// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"path/filepath"
	"time"

	"istio.io/istio/pilot/cmd/pilot-agent/status"
	"istio.io/istio/pkg/config/constants"
	"istio.io/istio/pkg/env"
	"istio.io/istio/pkg/jwt"
	"istio.io/istio/pkg/security"
	"istio.io/istio/pkg/wasm"
)

// Workload identity: values describing the pod / VM the agent runs in.
// Entries without a trailing Get() are kept as env.Var handles so callers
// can read them lazily; the others are resolved once at package init.
var (
	// InstanceIPVar is the IP of this workload instance (INSTANCE_IP).
	InstanceIPVar = env.Register("INSTANCE_IP", "", "")
	// PodNameVar is the pod name (POD_NAME).
	PodNameVar = env.Register("POD_NAME", "", "")
	// PodNamespaceVar is the pod namespace (POD_NAMESPACE).
	PodNamespaceVar = env.Register("POD_NAMESPACE", "", "")

	// Name of the kube app prober; the env var name is owned by the status package.
	kubeAppProberNameVar = env.Register(status.KubeAppProberEnvName, "", "")

	serviceAccountVar = env.Register("SERVICE_ACCOUNT", "", "Name of service account")
	clusterIDVar      = env.Register("ISTIO_META_CLUSTER_ID", "", "")

	// ProxyConfigEnv is the serialized proxy configuration handed to the agent.
	ProxyConfigEnv = env.Register(
		"PROXY_CONFIG",
		"",
		"The proxy configuration. This will be set by the injection - gateways will use file mounts.",
	).Get()

	// Whether the agent may refresh proxyConfig dynamically over XDS.
	enableProxyConfigXdsEnv = env.Register("PROXY_CONFIG_XDS_AGENT", false,
		"If set to true, agent retrieves dynamic proxy-config updates via xds channel").Get()
)

// XDS connection: how the agent authenticates to and validates Istiod.
var (
	// Provider for XDS auth, e.g., gcp. Empty means no auth provider.
	xdsAuthProvider = env.Register("XDS_AUTH_PROVIDER", "", "Provider for XDS auth")

	// Default is the third-party (projected) token policy from the jwt package.
	jwtPolicy = env.Register("JWT_POLICY", jwt.PolicyThirdParty,
		"The JWT validation policy.")

	// Root CA expected on the XDS connection; set to "SYSTEM" for
	// ACME/public signed XDS servers.
	xdsRootCA = env.Register("XDS_ROOT_CA", "",
		"Explicitly set the root CA to expect for the XDS connection.").Get()

	// Overrides the server name checked against the Istiod certificate.
	istiodSAN = env.Register("ISTIOD_SAN", "",
		"Override the ServerName used to validate Istiod certificate. "+
			"Can be used as an alternative to setting /etc/hosts for VMs - discovery address will be an IP:port")

	// Defined by https://github.com/grpc/proposal/blob/c5722a35e71f83f07535c6c7c890cf0c58ec90c0/A27-xds-global-load-balancing.md#xdsclient-and-bootstrap-file
	grpcBootstrapEnv = env.Register("GRPC_XDS_BOOTSTRAP", filepath.Join(constants.ConfigPathDir, "grpc-bootstrap.json"),
		"Path where gRPC expects to read a bootstrap file. Agent will generate one if set.").Get()

	// Exposes pilot's XDS debug API through the agent's tap port when enabled.
	proxyXDSDebugViaAgent = env.Register("PROXY_XDS_DEBUG_VIA_AGENT", true,
		"If set to true, the agent will listen on tap port and offer pilot's XDS istio.io/debug debug API there.").Get()
	proxyXDSDebugViaAgentPort = env.Register("PROXY_XDS_DEBUG_VIA_AGENT_PORT", 15004,
		"Agent debugging port.").Get()
)

// Certificate provisioning: CA endpoint, trust settings and key generation.
var (
	// provCert controls the use of pre-provisioned certs, for VMs.
	// May also be used in K8S to use a Secret to bootstrap (as a 'refresh key'),
	// but use short-lived tokens with extra SAN (labels, etc) in data path.
	provCert = env.Register("PROV_CERT", "",
		"Set to a directory containing provisioned certs, for VMs").Get()

	// Root CA expected on the CA connection; set to "SYSTEM" for
	// ACME/public signed CA servers.
	caRootCA = env.Register("CA_ROOT_CA", "",
		"Explicitly set the root CA to expect for the CA connection.").Get()

	// Where the key and certificate are written; empty disables saving.
	outputKeyCertToDir = env.Register("OUTPUT_CERTS", "",
		"The output directory for the key and certificate. If empty, key and certificate will not be saved. "+
			"Must be set for VMs using provisioning certificates.").Get()

	caProviderEnv = env.Register("CA_PROVIDER", "Citadel", "name of authentication provider").Get()
	caEndpointEnv = env.Register("CA_ADDR", "", "Address of the spiffe certificate provider. Defaults to discoveryAddress").Get()

	trustDomainEnv = env.Register("TRUST_DOMAIN", "cluster.local",
		"The trust domain for spiffe certificates").Get()

	// Requested workload cert lifetime; rotation starts at the grace-period
	// ratio below.
	secretTTLEnv = env.Register("SECRET_TTL", 24*time.Hour,
		"The cert lifetime requested by istio agent").Get()
	secretRotationGracePeriodRatioEnv = env.Register("SECRET_GRACE_PERIOD_RATIO", 0.5,
		"The grace period ratio for the cert rotation, by default 0.5.").Get()

