authn

package
v0.0.0-...-e7c9706 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 18, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

View Source
const NoOverride = model.MTLSUnknown

NoOverride is an alias for MTLSUnknown to more clearly convey intent for InboundMTLSSettings

Variables

This section is empty.

Functions

This section is empty.

Types

type MTLSSettings

type MTLSSettings struct {
	// Port is the port this option applies for
	Port uint32
	// Mode is the mTLS  mode to use
	Mode model.MutualTLSMode
	// TCP describes the tls context to use for TCP filter chains
	TCP *tlsv3.DownstreamTlsContext
	// HTTP describes the tls context to use for HTTP filter chains
	HTTP *tlsv3.DownstreamTlsContext
}

MTLSSettings describes the mTLS options for a filter chain

type MergedPeerAuthentication

type MergedPeerAuthentication struct {
	// Mode is the overall mode of policy. May be overridden by PerPort
	Mode model.MutualTLSMode
	// PerPort is the per-port policy
	PerPort map[uint32]model.MutualTLSMode
}

func ComposePeerAuthentication

func ComposePeerAuthentication(rootNamespace string, configs []*config.Config) MergedPeerAuthentication

ComposePeerAuthentication returns the effective PeerAuthentication given the list of applicable configs. This list should contains at most 1 mesh-level and 1 namespace-level configs. Workload-level configs should not be in root namespace (this should be guaranteed by the caller, though they will be safely ignored in this function). If the input config list is empty, returns a default policy set to a PERMISSIVE. If there is at least one applicable config, returns should not be nil, and is a combined policy based on following rules: - It should have the setting from the most narrow scope (i.e workload-level is preferred over namespace-level, which is preferred over mesh-level). - When there are more than one policy in the same scope (i.e workload-level), the oldest one win. - UNSET will be replaced with the setting from the parent. I.e UNSET port-level config will be replaced with config from workload-level, UNSET in workload-level config will be replaced with one in namespace-level and so on.

type MtlsPolicy

type MtlsPolicy interface {
	// GetMutualTLSModeForPort gets the mTLS mode for the given port. If there is no port level setting, it
	// returns the inherited namespace/mesh level setting.
	GetMutualTLSModeForPort(endpointPort uint32) model.MutualTLSMode
}

func NewMtlsPolicy

func NewMtlsPolicy(push *model.PushContext, namespace string, labels labels.Instance, isWaypoint bool) MtlsPolicy

NewMtlsPolicy returns a checker used to detect proxy mtls mode.

type PolicyApplier

type PolicyApplier interface {
	// InboundMTLSSettings returns inbound mTLS settings for a given workload port
	InboundMTLSSettings(endpointPort uint32, node *model.Proxy, trustDomainAliases []string, modeOverride model.MutualTLSMode) MTLSSettings

	// JwtFilter returns the JWT HTTP filter to enforce the underlying authentication policy.
	// It may return nil, if no JWT validation is needed.
	JwtFilter(clearRouteCache bool) *hcm.HttpFilter

	// PortLevelSetting returns port level mTLS settings.
	PortLevelSetting() map[uint32]model.MutualTLSMode

	MtlsPolicy
}

PolicyApplier is the interface provides essential functionalities to help config Envoy (xDS) to enforce authentication policy. Each version of authentication policy will implement this interface.

func NewPolicyApplier

func NewPolicyApplier(push *model.PushContext, proxy *model.Proxy, svc *model.Service) PolicyApplier

NewPolicyApplier returns the appropriate (policy) applier, depends on the versions of the policy exists for the given service innstance.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL