
projectcontour / contour-authserver

Licence: Apache-2.0 License
An Envoy-compatible authorization server.

contour-authserver

contour-authserver implements the Envoy external authorization (ext_authz) gRPC protocol, both the v2 and the v3 API. It can be used for testing Envoy external authorization. contour-authserver has three authorization backends, each selected by a subcommand: testserver, htpasswd and oidc.

testserver

Usage:

Run a testing authentication server

Usage:
  contour-authserver testserver [OPTIONS]

Flags:
      --address string         The address the authentication endpoint binds to. (default ":9090")
  -h, --help                   help for testserver
      --tls-ca-path string     Path to the TLS CA certificate bundle.
      --tls-cert-path string   Path to the TLS server certificate.
      --tls-key-path string    Path to the TLS server key.

testserver will authorize any request whose path contains the string "allow", and will reject every other request with a 401 status code. It performs no credential check at all, so it is only suitable for verifying that the Envoy-to-authserver wiring works.

htpasswd

Usage:

Run a htpasswd basic authentication server

Usage:
  contour-authserver htpasswd [OPTIONS]

Flags:
      --address string             The address the authentication endpoint binds to. (default ":9090")
      --auth-realm string          Basic authentication realm. (default "default")
  -h, --help                       help for htpasswd
      --metrics-address string     The address the metrics endpoint binds to. (default ":8080")
      --selector string            Selector (label-query) to filter Secrets, supports '=', '==', and '!='.
      --tls-ca-path string         Path to the TLS CA certificate bundle.
      --tls-cert-path string       Path to the TLS server certificate.
      --tls-key-path string        Path to the TLS server key.
      --watch-namespaces strings   The list of namespaces to watch for Secrets.

htpasswd Secrets

The htpasswd backend implements HTTP basic authentication against a set of Secrets that contain htpasswd formatted data. The htpasswd data must be stored in the auth key, which is compatible with ingress-nginx auth-file Secrets.

The htpasswd backend only accesses Secrets that are annotated with projectcontour.io/auth-type: basic.

Secrets that are annotated with projectcontour.io/auth-realm are only used if the annotation value matches the value of the --auth-realm flag. The annotation projectcontour.io/auth-realm: * explicitly marks a Secret as being valid for all realms, which is equivalent to omitting the annotation.

When it authenticates a request, the htpasswd backend injects the Auth-Username and Auth-Realm headers, which contain the authenticated user name and the basic authentication realm respectively.

The --watch-namespaces flag specifies the namespaces in which the htpasswd backend discovers Secrets. If this flag is empty, Secrets from all namespaces are used, so in a multi-tenant cluster you should set it (and ideally --selector as well) so that an htpasswd Secret created in an unrelated namespace cannot grant access.

The --selector flag accepts a label selector that can be used to further restrict which Secrets the htpasswd backend will consume.

oidc

Usage:

Run an OIDC authentication server

Usage:
  contour-authserver oidc [OPTIONS]

Flags:
      --config string              Path to config file ( yaml format )
  -h, --help                   help for oidc
      --tls-ca-path string         Path to the TLS CA certificate bundle.
      --tls-cert-path string       Path to the TLS server certificate.
      --tls-key-path string        Path to the TLS server key.

OIDC configuration is read from the YAML file passed with --config, which is typically mounted from a ConfigMap. Please see DexIDP for more detail. The issuerURL placeholder below uses http: only for illustration; use https: for any non-local deployment, since the provider's discovery document and tokens are fetched from that URL.

## The following entries are the variables accepted by the Contour OIDC module.
## server address and port 
address: ":9443"

## OIDC issuer URL 
issuerURL: "http://<path to your SSO server>"

## App redirect path ( usually point back to app url)
redirectURL: "https://<path to your applications>"
redirectPath: "/callback"
allowEmptyClientSecret: false
scopes:
- openid
- profile
- email
- offline_access
usernameClaim: "nickname"
emailClaim: ""
serveTLS: false
clientID: "<your client id>"
clientSecret: "<your client secret>"

Request Headers

Both authorization backends emit the Auth-Handler header, which publishes the name of the backend that approved or rejected the authorization.

The authorization context is also reflected into HTTP headers prefixed with Auth-Context-. Note that this can generate malformed HTTP headers. The testserver backend always creates the context headers, but the htpasswd backend only does so for authenticated requests (i.e. the origin server gets them but the client never does).
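As an added example (not code from the contour-authserver project), the following Go program models the htpasswd backend's behaviour as described above: Secret discovery filtered by the auth-type and auth-realm annotations, --watch-namespaces and --selector, lookup of the user in the Secret's auth key, and injection of the Auth-Handler, Auth-Username and Auth-Realm headers. The Secret type, the sampleSecrets fixture and the WWW-Authenticate challenge on denial are assumptions of this example; only the {SHA} htpasswd entry form is verified, because bcrypt and apr1 entries need packages outside the standard library.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// Decision is a backend-neutral view of an ext_authz CheckResponse.
type Decision struct {
	Allowed bool
	Status  int         // status returned to the client when denied
	Headers http.Header // headers the backend asks Envoy to inject
}

// Secret is the part of a Kubernetes Secret the backend inspects (constructed for this example).
type Secret struct {
	Namespace           string
	Labels, Annotations map[string]string
	Data                map[string][]byte
}

// secretSelected applies the discovery rules: auth-type must be "basic", an auth-realm
// annotation must equal the configured realm or "*", the namespace must be watched (empty
// list = all), and every selector label must match (only key=value equality is modelled).
func secretSelected(s Secret, realm string, watchNS []string, selector map[string]string) bool {
	if s.Annotations["projectcontour.io/auth-type"] != "basic" {
		return false
	}
	if r, ok := s.Annotations["projectcontour.io/auth-realm"]; ok && r != "*" && r != realm {
		return false
	}
	selected := len(watchNS) == 0
	for _, ns := range watchNS {
		selected = selected || ns == s.Namespace
	}
	for k, v := range selector {
		selected = selected && s.Labels[k] == v
	}
	return selected
}

// verifyEntry checks an htpasswd "{SHA}" entry (base64 of the raw SHA-1 of the password)
// in constant time. bcrypt and apr1 entries are rejected here; they need non-stdlib packages.
func verifyEntry(hash, password string) bool {
	want, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(hash, "{SHA}"))
	sum := sha1.Sum([]byte(password))
	return strings.HasPrefix(hash, "{SHA}") && err == nil && subtle.ConstantTimeCompare(sum[:], want) == 1
}

// htpasswdCheck decodes the Basic credentials, looks the user up in the "auth" key of every
// selected Secret and, on success, injects Auth-Username and Auth-Realm. Denials carry the
// WWW-Authenticate challenge RFC 7617 requires (an assumption; the page does not list it).
func htpasswdCheck(authz, realm string, secrets []Secret, watchNS []string, selector map[string]string) Decision {
	deny := Decision{Status: http.StatusUnauthorized, Headers: http.Header{"Auth-Handler": {"htpasswd"}}}
	deny.Headers.Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", realm))
	if !strings.HasPrefix(authz, "Basic ") {
		return deny
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authz, "Basic "))
	user, pass, ok := strings.Cut(string(raw), ":")
	if err != nil || !ok {
		return deny
	}
	for _, s := range secrets {
		if !secretSelected(s, realm, watchNS, selector) {
			continue
		}
		for _, line := range strings.Split(string(s.Data["auth"]), "\n") {
			name, hash, found := strings.Cut(strings.TrimSpace(line), ":")
			if found && name == user && verifyEntry(hash, pass) {
				return Decision{Allowed: true, Status: http.StatusOK, Headers: http.Header{
					"Auth-Handler": {"htpasswd"}, "Auth-Username": {user}, "Auth-Realm": {realm}}}
			}
		}
	}
	return deny // unknown user, bad password and realm mismatch are indistinguishable to the client
}

// sampleSecrets is a constructed fixture: alice is valid for every realm, bob only for
// realm "admin"; both entries are {SHA} of the string "password".
func sampleSecrets() []Secret {
	const pw = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
	basic := map[string]string{"projectcontour.io/auth-type": "basic"}
	admin := map[string]string{"projectcontour.io/auth-type": "basic", "projectcontour.io/auth-realm": "admin"}
	return []Secret{
		{Namespace: "web", Labels: map[string]string{"app": "shop"}, Annotations: basic, Data: map[string][]byte{"auth": []byte("alice:" + pw + "\n")}},
		{Namespace: "web", Annotations: admin, Data: map[string][]byte{"auth": []byte("bob:" + pw + "\n")}},
	}
}

func main() {
	creds := "Basic " + base64.StdEncoding.EncodeToString([]byte("alice:password"))
	d := htpasswdCheck(creds, "default", sampleSecrets(), nil, nil)
	fmt.Println(d.Allowed, d.Status, d.Headers.Get("Auth-Username")) // true 200 alice
}
```

Two points worth noticing: the realm filter means the same credentials can succeed against one authserver instance and fail against another run with a different --auth-realm, and every failure path returns the identical 401 so a client cannot probe which users or Secrets exist.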

Deploying contour-authserver

The recommended way to deploy contour-authserver is to use the Kustomize deployment YAML. This will deploy services for the testserver, htpasswd and oidc backends. For developer deployments, Skaffold seems to work reasonably well.

There are no versioned releases or container images yet.

Releasing contour-authserver

Maintainers who need to release a new version of contour-authserver can follow these steps:

# Ensure that you have a Github token either in $GITHUB_TOKEN or in ~/.config/goreleaser/github_token.
# Ensure that goreleaser is installed.

# Tag the release.
$ ./hack/make-release-tag.sh $OLDVERS $NEWVERS

# Push the release tag to Github.
$ git push origin $NEWVERS

# Build and release binaries and Docker images.
$ make release

# Log in with the Contour build account to push the images.
$ docker login -u projectcontourbuilder
$ docker push projectcontour/contour-authserver:$NEWVERS
$ docker push projectcontour/contour-authserver:latest

# Log out of the Contour build account.
$ docker logout