config

package
Constants

// Recognised values for `balancing_algorithm`; see LoadBalancingStrategies
// and IsLoadBalancingAlgorithmValid.
const (
	LOAD_BALANCE_RR string = "round-robin"
	LOAD_BALANCE_LC string = "least-connection"
)

// Recognised values for `balancing_algorithm_az_preference`; see AZPreferences.
const (
	AZ_PREF_NONE  string = "none"
	AZ_PREF_LOCAL string = "locally-optimistic"
)

// Recognised values for `routing_table_sharding_mode`; see AllowedShardingModes.
const (
	SHARD_ALL                 string = "all"
	SHARD_SEGMENTS            string = "segments"
	SHARD_SHARED_AND_SEGMENTS string = "shared-and-segments"
)

// Recognised values for `forwarded_client_cert`; see
// AllowedForwardedClientCertModes. The names suggest that ALWAYS_FORWARD passes
// client-supplied certificate data on unmodified while SANITIZE_SET replaces
// it; the exact behaviour of each mode is defined by the proxy, not here, and
// should be confirmed before choosing anything other than SANITIZE_SET.
const (
	ALWAYS_FORWARD string = "always_forward"
	SANITIZE_SET   string = "sanitize_set"
	FORWARD        string = "forward"
)

// Recognised values for `logging.redact_query_params`; see
// AllowedQueryParmRedactionModes.
const (
	REDACT_QUERY_PARMS_NONE string = "none"
	REDACT_QUERY_PARMS_ALL  string = "all"
	REDACT_QUERY_PARMS_HASH string = "hash"
)

Variables

// The slices below enumerate the recognised values for the corresponding YAML
// settings. They are exported, mutable package-level slices: treat them as
// read-only, since appending to or editing them at runtime changes what is
// accepted everywhere they are consulted.

// LoadBalancingStrategies lists the recognised `balancing_algorithm` values
// (see IsLoadBalancingAlgorithmValid).
var LoadBalancingStrategies = []string{LOAD_BALANCE_RR, LOAD_BALANCE_LC}

// AZPreferences lists the recognised `balancing_algorithm_az_preference` values.
var AZPreferences = []string{AZ_PREF_NONE, AZ_PREF_LOCAL}

// AllowedShardingModes lists the recognised `routing_table_sharding_mode` values.
var AllowedShardingModes = []string{SHARD_ALL, SHARD_SEGMENTS, SHARD_SHARED_AND_SEGMENTS}

// AllowedForwardedClientCertModes lists the recognised `forwarded_client_cert` values.
var AllowedForwardedClientCertModes = []string{ALWAYS_FORWARD, FORWARD, SANITIZE_SET}

// AllowedQueryParmRedactionModes lists the recognised `logging.redact_query_params` values.
var AllowedQueryParmRedactionModes = []string{REDACT_QUERY_PARMS_NONE, REDACT_QUERY_PARMS_ALL, REDACT_QUERY_PARMS_HASH}

Functions

func InitClientCertMetadataRules

func InitClientCertMetadataRules(rules []VerifyClientCertificateMetadataRule, certs []*x509.Certificate) error

InitClientCertMetadataRules compares each configured rule against the client CAs loaded from `client_ca_certs`. If any rule's `issuer_in_chain` subject matches none of those CAs (comparison is by the CA's subject), an error is returned and startup fails.

This guards against a rule whose issuer subject contains a minor typo: such a rule would never match any presented chain, so the additional subject check it was meant to enforce would silently never run — a fail-open misconfiguration that would make the whole metadata check moot. Failing at startup makes the mistake visible instead.

func IsLoadBalancingAlgorithmValid

func IsLoadBalancingAlgorithmValid(lbAlgo string) bool

func VerifyClientCertMetadata

func VerifyClientCertMetadata(rules []VerifyClientCertificateMetadataRule, chains [][]*x509.Certificate, logger *slog.Logger) error

VerifyClientCertMetadata takes the certificate chains that crypto/tls hands to the tls.Config.VerifyPeerCertificate callback and checks whether any configured VerifyClientCertificateMetadataRule applies to a CA in those chains. Note that crypto/tls passes nil verified chains to that callback when the server's ClientAuth mode does not verify the client chain (RequestClientCert, RequireAnyClientCert) — with such a `client_cert_validation` setting no rule can match, so confirm that the caller treats that case as a failure rather than silently accepting the connection.

If a rule applies, the client certificate's subject is checked against that rule's ValidSubjects.

Returns an error if an applicable rule was found but the client certificate's subject is not one of that rule's ValidSubjects.

Types

type AccessLog

// AccessLog configures the access log output (`access_log`).
type AccessLog struct {
	// File (`file`) is the access log destination; presumably a file path — confirm against the writer.
	File string `yaml:"file"`
	// EnableStreaming (`enable_streaming`) toggles streaming of access log entries; the transport is not visible here.
	EnableStreaming bool `yaml:"enable_streaming"`
}

type BackendConfig

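// BackendConfig holds the settings for connections from the router to
// application backends (`backends`), including the client-auth material.
//
// ClientAuthCertificate is a parsed tls.Certificate that carries the private
// key. It is tagged `yaml:"-"`, as NatsConfig.ClientAuthCertificate already
// is, so the key material is neither read from an undocumented
// `clientauthcertificate` YAML key nor written out if the config is ever
// marshalled; it is presumably built from the inlined TLSPem by Process.
type BackendConfig struct {
	ClientAuthCertificate tls.Certificate  `yaml:"-"`
	MaxConns              int64            `yaml:"max_conns"` // per-backend connection cap, presumably; the meaning of 0 is not visible here
	MaxAttempts           int              `yaml:"max_attempts"`
	TLSPem                `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}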

type CertSubject

// CertSubject is the YAML-declarable form of a distinguished name. Each field
// corresponds to the pkix.Name field of the same name (pkix.Name's Names and
// ExtraNames have no counterpart here); ToName performs the conversion.
// Multi-valued attributes are lists, while CommonName and SerialNumber are
// single strings, mirroring pkix.Name. It is used both for issuer matching
// (VerifyClientCertificateMetadataRule.CASubject) and for allowed client
// subjects (VerifyClientCertificateMetadataRule.ValidSubjects).
type CertSubject struct {
	Country            []string `yaml:"country"`
	Organization       []string `yaml:"organization"`
	OrganizationalUnit []string `yaml:"organizational_unit"`
	CommonName         string   `yaml:"common_name"`
	SerialNumber       string   `yaml:"serial_number"`
	Locality           []string `yaml:"locality"`
	Province           []string `yaml:"province"`
	StreetAddress      []string `yaml:"street_address"`
	PostalCode         []string `yaml:"postal_code"`
}

CertSubject mirrors the named attribute fields of pkix.Name (it has no counterpart for pkix.Name's Names and ExtraNames) and allows them to be declared in YAML. It is used to express the distinguished names of certificate subjects and issuers in a form that can be compared against a certificate's pkix.Name.

func (CertSubject) ToName

func (c CertSubject) ToName() pkix.Name

ToName converts this CertSubject to the equivalent pkix.Name so that it can be compared with a certificate's Subject or Issuer.

type Config

// Config is the top-level Gorouter configuration as unmarshalled from YAML
// (see Initialize and InitConfigFromFile). Fields tagged `yaml:"-"` are never
// read from the file: they hold parsed forms of neighbouring string/PEM fields
// and are presumably filled in by Process. Fields with a security impact carry
// a note; where a note says "not visible here" the behaviour is inferred from
// the field name alone and should be confirmed against the code that reads it.
type Config struct {
	// Listeners, NATS, logging, metrics and TLS material.
	Status                         StatusConfig      `yaml:"status,omitempty"`
	Nats                           NatsConfig        `yaml:"nats,omitempty"`
	Logging                        LoggingConfig     `yaml:"logging,omitempty"`
	Port                           uint16            `yaml:"port,omitempty"`
	Prometheus                     PrometheusConfig  `yaml:"prometheus,omitempty"`
	Index                          uint              `yaml:"index,omitempty"`
	Zone                           string            `yaml:"zone,omitempty"`
	GoMaxProcs                     int               `yaml:"go_max_procs,omitempty"`
	Tracing                        Tracing           `yaml:"tracing,omitempty"`
	TraceKey                       string            `yaml:"trace_key,omitempty"`
	AccessLog                      AccessLog         `yaml:"access_log,omitempty"`
	DebugAddr                      string            `yaml:"debug_addr,omitempty"` // debug listener address; what it serves is not visible here — bind it to loopback or a management network only
	EnablePROXY                    bool              `yaml:"enable_proxy,omitempty"`
	EnableSSL                      bool              `yaml:"enable_ssl,omitempty"`
	SSLPort                        uint16            `yaml:"ssl_port,omitempty"`
	DisableHTTP                    bool              `yaml:"disable_http,omitempty"`
	EnableHTTP2                    bool              `yaml:"enable_http2"`
	EnableHTTP1ConcurrentReadWrite bool              `yaml:"enable_http1_concurrent_read_write"`
	SSLCertificates                []tls.Certificate `yaml:"-"` // parsed server certificates, presumably from TLSPEM
	TLSPEM                         []TLSPem          `yaml:"tls_pem,omitempty"`
	CACerts                        []string          `yaml:"ca_certs,omitempty"`
	CAPool                         *x509.CertPool    `yaml:"-"`
	ClientCACerts                  string            `yaml:"client_ca_certs,omitempty"` // CAs trusted to issue client (mTLS) certificates; VerifyClientCertificateMetadataRules are matched against these CAs' subjects
	ClientCAPool                   *x509.CertPool    `yaml:"-"`

	// Proxying behaviour. Several of these decide how much the router trusts
	// what a client sends, so review them together.
	// SkipSSLValidation (`skip_ssl_validation`) disables certificate verification
	// on some outbound TLS connections — which ones is not visible here. Unsafe
	// outside test environments.
	SkipSSLValidation bool `yaml:"skip_ssl_validation,omitempty"`
	// ForwardedClientCert (`forwarded_client_cert`) is expected to be one of
	// AllowedForwardedClientCertModes (ALWAYS_FORWARD, FORWARD, SANITIZE_SET).
	// The names suggest ALWAYS_FORWARD passes client-supplied certificate data on
	// unmodified, which would let a client assert an identity it never proved,
	// while SANITIZE_SET replaces it; confirm the semantics before choosing
	// anything other than SANITIZE_SET.
	ForwardedClientCert string `yaml:"forwarded_client_cert,omitempty"`
	// ForceForwardedProtoHttps (`force_forwarded_proto_https`) and
	// SanitizeForwardedProto (`sanitize_forwarded_proto`) presumably control the
	// forwarded-protocol value backends see; their precise semantics are not
	// visible here.
	ForceForwardedProtoHttps bool `yaml:"force_forwarded_proto_https,omitempty"`
	SanitizeForwardedProto   bool `yaml:"sanitize_forwarded_proto,omitempty"`
	// HopByHopHeadersToFilter (`hop_by_hop_headers_to_filter`) lists additional
	// hop-by-hop headers to strip, presumably.
	HopByHopHeadersToFilter []string `yaml:"hop_by_hop_headers_to_filter"`
	// IsolationSegments (`isolation_segments`) and RoutingTableShardingMode
	// (`routing_table_sharding_mode`, expected to be one of AllowedShardingModes)
	// presumably select which routes this router instance serves.
	IsolationSegments        []string `yaml:"isolation_segments,omitempty"`
	RoutingTableShardingMode string   `yaml:"routing_table_sharding_mode,omitempty"`

	// TLS listener policy. The *String fields are the YAML form; the matching
	// `yaml:"-"` fields hold the parsed values.
	CipherString                                    string                                `yaml:"cipher_suites,omitempty"`
	CipherSuites                                    []uint16                              `yaml:"-"`
	MinTLSVersionString                             string                                `yaml:"min_tls_version,omitempty"`
	MaxTLSVersionString                             string                                `yaml:"max_tls_version,omitempty"`
	MinTLSVersion                                   uint16                                `yaml:"-"`
	MaxTLSVersion                                   uint16                                `yaml:"-"`
	ClientCertificateValidationString               string                                `yaml:"client_cert_validation,omitempty"` // parsed into ClientCertificateValidation; the accepted strings are not visible here
	ClientCertificateValidation                     tls.ClientAuthType                    `yaml:"-"`
	OnlyTrustClientCACerts                          bool                                  `yaml:"only_trust_client_ca_certs"` // by its name, restricts client-cert trust to ClientCAPool rather than CAPool as well — confirm
	TLSHandshakeTimeout                             time.Duration                         `yaml:"tls_handshake_timeout"`
	VerifyClientCertificatesBasedOnProvidedMetadata bool                                  `yaml:"enable_verify_client_certificate_metadata,omitempty"` // presumably enables the subject checks of VerifyClientCertMetadata using the rules below
	VerifyClientCertificateMetadataRules            []VerifyClientCertificateMetadataRule `yaml:"verify_client_certificate_metadata,omitempty"`

	// Timeouts and intervals for backends, NATS-driven route pruning and the frontend.
	LoadBalancerHealthyThreshold    time.Duration `yaml:"load_balancer_healthy_threshold,omitempty"`
	PublishStartMessageInterval     time.Duration `yaml:"publish_start_message_interval,omitempty"`
	SuspendPruningIfNatsUnavailable bool          `yaml:"suspend_pruning_if_nats_unavailable,omitempty"`
	PruneStaleDropletsInterval      time.Duration `yaml:"prune_stale_droplets_interval,omitempty"`
	DropletStaleThreshold           time.Duration `yaml:"droplet_stale_threshold,omitempty"`
	PublishActiveAppsInterval       time.Duration `yaml:"publish_active_apps_interval,omitempty"`
	StartResponseDelayInterval      time.Duration `yaml:"start_response_delay_interval,omitempty"`
	EndpointTimeout                 time.Duration `yaml:"endpoint_timeout,omitempty"`
	EndpointDialTimeout             time.Duration `yaml:"endpoint_dial_timeout,omitempty"`
	WebsocketDialTimeout            time.Duration `yaml:"websocket_dial_timeout,omitempty"`
	EndpointKeepAliveProbeInterval  time.Duration `yaml:"endpoint_keep_alive_probe_interval,omitempty"`
	RouteServiceTimeout             time.Duration `yaml:"route_services_timeout,omitempty"`
	FrontendIdleTimeout             time.Duration `yaml:"frontend_idle_timeout,omitempty"`

	// RouteLatencyMetricMuzzleDuration (`route_latency_metric_muzzle_duration`)
	// presumably suppresses the route latency metric for this duration; the
	// semantics are not visible here.
	RouteLatencyMetricMuzzleDuration time.Duration `yaml:"route_latency_metric_muzzle_duration,omitempty"`

	// Drain behaviour and cookie handling.
	DrainWait                      time.Duration `yaml:"drain_wait,omitempty"`
	DrainTimeout                   time.Duration `yaml:"drain_timeout,omitempty"`
	SecureCookies                  bool          `yaml:"secure_cookies,omitempty"` // by its name, marks router-set cookies Secure — confirm which cookies are affected
	StickySessionCookieNames       StringSet     `yaml:"sticky_session_cookie_names"`
	StickySessionsForAuthNegotiate bool          `yaml:"sticky_sessions_for_auth_negotiate"`
	HealthCheckUserAgent           string        `yaml:"healthcheck_user_agent,omitempty"`

	// Route services and the Routing API. RouteServiceSecret is a secret whose
	// exact use is not visible here; per its YAML key, RouteServiceSecretPrev is
	// accepted for decryption only, which allows rotating the secret without
	// breaking requests still carrying data protected by the old one.
	OAuth                             OAuthConfig      `yaml:"oauth,omitempty"`
	RoutingApi                        RoutingApiConfig `yaml:"routing_api,omitempty"`
	RouteServiceSecret                string           `yaml:"route_services_secret,omitempty"`              // secret; keep out of logs and world-readable config
	RouteServiceSecretPrev            string           `yaml:"route_services_secret_decrypt_only,omitempty"` // previous secret, decrypt-only (rotation)
	RouteServiceRecommendHttps        bool             `yaml:"route_services_recommend_https,omitempty"`
	RouteServicesHairpinning          bool             `yaml:"route_services_hairpinning"`
	RouteServicesHairpinningAllowlist []string         `yaml:"route_services_hairpinning_allowlist,omitempty"`
	RouteServicesServerPort           uint16           `yaml:"route_services_internal_server_port"`
	// These fields are populated by the `Process` function.
	Ip                          string        `yaml:"-"`
	RouteServiceEnabled         bool          `yaml:"-"`
	NatsClientPingInterval      time.Duration `yaml:"nats_client_ping_interval,omitempty"`
	NatsClientMessageBufferSize int           `yaml:"-"`
	Backends                    BackendConfig `yaml:"backends,omitempty"`
	ExtraHeadersToLog           []string      `yaml:"extra_headers_to_log,omitempty"`

	// RouteServiceConfig (`route_services`) holds the client-auth material and
	// retry/signature settings for calls to route services.
	RouteServiceConfig RouteServiceConfig `yaml:"route_services,omitempty"`

	// Token fetcher retry and expiry-buffer settings, presumably for the OAuth tokens above.
	TokenFetcherMaxRetries                    uint32        `yaml:"token_fetcher_max_retries,omitempty"`
	TokenFetcherRetryInterval                 time.Duration `yaml:"token_fetcher_retry_interval,omitempty"`
	TokenFetcherExpirationBufferTimeInSeconds int64         `yaml:"token_fetcher_expiration_buffer_time,omitempty"`

	// PidFile (`pid_file`) is where the process id is written.
	PidFile string `yaml:"pid_file,omitempty"`
	// LoadBalance (`balancing_algorithm`) is expected to be one of
	// LoadBalancingStrategies; see IsLoadBalancingAlgorithmValid.
	LoadBalance string `yaml:"balancing_algorithm,omitempty"`
	// LoadBalanceAZPreference (`balancing_algorithm_az_preference`) is expected to be one of AZPreferences.
	LoadBalanceAZPreference string `yaml:"balancing_algorithm_az_preference,omitempty"`

	// Backend connection pool and request limits.
	DisableKeepAlives            bool `yaml:"disable_keep_alives"`
	MaxIdleConns                 int  `yaml:"max_idle_conns,omitempty"`
	MaxIdleConnsPerHost          int  `yaml:"max_idle_conns_per_host,omitempty"`
	MaxHeaderBytes               int  `yaml:"max_header_bytes"` // presumably caps request header size (cf. http.Server.MaxHeaderBytes), bounding memory spent on oversized headers
	KeepAlive100ContinueRequests bool `yaml:"keep_alive_100_continue_requests"`

	// HTTPRewrite (`http_rewrite`) holds response header add/remove rules.
	HTTPRewrite HTTPRewrite `yaml:"http_rewrite,omitempty"`

	// Behaviour when a route has no healthy backends.
	EmptyPoolResponseCode503 bool          `yaml:"empty_pool_response_code_503,omitempty"`
	EmptyPoolTimeout         time.Duration `yaml:"empty_pool_timeout,omitempty"`

	// HTMLErrorTemplateFile (`html_error_template_file`) is, by its name, a path
	// to a template for HTML error pages; treat its contents as trusted.
	HTMLErrorTemplateFile string `yaml:"html_error_template_file,omitempty"`

	// Old metric, to eventually be replaced by prometheus reporting
	// reports latency under gorouter sourceid, and with and without component name
	PerRequestMetricsReporting bool `yaml:"per_request_metrics_reporting,omitempty"`

	// Old metric, to eventually be replaced by prometheus reporting
	SendHttpStartStopServerEvent bool `yaml:"send_http_start_stop_server_event,omitempty"`

	// Old metric, to eventually be replaced by prometheus reporting
	SendHttpStartStopClientEvent bool `yaml:"send_http_start_stop_client_event,omitempty"`

	// PerAppPrometheusHttpMetricsReporting (`per_app_prometheus_http_metrics_reporting`) toggles per-app HTTP metrics.
	PerAppPrometheusHttpMetricsReporting bool `yaml:"per_app_prometheus_http_metrics_reporting,omitempty"`

	// Backend health-check cadence.
	HealthCheckPollInterval time.Duration `yaml:"healthcheck_poll_interval"`
	HealthCheckTimeout      time.Duration `yaml:"healthcheck_timeout"`
}

func DefaultConfig

func DefaultConfig() (*Config, error)

func InitConfigFromFile

func InitConfigFromFile(path string) (*Config, error)

func (*Config) Initialize

func (c *Config) Initialize(configYAML []byte) error

func (*Config) NatsServers

func (c *Config) NatsServers() []string

func (*Config) Process

func (c *Config) Process() error

func (*Config) RoutingApiEnabled

func (c *Config) RoutingApiEnabled() bool

type FormatConfig

// FormatConfig holds log formatting options (`logging.format`).
type FormatConfig struct {
	// Timestamp (`timestamp`) selects the timestamp format; the accepted values are not visible here.
	Timestamp string `yaml:"timestamp"`
}

type HTTPRewrite

// HTTPRewrite groups the response-rewrite rules (`http_rewrite`).
type HTTPRewrite struct {
	// Responses (`responses`) holds the header rewrites applied to responses.
	Responses HTTPRewriteResponses `yaml:"responses,omitempty"`
}

type HTTPRewriteResponses

// HTTPRewriteResponses lists header rewrites applied to responses. Note that,
// as the name says, AddHeadersIfNotPresent only adds a header when the
// response lacks it — a security header configured here is not enforced when
// a backend already sends its own value.
type HTTPRewriteResponses struct {
	// AddHeadersIfNotPresent (`add_headers_if_not_present`): headers to add when absent.
	AddHeadersIfNotPresent []HeaderNameValue `yaml:"add_headers_if_not_present,omitempty"`
	// RemoveHeaders (`remove_headers`): headers to strip from responses.
	RemoveHeaders []HeaderNameValue `yaml:"remove_headers,omitempty"`
}

type HeaderNameValue

// HeaderNameValue is one header rewrite entry. Value is optional (omitempty);
// for removals presumably only Name is consulted — confirm against the rewriter.
type HeaderNameValue struct {
	Name  string `yaml:"name"`
	Value string `yaml:"value,omitempty"`
}

type LoggingConfig

// LoggingConfig configures application logging (`logging`). By their names,
// DisableLogForwardedFor, DisableLogSourceIP and RedactQueryParams reduce the
// amount of client-identifying or request data that reaches the logs.
type LoggingConfig struct {
	Syslog                 string       `yaml:"syslog"`
	SyslogAddr             string       `yaml:"syslog_addr"`
	SyslogNetwork          string       `yaml:"syslog_network"`
	Level                  string       `yaml:"level"`
	LoggregatorEnabled     bool         `yaml:"loggregator_enabled"`
	MetronAddress          string       `yaml:"metron_address"`
	DisableLogForwardedFor bool         `yaml:"disable_log_forwarded_for"`
	DisableLogSourceIP     bool         `yaml:"disable_log_source_ip"` // omits the client source IP from logs, presumably
	RedactQueryParams      string       `yaml:"redact_query_params"`   // expected to be one of AllowedQueryParmRedactionModes
	EnableAttemptsDetails  bool         `yaml:"enable_attempts_details"`
	Format                 FormatConfig `yaml:"format"`

	// This field is populated by the `Process` function.
	JobName string `yaml:"-"`
}

type NatsConfig

// NatsConfig holds the NATS connection settings (`nats`): hosts, credentials
// and TLS material. Pass and the inlined PrivateKey are secrets.
type NatsConfig struct {
	Hosts                 []NatsHost       `yaml:"hosts"`
	User                  string           `yaml:"user"`
	Pass                  string           `yaml:"pass"`
	TLSEnabled            bool             `yaml:"tls_enabled"`
	CACerts               string           `yaml:"ca_certs"`
	CAPool                *x509.CertPool   `yaml:"-"`
	ClientAuthCertificate tls.Certificate  `yaml:"-"` // presumably built from the inlined TLSPem; never read from YAML
	TLSPem                `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}

type NatsHost

// NatsHost is one NATS server address. The fields carry no yaml tags, so the
// YAML keys are presumably the lowercased field names (hostname, port) —
// confirm against the YAML library's default field mapping.
type NatsHost struct {
	Hostname string
	Port     uint16
}

type OAuthConfig

// OAuthConfig configures the OAuth token endpoint (`oauth`) the router obtains
// tokens from. ClientSecret is a credential.
type OAuthConfig struct {
	TokenEndpoint     string `yaml:"token_endpoint"`
	Port              int    `yaml:"port"`
	SkipSSLValidation bool   `yaml:"skip_ssl_validation"` // presumably disables certificate verification for the token endpoint; unsafe outside test environments
	ClientName        string `yaml:"client_name"`
	ClientSecret      string `yaml:"client_secret"` // secret; keep out of logs and world-readable config
	CACerts           string `yaml:"ca_certs"`
}

type PrometheusConfig

// PrometheusConfig configures the metrics endpoint (`prometheus`). CertPath,
// KeyPath and CAPath are file paths, presumably for serving the endpoint over
// TLS — confirm against the metrics server setup. The key file is a secret.
type PrometheusConfig struct {
	Port     uint16 `yaml:"port"`
	CertPath string `yaml:"cert_path"`
	KeyPath  string `yaml:"key_path"`
	CAPath   string `yaml:"ca_path"`
}

type RouteServiceConfig

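// RouteServiceConfig holds the settings for calls from the router to route
// services (`route_services`).
//
// ClientAuthCertificate is a parsed tls.Certificate that carries the private
// key. It is tagged `yaml:"-"`, as NatsConfig.ClientAuthCertificate already
// is, so the key material is neither read from an undocumented
// `clientauthcertificate` YAML key nor written out if the config is ever
// marshalled; it is presumably built from the inlined TLSPem by Process.
type RouteServiceConfig struct {
	ClientAuthCertificate     tls.Certificate  `yaml:"-"`
	MaxAttempts               int              `yaml:"max_attempts"`
	StrictSignatureValidation bool             `yaml:"strict_signature_validation"` // by its name, relaxes signature checking when false; keep enabled (exact effect not visible here)
	TLSPem                    `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}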

type RoutingApiConfig

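// RoutingApiConfig holds the settings for talking to the Routing API
// (`routing_api`).
//
// ClientAuthCertificate is a parsed tls.Certificate that carries the private
// key. It is tagged `yaml:"-"`, as NatsConfig.ClientAuthCertificate already
// is, so the key material is neither read from an undocumented
// `clientauthcertificate` YAML key nor written out if the config is ever
// marshalled; it is presumably built from the inlined TLSPem by Process.
type RoutingApiConfig struct {
	Uri                   string           `yaml:"uri"`
	Port                  int              `yaml:"port"`
	AuthDisabled          bool             `yaml:"auth_disabled"` // presumably turns off authentication to the Routing API; never enable outside isolated test setups
	CACerts               string           `yaml:"ca_certs"`
	CAPool                *x509.CertPool   `yaml:"-"` // presumably built from CACerts by Process
	ClientAuthCertificate tls.Certificate  `yaml:"-"` // see the type comment; excluded from YAML like NatsConfig.ClientAuthCertificate
	TLSPem                `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}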

type StatusConfig

// StatusConfig configures the status/health endpoints (`status`), including
// the credentials (User/Pass) and TLS settings used to serve them.
type StatusConfig struct {
	Host                                 string             `yaml:"host"`
	Port                                 uint16             `yaml:"port"`
	EnableNonTLSHealthChecks             bool               `yaml:"enable_nontls_health_checks"`
	EnableDeprecatedVarzHealthzEndpoints bool               `yaml:"enable_deprecated_varz_healthz_endpoints"` // legacy endpoints; keep disabled unless a consumer still needs them
	TLSCert                              tls.Certificate    `yaml:"-"`
	TLS                                  StatusTLSConfig    `yaml:"tls"`
	User                                 string             `yaml:"user"` // credential for the status endpoints
	Pass                                 string             `yaml:"pass"` // secret; keep out of logs and world-readable config
	Routes                               StatusRoutesConfig `yaml:"routes"`
}

type StatusRoutesConfig

// StatusRoutesConfig configures the routes listener of the status server (`status.routes`).
type StatusRoutesConfig struct {
	// Port (`port`) is the listening port.
	Port uint16 `yaml:"port"`
}

type StatusTLSConfig

// StatusTLSConfig holds the TLS listener settings for the status endpoints
// (`status.tls`). Certificate and Key are strings; whether they hold PEM or
// file paths is not visible here (the parsed result presumably lands in
// StatusConfig.TLSCert). Key is a secret.
type StatusTLSConfig struct {
	Port        uint16 `yaml:"port"`
	Certificate string `yaml:"certificate"`
	Key         string `yaml:"key"`
}

type StringSet

// StringSet is a set of strings with custom YAML (un)marshalling; see
// MarshalYAML and UnmarshalYAML for the wire form. It backs
// Config.StickySessionCookieNames. Being a map, a nil StringSet is safe to
// range over but must be initialised before inserting into it.
type StringSet map[string]struct{}

func (StringSet) MarshalYAML

func (ss StringSet) MarshalYAML() (interface{}, error)

func (*StringSet) UnmarshalYAML

func (ss *StringSet) UnmarshalYAML(unmarshal func(interface{}) error) error

type TLSPem

// TLSPem carries PEM-encoded TLS key material as declared in YAML. It is
// inlined (`yaml:",inline"`) into the NATS, backend, route-service and
// Routing API configs to supply client-authentication credentials.
type TLSPem struct {
	// CertChain (`cert_chain`) is the PEM certificate chain.
	CertChain string `yaml:"cert_chain"`
	// PrivateKey (`private_key`) is the PEM private key. It is a secret: keep
	// config files containing it access-restricted and out of logs.
	PrivateKey string `yaml:"private_key"`
}

type Tracing

// Tracing toggles distributed-tracing header support (`tracing`).
type Tracing struct {
	EnableZipkin bool   `yaml:"enable_zipkin"`
	EnableW3C    bool   `yaml:"enable_w3c"`
	W3CTenantID  string `yaml:"w3c_tenant_id"`
}

type VerifyClientCertificateMetadataRule

// VerifyClientCertificateMetadataRule adds a subject allow-list, on top of
// ordinary chain validation, for client certificates issued by one CA.
type VerifyClientCertificateMetadataRule struct {
	// CASubject (`issuer_in_chain`) is the subject DN of the issuing CA for which
	// the subject validation applies. The CA is matched by subject only, so it
	// should be one of the CAs in `client_ca_certs` (InitClientCertMetadataRules
	// rejects rules that match none of them at startup).
	CASubject CertSubject `yaml:"issuer_in_chain"`
	// ValidSubjects (`valid_cert_subjects`) lists the client certificate subject
	// DNs that are allowed to be used for mTLS connections to Gorouter under this
	// rule; any other subject from this CA is rejected by VerifyClientCertMetadata.
	ValidSubjects []CertSubject `yaml:"valid_cert_subjects"`
}

VerifyClientCertificateMetadataRule defines a verification rule for client certificates, which adds a check of the certificate's subject on top of ordinary chain validation.

A rule is selected by the subject of the issuing CA: CASubject (`issuer_in_chain`) is compared against the subject of a CA certificate in the presented chain. That CA must be one of those configured in `client_ca_certs`, and it is identified solely by its subject, so rules cannot distinguish two configured CAs that share a subject. See VerifyClientCertMetadata() for the implementation of the checks.

For client certificates issued by a CA that matches CASubject, ValidSubjects enumerates the only client certificate subjects that are accepted; a certificate whose subject is not listed is rejected.
