Documentation
Overview

Package config defines all the configuration parameters. It reads configuration from environment variables and command-line arguments.
Index
- Variables
- type CopperArgosMode
- type DerivedCertSubject
- type DerivedK8sSecretBackup
- type DerivedRoleCert
- type DerivedServiceCert
- type DerivedTargetDomainRoles
- type DerivedTokenFile
- type DerivedTokenServer
- type DomainRole
- type HeaderTokenMode
- type IdentityConfig
- type LocalCertMode
- type RestAPIMode
- type TLS
- type TokenFileConfig
- type X509File
Constants

This section is empty.

Variables

var (
	// TODO: deprecate: ATHENZ_SIA_DEFAULT_COUNTRY, ATHENZ_SIA_DEFAULT_PROVINCE, ATHENZ_SIA_DEFAULT_ORGANIZATION, ATHENZ_SIA_DEFAULT_ORGANIZATIONAL_UNIT
	// TODO: add DEFAULT_SUBJECT='OU=Athenz' after the deprecation

	// default values for X.509 certificate signing request
	DEFAULT_COUNTRY             string
	DEFAULT_PROVINCE            string
	DEFAULT_ORGANIZATION        string
	DEFAULT_ORGANIZATIONAL_UNIT = "Athenz"

	// default values for role tokens and access tokens
	DEFAULT_TOKEN_REFRESH        = 30 * time.Minute
	DEFAULT_TOKEN_EXPIRY_RAW     = "0"
	DEFAULT_TOKEN_EXPIRY         = time.Duration(0)
	DEFAULT_TOKEN_SERVER_TIMEOUT = 3 * time.Second

	// DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES may be overwritten with go build option (e.g. "-X identity.DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES=5")
	DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES_RAW = "5"
	DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES     = 5

	DEFAULT_ENDPOINT                        string
	DEFAULT_ROLE_AUTH_HEADER                = "Athenz-Role-Auth"
	DEFAULT_DNS_SUFFIX                      = "athenz.cloud"
	DEFAULT_ROLE_CERT_FILENAME_DELIMITER    = ":role."
	DEFAULT_ACCESS_TOKEN_FILENAME_DELIMITER = ":role."
	DEFAULT_ROLE_TOKEN_FILENAME_DELIMITER   = ":role."
	DEFAULT_INTERMEDIATE_CERT_BUNDLE        string

	// default values for graceful shutdown
	DEFAULT_SHUTDOWN_TIMEOUT = 5 * time.Second
	DEFAULT_SHUTDOWN_DELAY   = time.Duration(0)

	// default maximum elapsed time on initialization
	DEFAULT_MAX_ELAPSED_TIME_ON_INIT = 1 * time.Minute
)

var (
	// VERSION is a constant storing the SIA version, provided by the build argument in go build
	VERSION string
	// BUILD_DATE is a constant storing the SIA build date, provided by the build argument in go build
	BUILD_DATE string
	// APP_NAME is a constant storing the binary name, provided by the command line
	APP_NAME = filepath.Base(os.Args[0])
	// USER_AGENT is a constant storing the User-Agent header value, computed on package loading
	USER_AGENT = fmt.Sprintf("%s/%s", APP_NAME, VERSION)
)
var ErrHelp = flag.ErrHelp
var ErrVersion = errors.New("flag: version requested")
Functions

This section is empty.

Types
type CopperArgosMode (added in v3.3.0)

type CopperArgosMode struct {
	Use               bool
	Provider          string        // provider service name
	Sans              []string
	Subject           *pkix.Name    // subject field for instance certificate
	Cert              X509File      // X509File for cert, if needed
	Key               X509File      // X509File for key, if needed
	GetKeyPath        func() string // function to get the key path, if needed
	AthenzDomainName  string
	AthenzServiceName string
}
type DerivedCertSubject (added in v3.5.0)

type DerivedCertSubject struct {
	// contains filtered or unexported fields
}
type DerivedK8sSecretBackup (added in v3.3.0)

type DerivedK8sSecretBackup struct {
	Use      bool
	UseRead  bool
	UseWrite bool
	Secret   string // Secret name that your service cert is stored in
	// Ns string // Namespace that your Secret is stored in
	Raw string // Raw string of the backup config: "", "read", "write", "read,write"; used for logging only
}
type DerivedRoleCert (added in v3.3.0)

type DerivedRoleCert struct {
	Use               bool         // whether fetching role certificates is enabled (de facto standard)
	TargetDomainRoles []DomainRole // domain roles to fetch role certificates for
	Format            string       // format for role certificate file output (e.g. /var/run/athenz/rolecerts/{{domain}}:role.{{role}}.cert.pem)
	// format for role certificate key file output (e.g. /var/run/athenz/rolecerts/{{domain}}:role.{{role}}.key.pem)
	// empty "" means the separate key file output feature is disabled.
	KeyFormat string
	Delimiter string     // delimiter separating domain and role name in the file name
	Subject   *pkix.Name // subject field for role certificate
}
type DerivedServiceCert (added in v3.3.0)

type DerivedServiceCert struct {
	CopperArgos CopperArgosMode
	LocalCert   LocalCertMode // Use 3rd party provided service cert instead of CopperArgos
}
type DerivedTargetDomainRoles (added in v3.3.0)

type DerivedTargetDomainRoles struct {
	// contains filtered or unexported fields
}
type DerivedTokenFile (added in v3.3.0)

type DerivedTokenFile struct {
	AccessToken TokenFileConfig
	RoleToken   TokenFileConfig
}
type DerivedTokenServer (added in v3.3.0)

type DerivedTokenServer struct {
	Use             bool            // whether to use the token server
	HeaderToken     HeaderTokenMode // header token mode configuration
	RestAPI         RestAPIMode     // rest api mode configuration
	Addr            string          // token server address
	ShutdownDelay   time.Duration   // Shutdown delay for gracefully shutting down the Token Server
	ShutdownTimeout time.Duration   // Shutdown timeout for gracefully shutting down the Token Server
	ServerTimeout   time.Duration   // Timeout for receiving a request from a tenant and sending a response
	TLS             TLS             // TLS configuration for token server
}
type DomainRole

func (DomainRole) String

func (dr DomainRole) String() string
type HeaderTokenMode (added in v3.3.0)

HeaderTokenMode is a mode that exchanges information such as domain and role tokens with tenants by attaching them to the request and response headers. TODO: Consider whether there is a better name for the struct.
type IdentityConfig

type IdentityConfig struct {
	Init                   bool
	Endpoint               string
	DNSSuffix              string
	Refresh                time.Duration
	DelayJitterSeconds     int64
	CaCertFile             string
	IntermediateCertBundle string
	Namespace              string
	ServiceAccount         string
	SaTokenFile            string
	PodIP                  net.IP
	PodUID                 string
	PodName                string
	Reloader               *util.CertReloader
	ServerCACert           string
	K8sSecretBackup        DerivedK8sSecretBackup
	// ServiceCerts Derived State and its related fields:
	ServiceCert DerivedServiceCert
	// RoleCerts Derived State and its related fields:
	RoleCert DerivedRoleCert
	// Token Cache Derived State and its related fields:
	TokenTargetDomainRoles []DomainRole // TODO: Will be migrated into DerivedTargetDomainRoles
	TokenFile              DerivedTokenFile
	// Token Server Derived State and its related fields:
	TokenServer         DerivedTokenServer
	TokenRefresh        time.Duration
	TokenExpiry         time.Duration
	TokenType           string
	MetricsServerAddr   string
	HealthCheckAddr     string
	HealthCheckEndpoint string
	DeleteInstanceID    bool
	LogDir              string
	LogLevel            string
	// contains filtered or unexported fields
}

IdentityConfig holds the configuration read from the command-line arguments.
func DefaultIdentityConfig

func DefaultIdentityConfig() *IdentityConfig

func LoadConfig

func LoadConfig(program string, args []string) (*IdentityConfig, error)
LoadConfig reads from ENV and args, and then returns an IdentityConfig object (precedence: args > ENV > default).
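The args > ENV > default precedence that LoadConfig documents, as an added example that is not the project's own code: a trimmed loader with a hypothetical two-field Config standing in for IdentityConfig and an injected getenv (an assumption, not the SIA signature), which also rejects a malformed duration instead of silently falling back and returns the page's ErrVersion and flag.ErrHelp sentinels.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"time"
)

// ErrVersion mirrors the page's sentinel; DefaultTokenRefresh its DEFAULT_TOKEN_REFRESH.
var ErrVersion = errors.New("flag: version requested")
const DefaultTokenRefresh = 30 * time.Minute

type Config struct { // hypothetical trimmed stand-in for IdentityConfig
	Endpoint     string
	TokenRefresh time.Duration
}

// loadConfig resolves args > ENV > default. getenv is injected (an assumption,
// not the SIA signature) so tests can supply an environment without os.Setenv.
func loadConfig(program string, args []string, getenv func(string) string) (*Config, error) {
	cfg := &Config{TokenRefresh: DefaultTokenRefresh}
	// ENV layer overrides the defaults; a malformed duration is rejected, not ignored.
	if v := getenv("ENDPOINT"); v != "" {
		cfg.Endpoint = v
	}
	if v := getenv("TOKEN_REFRESH"); v != "" {
		d, err := time.ParseDuration(v)
		if err != nil {
			return nil, fmt.Errorf("invalid TOKEN_REFRESH %q: %w", v, err)
		}
		cfg.TokenRefresh = d
	}
	// Args layer: flag defaults are seeded from the ENV-resolved values, so an
	// omitted flag keeps the ENV value while a passed flag wins over it.
	fs := flag.NewFlagSet(program, flag.ContinueOnError)
	fs.StringVar(&cfg.Endpoint, "endpoint", cfg.Endpoint, "ZTS endpoint")
	fs.DurationVar(&cfg.TokenRefresh, "token-refresh", cfg.TokenRefresh, "token refresh interval")
	version := fs.Bool("version", false, "print version and exit")
	if err := fs.Parse(args); err != nil {
		return nil, err // -h/-help surfaces here as flag.ErrHelp (the page's ErrHelp)
	}
	if *version {
		return nil, ErrVersion
	}
	return cfg, nil
}

func main() { fmt.Println(loadConfig(os.Args[0], os.Args[1:], os.Getenv)) }
```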
type LocalCertMode (added in v3.3.0)

type RestAPIMode (added in v3.3.0)

type RestAPIMode struct {
	Use bool
}

RestAPIMode is a mode that exchanges information such as domain and role tokens with tenants by attaching it to the POST request and response body.

type TLS (added in v3.3.0)

TLS is a struct that summarizes the configuration details for enabling TLS communication between tenants and SIA.