func StartCargoWall ¶
func StartCargoWall(cmd *StartCmd, hooks *StartHooks) error
type CIMode ¶
// CIMode names the active CI preset. It is derived from which preset flag
// (--github-action / --gitlab-ci) was passed; when both are passed the GitHub
// preset takes precedence (see StartCmd.AfterApply). The mode selects the log
// labels and which auto-allow defaults are applied.
type CIMode string
CIMode is the active CI integration mode, derived from which preset flag was passed. Drives log labels and which auto-allow defaults are applied.
type CLI ¶
// CLI is the root kong command tree: the shared Globals plus one field per
// subcommand (start, summary, wait-ready, stop). The `cmd:""` tag marks each
// field as a subcommand; `name:"wait-ready"` overrides the derived name.
type CLI struct {
Globals
Start StartCmd `cmd:"" help:"Start the Cargowall eBPF firewall"`
Summary SummaryCmd `cmd:"" help:"Generate audit summary correlating events with GitHub Actions steps"`
WaitReady WaitReadyCmd `cmd:"" name:"wait-ready" help:"Block until the cargowall ready sentinel appears"`
Stop StopCmd `cmd:"" help:"Send SIGTERM to a backgrounded cargowall process and wait for it to exit"`
}
type ExecuteFn ¶
// ExecuteFn is the signature of the start entry point. StartCargoWall has this
// shape and StartCmd.Execute holds one. NOTE(review): presumably a seam so
// tests or main can substitute the entry point — confirm against the caller.
type ExecuteFn func(cmd *StartCmd, hooks *StartHooks) error
type GitHubActionsHandler ¶
// GitHubActionsHandler is a slog.Handler that renders records as GitHub
// Actions workflow commands (::debug::, ::notice::, ::warning::, ::error::)
// so they surface as annotations in the job log.
//
// NOTE(review): GitHub parses these commands from the job's stdout, so a
// newline or a leading "::" inside a message or attribute value could start a
// new command — and values such as hostnames observed in DNS traffic may be
// attacker-chosen. Confirm the handler applies GitHub's command-data escaping
// (%, \r, \n) to message text and attribute values; that is not visible here.
type GitHubActionsHandler struct {
// contains filtered or unexported fields
}
GitHubActionsHandler is a slog.Handler that formats logs for GitHub Actions. It emits GitHub's workflow commands so that records appear as annotations: `::debug::message`, `::notice::message`, `::warning::message` and `::error::message`.
func NewGitHubActionsHandler ¶
func NewGitHubActionsHandler(debug bool) *GitHubActionsHandler
NewGitHubActionsHandler creates a new GitHub Actions compatible log handler.
type GitHubStep ¶
// GitHubStep is one step of a job as returned by the GitHub API. The
// StartedAt/CompletedAt window is what the summary uses to attribute audit
// events to a step.
type GitHubStep struct {
Name string `json:"name"`
Number int `json:"number"`
StartedAt time.Time `json:"started_at"`
CompletedAt time.Time `json:"completed_at"`
}
GitHubStep represents a step from the GitHub API; its started/completed timestamps are the window the summary uses to attribute audit events to that step.
type Globals ¶
// Globals holds the flags shared by every subcommand.
type Globals struct {
// Version prints version information and quits; presumably implemented by
// VersionFlag.BeforeApply, whose body is not shown here.
Version VersionFlag `name:"version" help:"Print version information and quit"`
// Debug enables debug mode. NewGitHubActionsHandler takes a debug bool,
// presumably fed from this flag — confirm in main.
Debug bool `name:"debug" help:"Enable debug mode"`
}
type StartCmd ¶
// StartCmd holds the flags and injected dependencies for `cargowall start`.
// Fields tagged `kong:"-"` are never parsed from the command line; main wires
// them in. Every other field is a flag, most of which also bind to a
// CARGOWALL_* environment variable.
//
// NOTE(review): several enforcement knobs (AuditMode, SudoLockdown, ApiUrl)
// are env-settable. On GitHub Actions anything that can append to $GITHUB_ENV
// in an earlier step can therefore influence them, so the step that runs
// `cargowall start` should precede any untrusted build step.
type StartCmd struct {
Execute ExecuteFn `kong:"-"`
Logger *slog.Logger `kong:"-"`
LoggerShutdown func(context.Context) error `kong:"-"`
Version string `kong:"-"` // Version passed from main
Hooks *StartHooks `kong:"-"`
// Configuration
Config string `help:"Path to configuration file" default:"/etc/cargowall/config.json" env:"CARGOWALL_CONFIG"`
Interface string `help:"Network interface to attach to (auto-detect if empty)" env:"CARGOWALL_INTERFACE"`
// Token is also read from CODECARGO_AUTH_TOKEN. Prefer the env var in CI:
// a token passed as --token is visible in process listings and in any
// echoed command line.
