// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package server
import (
"crypto/tls"
grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
"github.com/sirupsen/logrus"
"google.golang.org/grpc"
"github.com/cilium/cilium/pkg/crypto/certloader"
"github.com/cilium/cilium/pkg/hubble/relay/defaults"
"github.com/cilium/cilium/pkg/hubble/relay/observer"
"github.com/cilium/cilium/pkg/logging"
"github.com/cilium/cilium/pkg/logging/logfields"
"github.com/cilium/cilium/pkg/time"
)
// MinTLSVersion defines the minimum TLS version clients are expected to
// support in order to establish a connection to the hubble-relay server.
// It is pinned to TLS 1.3.
// NOTE(review): nothing visible in this file reads the constant; confirm that
// the code building the server's tls.Config sets its MinVersion from it.
const MinTLSVersion = tls.VersionTLS13
// options stores all the configuration values for the hubble-relay server.
// Every field is written by the With* Option of the matching name defined in
// this file; the code that consumes the fields is not part of this file.
type options struct {
// peerTarget is the URL of the hubble peer service to connect to.
peerTarget string
// dialTimeout bounds the connection attempt to a hubble peer.
dialTimeout time.Duration
// retryTimeout is the wait before re-connecting to a peer after a lost connection.
retryTimeout time.Duration
// listenAddress is the listen address of the hubble-relay server.
listenAddress string
// healthListenAddress is the listen address of the gRPC health server.
healthListenAddress string
// metricsListenAddress is set by WithMetricsListenAddress and has no default.
metricsListenAddress string
// log is the logger used by hubble-relay.
log logrus.FieldLogger
// serverTLSConfig provides the TLS transport credentials for the server.
serverTLSConfig certloader.ServerConfigBuilder
// insecureServer is true when transport security was disabled for the server.
insecureServer bool
// clientTLSConfig provides the TLS transport credentials for connecting to peers.
clientTLSConfig certloader.ClientConfigBuilder
// clusterName is used to construct the TLSServerName that validates mTLS
// towards the K8s Peer service.
clusterName string
// insecureClient is true when transport security was disabled for
// connections to Hubble server instances.
insecureClient bool
// observerOptions accumulates the observer options added by the sort buffer
// and error aggregation options.
observerOptions []observer.Option
// grpcMetrics is the prometheus gRPC ServerMetrics the server is configured with.
grpcMetrics *grpc_prometheus.ServerMetrics
// grpcUnaryInterceptors and grpcStreamInterceptors hold the gRPC server
// interceptors in the order they were supplied.
grpcUnaryInterceptors []grpc.UnaryServerInterceptor
grpcStreamInterceptors []grpc.StreamServerInterceptor
}
// defaultOptions is the reference point for default values.
// Fields not listed keep their zero value: insecureServer and insecureClient
// are false, so transport security is not disabled by default, and both TLS
// config builders are nil until WithServerTLS / WithClientTLS are applied.
// metricsListenAddress is also left empty.
// NOTE(review): how a nil TLS config combined with insecure=false is handled
// is decided outside this file; confirm the server refuses to start rather
// than falling back to plaintext.
var defaultOptions = options{
peerTarget: defaults.PeerTarget,
dialTimeout: defaults.DialTimeout,
retryTimeout: defaults.RetryTimeout,
listenAddress: defaults.ListenAddress,
healthListenAddress: defaults.HealthListenAddress,
// Default logger tagged with the "hubble-relay" subsystem field.
log: logging.DefaultLogger.WithField(logfields.LogSubsys, "hubble-relay"),
}
// DefaultOptions to include in the server. Other packages may extend this
// in their init() function.
// This is a mutable package-level slice, so any package linked into the binary
// can append to it. Review the init() functions that do so: an option such as
// WithInsecureServer added here may take effect without appearing at the
// server's construction site (how the slice is applied is outside this file).
var DefaultOptions []Option
// Option customizes the configuration of the hubble-relay server.
