XDS Server
XDS Server
istiod 中的 xDS Server 分为 secure 和 insecure 两种
initSecureDiscoveryService
对于启用 TLS 的 DiscoveryService，需要先初始化 SPIFFE 对端证书验证器，对应的方法为 setPeerCertVerifier
setPeerCertVerifier
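// setPeerCertVerifier installs the SPIFFE peer certificate verifier that the
// secure discovery (xDS) gRPC server uses to authenticate client certificates.
//
// Trust roots for the local trust domain are collected with this precedence:
//   1. tlsOptions.CaCertFile, when set, is read from disk and used as-is;
//   2. otherwise the root cert PEM of the RA bundle (if s.RA is set) and of
//      the CA bundle (if s.CA is set) are concatenated.
// Roots for further trust domains are then loaded from
// features.SpiffeBundleEndpoints, when configured.
//
// When no CA file, no CA and no bundle endpoints are configured the server is
// treated as running locally without TLS: no verifier is installed and nil is
// returned.
//
// Returns an error when the CA file cannot be read, the collected PEM cannot be
// added to the verifier, or the SPIFFE bundles cannot be retrieved.
func (s *Server) setPeerCertVerifier(tlsOptions TLSOptions) error {
	if tlsOptions.CaCertFile == "" && s.CA == nil && features.SpiffeBundleEndpoints == "" {
		// Running locally without configured certs - no TLS mode
		return nil
	}
	s.peerCertVerifier = spiffe.NewPeerCertVerifier()

	var rootCertBytes []byte
	var err error
	if tlsOptions.CaCertFile != "" {
		// An explicitly configured CA file takes precedence over the in-process RA/CA bundles.
		if rootCertBytes, err = ioutil.ReadFile(tlsOptions.CaCertFile); err != nil {
			return err
		}
	} else {
		// Otherwise trust the roots carried by the RA and/or CA bundles, in that order.
		if s.RA != nil {
			rootCertBytes = append(rootCertBytes, s.RA.GetCAKeyCertBundle().GetRootCertPem()...)
		}
		if s.CA != nil {
			rootCertBytes = append(rootCertBytes, s.CA.GetCAKeyCertBundle().GetRootCertPem()...)
		}
	}

	if len(rootCertBytes) != 0 {
		// Map the collected roots to the local trust domain. Assign with `=`
		// rather than `:=` so the function-level err is not shadowed here.
		err = s.peerCertVerifier.AddMappingFromPEM(spiffe.GetTrustDomain(), rootCertBytes)
		if err != nil {
			log.Errorf("Add Root CAs into peerCertVerifier failed: %v", err)
			return fmt.Errorf("add root CAs into peerCertVerifier failed: %v", err)
		}
	}
	// NOTE(review): an empty CA file (or RA/CA bundles with no root PEM) yields
	// no local-trust-domain mapping; the verifier then holds only whatever the
	// SPIFFE bundle endpoints below add.

	if features.SpiffeBundleEndpoints != "" {
		// Roots for remote trust domains, fetched from the configured bundle
		// endpoints. The empty cert slice is passed through unchanged; what
		// RetrieveSpiffeBundleRootCertsFromStringInput does with it is not
		// visible from this file.
		certMap, bundleErr := spiffe.RetrieveSpiffeBundleRootCertsFromStringInput(
			features.SpiffeBundleEndpoints, []*x509.Certificate{})
		if bundleErr != nil {
			return bundleErr
		}
		s.peerCertVerifier.AddMappings(certMap)
	}
	return nil
}

// In initSecureDiscoveryService, the gRPC server is created with this verifier
// and uses it to authenticate the client's identity.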
具体验证客户端证书的逻辑如下
注册handler s.XDSServer.Register(s.secureGrpcServer)
StreamAggregatedResources 实现了envoy ADS接口
客户端身份认证
具体逻辑参见18节
处理请求的连接
主动推送
cds
eds
lds
nds
rds