Documentation
Index
- Constants
- func CanonicalCAPaths(runtimeConfigDir string) (keyPath, certPath, bundlePath string)
- func EnsureXDSMTLSMaterials(runtimeConfigDir string, insecureAllowed bool) error
- func GetClusterCABundlePath(runtimeConfigDir string) string
- func GetEnvoyXDSClientCertPaths(runtimeConfigDir string) (certPath, keyPath string)
- func GetXDSServerCertPaths(runtimeConfigDir string) (certPath, keyPath string)
- func LoadMinioProxyConfig() (*servicesConfig.MinioProxyConfig, error)
- func SaveMinioProxyConfig(cfg *servicesConfig.MinioProxyConfig) error
- type CertPaths
- func (c *CertPaths) ACMECert(domain string) string
- func (c *CertPaths) ACMEDir(domain string) string
- func (c *CertPaths) ACMEKey(domain string) string
- func (c *CertPaths) BaseDir() string
- func (c *CertPaths) CredsDir() string
- func (c *CertPaths) InternalCABundle() string
- func (c *CertPaths) InternalServerCert() string
- func (c *CertPaths) InternalServerKey() string
- func (c *CertPaths) PKICABundle() string
- func (c *CertPaths) PKICert(serviceName string) string
- func (c *CertPaths) PKIDir() string
- func (c *CertPaths) PKIKey(serviceName string) string
- func (c *CertPaths) TLSConfigDir() string
- type CorsPolicy
- type GatewayConfig
Constants
const (
	MinioContractPathVar = "/var/lib/globular/objectstore/minio.json"
)
Variables
This section is empty.
Functions
func CanonicalCAPaths
func CanonicalCAPaths(runtimeConfigDir string) (keyPath, certPath, bundlePath string)
CanonicalCAPaths returns the CA key, cert, and bundle paths under the canonical PKI root.
func EnsureXDSMTLSMaterials
func EnsureXDSMTLSMaterials(runtimeConfigDir string, insecureAllowed bool) error
EnsureXDSMTLSMaterials verifies that the xDS server/client certificates exist and generates them from the local CA if they are missing. When insecureAllowed is true, the function is a no-op, so no TLS assets are written during explicit plaintext development runs.
func GetClusterCABundlePath
func GetClusterCABundlePath(runtimeConfigDir string) string
GetClusterCABundlePath returns the canonical CA bundle path shared across control plane components.
func GetEnvoyXDSClientCertPaths
func GetEnvoyXDSClientCertPaths(runtimeConfigDir string) (certPath, keyPath string)
GetEnvoyXDSClientCertPaths returns (cert, key) for the Envoy xDS client identity.
func GetXDSServerCertPaths
func GetXDSServerCertPaths(runtimeConfigDir string) (certPath, keyPath string)
GetXDSServerCertPaths returns (cert, key) for the xDS server identity. Paths are stable across rotations and rooted at the canonical PKI directory.
func LoadMinioProxyConfig
func LoadMinioProxyConfig() (*servicesConfig.MinioProxyConfig, error)
LoadMinioProxyConfig locates the MinIO contract, falls back to etcd / env / legacy config, and validates the input.
The on-disk contract at /var/lib/globular/objectstore/minio.json is a convenience written by the installer and the MinIO package pre-start hook; the authoritative source of MinIO connection info is etcd (the cluster config). On nodes where the contract file got corrupted (for example, overwritten with plain-text credentials instead of the JSON shape), the parse error was previously returned directly and bubbled up as a 503 on the admin gateway. A parse failure is now treated the same way as a missing file: log it, then fall through to the etcd and env fallbacks. This mirrors the design principle that etcd is the single source of truth; the file is only a hint.
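The fall-through described above, as an added example that is not the project's own code: a stand-in MinioProxyConfig type (its field is assumed), a hint loader that treats a missing and an unparseable contract file the same way, and a resolver whose etcd and env readers are injected as functions so it runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"log"
	"os"
)

// MinioProxyConfig stands in for servicesConfig.MinioProxyConfig (field name assumed).
type MinioProxyConfig struct {
	Endpoint string `json:"endpoint"`
}

// loadContractHint reads the on-disk contract. A missing or unparseable file is only an
// unusable hint: return (nil, nil) so the caller falls through to etcd and env. Any other read error is still reported.
func loadContractHint(path string) (*MinioProxyConfig, error) {
	data, err := os.ReadFile(path)
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	var cfg MinioProxyConfig
	if err == nil {
		err = json.Unmarshal(data, &cfg)
	}
	if err != nil {
		// Log the error, never the file body: a corrupted contract may hold plain-text credentials.
		log.Printf("minio contract %s unusable, falling back to etcd/env: %v", path, err)
		return nil, nil
	}
	return &cfg, nil
}

// resolveMinioConfig applies the lookup order file hint -> etcd -> env, then validates.
// The etcd and env readers are injected (nil when unavailable) so the example runs offline.
func resolveMinioConfig(path string, fromEtcd, fromEnv func() *MinioProxyConfig) (*MinioProxyConfig, error) {
	cfg, err := loadContractHint(path)
	if err != nil {
		return nil, err
	}
	for _, src := range []func() *MinioProxyConfig{fromEtcd, fromEnv} {
		if cfg == nil && src != nil {
			cfg = src()
		}
	}
	if cfg == nil || cfg.Endpoint == "" {
		return nil, errors.New("minio config: no usable source (file, etcd, env) provided an endpoint")
	}
	return cfg, nil
}
```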
func SaveMinioProxyConfig
func SaveMinioProxyConfig(cfg *servicesConfig.MinioProxyConfig) error
SaveMinioProxyConfig persists the MinIO contract to the canonical location.
Types
type CertPaths
type CertPaths struct {
	// contains filtered or unexported fields
}
CertPaths provides standardized paths for TLS certificates and keys. All certificate locations should be accessed through this provider to keep path construction consistent and centralized.
func NewCertPaths
NewCertPaths creates a CertPaths provider with the given base directory. The base directory is typically /var/lib/globular for production systems.
func (*CertPaths) ACMECert
ACMECert returns the ACME fullchain certificate path for the given domain: /var/lib/globular/config/tls/acme/{domain}/fullchain.pem
func (*CertPaths) ACMEKey
ACMEKey returns the ACME private key path for the given domain: /var/lib/globular/config/tls/acme/{domain}/privkey.pem
func (*CertPaths) BaseDir
BaseDir returns the normalized base directory used for path construction.
func (*CertPaths) InternalCABundle
InternalCABundle returns the internal CA bundle path. INV-PKI-1: use the canonical path /var/lib/globular/pki/ca.pem
func (*CertPaths) InternalServerCert
InternalServerCert returns the internal server certificate path. INV-PKI-1: use the canonical path /var/lib/globular/pki/issued/services/service.crt
func (*CertPaths) InternalServerKey
InternalServerKey returns the internal server private key path. INV-PKI-1: use the canonical path /var/lib/globular/pki/issued/services/service.key
func (*CertPaths) PKICABundle
PKICABundle returns the PKI root CA bundle path: /var/lib/globular/pki/ca.pem
func (*CertPaths) PKICert
PKICert returns a PKI-generated certificate path for the given service: /var/lib/globular/pki/{serviceName}/cert.pem
func (*CertPaths) PKIKey
PKIKey returns a PKI-generated private key path for the given service: /var/lib/globular/pki/{serviceName}/key.pem
func (*CertPaths) TLSConfigDir
TLSConfigDir returns the TLS config directory under the base directory (/config/tls, i.e. /var/lib/globular/config/tls with the default base).
type CorsPolicy
type CorsPolicy struct {
	Enabled             bool     `json:"enabled"`
	Mode                string   `json:"mode"` // "gateway" | "inherit" | "override" | "disabled"
	AllowAllOrigins     bool     `json:"allow_all_origins"`
	AllowedOrigins      []string `json:"allowed_origins"`
	AllowCredentials    bool     `json:"allow_credentials"`
	AllowedMethods      []string `json:"allowed_methods"`
	AllowedHeaders      []string `json:"allowed_headers"`
	ExposedHeaders      []string `json:"exposed_headers"`
	MaxAgeSeconds       int      `json:"max_age_seconds"`
	AllowPrivateNetwork bool     `json:"allow_private_network"`
	GrpcWebEnabled      bool     `json:"grpc_web_enabled"`
}
CorsPolicy is the structured CORS configuration shared by the gateway (top-level) and per-service overrides. It lives in internal/config so that both the globule package and the gateway handler packages can import it without creating circular dependencies.
func DefaultGatewayCorsPolicy
func DefaultGatewayCorsPolicy() *CorsPolicy
DefaultGatewayCorsPolicy returns sensible defaults for the gateway-level policy.
func DefaultServiceCorsPolicy
func DefaultServiceCorsPolicy() *CorsPolicy
DefaultServiceCorsPolicy returns the default per-service CORS policy (inherit from the gateway).
func EffectivePolicy
func EffectivePolicy(gateway, service *CorsPolicy) *CorsPolicy
EffectivePolicy computes the policy actually enforced for a service, given the gateway-level policy and the service's own policy.
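An added example, not the project's own EffectivePolicy, of the gateway/service merge under assumed mode semantics: a nil or "inherit" service policy yields the gateway policy, "override" yields the service's own, and "disabled" turns CORS off for that service. It also includes an exact-match origin check and rejects the wildcard-origin-plus-credentials combination; both checks are added here and are not documented on the page.

```go
package main

import "errors"

// CorsPolicy mirrors the documented struct; only the fields the merge needs are kept.
type CorsPolicy struct {
	Enabled          bool
	Mode             string // "gateway" | "inherit" | "override" | "disabled"
	AllowAllOrigins  bool
	AllowedOrigins   []string
	AllowCredentials bool
}

// effectivePolicy is an assumed merge: a nil or "inherit" service policy yields the
// gateway policy, "override" the service's own, "disabled" switches CORS off.
func effectivePolicy(gateway, service *CorsPolicy) *CorsPolicy {
	if service == nil {
		return gateway
	}
	switch service.Mode {
	case "override":
		return service
	case "disabled":
		return &CorsPolicy{Enabled: false, Mode: "disabled"}
	}
	return gateway // "inherit", "gateway" or an unknown mode: fall back to the gateway policy
}

// validateCorsPolicy rejects the one combination browsers refuse and that would
// expose credentialed responses to any site: a wildcard origin plus credentials.
func validateCorsPolicy(p *CorsPolicy) error {
	if p != nil && p.Enabled && p.AllowCredentials && p.AllowAllOrigins {
		return errors.New("cors: allow_credentials cannot be combined with allow_all_origins")
	}
	return nil
}

// originAllowed matches the Origin header value exactly (scheme, host and port);
// prefix or substring matching is the classic CORS bypass, so it is not done here.
func originAllowed(p *CorsPolicy, origin string) bool {
	if p == nil || !p.Enabled {
		return false
	}
	for _, o := range p.AllowedOrigins {
		if o == origin {
			return true
		}
	}
	return p.AllowAllOrigins
}
```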
type GatewayConfig
type GatewayConfig struct {
	Mode          string `json:"mode"`
	EnvoyHTTPAddr string `json:"envoy_http_addr"`
	MaxUpload     int64  `json:"max_upload"`
	RateRPS       int    `json:"rate_rps"`
	RateBurst     int    `json:"rate_burst"`
	HTTPPort      int    `json:"http_port"`
	HTTPSPort     int    `json:"https_port"`
	Domain        string `json:"domain,omitempty"`
	Protocol      string `json:"protocol,omitempty"`
}
GatewayConfig defines the settings used by the gateway when bootstrapping from an explicit configuration file.
func DefaultGatewayConfig
func DefaultGatewayConfig() GatewayConfig
DefaultGatewayConfig returns the defaults used by the gateway CLI.
func LoadGatewayConfig
func LoadGatewayConfig(path string) (GatewayConfig, error)
LoadGatewayConfig reads the JSON config at path and merges it with the defaults.
func (GatewayConfig) Validate
func (c GatewayConfig) Validate() error
Validate ensures the configuration contains the fields required for startup.