnaryInterceptor(interceptors ...grpc.UnaryServerInterceptor) Option {
	return func(opts *options) error {
		chain := append(opts.grpcUnaryInterceptors, interceptors...)
		opts.grpcUnaryInterceptors = chain
		return nil
	}
}