Google Git
Sign in
apache / dubbo-go-pixiu / de9f1befd6a6e38513ea5e704a5488ed608df7d5 / . / pilot / pkg / features / pilot.go
blob: c3392a42b2df1853e498ef3fc523379adbc8cd7b [file] [log] [blame]
// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package features
import (
"strings"
"time"
)
import (
"google.golang.org/protobuf/types/known/durationpb"
"istio.io/pkg/env"
"istio.io/pkg/log"
)
import (
"github.com/apache/dubbo-go-pixiu/pkg/config/constants"
"github.com/apache/dubbo-go-pixiu/pkg/jwt"
"github.com/apache/dubbo-go-pixiu/pkg/util/sets"
)
var (
MaxConcurrentStreams = env.RegisterIntVar(
"ISTIO_GPRC_MAXSTREAMS",
100000,
"Sets the maximum number of concurrent grpc streams.",
).Get()
// MaxRecvMsgSize The max receive buffer size of gRPC received channel of Pilot in bytes.
MaxRecvMsgSize = env.RegisterIntVar(
"ISTIO_GPRC_MAXRECVMSGSIZE",
4*1024*1024,
"Sets the max receive buffer size of gRPC stream in bytes.",
).Get()
traceSamplingVar = env.RegisterFloatVar(
"PILOT_TRACE_SAMPLING",
1.0,
"Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. "+
"Default is 1.0.",
)
TraceSampling = func() float64 {
f := traceSamplingVar.Get()
if f < 0.0 || f > 100.0 {
log.Warnf("PILOT_TRACE_SAMPLING out of range: %v", f)
return 1.0
}
return f
}()
// EnableIstioTags controls whether or not to configure Envoy with support for Istio-specific tags
// in trace spans. This is a temporary flag for controlling the feature that will be replaced by
// Telemetry API (or accepted as an always-on feature).
EnableIstioTags = env.RegisterBoolVar(
"PILOT_ENABLE_ISTIO_TAGS",
true,
"Determines whether or not trace spans generated by Envoy will include Istio-specific tags.",
).Get()
PushThrottle = env.RegisterIntVar(
"PILOT_PUSH_THROTTLE",
100,
"Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes",
).Get()
RequestLimit = env.RegisterFloatVar(
"PILOT_MAX_REQUESTS_PER_SECOND",
25.0,
"Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.",
).Get()
// FilterGatewayClusterConfig controls if a subset of clusters(only those required) should be pushed to gateways
// TODO enable by default once https://github.com/istio/istio/issues/28315 is resolved
// Currently this may cause a bug when we go from N clusters -> 0 clusters -> N clusters
FilterGatewayClusterConfig = env.RegisterBoolVar("PILOT_FILTER_GATEWAY_CLUSTER_CONFIG", false,
"If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway").Get()
DebounceAfter = env.RegisterDurationVar(
"PILOT_DEBOUNCE_AFTER",
100*time.Millisecond,
"The delay added to config/registry events for debouncing. This will delay the push by "+
"at least this interval. If no change is detected within this period, the push will happen, "+
" otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.",
).Get()
DebounceMax = env.RegisterDurationVar(
"PILOT_DEBOUNCE_MAX",
10*time.Second,
"The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks "+
"for this time, we'll trigger a push.",
).Get()
EnableEDSDebounce = env.RegisterBoolVar(
"PILOT_ENABLE_EDS_DEBOUNCE",
true,
"If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX."+
" EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled",
).Get()
SMDebounceAfter = env.RegisterDurationVar(
"PILOT_SM_DEBOUNCE_AFTER",
100*time.Millisecond,
"The delay added to config/registry events for debouncing. This will delay the push by "+
"at least this interval. If no change is detected within this period, the push will happen, "+
