1// Copyright Istio Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package options
16
17import (
18"path/filepath"
19"time"
20
21"istio.io/istio/pilot/cmd/pilot-agent/status"
22"istio.io/istio/pkg/config/constants"
23"istio.io/istio/pkg/env"
24"istio.io/istio/pkg/jwt"
25"istio.io/istio/pkg/security"
26"istio.io/istio/pkg/wasm"
27)
28
// Environment variables consumed by the pilot-agent. Entries that end in .Get()
// are resolved once, while this package initializes, so a later change to the
// process environment is not observed by them; entries without .Get() keep the
// registered handle and are read by their callers at the point of use.
var (
	// InstanceIPVar is the INSTANCE_IP variable, registered without a description.
	InstanceIPVar = env.Register("INSTANCE_IP", "", "")
	// PodNameVar is the POD_NAME variable, registered without a description.
	PodNameVar = env.Register("POD_NAME", "", "")
	// PodNamespaceVar is the POD_NAMESPACE variable, registered without a description.
	PodNamespaceVar = env.Register("POD_NAMESPACE", "", "")
	// kubeAppProberNameVar is keyed by the name exported from the status package
	// so the two packages cannot drift apart on the variable name.
	kubeAppProberNameVar = env.Register(status.KubeAppProberEnvName, "", "")
	// ProxyConfigEnv is the serialized proxy configuration, read once at init.
	ProxyConfigEnv = env.Register(
		"PROXY_CONFIG",
		"",
		"The proxy configuration. This will be set by the injection - gateways will use file mounts.",
	).Get()

	// serviceAccountVar is the SERVICE_ACCOUNT handle; no default is assumed here.
	serviceAccountVar = env.Register("SERVICE_ACCOUNT", "", "Name of service account")
	// clusterIDVar is the ISTIO_META_CLUSTER_ID handle, registered without a description.
	clusterIDVar = env.Register("ISTIO_META_CLUSTER_ID", "", "")
	// Provider for XDS auth, e.g., gcp. By default, it is empty, meaning no auth provider.
	xdsAuthProvider = env.Register("XDS_AUTH_PROVIDER", "", "Provider for XDS auth")

	// jwtPolicy defaults to jwt.PolicyThirdParty; see pkg/jwt for what each policy implies.
	jwtPolicy = env.Register("JWT_POLICY", jwt.PolicyThirdParty,
		"The JWT validation policy.")
	// ProvCert is the environment controlling the use of pre-provisioned certs, for VMs.
	// May also be used in K8S to use a Secret to bootstrap (as a 'refresh key'), but use short-lived tokens
	// with extra SAN (labels, etc) in data path.
	// Read once at init. The directory holds key material, so its ownership and
	// permissions matter; any checks on it live in the code that consumes this value.
	provCert = env.Register("PROV_CERT", "",
		"Set to a directory containing provisioned certs, for VMs").Get()

	// set to "SYSTEM" for ACME/public signed XDS servers.
	// Empty (the default) leaves the expected root unspecified here; what the
	// agent then trusts for the XDS connection is decided where this is consumed.
	xdsRootCA = env.Register("XDS_ROOT_CA", "",
		"Explicitly set the root CA to expect for the XDS connection.").Get()

	// set to "SYSTEM" for ACME/public signed CA servers.
	// Same fallback caveat as xdsRootCA, for the connection to the CA.
	caRootCA = env.Register("CA_ROOT_CA", "",
		"Explicitly set the root CA to expect for the CA connection.").Get()

	// outputKeyCertToDir: when set, the private key is written under this directory.
	// The file modes used for that write are chosen by the writer, not here.
	outputKeyCertToDir = env.Register("OUTPUT_CERTS", "",
		"The output directory for the key and certificate. If empty, key and certificate will not be saved. "+
			"Must be set for VMs using provisioning certificates.").Get()

	// caProviderEnv names the CA to request workload certificates from; "Citadel" by default.
	caProviderEnv = env.Register("CA_PROVIDER", "Citadel", "name of authentication provider").Get()
	// caEndpointEnv is the CA address; per its description it falls back to the discovery address when empty.
	caEndpointEnv = env.Register("CA_ADDR", "", "Address of the spiffe certificate provider. Defaults to discoveryAddress").Get()

	// trustDomainEnv is the SPIFFE trust domain; "cluster.local" unless overridden.
	trustDomainEnv = env.Register("TRUST_DOMAIN", "cluster.local",
		"The trust domain for spiffe certificates").Get()

	// secretTTLEnv is the certificate lifetime the agent asks the CA for (24h by default).
	secretTTLEnv = env.Register("SECRET_TTL", 24*time.Hour,
		"The cert lifetime requested by istio agent").Get()

