docs: client ssl auth filter (#308)

Signed-off-by: Matt Klein <mklein@lyft.com>
pull/249/merge
Matt Klein 8 years ago committed by htuch
parent 35d1afb69b
commit 2f7459baf7
  1. 1
      api/BUILD
  2. 29
      api/filter/network/client_ssl_auth.proto
  3. 1
      docs/build.sh
  4. 47
      docs/root/api-v1/network_filters/client_ssl_auth_filter.rst
  5. 45
      docs/root/configuration/network_filters/client_ssl_auth_filter.rst
  6. 6
      docs/root/intro/version_history.rst

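--- a/api/BUILD
+++ b/api/BUILD
@@ -153,6 +153,7 @@ proto_library(
 "//api/filter/http:lua",
 "//api/filter/http:router",
 "//api/filter/http:transcoder",
+"//api/filter/network:client_ssl_auth",
 "//api/filter/network:http_connection_manager",
 "//api/filter/network:mongo_proxy",
 "//api/filter/network:redis_proxy",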

@ -5,24 +5,29 @@ package envoy.api.v2.filter.network;
import "api/address.proto"; import "api/address.proto";
import "google/protobuf/duration.proto"; import "google/protobuf/duration.proto";
// Envoy provides a network filter that performs TLS client authentication import "validate/validate.proto";
// via principals fetched from a REST VPN service. This filter matches the
// presented client certificate hash against the principal list to // [#protodoc-title: Client TLS authentication]
// determine whether the connection should be allowed or not. Optional IP // Client TLS authentication
// white listing can also be configured. This functionality can be used to // :ref:`configuration overview <config_network_filters_client_ssl_auth>`.
// build edge proxy VPN support for web infrastructure.
message ClientSSLAuth { message ClientSSLAuth {
// The cluster manager cluster that runs the authentication service. The // The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs
// filter will connect to the service every 60s to fetch the list of // the authentication service. The filter will connect to the service every 60s to fetch the list
// principals. The service must support the expected REST API. // of principals. The service must support the expected :ref:`REST API
string auth_api_cluster = 1; // <config_network_filters_client_ssl_auth_rest_api>`.
// The prefix to use when emitting statistics. string auth_api_cluster = 1 [(validate.rules).string.min_bytes = 1];
string stat_prefix = 2;
// The prefix to use when emitting :ref:`statistics
// <config_network_filters_client_ssl_auth_stats>`.
string stat_prefix = 2 [(validate.rules).string.min_bytes = 1];
// Time in milliseconds between principal refreshes from the // Time in milliseconds between principal refreshes from the
// authentication service. Default is 60000 (60s). The actual fetch time // authentication service. Default is 60000 (60s). The actual fetch time
// will be this value plus a random jittered value between // will be this value plus a random jittered value between
// 0-refresh_delay_ms milliseconds. // 0-refresh_delay_ms milliseconds.
google.protobuf.Duration refresh_delay = 3; google.protobuf.Duration refresh_delay = 3;
// An optional list of IP address and subnet masks that should be white // An optional list of IP address and subnet masks that should be white
// listed for access by the filter. If no list is provided, there is no // listed for access by the filter. If no list is provided, there is no
// IP white list. // IP white list.
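Review bot: The doc comment on `refresh_delay` (still `Time in milliseconds ... Default is 60000 (60s) ... between 0-refresh_delay_ms milliseconds`) describes the v1 integer field, but the v2 field declared on the next line is a `google.protobuf.Duration`, so the units and the `refresh_delay_ms` name are wrong for what protodoc will render from this hunk. Suggest `// Time between principal refreshes from the authentication service. Default is 60s. The actual` followed by `// fetch time will be this value plus a random jittered value between 0-refresh_delay.`. Separately, the configuration page touched in this commit links to `envoy_api_msg_filter.network.ClientSslAuth` while the message here is declared `ClientSSLAuth`; unless protodoc case-normalizes its labels, that cross-reference will not resolve. The body of `ClientSSLAuth` continues past the end of the hunk.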

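--- a/docs/build.sh
+++ b/docs/build.sh
@@ -44,6 +44,7 @@ PROTO_RST="
 /api/filter/http/lua/api/filter/http/lua.proto.rst
 /api/filter/http/router/api/filter/http/router.proto.rst
 /api/filter/http/transcoder/api/filter/http/transcoder.proto.rst
+/api/filter/network/client_ssl_auth/api/filter/network/client_ssl_auth.proto.rst
 /api/filter/network/http_connection_manager/api/filter/network/http_connection_manager.proto.rst
 /api/filter/network/mongo_proxy/api/filter/network/mongo_proxy.proto.rst
 /api/filter/network/redis_proxy/api/filter/network/redis_proxy.proto.rst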

@ -0,0 +1,47 @@
.. _config_network_filters_client_ssl_auth_v1:
Client TLS authentication
=========================
Client TLS authentication :ref:`configuration overview <config_network_filters_client_ssl_auth>`.
.. code-block:: json
{
"name": "client_ssl_auth",
"config": {
"auth_api_cluster": "...",
"stat_prefix": "...",
"refresh_delay_ms": "...",
"ip_white_list": []
}
}
auth_api_cluster
*(required, string)* The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs
the authentication service. The filter will connect to the service every 60s to fetch the list
of principals. The service must support the expected :ref:`REST API
<config_network_filters_client_ssl_auth_rest_api>`.
stat_prefix
*(required, string)* The prefix to use when emitting :ref:`statistics
<config_network_filters_client_ssl_auth_stats>`.
refresh_delay_ms
*(optional, integer)* Time in milliseconds between principal refreshes from the authentication
service. Default is 60000 (60s). The actual fetch time will be this value plus a random jittered
value between 0-refresh_delay_ms milliseconds.
ip_white_list
*(optional, array)* An optional list of IP address and subnet masks that should be white listed
for access by the filter. If no list is provided, there is no IP white list. The list is
specified as in the following example:
.. code-block:: json
[
"192.168.3.0/24",
"50.1.2.3/32",
"10.15.0.0/16",
"2001:abcd::/64"
]

@ -3,48 +3,9 @@
Client TLS authentication Client TLS authentication
========================= =========================
Client TLS authentication filter :ref:`architecture overview <arch_overview_ssl_auth_filter>`. * Client TLS authentication filter :ref:`architecture overview <arch_overview_ssl_auth_filter>`
* :ref:`v1 API reference <config_network_filters_client_ssl_auth_v1>`
.. code-block:: json * :ref:`v2 API reference <envoy_api_msg_filter.network.ClientSslAuth>`
{
"name": "client_ssl_auth",
"config": {
"auth_api_cluster": "...",
"stat_prefix": "...",
"refresh_delay_ms": "...",
"ip_white_list": []
}
}
auth_api_cluster
*(required, string)* The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs
the authentication service. The filter will connect to the service every 60s to fetch the list
of principals. The service must support the expected :ref:`REST API
<config_network_filters_client_ssl_auth_rest_api>`.
stat_prefix
*(required, string)* The prefix to use when emitting :ref:`statistics
<config_network_filters_client_ssl_auth_stats>`.
refresh_delay_ms
*(optional, integer)* Time in milliseconds between principal refreshes from the authentication
service. Default is 60000 (60s). The actual fetch time will be this value plus a random jittered
value between 0-refresh_delay_ms milliseconds.
ip_white_list
*(optional, array)* An optional list of IP address and subnet masks that should be white listed
for access by the filter. If no list is provided, there is no IP white list. The list is
specified as in the following example:
.. code-block:: json
[
"192.168.3.0/24",
"50.1.2.3/32",
"10.15.0.0/16",
"2001:abcd::/64"
]
.. _config_network_filters_client_ssl_auth_stats: .. _config_network_filters_client_ssl_auth_stats:

@ -10,7 +10,7 @@ Version history
* admin: added basic :ref:`Prometheus output <operations_admin_interface_stats>` for stats admin * admin: added basic :ref:`Prometheus output <operations_admin_interface_stats>` for stats admin
endpoint. Histograms are not currently output. endpoint. Histograms are not currently output.
* config: the :ref:`v2 API <config_overview_v2>` is now considered production ready. * config: the :ref:`v2 API <config_overview_v2>` is now considered production ready.
* config: added ::option:`--v2-config-only` CLI flag. * config: added :option:`--v2-config-only` CLI flag.
* cors: added :ref:`CORS filter <config_http_filters_cors>`. * cors: added :ref:`CORS filter <config_http_filters_cors>`.
* health check: added :ref:`x-envoy-immediate-health-check-fail * health check: added :ref:`x-envoy-immediate-health-check-fail
<config_http_filters_router_x-envoy-immediate-health-check-fail>` header support. <config_http_filters_router_x-envoy-immediate-health-check-fail>` header support.
@ -22,7 +22,7 @@ Version history
<envoy_api_msg_Cluster.RingHashLbConfig>`. This used to be configurable via runtime. The runtime <envoy_api_msg_Cluster.RingHashLbConfig>`. This used to be configurable via runtime. The runtime
configuration was deleted without deprecation as we are fairly certain no one is using it. configuration was deleted without deprecation as we are fairly certain no one is using it.
* log: added the ability to optionally log to a file instead of stderr via the * log: added the ability to optionally log to a file instead of stderr via the
::option:`--log-path` option. :option:`--log-path` option.
* listeners: added :ref:`drain_type <envoy_api_field_Listener.drain_type>` option. * listeners: added :ref:`drain_type <envoy_api_field_Listener.drain_type>` option.
* lua: added experimental :ref:`Lua filter <config_http_filters_lua>`. * lua: added experimental :ref:`Lua filter <config_http_filters_lua>`.
* mongo filter: added :ref:`fault injection <config_network_filters_mongo_proxy_fault_injection>`. * mongo filter: added :ref:`fault injection <config_network_filters_mongo_proxy_fault_injection>`.
@ -50,7 +50,7 @@ Version history
* runtime: added :ref:`comment capability <config_runtime_comments>`. * runtime: added :ref:`comment capability <config_runtime_comments>`.
* server: change default ::`-l` to info level. * server: change default ::`-l` to info level.
* stats: maximum stat/name sizes and maximum number of stats are now variable via the * stats: maximum stat/name sizes and maximum number of stats are now variable via the
::option:`--max-obj-name-len` and ::option:`--max-stats` options. :option:`--max-obj-name-len` and :option:`--max-stats` options.
* tcp proxy: added :ref:`access logging <envoy_api_field_filter.network.TcpProxy.access_log>`. * tcp proxy: added :ref:`access logging <envoy_api_field_filter.network.TcpProxy.access_log>`.
* tcp proxy: added :ref:`configurable connect retries * tcp proxy: added :ref:`configurable connect retries
<envoy_api_field_filter.network.TcpProxy.max_connect_attempts>`. <envoy_api_field_filter.network.TcpProxy.max_connect_attempts>`.
