Documentation
¶
Index ¶
- Constants
- Variables
- type AccessProxy
- func (g *AccessProxy) GetAllBackends() []*Backend
- func (g *AccessProxy) GetBackend(name string) (*Backend, bool)
- func (g *AccessProxy) GetBackendByHost(host string) (*Backend, bool)
- func (g *AccessProxy) GetBackendByHostname(hostname string) (*Backend, bool)
- func (g *AccessProxy) GetBackendsByRole(role *Role) ([]*Backend, error)
- func (g *AccessProxy) Load(dir string) error
- func (g *AccessProxy) ReloadConfig() error
- func (g *AccessProxy) Setup(backends []*Backend) error
- type AuthProxyHTTP
- type AuthorizationEngine
- func (a *AuthorizationEngine) GetAllRoles() []*Role
- func (a *AuthorizationEngine) GetRPCPermission(name string) (*RPCPermission, bool)
- func (a *AuthorizationEngine) GetRole(name string) (*Role, error)
- func (a *AuthorizationEngine) Load(dir string) error
- func (a *AuthorizationEngine) ReloadConfig() error
- func (a *AuthorizationEngine) Setup(roles []*Role, rpcPermissions []*RPCPermission) error
- type Backend
- type Binding
- type Certificate
- type CertificateAuthority
- type CertificateAuthorityLocal
- type CertificateAuthorityVault
- type Config
- type Credential
- type Dashboard
- type Datastore
- type DatastoreEtcd
- type DatastoreMySQL
- type Duration
- type HTTPBackend
- type HTTPBackendSelector
- type IdentityProvider
- type Location
- type Logger
- type Permission
- type RPCPermission
- type RPCServer
- type Role
- type Session
- type SocketBackend
- type Template
Constants ¶
View Source
const (
EmbedEtcdUrlFilename = "embed_etcd_url"
)
Variables ¶
View Source
var SystemRPCPermission = &RPCPermission{ Name: "system:proxy", Allow: []string{ "proxy.rpc.certificateauthority.watchrevokedcert", "proxy.rpc.certificateauthority.newservercert", "proxy.rpc.certificateauthority.getrevokedlist", "proxy.rpc.cluster.defragmentdatastore", "proxy.rpc.authority.signrequest", "proxy.rpc.authority.getpublickey", }, }
View Source
var SystemRole = &Role{ Name: "system:proxy", Bindings: []*Binding{ {RPC: "system:proxy"}, }, System: true, }
Functions ¶
This section is empty.
Types ¶
type AccessProxy ¶
type AccessProxy struct {
ProxyFile string `json:"proxy_file,omitempty"`
HTTP *AuthProxyHTTP `json:"http,omitempty"`
RPCServer string `json:"rpc_server,omitempty"`
Credential *Credential `json:"credential,omitempty"`
Backends []*Backend `json:"-"`
AuthEndpoint string `json:"-"`
TokenEndpoint string `json:"-"`
ServerNameHost string `json:"-"`
// contains filtered or unexported fields
}
func (*AccessProxy) GetAllBackends ¶
func (g *AccessProxy) GetAllBackends() []*Backend
func (*AccessProxy) GetBackend ¶
func (g *AccessProxy) GetBackend(name string) (*Backend, bool)
func (*AccessProxy) GetBackendByHost ¶
func (g *AccessProxy) GetBackendByHost(host string) (*Backend, bool)
GetBackendByHost is finding Backend by Host header
func (*AccessProxy) GetBackendByHostname ¶
func (g *AccessProxy) GetBackendByHostname(hostname string) (*Backend, bool)
func (*AccessProxy) GetBackendsByRole ¶
func (g *AccessProxy) GetBackendsByRole(role *Role) ([]*Backend, error)
func (*AccessProxy) Load ¶
func (g *AccessProxy) Load(dir string) error
func (*AccessProxy) ReloadConfig ¶ added in v0.11.0
func (g *AccessProxy) ReloadConfig() error
func (*AccessProxy) Setup ¶
func (g *AccessProxy) Setup(backends []*Backend) error
type AuthProxyHTTP ¶
type AuthProxyHTTP struct {
Bind string `json:"bind,omitempty"`
BindHttp string `json:"bind_http,omitempty"`
BindInternalApi string `json:"bind_internal_api,omitempty"`
ServerName string `json:"server_name,omitempty"`
Certificate *Certificate `json:"certificate,omitempty"`
Session *Session `json:"session,omitempty"`
// Deprecated.
