iap

package
v0.0.0-...-401afe1
Warning

This package is not in the latest version of its module.

Published: Jan 23, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Constants

const (
	// JWTHeader is the name of the header containing the JWT set by IAP
	// https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers
	JWTHeader  = "x-goog-iap-jwt-assertion"
	EmailClaim = "email"
)

Variables

This section is empty.

Functions

func BackendIAPName

func BackendIAPName(project string, backend string) string

BackendIAPName returns the full IAP resource name for the backend.

func GetGCPBackend

func GetGCPBackend(client *kubernetes.Clientset, namespace string, serviceName string, ingressName string) (string, error)

GetGCPBackend determines the GCP backend associated with the given K8s service. The backends are stored as annotations on the K8s ingress. An ingress can have multiple backends but these should be named off of the service.

func GetGCPBackendFromIngress

func GetGCPBackendFromIngress(ingress *v1.Ingress, namespace string, serviceName string) (string, error)

GetGCPBackendFromIngress determines the GCP backend associated with the given K8s service. The backends are stored as annotations on the K8s ingress. An ingress can have multiple backends but these should be named off of the service.

func GetGCPBackendFromService

func GetGCPBackendFromService(client *kubernetes.Clientset, bkSvc *compute.BackendServicesClient, project string, namespace string, serviceName string) (map[string]string, error)

GetGCPBackendFromService determines the GCP backend associated with the given K8s service. It fetches the NEG (network endpoint group) associated with the given K8s service from its annotations. It then loops over the backend services to find the backend associated with that NEG.

Returns a mapping from neg name to backend service name.

There can be more than one NEG associated with a backend service because NEGs are port specific. N.B. This was tested with the Gateway resource, but it should work with the Ingress resource as well. It builds a mapping from BackendServices to NEGs.

Types

type NegStatus

type NegStatus struct {
	NetworkEndpointGroups map[string]string `json:"network_endpoint_groups"`
	Zones                 []string          `json:"zones"`
}

type Verifier

type Verifier struct {
	Aud string
}

Verifier verifies IAP JWTs.

func (*Verifier) Email

func (v *Verifier) Email(iapJWT string) (string, error)

Email verifies the JWT and, if it's valid, returns the email.

func (*Verifier) Verify

func (v *Verifier) Verify(iapJWT string) error

Verify verifies that the JWT header is properly signed by Google, indicating the request went through IAP. See https://cloud.google.com/iap/docs/signed-headers-howto#retrieving_the_user_identity
