package authenticate

import "istio.io/istio/security/pkg/server/ca/authenticate"

Index ¶

• Constants
• type AuthSource
• type Authenticator
• type Caller
• type ClientCertAuthenticator
• func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*Caller, error)
• func (cca *ClientCertAuthenticator) AuthenticatorType() string
• type JwtAuthenticator
• func NewJwtAuthenticator(iss string, trustDomain, audience string) (*JwtAuthenticator, error)
• func (j *JwtAuthenticator) Authenticate(ctx context.Context) (*Caller, error)
• func (j JwtAuthenticator) AuthenticatorType() string
• type JwtPayload
• type KubeJWTAuthenticator
• func NewKubeJWTAuthenticator(client kubernetes.Interface, clusterID string, remoteKubeClientGetter RemoteKubeClientGetter, trustDomain, jwtPolicy string) *KubeJWTAuthenticator
• func (a *KubeJWTAuthenticator) Authenticate(ctx context.Context) (*Caller, error)
• func (a *KubeJWTAuthenticator) AuthenticatorType() string
• func (a *KubeJWTAuthenticator) GetKubeClient(clusterID string) kubernetes.Interface
• type RemoteKubeClientGetter

Package Files ¶

cert_authenticator.go kube_jwt.go model.go oidc.go

Constants ¶

const (
    ClientCertAuthenticatorType = "ClientCertAuthenticator"
)

const (
    IDTokenAuthenticatorType = "IDTokenAuthenticator"
)

const (
    KubeJWTAuthenticatorType = "KubeJWTAuthenticator"
)

type AuthSource ¶ Uses

type AuthSource int

AuthSource represents where authentication result is derived from.

const (
    AuthSourceClientCertificate AuthSource = iota
    AuthSourceIDToken
)

type Authenticator ¶ Uses

type Authenticator interface {
    Authenticate(ctx context.Context) (*Caller, error)
    AuthenticatorType() string
}

type Caller ¶ Uses

type Caller struct {
    AuthSource AuthSource
    Identities []string
}

Caller carries the identity and authentication source of a caller.

type ClientCertAuthenticator ¶ Uses

type ClientCertAuthenticator struct{}

ClientCertAuthenticator extracts identities from client certificate.

func (*ClientCertAuthenticator) Authenticate ¶ Uses

func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*Caller, error)

Authenticate extracts identities from presented client certificates. This method assumes that certificate chain has been properly validated before this method is called. In other words, this method does not do certificate chain validation itself.

func (*ClientCertAuthenticator) AuthenticatorType ¶ Uses

func (cca *ClientCertAuthenticator) AuthenticatorType() string

type JwtAuthenticator ¶ Uses

type JwtAuthenticator struct {
    // contains filtered or unexported fields
}

func NewJwtAuthenticator ¶ Uses

func NewJwtAuthenticator(iss string, trustDomain, audience string) (*JwtAuthenticator, error)

newJwtAuthenticator is used when running istiod outside of a cluster, to validate the tokens using OIDC K8S is created with --service-account-issuer, service-account-signing-key-file and service-account-api-audiences which enable OIDC.

func (*JwtAuthenticator) Authenticate ¶ Uses

func (j *JwtAuthenticator) Authenticate(ctx context.Context) (*Caller, error)

Authenticate - based on the old OIDC authenticator for mesh expansion.

func (JwtAuthenticator) AuthenticatorType ¶ Uses

func (j JwtAuthenticator) AuthenticatorType() string

type JwtPayload ¶ Uses

type JwtPayload struct {
    // Aud is the expected audience, defaults to istio-ca - but is based on istiod.yaml configuration.
    // If set to a different value - use the value defined by istiod.yaml. Env variable can
    // still override
    Aud []string `json:"aud"`

    // Exp is not currently used - we don't use the token for authn, just to determine k8s settings
    Exp int `json:"exp"`

    // Issuer - configured by K8S admin for projected tokens. Will be used to verify all tokens.
    Iss string `json:"iss"`

    Sub string `json:"sub"`
}

type KubeJWTAuthenticator ¶ Uses

type KubeJWTAuthenticator struct {
    // contains filtered or unexported fields
}

KubeJWTAuthenticator authenticates K8s JWTs.

func NewKubeJWTAuthenticator ¶ Uses

func NewKubeJWTAuthenticator(client kubernetes.Interface, clusterID string,
    remoteKubeClientGetter RemoteKubeClientGetter,
    trustDomain, jwtPolicy string) *KubeJWTAuthenticator

NewKubeJWTAuthenticator creates a new kubeJWTAuthenticator.

func (*KubeJWTAuthenticator) Authenticate ¶ Uses

func (a *KubeJWTAuthenticator) Authenticate(ctx context.Context) (*Caller, error)

Authenticate authenticates the call using the K8s JWT from the context. The returned Caller.Identities is in SPIFFE format.

func (*KubeJWTAuthenticator) AuthenticatorType ¶ Uses

func (a *KubeJWTAuthenticator) AuthenticatorType() string

func (*KubeJWTAuthenticator) GetKubeClient ¶ Uses

func (a *KubeJWTAuthenticator) GetKubeClient(clusterID string) kubernetes.Interface

type RemoteKubeClientGetter ¶ Uses

type RemoteKubeClientGetter func(clusterID string) kubernetes.Interface