Documentation
Overview
Package proxy provides a reverse proxy that accepts client certificates and forwards Common Name and Organizations to backend API servers in HTTP headers. The proxy terminates client TLS and communicates with API servers via mTLS. Traffic is routed based on paths.
An example configuration:
    - path: /services/
      backend: https://localhost:6444
      backend_server_ca: certs/kcp-ca-cert.pem
      proxy_client_cert: certs/proxy-client-cert.pem
      proxy_client_key: certs/proxy-client-key.pem
    - path: /
      backend: https://localhost:6443
      backend_server_ca: certs/kcp-ca-cert.pem
      proxy_client_cert: certs/proxy-client-cert.pem
      proxy_client_key: certs/proxy-client-key.pem
Index
- func NewHandler(ctx context.Context, o *proxyoptions.Options, index index.Index) (http.Handler, error)
- func ShardURLFrom(ctx context.Context) *url.URL
- func WithProxyAuthHeaders(delegate http.Handler, userHeader, groupHeader string, ...) http.HandlerFunc
- func WithShardURL(parent context.Context, shardURL *url.URL) context.Context
- type CompletedConfig
- type Config
- type ExtraConfig
- type HttpHandler
- type PathMapping
- type Server
Functions
func NewHandler
func WithProxyAuthHeaders
func WithProxyAuthHeaders(delegate http.Handler, userHeader, groupHeader string, extraHeaderPrefix string) http.HandlerFunc
WithProxyAuthHeaders does client cert termination by extracting the user and groups and passing them through access headers to the shard.
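The pattern WithProxyAuthHeaders describes, as an added example that is not kcp's own code: the handler deletes any identity headers the client sent before setting them from the verified client certificate, so a caller cannot assert its own user or groups to the backend. The function names, the header names X-Remote-User and X-Remote-Group, the certificate subject, and the choice to reject requests without a certificate are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// certIdentityHeaders is a hypothetical stand-in for the documented pattern, not kcp's implementation.
func certIdentityHeaders(next http.Handler, userHeader, groupHeader string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Drop client-supplied identity headers first so they can never reach the backend.
		r.Header.Del(userHeader)
		r.Header.Del(groupHeader)
		// Trustworthy only if the listener sets ClientAuth to tls.RequireAndVerifyClientCert.
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		subject := r.TLS.PeerCertificates[0].Subject
		r.Header.Set(userHeader, subject.CommonName)
		for _, org := range subject.Organization {
			r.Header.Add(groupHeader, org)
		}
		next.ServeHTTP(w, r)
	}
}

// forwardedIdentity runs one constructed request and returns the status and the headers the backend saw.
func forwardedIdentity(withCert bool, spoofedUser string) (int, string) {
	seen := ""
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = fmt.Sprintf("%s %v", r.Header.Get("X-Remote-User"), r.Header.Values("X-Remote-Group"))
	})
	req := httptest.NewRequest("GET", "/services/", nil)
	req.Header.Set("X-Remote-User", spoofedUser) // header a client might try to inject
	if withCert { // constructed subject, not a real identity
		name := pkix.Name{CommonName: "alice", Organization: []string{"team-a"}}
		req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{Subject: name}}}
	}
	rec := httptest.NewRecorder()
	certIdentityHeaders(backend, "X-Remote-User", "X-Remote-Group")(rec, req)
	return rec.Code, seen
}

func main() { fmt.Println(forwardedIdentity(true, "system:admin")) }
```

With the constructed certificate the backend sees the certificate's Common Name and Organization whatever X-Remote-User value the request carried; without a certificate the backend is never reached.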
Types
type CompletedConfig (added in v0.9.0)
type CompletedConfig struct {
// contains filtered or unexported fields
}
type Config (added in v0.9.0)
type Config struct {
	Options *proxyoptions.Options
	ExtraConfig
}
func (*Config) Complete (added in v0.9.0)
func (c *Config) Complete() (CompletedConfig, error)
Complete fills in any fields that are not set but are required to hold valid data. It mutates the receiver.
type ExtraConfig (added in v0.9.0)
type ExtraConfig struct {
	// resolveIdentities is to be called on server start until it succeeds. It injects the kcp
	// resource identities into the rest.Config used by the client. Only after it succeeds,
	// the clients can wildcard-list/watch most kcp resources.
	ResolveIdentities func(ctx context.Context) error
	RootShardConfig *rest.Config
	ShardsConfig *rest.Config
	AuthenticationInfo genericapiserver.AuthenticationInfo
	ServingInfo *genericapiserver.SecureServingInfo
	AdditionalAuthEnabled bool
}
type HttpHandler (added in v0.24.0)
type HttpHandler struct {
// contains filtered or unexported fields
}
func (*HttpHandler) ServeHTTP (added in v0.24.0)
func (h *HttpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
type PathMapping
type PathMapping struct {
	Path string `json:"path"`
	Backend string `json:"backend"`
	BackendServerCA string `json:"backend_server_ca"`
	ProxyClientCert string `json:"proxy_client_cert"`
	ProxyClientKey string `json:"proxy_client_key"`
	UserHeader string `json:"user_header,omitempty"`
	GroupHeader string `json:"group_header,omitempty"`
	ExtraHeaderPrefix string `json:"extra_header_prefix"`
}
PathMapping describes how to route traffic from a path to a backend server. Each Path is registered with the DefaultServeMux with a handler that delegates to the specified backend.
type Server (added in v0.9.0)
type Server struct {
	CompletedConfig
	Handler http.Handler
	IndexController *index.Controller
}