The Guard is a HTTP Server that responds to requests on http://localhost:8000/auth and authenticates the header Authorization: Bearer JWT
against the configured ISSUER, AUDIENCE and authorizes the request agains a comma separated list of subjects.
This application is designed to use with Forward Auth, specifically for ingress-nginx, enable with this annotation:
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: "http://oauth-guard.monitor.svc.cluster.local:8000/auth"
ISSUER
- Required. A issuer to verify JWT against. Must support the${ISSUER}.well-known/openid-configuration
endpoint.AUDIENCE
- Required. The configured Audience in the token.SUBJECTS
- Required. Comma seperated list of subjects that are authorized.LOG_LEVEL
- Defaults to info.LOG_PRETTY
- Defaults to json. Output is ANSI colored text instead of json.
You need Go installed. Linting is done by golangci-lint
Go modules are used for dependency management. See link for information how to add, upgrade and remove dependencies. E.g. To update radix-operator
dependency:
- list versions:
go list -m -versions github.com/coreos/go-oidc/v3
- update:
go get github.com/coreos/go-oidc/v3@v3.10.0
The following env vars are needed. Useful default values in brackets.
LOG_PRETTY=True ISSUER=https://issuer-url/ AUDIENCE=some-audience SUBJECTS=default,kubernetes,somename go run .
- run
make lint
We follow the semantic version as recommended by go.
-
tag
in git repository (inmain
branch):Run following command to set
tag
(with corresponding version)git tag v1.0.0 git push origin v1.0.0
TODO
Radix API makes use of GitHub Actions for build checking in every pull request to the main
branch. Refer to the configuration file of the workflow for more details.
Read our contributing guidelines