Documentation ¶
Index ¶
- Constants
- Variables
- type AccessProxy
- func (g *AccessProxy) GetAllBackends() []*Backend
- func (g *AccessProxy) GetBackend(name string) (*Backend, bool)
- func (g *AccessProxy) GetBackendByHost(host string) (*Backend, bool)
- func (g *AccessProxy) GetBackendByHostname(hostname string) (*Backend, bool)
- func (g *AccessProxy) GetBackendsByRole(role *Role) ([]*Backend, error)
- func (g *AccessProxy) Load(dir string) error
- func (g *AccessProxy) ReloadConfig() error
- func (g *AccessProxy) Setup(backends []*Backend) error
- type AuthProxyHTTP
- type AuthorizationEngine
- func (a *AuthorizationEngine) GetAllRoles() []*Role
- func (a *AuthorizationEngine) GetRPCPermission(name string) (*RPCPermission, bool)
- func (a *AuthorizationEngine) GetRole(name string) (*Role, error)
- func (a *AuthorizationEngine) Load(dir string) error
- func (a *AuthorizationEngine) ReloadConfig() error
- func (a *AuthorizationEngine) Setup(roles []*Role, rpcPermissions []*RPCPermission) error
- type Backend
- type Binding
- type Certificate
- type CertificateAuthority
- type CertificateAuthorityLocal
- type Config
- type Credential
- type Dashboard
- type Datastore
- type DatastoreEtcd
- type DatastoreMySQL
- type Duration
- type HTTPBackend
- type HTTPBackendSelector
- type IdentityProvider
- type Location
- type Logger
- type Permission
- type RPCPermission
- type RPCServer
- type Role
- type Session
- type SocketBackend
- type Template
Constants ¶
View Source
const (
EmbedEtcdUrlFilename = "embed_etcd_url"
)
Variables ¶
View Source
var SystemRPCPermission = &RPCPermission{ Name: "system:proxy", Allow: []string{ "proxy.rpc.certificateauthority.watchrevokedcert", "proxy.rpc.certificateauthority.newservercert", "proxy.rpc.cluster.defragmentdatastore", "proxy.rpc.authority.signrequest", "proxy.rpc.authority.getpublickey", }, }
View Source
var SystemRole = &Role{ Name: "system:proxy", Bindings: []*Binding{ {RPC: "system:proxy"}, }, System: true, }
Functions ¶
This section is empty.
Types ¶
type AccessProxy ¶
type AccessProxy struct { ProxyFile string `json:"proxy_file,omitempty"` HTTP *AuthProxyHTTP `json:"http,omitempty"` RPCServer string `json:"rpc_server,omitempty"` Credential *Credential `json:"credential,omitempty"` Backends []*Backend `json:"-"` AuthEndpoint string `json:"-"` TokenEndpoint string `json:"-"` ServerNameHost string `json:"-"` // contains filtered or unexported fields }
func (*AccessProxy) GetAllBackends ¶
func (g *AccessProxy) GetAllBackends() []*Backend
func (*AccessProxy) GetBackend ¶
func (g *AccessProxy) GetBackend(name string) (*Backend, bool)
func (*AccessProxy) GetBackendByHost ¶
func (g *AccessProxy) GetBackendByHost(host string) (*Backend, bool)
GetBackendByHost is finding Backend by Host header
func (*AccessProxy) GetBackendByHostname ¶
func (g *AccessProxy) GetBackendByHostname(hostname string) (*Backend, bool)
func (*AccessProxy) GetBackendsByRole ¶
func (g *AccessProxy) GetBackendsByRole(role *Role) ([]*Backend, error)
func (*AccessProxy) Load ¶
func (g *AccessProxy) Load(dir string) error
func (*AccessProxy) ReloadConfig ¶ added in v0.11.0
func (g *AccessProxy) ReloadConfig() error
func (*AccessProxy) Setup ¶
func (g *AccessProxy) Setup(backends []*Backend) error
type AuthProxyHTTP ¶
type AuthProxyHTTP struct { Bind string `json:"bind,omitempty"` BindHttp string `json:"bind_http,omitempty"` BindInternalApi string `json:"bind_internal_api,omitempty"` ServerName string `json:"server_name,omitempty"` Certificate *Certificate `json:"certificate,omitempty"` ExpectCT bool `json:"expect_ct,omitempty"` Session *Session `json:"session,omitempty"` }
type AuthorizationEngine ¶
type AuthorizationEngine struct { RoleFile string `json:"role_file,omitempty"` RPCPermissionFile string `json:"rpc_permission_file,omitempty"` RootUsers []string `json:"root_users,omitempty"` Roles []*Role `json:"-"` RPCPermissions []*RPCPermission `json:"-"` // contains filtered or unexported fields }
func (*AuthorizationEngine) GetAllRoles ¶
func (a *AuthorizationEngine) GetAllRoles() []*Role
func (*AuthorizationEngine) GetRPCPermission ¶
func (a *AuthorizationEngine) GetRPCPermission(name string) (*RPCPermission, bool)
func (*AuthorizationEngine) GetRole ¶
func (a *AuthorizationEngine) GetRole(name string) (*Role, error)
func (*AuthorizationEngine) Load ¶
func (a *AuthorizationEngine) Load(dir string) error
func (*AuthorizationEngine) ReloadConfig ¶ added in v0.11.0
func (a *AuthorizationEngine) ReloadConfig() error
func (*AuthorizationEngine) Setup ¶
func (a *AuthorizationEngine) Setup(roles []*Role, rpcPermissions []*RPCPermission) error
type Backend ¶