" otherwise we'll keep delaying until things settle, up to a max of PILOT_SM_DEBOUNCE_MAX.",
).Get()
SMDebounceMax = env.RegisterDurationVar(
"PILOT_SM_DEBOUNCE_MAX",
1*time.Second,
"The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks "+
"for this time, we'll trigger a push.",
).Get()
SMEnableDebounce = env.RegisterBoolVar(
"PILOT_SM_ENABLE_DEBOUNCE",
true,
"If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_SM_DEBOUNCE_AFTER and PILOT_SM_DEBOUNCE_MAX."+
" SNP register may be delayed, but there will be fewer pushes. By default this is enabled",
).Get()
SNPDebounceAfter = env.RegisterDurationVar(
"PILOT_SNP_DEBOUNCE_AFTER",
100*time.Millisecond,
"The delay added to config/registry events for debouncing. This will delay the push by "+
"at least this interval. If no change is detected within this period, the push will happen, "+
" otherwise we'll keep delaying until things settle, up to a max of PILOT_SNP_DEBOUNCE_MAX.",
).Get()
SNPDebounceMax = env.RegisterDurationVar(
"PILOT_SNP_DEBOUNCE_MAX",
1*time.Second,
"The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks "+
"for this time, we'll trigger a push.",
).Get()
SNPEnableDebounce = env.RegisterBoolVar(
"PILOT_SNP_ENABLE_DEBOUNCE",
true,
"If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_SNP_DEBOUNCE_AFTER and PILOT_SNP_DEBOUNCE_MAX."+
" SNP register may be delayed, but there will be fewer pushes. By default this is enabled",
).Get()
SendUnhealthyEndpoints = env.RegisterBoolVar(
"PILOT_SEND_UNHEALTHY_ENDPOINTS",
false,
"If enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing."+
" To avoid, sending traffic to non ready endpoints, enabling this flag, disables panic threshold in Envoy i.e. Envoy does not load balance requests"+
" to unhealthy/non-ready hosts even if the percentage of healthy hosts fall below minimum health percentage(panic threshold).",
).Get()
// HTTP10 will add "accept_http_10" to http outbound listeners. Can also be set only for specific sidecars via meta.
HTTP10 = env.RegisterBoolVar(
"PILOT_HTTP10",
false,
"Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.",
).Get()
// EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
// Pilot injects this outbound filter if the service port name is `mysql`.
EnableMysqlFilter = env.RegisterBoolVar(
"PILOT_ENABLE_MYSQL_FILTER",
false,
"EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.",
).Get()
// EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
// Pilot injects this outbound filter if the service port name is `redis`.
EnableRedisFilter = env.RegisterBoolVar(
"PILOT_ENABLE_REDIS_FILTER",
false,
"EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.",
).Get()
// EnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
EnableMongoFilter = env.RegisterBoolVar(
"PILOT_ENABLE_MONGO_FILTER",
true,
"EnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.",
).Get()
// UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners so that it picks up the localhost
// address of the sender, which is an internal address, so that trusted headers are not sanitized.
UseRemoteAddress = env.RegisterBoolVar(
"PILOT_SIDECAR_USE_REMOTE_ADDRESS",
false,
"UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.",
).Get()
// SkipValidateTrustDomain tells the server proxy to not to check the peer's trust domain when
// mTLS is enabled in authentication policy.
