istio: istio.io/istio/security/pkg/server/ca/authenticate Index | Files | Directories

package authenticate

import "istio.io/istio/security/pkg/server/ca/authenticate"

Index

Package Files

cert_authenticator.go common.go oidc.go

Constants

const (
    ClientCertAuthenticatorType = "ClientCertAuthenticator"
)
const (
    IDTokenAuthenticatorType = "IDTokenAuthenticator"
)
const (
    // IdentityTemplate is the SPIFFE format template of the identity.
    IdentityTemplate = "spiffe://%s/ns/%s/sa/%s"
)

type ClientCertAuthenticator Uses

type ClientCertAuthenticator struct{}

ClientCertAuthenticator extracts identities from client certificate.

func (*ClientCertAuthenticator) Authenticate Uses

func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*security.Caller, error)

Authenticate extracts identities from presented client certificates. This method assumes that certificate chain has been properly validated before this method is called. In other words, this method does not do certificate chain validation itself.

func (*ClientCertAuthenticator) AuthenticatorType Uses

func (cca *ClientCertAuthenticator) AuthenticatorType() string

type JwtAuthenticator Uses

type JwtAuthenticator struct {
    // contains filtered or unexported fields
}

func NewJwtAuthenticator Uses

func NewJwtAuthenticator(jwtRule *v1beta1.JWTRule, trustDomain string) (*JwtAuthenticator, error)

newJwtAuthenticator is used when running istiod outside of a cluster, to validate the tokens using OIDC K8S is created with --service-account-issuer, service-account-signing-key-file and service-account-api-audiences which enable OIDC.

func (*JwtAuthenticator) Authenticate Uses

func (j *JwtAuthenticator) Authenticate(ctx context.Context) (*security.Caller, error)

Authenticate - based on the old OIDC authenticator for mesh expansion.

func (JwtAuthenticator) AuthenticatorType Uses

func (j JwtAuthenticator) AuthenticatorType() string

type JwtPayload Uses

type JwtPayload struct {
    // Aud is the expected audience, defaults to istio-ca - but is based on istiod.yaml configuration.
    // If set to a different value - use the value defined by istiod.yaml. Env variable can
    // still override
    Aud []string `json:"aud"`

    // Exp is not currently used - we don't use the token for authn, just to determine k8s settings
    Exp int `json:"exp"`

    // Issuer - configured by K8S admin for projected tokens. Will be used to verify all tokens.
    Iss string `json:"iss"`

    Sub string `json:"sub"`
}

Directories

PathSynopsis
kubeauth

Package authenticate imports 10 packages (graph) and is imported by 5 packages. Updated 2021-01-25. Refresh now. Tools for package owners.