hpaas -h
Usage of hpaas:
--config string path to config file (env: HPAAS_JWKS_URI) (default "hpaas.yaml")
Sample Config
# port to serve on. metrics server is started on this port+1
port: 8820
# enable debug logs
debug: true
# rego policy for authorization. inputs: input.claims (map), input.headers (map), input.request (map), input.method (string)
# caution - this one allows any request
rego_policy: |-
  package hpaas.authz
  default allow = true
# query the allow variable
rego_query: "data.hpaas.authz.allow"
# remote JSON Web Key Set (JWKS) URI for verifying inbound JWTs
jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
# list of helm repos to load at startup
repos:
  - name: "stable"
    url: "https://charts.helm.sh/stable"
Notes
GraphQL API is served on :8820/graphql by default
gRPC API is served on :8820 by default
metrics server (Prometheus metrics and pprof) is served on :8821 (port+1) by default
intended to be exposed publicly behind a TLS-terminating load balancer/ingress as an alternative to exposing your Kubernetes API server directly
the JWKS URI is used to fetch public keys from a remote source in order to verify the signatures of inbound JWTs; this is authentication
if no JWKS URI is provided, inbound JWTs are not verified (insecure): any caller can present a token with arbitrary claims, so nothing in the Rego policy that depends on input.claims can be trusted
a Rego policy may be added to the hpaas config in order to implement fine-grained authorization
if the Rego policy is empty, a default allow-all policy is used (insecure); the sample policy above is equally permissive, so replace it before exposing the service
input attributes passed to the Rego authorization policy on each client request include:
input.claims (map) - the payload/claims of the inbound JWT
input.headers (map) - the headers of the inbound request
input.request (map) - the payload of the inbound request
input.method (string) - the gRPC method of the inbound request
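A hardened counterpart to the sample config above, covering both the JWKS setting and a non-trivial Rego policy over the input attributes just listed. This is an added example, not a file shipped by the project: the claim names (iss, email, email_verified, hd) are those of Google ID tokens to match the sample's jwks_uri, while the company domain, operator addresses and the two gRPC method names are assumed placeholders to be replaced with your own values and the real method names from the hpaas gRPC API. The policy uses the same Rego syntax style as the sample (no `if` keyword).

```yaml
# Added example: a deny-by-default hpaas config. Not the project's own file.
port: 8820
debug: false

# Without jwks_uri inbound JWTs are accepted unverified, so every claim the
# policy below relies on could be forged. Keep it set.
jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"

rego_policy: |-
  package hpaas.authz

  # Deny unless a rule below explicitly grants the request.
  default allow = false

  # Google issues ID tokens under either of these issuer strings.
  trusted_issuers = {"accounts.google.com", "https://accounts.google.com"}

  # Assumed placeholders: the organisation's Google Workspace domain and
  # the addresses allowed to perform mutating operations.
  company_domain = "example.com"
  operators = {"alice@example.com", "bob@example.com"}

  # Assumed placeholder method names; substitute the real ones from the
  # hpaas gRPC API. input.method carries the full gRPC method name.
  read_methods = {
    "/hpaas.Hpaas/ListReleases",
    "/hpaas.Hpaas/GetRelease",
  }

  # The token must come from a trusted issuer and carry a verified address
  # in the company domain (hd is Google's hosted-domain claim).
  valid_identity {
    trusted_issuers[input.claims.iss]
    input.claims.email_verified == true
    input.claims.hd == company_domain
  }

  # Any verified member of the domain may call read-only methods.
  allow {
    valid_identity
    read_methods[input.method]
  }

  # Everything else (install, upgrade, delete, ...) is reserved for operators.
  allow {
    valid_identity
    operators[input.claims.email]
  }

rego_query: "data.hpaas.authz.allow"

repos:
  - name: "stable"
    url: "https://charts.helm.sh/stable"
```

The two `allow` rules are OR-ed: a request passes if any one of them holds. Because `default allow = false` is set, a request with no JWT, a token from another issuer, an unverified address, or an address outside the domain falls through every rule and is rejected, and a domain member who is not listed in `operators` can only reach the methods named in `read_methods`.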