SkipValidateTrustDomain = env.RegisterBoolVar(
"PILOT_SKIP_VALIDATE_TRUST_DOMAIN",
false,
"Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy").Get()
EnableAutomTLSCheckPolicies = env.RegisterBoolVar(
"ENABLE_AUTO_MTLS_CHECK_POLICIES", true,
"Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} "+
" when server side policy enables mTLS PERMISSIVE or STRICT.").Get()
EnableProtocolSniffingForOutbound = env.RegisterBoolVar(
"PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND",
true,
"If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported",
).Get()
EnableProtocolSniffingForInbound = env.RegisterBoolVar(
"PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND",
true,
"If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported",
).Get()
EnableWasmTelemetry = env.RegisterBoolVar(
"ENABLE_WASM_TELEMETRY",
false,
"If enabled, Wasm-based telemetry will be enabled.",
).Get()
ScopeGatewayToNamespace = env.RegisterBoolVar(
"PILOT_SCOPE_GATEWAY_TO_NAMESPACE",
false,
"If enabled, a gateway workload can only select gateway resources in the same namespace. "+
"Gateways with same selectors in different namespaces will not be applicable.",
).Get()
// nolint
InboundProtocolDetectionTimeout, InboundProtocolDetectionTimeoutSet = env.RegisterDurationVar(
"PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT",
1*time.Second,
"Protocol detection timeout for inbound listener",
).Lookup()
EnableHeadlessService = env.RegisterBoolVar(
"PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS",
true,
"If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an "+
"outbound listener for each pod in a headless service. This feature should be disabled "+
"if headless services have a large number of pods.",
).Get()
EnableRemoteJwks = env.RegisterBoolVar(
"PILOT_JWT_ENABLE_REMOTE_JWKS",
false,
"If enabled, checks to see if the configured JwksUri in RequestAuthentication is a mesh cluster URL "+
"and configures remote Jwks to let Envoy fetch the Jwks instead of Istiod.",
).Get()
EnableEDSForHeadless = env.RegisterBoolVar(
"PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES",
false,
"If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, "+
"allowing the sidecar to load balance among pods in the headless service. This feature "+
"should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.",
).Get()
EnableDistributionTracking = env.RegisterBoolVar(
"PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING",
true,
"If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow "+
"users to interrogate which envoy has which config from the debug interface.",
).Get()
DistributionHistoryRetention = env.RegisterDurationVar(
"PILOT_DISTRIBUTION_HISTORY_RETENTION",
time.Minute*1,
"If enabled, Pilot will keep track of old versions of distributed config for this duration.",
).Get()
enableEndpointSliceController, endpointSliceControllerSpecified = env.RegisterBoolVar(
"PILOT_USE_ENDPOINT_SLICE",
false,
"If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. "+
"By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. "+
"Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used",
).Lookup()
MCSAPIGroup = env.RegisterStringVar("MCS_API_GROUP", "multicluster.x-k8s.io",
"The group to be used for the Kubernetes Multi-Cluster Services (MCS) API.").Get()
MCSAPIVersion = env.RegisterStringVar("MCS_API_VERSION", "v1alpha1",
"The version to be used for the Kubernets Multi-Cluster Services (MCS) API.").Get()
EnableMCSAutoExport = env.RegisterBoolVar(
"ENABLE_MCS_AUTO_EXPORT",
false,
"If enabled, istiod will automatically generate Kubernetes "+
"Multi-Cluster Services (MCS) ServiceExport resources for every "+
"service in the mesh. Services defined to be cluster-local in "+
"MeshConfig are excluded.",
).Get()
EnableMCSServiceDiscovery = env.RegisterBoolVar(
"ENABLE_MCS_SERVICE_DISCOVERY",
false,
"If enabled, istiod will enable Kubernetes Multi-Cluster "+
"Services (MCS) service discovery mode. In this mode, service "+
