Documentation
Index
- Constants
- type Backend
- type BackendJWTAuth
- type BackendOptions
- type BackendTokenAuthConfig
- type ClientCertInfo
- type ExistingHeaderMutation
- type GRPCServer
- type HeaderAmendments
- type HeaderMatcher
- type HeaderMutation
- type HeaderMutations
- type JWTProvider
- type JWTProviders
- type LBACConfig
- type LBACServerConfig
- type MTLSConfig
- type Options
- type RBACPolicies
- type ReadBackend
- type RemoteJWKSURI
- type TokenAuthConfig
- type TokenReviewServer
- type WriteBackend
Constants
    const (
        AdminPort         = 9901
        ReadListenerPort  = 8080
        WriteListenerPort = 8081
    )
Variables
This section is empty.
Functions
This section is empty.
Types
type Backend
    type Backend struct {
        // Address is the address of the backend service.
        Address string
        // Port is the port of the backend service.
        Port uint32
        // Scheme is the scheme of the backend service.
        // If empty, the scheme will be http.
        Scheme string
    }
Backend represents a backend service that the proxy will route traffic to.
type BackendJWTAuth
    type BackendJWTAuth struct {
        // ProviderName is the name of the JWT provider.
        ProviderName string
        // Audiences of the JWT provider.
        // If not specified, the audiences in JWT will not be checked.
        Audiences []string
        // contains filtered or unexported fields
    }
BackendJWTAuth is the per-backend configuration for JWT authentication.
type BackendOptions
    type BackendOptions struct {
        // BackendConfig is the configuration for the backend service.
        BackendConfig Backend
        // MatchRouteRegex is the regex that the backend service will match on.
        MatchRouteRegex string
        // HeaderMutations is the mutations to be applied to HTTP headers.
        // These mutations will be applied to the incoming HTTP request before it is matched with a route.
        HeaderMutations HeaderMutations
        // HeaderAmendments allows the addition and removal of headers after a route is matched but before the request is sent to the backend.
        HeaderAmendments HeaderAmendments
        // HeaderMatcher is the header matcher that matches a header name and value.
        HeaderMatcher *HeaderMatcher
        // TokenAuthConfig is the configuration for token authentication.
        TokenAuthConfig BackendTokenAuthConfig
        // MTLSConfig is the configuration for mTLS.
        MTLSConfig *MTLSConfig
        // contains filtered or unexported fields
    }
BackendOptions is the configuration for the backend service.
type BackendTokenAuthConfig
    type BackendTokenAuthConfig struct {
        // JWTAuth is the JWT authentication configuration.
        // If not specified, the JWT authentication will not be enabled.
        JWTAuth *BackendJWTAuth
        // EnableKubernetesTokenReview enables token review.
        // If not specified, token review will not be enabled.
        EnableKubernetesTokenReview bool
    }
BackendTokenAuthConfig is the per-backend configuration for token authentication. Only one of JWTAuth or EnableKubernetesTokenReview can be specified. If neither is specified, token authentication will not be enabled. If both are specified, the configuration will be invalid.
type ClientCertInfo
    type ClientCertInfo int
ClientCertInfo represents some aspect of the client certificate that can be extracted. These values can be extracted from the client certificate and added as a header to the request.
    const (
        // ClientCertInfoPeerIPSan is the IP addresses present in the SAN of the peer certificate.
        ClientCertInfoPeerIPSan ClientCertInfo = iota
        // ClientCertInfoPeerDNSSan is the DNS names present in the SAN of the peer certificate.
        ClientCertInfoPeerDNSSan
        // ClientCertInfoPeerURISan is the URIs present in the SAN of the peer certificate.
        ClientCertInfoPeerURISan
        // ClientCertInfoPeerEmailSAN is the email addresses present in the SAN of the peer certificate.
        ClientCertInfoPeerEmailSAN
        // ClientCertInfoPeerOtherNamesSAN is the OtherNames present in the SAN of the peer certificate.
        ClientCertInfoPeerOtherNamesSAN
        // ClientCertInfoPeerSubject is the subject of the peer certificate.
        ClientCertInfoPeerSubject
        // ClientCertInfoPeerIssuer is the issuer of the peer certificate.
        ClientCertInfoPeerIssuer
    )
func (ClientCertInfo) String
    func (ci ClientCertInfo) String() string
String returns the string representation of the ClientCertInfo.
type ExistingHeaderMutation
    type ExistingHeaderMutation struct {
        // FromRequestHeader specifies the header to look for in the incoming HTTP request.
        FromRequestHeader string
    }
ExistingHeaderMutation represents a mutation that extracts a value from an existing HTTP request header. It contains the name of the header to look for in the incoming HTTP request.
func (ExistingHeaderMutation) String
    func (ehm ExistingHeaderMutation) String() string
String returns the string representation of the ExistingHeaderMutation.
type GRPCServer
    type GRPCServer struct {
        // Address is the address to listen on for requests.
        Address string
        // Port is the port to listen on for gRPC requests.
        Port uint32
    }
GRPCServer is the configuration for the gRPC server.
type HeaderAmendments
    type HeaderAmendments struct {
        // AddHeaders is a map of headers to add to the request.
        AddHeaders map[string]string
        // RemoveHeaders is a list of headers to remove from the request.
        RemoveHeaders []string
    }
HeaderAmendments allows the addition and removal of headers after a route is matched but before the request is sent to the backend.
type HeaderMatcher
HeaderMatcher represents a header matcher that matches a header name and value. This can be used to enforce that a header is present and has a specific value.
type HeaderMutation
    type HeaderMutation struct {
        // SetHeader is the name of the header to be set.
        SetHeader string
        // FromValue is the value to set the header to, implementing the fmt.Stringer interface.
        FromValue fmt.Stringer
    }
HeaderMutation represents a mutation to be applied to HTTP headers. It contains the header to be set and the value to set it to.
type HeaderMutations
    type HeaderMutations []HeaderMutation
HeaderMutations is a list of HeaderMutation.
type JWTProvider
    type JWTProvider struct {
        // Issuer URI of the JWT provider.
        Issuer string
        // RemoteJWKsURI is the URI of the JWKs endpoint.
        RemoteJWKsURI RemoteJWKSURI
        // LocalJWKs is the local JWKs.
        // If provided it is preferred over RemoteJWKsURI.
        LocalJWKs *string
    }
JWTProvider defines the JWT provider configuration.
type JWTProviders
    type JWTProviders map[string]JWTProvider
JWTProviders is a map of JWT provider names to JWT providers.
type LBACConfig
    type LBACConfig struct {
        ServerConfig LBACServerConfig
        // LBACPolicies is the list of CEL policies for label based access control.
        LBACPolicies []lbac.RawPolicy
    }
LBACConfig is the configuration for label based access control.
type LBACServerConfig
    type LBACServerConfig GRPCServer
LBACServerConfig is the configuration for the label-based access control server. This is a server that implements the ExternalProcessor interface.
type MTLSConfig
    type MTLSConfig struct {
        // TrustedCA is the path to the trusted CA certificate.
        TrustedCA string
        // ServerCert is the path to the server certificate.
        ServerCert string
        // ServerKey is the path to the server key.
        ServerKey string
        // MatchSANs is the list of SANs to match.
        // If not specified, the SANs in the server certificate will not be checked.
        MatchSANs []string
    }
MTLSConfig is the configuration for mTLS.
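The field comments on BackendJWTAuth, BackendTokenAuthConfig and MTLSConfig each name a setting that, when left empty, switches a check off or makes the configuration invalid. The following is an added example, not code from this package: it audits those documented cases over local stand-in structs that mirror the field names on this page. `AuditBackend` is a hypothetical helper, and the sample values are constructed.

```go
package main

import "fmt"

// Local stand-ins that mirror the fields documented on this page, so the
// example runs without importing the real package.
type BackendJWTAuth struct {
	ProviderName string
	Audiences    []string
}

type BackendTokenAuthConfig struct {
	JWTAuth                     *BackendJWTAuth
	EnableKubernetesTokenReview bool
}

type MTLSConfig struct {
	TrustedCA, ServerCert, ServerKey string
	MatchSANs                        []string
}

// AuditBackend (hypothetical helper) returns one finding per documented
// setting that leaves the named backend invalid or with a check switched off.
func AuditBackend(name string, ta BackendTokenAuthConfig, m *MTLSConfig) []string {
	var out []string
	switch {
	case ta.JWTAuth != nil && ta.EnableKubernetesTokenReview:
		out = append(out, name+": invalid, JWTAuth and EnableKubernetesTokenReview are both set")
	case ta.JWTAuth == nil && !ta.EnableKubernetesTokenReview:
		out = append(out, name+": token authentication is not enabled")
	}
	if ta.JWTAuth != nil && len(ta.JWTAuth.Audiences) == 0 {
		out = append(out, fmt.Sprintf("%s: provider %q has no Audiences, JWT audiences are not checked",
			name, ta.JWTAuth.ProviderName))
	}
	if m != nil && len(m.MatchSANs) == 0 {
		out = append(out, name+": MTLSConfig has no MatchSANs, SANs are not checked")
	}
	return out
}

func main() {
	// Constructed sample: JWT auth without audiences, mTLS without SAN matching.
	read := BackendTokenAuthConfig{JWTAuth: &BackendJWTAuth{ProviderName: "example-idp"}}
	mtls := &MTLSConfig{TrustedCA: "/etc/gateway/ca.pem"} // constructed path
	for _, f := range AuditBackend("read", read, mtls) {
		fmt.Println(f)
	}
}
```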
type Options
    type Options struct {
        // Signal is the signal that the gateway manages, e.g. Metrics, Logs, Traces.
        Signal string
        // ReadOptions is the configuration for the read backend service.
        ReadOptions *ReadBackend
        // WriteOptions is the configuration for the write backend service.
        WriteOptions *WriteBackend
        // TokenAuthConfig is the configuration for token authentication/authorization.
        TokenAuthConfig *TokenAuthConfig
    }
Options is the configuration for the gateway.
func (Options) BuildOrDie
BuildOrDie returns raw YAML configuration for envoy proxy or panics if it fails.
type RBACPolicies
RBACPolicies is the list of named CEL policies for role based access control.
type ReadBackend
    type ReadBackend struct {
        BackendOptions
        // RBACPolicies is the list of CEL policies for role based access control.
        RBACPolicies RBACPolicies
        LBACConfig   *LBACConfig
    }
ReadBackend represents the configuration for the read backend service.
type RemoteJWKSURI
    type RemoteJWKSURI struct {
        // URI is the URI of the remote JWKs endpoint.
        URI string
        // Port is the port of the remote JWKs URI.
        // If not specified, the default port of 443 will be used.
        Port uint32
    }
RemoteJWKSURI is the configuration for the remote JWKs URI.
type TokenAuthConfig
    type TokenAuthConfig struct {
        JWTProviders JWTProviders
        // TokenReview is the configuration for the token review server.
        TokenReview *TokenReviewServer
    }
TokenAuthConfig is the configuration for token authentication. Only one of JWTProviders or TokenReview can be specified.
type TokenReviewServer
    type TokenReviewServer GRPCServer
TokenReviewServer is the configuration for the token review server.
type WriteBackend
    type WriteBackend struct {
        // RBACPolicies is the list of CEL policies for role based access control.
        RBACPolicies RBACPolicies
        BackendOptions
    }
WriteBackend represents the configuration for the write backend service.