- #!/command/with-contenv /bin/bash
- # shellcheck shell=bash
- # shellcheck disable=SC1091,SC1090,SC2035
- SCRIPT_ROOT=/etc/s6-overlay/scripts
- source "$SCRIPT_ROOT/base.sh"
- source "$GPUSTACK_GATEWAY_CONFIG"
- source "$SCRIPT_ROOT/default-variables.sh"
- export REVISION="default"
- export JWT_POLICY="none"
- export POD_NAME="higress-pilot"
- export POD_NAMESPACE="higress-system"
- export ROOT_CA_DIR="/etc/certs"
- export PILOT_CERT_PROVIDER="istiod"
- export PILOT_ENABLE_LDS_CACHE="false"
- export PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY="false"
- export PILOT_ENABLE_METADATA_EXCHANGE="false"
- export PILOT_SCOPE_GATEWAY_TO_NAMESPACE="true"
- export VALIDATION_ENABLED="false"
- export PILOT_TRACE_SAMPLING="1"
- export PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND="true"
- export PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND="true"
- export PILOT_ENABLE_ANALYSIS="false"
- export PILOT_ENABLE_GATEWAY_API="false"
- export PILOT_ENABLE_ALPHA_GATEWAY_API="false"
- export PILOT_ENABLE_GATEWAY_API_STATUS="false"
- export PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER="false"
- export PILOT_ENABLE_ALPN_FILTER="true"
- export VALIDATION_WEBHOOK_CONFIG_NAME=""
- export ISTIO_DUAL_STACK="false"
- export ENABLE_OPTIMIZED_CONFIG_REBUILD="false"
- export PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES="false"
- export DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD="10000"
- export ISTIO_GPRC_MAXRECVMSGSIZE="104857600"
- export ENBALE_SCOPED_RDS="true"
- export ON_DEMAND_RDS="false"
- export HOST_RDS_MERGE_SUBSET="false"
- export ENABLE_LEADER_ELECTION="false"
- export PRIORITIZED_LEADER_ELECTION="false"
- export INJECT_ENABLED="false"
- export CLUSTER_ID="Kubernetes"
- export CUSTOM_CA_CERT_NAME="higress-ca-root-cert"
- export DEBUG_AUTH="false"
- function initCerts() {
- RSA_KEY_LENGTH=4096
- createDir /etc/certs
- cd /etc/certs
- openssl req -newkey rsa:$RSA_KEY_LENGTH -nodes -keyout root-key.pem -x509 -days 36500 -out root-cert.pem >/dev/null 2>&1 <<EOF
- CN
- Shanghai
- Shanghai
- Higress
- Gateway
- Root CA
- rootca@higress.io
- EOF
- cat <<EOF >ca.cfg
- [req]
- distinguished_name = req_distinguished_name
- req_extensions = v3_req
- prompt = no
- [req_distinguished_name]
- C = CN
- ST = Shanghai
- L = Shanghai
- O = Higress
- CN = Higress CA
- [v3_req]
- keyUsage = keyCertSign
- basicConstraints = CA:TRUE
- subjectAltName = @alt_names
- [alt_names]
- DNS.1 = ca.higress.io
- EOF
- openssl genrsa -out ca-key.pem $RSA_KEY_LENGTH >/dev/null &&
- openssl req -new -key ca-key.pem -out ca-cert.csr -config ca.cfg -batch -sha256 >/dev/null 2>&1 &&
- openssl x509 -req -days 36500 -in ca-cert.csr -sha256 -CA root-cert.pem -CAkey root-key.pem -CAcreateserial -out ca-cert.pem -extensions v3_req -extfile ca.cfg >/dev/null 2>&1
- cp ca-cert.pem cert-chain.pem >/dev/null
- chmod a+r ca-key.pem
- cat <<EOF >gateway.cfg
- [req]
- distinguished_name = req_distinguished_name
- req_extensions = v3_req
- prompt = no
- [req_distinguished_name]
- C = CN
- ST = Shanghai
- L = Shanghai
- O = Higress
- CN = Higress Gateway
- [v3_req]
- keyUsage = digitalSignature, keyEncipherment
- subjectAltName = URI:spiffe://cluster.local/ns/higress-system/sa/higress-gateway
- EOF
- openssl genrsa -out gateway-key.pem $RSA_KEY_LENGTH > /dev/null \
- && openssl req -new -key gateway-key.pem -out gateway-cert.csr -config gateway.cfg -batch -sha256 > /dev/null 2>&1 \
- && openssl x509 -req -days 36500 -in gateway-cert.csr -sha256 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out gateway-cert.pem -extensions v3_req -extfile gateway.cfg > /dev/null 2>&1
- chmod a+r gateway-key.pem
- cat ca-cert.pem >> gateway-cert.pem
- mv gateway-cert.pem cert-chain.pem
- mv gateway-key.pem key.pem
- rm *.csr >/dev/null
- rm *.cfg >/dev/null
- cd -
- }
- set -e
- exec 2>&1
- initCerts
- export PILOT_FILTER_GATEWAY_CLUSTER_CONFIG="true"
- exec s6-notifyoncheck \
- -d -w 5000 -n 10 -s 3000 \
- -- \
- /usr/local/bin/pilot-discovery \
- discovery \
- --kubeconfig="${EMBEDDED_KUBECONFIG_PATH}" \
- --grpcAddr= \
- --secureGRPCAddr=localhost:15012 \
- --httpAddr=localhost:15010 \
- --httpsAddr= \
- --monitoringAddr= \
- --log_output_level=default:info \
- --domain=cluster.local \
- --keepaliveMaxServerConnectionAge=30m \
- --caCertFile=/etc/certs/ca-cert.pem \
- --meshConfig=/etc/istio/config/mesh \
- --networksConfig=/etc/istio/config/meshNetworks