Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthSource

type AuthSource int

AuthSource represents where the authentication result is derived from.

const (
	AuthSourceClientCertificate AuthSource = iota
	AuthSourceIDToken
)

type Caller

type Caller struct {
	AuthSource AuthSource
	Identities []string
}

Caller carries the identity and authentication source of a caller.

type ClientCertAuthenticator

type ClientCertAuthenticator struct{}

ClientCertAuthenticator extracts identities from the client certificate.

func (*ClientCertAuthenticator) Authenticate

func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*Caller, error)

Authenticate extracts identities from the presented client certificates. This method assumes that the certificate chain has been properly validated before it is called; it does not perform certificate chain validation itself.
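The validation precondition above matters in practice, so here is an added example (not this package's code) of a caller-side guard that only reads identities from a chain the TLS layer has already verified. It assumes the transport is Go's crypto/tls; `callerFromTLS`, `sampleState` and the SPIFFE ID are hypothetical, and the certificate is constructed sample data.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/url"
)

// Local copies of the page's types so the example compiles on its own.
type AuthSource int

const AuthSourceClientCertificate AuthSource = 0 // first value of the page's const block

type Caller struct {
	AuthSource AuthSource
	Identities []string
}

// callerFromTLS (hypothetical helper) reads identities only from VerifiedChains.
// crypto/tls also fills PeerCertificates for unverified certificates (for example
// with ClientAuth set to RequireAnyClientCert), so that field is never consulted.
func callerFromTLS(cs tls.ConnectionState) (*Caller, error) {
	if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return nil, fmt.Errorf("no verified client certificate chain")
	}
	leaf := cs.VerifiedChains[0][0]
	ids := append([]string{}, leaf.DNSNames...)
	for _, u := range leaf.URIs {
		ids = append(ids, u.String())
	}
	return &Caller{AuthSource: AuthSourceClientCertificate, Identities: ids}, nil
}

// sampleState returns a constructed connection state. The certificate is a bare
// struct with one URI SAN (sample data), marked verified only when asked.
func sampleState(verified bool) tls.ConnectionState {
	id, _ := url.Parse("spiffe://example.org/ns/default/sa/demo")
	cert := &x509.Certificate{URIs: []*url.URL{id}}
	cs := tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}
	if verified {
		cs.VerifiedChains = [][]*x509.Certificate{{cert}}
	}
	return cs
}

func main() {
	fmt.Println(callerFromTLS(sampleState(true)))
	fmt.Println(callerFromTLS(sampleState(false)))
}
```

A server that should populate VerifiedChains needs `ClientAuth` set to `tls.RequireAndVerifyClientCert` or `tls.VerifyClientCertIfGiven` together with a `ClientCAs` pool.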

type IDTokenAuthenticator

type IDTokenAuthenticator struct {
	// contains filtered or unexported fields
}

IDTokenAuthenticator extracts the identity from a JWT. The JWT is required to be transmitted using the "Bearer" authentication scheme.

func NewIDTokenAuthenticator

func NewIDTokenAuthenticator(aud string) (*IDTokenAuthenticator, error)

NewIDTokenAuthenticator creates a new IDTokenAuthenticator.

func (*IDTokenAuthenticator) Authenticate

func (a *IDTokenAuthenticator) Authenticate(ctx context.Context) (*Caller, error)

Authenticate authenticates a caller using the JWT in the context.

type KubeJWTAuthenticator

type KubeJWTAuthenticator struct {
	// contains filtered or unexported fields
}

KubeJWTAuthenticator authenticates K8s JWTs.

func NewKubeJWTAuthenticator

func NewKubeJWTAuthenticator(k8sAPIServerURL, caCertPath, jwtPath, trustDomain string) (*KubeJWTAuthenticator, error)

NewKubeJWTAuthenticator creates a new KubeJWTAuthenticator.

func (*KubeJWTAuthenticator) Authenticate

func (a *KubeJWTAuthenticator) Authenticate(ctx context.Context) (*Caller, error)

Authenticate authenticates the call using the K8s JWT from the context. The returned Caller.Identities is in SPIFFE format.