	// fileDebounceDuration delays file reads after a change notification (100ms by default).
	fileDebounceDuration = env.Register("FILE_DEBOUNCE_DURATION", 100*time.Millisecond,
		"The duration for which the file read operation is delayed once file update is detected").Get()

	// secretRotationGracePeriodRatioEnv: with the default SECRET_TTL of 24h a ratio
	// of 0.5 presumably triggers rotation around the halfway point — confirm in
	// the rotation code that consumes it.
	secretRotationGracePeriodRatioEnv = env.Register("SECRET_GRACE_PERIOD_RATIO", 0.5,
		"The grace period ratio for the cert rotation, by default 0.5.").Get()
	// workloadRSAKeySizeEnv defaults to 2048 bits. A lower value weakens every
	// workload identity issued from this agent; any lower bound is enforced
	// elsewhere, if at all.
	workloadRSAKeySizeEnv = env.Register("WORKLOAD_RSA_KEY_SIZE", 2048,
		"Specify the RSA key size to use for workload certificates.").Get()
	// pkcs8KeysEnv selects the PKCS#8 encoding for generated private keys (off by default).
	pkcs8KeysEnv = env.Register("PKCS8_KEY", false,
		"Whether to generate PKCS#8 private keys").Get()
	// eccSigAlgEnv is empty by default; per the descriptions ECC_CURVE is only
	// consulted when this is set to ECDSA.
	eccSigAlgEnv = env.Register("ECC_SIGNATURE_ALGORITHM", "", "The type of ECC signature algorithm to use when generating private keys").Get()
	// eccCurvEnv defaults to P256.
	eccCurvEnv = env.Register("ECC_CURVE", "P256", "The elliptic curve to use when ECC_SIGNATURE_ALGORITHM is set to ECDSA").Get()
	// fileMountedCertsEnv is registered without a description; false by default.
	// NOTE(review): presumably switches the workload to certificates mounted from
	// files instead of CA-issued ones — confirm against the consumer and document it.
	fileMountedCertsEnv = env.Register("FILE_MOUNTED_CERTS", false, "").Get()
	// credFetcherTypeEnv defaults to security.JWT.
	credFetcherTypeEnv = env.Register("CREDENTIAL_FETCHER_TYPE", security.JWT,
		"The type of the credential fetcher. Currently supported types include GoogleComputeEngine").Get()
	// credIdentityProvider defaults to GoogleComputeEngine.
	credIdentityProvider = env.Register("CREDENTIAL_IDENTITY_PROVIDER", "GoogleComputeEngine",
		"The identity provider for credential. Currently default supported identity provider is GoogleComputeEngine").Get()
	// proxyXDSDebugViaAgent is on by default: the agent serves pilot's istio.io/debug
	// API on the tap port below. Whether that listener is reachable from outside the
	// pod is decided by the listener setup elsewhere, not by this flag.
	proxyXDSDebugViaAgent = env.Register("PROXY_XDS_DEBUG_VIA_AGENT", true,
		"If set to true, the agent will listen on tap port and offer pilot's XDS istio.io/debug debug API there.").Get()
	// proxyXDSDebugViaAgentPort is the debug listener port (15004 by default).
	proxyXDSDebugViaAgentPort = env.Register("PROXY_XDS_DEBUG_VIA_AGENT_PORT", 15004,
		"Agent debugging port.").Get()
	// DNSCaptureByAgent is a copy of the env var in the init code.
	DNSCaptureByAgent = env.Register("ISTIO_META_DNS_CAPTURE", false,
		"If set to true, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053")

	// DNSCaptureAddr is the address to listen.
	// Per the description, a :53 suffix while running as root replaces iptables capture;
	// that path requires root, so prefer the default when the agent is unprivileged.
	DNSCaptureAddr = env.Register("DNS_PROXY_ADDR", "localhost:15053",
		"Custom address for the DNS proxy. If it ends with :53 and running as root allows running without iptable DNS capture")

	// DNSForwardParallel, when true, makes the agent query all upstream nameservers in parallel.
	DNSForwardParallel = env.Register("DNS_FORWARD_PARALLEL", false,
		"If set to true, agent will send parallel DNS queries to all upstream nameservers")

	// Ability of istio-agent to retrieve proxyConfig via XDS for dynamic configuration updates
	enableProxyConfigXdsEnv = env.Register("PROXY_CONFIG_XDS_AGENT", false,
		"If set to true, agent retrieves dynamic proxy-config updates via xds channel").Get()

