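// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package model

import (
	"time"

	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
	tls "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
	"google.golang.org/protobuf/types/known/durationpb"
)

const (
	// SDSClusterName is the name of the Envoy cluster on which SDS gRPC streams are opened.
	SDSClusterName = "sds-grpc"

	// SDSDefaultResourceName is the default name in sdsconfig, used for fetching the
	// workload's own key/cert.
	SDSDefaultResourceName = "default"

	// SDSRootResourceName is the sdsconfig name for the root CA, used for fetching the
	// trust bundle that peer certificates are validated against.
	SDSRootResourceName = "ROOTCA"
)

// Preconfigured SDS configs to avoid excessive memory allocations.
//
// Both objects are built once at package init and handed out by pointer from
// ConstructSdsSecretConfig, so they are shared by every listener/cluster that
// references the same resource name. Callers must treat them as read-only:
// mutating one in place would silently change the SDS wiring of unrelated
// Envoy resources.
var (
	// defaultSDSConfig requests the workload key/cert (SDSDefaultResourceName).
	defaultSDSConfig = preconfiguredSDSSecretConfig(SDSDefaultResourceName)

	// rootSDSConfig requests the root CA / trust bundle (SDSRootResourceName).
	rootSDSConfig = preconfiguredSDSSecretConfig(SDSRootResourceName)
)

// preconfiguredSDSSecretConfig builds the shared SDS secret config for the
// given well-known resource name. The two preconfigured configs differ only in
// Name, so they are produced from one place to keep them identical.
//
// The config points Envoy at the SDSClusterName gRPC cluster (xDS v3, node
// identity sent on the first message only) and sets an explicit zero
// InitialFetchTimeout. Envoy documents 0 as "wait indefinitely for the first
// response", so a resource using this config does not finish warming until
// the key/cert or trust bundle has actually been delivered — i.e. it fails
// closed rather than coming up without credentials. Keep the field explicitly
// set: leaving it nil would fall back to Envoy's default first-fetch timeout
// instead of disabling it (reviewer reading of the Envoy API; confirm against
// the pinned go-control-plane version).
func preconfiguredSDSSecretConfig(name string) *tls.SdsSecretConfig {
	return &tls.SdsSecretConfig{
		Name: name,
		SdsConfig: &core.ConfigSource{
			ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{
				ApiConfigSource: &core.ApiConfigSource{
					ApiType:                   core.ApiConfigSource_GRPC,
					SetNodeOnFirstMessageOnly: true,
					TransportApiVersion:       core.ApiVersion_V3,
					GrpcServices: []*core.GrpcService{
						{
							TargetSpecifier: &core.GrpcService_EnvoyGrpc_{
								EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: SDSClusterName},
							},
						},
					},
				},
			},
			ResourceApiVersion: core.ApiVersion_V3,
			// Explicit zero, not nil: disables the first-fetch timeout (see above).
			InitialFetchTimeout: durationpb.New(time.Second * 0),
		},
	}
}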
// ConstructSdsSecretConfig constructs SDS Secret Configuration for workload proxy.
//
// name selects the SDS resource Envoy will request over the SDSClusterName
// cluster. An empty name yields nil, meaning "no SDS config". The two
// well-known names, SDSDefaultResourceName and SDSRootResourceName, return the
// package-level preconfigured objects; those are shared across all callers and
// must not be mutated. Any other name gets a freshly allocated config.
//
// NOTE(review): the freshly built config leaves InitialFetchTimeout unset,
// whereas the preconfigured ones pin it to zero (no timeout). Unset means
// Envoy's own default applies, so a custom-named secret that never arrives
// does not block warming the way the workload key/cert and root CA do. Confirm
// against the callers that pass custom names that this difference is intended.
func ConstructSdsSecretConfig(name string) *tls.SdsSecretConfig {
	switch name {
	case "":
		return nil
	case SDSDefaultResourceName:
		return defaultSDSConfig
	case SDSRootResourceName:
		return rootSDSConfig
	}

	// Custom resource: same gRPC wiring as the preconfigured configs, but a
	// new object per call so callers never alias the shared ones.
	grpcTarget := &core.GrpcService{
		TargetSpecifier: &core.GrpcService_EnvoyGrpc_{
			EnvoyGrpc: &core.GrpcService_EnvoyGrpc{ClusterName: SDSClusterName},
		},
	}
	apiSource := &core.ApiConfigSource{
		ApiType:                   core.ApiConfigSource_GRPC,
		SetNodeOnFirstMessageOnly: true,
		TransportApiVersion:       core.ApiVersion_V3,
		GrpcServices:              []*core.GrpcService{grpcTarget},
	}

	return &tls.SdsSecretConfig{
		Name: name,
		SdsConfig: &core.ConfigSource{
			ConfigSourceSpecifier: &core.ConfigSource_ApiConfigSource{ApiConfigSource: apiSource},
			ResourceApiVersion:    core.ApiVersion_V3,
		},
	}
}