"endpoints in a cluster will only be discoverable within the "+
"same cluster unless explicitly exported via ServiceExport.").Get()
EnableMCSHost = env.RegisterBoolVar(
"ENABLE_MCS_HOST",
false,
"If enabled, istiod will configure a Kubernetes Multi-Cluster "+
"Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) "+
"for each service exported (via ServiceExport) in at least one "+
"cluster. Clients must, however, be able to successfully lookup "+
"these DNS hosts. That means that either Istio DNS interception "+
"must be enabled or an MCS controller must be used. Requires "+
"that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.").Get() &&
EnableMCSServiceDiscovery
EnableMCSClusterLocal = env.RegisterBoolVar(
"ENABLE_MCS_CLUSTER_LOCAL",
false,
"If enabled, istiod will treat the host "+
"`<svc>.<namespace>.svc.cluster.local` as defined by the "+
"Kubernetes Multi-Cluster Services (MCS) spec. In this mode, "+
"requests to `cluster.local` will be routed to only those "+
"endpoints residing within the same cluster as the client. "+
"Requires that both ENABLE_MCS_SERVICE_DISCOVERY and "+
"ENABLE_MCS_HOST also be enabled.").Get() &&
EnableMCSHost
EnableLegacyLBAlgorithmDefault = env.RegisterBoolVar(
"ENABLE_LEGACY_LB_ALGORITHM_DEFAULT",
false,
"If enabled, destinations for which no LB algorithm is specified will use the legacy "+
"default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can "+
"overburden endpoints, especially when weights are used.").Get()
EnableAnalysis = env.RegisterBoolVar(
"PILOT_ENABLE_ANALYSIS",
false,
"If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any "+
"Istio Resources",
).Get()
AnalysisInterval = func() time.Duration {
val, _ := env.RegisterDurationVar(
"PILOT_ANALYSIS_INTERVAL",
10*time.Second,
"If analysis is enabled, pilot will run istio analyzers using this value as interval in seconds "+
"Istio Resources",
).Lookup()
if val < 1*time.Second {
log.Warnf("PILOT_ANALYSIS_INTERVAL %s is too small, it will be set to default 10 seconds", val.String())
return 10 * time.Second
}
return val
}()
EnableStatus = env.RegisterBoolVar(
"PILOT_ENABLE_STATUS",
false,
"If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.",
).Get()
StatusUpdateInterval = env.RegisterDurationVar(
"PILOT_STATUS_UPDATE_INTERVAL",
500*time.Millisecond,
"Interval to update the XDS distribution status.",
).Get()
StatusQPS = env.RegisterFloatVar(
"PILOT_STATUS_QPS",
100,
"If status is enabled, controls the QPS with which status will be updated. "+
"See https://godoc.org/k8s.io/client-go/rest#Config QPS",
).Get()
StatusBurst = env.RegisterIntVar(
"PILOT_STATUS_BURST",
500,
"If status is enabled, controls the Burst rate with which status will be updated. "+
"See https://godoc.org/k8s.io/client-go/rest#Config Burst",
).Get()
StatusMaxWorkers = env.RegisterIntVar("PILOT_STATUS_MAX_WORKERS", 100, "The maximum number of workers"+
" Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, "+
"but larger numbers may impact CPU in high scale environments.").Get()
// IstiodServiceCustomHost allow user to bring a custom address or multiple custom addresses for istiod server
// for examples: 1. istiod.mycompany.com 2. istiod.mycompany.com,istiod-canary.mycompany.com
IstiodServiceCustomHost = env.RegisterStringVar("ISTIOD_CUSTOM_HOST", "",
"Custom host name of istiod that istiod signs the server cert. "+
"Multiple custom host names are supported, and multiple values are separated by commas.").Get()
PilotCertProvider = env.RegisterStringVar("PILOT_CERT_PROVIDER", constants.CertProviderIstiod,
"The provider of Pilot DNS certificate.").Get()
JwtPolicy = env.RegisterStringVar("JWT_POLICY", jwt.PolicyThirdParty,
"The JWT validation policy.").Get()
// Default request timeout for virtual services if a timeout is not configured in virtual service. It defaults to zero
// which disables timeout when it is not configured, to preserve the current behavior.
