security

package
Published: Nov 17, 2023 License: Apache-2.0 Imports: 39 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CurrentNamespace

func CurrentNamespace() string

CurrentNamespace returns the namespace of this workload.

func CurrentNamespaceOrError added in v1.12.1

func CurrentNamespaceOrError() (string, error)

CurrentNamespaceOrError returns the namespace of this workload, or an error if the current namespace is not found.

func GetAPIToken

func GetAPIToken() string

GetAPIToken returns the value of the API token read from an environment variable.

func GetAppToken

func GetAppToken() string

GetAppToken returns the value of the app API token read from an environment variable.

func SentryID

func SentryID(sentryTrustDomain spiffeid.TrustDomain, sentryNamespace string) (spiffeid.ID, error)

SentryID returns the SPIFFE ID of the sentry server.

Types

type Handler

// Handler implements middleware for client and server connection security.
// It supplies gRPC and TLS configuration for this workload and exposes the
// trust anchors used to validate peers.
type Handler interface {
	// GRPCServerOptionMTLS returns a gRPC server option; by its name it
	// configures the server for mutual TLS (the client presents a certificate).
	GRPCServerOptionMTLS() grpc.ServerOption
	// GRPCServerOptionNoClientAuth returns a gRPC server option; by its name
	// it does not require a client certificate. NOTE(review): callers should
	// confirm the endpoint authenticates peers by other means before using it.
	GRPCServerOptionNoClientAuth() grpc.ServerOption
	// GRPCDialOptionMTLSUnknownTrustDomain returns a gRPC dial option for the
	// peer identified by namespace and app ID; the name suggests the trust
	// domain is resolved by the implementation rather than the caller — confirm.
	GRPCDialOptionMTLSUnknownTrustDomain(ns, appID string) grpc.DialOption
	// GRPCDialOptionMTLS returns a gRPC dial option for the peer with the
	// given SPIFFE ID.
	GRPCDialOptionMTLS(spiffeid.ID) grpc.DialOption

	// TLSServerConfigNoClientAuth returns a TLS server config; by its name it
	// does not require a client certificate (same caveat as
	// GRPCServerOptionNoClientAuth).
	TLSServerConfigNoClientAuth() *tls.Config
	// NetListenerID returns a listener derived from the given one for the
	// given SPIFFE ID; presumably it secures accepted connections — confirm.
	NetListenerID(net.Listener, spiffeid.ID) net.Listener
	// NetDialerID returns a dial function for the peer with the given SPIFFE
	// ID. The time.Duration is presumably a dial timeout — confirm.
	NetDialerID(context.Context, spiffeid.ID, time.Duration) func(network, addr string) (net.Conn, error)

	// ControlPlaneTrustDomain returns the trust domain of the control plane
	// components (see Options.ControlPlaneTrustDomain).
	ControlPlaneTrustDomain() spiffeid.TrustDomain
	// ControlPlaneNamespace returns the namespace of the control plane
	// components (see Options.ControlPlaneNamespace).
	ControlPlaneNamespace() string
	// CurrentTrustAnchors returns the current trust anchors, or an error.
	// Presumably X.509 PEM encoded CA certificates as in Options.TrustAnchors
	// — confirm against the implementation.
	CurrentTrustAnchors() ([]byte, error)

	// WatchTrustAnchors sends on the channel when the trust anchors change;
	// presumably it runs until the context is done — confirm. Only the
	// send side of the channel is exposed to the implementation.
	WatchTrustAnchors(context.Context, chan<- []byte)
}

Handler implements middleware for client and server connection security.

type Options

// Options are the options for the security authenticator.
type Options struct {
	// SentryAddress is the network address of the sentry server.
	SentryAddress string

	// ControlPlaneTrustDomain is the trust domain of the control plane
	// components.
	ControlPlaneTrustDomain string

	// ControlPlaneNamespace is the dapr namespace of the control plane
	// components.
	ControlPlaneNamespace string

	// TrustAnchors is the X.509 PEM encoded CA certificates for this Dapr
	// installation. Cannot be used with TrustAnchorsFile. TrustAnchorsFile is
	// preferred so changes to the file are automatically picked up.
	TrustAnchors []byte

	// TrustAnchorsFile is the path to the X.509 PEM encoded CA certificates for
	// this Dapr installation. Prefer this over TrustAnchors so changes to the
	// file are automatically picked up. Cannot be used with TrustAnchors.
	TrustAnchorsFile string

	// AppID is the application ID of this workload.
	AppID string

	// MTLSEnabled is true if mTLS is enabled.
	MTLSEnabled bool

	// OverrideCertRequestSource is used to override where certificates are requested
	// from. Default to an implementation requesting from Sentry.
	OverrideCertRequestSource RequestFn

	// WriteSVIDToDir is the directory to write the X.509 SVID certificate private
	// key pair to. This is highly discouraged since it results in the private
	// key being written to file. A nil value means nothing is written — presumably;
	// confirm against the implementation.
	WriteSVIDToDir *string

	// Mode is the operation mode of this security instance (self-hosted or
	// Kubernetes).
	Mode modes.DaprMode
}

Options are the options for the security authenticator.

type Provider

// Provider is the security provider.
type Provider interface {
	// Run runs the provider until the context is done or an error occurs —
	// presumably; confirm against the implementation.
	Run(context.Context) error
	// Handler returns the Handler for this provider, or an error.
	Handler(context.Context) (Handler, error)
}

Provider is the security provider.

func New

func New(ctx context.Context, opts Options) (Provider, error)

type RequestFn

// RequestFn requests certificates (see Options.OverrideCertRequestSource).
// The der argument is a DER-encoded payload — presumably a certificate
// signing request; confirm against the caller.
type RequestFn func(ctx context.Context, der []byte) ([]*x509.Certificate, error)

Directories
