Affected by 
Documentation
¶
Overview ¶
Package config is a configuration abstraction that facilitates enabling Pomerium settings forvarious encoding types (JSON/YAML/ENVARS) and methods.
Index ¶
- Constants
- Variables
- func DecodePolicyBase64Hook() mapstructure.DecodeHookFunc
- func DecodePolicyHookFunc() mapstructure.DecodeHookFunc
- func GetEnvoyDNSLookupFamily(value string) envoy_config_cluster_v3.Cluster_DnsLookupFamily
- func IsAll(s string) bool
- func IsAuthenticate(s string) bool
- func IsAuthorize(s string) bool
- func IsDataBroker(s string) bool
- func IsProxy(s string) bool
- func IsValidService(s string) bool
- func NewHTTPTransport(src Source) http.RoundTripper
- func ValidateDNSLookupFamily(value string) error
- type AtomicOptions
- type AutocertOptions
- type ChangeDispatcher
- type ChangeListener
- type Config
- type FileOrEnvironmentSource
- type FileWatcherSource
- type HasWeight
- type LogManager
- type MetricsManager
- type Options
- func (o *Options) ApplySettings(settings *config.Settings)
- func (o *Options) Checksum() uint64
- func (o *Options) GetAllPolicies() []Policy
- func (o *Options) GetAuthenticateURL() (*url.URL, error)
- func (o *Options) GetAuthorizeURL() (*url.URL, error)
- func (o *Options) GetDataBrokerURL() (*url.URL, error)
- func (o *Options) GetForwardAuthURL() (*url.URL, error)
- func (o *Options) GetOauthOptions() (oauth.Options, error)
- func (o *Options) Validate() error
- type Policy
- type PolicyRedirect
- type Source
- type StaticSource
- type StringSlice
- type StringURL
- type SubPolicy
- type TraceManager
- type TracingOptions
- type WeightedURL
- type WeightedURLs
Constants ¶
View Source
const ( // ServiceAll represents running all services in "all-in-one" mode ServiceAll = "all" // ServiceProxy represents running the proxy service component ServiceProxy = "proxy" // ServiceAuthorize represents running the authorize service component ServiceAuthorize = "authorize" // ServiceAuthenticate represents running the authenticate service component ServiceAuthenticate = "authenticate" // ServiceCache represents running the cache service component ServiceCache = "cache" // ServiceDataBroker represents running the databroker service component ServiceDataBroker = "databroker" // StorageRedisName is the name of the redis storage backend StorageRedisName = "redis" // StorageInMemoryName is the name of the in-memory storage backend StorageInMemoryName = "memory" )
View Source
const ( DNSLookupFamilyAuto = "AUTO" DNSLookupFamilyV4Only = "V4_ONLY" DNSLookupFamilyV6Only = "V6_ONLY" )
DNSLookupFamily values.
View Source
const DefaultAlternativeAddr = ":5443"
DefaultAlternativeAddr is the address used is two services are competing over the same listener. Typically this is invisible to the end user (e.g. localhost) gRPC server, or is used for healthchecks (authorize only service)
View Source
const DisableHeaderKey = "disable"
DisableHeaderKey is the key used to check whether to disable setting header
Variables ¶
View Source
var AllDNSLookupFamilies = []string{DNSLookupFamilyV6Only, DNSLookupFamilyV4Only, DNSLookupFamilyAuto}
AllDNSLookupFamilies are all the available DNSLookupFamily values.
View Source
var EnvoyAdminURL = &url.URL{Host: "127.0.0.1:9901", Scheme: "http"}
EnvoyAdminURL indicates where the envoy control plane is listening
Functions ¶
func DecodePolicyBase64Hook ¶ added in v0.12.2
func DecodePolicyBase64Hook() mapstructure.DecodeHookFunc
func DecodePolicyHookFunc ¶ added in v0.12.2
func DecodePolicyHookFunc() mapstructure.DecodeHookFunc
func GetEnvoyDNSLookupFamily ¶ added in v0.11.0
func GetEnvoyDNSLookupFamily(value string) envoy_config_cluster_v3.Cluster_DnsLookupFamily
GetEnvoyDNSLookupFamily gets the envoy DNS lookup family.
func IsAuthenticate ¶
IsAuthenticate checks to see if we should be running the authenticate service
func IsAuthorize ¶
IsAuthorize checks to see if we should be running the authorize service
func IsDataBroker ¶ added in v0.12.2
IsDataBroker checks to see if we should be running the databroker service
func IsValidService ¶
IsValidService checks to see if a service is a valid service mode
func NewHTTPTransport ¶ added in v0.11.0
func NewHTTPTransport(src Source) http.RoundTripper
NewHTTPTransport creates a new http transport. If CA or CAFile is set, the transport will add the CA to system cert pool.
func ValidateDNSLookupFamily ¶ added in v0.11.0
ValidateDNSLookupFamily validates the value to confirm its one of the available DNS lookup families.
