jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-05-28 14:47:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

support xds auth (#117)

Browse Source
This commit is contained in:
澄潭
2023-01-04 17:52:07 +08:00
committed by GitHub
parent 79c894373c
commit 4a69d9e605
4 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
go.mod
View File

@@ -70,6 +70,7 @@ require (
github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect github.com/cncf/xds/go v0.0.0-20220520190051-1e77728a1eaa // indirect
github.com/containerd/continuity v0.1.0 // indirect github.com/containerd/continuity v0.1.0 // indirect
github.com/coreos/go-oidc/v3 v3.1.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect
github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
github.com/docker/cli v20.10.7+incompatible // indirect github.com/docker/cli v20.10.7+incompatible // indirect

1
go.sum
View File

@@ -354,6 +354,7 @@ github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmeka
github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw=
github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo= github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=

5
helm/higress/templates/controller-clusterrole.yaml
View File

@@ -45,3 +45,8 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["services"] resources: ["services"]
verbs: ["get", "watch", "list", "update", "patch", "create", "delete"] verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
# Used to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]

18
pkg/bootstrap/server.go
View File

@@ -25,6 +25,7 @@ import (
"google.golang.org/grpc/reflection" "google.golang.org/grpc/reflection"
"istio.io/api/mesh/v1alpha1" "istio.io/api/mesh/v1alpha1"
configaggregate "istio.io/istio/pilot/pkg/config/aggregate" configaggregate "istio.io/istio/pilot/pkg/config/aggregate"
"istio.io/istio/pilot/pkg/features"
istiogrpc "istio.io/istio/pilot/pkg/grpc" istiogrpc "istio.io/istio/pilot/pkg/grpc"
"istio.io/istio/pilot/pkg/model" "istio.io/istio/pilot/pkg/model"
"istio.io/istio/pilot/pkg/server" "istio.io/istio/pilot/pkg/server"
@@ -37,6 +38,9 @@ import (
"istio.io/istio/pkg/config/schema/gvk" "istio.io/istio/pkg/config/schema/gvk"
"istio.io/istio/pkg/keepalive" "istio.io/istio/pkg/keepalive"
istiokube "istio.io/istio/pkg/kube" istiokube "istio.io/istio/pkg/kube"
"istio.io/istio/pkg/security"
"istio.io/istio/security/pkg/server/ca/authenticate"
"istio.io/istio/security/pkg/server/ca/authenticate/kubeauth"
"istio.io/pkg/env" "istio.io/pkg/env"
"istio.io/pkg/ledger" "istio.io/pkg/ledger"
"istio.io/pkg/log" "istio.io/pkg/log"
@@ -149,6 +153,7 @@ func NewServer(args *ServerArgs) (*Server, error) {
s.initHttpServer, s.initHttpServer,
s.initConfigController, s.initConfigController,
s.initRegistryEventHandlers, s.initRegistryEventHandlers,
s.initAuthenticators,
} }
for _, f := range initFuncList { for _, f := range initFuncList {
@@ -156,6 +161,7 @@ func NewServer(args *ServerArgs) (*Server, error) {
return nil, err return nil, err
} }
} }
s.server.RunComponent(func(stop <-chan struct{}) error { s.server.RunComponent(func(stop <-chan struct{}) error {
s.kubeClient.RunAndWait(stop) s.kubeClient.RunAndWait(stop)
return nil return nil
@@ -332,6 +338,18 @@ func (s *Server) initGrpcServer() error {
return nil return nil
} }
func (s *Server) initAuthenticators() error {
authenticators := []security.Authenticator{
&authenticate.ClientCertAuthenticator{},
}
authenticators = append(authenticators,
kubeauth.NewKubeJWTAuthenticator(s.environment.Watcher, s.kubeClient, s.RegistryOptions.KubeOptions.ClusterID, nil, features.JwtPolicy))
if features.XDSAuth {
s.xdsServer.Authenticators = authenticators
}
return nil
}
func (s *Server) initKubeClient() error { func (s *Server) initKubeClient() error {
if s.kubeClient != nil { if s.kubeClient != nil {
// Already initialized by startup arguments // Already initialized by startup arguments