proxy

package
v1.11.0
This package is not in the latest version of its module.

Published: Sep 12, 2023 License: GPL-3.0 Imports: 23 Imported by: 0

Documentation

Constants

const (
	// AwsRegionEnvVar is the environment variable that specifies the AWS region
	AwsRegionEnvVar = "AWS_REGION"
	// AwsServiceEnvVar is the environment variable that specifies the AWS service
	AwsServiceEnvVar = "AWS_SERVICE_NAME"

	// AwsRegionDefault is the default AWS region used for signing
	AwsRegionDefault = "us-east-1"
	// AwsServiceDefault is the default AWS service used for signing
	AwsServiceDefault = "aps"
)
const (
	// Namespaces is the key used to pass the Prometheus tenant ID through the middleware context
	Namespaces key = iota
	// Labels is the key used to pass additional Prometheus labels through the middleware context
	Labels key = iota
)

Variables

This section is empty.

Functions

func AuthHandler added in v1.6.0

func AuthHandler(auth Auth, whitelist []string, handler http.HandlerFunc) http.HandlerFunc

AuthHandler returns an authentication middleware handler

func LogRequest

func LogRequest(handler http.HandlerFunc) http.HandlerFunc

LogRequest can be used as a middleware chain to log every request before proxying the request

func Serve

func Serve(c *cli.Context) error

Serve serves

Types

type AWSSigner added in v1.8.0

type AWSSigner struct {
	// contains filtered or unexported fields
}

AWSSigner is a wrapper around the AWS SDK's Signer. Signing is required to use the proxy against an AWS Prometheus service endpoint. HTTP requests will be signed using the AWS credentials from the environment and the AWS_DEFAULT_REGION (default=us-east-1) and AWS_SERVICE_NAME (default=aps). See https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html and https://docs.aws.amazon.com/sdk-for-go/api/service/signer for more details.

func NewAWSSigner added in v1.8.0

func NewAWSSigner() *AWSSigner

NewAWSSigner creates a new AWS Signer using credentials from environment variables.

func (*AWSSigner) Sign added in v1.8.0

func (s *AWSSigner) Sign(req *http.Request) error

Sign signs the HTTP request using the AWS Signer, meaning it adds the proper Authorization header using signature v4. See https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

func (*AWSSigner) SignAfter added in v1.8.0

func (s *AWSSigner) SignAfter(director func(*http.Request)) func(*http.Request)

SignAfter wraps an existing Director function (see https://pkg.go.dev/net/http/httputil#ReverseProxy). The request will be signed after the transformation by the original director.
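Why the signature has to be computed after the director runs, as an added example that is not the package's own code: `toySign` is a constructed HMAC stand-in for SigV4, and `signAfter`, `signBefore`, `rewrite`, the header name and the host names are hypothetical. A signature taken before the director rewrites the host and query no longer matches what the upstream receives.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/url"
)

var demoKey = []byte("constructed-demo-key") // constructed value, not a real credential

// toySign stands in for SigV4: it MACs the method, host, path and query string.
func toySign(req *http.Request) string {
	m := hmac.New(sha256.New, demoKey)
	fmt.Fprintf(m, "%s\n%s\n%s\n%s", req.Method, req.URL.Host, req.URL.Path, req.URL.RawQuery)
	return fmt.Sprintf("%x", m.Sum(nil))
}

// signAfter has the shape of the documented SignAfter: run the director, then sign.
func signAfter(director func(*http.Request)) func(*http.Request) {
	return func(req *http.Request) {
		director(req)
		req.Header.Set("X-Demo-Signature", toySign(req))
	}
}

// signBefore is the wrong order, kept only for comparison.
func signBefore(director func(*http.Request)) func(*http.Request) {
	return func(req *http.Request) {
		req.Header.Set("X-Demo-Signature", toySign(req))
		director(req)
	}
}

// rewrite is a hypothetical director: retarget the upstream and pin the tenant matcher.
func rewrite(req *http.Request) {
	req.URL.Host = "upstream.example.internal"
	req.URL.RawQuery = url.Values{"query": {`up{namespace="team-a"}`}}.Encode()
}

// accepted reports whether the upstream's recomputed MAC matches the header it received.
func accepted(wrap func(func(*http.Request)) func(*http.Request)) bool {
	req, _ := http.NewRequest("GET", "http://proxy.local/api/v1/query?query=up", nil)
	wrap(rewrite)(req)
	return hmac.Equal([]byte(req.Header.Get("X-Demo-Signature")), []byte(toySign(req)))
}

func main() { fmt.Println(accepted(signAfter), accepted(signBefore)) }
```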

func (*AWSSigner) String added in v1.8.0

func (s *AWSSigner) String() string

type Auth added in v1.6.0

type Auth interface {
	// IsAuthorized authenticates a request and returns the list of namespaces the user has access to
	IsAuthorized(r *http.Request) (bool, []string, map[string]string)
	// WriteUnauthorisedResponse writes an HTTP response in case the user is forbidden
	WriteUnauthorisedResponse(w http.ResponseWriter)
	// Load loads or reloads the configuration
	Load() bool
}

Auth implements an authentication middleware
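A custom type with the three methods of the Auth interface above, as an added example that is not part of this package: `StaticTokenAuth`, `tenant`, `demoAuth` and the sample tokens are hypothetical and constructed. It compares token hashes in constant time and fails closed when a tenant has no namespaces, which is this example's choice rather than documented behaviour of the proxy.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// tenant is a hypothetical record: SHA-256 of a bearer token plus its grants.
type tenant struct {
	hash       [32]byte
	namespaces []string
	labels     map[string]string
}

// StaticTokenAuth is a hypothetical type with the three methods of Auth.
type StaticTokenAuth struct{ tenants []tenant }

func (a *StaticTokenAuth) Load() bool { return len(a.tenants) > 0 }

func (a *StaticTokenAuth) WriteUnauthorisedResponse(w http.ResponseWriter) {
	http.Error(w, "Unauthorised", http.StatusUnauthorized)
}

func (a *StaticTokenAuth) IsAuthorized(r *http.Request) (bool, []string, map[string]string) {
	h := r.Header.Get("Authorization")
	sum := sha256.Sum256([]byte(strings.TrimPrefix(h, "Bearer ")))
	var match *tenant
	for i := range a.tenants { // no early exit; each comparison is constant time
		if subtle.ConstantTimeCompare(sum[:], a.tenants[i].hash[:]) == 1 {
			match = &a.tenants[i]
		}
	}
	// Fail closed: wrong scheme, unknown token, or a tenant with no namespaces.
	if !strings.HasPrefix(h, "Bearer ") || match == nil || len(match.namespaces) == 0 {
		return false, nil, nil
	}
	return true, match.namespaces, match.labels
}

// demoAuth holds constructed tenants; the second has a valid token but no grants.
func demoAuth() *StaticTokenAuth {
	return &StaticTokenAuth{[]tenant{
		{sha256.Sum256([]byte("tok-a")), []string{"team-a"}, map[string]string{"env": "prod"}},
		{sha256.Sum256([]byte("tok-x")), nil, nil},
	}}
}

func main() {
	r, _ := http.NewRequest("GET", "/api/v1/query", nil)
	r.Header.Set("Authorization", "Bearer tok-a")
	fmt.Println(demoAuth().IsAuthorized(r))
}
```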

type BasicAuth

type BasicAuth struct {
	// contains filtered or unexported fields
}

BasicAuth can be used as a middleware chain to authenticate users with Basic authentication before proxying a request

func NewBasicAuth added in v1.6.0

func NewBasicAuth(configLocation string) *BasicAuth

NewBasicAuth creates a BasicAuth, loading the Authn from configLocation

func (*BasicAuth) IsAuthorized added in v1.6.0

func (auth *BasicAuth) IsAuthorized(r *http.Request) (bool, []string, map[string]string)

IsAuthorized uses basic authentication and the Authn file to authenticate a user and returns the namespaces the user has access to

func (*BasicAuth) Load added in v1.6.0

func (auth *BasicAuth) Load() bool

Load loads or reloads the Authn from the configuration file

func (*BasicAuth) WriteUnauthorisedResponse added in v1.6.0

func (auth *BasicAuth) WriteUnauthorisedResponse(w http.ResponseWriter)

WriteUnauthorisedResponse writes a 401 Unauthorized HTTP response with a redirect to basic authentication

type JwtAuth added in v1.6.0

type JwtAuth struct {
	// contains filtered or unexported fields
}

JwtAuth can be used as a middleware chain to authenticate users using a JWT token before proxying a request

func NewJwtAuth added in v1.6.0

func NewJwtAuth(config string) *JwtAuth

NewJwtAuth creates a JwtAuth by loading a JWKS from either a file or a URL

func (*JwtAuth) IsAuthorized added in v1.6.0

func (auth *JwtAuth) IsAuthorized(r *http.Request) (bool, []string, map[string]string)

IsAuthorized validates the user by verifying the JWT token in the request and returning the namespaces claim found in the token payload.

func (*JwtAuth) Load added in v1.6.0

func (auth *JwtAuth) Load() bool

Load loads or reloads the JWKS from its config location (file or URL).

func (*JwtAuth) String added in v1.6.0

func (auth *JwtAuth) String() string

func (*JwtAuth) WriteUnauthorisedResponse added in v1.6.0

func (auth *JwtAuth) WriteUnauthorisedResponse(w http.ResponseWriter)

WriteUnauthorisedResponse writes a 401 Unauthorized HTTP response

type NamespaceClaim added in v1.6.0

type NamespaceClaim struct {
	// Namespaces contains the list of namespaces a user has access to
	Namespaces []string `json:"namespaces"`
	// Labels contains a map of labels that will be injected for the user
	Labels map[string]string `json:"labels"`
	jwt.RegisteredClaims
}

NamespaceClaim is the expected structure of the JWT token payload

type ReversePrometheusRoundTripper added in v1.3.0

type ReversePrometheusRoundTripper struct {
	// contains filtered or unexported fields
}

func (*ReversePrometheusRoundTripper) Director added in v1.3.0

func (r *ReversePrometheusRoundTripper) Director(req *http.Request)

func (*ReversePrometheusRoundTripper) RoundTrip added in v1.3.0