Types ¶
type AtomicOptions ¶ added in v0.11.0
type AtomicOptions struct {
// contains filtered or unexported fields
}
AtomicOptions are Options that can be access atomically.
func NewAtomicOptions ¶ added in v0.11.0
func NewAtomicOptions() *AtomicOptions
NewAtomicOptions creates a new AtomicOptions.
func (*AtomicOptions) Load ¶ added in v0.11.0
func (a *AtomicOptions) Load() *Options
Load loads the options.
func (*AtomicOptions) Store ¶ added in v0.11.0
func (a *AtomicOptions) Store(options *Options)
Store stores the options.
type AutocertOptions ¶ added in v0.10.0
type AutocertOptions struct {
// Enable enables fully automated certificate management including issuance
// and renewal from LetsEncrypt. Must be used in conjunction with Folder.
Enable bool `mapstructure:"autocert" yaml:"autocert,omitempty"`
// UseStaging tells autocert to use Let's Encrypt's staging CA which
// has less strict usage limits then the (default) production CA.
//
// https://letsencrypt.org/docs/staging-environment/
UseStaging bool `mapstructure:"autocert_use_staging" yaml:"autocert_use_staging,omitempty"`
// MustStaple will cause autocert to request a certificate with
// status_request extension. This will allow the TLS client (the browser)
// to fail immediately if Pomerium failed to get an OCSP staple.
// See also https://tools.ietf.org/html/rfc7633
// Only used when Enable is true.
MustStaple bool `mapstructure:"autocert_must_staple" yaml:"autocert_must_staple,omitempty"`
// Folder specifies the location to store, and load autocert managed
// TLS certificates.
// defaults to $XDG_DATA_HOME/pomerium
Folder string `mapstructure:"autocert_dir" yaml:"autocert_dir,omitempty"`
}
AutocertOptions contains the options to control the behavior of autocert.
type ChangeDispatcher ¶ added in v0.10.0
A ChangeDispatcher manages listeners on config changes.
func (*ChangeDispatcher) OnConfigChange ¶ added in v0.10.0
func (dispatcher *ChangeDispatcher) OnConfigChange(li ChangeListener)
OnConfigChange adds a listener.
func (*ChangeDispatcher) Trigger ¶ added in v0.10.0
func (dispatcher *ChangeDispatcher) Trigger(cfg *Config)
Trigger triggers a change.
type ChangeListener ¶ added in v0.10.0
type ChangeListener = func(*Config)
A ChangeListener is called when configuration changes.
type Config ¶ added in v0.10.0
type Config struct {
Options *Options
AutoCertificates []tls.Certificate
}
Config holds pomerium configuration options.
func (*Config) AllCertificates ¶ added in v0.12.2
func (cfg *Config) AllCertificates() []tls.Certificate
AllCertificates returns all the certificates in the config.
type FileOrEnvironmentSource ¶ added in v0.10.0
type FileOrEnvironmentSource struct {
ChangeDispatcher
// contains filtered or unexported fields
}
A FileOrEnvironmentSource retrieves config options from a file or the environment.
func NewFileOrEnvironmentSource ¶ added in v0.10.0
func NewFileOrEnvironmentSource(configFile string) (*FileOrEnvironmentSource, error)
NewFileOrEnvironmentSource creates a new FileOrEnvironmentSource.
func (*FileOrEnvironmentSource) GetConfig ¶ added in v0.10.0
func (src *FileOrEnvironmentSource) GetConfig() *Config
GetConfig gets the config.
type FileWatcherSource ¶ added in v0.12.2
type FileWatcherSource struct {
ChangeDispatcher
// contains filtered or unexported fields
}
FileWatcherSource is a config source which triggers a change any time a file in the options changes.
func NewFileWatcherSource ¶ added in v0.12.2
func NewFileWatcherSource(underlying Source) *FileWatcherSource
NewFileWatcherSource creates a new FileWatcherSource.
func (*FileWatcherSource) GetConfig ¶ added in v0.12.2
func (src *FileWatcherSource) GetConfig() *Config
GetConfig gets the underlying config.
type HasWeight ¶ added in v0.12.2
type HasWeight bool
HasWeight indicates if url group has weights assigned
type LogManager ¶ added in v0.11.0
type LogManager struct {
// contains filtered or unexported fields
}
The LogManager configures logging based on options.
func NewLogManager ¶ added in v0.11.0
func NewLogManager(src Source) *LogManager
NewLogManager creates a new LogManager.
func (*LogManager) Close ¶ added in v0.11.0
func (mgr *LogManager) Close() error
Close closes the log manager.
func (*LogManager) OnConfigChange ¶ added in v0.11.0
func (mgr *LogManager) OnConfigChange(cfg *Config)
OnConfigChange is called whenever configuration changes.
type MetricsManager ¶ added in v0.11.0
type MetricsManager struct {
// contains filtered or unexported fields
}
A MetricsManager manages metrics for a given configuration.
func NewMetricsManager ¶ added in v0.11.0
func NewMetricsManager(src Source) *MetricsManager
NewMetricsManager creates a new MetricsManager.
func (*MetricsManager) Close ¶ added in v0.11.0
func (mgr *MetricsManager) Close() error
Close closes any underlying http server.
func (*MetricsManager) OnConfigChange ¶ added in v0.11.0
func (mgr *MetricsManager) OnConfigChange(cfg *Config)
OnConfigChange updates the metrics manager when configuration is changed.
type Options ¶
type Options struct {
// Debug outputs human-readable logs to Stdout.
Debug bool `mapstructure:"pomerium_debug" yaml:"pomerium_debug,omitempty"`
// LogLevel sets the global override for log level. All Loggers will use at least this value.
// Possible options are "info","warn","debug" and "error". Defaults to "info".
LogLevel string `mapstructure:"log_level" yaml:"log_level,omitempty"`
// ProxyLogLevel sets the log level for the proxy service.
// Possible options are "info","warn", and "error". Defaults to the value of `LogLevel`.
ProxyLogLevel string `mapstructure:"proxy_log_level" yaml:"proxy_log_level,omitempty"`
// requests between services.
SharedKey string `mapstructure:"shared_secret" yaml:"shared_secret,omitempty"`
// Services is a list enabled service mode. If none are selected, "all" is used.
// Available options are : "all", "authenticate", "proxy".
Services string `mapstructure:"services" yaml:"services,omitempty"`
// Addr specifies the host and port on which the server should serve
// HTTPS requests. If empty, ":443" (localhost:443) is used.
Addr string `mapstructure:"address" yaml:"address,omitempty"`
// InsecureServer when enabled disables all transport security.
// In this mode, Pomerium is susceptible to man-in-the-middle attacks.
// This should be used only for testing.
InsecureServer bool `mapstructure:"insecure_server" yaml:"insecure_server,omitempty"`
// DNSLookupFamily is the DNS IP address resolution policy.
// If this setting is not specified, the value defaults to AUTO.
DNSLookupFamily string `mapstructure:"dns_lookup_family" yaml:"dns_lookup_family,omitempty"`
CertificateFiles []certificateFilePair `mapstructure:"certificates" yaml:"certificates,omitempty"`
// Cert and Key is the x509 certificate used to create the HTTPS server.
Cert string `mapstructure:"certificate" yaml:"certificate,omitempty"`
Key string `mapstructure:"certificate_key" yaml:"certificate_key,omitempty"`
// CertFile and KeyFile is the x509 certificate used to hydrate TLSCertificate
CertFile string `mapstructure:"certificate_file" yaml:"certificate_file,omitempty"`
KeyFile string `mapstructure:"certificate_key_file" yaml:"certificate_key_file,omitempty"`
Certificates []tls.Certificate `mapstructure:"-" yaml:"-"`
// HttpRedirectAddr, if set, specifies the host and port to run the HTTP
// to HTTPS redirect server on. If empty, no redirect server is started.
HTTPRedirectAddr string `mapstructure:"http_redirect_addr" yaml:"http_redirect_addr,omitempty"`
// Timeout settings : https://github.com/pomerium/pomerium/issues/40
ReadTimeout time.Duration `mapstructure:"timeout_read" yaml:"timeout_read,omitempty"`
WriteTimeout time.Duration `mapstructure:"timeout_write" yaml:"timeout_write,omitempty"`
IdleTimeout time.Duration `mapstructure:"timeout_idle" yaml:"timeout_idle,omitempty"`
// Policies define per-route configuration and access control policies.
Policies []Policy `mapstructure:"policy"`
PolicyFile string `mapstructure:"policy_file" yaml:"policy_file,omitempty"`
// AdditionalPolicies are any additional policies added to the options.