// An Option mutates the options value it is given and may return an error;
// every option defined in this file returns nil and performs no validation.
type Option func(o *options) error
// WithPeerTarget sets the URL of the hubble peer service to connect to.
// The value is stored as given; it is neither parsed nor validated here.
func WithPeerTarget(t string) Option {
	apply := func(cfg *options) error {
		cfg.peerTarget = t
		return nil
	}
	return apply
}
// WithDialTimeout sets the dial timeout that is used when establishing a
// connection to a hubble peer. The duration is stored without a range check.
func WithDialTimeout(t time.Duration) Option {
	apply := func(cfg *options) error {
		cfg.dialTimeout = t
		return nil
	}
	return apply
}
// WithRetryTimeout sets the duration to wait before attempting to re-connect
// to a hubble peer when the connection is lost. The duration is stored
// without a range check.
func WithRetryTimeout(t time.Duration) Option {
	apply := func(cfg *options) error {
		cfg.retryTimeout = t
		return nil
	}
	return apply
}
// WithHealthListenAddress sets the listen address for the hubble-relay gRPC
// health server. The address is stored as given, without validation.
func WithHealthListenAddress(a string) Option {
	apply := func(cfg *options) error {
		cfg.healthListenAddress = a
		return nil
	}
	return apply
}
// WithListenAddress sets the listen address for the hubble-relay server.
// The address is stored as given, without validation, so which interfaces the
// server is reachable on is entirely the caller's choice.
func WithListenAddress(a string) Option {
	apply := func(cfg *options) error {
		cfg.listenAddress = a
		return nil
	}
	return apply
}
// WithMetricsListenAddress sets the listen address on which hubble-relay
// serves its metrics. defaultOptions provides no value for it, and the
// address is stored as given, without validation.
// NOTE(review): whether an empty address disables the metrics listener, and
// whether that listener is covered by the server TLS settings, is decided
// outside this file.
func WithMetricsListenAddress(a string) Option {
	apply := func(cfg *options) error {
		cfg.metricsListenAddress = a
		return nil
	}
	return apply
}
// WithSortBufferMaxLen sets the maximum number of flows that can be buffered
// for sorting before being sent to the client. The provided value must be
// greater than 0 and applies per client request, so memory use grows with the
// number of concurrent requests; keep the value moderate (a value between 30
// and 100 should be a good choice in most cases).
// The value is not checked here; it is handed to observer.WithSortBufferMaxLen
// when the returned Option is applied.
func WithSortBufferMaxLen(i int) Option {
	return func(cfg *options) error {
		sortOpt := observer.WithSortBufferMaxLen(i)
		cfg.observerOptions = append(cfg.observerOptions, sortOpt)
		return nil
	}
}
// WithSortBufferDrainTimeout sets the sort buffer drain timeout value. For
// flows requests where the total number of flows cannot be determined
// (typically for flows requests in follow mode), a flow is taken out of the
// buffer and sent to the client after duration d if the buffer is not full.
// This value must be greater than 0. Setting this value too low would render
// the flows sorting operation ineffective. A value between 500 milliseconds
// and 3 seconds should be a good choice in most cases.
// The value is not checked here; it is handed to
// observer.WithSortBufferDrainTimeout when the returned Option is applied.
func WithSortBufferDrainTimeout(d time.Duration) Option {
	return func(cfg *options) error {
		drainOpt := observer.WithSortBufferDrainTimeout(d)
		cfg.observerOptions = append(cfg.observerOptions, drainOpt)
		return nil
	}
}
// WithErrorAggregationWindow sets a time window during which errors with the
// same error message are coalesced. The aggregated error is forwarded to the
// downstream consumer either when the window expires or when a new, different
// error occurs (whichever happens first).