Token string `help:"codecargo token" env:"CODECARGO_AUTH_TOKEN"`
// ApiUrl is where the enforced policy is fetched from, so whoever controls
// this value (flag or CARGOWALL_API_URL) controls the policy.
// NOTE(review): whether the scheme is restricted to https is not visible
// in this listing — confirm.
ApiUrl string `help:"CodeCargo API URL to fetch policy from" name:"api-url" env:"CARGOWALL_API_URL"`
JobKey string `help:"CI job key for job-level policy resolution" name:"job-key" env:"CARGOWALL_JOB_KEY"`
// Runtime options
DisableDNSTracking bool `help:"Disable DNS tracking and hostname resolution" default:"false"`
// DNSUpstream is mandatory (required:""); there is no built-in default.
DNSUpstream string `help:"Upstream DNS server to forward queries to" required:"" env:"CARGOWALL_DNS_UPSTREAM"`
// CI presets — bundles the orthogonal flags below with sensible defaults
// for the named CI environment.
GithubAction bool `` /* 226-byte string literal not displayed */
GitlabCI bool `` /* 234-byte string literal not displayed */
// Orthogonal CI plumbing flags — usable on any CI system (or standalone).
// Each is also implied by a CI preset above.
DNSRedirectIptables bool `` /* 167-byte string literal not displayed */
DockerDNSInterception bool `` /* 193-byte string literal not displayed */
DNSQueryFiltering bool `` /* 128-byte string literal not displayed */
PrepopulateDNSCache bool `` /* 163-byte string literal not displayed */
// AutoAllowCloudMetadata: help text elided in this listing. NOTE(review):
// judging by the name this opens the instance metadata endpoint, which is a
// credential source on runners with an instance role — confirm it is only
// enabled where the job genuinely needs it.
AutoAllowCloudMetadata bool `` /* 193-byte string literal not displayed */
AutoAllowGitHubHosts bool `` /* 178-byte string literal not displayed */
AutoAllowGitlabHosts bool `` /* 169-byte string literal not displayed */
// Sudo lockdown (CI security hardening)
// SudoLockdown is opt-in (default false). Per its help text it exists to
// stop a job that has sudo from bypassing the firewall, so without it the
// enforcement is only as strong as the job's own restraint.
SudoLockdown bool `help:"Enable sudo lockdown to prevent firewall bypass" default:"false" env:"CARGOWALL_SUDO_LOCKDOWN"`
SudoAllowCommands string `` /* 174-byte string literal not displayed */
// Audit mode and logging
// AuditMode logs connections without blocking them: a policy violation in
// this mode is observed, not prevented.
AuditMode bool `help:"Monitor and log connections without blocking (audit only)" default:"false" env:"CARGOWALL_AUDIT_MODE"`
AuditLog string `help:"Path to write JSON audit log for step correlation" env:"CARGOWALL_AUDIT_LOG"`
// Pre-existing connection handling
AllowExistingConnections bool `` /* 157-byte string literal not displayed */
// Pidfile pairs with the `cargowall stop` subcommand. Backgrounding is
// delegated to the shell (`cargowall start --pidfile X &`) — true Unix
// daemonization isn't worth the Go runtime complexity for CI use.
Pidfile string `help:"Write the cargowall process pid to this file (used with 'cargowall stop')" default:"" env:"CARGOWALL_PIDFILE"`
// ReadyFile path is shared with `cargowall wait-ready` via the same
// default and env var, so the two subcommands always agree.
// NOTE(review): the default lives in /tmp, which is typically shared and
// world-writable. On a multi-tenant runner a pre-existing or
// attacker-created file at that path would satisfy `wait-ready` before the
// firewall is attached; prefer a runner-private directory via
// CARGOWALL_READY_FILE, and confirm start removes any stale sentinel first.
ReadyFile string `help:"Path to write the readiness sentinel file" default:"/tmp/cargowall-ready" env:"CARGOWALL_READY_FILE"`
}
func (*StartCmd) AfterApply ¶
AfterApply expands the active CI preset into the orthogonal flags it implies. `--github-action` and `--gitlab-ci` are conveniences that turn on the underlying plumbing flags so users don't have to enumerate each one. The presets are intended to be mutually exclusive, but passing both is not rejected — if both are set, CIMode()'s precedence rule (GitHub wins) is the single source of truth.
type StartHooks ¶
type StepEvents ¶
// StepEvents pairs a GitHub step with the audit events attributed to it.
type StepEvents struct {
Step GitHubStep
Events []events.AuditEvent
}
StepEvents groups audit events by the GitHub step they were attributed to.
type StopCmd ¶
// StopCmd holds the flags for `cargowall stop`.
