Documentation
¶
Index ¶
- Constants
- func BuildAuthNFilter(policy *authn.Policy, proxyType model.NodeType) *http_conn.HttpFilter
- func BuildJwtFilter(policy *authn.Policy) *http_conn.HttpFilter
- func CollectJwtSpecs(policy *authn.Policy) []*authn.Jwt
- func ConvertPolicyToAuthNFilterConfig(policy *authn.Policy, proxyType model.NodeType) *authn_filter.FilterConfig
- func ConvertPolicyToJwtConfig(policy *authn.Policy, useInlinePublicKey bool) *jwtfilter.JwtAuthentication
- func JwksURIClusterName(hostname string, port *model.Port) string
- func NewPlugin() plugin.Plugin
- func OutputLocationForJwtIssuer(issuer string) string
- func RequireTLS(policy *authn.Policy, proxyType model.NodeType) (bool, *authn.MutualTls)
- type Plugin
- func (Plugin) OnInboundCluster(env model.Environment, node model.Proxy, service *model.Service, ...)
- func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
- func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
- func (Plugin) OnOutboundCluster(env model.Environment, node model.Proxy, service *model.Service, ...)
- func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
- func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
- func (Plugin) RequireTLSMultiplexing(mesh *meshconfig.MeshConfig, store model.IstioConfigStore, ...) bool
Constants ¶
const ( // JwtFilterName is the name for the Jwt filter. This should be the same // as the name defined in // https://github.com/istio/proxy/blob/master/src/envoy/http/jwt_auth/http_filter_factory.cc#L50 JwtFilterName = "jwt-auth" // AuthnFilterName is the name for the Istio AuthN filter. This should be the same // as the name defined in // https://github.com/istio/proxy/blob/master/src/envoy/http/authn/http_filter_factory.cc#L30 AuthnFilterName = "istio_authn" // EnvoyTLSInspectorFilterName is the name for Envoy TLS sniffing listener filter. EnvoyTLSInspectorFilterName = "envoy.listener.tls_inspector" // EnvoyRawBufferMatch is the transport protocol name when tls multiplexed is used. EnvoyRawBufferMatch = "raw_buffer" // EnvoyTLSMatch is the transport protocol name when tls multiplexed is used. EnvoyTLSMatch = "tls" )
Variables ¶
This section is empty.
Functions ¶
func BuildAuthNFilter ¶
BuildAuthNFilter returns authn filter for the given policy. If policy is nil, returns nil.
func BuildJwtFilter ¶
func BuildJwtFilter(policy *authn.Policy) *http_conn.HttpFilter
BuildJwtFilter returns a Jwt filter for all Jwt specs in the policy.
func CollectJwtSpecs ¶
CollectJwtSpecs returns a list of all JWT specs (ponters) defined the policy. This provides a convenient way to iterate all Jwt specs.
func ConvertPolicyToAuthNFilterConfig ¶
func ConvertPolicyToAuthNFilterConfig(policy *authn.Policy, proxyType model.NodeType) *authn_filter.FilterConfig
ConvertPolicyToAuthNFilterConfig returns an authn filter config corresponding for the input policy.
func ConvertPolicyToJwtConfig ¶
func ConvertPolicyToJwtConfig(policy *authn.Policy, useInlinePublicKey bool) *jwtfilter.JwtAuthentication
ConvertPolicyToJwtConfig converts policy into Jwt filter config for envoy.
func JwksURIClusterName ¶
JwksURIClusterName returns cluster name for the jwks URI. This should be used to override the name for outbound cluster that are added for Jwks URI so that they can be referred correctly in the JWT filter config.
func OutputLocationForJwtIssuer ¶
OutputLocationForJwtIssuer returns the header location that should be used to output payload if authentication succeeds.
Types ¶
type Plugin ¶
type Plugin struct{}
Plugin implements Istio mTLS auth
func (Plugin) OnInboundCluster ¶
func (Plugin) OnInboundCluster(env model.Environment, node model.Proxy, service *model.Service, servicePort *model.Port, cluster *xdsapi.Cluster)
OnInboundCluster implements the Plugin interface method.
func (Plugin) OnInboundListener ¶
func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
OnInboundListener is called whenever a new listener is added to the LDS output for a given service Can be used to add additional filters (e.g., mixer filter) or add more stuff to the HTTP connection manager on the inbound path
func (Plugin) OnInboundRouteConfiguration ¶
func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
OnInboundRouteConfiguration implements the Plugin interface method.
func (Plugin) OnOutboundCluster ¶
func (Plugin) OnOutboundCluster(env model.Environment, node model.Proxy, service *model.Service, servicePort *model.Port, cluster *xdsapi.Cluster)
OnOutboundCluster implements the Plugin interface method.
func (Plugin) OnOutboundListener ¶
func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error
OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service Can be used to add additional filters on the outbound path
func (Plugin) OnOutboundRouteConfiguration ¶
func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)
OnOutboundRouteConfiguration implements the Plugin interface method.
func (Plugin) RequireTLSMultiplexing ¶
func (Plugin) RequireTLSMultiplexing(mesh *meshconfig.MeshConfig, store model.IstioConfigStore, hostname model.Hostname, port *model.Port) bool
RequireTLSMultiplexing returns true if any one of MTLS mode is `PERMISSIVE`.
Source Files