AdditionalPolicies []Policy `yaml:"-"`
// AuthenticateURL represents the externally accessible http endpoints
// used for authentication requests and callbacks
AuthenticateURLString string `mapstructure:"authenticate_service_url" yaml:"authenticate_service_url,omitempty"`
AuthenticateURL *url.URL `yaml:"-"`
// SignOutRedirectURL represents the url that user will be redirected to after signing out.
SignOutRedirectURLString string `mapstructure:"signout_redirect_url" yaml:"signout_redirect_url,omitempty"`
SignOutRedirectURL *url.URL `yaml:"-"`
// AuthenticateCallbackPath is the path to the HTTP endpoint that will
// receive the response from your identity provider. The value must exactly
// match one of the authorized redirect URIs for the OAuth 2.0 client.
// Defaults to: `/oauth2/callback`
AuthenticateCallbackPath string `mapstructure:"authenticate_callback_path" yaml:"authenticate_callback_path,omitempty"`
// Session/Cookie management
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
CookieName string `mapstructure:"cookie_name" yaml:"cookie_name,omitempty"`
CookieSecret string `mapstructure:"cookie_secret" yaml:"cookie_secret,omitempty"`
CookieDomain string `mapstructure:"cookie_domain" yaml:"cookie_domain,omitempty"`
CookieSecure bool `mapstructure:"cookie_secure" yaml:"cookie_secure,omitempty"`
CookieHTTPOnly bool `mapstructure:"cookie_http_only" yaml:"cookie_http_only,omitempty"`
CookieExpire time.Duration `mapstructure:"cookie_expire" yaml:"cookie_expire,omitempty"`
// Identity provider configuration variables as specified by RFC6749
// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
ClientID string `mapstructure:"idp_client_id" yaml:"idp_client_id,omitempty"`
ClientSecret string `mapstructure:"idp_client_secret" yaml:"idp_client_secret,omitempty"`
Provider string `mapstructure:"idp_provider" yaml:"idp_provider,omitempty"`
ProviderURL string `mapstructure:"idp_provider_url" yaml:"idp_provider_url,omitempty"`
Scopes []string `mapstructure:"idp_scopes" yaml:"idp_scopes,omitempty"`
ServiceAccount string `mapstructure:"idp_service_account" yaml:"idp_service_account,omitempty"`
// Identity provider refresh directory interval/timeout settings.
RefreshDirectoryTimeout time.Duration `mapstructure:"idp_refresh_directory_timeout" yaml:"idp_refresh_directory_timeout,omitempty"`
RefreshDirectoryInterval time.Duration `mapstructure:"idp_refresh_directory_interval" yaml:"idp_refresh_directory_interval,omitempty"`
QPS float64 `mapstructure:"idp_qps" yaml:"idp_qps"`
// RequestParams are custom request params added to the signin request as
// part of an Oauth2 code flow.
//
// https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
// https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters
RequestParams map[string]string `mapstructure:"idp_request_params" yaml:"idp_request_params,omitempty"`
// AuthorizeURL is the routable destination of the authorize service's
// gRPC endpoint. NOTE: As many load balancers do not support
// externally routed gRPC so this may be an internal location.
AuthorizeURLString string `mapstructure:"authorize_service_url" yaml:"authorize_service_url,omitempty"`
AuthorizeURL *url.URL `yaml:",omitempty"`
// Settings to enable custom behind-the-ingress service communication
OverrideCertificateName string `mapstructure:"override_certificate_name" yaml:"override_certificate_name,omitempty"`
CA string `mapstructure:"certificate_authority" yaml:"certificate_authority,omitempty"`
CAFile string `mapstructure:"certificate_authority_file" yaml:"certificate_authority_file,omitempty"`
// SigningKey is the private key used to add a JWT-signature to upstream requests.
// https://www.pomerium.io/docs/topics/getting-users-identity.html
SigningKey string `mapstructure:"signing_key" yaml:"signing_key,omitempty"`
SigningKeyAlgorithm string `mapstructure:"signing_key_algorithm" yaml:"signing_key_algorithm,omitempty"`
// Headers to set on all proxied requests. Add a 'disable' key map to turn off.
