// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package options

import (
	"path/filepath"
	"time"

	"istio.io/istio/pilot/cmd/pilot-agent/status"
	"istio.io/istio/pkg/config/constants"
	"istio.io/istio/pkg/env"
	"istio.io/istio/pkg/jwt"
	"istio.io/istio/pkg/security"
	"istio.io/istio/pkg/wasm"
)

// Environment-driven settings for the pilot-agent. Every entry goes through
// env.Register with its variable name, default and help text; entries that
// end in .Get() are resolved once at package initialization, the others keep
// the registered handle so callers can read them later.

// Workload identity, populated by the sidecar injector.
var (
	InstanceIPVar   = env.Register("INSTANCE_IP", "", "")
	PodNameVar      = env.Register("POD_NAME", "", "")
	PodNamespaceVar = env.Register("POD_NAMESPACE", "", "")

	kubeAppProberNameVar = env.Register(status.KubeAppProberEnvName, "", "")

	// Sidecars receive this from injection; gateways read the config from a file mount instead.
	ProxyConfigEnv = env.Register("PROXY_CONFIG", "",
		"The proxy configuration. This will be set by the injection - gateways will use file mounts.").Get()

	serviceAccountVar = env.Register("SERVICE_ACCOUNT", "", "Name of service account")
	clusterIDVar      = env.Register("ISTIO_META_CLUSTER_ID", "", "")
)

// Control-plane (XDS) and CA authentication.
var (
	// Empty (the default) means no auth provider; "gcp" is one example value.
	xdsAuthProvider = env.Register("XDS_AUTH_PROVIDER", "", "Provider for XDS auth")

	jwtPolicy = env.Register("JWT_POLICY", jwt.PolicyThirdParty, "The JWT validation policy.")

	// Directory of pre-provisioned certs, primarily for VMs. On K8S it can also
	// bootstrap from a Secret (acting as a "refresh key"), while the data path
	// still uses short-lived tokens carrying extra SANs (labels, etc).
	provCert = env.Register("PROV_CERT", "",
		"Set to a directory containing provisioned certs, for VMs").Get()

	// Set to "SYSTEM" for ACME/public signed XDS servers.
	xdsRootCA = env.Register("XDS_ROOT_CA", "",
		"Explicitly set the root CA to expect for the XDS connection.").Get()

	// Set to "SYSTEM" for ACME/public signed CA servers.
	caRootCA = env.Register("CA_ROOT_CA", "",
		"Explicitly set the root CA to expect for the CA connection.").Get()

	// Empty means the key and certificate are never written to disk.
	outputKeyCertToDir = env.Register("OUTPUT_CERTS", "",
		"The output directory for the key and certificate. If empty, key and certificate will not be saved. "+
			"Must be set for VMs using provisioning certificates.").Get()

	caProviderEnv = env.Register("CA_PROVIDER", "Citadel", "name of authentication provider").Get()
	caEndpointEnv = env.Register("CA_ADDR", "",
		"Address of the spiffe certificate provider. Defaults to discoveryAddress").Get()

	trustDomainEnv = env.Register("TRUST_DOMAIN", "cluster.local", "The trust domain for spiffe certificates").Get()
)

// Workload certificate lifetime, rotation and key generation.
var (
	secretTTLEnv = env.Register("SECRET_TTL", 24*time.Hour, "The cert lifetime requested by istio agent").Get()

	fileDebounceDuration = env.Register("FILE_DEBOUNCE_DURATION", 100*time.Millisecond,
		"The duration for which the file read operation is delayed once file update is detected").Get()

	// Fraction of the cert lifetime after which rotation starts (default 0.5).
	secretRotationGracePeriodRatioEnv = env.Register("SECRET_GRACE_PERIOD_RATIO", 0.5,
		"The grace period ratio for the cert rotation, by default 0.5.").Get()

	// RSA key size in bits; 2048 by default.
	workloadRSAKeySizeEnv = env.Register("WORKLOAD_RSA_KEY_SIZE", 2048,
		"Specify the RSA key size to use for workload certificates.").Get()
	pkcs8KeysEnv = env.Register("PKCS8_KEY", false, "Whether to generate PKCS#8 private keys").Get()

	// Empty means RSA; ECC_CURVE is consulted only when this selects ECDSA (per its help text).
	eccSigAlgEnv = env.Register("ECC_SIGNATURE_ALGORITHM", "",
		"The type of ECC signature algorithm to use when generating private keys").Get()
	eccCurvEnv = env.Register("ECC_CURVE", "P256",
		"The elliptic curve to use when ECC_SIGNATURE_ALGORITHM is set to ECDSA").Get()

	fileMountedCertsEnv = env.Register("FILE_MOUNTED_CERTS", false, "").Get()
)

// Credential fetching for the CA exchange.
var (
	credFetcherTypeEnv = env.Register("CREDENTIAL_FETCHER_TYPE", security.JWT,
		"The type of the credential fetcher. Currently supported types include GoogleComputeEngine").Get()
	credIdentityProvider = env.Register("CREDENTIAL_IDENTITY_PROVIDER", "GoogleComputeEngine",
		"The identity provider for credential. Currently default supported identity provider is GoogleComputeEngine").Get()
)