ExpectCT bool `json:"expect_ct,omitempty"`
}
type AuthorizationEngine ¶
type AuthorizationEngine struct {
RoleFile string `json:"role_file,omitempty"`
RPCPermissionFile string `json:"rpc_permission_file,omitempty"`
RootUsers []string `json:"root_users,omitempty"`
Roles []*Role `json:"-"`
RPCPermissions []*RPCPermission `json:"-"`
// contains filtered or unexported fields
}
func (*AuthorizationEngine) GetAllRoles ¶
func (a *AuthorizationEngine) GetAllRoles() []*Role
func (*AuthorizationEngine) GetRPCPermission ¶
func (a *AuthorizationEngine) GetRPCPermission(name string) (*RPCPermission, bool)
func (*AuthorizationEngine) GetRole ¶
func (a *AuthorizationEngine) GetRole(name string) (*Role, error)
func (*AuthorizationEngine) Load ¶
func (a *AuthorizationEngine) Load(dir string) error
func (*AuthorizationEngine) ReloadConfig ¶ added in v0.11.0
func (a *AuthorizationEngine) ReloadConfig() error
func (*AuthorizationEngine) Setup ¶
func (a *AuthorizationEngine) Setup(roles []*Role, rpcPermissions []*RPCPermission) error
type Backend ¶
type Backend struct {
Name string `json:"name"` // Name is an identifier
Description string `json:"description,omitempty"`
FQDN string `json:"fqdn,omitempty"`
HTTP []*HTTPBackend `json:"http,omitempty"`
Permissions []*Permission `json:"permissions"`
AllowRootUser bool `json:"allow_root_user,omitempty"`
DisableAuthn bool `json:"disable_authn,omitempty"`
// MaxSessionDuration is a maximum duration before session expire for specify backend.
// When MaxSessionDuration is not empty, OIDC authentication is required even if the user submits a client certificate.
MaxSessionDuration *Duration `json:"max_session_duration,omitempty"`
AllowHttp bool `json:"allow_http,omitempty"`
Socket *SocketBackend `json:"socket,omitempty"`
BackendSelector *HTTPBackendSelector `json:"-"`
Host string `json:"-"`
// contains filtered or unexported fields
}
type Certificate ¶
type Certificate struct {
CertFile string `json:"cert_file"`
KeyFile string `json:"key_file"`
// contains filtered or unexported fields
}
func (*Certificate) GetCertificate ¶
func (c *Certificate) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error)
func (*Certificate) Load ¶
func (c *Certificate) Load(dir string) error
func (*Certificate) ReloadCertificate ¶ added in v0.11.0
func (c *Certificate) ReloadCertificate() error
type CertificateAuthority ¶
type CertificateAuthority struct {
Local *CertificateAuthorityLocal `json:"local,omitempty"`
Vault *CertificateAuthorityVault `json:"vault,omitempty"`
CertPool *x509.CertPool `json:"-"`
Certificate *x509.Certificate `json:"-"`
}
func (*CertificateAuthority) Load ¶
func (ca *CertificateAuthority) Load(dir string) error
type CertificateAuthorityLocal ¶
type CertificateAuthorityLocal struct {
CertFile string `json:"cert_file"`
KeyFile string `json:"key_file"`
Organization string `json:"organization"`
OrganizationUnit string `json:"organization_unit"`
Country string `json:"country"`
Subject pkix.Name `json:"-"`
PrivateKey crypto.PrivateKey `json:"-"`
}
type CertificateAuthorityVault ¶ added in v0.12.0
type Config ¶
type Config struct {
AccessProxy *AccessProxy `json:"access_proxy,omitempty"`
AuthorizationEngine *AuthorizationEngine `json:"authorization_engine,omitempty"`