//
// NOTE(review): the target pid is read from a file, so that file's integrity
// is the trust boundary — if another user can write the pidfile, stop will
// SIGTERM whatever pid they put there (within the caller's own kill
// permissions). Confirm the implementation checks the pidfile's owner/mode,
// or that CARGOWALL_PIDFILE points into a directory only the runner can write.
type StopCmd struct {
Pidfile string `help:"Path to the pidfile written by 'cargowall start --pidfile X'" required:"" env:"CARGOWALL_PIDFILE"`
// Timeout bounds the wait after SIGTERM; what happens on expiry (error vs
// SIGKILL) is not visible in this listing.
Timeout time.Duration `help:"How long to wait for the process to exit after SIGTERM" default:"15s"`
Remove bool `help:"Remove the pidfile after a successful stop" default:"true"`
}
StopCmd reads a pidfile written by `cargowall start --pidfile X`, sends SIGTERM to that process, and waits for it to exit (so subsequent CI teardown steps can rely on iptables/Docker DNS having been restored).
type SummaryCmd ¶
// SummaryCmd holds the flags for `cargowall summary`. AuditLog and Steps are
// required; the API push group is optional and skipped when ApiUrl is empty.
//
// NOTE(review): Token is an OIDC bearer token taken from the command line.
// Unlike StartCmd.Token it carries no env: tag in this listing, so it can only
// be supplied as --token, which exposes it in process listings and any echoed
// command line. Consider adding an env binding to match StartCmd.
type SummaryCmd struct {
AuditLog string `help:"Path to audit log JSON file" required:""`
Steps string `help:"JSON array of step timing from GitHub API" required:""`
// API push flags (optional — skip API push if api-url is not set)
ApiUrl string `help:"CodeCargo API URL for pushing results" name:"api-url"`
Token string `help:"OIDC bearer token for API authentication"`
JobName string `help:"GitHub Actions job name" name:"job-name"`
JobKey string `help:"GitHub Actions job key (github.job)" name:"job-key"`
Mode string `help:"CargoWall mode (enforce/audit)"`
DefaultAction string `help:"Default action type (allow/deny)" name:"default-action"`
JobRunId uint64 `help:"GitHub Actions job run ID" name:"job-run-id"`
JobStatus string `help:"GitHub Actions job status (success/failure/canceled/cancelled/timed_out)" name:"job-status"`
// contains filtered or unexported fields
}
SummaryCmd generates a markdown summary correlating audit events with GitHub Actions steps, and optionally pushes the result to the CodeCargo API when api-url is set.
func (*SummaryCmd) Run ¶
func (c *SummaryCmd) Run() error
type VersionFlag ¶
// VersionFlag is the type behind the --version flag. IsBool lets kong treat
// it as a boolean switch and Decode parses it; BeforeApply is presumably where
// the version is printed before quitting — confirm, its body is not shown.
type VersionFlag string
func (VersionFlag) BeforeApply ¶
func (VersionFlag) Decode ¶
func (v VersionFlag) Decode(ctx *kong.DecodeContext) error
func (VersionFlag) IsBool ¶
func (v VersionFlag) IsBool() bool
type WaitReadyCmd ¶
// WaitReadyCmd holds the flags for `cargowall wait-ready`. ReadyFile shares
// its default and env var with StartCmd.ReadyFile so the two agree.
//
// NOTE(review): readiness is inferred from the sentinel's existence, which
// does not prove this cargowall wrote it. A stale file from a previous job at
// the default /tmp path would make the wait return immediately — confirm
// start removes any pre-existing sentinel before attaching, or point
// CARGOWALL_READY_FILE at a per-job directory.
type WaitReadyCmd struct {
ReadyFile string `help:"Path to the ready sentinel file" default:"/tmp/cargowall-ready" env:"CARGOWALL_READY_FILE"`
Timeout time.Duration `help:"How long to wait before giving up" default:"30s"`
Interval time.Duration `help:"Polling interval" default:"100ms"`
}
WaitReadyCmd blocks until cargowall writes its ready sentinel, or until the timeout elapses. Used by shell-driven CI scripts to gate the build step on the firewall being attached and the policy loaded.
func (*WaitReadyCmd) Run ¶
func (c *WaitReadyCmd) Run() error