	// wasmInsecureRegistries lists hosts (comma separated, per the description) from
	// which Wasm modules may be pulled without transport security. Module integrity
	// for those hosts cannot rely on TLS, so keep this empty outside development.
	wasmInsecureRegistries = env.Register("WASM_INSECURE_REGISTRIES", "",
		"allow agent pull wasm plugin from insecure registries or https server, for example: 'localhost:5000,docker-registry:5000'").Get()

	// wasmModuleExpiry takes its default from pkg/wasm.
	wasmModuleExpiry = env.Register("WASM_MODULE_EXPIRY", wasm.DefaultModuleExpiry,
		"cache expiration duration for a wasm module.").Get()

	// wasmPurgeInterval takes its default from pkg/wasm.
	wasmPurgeInterval = env.Register("WASM_PURGE_INTERVAL", wasm.DefaultPurgeInterval,
		"interval between checking the expiration of wasm modules").Get()

	// wasmHTTPRequestTimeout bounds each module fetch; default from pkg/wasm.
	wasmHTTPRequestTimeout = env.Register("WASM_HTTP_REQUEST_TIMEOUT", wasm.DefaultHTTPRequestTimeout,
		"timeout per a HTTP request for pulling a Wasm module via http/https").Get()

	// wasmHTTPRequestMaxRetries bounds retries of a module fetch; default from pkg/wasm.
	wasmHTTPRequestMaxRetries = env.Register("WASM_HTTP_REQUEST_MAX_RETRIES", wasm.DefaultHTTPRequestMaxRetries,
		"maximum number of HTTP/HTTPS request retries for pulling a Wasm module via http/https").Get()

	// enableWDSEnv toggles the peer metadata discovery extension in Envoy (off by default).
	enableWDSEnv = env.Register("PEER_METADATA_DISCOVERY", false,
		"If set to true, enable the peer metadata discovery extension in Envoy").Get()

	// envoyStatusPortEnv is the Envoy health status port (15021 by default).
	envoyStatusPortEnv = env.Register("ENVOY_STATUS_PORT", 15021,
		"Envoy health status port value").Get()
	// envoyPrometheusPortEnv is the Envoy prometheus redirection port (15090 by default).
	envoyPrometheusPortEnv = env.Register("ENVOY_PROMETHEUS_PORT", 15090,
		"Envoy prometheus redirection port value").Get()

	// Defined by https://github.com/grpc/proposal/blob/c5722a35e71f83f07535c6c7c890cf0c58ec90c0/A27-xds-global-load-balancing.md#xdsclient-and-bootstrap-file
	// The default places grpc-bootstrap.json under constants.ConfigPathDir; the
	// agent writes the file there when the variable is set.
	grpcBootstrapEnv = env.Register("GRPC_XDS_BOOTSTRAP", filepath.Join(constants.ConfigPathDir, "grpc-bootstrap.json"),
		"Path where gRPC expects to read a bootstrap file. Agent will generate one if set.").Get()

	// disableEnvoyEnv turns off all Envoy-related agent features (off by default).
	disableEnvoyEnv = env.Register("DISABLE_ENVOY", false,
		"Disables all Envoy agent features.").Get()

	// certSigner is cert signer for workload cert
	certSigner = env.Register("ISTIO_META_CERT_SIGNER", "",
		"The cert signer info for workload cert")

	// istiodSAN replaces the ServerName checked against Istiod's certificate, so it
	// must be the name the real Istiod certificate carries; any other value makes
	// validation accept a certificate for a name the deployment did not intend.
	istiodSAN = env.Register("ISTIOD_SAN", "",
		"Override the ServerName used to validate Istiod certificate. "+
			"Can be used as an alternative to setting /etc/hosts for VMs - discovery address will be an IP:port")

	// minimumDrainDurationEnv is the wait before the agent starts checking active connections (5s by default).
	minimumDrainDurationEnv = env.Register("MINIMUM_DRAIN_DURATION",
		5*time.Second,
		"The minimum duration for which agent waits before it checks for active connections and terminates proxy "+
			"when number of active connections become zero").Get()

	// exitOnZeroActiveConnectionsEnv ends draining early once no connections remain (off by default).
	exitOnZeroActiveConnectionsEnv = env.Register("EXIT_ON_ZERO_ACTIVE_CONNECTIONS",
		false,
		"When set to true, terminates proxy when number of active connections become zero during draining").Get()

	// useExternalWorkloadSDSEnv requires an external SDS socket; the agent errors
	// instead of falling back when the socket is missing (off by default).
	useExternalWorkloadSDSEnv = env.Register("USE_EXTERNAL_WORKLOAD_SDS", false,
		"When set to true, the istio-agent will require an external SDS and will throw an error if the workload SDS socket is not found").Get()
)
159