Documentation
¶
Index ¶
Constants ¶
const NoOverride = model.MTLSUnknown
NoOverride is an alias for MTLSUnknown to more clearly convey intent for InboundMTLSSettings
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type MTLSSettings ¶
type MTLSSettings struct {
// Port is the port this option applies for
Port uint32
// Mode is the mTLS mode to use
Mode model.MutualTLSMode
// TCP describes the tls context to use for TCP filter chains
TCP *tlsv3.DownstreamTlsContext
// HTTP describes the tls context to use for HTTP filter chains
HTTP *tlsv3.DownstreamTlsContext
}
MTLSSettings describes the mTLS options for a filter chain
type MergedPeerAuthentication ¶
type MergedPeerAuthentication struct {
// Mode is the overall mode of policy. May be overridden by PerPort
Mode model.MutualTLSMode
// PerPort is the per-port policy
PerPort map[uint32]model.MutualTLSMode
}
func ComposePeerAuthentication ¶
func ComposePeerAuthentication(rootNamespace string, configs []*config.Config) MergedPeerAuthentication
ComposePeerAuthentication returns the effective PeerAuthentication given the list of applicable configs. This list should contains at most 1 mesh-level and 1 namespace-level configs. Workload-level configs should not be in root namespace (this should be guaranteed by the caller, though they will be safely ignored in this function). If the input config list is empty, returns a default policy set to a PERMISSIVE. If there is at least one applicable config, returns should not be nil, and is a combined policy based on following rules: - It should have the setting from the most narrow scope (i.e workload-level is preferred over namespace-level, which is preferred over mesh-level). - When there are more than one policy in the same scope (i.e workload-level), the oldest one win. - UNSET will be replaced with the setting from the parent. I.e UNSET port-level config will be replaced with config from workload-level, UNSET in workload-level config will be replaced with one in namespace-level and so on.
type MtlsPolicy ¶
type MtlsPolicy interface {
// GetMutualTLSModeForPort gets the mTLS mode for the given port. If there is no port level setting, it
// returns the inherited namespace/mesh level setting.
GetMutualTLSModeForPort(endpointPort uint32) model.MutualTLSMode
}
func NewMtlsPolicy ¶
func NewMtlsPolicy(push *model.PushContext, namespace string, labels labels.Instance, isWaypoint bool) MtlsPolicy
NewMtlsPolicy returns a checker used to detect proxy mtls mode.
type PolicyApplier ¶
type PolicyApplier interface {
// InboundMTLSSettings returns inbound mTLS settings for a given workload port
InboundMTLSSettings(endpointPort uint32, node *model.Proxy, trustDomainAliases []string, modeOverride model.MutualTLSMode) MTLSSettings
// JwtFilter returns the JWT HTTP filter to enforce the underlying authentication policy.
// It may return nil, if no JWT validation is needed.
JwtFilter(useExtendedJwt, clearRouteCache bool) *hcm.HttpFilter
// AuthNFilter returns the (authn) HTTP filter to enforce the underlying authentication policy.
// It may return nil, if no authentication is needed.
AuthNFilter(forSidecar bool) *hcm.HttpFilter
// PortLevelSetting returns port level mTLS settings.
PortLevelSetting() map[uint32]model.MutualTLSMode
MtlsPolicy
}
PolicyApplier is the interface provides essential functionalities to help config Envoy (xDS) to enforce authentication policy. Each version of authentication policy will implement this interface.
func NewPolicyApplier ¶
func NewPolicyApplier(push *model.PushContext, proxy *model.Proxy, svc *model.Service) PolicyApplier
NewPolicyApplier returns the appropriate (policy) applier, depends on the versions of the policy exists for the given service innstance.
Source Files
Directories