defaultRequestTimeoutVar = env.RegisterDurationVar(
"ISTIO_DEFAULT_REQUEST_TIMEOUT",
0*time.Millisecond,
"Default Http and gRPC Request timeout",
)
DefaultRequestTimeout = func() *durationpb.Duration {
return durationpb.New(defaultRequestTimeoutVar.Get())
}()
LegacyIngressBehavior = env.RegisterBoolVar("PILOT_LEGACY_INGRESS_BEHAVIOR", false,
"If this is set to true, istio ingress will perform the legacy behavior, "+
"which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.").Get()
EnableGatewayAPI = env.RegisterBoolVar("PILOT_ENABLE_GATEWAY_API", true,
"If this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will "+
" be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.").Get()
EnableGatewayAPIStatus = env.RegisterBoolVar("PILOT_ENABLE_GATEWAY_API_STATUS", true,
"If this is set to true, gateway-api resources will have status written to them").Get()
EnableGatewayAPIDeploymentController = env.RegisterBoolVar("PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER", true,
"If this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc").Get()
ClusterName = env.RegisterStringVar("CLUSTER_ID", "Kubernetes",
"Defines the cluster and service registry that this Istiod instance is belongs to").Get()
ExternalIstiod = env.RegisterBoolVar("EXTERNAL_ISTIOD", false,
"If this is set to true, one Istiod will control remote clusters including CA.").Get()
EnableCAServer = env.RegisterBoolVar("ENABLE_CA_SERVER", true,
"If this is set to false, will not create CA server in istiod.").Get()
EnableDebugOnHTTP = env.RegisterBoolVar("ENABLE_DEBUG_ON_HTTP", true,
"If this is set to false, the debug interface will not be enabled, recommended for production").Get()
EnableUnsafeAdminEndpoints = env.RegisterBoolVar("UNSAFE_ENABLE_ADMIN_ENDPOINTS", false,
"If this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.").Get()
XDSAuth = env.RegisterBoolVar("XDS_AUTH", true,
"If true, will authenticate XDS clients.").Get()
EnableXDSIdentityCheck = env.RegisterBoolVar(
"PILOT_ENABLE_XDS_IDENTITY_CHECK",
true,
"If enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.",
).Get()
EnableServiceEntrySelectPods = env.RegisterBoolVar("PILOT_ENABLE_SERVICEENTRY_SELECT_PODS", true,
"If enabled, service entries with selectors will select pods from the cluster. "+
"It is safe to disable it if you are quite sure you don't need this feature").Get()
InjectionWebhookConfigName = env.RegisterStringVar("INJECTION_WEBHOOK_CONFIG_NAME", "istio-sidecar-injector",
"Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.").Get()
ValidationWebhookConfigName = env.RegisterStringVar("VALIDATION_WEBHOOK_CONFIG_NAME", "istio-dubbo-system",
"Name of the validatingwebhookconfiguration to patch. Empty will skip using cluster admin to patch.").Get()
SpiffeBundleEndpoints = env.RegisterStringVar("SPIFFE_BUNDLE_ENDPOINTS", "",
"The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE "+
"bundle endpoint and uses it to verify client certifiates from that trust domain. The endpoint must be "+
"compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to "+
"https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . "+
"No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. "+
"Use || between <trustdomain, endpoint> tuples. Use | as delimiter between trust domain and endpoint in "+
"each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar").Get()
EnableXDSCaching = env.RegisterBoolVar("PILOT_ENABLE_XDS_CACHE", true,
"If true, Pilot will cache XDS responses.").Get()
// EnableCDSCaching determines if CDS caching is enabled. This is explicitly split out of ENABLE_XDS_CACHE,
// so that in case there are issues with the CDS cache we can just disable the CDS cache.
EnableCDSCaching = env.RegisterBoolVar("PILOT_ENABLE_CDS_CACHE", true,
"If true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.").Get()
// EnableRDSCaching determines if RDS caching is enabled. This is explicitly split out of ENABLE_XDS_CACHE,
// so that in case there are issues with the RDS cache we can just disable the RDS cache.
EnableRDSCaching = env.RegisterBoolVar("PILOT_ENABLE_RDS_CACHE", true,
"If true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.").Get()
EnableXDSCacheMetrics = env.RegisterBoolVar("PILOT_XDS_CACHE_STATS", false,
"If true, Pilot will collect metrics for XDS cache efficiency.").Get()
XDSCacheMaxSize = env.RegisterIntVar("PILOT_XDS_CACHE_SIZE", 60000,
"The maximum number of cache entries for the XDS cache.").Get()
// EnableLegacyFSGroupInjection has first-party-jwt as allowed because we only
// need the fsGroup configuration for the projected service account volume mount,
// which is only used by first-party-jwt. The installer will automatically
// configure this on Kubernetes 1.19+.
// Note: while this appears unused in the go code, this sets a default which is used in the injection template.
