Constants

const (
	FilterName        = "envoy.ext_authz"
	DefaultAuthHeader = "x-user-id"
	HttpServerUri     = "http://not-used.example.com/"
)

Variables

var (
	DefaultTimeout = 200 * time.Millisecond
	NoServerRefErr = errors.New("no extauth server reference configured")
	ServerNotFound = func(usRef *core.ResourceRef) error {
		return errors.Errorf("extauth server upstream not found %s", usRef.String())
	}
	InvalidStatusOnErrorErr = func(code uint32) error {
		return errors.Errorf("invalid statusOnError code: %d", code)
	}
)

Note that although this configures the "envoy.ext_authz" filter, we still want the ordering to be within the AuthNStage because we are using this filter for authentication purposes.

Functions

func BuildHttpFilters

func BuildHttpFilters(settings *extauthv1.Settings, upstreams v1.UpstreamList) ([]plugins.StagedHttpFilter, error)

Types

type Plugin

type Plugin struct {
	// contains filtered or unexported fields
}

func NewCustomAuthPlugin

func NewCustomAuthPlugin() *Plugin

func (*Plugin) HttpFilters

func (p *Plugin) HttpFilters(params plugins.Params, _ *v1.HttpListener) ([]plugins.StagedHttpFilter, error)

func (*Plugin) Init

func (p *Plugin) Init(params plugins.InitParams) error

func (*Plugin) ProcessRoute

func (p *Plugin) ProcessRoute(params plugins.RouteParams, in *v1.Route, out *route.Route) error

This function generates the ext_authz PerFilterConfig for this route:
- if the route defines custom auth configuration, set the filter correspondingly;
- if auth is explicitly disabled, disable the filter (will apply by default also to WeightedDestinations);
- else, do nothing (will inherit config from parent virtual host).

func (*Plugin) ProcessVirtualHost

func (p *Plugin) ProcessVirtualHost(params plugins.VirtualHostParams, in *v1.VirtualHost, out *route.VirtualHost) error

This function generates the ext_authz PerFilterConfig for this virtual host. If the ext_authz filter was not configured on the listener, do nothing. If the filter is configured and the virtual host does not define an extauth configuration OR explicitly disables extauth, we disable the ext_authz filter. This is done to disable authentication by default on a virtual host and its child resources (routes, weighted destinations). Extauth is currently opt-in.

func (*Plugin) ProcessWeightedDestination

func (p *Plugin) ProcessWeightedDestination(params plugins.RouteParams, in *v1.WeightedDestination, out *route.WeightedCluster_ClusterWeight) error

This function generates the ext_authz PerFilterConfig for this weightedDestination:
- if the weightedDestination defines custom auth configuration, set the filter correspondingly;
- if auth is explicitly disabled, disable the filter;
- else, do nothing (will inherit config from parent virtual host and/or route).
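
The inheritance rules documented for ProcessVirtualHost, ProcessRoute and ProcessWeightedDestination, modelled as an added example (not the plugin's own code) that lists which paths end up without authentication because extauth is opt-in. Setting, Path, AuthEnforced and Unauthenticated are hypothetical names; the model assumes that a virtual host with custom extauth config enables the filter and that the most specific per-filter config wins.

```go
package main

import "fmt"

// Setting is a hypothetical stand-in for the extauth config on one resource.
type Setting int

const (
	Unset    Setting = iota // no extauth config defined
	Disabled                // auth explicitly disabled
	Custom                  // custom auth configuration defined
)

// Path is a constructed shape (not a Gloo type) for one request path.
type Path struct {
	Name               string
	VHost, Route, Dest Setting // virtual host, route, weighted destination
}

// AuthEnforced resolves the effective state; the most specific level wins.
func AuthEnforced(listenerHasFilter bool, p Path) bool {
	enforced := p.VHost == Custom // Unset and Disabled both disable: opt-in
	for _, s := range []Setting{p.Route, p.Dest} {
		if s != Unset { // Unset inherits from the parent
			enforced = s == Custom
		}
	}
	return listenerHasFilter && enforced // no filter on the listener: no auth
}

// Unauthenticated returns the names of paths that reach upstream without auth.
func Unauthenticated(listenerHasFilter bool, paths []Path) []string {
	var open []string
	for _, p := range paths {
		if !AuthEnforced(listenerHasFilter, p) {
			open = append(open, p.Name)
		}
	}
	return open
}

func main() {
	paths := []Path{ // constructed sample configuration
		{"/public", Unset, Unset, Unset}, {"/api", Custom, Unset, Unset},
		{"/api/health", Custom, Disabled, Unset}, {"/admin", Unset, Custom, Unset},
		{"/admin-canary", Unset, Custom, Disabled},
	}
	fmt.Println(Unauthenticated(true, paths))
}
```

A route that was meant to be protected but sits under a virtual host with no extauth block shows up in this list, which is the case to check for when reviewing a configuration.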