/**
 * Tencent is pleased to support the open source community by making Polaris available.
 *
 * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
 *
 * Licensed under the BSD 3-Clause License (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://opensource.org/licenses/BSD-3-Clause
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package resource

import (
	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
	tlstrans "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
	matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
	"github.com/golang/protobuf/ptypes/duration"
	"google.golang.org/protobuf/proto"
	"google.golang.org/protobuf/types/known/structpb"
)

// Names shared by the mTLS resources below. They are wire-visible: the SDS
// cluster name and secret names must match what the sidecar's SDS agent
// serves, and the transport socket name is Envoy's well-known TLS extension.
const (
	// sdsClusterName is the Envoy cluster that fronts the SDS server.
	sdsClusterName = "sds-grpc"
	// sdsCertSecretName is the SDS secret holding the workload certificate.
	sdsCertSecretName = "default"
	// sdsRootCASecretName is the SDS secret holding the trust bundle used to
	// validate peer certificates.
	sdsRootCASecretName = "ROOTCA"
	// tlsTransportSocketName is the well-known name of Envoy's TLS transport socket.
	tlsTransportSocketName = "envoy.transport_sockets.tls"
)

// DefaultSdsConfig tells Envoy how to reach the SDS server: a v3 gRPC
// ApiConfigSource pointing at the "sds-grpc" cluster.
//
// Note: the pointer is exported and shared by every SdsSecretConfig built in
// this file; mutating it at runtime changes all of them.
var DefaultSdsConfig = newDefaultSdsConfig()

// newDefaultSdsConfig builds the SDS ConfigSource used throughout this file.
func newDefaultSdsConfig() *core.ConfigSource {
	sdsService := &core.GrpcService{
		TargetSpecifier: &core.GrpcService_EnvoyGrpc_{
			EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: sdsClusterName},
		},
	}
	return &core.ConfigSource{
		ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{
			ApiConfigSource: &core.ApiConfigSource{
				ApiType:             core.ApiConfigSource_GRPC,
				TransportApiVersion: core.ApiVersion_V3,
				GrpcServices:        []*core.GrpcService{sdsService},
				// Node identity is sent only on the first message of the stream.
				SetNodeOnFirstMessageOnly: true,
			},
		},
		// A zero duration is deliberately not "15s": per Envoy's ConfigSource
		// docs a zero initial_fetch_timeout disables the timeout, so the proxy
		// waits for its certificate instead of starting without it — confirm
		// this is the intended trade-off against a hung SDS agent.
		InitialFetchTimeout: &duration.Duration{},
		ResourceApiVersion:  core.ApiVersion_V3,
	}
}

// sdsSecret returns an SdsSecretConfig that fetches the secret called name
// through DefaultSdsConfig (the pointer is shared, not copied).
func sdsSecret(name string) *tlstrans.SdsSecretConfig {
	return &tlstrans.SdsSecretConfig{
		Name:      name,
		SdsConfig: DefaultSdsConfig,
	}
}

// combinedValidation wraps validation in a CombinedValidationContext whose
// trusted CA bundle is the "ROOTCA" SDS secret. Any constraints beyond
// "chains to ROOTCA" (SAN matching, etc.) must be carried by validation.
func combinedValidation(
	validation *tlstrans.CertificateValidationContext,
) *tlstrans.CommonTlsContext_CombinedValidationContext {
	return &tlstrans.CommonTlsContext_CombinedValidationContext{
		CombinedValidationContext: &tlstrans.CommonTlsContext_CombinedCertificateValidationContext{
			DefaultValidationContext:         validation,
			ValidationContextSdsSecretConfig: sdsSecret(sdsRootCASecretName),
		},
	}
}