// The value is handed to observer.WithErrorAggregationWindow when the
// returned Option is applied.
func WithErrorAggregationWindow(d time.Duration) Option {
	return func(cfg *options) error {
		windowOpt := observer.WithErrorAggregationWindow(d)
		cfg.observerOptions = append(cfg.observerOptions, windowOpt)
		return nil
	}
}
// WithLogger sets the logger used by hubble-relay, replacing the default
// logger from defaultOptions. A nil logger is stored as given.
func WithLogger(log logrus.FieldLogger) Option {
	apply := func(cfg *options) error {
		cfg.log = log
		return nil
	}
	return apply
}
// WithServerTLS sets the transport credentials for the server based on TLS.
// The builder is stored as given, including a nil one.
// NOTE(review): the builder's contents are not inspected here; confirm that
// the code turning it into a tls.Config applies MinTLSVersion.
func WithServerTLS(cfg certloader.ServerConfigBuilder) Option {
	apply := func(opts *options) error {
		opts.serverTLSConfig = cfg
		return nil
	}
	return apply
}
// WithInsecureServer disables transport security. Transport security is
// required for the server unless WithInsecureServer is set (not recommended):
// without it, clients cannot authenticate the server and the traffic it serves
// is not encrypted.
// NOTE(review): the option only sets a flag; which setting wins when it is
// combined with WithServerTLS is decided outside this file.
func WithInsecureServer() Option {
	apply := func(opts *options) error {
		opts.insecureServer = true
		return nil
	}
	return apply
}
// WithClientTLS sets the transport credentials for connecting to peers based
// on the provided TLS configuration. The builder is stored as given,
// including a nil one.
func WithClientTLS(cfg certloader.ClientConfigBuilder) Option {
	apply := func(opts *options) error {
		opts.clientTLSConfig = cfg
		return nil
	}
	return apply
}
// WithInsecureClient disables transport security for connections to Hubble
// server instances. Transport security is required unless WithInsecureClient
// is set (not recommended): without it, the relay cannot authenticate the
// peers it connects to and the traffic it receives from them is not encrypted.
// NOTE(review): the option only sets a flag; which setting wins when it is
// combined with WithClientTLS is decided outside this file.
func WithInsecureClient() Option {
	apply := func(opts *options) error {
		opts.insecureClient = true
		return nil
	}
	return apply
}
// WithLocalClusterName sets the cluster name for the peer service
// so that it knows how to construct the proper TLSServerName
// to validate mTLS in the K8s Peer service.
// The name is stored as given, without validation. Because it feeds the
// expected TLS server name, it should come from trusted configuration.
func WithLocalClusterName(clusterName string) Option {
	apply := func(opts *options) error {
		opts.clusterName = clusterName
		return nil
	}
	return apply
}
// WithGRPCMetrics configures the server with the specified prometheus gRPC
// ServerMetrics. The pointer is stored as given, including nil.
func WithGRPCMetrics(grpcMetrics *grpc_prometheus.ServerMetrics) Option {
	apply := func(opts *options) error {
		opts.grpcMetrics = grpcMetrics
		return nil
	}
	return apply
}
// WithGRPCStreamInterceptor configures the server with the given gRPC server
// stream interceptors. They are appended, in the order given, to any stream
// interceptors already configured; earlier ones are never replaced.
func WithGRPCStreamInterceptor(interceptors ...grpc.StreamServerInterceptor) Option {
	return func(opts *options) error {
		chain := append(opts.grpcStreamInterceptors, interceptors...)
		opts.grpcStreamInterceptors = chain
		return nil
	}
}
// WithGRPCUnaryInterceptor configures the server with the given gRPC server
// unary interceptors. They are appended, in the order given, to any unary
// interceptors already configured; earlier ones are never replaced.
func WithGRPCUnaryInterceptor(interceptors ...grpc.UnaryServerInterceptor) Option {
	return func(opts *options) error {
		chain := append(opts.grpcUnaryInterceptors, interceptors...)
		opts.grpcUnaryInterceptors = chain
		return nil
	}
}