
Method initSecureDiscoveryService

pilot/pkg/bootstrap/server.go:779–840  ·  view source on GitHub ↗

Initialize secureGRPCServer.

(args *PilotArgs, trustDomain string)


778// initialize secureGRPCServer.
779func (s *Server) initSecureDiscoveryService(args *PilotArgs, trustDomain string) error {
780 if args.ServerOptions.SecureGRPCAddr == "" {
781 log.Info("The secure discovery port is disabled, multiplexing on httpAddr ")
782 return nil
783 }
784
785 peerCertVerifier, err := s.createPeerCertVerifier(args.ServerOptions.TLSOptions, trustDomain)
786 if err != nil {
787 return err
788 }
789 if peerCertVerifier == nil {
790 // Running locally without configured certs - no TLS mode
791 log.Warnf("The secure discovery service is disabled")
792 return nil
793 }
794 log.Info("initializing secure discovery service")
795
796 cfg := &tls.Config{
797 GetCertificate: s.getIstiodCertificate,
798 ClientAuth: tls.VerifyClientCertIfGiven,
799 ClientCAs: peerCertVerifier.GetGeneralCertPool(),
800 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
801 err := peerCertVerifier.VerifyPeerCert(rawCerts, verifiedChains)
802 if err != nil {
803 log.Infof("Could not verify certificate: %v", err)
804 }
805 return err
806 },
807 MinVersion: tls.VersionTLS12,
808 CipherSuites: args.ServerOptions.TLSOptions.CipherSuites,
809 }
810 if args.ServerOptions.TLSOptions.MinVersion != 0 {
811 cfg.MinVersion = args.ServerOptions.TLSOptions.MinVersion
812 }
813 // Compliance for xDS server TLS.
814 sec_model.EnforceGoCompliance(cfg)
815
816 tlsCreds := credentials.NewTLS(cfg)
817
818 s.secureGrpcAddress = args.ServerOptions.SecureGRPCAddr
819
820 interceptors := []grpc.UnaryServerInterceptor{
821 // setup server prometheus monitoring (as final interceptor in chain)
822 grpcprom.UnaryServerInterceptor,
823 }
824 opts := istiogrpc.ServerOptions(args.KeepaliveOptions, xdspkg.RecordRecvSize, interceptors...)
825 opts = append(opts, grpc.Creds(tlsCreds))
826
827 s.secureGrpcServer = grpc.NewServer(opts...)
828 s.XDSServer.Register(s.secureGrpcServer)
829 reflection.Register(s.secureGrpcServer)
830
831 s.addStartFunc("secure gRPC", func(stop <-chan struct{}) error {
832 go func() {
833 <-stop
834 s.secureGrpcServer.Stop()
835 }()
836 return nil

Callers 1

NewServerFunction · 0.95

Calls 9

addStartFuncMethod · 0.95
InfoFunction · 0.92
WarnfFunction · 0.92
InfofFunction · 0.92
GetGeneralCertPoolMethod · 0.80
VerifyPeerCertMethod · 0.80
RegisterMethod · 0.65
StopMethod · 0.65

Tested by

no test coverage detected