Decoded, not verified
Claim decoding is only routing. Never treat a relay match as authentication or authorization.
Matching happens in two tiers. The routing layer can first narrow which requests reach the relay; the relay then decides which connected developer owns each candidate request.
A feed: list is an optional Istio pre-filter used only by mode: divert:
feed: - path: /api/v2/ - header: x-debug-user - header: x-environment value: devEntries are OR’d:
path is a URI prefix;header without value matches presence;header with value is an exact match.Requests outside the feed go directly to the target and never reach the relay. Requests inside it still need to match a registered client rule.
feed is ignored by mirror, inbound-mirror, and inbound-divert.
The laptop CLI reads .outprobe.yaml, selects the first rule containing a matcher, and registers that rule on every tunnel worker. The relay has no static identity config.
For a top-level claim:
rules: - type: jwt property: "" matchers: - key: email value: you@example.comGiven this token payload:
{ "sub": "user-123", "email": "you@example.com"}outprobe extracts email and compares it exactly with the configured value.
For providers that namespace custom claims, split the namespace and claim name:
rules: - type: jwt property: https://your-org.example.com/ matchers: - key: email value: you@example.comThis selects https://your-org.example.com/email from the decoded claims object.
Use a header when a token claim is unavailable or manual opt-in is preferable:
rules: - type: header matchers: - key: x-debug-user value: denisGo’s HTTP header lookup is case-insensitive. The value comparison is exact.
The config schema is intentionally list-shaped for future expansion, but the current CLI uses:
jwt and header as relay identity types.Identity has no flag or environment override. Put it in .outprobe.yaml; flags and env vars override deployment fields only.
A relay registry can hold clients with different rules at once:
| Developer | Type | Selector | Value |
|---|---|---|---|
| A | jwt |
email |
a@example.com |
| B | jwt |
namespaced sub |
user-b |
| C | header |
x-debug-user |
charlie |
Rules are evaluated in registration order. First registered wins if two rules match the same request. Once a client’s final worker disconnects, its registration is removed.
Decoded, not verified
Claim decoding is only routing. Never treat a relay match as authentication or authorization.
Stable, non-secret values
Prefer a value such as email or subject ID. Do not place bearer tokens or other secrets in the config.
The relay sees candidate traffic
In divert mode the relay sees its feed; in inbound-mirror it sees every inbound copy. Keep it up only while debugging.
Passthrough auth stays intact
The local service receives the original headers, while real-pod passthrough follows the target’s normal mesh and app security path.