Documentation ¶
Index ¶
- Constants
- Variables
- func BuildHttpFilters(globalSettings *extauthv1.Settings, listener *v1.HttpListener, ...) ([]plugins.StagedHttpFilter, error)
- type Plugin
- func (p *Plugin) HttpFilters(params plugins.Params, listener *v1.HttpListener) ([]plugins.StagedHttpFilter, error)
- func (p *Plugin) Init(params plugins.InitParams) error
- func (p *Plugin) ProcessRoute(params plugins.RouteParams, in *v1.Route, out *envoy_config_route_v3.Route) error
- func (p *Plugin) ProcessVirtualHost(params plugins.VirtualHostParams, in *v1.VirtualHost, ...) error
- func (p *Plugin) ProcessWeightedDestination(params plugins.RouteParams, in *v1.WeightedDestination, ...) error
Constants ¶
const (
	// DefaultAuthHeader is the header name "x-user-id".
	// NOTE(review): presumably the default header that carries the
	// authenticated user's identity. If upstreams trust this header, confirm
	// that a client-supplied copy is stripped or overwritten before the
	// request is forwarded.
	DefaultAuthHeader = "x-user-id"
	// HttpServerUri is a placeholder URI. The "not-used" host name suggests it
	// only fills a required configuration field and is never contacted —
	// TODO confirm against the code that reads it.
	HttpServerUri = "http://not-used.example.com/"
)

// JWTFilterName is the name of Envoy's JWT authentication HTTP filter.
// How this package uses the name is not shown on this page.
const JWTFilterName = "envoy.filters.http.jwt_authn"
Variables ¶
var (
	// DefaultTimeout is 200 milliseconds, converted to a protobuf duration.
	// NOTE(review): presumably the default timeout for calls to the auth
	// server — confirm against the code that reads it.
	DefaultTimeout = prototime.DurationToProto(200 * time.Millisecond)
	// NoServerRefErr reports that no extauth server reference is configured.
	NoServerRefErr = eris.New("no extauth server reference configured")
	// ServerNotFound builds the error returned when the upstream referenced as
	// the extauth server cannot be found. The message includes usRef.String().
	ServerNotFound = func(usRef *core.ResourceRef) error {
		return eris.Errorf("extauth server upstream not found %s", usRef.String())
	}
	// InvalidStatusOnErrorErr builds the error for a statusOnError code that
	// was rejected as invalid. The message includes the offending code.
	InvalidStatusOnErrorErr = func(code uint32) error {
		return eris.Errorf("invalid statusOnError code: %d", code)
	}
)

// FilterStage is the filter-chain position used by this package: during
// plugins.AuthNStage.
var FilterStage = plugins.DuringStage(plugins.AuthNStage)
Note that although this configures the "envoy.filters.http.ext_authz" filter, we still want it ordered within the AuthNStage, because we are using this filter for authentication purposes.
Functions ¶
func BuildHttpFilters ¶
func BuildHttpFilters( globalSettings *extauthv1.Settings, listener *v1.HttpListener, upstreams v1.UpstreamList, ) ([]plugins.StagedHttpFilter, error)
Types ¶
type Plugin ¶
// Plugin is the type whose methods generate the ext_authz per-filter
// configuration for virtual hosts, routes and weighted destinations.
type Plugin struct {
	// contains filtered or unexported fields
}
func NewCustomAuthPlugin ¶
func NewCustomAuthPlugin() *Plugin
func (*Plugin) HttpFilters ¶
func (p *Plugin) HttpFilters(params plugins.Params, listener *v1.HttpListener) ([]plugins.StagedHttpFilter, error)
func (*Plugin) ProcessRoute ¶
func (p *Plugin) ProcessRoute(params plugins.RouteParams, in *v1.Route, out *envoy_config_route_v3.Route) error
This function generates the ext_authz TypedPerFilterConfig for this route:
- if the route defines custom auth configuration, set the filter correspondingly;
- if auth is explicitly disabled, disable the filter (by default this also applies to the route's WeightedDestinations);
- else, do nothing (the route inherits its config from the parent virtual host).
func (*Plugin) ProcessVirtualHost ¶
func (p *Plugin) ProcessVirtualHost( params plugins.VirtualHostParams, in *v1.VirtualHost, out *envoy_config_route_v3.VirtualHost, ) error
This function generates the ext_authz TypedPerFilterConfig for this virtual host. If the ext_authz filter was not configured on the listener, do nothing. If the filter is configured and the virtual host does not define an extauth configuration OR explicitly disables extauth, we disable the ext_authz filter. This is done to disable authentication by default on a virtual host and its child resources (routes, weighted destinations). Extauth is currently opt-in: a virtual host with no extauth configuration is served without the ext_authz check, so anything that requires authentication must configure it explicitly on the virtual host, route, or weighted destination.
func (*Plugin) ProcessWeightedDestination ¶
func (p *Plugin) ProcessWeightedDestination( params plugins.RouteParams, in *v1.WeightedDestination, out *envoy_config_route_v3.WeightedCluster_ClusterWeight, ) error
This function generates the ext_authz TypedPerFilterConfig for this weightedDestination:
- if the weightedDestination defines custom auth configuration, set the filter correspondingly;
- if auth is explicitly disabled, disable the filter;
- else, do nothing (the weightedDestination inherits its config from the parent virtual host and/or route).