// Copyright 2018 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package settings holds Galley's startup arguments (Args), their defaults
// (DefaultArgs) and a debug rendering of them (Args.String).
package settings

import (
	"bytes"
	"fmt"
	"time"

	"google.golang.org/grpc"

	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"

	"istio.io/pkg/ctrlz"
	"istio.io/pkg/probe"

	"istio.io/istio/galley/pkg/config/util/kuberesource"
	"istio.io/istio/pkg/config/schema/snapshots"
	"istio.io/istio/pkg/keepalive"
	"istio.io/istio/pkg/mcp/creds"
	"istio.io/istio/pkg/webhooks/validation/controller"
	"istio.io/istio/pkg/webhooks/validation/server"
)

// Defaults shared by DefaultArgs. The probe paths and the config/mesh-config
// folders are absolute paths inside the container; the access list (the set of
// mTLS peer ids allowed to talk to the MCP server) is read from the config map
// folder.
const (
	defaultProbeCheckInterval     = 2 * time.Second
	defaultLivenessProbeFilePath  = "/healthLiveness"
	defaultReadinessProbeFilePath = "/healthReadiness"

	defaultConfigMapFolder  = "/etc/config/"
	defaultMeshConfigFolder = "/etc/mesh-config/"
	defaultAccessListFile   = defaultConfigMapFolder + "accesslist.yaml"
	defaultMeshConfigFile   = defaultMeshConfigFolder + "mesh"
	defaultDomainSuffix     = "cluster.local"
)

// Args contains the startup arguments to instantiate Galley.
//
// DefaultArgs returns a fully populated value. The pointer-typed options
// (CredentialOptions, IntrospectionOptions, KeepAlive) are nil in a hand-built
// Args literal unless the caller sets them.
type Args struct { // nolint:maligned
	// The path to kube configuration file.
	KubeConfig string

	// KubeInterface has an already created K8S interface, will be reused instead of creating a new one
	KubeInterface *kubernetes.Clientset

	// InsecureGRPC is an existing GRPC server, will be used by Galley instead of creating its own.
	// NOTE(review): the Insecure/Secure pair presumably maps to a plaintext and a TLS listener
	// respectively — confirm against the server wiring.
	InsecureGRPC *grpc.Server

	// SecureGRPC is an existing GRPC server, will be used by Galley instead of creating its own
	SecureGRPC *grpc.Server

	// KubeRestConfig has a rest config, common with other components
	KubeRestConfig *rest.Config

	// resync period to be passed to the K8s machinery.
	ResyncPeriod time.Duration

	// Address to use for Galley's gRPC API. The default in DefaultArgs binds
	// 0.0.0.0, i.e. every interface the pod has; restricting who may reach the
	// MCP server is then up to TLS, the access list and network policy.
	APIAddress string

	// Maximum size of individual received gRPC messages. Together with the
	// stream and window limits below this bounds how much memory a single peer
	// can make the server commit.
	MaxReceivedMessageSize uint

	// Maximum number of outstanding RPCs per connection
	MaxConcurrentStreams uint

	// Initial Window Size for gRPC connections
	InitialWindowSize uint

	// Initial Connection Window Size for gRPC connections
	InitialConnectionWindowSize uint

	// The credential options to use for MCP (key, certificate and CA bundle
	// file paths; see Args.String, which prints the paths only).
	CredentialOptions *creds.Options

	// The introspection (ctrlz) options to use
	IntrospectionOptions *ctrlz.Options

	// AccessListFile is the YAML file that specifies ids of the allowed mTLS peers.
	AccessListFile string

	// ConfigPath is the path for Galley specific config files
	ConfigPath string

	// ExcludedResourceKinds is a list of resource kinds for which no source events will be triggered.
	// DEPRECATED
	ExcludedResourceKinds []string

	// MeshConfigFile is the path for mesh config
	MeshConfigFile string

	// DNS Domain suffix to use while constructing Ingress based resources.
	DomainSuffix string

	// SinkAddress should be set to the address of a MCP Resource
	// Sink service that Galley will dial out to. Leaving empty disables
	// sink.
	SinkAddress string

	// SinkAuthMode should be set to a name of an authentication plugin,
	// see the istio.io/istio/galley/pkg/autplugins package.
	SinkAuthMode string

	// SinkMeta list of key=values to attach as gRPC stream metadata to
	// outgoing Sink connections.
	// NOTE(review): Args.String echoes these values verbatim, so anything
	// secret placed here (e.g. an auth token) ends up in debug output.
	SinkMeta []string

	// Enables gRPC-level tracing
	EnableGRPCTracing bool

	// Insecure, when true, serves the MCP gRPC API in plaintext: CertificateFile
	// and KeyFile are ignored. With no TLS there is no peer identity, so the
	// AccessListFile presumably cannot be enforced either — confirm in the
	// server setup. Intended for local development only; DefaultArgs leaves it
	// false.
	Insecure bool

	// Enable galley server mode
	EnableServer bool

	// Enable service discovery / endpoint processing.
	EnableServiceDiscovery bool

	// Enable Config Analysis service, that will analyze and update CRD status. UseOldProcessor must be set to false.
	// NOTE(review): UseOldProcessor is not a field of Args — this sentence looks stale; confirm and drop.
	EnableConfigAnalysis bool

	// DisableResourceReadyCheck disables the CRD readiness check. This
	// allows Galley to start when not all supported CRD are
	// registered with the kube-apiserver.
	// DEPRECATED
	DisableResourceReadyCheck bool

	// WatchConfigFiles if set to true, enables Fsnotify watcher for watching and signaling config file changes.
	// Default is false
	WatchConfigFiles bool

	// keep-alive options for the MCP gRPC Server.
	KeepAlive *keepalive.Options

	// Enable the validating webhook server.
	EnableValidationServer bool

	// Enable a controller to manage the lifecycle of the validatingwebhookconfiguration.
	EnableValidationController bool

	// ValidationWebhookServerArgs are the options passed to the validating webhook server.
	ValidationWebhookServerArgs server.Options

	// ValidationWebhookControllerArgs are the options passed to the validatingwebhookconfiguration controller.
	ValidationWebhookControllerArgs controller.Options

	// Liveness and Readiness describe the probe files (path and refresh
	// interval); DefaultArgs sets both to the default paths above.
	Liveness  probe.Options
	Readiness probe.Options

	// MonitoringPort is the port of Galley's monitoring endpoint.
	MonitoringPort uint

	// EnableProfiling turns on the pprof endpoint served on PprofPort. It exposes
	// runtime internals of the process; keep it off outside of debugging
	// (DefaultArgs leaves it false).
	EnableProfiling bool
	PprofPort       uint

	// Snapshots is the list of snapshot names Galley produces; TriggerSnapshot
	// names the one used as the trigger. Both default to snapshots.Default.
	Snapshots       []string
	TriggerSnapshot string
}

// DefaultArgs allocates an Args struct initialized with Galley's default configuration.
func DefaultArgs() *Args {
	// Both probe files are refreshed on the same cadence; only the path differs.
	liveness := probe.Options{Path: defaultLivenessProbeFilePath, UpdateInterval: defaultProbeCheckInterval}
	readiness := probe.Options{Path: defaultReadinessProbeFilePath, UpdateInterval: defaultProbeCheckInterval}

	// Fields whose default is the Go zero value (KubeConfig, ConfigPath,
	// ResyncPeriod, DisableResourceReadyCheck, EnableProfiling,
	// WatchConfigFiles, EnableConfigAnalysis) are intentionally not listed.
	a := &Args{
		// Kubernetes source.
		ExcludedResourceKinds: kuberesource.DefaultExcludedResourceKinds(),
		DomainSuffix:          defaultDomainSuffix,

		// MCP gRPC server. The address binds every interface, so the TLS and
		// access-list settings below (plus network policy) are what limit callers;
		// the size/stream/window limits bound per-peer memory use.
		EnableServer:                true,
		APIAddress:                  "tcp://0.0.0.0:9901",
		MaxReceivedMessageSize:      1024 * 1024,
		MaxConcurrentStreams:        1024,
		InitialWindowSize:           1024 * 1024,
		InitialConnectionWindowSize: 1024 * 1024 * 16,
		KeepAlive:                   keepalive.DefaultOption(),

		// Transport security: TLS stays on. Insecure is spelled out rather than
		// left to the zero value so the default is visible at a glance.
		Insecure:          false,
		CredentialOptions: creds.DefaultOptions(),
		AccessListFile:    defaultAccessListFile,

		// Config inputs. SinkMeta is an empty, non-nil slice.
		MeshConfigFile: defaultMeshConfigFile,
		SinkMeta:       []string{},

		// Validating webhook: server and lifecycle controller both enabled.
		EnableValidationServer:          true,
		EnableValidationController:      true,
		ValidationWebhookServerArgs:     server.DefaultArgs(),
		ValidationWebhookControllerArgs: controller.DefaultArgs(),

		// Observability. Profiling is off by default; PprofPort only takes effect
		// once EnableProfiling is set.
		IntrospectionOptions: ctrlz.DefaultOptions(),
		MonitoringPort:       15014,
		PprofPort:            9094,

		Liveness:  liveness,
		Readiness: readiness,

		Snapshots:       []string{snapshots.Default},
		TriggerSnapshot: snapshots.Default,
	}
	return a
}

// String produces a stringified version of the arguments for debugging.
// For the credential options only the file paths are printed, never key
// material.
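func (a *Args) String() string {
	buf := &bytes.Buffer{}

	_, _ = fmt.Fprintf(buf, "KubeConfig: %s\n", a.KubeConfig)
	_, _ = fmt.Fprintf(buf, "ResyncPeriod: %v\n", a.ResyncPeriod)
	_, _ = fmt.Fprintf(buf, "APIAddress: %s\n", a.APIAddress)
	_, _ = fmt.Fprintf(buf, "EnableGrpcTracing: %v\n", a.EnableGRPCTracing)
	_, _ = fmt.Fprintf(buf, "MaxReceivedMessageSize: %d\n", a.MaxReceivedMessageSize)
	_, _ = fmt.Fprintf(buf, "MaxConcurrentStreams: %d\n", a.MaxConcurrentStreams)
	_, _ = fmt.Fprintf(buf, "InitialWindowSize: %v\n", a.InitialWindowSize)
	_, _ = fmt.Fprintf(buf, "InitialConnectionWindowSize: %v\n", a.InitialConnectionWindowSize)

	// IntrospectionOptions, CredentialOptions and KeepAlive are pointers that
	// DefaultArgs fills in but a hand-built Args may leave nil. Dereferencing
	// them unguarded turned a debug print into a panic, so each is checked and
	// rendered as <nil> when absent.
	if a.IntrospectionOptions != nil {
		_, _ = fmt.Fprintf(buf, "IntrospectionOptions: %+v\n", *a.IntrospectionOptions)
	} else {
		buf.WriteString("IntrospectionOptions: <nil>\n")
	}

	_, _ = fmt.Fprintf(buf, "Insecure: %v\n", a.Insecure)
	_, _ = fmt.Fprintf(buf, "AccessListFile: %s\n", a.AccessListFile)
	_, _ = fmt.Fprintf(buf, "EnableServer: %v\n", a.EnableServer)

	// Only the paths of the key, certificate and CA bundle are printed, never
	// their contents, so this output is safe to send to logs.
	if c := a.CredentialOptions; c != nil {
		_, _ = fmt.Fprintf(buf, "KeyFile: %s\n", c.KeyFile)
		_, _ = fmt.Fprintf(buf, "CertificateFile: %s\n", c.CertificateFile)
		_, _ = fmt.Fprintf(buf, "CACertificateFile: %s\n", c.CACertificateFile)
	} else {
		buf.WriteString("CredentialOptions: <nil>\n")
	}

	_, _ = fmt.Fprintf(buf, "ConfigFilePath: %s\n", a.ConfigPath)
	_, _ = fmt.Fprintf(buf, "MeshConfigFile: %s\n", a.MeshConfigFile)
	_, _ = fmt.Fprintf(buf, "DomainSuffix: %s\n", a.DomainSuffix)
	_, _ = fmt.Fprintf(buf, "DisableResourceReadyCheck: %v\n", a.DisableResourceReadyCheck)
	_, _ = fmt.Fprintf(buf, "ExcludedResourceKinds: %v\n", a.ExcludedResourceKinds)
	_, _ = fmt.Fprintf(buf, "SinkAddress: %v\n", a.SinkAddress)
	_, _ = fmt.Fprintf(buf, "SinkAuthMode: %v\n", a.SinkAuthMode)
	// NOTE(review): SinkMeta is echoed verbatim. If a deployment carries
	// credentials in that gRPC metadata they land in this debug output;
	// redact the values here before relying on String in such a setup.
	_, _ = fmt.Fprintf(buf, "SinkMeta: %v\n", a.SinkMeta)

	if k := a.KeepAlive; k != nil {
		_, _ = fmt.Fprintf(buf, "KeepAlive.MaxServerConnectionAge: %v\n", k.MaxServerConnectionAge)
		_, _ = fmt.Fprintf(buf, "KeepAlive.MaxServerConnectionAgeGrace: %v\n", k.MaxServerConnectionAgeGrace)
		_, _ = fmt.Fprintf(buf, "KeepAlive.Time: %v\n", k.Time)
		_, _ = fmt.Fprintf(buf, "KeepAlive.Timeout: %v\n", k.Timeout)
	} else {
		buf.WriteString("KeepAlive: <nil>\n")
	}

	return buf.String()
}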