1// Copyright 2018 Istio Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package settings
16
17import (
18	"bytes"
19	"fmt"
20	"time"
21
22	"google.golang.org/grpc"
23
24	"k8s.io/client-go/kubernetes"
25	"k8s.io/client-go/rest"
26
27	"istio.io/pkg/ctrlz"
28	"istio.io/pkg/probe"
29
30	"istio.io/istio/galley/pkg/config/util/kuberesource"
31	"istio.io/istio/pkg/config/schema/snapshots"
32	"istio.io/istio/pkg/keepalive"
33	"istio.io/istio/pkg/mcp/creds"
34	"istio.io/istio/pkg/webhooks/validation/controller"
35	"istio.io/istio/pkg/webhooks/validation/server"
36)
37
// Probe bookkeeping: how often the probe files are refreshed and where
// the liveness / readiness files are written.
const (
	defaultProbeCheckInterval     = 2 * time.Second
	defaultLivenessProbeFilePath  = "/healthLiveness"
	defaultReadinessProbeFilePath = "/healthReadiness"
)

// Mounted configuration locations and the files Galley reads from them,
// plus the DNS suffix used when building Ingress-based resources.
const (
	defaultConfigMapFolder  = "/etc/config/"
	defaultMeshConfigFolder = "/etc/mesh-config/"

	defaultAccessListFile = defaultConfigMapFolder + "accesslist.yaml"
	defaultMeshConfigFile = defaultMeshConfigFolder + "mesh"

	defaultDomainSuffix = "cluster.local"
)
49
// Args contains the startup arguments to instantiate Galley.
//
// DefaultArgs returns a fully populated instance; the pointer-typed option
// groups (KubeInterface, InsecureGRPC, SecureGRPC, KubeRestConfig,
// CredentialOptions, IntrospectionOptions, KeepAlive) are nil on a
// zero-value Args.
type Args struct { // nolint:maligned
	// The path to kube configuration file.
	KubeConfig string

	// KubeInterface has an already created K8S interface, will be reused instead of creating a new one
	KubeInterface *kubernetes.Clientset

	// InsecureGRPC is an existing GRPC server, will be used by Galley instead of creating its own
	InsecureGRPC *grpc.Server

	// SecureGRPC is an existing GRPC server, will be used by Galley instead of creating its own
	SecureGRPC *grpc.Server

	// KubeRestConfig has a rest config, common with other components
	KubeRestConfig *rest.Config

	// resync period to be passed to the K8s machinery.
	ResyncPeriod time.Duration

	// Address to use for Galley's gRPC API.
	APIAddress string

	// Maximum size of individual received gRPC messages
	MaxReceivedMessageSize uint

	// Maximum number of outstanding RPCs per connection
	MaxConcurrentStreams uint

	// Initial Window Size for gRPC connections
	InitialWindowSize uint

	// Initial Connection Window Size for gRPC connections
	InitialConnectionWindowSize uint

	// The credential options to use for MCP.
	// Carries the key / certificate / CA certificate file paths (see String).
	CredentialOptions *creds.Options

	// The introspection options to use
	IntrospectionOptions *ctrlz.Options

	// AccessListFile is the YAML file that specifies ids of the allowed mTLS peers.
	AccessListFile string

	// ConfigPath is the path for Galley specific config files
	ConfigPath string

	// ExcludedResourceKinds is a list of resource kinds for which no source events will be triggered.
	// DEPRECATED
	ExcludedResourceKinds []string

	// MeshConfigFile is the path for mesh config
	MeshConfigFile string

	// DNS Domain suffix to use while constructing Ingress based resources.
	DomainSuffix string

	// SinkAddress should be set to the address of a MCP Resource
	// Sink service that Galley will dial out to. Leaving empty disables
	// sink.
	SinkAddress string

	// SinkAuthMode should be set to a name of an authentication plugin,
	// see the istio.io/istio/galley/pkg/autplugins package.
	SinkAuthMode string

	// SinkMeta list of key=values to attach as gRPC stream metadata to
	// outgoing Sink connections.
	// NOTE(review): these values are echoed verbatim by String(); if a
	// deployment places credentials in stream metadata they will appear
	// in debug output — confirm before logging Args at a wide audience.
	SinkMeta []string

	// Enables gRPC-level tracing
	EnableGRPCTracing bool

	// Insecure gRPC service is used for the MCP server. CertificateFile and KeyFile is ignored.
	Insecure bool

	// Enable galley server mode
	EnableServer bool

	// Enable service discovery / endpoint processing.
	EnableServiceDiscovery bool

	// Enable Config Analysis service, that will analyze and update CRD status. UseOldProcessor must be set to false.
	EnableConfigAnalysis bool

	// DisableResourceReadyCheck disables the CRD readiness check. This
	// allows Galley to start when not all supported CRD are
	// registered with the kube-apiserver.
	// DEPRECATED
	DisableResourceReadyCheck bool

	// WatchConfigFiles if set to true, enables Fsnotify watcher for watching and signaling config file changes.
	// Default is false
	WatchConfigFiles bool

	// keep-alive options for the MCP gRPC Server.
	KeepAlive *keepalive.Options

	// Enable the validating webhook server.
	EnableValidationServer bool

	// Enable a controller to manage the lifecycle of the validatingwebhookconfiguration.
	EnableValidationController bool

	// ValidationWebhookServerArgs configures the validating webhook server
	// (used when EnableValidationServer is set).
	ValidationWebhookServerArgs server.Options
	// ValidationWebhookControllerArgs configures the webhook-configuration
	// controller (used when EnableValidationController is set).
	ValidationWebhookControllerArgs controller.Options

	// Liveness and Readiness hold the probe file path and update interval
	// for the respective health probe; DefaultArgs fills both.
	Liveness  probe.Options
	Readiness probe.Options
	// MonitoringPort is the port for the monitoring endpoint (default 15014).
	MonitoringPort uint
	// EnableProfiling enables pprof; presumably served on PprofPort — confirm against the server code.
	EnableProfiling bool
	// PprofPort is the port used for profiling (default 9094).
	PprofPort uint

	// Snapshots lists the snapshot names to produce; TriggerSnapshot is
	// the one that triggers processing. Both default to snapshots.Default.
	// NOTE(review): exact semantics live in the processing code — verify there.
	Snapshots       []string
	TriggerSnapshot string
}
166
// DefaultArgs allocates an Args struct initialized with Galley's default configuration.
//
// Fields not assigned below keep their Go zero value, which is also the
// intended default (KubeConfig "", ConfigPath "", ResyncPeriod 0, Insecure,
// EnableProfiling, WatchConfigFiles, EnableConfigAnalysis and
// DisableResourceReadyCheck all false).
func DefaultArgs() *Args {
	// newProbe builds the options for one health probe; both probes share
	// the same update interval and differ only in the file they write.
	newProbe := func(path string) probe.Options {
		return probe.Options{
			Path:           path,
			UpdateInterval: defaultProbeCheckInterval,
		}
	}

	a := &Args{}

	// Resource processing and mounted configuration.
	a.DomainSuffix = defaultDomainSuffix
	a.ExcludedResourceKinds = kuberesource.DefaultExcludedResourceKinds()
	a.MeshConfigFile = defaultMeshConfigFile
	a.AccessListFile = defaultAccessListFile

	// MCP gRPC server and its transport limits.
	a.EnableServer = true
	a.APIAddress = "tcp://0.0.0.0:9901"
	a.MaxReceivedMessageSize = 1024 * 1024
	a.MaxConcurrentStreams = 1024
	a.InitialWindowSize = 1024 * 1024
	a.InitialConnectionWindowSize = 1024 * 1024 * 16
	a.KeepAlive = keepalive.DefaultOption()
	a.CredentialOptions = creds.DefaultOptions()
	a.SinkMeta = make([]string, 0) // empty, not nil, as in the original default

	// Validating webhook server and its configuration controller.
	a.EnableValidationServer = true
	a.EnableValidationController = true
	a.ValidationWebhookServerArgs = server.DefaultArgs()
	a.ValidationWebhookControllerArgs = controller.DefaultArgs()

	// Introspection, monitoring, profiling and health probes.
	a.IntrospectionOptions = ctrlz.DefaultOptions()
	a.MonitoringPort = 15014
	a.PprofPort = 9094
	a.Liveness = newProbe(defaultLivenessProbeFilePath)
	a.Readiness = newProbe(defaultReadinessProbeFilePath)

	// Snapshot selection.
	a.Snapshots = []string{snapshots.Default}
	a.TriggerSnapshot = snapshots.Default

	return a
}
210
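// String produces a stringified version of the arguments for debugging.
//
// The pointer-typed option groups (IntrospectionOptions, CredentialOptions,
// KeepAlive) are set by DefaultArgs but are nil on a hand-built Args; they
// are reported as "<nil>" instead of being dereferenced so that a debug dump
// never panics. For credentials only the file paths are printed, never the
// key or certificate contents.
func (a *Args) String() string {
	buf := &bytes.Buffer{}

	_, _ = fmt.Fprintf(buf, "KubeConfig: %s\n", a.KubeConfig)
	_, _ = fmt.Fprintf(buf, "ResyncPeriod: %v\n", a.ResyncPeriod)
	_, _ = fmt.Fprintf(buf, "APIAddress: %s\n", a.APIAddress)
	_, _ = fmt.Fprintf(buf, "EnableGrpcTracing: %v\n", a.EnableGRPCTracing)
	_, _ = fmt.Fprintf(buf, "MaxReceivedMessageSize: %d\n", a.MaxReceivedMessageSize)
	_, _ = fmt.Fprintf(buf, "MaxConcurrentStreams: %d\n", a.MaxConcurrentStreams)
	_, _ = fmt.Fprintf(buf, "InitialWindowSize: %v\n", a.InitialWindowSize)
	_, _ = fmt.Fprintf(buf, "InitialConnectionWindowSize: %v\n", a.InitialConnectionWindowSize)

	// Dereferenced only when present; the original unconditional *a.IntrospectionOptions
	// panicked on a nil pointer.
	if a.IntrospectionOptions != nil {
		_, _ = fmt.Fprintf(buf, "IntrospectionOptions: %+v\n", *a.IntrospectionOptions)
	} else {
		buf.WriteString("IntrospectionOptions: <nil>\n")
	}

	_, _ = fmt.Fprintf(buf, "Insecure: %v\n", a.Insecure)
	_, _ = fmt.Fprintf(buf, "AccessListFile: %s\n", a.AccessListFile)
	_, _ = fmt.Fprintf(buf, "EnableServer: %v\n", a.EnableServer)

	// Only paths are printed here, never file contents.
	if co := a.CredentialOptions; co != nil {
		_, _ = fmt.Fprintf(buf, "KeyFile: %s\n", co.KeyFile)
		_, _ = fmt.Fprintf(buf, "CertificateFile: %s\n", co.CertificateFile)
		_, _ = fmt.Fprintf(buf, "CACertificateFile: %s\n", co.CACertificateFile)
	} else {
		buf.WriteString("CredentialOptions: <nil>\n")
	}

	_, _ = fmt.Fprintf(buf, "ConfigFilePath: %s\n", a.ConfigPath)
	_, _ = fmt.Fprintf(buf, "MeshConfigFile: %s\n", a.MeshConfigFile)
	_, _ = fmt.Fprintf(buf, "DomainSuffix: %s\n", a.DomainSuffix)
	_, _ = fmt.Fprintf(buf, "DisableResourceReadyCheck: %v\n", a.DisableResourceReadyCheck)
	_, _ = fmt.Fprintf(buf, "ExcludedResourceKinds: %v\n", a.ExcludedResourceKinds)
	_, _ = fmt.Fprintf(buf, "SinkAddress: %v\n", a.SinkAddress)
	_, _ = fmt.Fprintf(buf, "SinkAuthMode: %v\n", a.SinkAuthMode)
	// NOTE(review): SinkMeta is gRPC stream metadata echoed verbatim; if a
	// deployment carries credentials there, this dump exposes them — confirm
	// where String() output is logged.
	_, _ = fmt.Fprintf(buf, "SinkMeta: %v\n", a.SinkMeta)

	if ka := a.KeepAlive; ka != nil {
		_, _ = fmt.Fprintf(buf, "KeepAlive.MaxServerConnectionAge: %v\n", ka.MaxServerConnectionAge)
		_, _ = fmt.Fprintf(buf, "KeepAlive.MaxServerConnectionAgeGrace: %v\n", ka.MaxServerConnectionAgeGrace)
		_, _ = fmt.Fprintf(buf, "KeepAlive.Time: %v\n", ka.Time)
		_, _ = fmt.Fprintf(buf, "KeepAlive.Timeout: %v\n", ka.Timeout)
	} else {
		buf.WriteString("KeepAlive: <nil>\n")
	}

	return buf.String()
}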
245