HeadersEnv string `yaml:",omitempty"`
Headers map[string]string `yaml:",omitempty"`
// List of JWT claims to insert as x-pomerium-claim-* headers on proxied requests
JWTClaimsHeaders []string `mapstructure:"jwt_claims_headers" yaml:"jwt_claims_headers,omitempty"`
// RefreshCooldown limits the rate a user can refresh her session
RefreshCooldown time.Duration `mapstructure:"refresh_cooldown" yaml:"refresh_cooldown,omitempty"`
DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`
// Address/Port to bind to for prometheus metrics
MetricsAddr string `mapstructure:"metrics_address" yaml:"metrics_address,omitempty"`
// Tracing shared settings
TracingProvider string `mapstructure:"tracing_provider" yaml:"tracing_provider,omitempty"`
TracingSampleRate float64 `mapstructure:"tracing_sample_rate" yaml:"tracing_sample_rate,omitempty"`
// Datadog tracing address
TracingDatadogAddress string `mapstructure:"tracing_datadog_address" yaml:"tracing_datadog_address,omitempty"`
// Jaeger
//
// CollectorEndpoint is the full url to the Jaeger HTTP Thrift collector.
// For example, http://localhost:14268/api/traces
TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint" yaml:"tracing_jaeger_collector_endpoint,omitempty"`
// Zipkin
//
// ZipkinEndpoint configures the zipkin collector URI
// Example: http://zipkin:9411/api/v2/spans
TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint" yaml:"tracing_jaeger_agent_endpoint,omitempty"`
ZipkinEndpoint string `mapstructure:"tracing_zipkin_endpoint" yaml:"tracing_zipkin_endpoint"`
// GRPCAddr specifies the host and port on which the server should serve
// gRPC requests. If running in all-in-one mode, ":5443" (localhost:5443) is used.
GRPCAddr string `mapstructure:"grpc_address" yaml:"grpc_address,omitempty"`
// GRPCInsecure disables transport security.
// If running in all-in-one mode, defaults to true.
GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
// GRPCServerMaxConnectionAge sets MaxConnectionAge in the grpc ServerParameters used to create GRPC Services
GRPCServerMaxConnectionAge time.Duration `mapstructure:"grpc_server_max_connection_age" yaml:"grpc_server_max_connection_age,omitempty"`
// GRPCServerMaxConnectionAgeGrace sets MaxConnectionAgeGrace in the grpc ServerParameters used to create GRPC Services
GRPCServerMaxConnectionAgeGrace time.Duration `mapstructure:"grpc_server_max_connection_age_grace,omitempty" yaml:"grpc_server_max_connection_age_grace,omitempty"` //nolint: lll
// ForwardAuthEndpoint allows for a given route to be used as a forward-auth
// endpoint instead of a reverse proxy. Some third-party proxies that do not
// have rich access control capabilities (nginx, envoy, ambassador, traefik)
// allow you to delegate and authenticate each request to your website
// with an external server or service. Pomerium can be configured to accept
// these requests with this switch
ForwardAuthURLString string `mapstructure:"forward_auth_url" yaml:"forward_auth_url,omitempty"`
ForwardAuthURL *url.URL `yaml:",omitempty"`
// DataBrokerURL is the routable destination of the databroker service's gRPC endpiont.
DataBrokerURLString string `mapstructure:"databroker_service_url" yaml:"databroker_service_url,omitempty"`
DataBrokerURL *url.URL `yaml:",omitempty"`
// DataBrokerStorageType is the storage backend type that databroker will use.
// Supported type: memory, redis
DataBrokerStorageType string `mapstructure:"databroker_storage_type" yaml:"databroker_storage_type,omitempty"`
// DataBrokerStorageConnectionString is the data source name for storage backend.
DataBrokerStorageConnectionString string `mapstructure:"databroker_storage_connection_string" yaml:"databroker_storage_connection_string,omitempty"`
DataBrokerStorageCertFile string `mapstructure:"databroker_storage_cert_file" yaml:"databroker_storage_cert_file,omitempty"`
DataBrokerStorageCertKeyFile string `mapstructure:"databroker_storage_key_file" yaml:"databroker_storage_key_file,omitempty"`
DataBrokerStorageCAFile string `mapstructure:"databroker_storage_ca_file" yaml:"databroker_storage_ca_file,omitempty"`
DataBrokerStorageCertSkipVerify bool `mapstructure:"databroker_storage_tls_skip_verify" yaml:"databroker_storage_tls_skip_verify,omitempty"`
DataBrokerCertificate *tls.Certificate `mapstructure:"-" yaml:"-"`
// ClientCA is the base64-encoded certificate authority to validate client mTLS certificates against.
ClientCA string `mapstructure:"client_ca" yaml:"client_ca,omitempty"`
// ClientCAFile points to a file that contains the certificate authority to validate client mTLS certificates against.
ClientCAFile string `mapstructure:"client_ca_file" yaml:"client_ca_file,omitempty"`
// GoogleCloudServerlessAuthenticationServiceAccount is the service account to use for GCP serverless authentication.