	// Delay applied between a detected file change and the re-read.
	fileDebounceDuration = env.Register("FILE_DEBOUNCE_DURATION", 100*time.Millisecond,
		"The duration for which the file read operation is delayed once file update is detected").Get()

	// Private key generation parameters for workload certificates.
	workloadRSAKeySizeEnv = env.Register("WORKLOAD_RSA_KEY_SIZE", 2048,
		"Specify the RSA key size to use for workload certificates.").Get()
	pkcs8KeysEnv = env.Register("PKCS8_KEY", false,
		"Whether to generate PKCS#8 private keys").Get()
	eccSigAlgEnv = env.Register("ECC_SIGNATURE_ALGORITHM", "", "The type of ECC signature algorithm to use when generating private keys").Get()
	eccCurvEnv   = env.Register("ECC_CURVE", "P256", "The elliptic curve to use when ECC_SIGNATURE_ALGORITHM is set to ECDSA").Get()

	fileMountedCertsEnv = env.Register("FILE_MOUNTED_CERTS", false, "").Get()

	// Credential fetching for the CA/XDS handshake; default type comes from
	// the security package.
	credFetcherTypeEnv = env.Register("CREDENTIAL_FETCHER_TYPE", security.JWT,
		"The type of the credential fetcher. Currently supported types include GoogleComputeEngine").Get()
	credIdentityProvider = env.Register("CREDENTIAL_IDENTITY_PROVIDER", "GoogleComputeEngine",
		"The identity provider for credential. Currently default supported identity provider is GoogleComputeEngine").Get()

	// certSigner is the cert signer for workload cert.
	certSigner = env.Register("ISTIO_META_CERT_SIGNER", "",
		"The cert signer info for workload cert")

	// When true, a missing external workload SDS socket is treated as an error.
	useExternalWorkloadSDSEnv = env.Register("USE_EXTERNAL_WORKLOAD_SDS", false,
		"When set to true, the istio-agent will require an external SDS and will throw an error if the workload SDS socket is not found").Get()
)

// DNS proxy settings.
var (
	// DNSCaptureByAgent is a copy of the env var in the init code.
	DNSCaptureByAgent = env.Register("ISTIO_META_DNS_CAPTURE", false,
		"If set to true, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053")

	// DNSCaptureAddr is the address the DNS proxy listens on.
	DNSCaptureAddr = env.Register("DNS_PROXY_ADDR", "localhost:15053",
		"Custom address for the DNS proxy. If it ends with :53 and running as root allows running without iptable DNS capture")

	// DNSForwardParallel fans queries out to every upstream nameserver at once.
	DNSForwardParallel = env.Register("DNS_FORWARD_PARALLEL", false,
		"If set to true, agent will send parallel DNS queries to all upstream nameservers")
)

// Wasm module fetching; defaults come from the wasm package.
var (
	// Comma-separated registries the agent is allowed to pull from without
	// the normal transport guarantees — see description; keep empty in
	// production unless there is a specific need.
	wasmInsecureRegistries = env.Register("WASM_INSECURE_REGISTRIES", "",
		"allow agent pull wasm plugin from insecure registries or https server, for example: 'localhost:5000,docker-registry:5000'").Get()

	wasmModuleExpiry = env.Register("WASM_MODULE_EXPIRY", wasm.DefaultModuleExpiry,
		"cache expiration duration for a wasm module.").Get()
	wasmPurgeInterval = env.Register("WASM_PURGE_INTERVAL", wasm.DefaultPurgeInterval,
		"interval between checking the expiration of wasm modules").Get()
	wasmHTTPRequestTimeout = env.Register("WASM_HTTP_REQUEST_TIMEOUT", wasm.DefaultHTTPRequestTimeout,
		"timeout per a HTTP request for pulling a Wasm module via http/https").Get()
	wasmHTTPRequestMaxRetries = env.Register("WASM_HTTP_REQUEST_MAX_RETRIES", wasm.DefaultHTTPRequestMaxRetries,
		"maximum number of HTTP/HTTPS request retries for pulling a Wasm module via http/https").Get()
)

// Envoy lifecycle and ports.
var (
	enableWDSEnv = env.Register("PEER_METADATA_DISCOVERY", false,
		"If set to true, enable the peer metadata discovery extension in Envoy").Get()

	envoyStatusPortEnv = env.Register("ENVOY_STATUS_PORT", 15021,
		"Envoy health status port value").Get()
	envoyPrometheusPortEnv = env.Register("ENVOY_PROMETHEUS_PORT", 15090,
		"Envoy prometheus redirection port value").Get()

	disableEnvoyEnv = env.Register("DISABLE_ENVOY", false,
		"Disables all Envoy agent features.").Get()

	// Drain behaviour on shutdown.
	minimumDrainDurationEnv = env.Register("MINIMUM_DRAIN_DURATION",
		5*time.Second,
		"The minimum duration for which agent waits before it checks for active connections and terminates proxy "+
			"when number of active connections become zero").Get()
	exitOnZeroActiveConnectionsEnv = env.Register("EXIT_ON_ZERO_ACTIVE_CONNECTIONS",
		false,
		"When set to true, terminates proxy when number of active connections become zero during draining").Get()
)