RPCServer *RPCServer `json:"rpc_server,omitempty"`
Dashboard *Dashboard `json:"dashboard,omitempty"`
IdentityProvider *IdentityProvider `json:"identity_provider,omitempty"`
Datastore *Datastore `json:"datastore,omitempty"`
CertificateAuthority *CertificateAuthority `json:"certificate_authority,omitempty"`
Logger *Logger `json:"logger,omitempty"`
}
type Credential ¶
type Credential struct {
SigningPrivateKeyFile string `json:"signing_private_key_file,omitempty"`
InternalTokenFile string `json:"internal_token_file,omitempty"`
GithubWebHookSecretFile string `json:"github_webhook_secret_file,omitempty"`
SigningPrivateKey *ecdsa.PrivateKey `json:"-"`
SigningPublicKey ecdsa.PublicKey `json:"-"`
InternalToken string `json:"-"`
GithubWebhookSecret []byte `json:"-"`
}
func (*Credential) Load ¶
func (c *Credential) Load(dir string) error
type Dashboard ¶
type Datastore ¶
type Datastore struct {
*DatastoreEtcd `json:"etcd,omitempty"`
*DatastoreMySQL `json:"mysql,omitempty"`
}
func (*Datastore) GetEtcdClient ¶
type DatastoreEtcd ¶
type DatastoreEtcd struct {
RawUrl string `json:"url"`
DataDir string `json:"data_dir,omitempty"` // use only embed etcd
Namespace string `json:"namespace,omitempty"` // use only etcd
CACertFile string `json:"ca_cert_file,omitempty"`
CertFile string `json:"cert_file,omitempty"`
KeyFile string `json:"key_file,omitempty"`
Url *url.URL `json:"-"`
Embed bool `json:"-"`
EtcdUrl *url.URL `json:"-"`
Certificate tls.Certificate `json:"-"`
CertPool *x509.CertPool `json:"-"`
// contains filtered or unexported fields
}
type DatastoreMySQL ¶
type HTTPBackend ¶ added in v0.11.0
type HTTPBackendSelector ¶ added in v0.11.0
type HTTPBackendSelector struct {
// contains filtered or unexported fields
}
func NewHTTPBackendSelector ¶ added in v0.11.0
func NewHTTPBackendSelector() *HTTPBackendSelector
func (*HTTPBackendSelector) Add ¶ added in v0.11.0
func (s *HTTPBackendSelector) Add(b *HTTPBackend)
func (*HTTPBackendSelector) Find ¶ added in v0.11.0
func (s *HTTPBackendSelector) Find(path string) *HTTPBackend
type IdentityProvider ¶
type IdentityProvider struct {
Provider string `json:"provider"` // "google", "okta", "azure" or "custom"
Issuer string `json:"issuer,omitempty"` // for "custom"
ClientId string `json:"client_id"`
ClientSecretFile string `json:"client_secret_file"`
ExtraScopes []string `json:"extra_scopes,omitempty"`
Domain string `json:"domain,omitempty"` // for Okta and AzureAD
RedirectUrl string `json:"redirect_url"`
ClientSecret string `json:"-"`
}
func (*IdentityProvider) Load ¶
func (idp *IdentityProvider) Load(dir string) error
type Location ¶
type Location struct {
Any string `json:"any,omitempty"`
Get string `json:"get,omitempty"`
Post string `json:"post,omitempty"`
Put string `json:"put,omitempty"`
Delete string `json:"delete,omitempty"`
Head string `json:"head,omitempty"`
Connect string `json:"connect,omitempty"`
Options string `json:"options,omitempty"`
Trace string `json:"trace,omitempty"`
Patch string `json:"patch,omitempty"`
}
type Logger ¶
type Permission ¶
type RPCPermission ¶
type Session ¶
type SocketBackend ¶ added in v0.11.0
Source Files
Click to show internal directories.
Click to hide internal directories.