// If unset, the GCP metadata server will be used to query for identity tokens.
GoogleCloudServerlessAuthenticationServiceAccount string `` //nolint
/* 141-byte string literal not displayed */
// UseProxyProtocol configures the HTTP listener to require the HAProxy proxy protocol (either v1 or v2) on incoming requests.
UseProxyProtocol bool `mapstructure:"require_proxy_protocol" yaml:"require_proxy_protocol,omitempty" json:"require_proxy_protocol,omitempty"`
AutocertOptions `mapstructure:",squash" yaml:",inline"`
// SkipXffAppend instructs proxy not to append its IP address to x-forwarded-for header.
// see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html?highlight=skip_xff_append#x-forwarded-for
SkipXffAppend bool `mapstructure:"skip_xff_append" yaml:"skip_xff_append,omitempty" json:"skip_xff_append,omitempty"`
// contains filtered or unexported fields
}
Options are the global environmental flags used to set up pomerium's services. Use NewXXXOptions() methods for a safely initialized data structure.
func NewDefaultOptions ¶
func NewDefaultOptions() *Options
NewDefaultOptions returns a copy the default options. It's the caller's responsibility to do a follow up Validate call.
func (*Options) ApplySettings ¶ added in v0.11.0
ApplySettings modifies the config options using the given protobuf settings.
func (*Options) GetAllPolicies ¶ added in v0.12.2
GetAllPolicies gets all the policies in the options.
func (*Options) GetAuthenticateURL ¶ added in v0.9.0
GetAuthenticateURL returns the AuthenticateURL in the options or 127.0.0.1.
func (*Options) GetAuthorizeURL ¶ added in v0.9.0
GetAuthorizeURL returns the AuthorizeURL in the options or 127.0.0.1:5443.
func (*Options) GetDataBrokerURL ¶ added in v0.10.0
GetDataBrokerURL returns the DataBrokerURL in the options or 127.0.0.1:5443.
func (*Options) GetForwardAuthURL ¶ added in v0.9.0
GetForwardAuthURL returns the ForwardAuthURL in the options or 127.0.0.1.
func (*Options) GetOauthOptions ¶ added in v0.10.0
GetOauthOptions gets the oauth.Options for the given config options.
type Policy ¶
type Policy struct {
From string `mapstructure:"from" yaml:"from"`
To WeightedURLs `mapstructure:"to" yaml:"to"`
// LbWeights are optional load balancing weights applied to endpoints specified in To
// this field exists for compatibility with mapstructure
LbWeights []uint32 `mapstructure:"_to_weights,omitempty" json:"-" yaml:"-"`
// Redirect is used for a redirect action instead of `To`
Redirect *PolicyRedirect `mapstructure:"redirect" yaml:"redirect"`
// Identity related policy
AllowedUsers []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
Source *StringURL `yaml:",omitempty" json:"source,omitempty" hash:"ignore"`
// Additional route matching options
Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
Path string `mapstructure:"path" yaml:"path,omitempty" json:"path,omitempty"`
Regex string `mapstructure:"regex" yaml:"regex,omitempty" json:"regex,omitempty"`
// Path Rewrite Options
PrefixRewrite string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
RegexRewritePattern string `mapstructure:"regex_rewrite_pattern" yaml:"regex_rewrite_pattern,omitempty" json:"regex_rewrite_pattern,omitempty"`
RegexRewriteSubstitution string `` //nolint
/* 129-byte string literal not displayed */
// Host Rewrite Options
HostRewrite string `mapstructure:"host_rewrite" yaml:"host_rewrite,omitempty" json:"host_rewrite,omitempty"`
HostRewriteHeader string `mapstructure:"host_rewrite_header" yaml:"host_rewrite_header,omitempty" json:"host_rewrite_header,omitempty"`
HostPathRegexRewritePattern string `` //nolint
/* 144-byte string literal not displayed */
HostPathRegexRewriteSubstitution string `` //nolint
/* 159-byte string literal not displayed */
// Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`
// Allow any public request to access this route. **Bypasses authentication**
AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`
// Allow any authenticated user
AllowAnyAuthenticatedUser bool `mapstructure:"allow_any_authenticated_user" yaml:"allow_any_authenticated_user,omitempty"`
// UpstreamTimeout is the route specific timeout. Must be less than the global
// timeout. If unset, route will fallback to the proxy's DefaultUpstreamTimeout.
UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`
// Enable proxying of websocket connections by removing the default timeout handler.
// Caution: Enabling this feature could result in abuse via DOS attacks.
AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets,omitempty"`
// AllowSPDY enables proxying of SPDY upgrade requests
AllowSPDY bool `mapstructure:"allow_spdy" yaml:"allow_spdy,omitempty"`
// TLSSkipVerify controls whether a client verifies the server's certificate
// chain and host name.
// If TLSSkipVerify is true, TLS accepts any certificate presented by the
// server and any host name in that certificate.
// In this mode, TLS is susceptible to man-in-the-middle attacks.
// This should be used only for testing.
TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`
// TLSServerName overrides the hostname in the `to` field. This is useful
// if your backend is an HTTPS server with a valid certificate, but you
// want to communicate to the backend with an internal hostname (e.g.
// Docker container name).
TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
// TLSCustomCA defines the root certificate to use with a given
// route when verifying server certificates.
TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`
// Contains the x.509 client certificate to present to the upstream host.
TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
ClientCertificate *tls.Certificate `yaml:",omitempty" hash:"ignore"`
// TLSDownstreamClientCA defines the root certificate to use with a given route to verify
// downstream client certificates (e.g. from a user's browser).
TLSDownstreamClientCA string `mapstructure:"tls_downstream_client_ca" yaml:"tls_downstream_client_ca,omitempty"`
TLSDownstreamClientCAFile string `mapstructure:"tls_downstream_client_ca_file" yaml:"tls_downstream_client_ca_file,omitempty"`
// SetRequestHeaders adds a collection of headers to the upstream request
// in the form of key value pairs. Note bene, this will overwrite the
// value of any existing value of a given header key.
SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`
// RemoveRequestHeaders removes a collection of headers from an upstream request.
// Note that this has lower priority than `SetRequestHeaders`, if you specify `X-Custom-Header` in both
// `SetRequestHeaders` and `RemoveRequestHeaders`, then the header won't be removed.
RemoveRequestHeaders []string `mapstructure:"remove_request_headers" yaml:"remove_request_headers,omitempty"`
// PreserveHostHeader disables host header rewriting.
//
// This option only takes affect if the destination is a DNS name. If the destination is an IP address,
// use SetRequestHeaders to explicitly set the "Host" header.
//
// https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
PreserveHostHeader bool `mapstructure:"preserve_host_header" yaml:"preserve_host_header,omitempty"`
// PassIdentityHeaders controls whether to add a user's identity headers to the upstream request.
// These includes:
//
// - X-Pomerium-Jwt-Assertion
// - X-Pomerium-Claim-*
//
PassIdentityHeaders bool `mapstructure:"pass_identity_headers" yaml:"pass_identity_headers,omitempty"`
// KubernetesServiceAccountToken is the kubernetes token to use for upstream requests.
KubernetesServiceAccountToken string `mapstructure:"kubernetes_service_account_token" yaml:"kubernetes_service_account_token,omitempty"`
// KubernetesServiceAccountTokenFile contains the kubernetes token to use for upstream requests.
KubernetesServiceAccountTokenFile string `mapstructure:"kubernetes_service_account_token_file" yaml:"kubernetes_service_account_token_file,omitempty"`
// EnableGoogleCloudServerlessAuthentication adds "Authorization: Bearer ID_TOKEN" headers
// to upstream requests.
EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` //nolint
SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"`
EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"`
}
Policy contains route specific configuration and access settings.
func NewPolicyFromProto ¶ added in v0.10.0
NewPolicyFromProto creates a new Policy from a protobuf policy config route.
func (*Policy) Matches ¶ added in v0.11.0
Matches returns true if the policy would match the given URL.
type PolicyRedirect ¶ added in v0.12.2
type PolicyRedirect struct {
HTTPSRedirect *bool `mapstructure:"https_redirect" yaml:"https_redirect,omitempty" json:"https_redirect,omitempty"`
SchemeRedirect *string `mapstructure:"scheme_redirect" yaml:"scheme_redirect,omitempty" json:"scheme_redirect,omitempty"`
HostRedirect *string `mapstructure:"host_redirect" yaml:"host_redirect,omitempty" json:"host_redirect,omitempty"`
PortRedirect *uint32 `mapstructure:"port_redirect" yaml:"port_redirect,omitempty" json:"port_redirect,omitempty"`
PathRedirect *string `mapstructure:"path_redirect" yaml:"path_redirect,omitempty" json:"path_redirect,omitempty"`
PrefixRewrite *string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
ResponseCode *int32 `mapstructure:"response_code" yaml:"response_code,omitempty" json:"response_code,omitempty"`
StripQuery *bool `mapstructure:"strip_query" yaml:"strip_query,omitempty" json:"strip_query,omitempty"`
}
PolicyRedirect is a route redirect action.