EnableLegacyFSGroupInjection = env.RegisterBoolVar("ENABLE_LEGACY_FSGROUP_INJECTION", JwtPolicy != jwt.PolicyFirstParty,
"If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older "+
`(see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is "first-party-jwt".`).Get()
XdsPushSendTimeout = env.RegisterDurationVar(
"PILOT_XDS_SEND_TIMEOUT",
0*time.Second,
"The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.",
).Get()
RemoteClusterTimeout = env.RegisterDurationVar(
"PILOT_REMOTE_CLUSTER_TIMEOUT",
30*time.Second,
"After this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. "+
"Setting the timeout to 0 disables this behavior.",
).Get()
EnableTelemetryLabel = env.RegisterBoolVar("PILOT_ENABLE_TELEMETRY_LABEL", true,
"If true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.",
).Get()
EndpointTelemetryLabel = env.RegisterBoolVar("PILOT_ENDPOINT_TELEMETRY_LABEL", true,
"If true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.",
).Get()
MetadataExchange = env.RegisterBoolVar("PILOT_ENABLE_METADATA_EXCHANGE", true,
"If true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.",
).Get()
ALPNFilter = env.RegisterBoolVar("PILOT_ENABLE_ALPN_FILTER", true,
"If true, pilot will add Istio ALPN filters, required for proper protocol sniffing.",
).Get()
WorkloadEntryAutoRegistration = env.RegisterBoolVar("PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION", true,
"Enables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.").Get()
WorkloadEntryCleanupGracePeriod = env.RegisterDurationVar("PILOT_WORKLOAD_ENTRY_GRACE_PERIOD", 10*time.Second,
"The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the "+
"associated WorkloadEntry is cleaned up.").Get()
WorkloadEntryHealthChecks = env.RegisterBoolVar("PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKS", true,
"Enables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup").Get()
WorkloadEntryCrossCluster = env.RegisterBoolVar("PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY", true,
"If enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.").Get()
FlowControlTimeout = env.RegisterDurationVar(
"PILOT_FLOW_CONTROL_TIMEOUT",
15*time.Second,
"If set, the max amount of time to delay a push by. Depends on PILOT_ENABLE_FLOW_CONTROL.",
).Get()
EnableDestinationRuleInheritance = env.RegisterBoolVar(
"PILOT_ENABLE_DESTINATION_RULE_INHERITANCE",
false,
"If set, workload specific DestinationRules will inherit configurations settings from mesh and namespace level rules",
).Get()
WasmRemoteLoadConversion = env.RegisterBoolVar("ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSION", true,
"If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, "+
"and replaces Wasm module remote load with downloaded local module file.").Get()
PilotJwtPubKeyRefreshInterval = env.RegisterDurationVar(
"PILOT_JWT_PUB_KEY_REFRESH_INTERVAL",
20*time.Minute,
"The interval for istiod to fetch the jwks_uri for the jwks public key.",
).Get()
EnableInboundPassthrough = env.RegisterBoolVar(
"PILOT_ENABLE_INBOUND_PASSTHROUGH",
true,
"If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, "+
"requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP "+
"will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. "+
"The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. "+
"Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.",
).Get()
StripHostPort = env.RegisterBoolVar("ISTIO_GATEWAY_STRIP_HOST_PORT", false,
"If enabled, Gateway will remove any port from host/authority header "+
"before any processing of request by HTTP filters or routing.").Get()
// EnableUnsafeAssertions enables runtime checks to test assertions in our code. This should never be enabled in
// production; when assertions fail Istio will panic.
EnableUnsafeAssertions = env.RegisterBoolVar(
"UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONS",
false,
"If enabled, addition runtime asserts will be performed. "+
"These checks are both expensive and panic on failure. As a result, this should be used only for testing.",
).Get()
// EnableUnsafeDeltaTest enables runtime checks to test Delta XDS efficiency. This should never be enabled in
// production.
