Documentation
Overview
Package gatekeeper provides a standalone credential-injecting TLS proxy.
Credentials are pre-configured in gatekeeper.yaml and injected for all proxied requests matching the host. Access control is via network policy (who can reach the proxy) and an optional static auth token.
For per-caller credential isolation (run registration, token-scoped credentials), use the daemon package, which provides a management API over a Unix socket.
Constants
This section is empty.
Variables
This section is empty.
Functions
func ResolveSource
func ResolveSource(cfg SourceConfig) (credentialsource.CredentialSource, error)
ResolveSource creates a CredentialSource from a SourceConfig. Returns an error if the config contains fields not relevant to the selected type.
Types
type Config
type Config struct {
	Proxy       ProxyConfig        `yaml:"proxy"`
	TLS         TLSConfig          `yaml:"tls"`
	Credentials []CredentialConfig `yaml:"credentials"`
	Network     NetworkConfig      `yaml:"network"`
	Log         LogConfig          `yaml:"log"`
}
Config represents a Gate Keeper configuration file.
func LoadConfig
LoadConfig reads and parses a Gate Keeper config from a file path.
func ParseConfig
ParseConfig parses a Gate Keeper config from YAML bytes.
type CredentialConfig
type CredentialConfig struct {
	Host   string       `yaml:"host"`             // Target host (e.g., "api.github.com")
	Header string       `yaml:"header,omitempty"` // Header name (default: "Authorization")
	Prefix string       `yaml:"prefix,omitempty"` // Auth scheme prefix (e.g., "Bearer", "token"); auto-detected if omitted
	Source SourceConfig `yaml:"source"`
	Grant  string       `yaml:"grant,omitempty"`  // Optional label for logging
}
CredentialConfig describes a credential to resolve and inject. Host specifies which requests receive the credential. Header names the HTTP header to set (defaults to "Authorization"). Grant is an optional label used for logging.
When the header is "Authorization", the proxy needs a full header value including the auth scheme (e.g., "Bearer token123"). If the source value is a bare token without a scheme prefix, the gatekeeper auto-detects the correct scheme from known token prefixes (GitHub ghp_/gho_/etc.) or defaults to "Bearer". Set Prefix to override the auto-detected scheme.
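The injection rule just described, as an added example rather than code from the gatekeeper package: it matches the request host, applies the Authorization default, passes through values that already carry a scheme, honours an explicit Prefix and otherwise auto-detects. Assumed, since the page does not state them: GitHub ghp_/gho_ tokens map to the "token" scheme, a space in the value marks an existing scheme, and CredentialConfig here is a local stand-in whose Value is the already-resolved credential.

```go
package main

import (
	"net/http"
	"strings"
)

// CredentialConfig is a local stand-in (hypothetical); Value is the resolved credential.
type CredentialConfig struct {
	Host, Header, Prefix, Value string
}

// Assumption: the page names GitHub ghp_/gho_ prefixes but not their scheme;
// "token" is assumed here. Anything unrecognised falls back to "Bearer".
var knownSchemes = map[string]string{"ghp_": "token", "gho_": "token"}

// HeaderValue returns the header name and value the proxy would inject.
func HeaderValue(c CredentialConfig) (name, value string) {
	name = c.Header
	if name == "" {
		name = "Authorization" // documented default
	}
	// Only Authorization needs "<scheme> <token>"; a value containing a space is taken to carry its scheme.
	if !strings.EqualFold(name, "Authorization") || strings.Contains(c.Value, " ") {
		return name, c.Value
	}
	scheme := c.Prefix // explicit Prefix overrides auto-detection
	if scheme == "" {
		scheme = "Bearer"
		for p, s := range knownSchemes {
			if strings.HasPrefix(c.Value, p) {
				scheme = s
			}
		}
	}
	return name, scheme + " " + c.Value
}

// Inject sets the credential header on req only when its host matches a
// configured entry, so a credential is never sent to a different host.
func Inject(req *http.Request, creds []CredentialConfig) bool {
	for _, c := range creds {
		if strings.EqualFold(req.Host, c.Host) {
			req.Header.Set(HeaderValue(c))
			return true
		}
	}
	return false
}
```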
type LogConfig
type LogConfig struct {
	Level  string `yaml:"level"`  // Log level (e.g., "debug", "info", "warn", "error")
	Format string `yaml:"format"` // Output format ("json" or "text")
	Output string `yaml:"output"` // Destination ("stderr", "stdout", or a file path; default: stderr)
}
LogConfig configures logging.
type NetworkConfig
NetworkConfig configures network policy.
type ProxyConfig
type ProxyConfig struct {
	Port      int    `yaml:"port"`
	Host      string `yaml:"host"`
	AuthToken string `yaml:"auth_token,omitempty"` // Optional token clients must provide via Proxy-Authorization
}
ProxyConfig configures the proxy listener.
type Server
type Server struct {
	// contains filtered or unexported fields
}
Server is the Gate Keeper server. It manages a TLS-intercepting proxy with statically configured credentials.
func New
New creates a new Gate Keeper server from the given configuration. The context is used for credential fetching (e.g., AWS Secrets Manager) and can be used to cancel startup if the process receives a signal.
func (*Server) ProxyAddr
ProxyAddr returns the proxy listener's actual address (host:port). Returns an empty string if the proxy has not started.
type SourceConfig
type SourceConfig struct {
	Type   string `yaml:"type"`             // "env", "static", "aws-secretsmanager"
	Var    string `yaml:"var,omitempty"`    // for env source
	Value  string `yaml:"value,omitempty"`  // for static source
	Secret string `yaml:"secret,omitempty"` // for aws-secretsmanager
	Region string `yaml:"region,omitempty"` // for aws-secretsmanager
}
SourceConfig describes where to read a credential value from.