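// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package config holds the settings that drive istio-clean-iptables: the
// values given on the command line plus the ones that are only available
// through environment variables.
package config

import (
	"encoding/json"
	"fmt"
	"os/user"

	"github.com/miekg/dns"

	"istio.io/istio/pkg/env"
	"istio.io/istio/pkg/log"
	netutil "istio.io/istio/pkg/util/net"
	types "istio.io/istio/tools/istio-iptables/pkg/config"
	"istio.io/istio/tools/istio-iptables/pkg/constants"
)

// DefaultConfig returns a Config whose owner-group include/exclude filters
// carry the defaults declared in the shared istio-iptables constants. Every
// other field is left at its zero value until flag parsing and
// FillConfigFromEnvironment populate it.
func DefaultConfig() *Config {
	return &Config{
		OwnerGroupsInclude: constants.OwnerGroupsInclude.DefaultValue,
		OwnerGroupsExclude: constants.OwnerGroupsExclude.DefaultValue,
	}
}

// Config is the set of command line options and environment-derived values
// used by the cleanup. The JSON tags use the environment-variable names, so
// String() renders the config in the same vocabulary the operator supplied
// it in.
//
// NOTE(review): ProxyUID/ProxyGID and the owner-group filters are presumably
// matched against the rules that istio-iptables installed; if they differ
// from the values used at install time the cleanup may not find those rules.
// Confirm against the cleanup code that consumes this struct.
//
// nolint: maligned
type Config struct {
	DryRun                  bool     `json:"DRY_RUN"`
	ProxyUID                string   `json:"PROXY_UID"`
	ProxyGID                string   `json:"PROXY_GID"`
	RedirectDNS             bool     `json:"REDIRECT_DNS"`
	DNSServersV4            []string `json:"DNS_SERVERS_V4"`
	DNSServersV6            []string `json:"DNS_SERVERS_V6"`
	CaptureAllDNS           bool     `json:"CAPTURE_ALL_DNS"`
	OwnerGroupsInclude      string   `json:"OUTBOUND_OWNER_GROUPS_INCLUDE"`
	OwnerGroupsExclude      string   `json:"OUTBOUND_OWNER_GROUPS_EXCLUDE"`
	InboundInterceptionMode string   `json:"INBOUND_INTERCEPTION_MODE"`
	InboundTProxyMark       string   `json:"INBOUND_TPROXY_MARK"`
}

// String renders the config as tab-indented JSON keyed by the env-var names
// in the struct tags. Marshalling a struct of plain bools, strings and
// string slices is not expected to fail; the error path is fatal rather
// than returning "" so that a broken build surfaces immediately instead of
// producing an empty log line.
func (c *Config) String() string {
	output, err := json.MarshalIndent(c, "", "\t")
	if err != nil {
		log.Fatalf("Unable to marshal config object: %v", err)
	}
	return string(output)
}

// Print writes a human-readable summary of every field to stdout, one
// env-var-style KEY=value per line. The original listing omitted DRY_RUN and
// the two inbound fields that FillConfigFromEnvironment populates; they are
// included so the printed config matches what the cleanup actually runs with.
func (c *Config) Print() {
	fmt.Println("Variables:")
	fmt.Println("----------")
	fmt.Printf("PROXY_UID=%s\n", c.ProxyUID)
	fmt.Printf("PROXY_GID=%s\n", c.ProxyGID)
	fmt.Printf("DNS_CAPTURE=%t\n", c.RedirectDNS)
	fmt.Printf("CAPTURE_ALL_DNS=%t\n", c.CaptureAllDNS)
	fmt.Printf("DNS_SERVERS=%s,%s\n", c.DNSServersV4, c.DNSServersV6)
	fmt.Printf("OUTBOUND_OWNER_GROUPS_INCLUDE=%s\n", c.OwnerGroupsInclude)
	fmt.Printf("OUTBOUND_OWNER_GROUPS_EXCLUDE=%s\n", c.OwnerGroupsExclude)
	fmt.Printf("INBOUND_INTERCEPTION_MODE=%s\n", c.InboundInterceptionMode)
	fmt.Printf("INBOUND_TPROXY_MARK=%s\n", c.InboundTProxyMark)
	fmt.Printf("DRY_RUN=%t\n", c.DryRun)
	fmt.Println("")
}

// Validate checks the owner-group include/exclude lists with the validator
// shared with istio-iptables, so the cleanup rejects the same malformed
// group specifications the installer does. No other field is validated here;
// in particular ProxyUID/ProxyGID are passed through as given.
func (c *Config) Validate() error {
	return types.ValidateOwnerGroups(c.OwnerGroupsInclude, c.OwnerGroupsExclude)
}

// envoyUserVar is the ENVOY_USER environment variable: the account name that
// is resolved to a UID when PROXY_UID is not supplied explicitly.
var envoyUserVar = env.Register(constants.EnvoyUser, "istio-proxy", "Envoy proxy username")

// FillConfigFromEnvironment completes the settings that are only available
// from the environment: the owner-group filters, the inbound interception
// mode and TPROXY mark, the proxy UID/GID, and, when DNS redirection is
// enabled without CAPTURE_ALL_DNS, the nameservers from /etc/resolv.conf.
//
// ProxyUID is derived from ENVOY_USER only when it was not set by the caller.
// A failed user lookup falls back to constants.DefaultProxyUID; that fallback
// is logged because a UID that differs from the one istio-iptables ran with
// is a likely reason for the cleanup to miss rules, and a silent fallback
// would make that very hard to diagnose.
//
// A missing or unreadable /etc/resolv.conf is fatal when it is needed, since
// continuing without the nameserver list would leave the DNS rules untouched.
func (c *Config) FillConfigFromEnvironment() {
	// Fill in env-var only options
	c.OwnerGroupsInclude = constants.OwnerGroupsInclude.Get()
	c.OwnerGroupsExclude = constants.OwnerGroupsExclude.Get()
	c.InboundInterceptionMode = constants.IstioInboundInterceptionMode.Get()
	c.InboundTProxyMark = constants.IstioInboundTproxyMark.Get()
	// TODO: Make this more configurable, maybe with an allowlist of users to be captured for output instead of a denylist.
	if c.ProxyUID == "" {
		envoyUser := envoyUserVar.Get()
		usr, err := user.Lookup(envoyUser)
		var userID string
		// Default to the UID of ENVOY_USER
		if err != nil {
			userID = constants.DefaultProxyUID
			log.Warnf("unable to look up user %q (%v); falling back to the default proxy UID %s", envoyUser, err, userID)
		} else {
			userID = usr.Uid
		}
		c.ProxyUID = userID
	}

	// For TPROXY as its uid and gid are same.
	// NOTE(review): this assumes the proxy's primary GID equals its UID; that
	// holds for the default istio-proxy account but is not verified here.
	if c.ProxyGID == "" {
		c.ProxyGID = c.ProxyUID
	}
	// Lookup DNS nameservers. We only do this if DNS is enabled in case of some obscure theoretical
	// case where reading /etc/resolv.conf could fail.
	// If capture all DNS option is enabled, we don't need to read from the dns resolve conf. All
	// traffic to port 53 will be captured.
	if c.RedirectDNS && !c.CaptureAllDNS {
		dnsConfig, err := dns.ClientConfigFromFile("/etc/resolv.conf")
		if err != nil {
			log.Fatalf("failed to load /etc/resolv.conf: %v", err)
		}
		c.DNSServersV4, c.DNSServersV6 = netutil.IPsSplitV4V6(dnsConfig.Servers)
	}
}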