pkg/mesh/krun.go (12 lines): - line 83: // TODO: use service name as default - line 101: // TODO: use the GSA name as default namespace. - line 107: // TODO: use service name as default - line 123: // TODO: replace with Workloadlocation. Config cluster location not used. - line 152: // This will be loaded at startup (TODO: and periodically or on demand for dynamic changes - XDS may also - line 287: // TODO: if meshURL is set and is file:// or gke:// - use it directly - line 293: // TODO: on GKE detect KSA from the JWT or workload cert. - line 303: // TODO: detect the namespace from the JWT token if on GKE - line 349: // TODO: stop using this, use ProxyConfig.DiscoveryAddress instead - line 439: // TODO: trace on errors - line 446: // TODO: we may want to reload mesh-env, and adjust behavior ( log levels, etc) - line 505: // TODO: URL, like 'konfig' ( including gcp pseudo-URL like gcp://cluster.location.project/.... ) pkg/gcp/gcp-kubeconfig.go (8 lines): - line 57: // TODO: finish hub. - line 96: // TODO: detect if the cluster is k8s from some env ? - line 217: // TODO: Use MeshCA if citadel is not in cluster - line 231: // TODO: only if mesh_env contains a WorkloadCertificateConfig with endpoint starting with //privateca.googleapis.com - line 257: // TODO: attempt to get the config project ID from a label on the workload or project - line 322: // TODO: connect to cluster, find istiod - and keep trying until a working one is found ( fallback ) - line 365: // TODO: set default if not set ? - line 390: // First attempt to find a cluster in same region, with the name prefix istio (TODO: label or other way to identify pkg/mesh/istio.go (6 lines): - line 204: // TODO: use the trust domain from mesh-env - line 277: // TODO: add support for passing a long lived 1p JWT in a file, for local run - line 363: // TODO: look in /var... - line 373: // TODO: New version of Istio does this automatically, will be removed - line 578: // TODO: make the stdout/stderr available in a debug endpoint - line 582: // TODO: lookup istiod service and endpoints ( instead of using an ILB or external name) pkg/hbone/hboned.go (6 lines): - line 63: // TODO: refine the 'wildcard' to indicate http1/2 protocol - line 64: // TODO: this can be populated from a WorkloadGroup object, loaded from XDS or mesh env. - line 87: h2.ReadIdleTimeout = 10 * time.Minute // TODO: much larger to support long-lived connections - line 123: // connection will be forwarded to localhost:8080 ( TODO: custom port ). - line 125: // TODO: setting for app protocol=h2, http, tcp - initial impl uses tcp - line 145: // TODO: parse Envoy / hbone headers. pkg/sshd/tcpip.go (5 lines): - line 128: // TODO: log parse failure - line 137: // TODO: log listen failure - line 161: // TODO: log accept failure - line 180: // TODO: log failure to open channel - line 207: // TODO: log parse failure pkg/mesh/certs.go (5 lines): - line 22: // TODO: rotation - line 23: // TODO: save last cert in the chain to roots - line 24: // TODO: only use CAS if mesh-env is configured - line 67: // TODO: decode WorkloadCertificateConfig, use EC256 or RSA - line 309: // TODO: add the SAN, it is not required, server will fill up pkg/hbone/sni.go (4 lines): - line 34: d := net.Dialer{} // TODO: customizations - line 114: // TODO: if a session ID is provided, use it as a cookie and attempt - line 118: // TODO: in mesh, use one cypher suite (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) - line 254: // TODO: unmangle server name - port, mesh node manifests/hgate/service.yaml (4 lines): - line 15: # TODO: add a gateway injection - line 16: # TODO: add RBAC to create Service and WorkloadInstance for auto-registration - line 17: # TODO: option to use ILB ( requires Cloudrun connector ) or regular LB - can be used without connector - line 28: # TODO: fix whitebox mode to honor UNTRUSTED pkg/mesh/grpc_bootstrap.go (3 lines): - line 48: // TODO use structs from gRPC lib if created/exported - line 155: // TODO direct to CP should use secure channel (most likely JWT + TLS, but possibly allow mTLS) - line 177: // TODO use a more appropriate interval cmd/hbone/hbone.go (3 lines): - line 105: // TODO: k8s discovery for hgate - line 106: // TODO: -R to register to the gate, reverse proxy - line 107: // TODO: get certs pkg/hbone/io.go (3 lines): - line 31: // TODO: benchmark different sizes. - line 225: // TODO: close write - line 307: // TODO: callback to notify. This may happen if interface restarts, etc. manifests/sni-service-template.yaml (3 lines): - line 25: # TODO: replace K_SERVICE with K_SERVICE_BASE_URL, WORKLOAD_NAME with K_SERVICE - line 41: # TODO: auto-create this if it doesn't exist, in SNIGate - line 44: # TODO: support custom ports in cloudrun meshcon/meshconnectord/meshenv.go (3 lines): - line 51: // TODO: depending on error, move on or report a real error - line 129: // TODO: set CAS based on the WorkloadCertificate config - for now use the default name if Zatar is enabled - line 137: // TODO: use CAROOT_XXX to save multiple CAs (MeshCA, Citadel, other clusters) pkg/sts/sts.go (2 lines): - line 150: // TODO: better way to determine if the destination supports federated token directly. - line 208: // TODO: can be used with any GSA, if the permission to call generateAccessToken is granted. pkg/sshd/ssh.go (2 lines): - line 274: // TODO: track the session, for direct use - line 300: // TODO: allow connections to mesh VIPs pkg/k8s/k8s_client.go (2 lines): - line 77: // TODO: if env variable with cluster name/location are set - use that for context - line 86: // TODO: if env variable with cluster name/location are set - use that for context meshcon/meshconnectord/snigate.go (2 lines): - line 147: // TODO: extract 'version' from URL, convert it to cloudrun revision ? - line 148: // TODO: watcher on Service or ServiceEntry ( k8s or XDS ) to get annotation, allowing service name to be different pkg/sshd/ssh_exec.go (2 lines): - line 408: // // TODO: option/callback to allow agent forwarding - line 421: // TODO: debug log pkg/hbone/hbonec.go (2 lines): - line 82: // TODO: for host and port - assume mTLS, using system certs for the 'external' tunnel - line 83: // TODO: resolver call, to map to endpoint (including SNI routers or gateway) pkg/echo/echo.go (1 line): - line 82: // TODO: add delay (based on req) meshcon/meshconnectord/meshenv-gcp.go (1 line): - line 78: // TODO: find default tag, label, etc. cmd/krun/krun.go (1 line): - line 97: // TODO: wait for app ready before binding to port - using same CloudRun 'bind to port 8080' or proper health check pkg/mesh/app.go (1 line): - line 133: startupTimeout := 10 * time.Second // TODO: make customizable cloudbuild.yaml (1 line): - line 124: # TODO: combine gcloud, go, etc in single image - Istio build image is huge manifests/sidecar-imports.yaml (1 line): - line 4: # TODO: in 1.13, fix whitebox to not attempt to listent on priv ports. pkg/mesh/envoy.go (1 line): - line 38: // TODO: add a simplified template, customize from ProxyConfig.