istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/bootstrap/options.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package bootstrap
    16  
    17  import (
    18  	"crypto/tls"
    19  	"fmt"
    20  	"time"
    21  
    22  	"istio.io/istio/pilot/pkg/features"
    23  	kubecontroller "istio.io/istio/pilot/pkg/serviceregistry/kube/controller"
    24  	"istio.io/istio/pkg/config/constants"
    25  	"istio.io/istio/pkg/ctrlz"
    26  	"istio.io/istio/pkg/env"
    27  	"istio.io/istio/pkg/keepalive"
    28  )
    29  
    30  // RegistryOptions provide configuration options for the configuration controller. If FileDir is set, that directory will
    31  // be monitored for CRD yaml files and will update the controller as those files change (This is used for testing
    32  // purposes). Otherwise, a CRD client is created based on the configuration.
type RegistryOptions struct {
	// FileDir, when non-empty, names a directory of config files to monitor
	// instead of talking to Kubernetes; the Kubernetes options below are then ignored.
	FileDir string

	// Registries lists the service registries to enable (presumably by
	// registry type name; the flag that populates it lives outside this file).
	Registries []string

	// KubeOptions holds the options handed to the Kubernetes service registry controller.
	KubeOptions kubecontroller.Options
	// ClusterRegistriesNamespace specifies where the multi-cluster secret resides.
	// applyDefaults sets it to the pod namespace.
	ClusterRegistriesNamespace string
	KubeConfig                 string // kubeconfig used to reach the cluster (presumably a file path; confirm against the flag definition)

	// DistributionCacheRetention is the retention period for distribution
	// tracking data; applyDefaults takes it from features.DistributionHistoryRetention.
	DistributionCacheRetention time.Duration

	// DistributionTrackingEnabled switches distribution tracking on or off;
	// applyDefaults takes it from features.EnableDistributionTracking.
	DistributionTrackingEnabled bool
}
    51  
    52  // PilotArgs provides all of the configuration parameters for the Pilot discovery service.
type PilotArgs struct {
	// ServerOptions configures the listening addresses and TLS of the discovery server.
	ServerOptions DiscoveryServerOptions
	// InjectionOptions configures sidecar injection.
	InjectionOptions InjectionOptions
	// PodName is the name of the istiod pod; applyDefaults reads it from POD_NAME.
	PodName string
	// Namespace is the namespace istiod runs in; applyDefaults reads it from POD_NAMESPACE.
	Namespace string
	// CniNamespace is the namespace used for CNI; applyDefaults sets it to the pod namespace.
	CniNamespace string
	// Revision is the control plane revision ("istio.io/rev" label value); applyDefaults reads it from REVISION.
	Revision string
	// MeshConfigFile names the mesh config file (presumably a path; the reader is outside this file).
	MeshConfigFile string
	// NetworksConfigFile names the mesh networks config file (presumably a path; the reader is outside this file).
	NetworksConfigFile string
	// RegistryOptions configures the service and config registries.
	RegistryOptions RegistryOptions
	// CtrlZOptions configures the ctrlz introspection facility; nil is left as-is by applyDefaults.
	CtrlZOptions *ctrlz.Options
	// KeepaliveOptions configures gRPC keepalive; applyDefaults sets keepalive.DefaultOption().
	KeepaliveOptions *keepalive.Options
	// ShutdownDuration bounds the graceful shutdown time (consumer outside this file).
	ShutdownDuration time.Duration
	// JwtRule is the JWT rule used by istiod authentication; applyDefaults reads it from JWT_RULE.
	JwtRule string
}
    68  
    69  // DiscoveryServerOptions contains options for create a new discovery server instance.
type DiscoveryServerOptions struct {
	// The listening address for HTTP (debug). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	HTTPAddr string

	// The listening address for HTTPS (webhooks). If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	// If the address is empty, the secure port is disabled, and the
	// webhooks are registered on the HTTP port - a gateway in front will
	// terminate TLS instead.
	HTTPSAddr string

	// The listening address for gRPC. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	GRPCAddr string

	// The listening address for the monitoring port. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	MonitoringAddr string

	// EnableProfiling turns on profiling endpoints (presumably served from the
	// HTTP debug address; the wiring is outside this file). Profiling output
	// exposes internal state, so it is normally left off outside debugging.
	EnableProfiling bool

	// Optional TLS configuration for the secure listeners; see TLSOptions.
	TLSOptions TLSOptions

	// The listening address for secured gRPC. If the port in the address is empty or "0" (as in "127.0.0.1:" or "[::1]:0")
	// a port number is automatically chosen.
	SecureGRPCAddr string
}
    99  
// InjectionOptions configures where sidecar injection reads its configuration from.
type InjectionOptions struct {
	// Directory of injection related config files.
	InjectionDirectory string
}
   104  
   105  // TLSOptions is optional TLS parameters for Istiod server.
// TLSOptions holds the optional TLS parameters for the Istiod server.
type TLSOptions struct {
	// CaCertFile names the CA certificate file (presumably a path; its
	// consumer is outside this file).
	CaCertFile string
	// CertFile names the server certificate file (presumably a path).
	CertFile string
	// KeyFile names the private key file matching CertFile (presumably a path).
	KeyFile string
	// TLSCipherSuites lists cipher suite names as supplied by the operator.
	// PilotArgs.Complete resolves them into CipherSuits via TLSCipherSuites,
	// which matches against every suite crypto/tls knows, including the ones
	// crypto/tls itself classifies as insecure; nothing in this file rejects those,
	// so the operator-supplied list is trusted as given.
	TLSCipherSuites []string
	// CipherSuits holds the cipher suite IDs parsed from TLSCipherSuites.
	// The misspelling is kept because the field is exported.
	CipherSuits []uint16
}
   113  
var (
	// PodNamespace is read once at package initialization from POD_NAMESPACE
	// and defaults to constants.IstioSystemNamespace.
	PodNamespace = env.Register("POD_NAMESPACE", constants.IstioSystemNamespace, "").Get()
	// PodName is read once at package initialization from POD_NAME; it
	// defaults to the empty string.
	PodName = env.Register("POD_NAME", "", "").Get()
	// JwtRule is read once at package initialization from JWT_RULE; it
	// defaults to the empty string.
	JwtRule = env.Register("JWT_RULE", "",
		"The JWT rule used by istiod authentication").Get()
)
   120  
// Revision is the value of the Istio control plane revision, e.g. "canary",
// and is the value used by the "istio.io/rev" label. It is read once at
// package initialization from REVISION and defaults to the empty string.
var Revision = env.Register("REVISION", "", "").Get()
   124  
   125  // NewPilotArgs constructs pilotArgs with default values.
// NewPilotArgs returns a PilotArgs populated by applyDefaults and then
// adjusted, in order, by each of initFuncs; a later function sees the
// changes made by earlier ones.
func NewPilotArgs(initFuncs ...func(*PilotArgs)) *PilotArgs {
	args := new(PilotArgs)
	args.applyDefaults()

	for _, customize := range initFuncs {
		customize(args)
	}
	return args
}
   139  
   140  // Apply default value to PilotArgs
// applyDefaults fills p from the package-level environment values
// (PodNamespace, PodName, Revision, JwtRule), the distribution-tracking
// feature flags, and keepalive.DefaultOption(). The pod namespace is also
// used as the CNI namespace and as the multi-cluster secret namespace.
func (p *PilotArgs) applyDefaults() {
	ns := PodNamespace
	p.Namespace, p.CniNamespace = ns, ns
	p.PodName, p.Revision, p.JwtRule = PodName, Revision, JwtRule
	p.KeepaliveOptions = keepalive.DefaultOption()

	reg := &p.RegistryOptions
	reg.DistributionTrackingEnabled = features.EnableDistributionTracking
	reg.DistributionCacheRetention = features.DistributionHistoryRetention
	reg.ClusterRegistriesNamespace = ns
}
   152  
// Complete resolves ServerOptions.TLSOptions.TLSCipherSuites into cipher
// suite IDs and stores them in ServerOptions.TLSOptions.CipherSuits. An
// unknown suite name is returned as an error and leaves CipherSuits unchanged.
func (p *PilotArgs) Complete() error {
	tlsOpts := &p.ServerOptions.TLSOptions
	ids, err := TLSCipherSuites(tlsOpts.TLSCipherSuites)
	if err == nil {
		tlsOpts.CipherSuits = ids
	}
	return err
}
   161  
// allCiphers maps every cipher suite name known to crypto/tls to its ID.
// Both the suites crypto/tls recommends and the ones it classifies as
// insecure are included; callers that want to reject the insecure ones
// must do so themselves. Insecure suites are inserted first, so a name
// present in both lists would resolve to the secure entry.
func allCiphers() map[string]uint16 {
	secure, insecure := tls.CipherSuites(), tls.InsecureCipherSuites()
	byName := make(map[string]uint16, len(secure)+len(insecure))
	for _, group := range [][]*tls.CipherSuite{insecure, secure} {
		for _, suite := range group {
			byName[suite.Name] = suite.ID
		}
	}
	return byName
}
   172  
   173  // TLSCipherSuites returns a list of cipher suite IDs from the cipher suite names passed.
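// TLSCipherSuites returns the crypto/tls IDs of the named cipher suites, in
// input order.
//
// Names are matched exactly against every suite crypto/tls knows, including
// the ones crypto/tls classifies as insecure, so an operator-supplied list is
// honoured as given and duplicates are kept. An empty or nil cipherNames
// yields (nil, nil). The first unknown name aborts resolution with an error
// naming that suite.
func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
	if len(cipherNames) == 0 {
		return nil, nil
	}
	known := allCiphers()
	// Sized up front: the output has exactly one ID per input name.
	ids := make([]uint16, 0, len(cipherNames))
	for _, name := range cipherNames {
		id, ok := known[name]
		if !ok {
			return nil, fmt.Errorf("cipher suite %s not supported or doesn't exist", name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}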