// MTLSTransportSocketMatch is the single-field metadata struct
// {"acceptMTLS": "true"}. Presumably it is compared against endpoint metadata
// by a cluster's transport_socket_matches so that only mTLS-capable peers get
// the TLS transport socket — verify against the caller.
var MTLSTransportSocketMatch = &structpb.Struct{
	Fields: map[string]*structpb.Value{
		"acceptMTLS": {Kind: &structpb.Value_StringValue{StringValue: "true"}},
	},
}

// OutboundCommonTLSContext is the client-side TLS context: it presents the
// "default" SDS certificate and validates the server against "ROOTCA".
//
// The DefaultValidationContext is empty, so no SAN (identity) check is applied
// on outbound connections: any certificate chaining to ROOTCA is accepted.
// No TlsParams are set either, so protocol versions and cipher suites fall
// back to Envoy's client defaults.
var OutboundCommonTLSContext = &tlstrans.CommonTlsContext{
	TlsCertificateSdsSecretConfigs: []*tlstrans.SdsSecretConfig{
		sdsSecret(sdsCertSecretName),
	},
	ValidationContextType: combinedValidation(&tlstrans.CertificateValidationContext{}),
}

// inboundTLSParams pins the server-side protocol floor and cipher list.
//
// The first four suites are ECDHE (forward-secret). The last two,
// AES256-GCM-SHA384 and AES128-GCM-SHA256, are RSA key exchange: they provide
// no forward secrecy, so a later compromise of the server key exposes past
// sessions recorded on the wire. They are presumably kept for peers that
// cannot do ECDHE; confirm that such peers exist before relying on this list.
var inboundTLSParams = &tlstrans.TlsParameters{
	TlsMinimumProtocolVersion: tlstrans.TlsParameters_TLSv1_2,
	CipherSuites: []string{
		"ECDHE-ECDSA-AES256-GCM-SHA384",
		"ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-AES128-GCM-SHA256",
		"ECDHE-RSA-AES128-GCM-SHA256",
		"AES256-GCM-SHA384",
		"AES128-GCM-SHA256",
	},
}

// inboundSANValidation restricts accepted client certificates to those whose
// SAN starts with "spiffe://cluster.local/". A prefix match admits any
// workload in that trust domain; per-service authorization has to happen
// elsewhere (e.g. RBAC filters) if it is wanted.
//
// NOTE(review): match_subject_alt_names is marked deprecated upstream in
// favour of match_typed_subject_alt_names — check the vendored
// go-control-plane / target Envoy version before upgrading.
var inboundSANValidation = &tlstrans.CertificateValidationContext{
	MatchSubjectAltNames: []*matcherv3.StringMatcher{
		{
			MatchPattern: &matcherv3.StringMatcher_Prefix{
				Prefix: "spiffe://cluster.local/",
			},
		},
	},
}

// InboundCommonTLSContext is the server-side TLS context: TLS >= 1.2 with the
// explicit cipher list above, the "default" SDS certificate as the server
// identity, and client certificates validated against "ROOTCA" plus the
// SPIFFE SAN prefix.
var InboundCommonTLSContext = &tlstrans.CommonTlsContext{
	TlsParams: inboundTLSParams,
	TlsCertificateSdsSecretConfigs: []*tlstrans.SdsSecretConfig{
		sdsSecret(sdsCertSecretName),
	},
	ValidationContextType: combinedValidation(inboundSANValidation),
}

// MakeTLSTransportSocket wraps ctx (an Upstream/DownstreamTlsContext or any
// other proto the TLS transport socket accepts) into a TransportSocket named
// "envoy.transport_sockets.tls".
//
// MustNewAny is defined elsewhere in this package; by the Must convention it
// presumably panics when ctx cannot be packed into an Any — confirm before
// calling with untrusted input.
func MakeTLSTransportSocket(ctx proto.Message) *core.TransportSocket {
	socket := &core.TransportSocket{Name: tlsTransportSocketName}
	socket.ConfigType = &core.TransportSocket_TypedConfig{
		TypedConfig: MustNewAny(ctx),
	}
	return socket
}