type Source ¶ added in v0.10.0
type Source interface {
GetConfig() *Config
OnConfigChange(ChangeListener)
}
A Source gets configuration.
type StaticSource ¶ added in v0.10.0
type StaticSource struct {
// contains filtered or unexported fields
}
A StaticSource always returns the same config. Useful for testing.
func NewStaticSource ¶ added in v0.10.0
func NewStaticSource(cfg *Config) *StaticSource
NewStaticSource creates a new StaticSource.
func (*StaticSource) GetConfig ¶ added in v0.10.0
func (src *StaticSource) GetConfig() *Config
GetConfig gets the config.
func (*StaticSource) OnConfigChange ¶ added in v0.10.0
func (src *StaticSource) OnConfigChange(li ChangeListener)
OnConfigChange is ignored for the StaticSource.
func (*StaticSource) SetConfig ¶ added in v0.11.0
func (src *StaticSource) SetConfig(cfg *Config)
SetConfig sets the config.
type StringSlice ¶ added in v0.12.2
type StringSlice []string
A StringSlice is a slice of strings.
func NewStringSlice ¶ added in v0.12.2
func NewStringSlice(values ...string) StringSlice
NewStringSlice creatse a new StringSlice.
func (*StringSlice) UnmarshalJSON ¶ added in v0.12.2
func (slc *StringSlice) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a JSON document into the string slice.
func (*StringSlice) UnmarshalYAML ¶ added in v0.12.2
func (slc *StringSlice) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML unmarshals a YAML document into the string slice. UnmarshalJSON is reused as the actual implementation.
type StringURL ¶ added in v0.8.0
StringURL stores a URL as a string in json.
func (*StringURL) MarshalJSON ¶ added in v0.8.0
MarshalJSON returns the URLs host as json.
type SubPolicy ¶ added in v0.10.0
type SubPolicy struct {
ID string `mapstructure:"id" yaml:"id" json:"id"`
Name string `mapstructure:"name" yaml:"name" json:"name"`
AllowedUsers []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
Rego []string `mapstructure:"rego" yaml:"rego" json:"rego,omitempty"`
}
A SubPolicy is a protobuf Policy within a protobuf Route.
type TraceManager ¶ added in v0.11.0
type TraceManager struct {
// contains filtered or unexported fields
}
A TraceManager manages setting up a trace exporter based on configuration options.
func NewTraceManager ¶ added in v0.11.0
func NewTraceManager(src Source) *TraceManager
NewTraceManager creates a new TraceManager.
func (*TraceManager) Close ¶ added in v0.11.0
func (mgr *TraceManager) Close() error
Close closes any underlying trace exporter.
func (*TraceManager) OnConfigChange ¶ added in v0.11.0
func (mgr *TraceManager) OnConfigChange(cfg *Config)
OnConfigChange updates the manager whenever the configuration is changed.
type TracingOptions ¶ added in v0.9.0
type TracingOptions = trace.TracingOptions
TracingOptions are the options for tracing.
func NewTracingOptions ¶ added in v0.9.0
func NewTracingOptions(o *Options) (*TracingOptions, error)
NewTracingOptions builds a new TracingOptions from core Options
type WeightedURL ¶ added in v0.12.2
type WeightedURL struct {
URL url.URL
// LbWeight is a relative load balancer weight for this upstream URL
// zero means not assigned
LbWeight uint32
}
WeightedURL is a way to specify an upstream with load balancing weight attached to it
func ParseWeightedURL ¶ added in v0.12.2
func ParseWeightedURL(dst string) (*WeightedURL, error)
ParseWeightedURL parses url that has an optional weight appended to it
func (*WeightedURL) String ¶ added in v0.12.2
func (u *WeightedURL) String() string
func (*WeightedURL) Validate ¶ added in v0.12.2
func (u *WeightedURL) Validate() error
type WeightedURLs ¶ added in v0.12.2
type WeightedURLs []WeightedURL
func ParseWeightedUrls ¶ added in v0.12.2
func ParseWeightedUrls(urls ...string) (WeightedURLs, error)
ParseWeightedUrls parses
func (WeightedURLs) Flatten ¶ added in v0.12.2
func (urls WeightedURLs) Flatten() ([]string, []uint32, error)
Flatten converts weighted url array into indidual arrays of urls and weights
func (WeightedURLs) Validate ¶ added in v0.12.2
func (urls WeightedURLs) Validate() (HasWeight, error)
Validate checks that URLs are valid, and either all or none have weights assigned
Source Files
Click to show internal directories.
Click to hide internal directories.