EnableUnsafeDeltaTest = env.RegisterBoolVar(
"UNSAFE_PILOT_ENABLE_DELTA_TEST",
false,
"If enabled, addition runtime tests for Delta XDS efficiency are added. "+
"These checks are extremely expensive, so this should be used only for testing, not production.",
).Get()
DeltaXds = env.RegisterBoolVar("ISTIO_DELTA_XDS", false,
"If enabled, pilot will only send the delta configs as opposed to the state of the world on a "+
"Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.").Get()
PartialFullPushes = env.RegisterBoolVar("PILOT_PARTIAL_FULL_PUSHES", false,
"If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. "+
"This occurs for EDS in many cases regardless of this setting.").Get()
EnableLegacyIstioMutualCredentialName = env.RegisterBoolVar("PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME",
false,
"If enabled, Gateway's with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. "+
"This is to retain legacy behavior only and not recommended for use beyond migration.").Get()
EnableLegacyAutoPassthrough = env.RegisterBoolVar(
"PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH",
false,
"If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. "+
"This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.").Get()
SharedMeshConfig = env.RegisterStringVar("SHARED_MESH_CONFIG", "",
"Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.").Get()
MultiRootMesh = env.RegisterBoolVar("ISTIO_MULTIROOT_MESH", false,
"If enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS").Get()
EnableEnvoyFilterMetrics = env.RegisterBoolVar("PILOT_ENVOY_FILTER_STATS", false,
"If true, Pilot will collect metrics for envoy filter operations.").Get()
EnableRouteCollapse = env.RegisterBoolVar("PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATION", true,
"If true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.").Get()
MulticlusterHeadlessEnabled = env.RegisterBoolVar("ENABLE_MULTICLUSTER_HEADLESS", true,
"If true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.").Get()
ResolveHostnameGateways = env.RegisterBoolVar("RESOLVE_HOSTNAME_GATEWAYS", true,
"If true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.").Get()
CertSignerDomain = env.RegisterStringVar("CERT_SIGNER_DOMAIN", "", "The cert signer domain info").Get()
AutoReloadPluginCerts = env.RegisterBoolVar(
"AUTO_RELOAD_PLUGIN_CERTS",
false,
"If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs."+
"Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.").Get()
RewriteTCPProbes = env.RegisterBoolVar(
"REWRITE_TCP_PROBES",
true,
"If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.",
).Get()
EnableQUICListeners = env.RegisterBoolVar("PILOT_ENABLE_QUIC_LISTENERS", false,
"If true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways "+
"if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)").Get()
VerifyCertAtClient = env.RegisterBoolVar("VERIFY_CERTIFICATE_AT_CLIENT", false,
"If enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.").Get()
PrioritizedLeaderElection = env.RegisterBoolVar("PRIORITIZED_LEADER_ELECTION", true,
"If enabled, the default revision will steal leader locks from non-default revisions").Get()
EnableTLSOnSidecarIngress = env.RegisterBoolVar("ENABLE_TLS_ON_SIDECAR_INGRESS", false,
"If enabled, the TLS configuration on Sidecar.ingress will take effect").Get()
EnableAutoSni = env.RegisterBoolVar("ENABLE_AUTO_SNI", false,
"If enabled, automatically set SNI when `DestinationRules` do not specify the same").Get()
InsecureKubeConfigOptions = func() sets.Set {
v := env.RegisterStringVar(
"PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS",
"",
"Comma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication."+
"Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), "+
"`clientKey`, `clientCertificate`, `tokenFile`, and `exec`.").Get()
return sets.New(strings.Split(v, ",")...)
}()
VerifySDSCertificate = env.RegisterBoolVar("VERIFY_SDS_CERTIFICATE", true,
"If enabled, certificates fetched from SDS server will be verified before sending back to proxy.").Get()
CanonicalServiceForMeshExternalServiceEntry = env.RegisterBoolVar("LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIES", false,
"If enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populated"+
"in the cluster metadata for those endpoints.").Get()
)
// EnableEndpointSliceController returns the value of the feature flag and whether it was actually specified.
func EnableEndpointSliceController() (value bool, ok bool) {
return enableEndpointSliceController, endpointSliceControllerSpecified
}
// UnsafeFeaturesEnabled returns true if any unsafe features are enabled.
func UnsafeFeaturesEnabled() bool {
return EnableUnsafeAdminEndpoints || EnableUnsafeAssertions
}