server

command
v1.0.0-alpha.1 Latest
Published: Aug 2, 2017 License: Apache-2.0 Imports: 45 Imported by: 0

README

Proof of concept Server

This server starts up a reverse proxy for gRPC and HTTP traffic (both have their own backend pool and routing sections in the config below).

Configuration

It is driven by two config documents, each of which can be passed either inline on the command line or as a path to a file:

The backend pool config, given inline via --kedge_config_backendpool_config or read from a file via --kedge_config_backendpool_config_path. Each named backend is resolved from the DNS SRV record in srv.dns_name, load-balanced with the given balancer policy, and may have interceptors (here Prometheus metrics) attached:

```json
{
  "grpc": {
    "backends": [
      {
        "name": "controller",
        "balancer": "ROUND_ROBIN",
        "interceptors": [
          {
            "prometheus": true
          }
        ],
        "srv": {
          "dns_name": "controller.eu1-prod.internal.improbable.io"
        }
      }
    ]
  },
  "http": {
    "backends": [
      {
        "name": "controller",
        "balancer": "ROUND_ROBIN",
        "srv": {
          "dns_name": "controller.metrics.eu1-prod.internal.improbable.io"
        }
      }
    ]
  }
}
```

The director config, given inline via --kedge_config_director_config or read from a file via --kedge_config_director_config_path. Routes map an incoming request (the gRPC :authority plus service name, or the HTTP Host) to a named backend from the pool; adhoc_rules additionally let HTTP requests for hosts matching a DNS-name pattern be proxied directly, but only to ports inside the listed allowed_ranges:

```json
{
  "grpc": {
    "routes": [
      {
        "backend_name": "controller",
        "service_name_matcher": "*",
        "authority_matcher": "controller.ext.cluster.local"
      }
    ]
  },
  "http": {
    "routes": [
      {
        "backend_name": "controller",
        "host_matcher": "controller.ext.cluster.local"
      }
    ],
    "adhoc_rules": [
      {
        "dns_name_matcher": "*.pod.cluster.local",
        "port": {
          "allowed_ranges": [
            {
              "from": 40,
              "to": 10000
            }
          ]
        }
      }
    ]
  }
}
```
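To make the director's decision concrete, here is an added example (illustrative code written for this page, not kedge's own implementation) that resolves an HTTP Host header against the director.json above. It assumes static routes are tried before adhoc rules, that host_matcher is an exact hostname comparison, that "*" in an adhoc dns_name_matcher stands for exactly one DNS label, and that a Host without a port means port 80; the type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strconv"
	"strings"
)

// Added example: an illustrative re-implementation of the director's HTTP
// routing decision, not kedge's own code. Assumed semantics: routes are tried
// before adhoc rules, host_matcher is an exact hostname match, "*" in an
// adhoc dns_name_matcher matches one DNS label, and a bare Host means port 80.

type Route struct{ BackendName, HostMatcher string }
type PortRange struct{ From, To int }
type AdhocRule struct {
	DNSNameMatcher string
	AllowedRanges  []PortRange
}
type Director struct {
	Routes     []Route
	AdhocRules []AdhocRule
}

// Decision describes where the proxy would forward the request.
type Decision struct {
	Backend string // backend-pool name when a static route matched
	Adhoc   bool   // true when an adhoc rule authorised a direct dial
	Host    string
	Port    int
}

var ErrNoRoute = errors.New("no route or adhoc rule matches")
var ErrPortNotAllowed = errors.New("port outside the rule's allowed ranges")

// splitHostPort lower-cases the host and separates an optional ":port".
func splitHostPort(hostport string, defaultPort int) (string, int, error) {
	i := strings.LastIndex(hostport, ":")
	if i < 0 {
		return strings.ToLower(hostport), defaultPort, nil
	}
	port, err := strconv.Atoi(hostport[i+1:])
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("invalid port in %q", hostport)
	}
	return strings.ToLower(hostport[:i]), port, nil
}

// labelGlobMatch matches label by label: dots become "/" so that path.Match's
// "*" cannot span more than one DNS label ("a.b.pod..." must not match).
func labelGlobMatch(pattern, host string) (bool, error) {
	return path.Match(strings.ReplaceAll(pattern, ".", "/"), strings.ReplaceAll(host, ".", "/"))
}

// Route resolves the Host header of an incoming HTTP request.
func (d *Director) Route(hostHeader string) (Decision, error) {
	host, port, err := splitHostPort(hostHeader, 80)
	if err != nil {
		return Decision{}, err
	}
	// 1. Static routes send the request to a named backend from the pool.
	for _, r := range d.Routes {
		if r.HostMatcher == host {
			return Decision{Backend: r.BackendName, Host: host, Port: port}, nil
		}
	}
	// 2. Adhoc rules let the proxy dial the requested name directly, so the
	//    port allow-list is what keeps clients off arbitrary internal services;
	//    a name that matches but uses a disallowed port is rejected outright.
	for _, rule := range d.AdhocRules {
		ok, err := labelGlobMatch(rule.DNSNameMatcher, host)
		if err != nil {
			return Decision{}, fmt.Errorf("bad dns_name_matcher %q: %w", rule.DNSNameMatcher, err)
		}
		if !ok {
			continue
		}
		for _, pr := range rule.AllowedRanges {
			if port >= pr.From && port <= pr.To {
				return Decision{Adhoc: true, Host: host, Port: port}, nil
			}
		}
		return Decision{}, ErrPortNotAllowed
	}
	return Decision{}, ErrNoRoute
}

// DirectorFromReadme is the director.json above, constructed in code.
func DirectorFromReadme() *Director {
	return &Director{
		Routes: []Route{{BackendName: "controller", HostMatcher: "controller.ext.cluster.local"}},
		AdhocRules: []AdhocRule{{
			DNSNameMatcher: "*.pod.cluster.local",
			AllowedRanges:  []PortRange{{From: 40, To: 10000}},
		}},
	}
}
```

With this config, controller.ext.cluster.local goes to the "controller" backend, web-1.pod.cluster.local:8080 is dialled directly under the adhoc rule, web-1.pod.cluster.local:22 is refused because 22 is below the allowed range, and a.b.pod.cluster.local is refused because the wildcard covers a single label. The port range is the whole access-control story for adhoc traffic, so keep it as narrow as the workloads actually need.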

Running

Here's an example that runs the server listening on three ports (80 for plain debug HTTP, 443 for HTTPS and gRPC over TLS, 444 for gRPC over TLS only) and requiring client-side certificates issued by the CA in --server_tls_client_ca_files (mutual TLS):

```sh
go build
./server \
  --server_grpc_tls_port=444 \
  --server_http_port=80 \
  --server_http_tls_port=443 \
  --server_tls_cert_file=../misc/localhost.crt \
  --server_tls_key_file=../misc/localhost.key \
  --server_tls_client_ca_files=../misc/ca.crt \
  --server_tls_client_cert_required=true \
  --kedge_config_director_config_path=../misc/director.json \
  --kedge_config_backendpool_config_path=../misc/backendpool.json
```

Optionally you can drop the client-side certificate requirement and authorize on an OIDC ID token (a JWT) instead, in case you already have an OIDC provider running that supports filling permissions into an ID token claim. The four --server_oidc_* flags name the trusted issuer, the client ID the token must be issued for, the claim that carries the permission list, and the single permission a request must hold:

```sh
go build
./server \
  --server_grpc_tls_port=444 \
  --server_http_port=80 \
  --server_http_tls_port=443 \
  --server_tls_cert_file=../misc/localhost.crt \
  --server_tls_key_file=../misc/localhost.key \
  --server_tls_client_ca_files=../misc/ca.crt \
  --server_tls_client_cert_required=false \
  --kedge_config_director_config_path=../misc/director.json \
  --kedge_config_backendpool_config_path=../misc/backendpool.json \
  --server_oidc_provider_url="https://issuer.example.org" \
  --server_oidc_client_id="some-client-id" \
  --server_oidc_perms_claim="perms" \
  --server_oidc_required_perm="perms-prod-example"
```

Note that the flag values must be written as --flag=value with no spaces around the equals sign; Go-style flag parsing treats a bare "=" as the value and stops parsing at the quoted string that follows. With --server_tls_client_cert_required=false a client that presents no certificate is accepted at the TLS layer, so the ID-token check is the only thing authorizing those requests: make sure the issuer and client ID you configure are exactly the ones your provider puts into the token before relaxing the certificate requirement.
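The following is an added example, written for this page and not kedge's own code, of the checks an ID-token authoriser configured by those four flags has to make before letting a request through: pinned algorithm, signature, issuer, audience, expiry, and the required permission in the configured claim. So that it runs offline it verifies an HS256 shared-key signature, which is an assumption of the example; a real OIDC provider signs ID tokens with an asymmetric key published through its discovery document, and that signature is what a deployment must verify. The OIDCConfig, Authorize and SignHS256 names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Added example, not kedge's code: the checks an ID-token authoriser driven by
// the four --server_oidc_* flags has to make before admitting a request. The
// HS256 shared key is an assumption so the example runs offline; a real OIDC
// provider signs with an asymmetric key published via its discovery document.

type OIDCConfig struct {
	ProviderURL  string // --server_oidc_provider_url, must equal "iss"
	ClientID     string // --server_oidc_client_id, must appear in "aud"
	PermsClaim   string // --server_oidc_perms_claim, claim holding the permissions
	RequiredPerm string // --server_oidc_required_perm
}

type Claims map[string]interface{}
var enc = base64.RawURLEncoding

// verifyHS256 checks the token's structure and signature and returns its claims.
func verifyHS256(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: "alg":"none" or any other value is rejected outright
	// instead of being dispatched on whatever the token's author chose.
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	payload, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	return c, nil
}

// hasString reports whether v is the string want or a JSON array containing it.
func hasString(v interface{}, want string) bool {
	switch x := v.(type) {
	case string:
		return x == want
	case []interface{}:
		for _, e := range x {
			if s, ok := e.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// Authorize admits the request only if the token is genuine, issued by the
// configured provider for this client, unexpired, and grants the permission.
func (cfg OIDCConfig) Authorize(token string, key []byte, now time.Time) error {
	c, err := verifyHS256(token, key)
	if err != nil {
		return err
	}
	if iss, _ := c["iss"].(string); iss != cfg.ProviderURL {
		return errors.New("issuer is not the configured provider")
	}
	if !hasString(c["aud"], cfg.ClientID) {
		return errors.New("token was not issued for this client_id")
	}
	if exp, ok := c["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return errors.New("token expired or has no exp")
	}
	if !hasString(c[cfg.PermsClaim], cfg.RequiredPerm) {
		return errors.New("required permission not granted by the perms claim")
	}
	return nil
}

// SignHS256 mints a token for the constructed inputs used when exercising Authorize.
func SignHS256(c Claims, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and audience is checked even though the issuer is trusted, because a token the same provider issued for a different client must not open this proxy.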

Documentation


There is no documentation for this package.