type Backend struct { Name string `json:"name"` // Name is an identifier FQDN string `json:"fqdn,omitempty"` HTTP []*HTTPBackend `json:"http,omitempty"` // Deprecated Agent bool `json:"agent,omitempty"` Permissions []*Permission `json:"permissions"` AllowRootUser bool `json:"allow_root_user,omitempty"` DisableAuthn bool `json:"disable_authn,omitempty"` // MaxSessionDuration is a maximum duration before session expire for specify backend. // When MaxSessionDuration is not empty, OIDC authentication is required even if the user submits a client certificate. MaxSessionDuration *Duration `json:"max_session_duration,omitempty"` AllowHttp bool `json:"allow_http,omitempty"` Socket *SocketBackend `json:"socket,omitempty"` BackendSelector *HTTPBackendSelector `json:"-"` }
type Certificate ¶
type Certificate struct { CertFile string `json:"cert_file"` KeyFile string `json:"key_file"` // contains filtered or unexported fields }
func (*Certificate) GetCertificate ¶
func (c *Certificate) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
func (*Certificate) Load ¶
func (c *Certificate) Load(dir string) error
func (*Certificate) ReloadCertificate ¶ added in v0.11.0
func (c *Certificate) ReloadCertificate() error
type CertificateAuthority ¶
type CertificateAuthority struct {
Local *CertificateAuthorityLocal `json:"local"`
}
func (*CertificateAuthority) Load ¶
func (ca *CertificateAuthority) Load(dir string) error
type CertificateAuthorityLocal ¶
type CertificateAuthorityLocal struct { CertFile string `json:"cert_file"` KeyFile string `json:"key_file"` Organization string `json:"organization"` OrganizationUnit string `json:"organization_unit"` Country string `json:"country"` Subject pkix.Name `json:"-"` Certificate *x509.Certificate `json:"-"` PrivateKey crypto.PrivateKey `json:"-"` CertPool *x509.CertPool `json:"-"` }
type Config ¶
type Config struct { AccessProxy *AccessProxy `json:"access_proxy,omitempty"` AuthorizationEngine *AuthorizationEngine `json:"authorization_engine,omitempty"` RPCServer *RPCServer `json:"rpc_server,omitempty"` Dashboard *Dashboard `json:"dashboard,omitempty"` IdentityProvider *IdentityProvider `json:"identity_provider,omitempty"` Datastore *Datastore `json:"datastore,omitempty"` CertificateAuthority *CertificateAuthority `json:"certificate_authority,omitempty"` Logger *Logger `json:"logger,omitempty"` }
type Credential ¶
type Credential struct { SigningPrivateKeyFile string `json:"signing_private_key_file,omitempty"` InternalTokenFile string `json:"internal_token_file,omitempty"` GithubWebHookSecretFile string `json:"github_webhook_secret_file,omitempty"` SigningPrivateKey *ecdsa.PrivateKey `json:"-"` SigningPublicKey ecdsa.PublicKey `json:"-"` InternalToken string `json:"-"` GithubWebhookSecret []byte `json:"-"` }
func (*Credential) Load ¶
func (c *Credential) Load(dir string) error
type Dashboard ¶
type Datastore ¶
type Datastore struct { *DatastoreEtcd `json:"etcd,omitempty"` *DatastoreMySQL `json:"mysql,omitempty"` }
func (*Datastore) GetEtcdClient ¶
type DatastoreEtcd ¶
type DatastoreEtcd struct { RawUrl string `json:"url"` DataDir string `json:"data_dir,omitempty"` // use only embed etcd Namespace string `json:"namespace,omitempty"` // use only etcd CACertFile string `json:"ca_cert_file,omitempty"` CertFile string `json:"cert_file,omitempty"` KeyFile string `json:"key_file,omitempty"` Url *url.URL `json:"-"` Embed bool `json:"-"` EtcdUrl *url.URL `json:"-"` Certificate tls.Certificate `json:"-"` CertPool *x509.CertPool `json:"-"` // contains filtered or unexported fields }
type DatastoreMySQL ¶
type HTTPBackend ¶ added in v0.11.0
type HTTPBackendSelector ¶ added in v0.11.0
type HTTPBackendSelector struct {
// contains filtered or unexported fields
}
func NewHTTPBackendSelector ¶ added in v0.11.0
func NewHTTPBackendSelector() *HTTPBackendSelector
func (*HTTPBackendSelector) Add ¶ added in v0.11.0
func (s *HTTPBackendSelector) Add(b *HTTPBackend)
func (*HTTPBackendSelector) Find ¶ added in v0.11.0
func (s *HTTPBackendSelector) Find(path string) *HTTPBackend
type IdentityProvider ¶
type IdentityProvider struct { Provider string `json:"provider"` // "google", "okta", "azure" or "custom" Issuer string `json:"issuer,omitempty"` // for "custom" ClientId string `json:"client_id"` ClientSecretFile string `json:"client_secret_file"` ExtraScopes []string `json:"extra_scopes,omitempty"` Domain string `json:"domain,omitempty"` // for Okta and AzureAD RedirectUrl string `json:"redirect_url"` ClientSecret string `json:"-"` }
func (*IdentityProvider) Load ¶
func (idp *IdentityProvider) Load(dir string) error
type Location ¶
type Location struct { Any string `json:"any,omitempty"` Get string `json:"get,omitempty"` Post string `json:"post,omitempty"` Put string `json:"put,omitempty"` Delete string `json:"delete,omitempty"` Head string `json:"head,omitempty"` Connect string `json:"connect,omitempty"` Options string `json:"options,omitempty"` Trace string `json:"trace,omitempty"` Patch string `json:"patch,omitempty"` }
type Logger ¶
type Permission ¶
type RPCPermission ¶
type Session ¶
type SocketBackend ¶ added in v0.11.0
Click to show internal directories.
Click to hide internal directories.