// Agent-side debug and DNS features.
var (
	// Enabled by default: the agent serves pilot's istio.io/debug API on the tap port.
	proxyXDSDebugViaAgent = env.Register("PROXY_XDS_DEBUG_VIA_AGENT", true,
		"If set to true, the agent will listen on tap port and offer pilot's XDS istio.io/debug debug API there.").Get()
	proxyXDSDebugViaAgentPort = env.Register("PROXY_XDS_DEBUG_VIA_AGENT_PORT", 15004, "Agent debugging port.").Get()

	// DNSCaptureByAgent mirrors the env var consulted by the init code.
	DNSCaptureByAgent = env.Register("ISTIO_META_DNS_CAPTURE", false,
		"If set to true, enable the capture of outgoing DNS packets on port 53, redirecting to istio-agent on :15053")

	// DNSCaptureAddr is the listen address of the DNS proxy.
	DNSCaptureAddr = env.Register("DNS_PROXY_ADDR", "localhost:15053",
		"Custom address for the DNS proxy. If it ends with :53 and running as root allows running without iptable DNS capture")

	DNSForwardParallel = env.Register("DNS_FORWARD_PARALLEL", false,
		"If set to true, agent will send parallel DNS queries to all upstream nameservers")

	// Lets the agent pick up proxyConfig changes over XDS instead of only at startup.
	enableProxyConfigXdsEnv = env.Register("PROXY_CONFIG_XDS_AGENT", false,
		"If set to true, agent retrieves dynamic proxy-config updates via xds channel").Get()
)

// Wasm module fetching and caching.
var (
	// Empty by default. Per the help text, hosts listed here may be pulled from
	// over insecure transport, so a non-empty value deserves review in production.
	wasmInsecureRegistries = env.Register("WASM_INSECURE_REGISTRIES", "",
		"allow agent pull wasm plugin from insecure registries or https server, for example: 'localhost:5000,docker-registry:5000'").Get()

	wasmModuleExpiry = env.Register("WASM_MODULE_EXPIRY", wasm.DefaultModuleExpiry,
		"cache expiration duration for a wasm module.").Get()
	wasmPurgeInterval = env.Register("WASM_PURGE_INTERVAL", wasm.DefaultPurgeInterval,
		"interval between checking the expiration of wasm modules").Get()
	wasmHTTPRequestTimeout = env.Register("WASM_HTTP_REQUEST_TIMEOUT", wasm.DefaultHTTPRequestTimeout,
		"timeout per a HTTP request for pulling a Wasm module via http/https").Get()
	wasmHTTPRequestMaxRetries = env.Register("WASM_HTTP_REQUEST_MAX_RETRIES", wasm.DefaultHTTPRequestMaxRetries,
		"maximum number of HTTP/HTTPS request retries for pulling a Wasm module via http/https").Get()
)

// Envoy integration.
var (
	enableWDSEnv = env.Register("PEER_METADATA_DISCOVERY", false,
		"If set to true, enable the peer metadata discovery extension in Envoy").Get()

	envoyStatusPortEnv     = env.Register("ENVOY_STATUS_PORT", 15021, "Envoy health status port value").Get()
	envoyPrometheusPortEnv = env.Register("ENVOY_PROMETHEUS_PORT", 15090, "Envoy prometheus redirection port value").Get()

	// Variable name and semantics come from the gRPC xDS proposal:
	// https://github.com/grpc/proposal/blob/c5722a35e71f83f07535c6c7c890cf0c58ec90c0/A27-xds-global-load-balancing.md#xdsclient-and-bootstrap-file
	grpcBootstrapEnv = env.Register("GRPC_XDS_BOOTSTRAP", filepath.Join(constants.ConfigPathDir, "grpc-bootstrap.json"),
		"Path where gRPC expects to read a bootstrap file. Agent will generate one if set.").Get()

	disableEnvoyEnv = env.Register("DISABLE_ENVOY", false, "Disables all Envoy agent features.").Get()
)

// Istiod connection details and shutdown behaviour.
var (
	// certSigner carries the signer info for the workload cert.
	certSigner = env.Register("ISTIO_META_CERT_SIGNER", "", "The cert signer info for workload cert")

	// Overrides the ServerName checked against the Istiod certificate; useful on
	// VMs where the discovery address is a bare IP:port rather than a hostname.
	istiodSAN = env.Register("ISTIOD_SAN", "",
		"Override the ServerName used to validate Istiod certificate. "+
			"Can be used as an alternative to setting /etc/hosts for VMs - discovery address will be an IP:port")

	minimumDrainDurationEnv = env.Register("MINIMUM_DRAIN_DURATION", 5*time.Second,
		"The minimum duration for which agent waits before it checks for active connections and terminates proxy "+
			"when number of active connections become zero").Get()

	exitOnZeroActiveConnectionsEnv = env.Register("EXIT_ON_ZERO_ACTIVE_CONNECTIONS", false,
		"When set to true, terminates proxy when number of active connections become zero during draining").Get()

	// When true the agent refuses to start without an external workload SDS socket.
	useExternalWorkloadSDSEnv = env.Register("USE_EXTERNAL_WORKLOAD_SDS", false,
		"When set to true, the istio-agent will require an external SDS and will throw an error if the workload SDS socket is not found").Get()
)