| // Copyright Istio Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| package constants |
| |
| const ( |
| // UnspecifiedIP constant for empty IP address |
| UnspecifiedIP = "0.0.0.0" |
| |
| // AuthCertsPath is the path location for mTLS certificates |
| AuthCertsPath = "/etc/certs/" |
| |
| // CertChainFilename is mTLS chain file |
| CertChainFilename = "cert-chain.pem" |
| |
| // DefaultServerCertChain is the default path to the mTLS chain file |
| DefaultCertChain = AuthCertsPath + CertChainFilename |
| |
| // KeyFilename is mTLS private key |
| KeyFilename = "key.pem" |
| |
| // DefaultServerKey is the default path to the mTLS private key file |
| DefaultKey = AuthCertsPath + KeyFilename |
| |
| // RootCertFilename is mTLS root cert |
| RootCertFilename = "root-cert.pem" |
| |
| // DefaultRootCert is the default path to the mTLS root cert file |
| DefaultRootCert = AuthCertsPath + RootCertFilename |
| |
| // ConfigPathDir config directory for storing envoy json config files. |
| ConfigPathDir = "./etc/istio/proxy" |
| |
| // IstioDataDir is the directory to store binary data such as envoy core dump, profile, and downloaded Wasm modules. |
| IstioDataDir = "/var/lib/istio/data" |
| |
| // BinaryPathFilename envoy binary location |
| BinaryPathFilename = "/usr/local/bin/envoy" |
| |
| // ServiceClusterName service cluster name used in xDS calls |
| ServiceClusterName = "istio-proxy" |
| |
| // IstioIngressGatewayName is the internal gateway name assigned to ingress |
| IstioIngressGatewayName = "istio-autogenerated-k8s-ingress" |
| |
| KubernetesGatewayName = "istio-autogenerated-k8s-gateway" |
| |
| // IstioIngressNamespace is the namespace where Istio ingress controller is deployed |
| IstioIngressNamespace = "dubbo-system" |
| |
| // DefaultKubernetesDomain the default service domain suffix for Kubernetes, if not overridden in config. |
| // TODO(nmittler): Rename this to DefaultClusterLocalDomain. |
| // TODO(nmittler): Search/replace explicit usages of the string with this constant. |
| DefaultKubernetesDomain = "cluster.local" |
| |
| // DefaultClusterSetLocalDomain is the default domain suffix for Kubernetes Multi-Cluster Services (MCS) |
| // used for load balancing requests against endpoints across the ClusterSet (i.e. mesh). |
| DefaultClusterSetLocalDomain = "clusterset.local" |
| |
| // IstioLabel indicates that a workload is part of a named Istio system component. |
| IstioLabel = "istio" |
| |
| // IstioIngressLabelValue is value for IstioLabel that identifies an ingress workload. |
| // TODO we should derive this from IngressClass |
| IstioIngressLabelValue = "ingressgateway" |
| |
| // IstioSystemNamespace is the namespace where Istio's components are deployed |
| IstioSystemNamespace = "dubbo-system" |
| |
| // DefaultAuthenticationPolicyName is the name of the cluster-scoped authentication policy. Only |
| // policy with this name in the cluster-scoped will be considered. |
| DefaultAuthenticationPolicyName = "default" |
| |
| // IstioMeshGateway is the built in gateway for all sidecars |
| IstioMeshGateway = "mesh" |
| |
| // The data name in the ConfigMap of each namespace storing the root cert of non-Kube CA. |
| CACertNamespaceConfigMapDataName = "root-cert.pem" |
| |
| // PodInfoLabelsPath is the filepath that pod labels will be stored |
| // This is typically set by the downward API |
| PodInfoLabelsPath = "./etc/istio/pod/labels" |
| |
| // PodInfoAnnotationsPath is the filepath that pod annotations will be stored |
| // This is typically set by the downward API |
| PodInfoAnnotationsPath = "./etc/istio/pod/annotations" |
| |
| // DefaultServiceAccountName is the default service account to use for remote cluster access. |
| DefaultServiceAccountName = "istio-reader-service-account" |
| |
| // DefaultConfigServiceAccountName is the default service account to use for external Istiod config cluster access. |
| DefaultConfigServiceAccountName = "istiod" |
| |
| // KubeSystemNamespace is the system namespace where we place kubernetes system components. |
| KubeSystemNamespace string = "kube-system" |
| |
| // KubePublicNamespace is the namespace where we place kubernetes public info (ConfigMaps). |
| KubePublicNamespace string = "kube-public" |
| |
| // KubeNodeLeaseNamespace is the namespace for the lease objects associated with each kubernetes node. |
| KubeNodeLeaseNamespace string = "kube-node-lease" |
| |
| // LocalPathStorageNamespace is the namespace for dynamically provisioning persistent local storage with |
| // Kubernetes. Typically used with the Kind cluster: https://github.com/rancher/local-path-provisioner |
| LocalPathStorageNamespace string = "local-path-storage" |
| |
| TestVMLabel = "istio.io/test-vm" |
| |
| TestVMVersionLabel = "istio.io/test-vm-version" |
| |
| // Label to skip config comparison. |
| AlwaysPushLabel = "internal.istio.io/always-push" |
| |
| // InternalParentName declares the original resource of an internally-generate config. This is used by ingress and the gateway-api. |
| InternalParentName = "internal.istio.io/parent" |
| InternalRouteSemantics = "internal.istio.io/route-semantics" |
| RouteSemanticsIngress = "ingress" |
| RouteSemanticsGateway = "gateway" |
| |
| // TrustworthyJWTPath is the default 3P token to authenticate with third party services |
| TrustworthyJWTPath = "./var/run/secrets/tokens/istio-token" |
| |
| // CertProviderIstiod uses istiod self signed DNS certificates for the control plane |
| CertProviderIstiod = "istiod" |
| // CertProviderKubernetes uses the Kubernetes CSR API to generate a DNS certificate for the control plane |
| CertProviderKubernetes = "kubernetes" |
| // CertProviderKubernetesSignerPrefix uses the Kubernetes CSR API and the specified signer to generate a DNS certificate for the control plane |
| CertProviderKubernetesSignerPrefix = "k8s.io/" |
| // CertProviderCustom uses the custom root certificate mounted in a well known location for the control plane |
| CertProviderCustom = "custom" |
| // CertProviderNone does not create any certificates for the control plane. It is assumed that some external |
| // load balancer, such as an Istio Gateway, is terminating the TLS. |
| CertProviderNone = "none" |
| ) |