config

package
v2.1.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 7, 2023 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package config defines all configuration of Garm. It can read the configuration file from YAML file and decode the configuration to a Config struct.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetActualValue

func GetActualValue(val string) string

GetActualValue returns the environment variable value if the given val has "_" prefix and suffix, otherwise returns val directly.

func GetVersion

func GetVersion() string

GetVersion returns the current configuration version of Garm.

Types

type Athenz

type Athenz struct {
	// AuthHeader represents the HTTP request header key name to attach the n-token for authentication requests to Athenz.
	AuthHeader string `yaml:"auth_header"`

	// URL represents the Athenz (ZMS and ZTS) URL handle authentication and authorization request.
	URL string `yaml:"url"`

	// Timeout represents the request timeout duration to Athenz server.
	Timeout string `yaml:"timeout"`

	// AthenzRootCA is the Athenz root CA certificate file path for connecting to Athenz.
	AthenzRootCA string `yaml:"root_ca"`

	// AuthN represents the authentication configuration.
	AuthN webhook.AuthenticationConfig

	// AuthZ represents the authorization configuration.
	AuthZ webhook.AuthorizationConfig

	// Config is the common configuration for authentication and authorization server.
	Config webhook.Config
}

Athenz represents the configuration for webhook server to connect to Athenz.

type Config

type Config struct {
	// Version represents configuration file version.
	Version string `yaml:"version"`

	// EnableColorLogging represents if user want to enable colorized logging.
	EnableColorLogging bool `yaml:"enable_log_color"`

	// Logger represents logging configuration for Garm application.
	Logger Logger `yaml:"logger"`

	// Server represents webhook server and health check server configuration.
	Server Server `yaml:"server"`

	// Athenz represents Athenz configuration for Garm to connect to Athenz server.
	Athenz Athenz `yaml:"athenz"`

	// Token represents configuration to generate n-token for connecting to Athenz.
	Token Token `yaml:"token"`

	// Mapping represents the mapping rule for mapping K8s authentication and authorization requests to Athenz requests.
	Mapping Mapping `yaml:"map_rule"`
}

Config represents an application configuration content (config.yaml). In K8s environment, this configuration is stored in K8s ConfigMap.

func New

func New(path string) (*Config, error)

New returns the decoded configuration YAML file as *Config struct. Returns non-nil error if any.

type Logger

type Logger struct {
	// LogPath represents log file path.
	LogPath string `yaml:"log_path"`

	// LogTrace represents the event to be logged.
	// LogTrace is a comma separated list, the value can be "server", "athenz" and "mapping".
	LogTrace string `yaml:"log_trace"`
}

Logger represents logging configuration for Garm.

type Mapping

type Mapping struct {
	// TLD represents the mapping rules for each Top Level Domain.
	TLD TLD `yaml:"tld"`
}

Mapping represents the mapping rules from K8s authentication and authorization requests to Athenz requests.

type Platform

type Platform struct {
	// Name represents the platform name. Currently, it supports "k8s", "aks" and "k8s".
	Name string `yaml:"name"`

	// ServiceAthenzDomains represents the Athenz domain name used for non-administrative K8s webhook requests.
	ServiceAthenzDomains []string `yaml:"service_athenz_domains"`

	// ResourceMappings maps the K8s webhook request "resource" to the "resource" part of Athenz resource name.
	ResourceMappings map[string]string `yaml:"resource_mappings,omitempty"`

	// VerbMappings maps the K8s webhook request "verb" to the "verb" part of Athenz resource name.
	VerbMappings map[string]string `yaml:"verb_mappings,omitempty"`

	// APIGroupControlEnable enables the use of API group in Athenz resource name.
	APIGroupControlEnabled bool `yaml:"api_group_control"`

	// APIGroupMappings maps the K8s webhook request "group" to the "group" part of Athenz resource name.
	APIGroupMappings map[string]string `yaml:"api_group_mappings"`

	// EmptyNamespace represents the value used when the K8s webhook request "namespace" is empty.
	EmptyNamespace string `yaml:"empty_namespace"`

	// ResourceNameControlEnable enables the use of resource name in Athenz resource name.
	ResourceNameControlEnabled bool `yaml:"resource_name_control"`

	// ResourceNameMappings maps the K8s webhook request "name" to the "name" part of Athenz resource name.
	ResourceNameMappings map[string]string `yaml:"resource_name_mappings"`

	// ResourceNameReplacer represents the replacer to replace ":" or some values to another string.
	ResourceNameReplacer map[string]string `yaml:"resource_name_replacer"`

	// NonResourceAPIGroup represents the API group value (Athenz resource name) used for K8s non-resource webhook requests.
	NonResourceAPIGroup string `yaml:"non_resource_api_group"`

	// NonResourceNamespace represents the namespace value (Athenz resource name) used for K8s non-resource webhook requests.
	NonResourceNamespace string `yaml:"non_resource_namespace"`

	// ServiceAccountPrefixes represents the service account prefix for identifying service accounts.
	ServiceAccountPrefixes []string `yaml:"service_account_prefixes"`

	// AthenzUserPrefix represents the Athenz user prefix used when the K8s webhook request is from a user account.
	AthenzUserPrefix string `yaml:"athenz_user_prefix"`

	// AthenzServiceAccountPrefix represents the Athenz service account prefix used when the K8s webhook request is from a service account.
	AthenzServiceAccountPrefix string `yaml:"athenz_service_account_prefix"`

	// AdminAthenzDomain represents the Athenz domain name used for administrative K8s webhook requests.
	AdminAthenzDomain string `yaml:"admin_athenz_domain"`

	// AdminAccessList represents the list of administrative K8s webhook request patterns, which should use the admin domain in Athenz.
	AdminAccessList []*RequestInfo `yaml:"admin_access_list"`

	// Whitelist represents the list of whitelist K8s webhook request patterns. These requests will always trigger requests to Athenz to do authorization check.
	WhiteList []*RequestInfo `yaml:"white_list"`

	// Blacklist represents the list of blacklist K8s webhook request patterns. These requests will always rejected by Garm directly.
	BlackList []*RequestInfo `yaml:"black_list"`
}

Platform represents the mapping rules for each K8s request.

type RequestInfo

type RequestInfo struct {
	// Verb represents the K8s verb field inside K8s webhook request.
	Verb string `yaml:"verb"`

	// Namespace represents the K8s namespace field inside K8s webhook request.
	Namespace string `yaml:"namespace"`

	// APIGroup represents the K8s API Group field inside K8s webhook request.
	APIGroup string `yaml:"api_group"`

	// Resource represents the K8s resource field inside K8s webhook request.
	Resource string `yaml:"resource"`

	// Name represents the K8s resource name field inside K8s webhook request.
	Name string `yaml:"name"`
	// contains filtered or unexported fields
}

RequestInfo represents the rule of the K8s webhook request.

func (*RequestInfo) Match

func (r *RequestInfo) Match(req RequestInfo) bool

Match checks if the given RequestInfo matches with the regular expression in this RequestInfo. 1. r.Serialize() 2. replace `* => .*` 3. replace `..* => .*` return is regexp match

func (*RequestInfo) Serialize

func (r *RequestInfo) Serialize() string

Serialize returns RequestInfo in string format. 1. replacedAPIGroup = replace `. => _` in r.APIGroup 2. output format: `${r.Verb}-${r.Namespace}-${replacedAPIGroup}-${r.Resource}-${r.Name}`

type Server

type Server struct {
	// Port represents webhook server port.
	Port int `yaml:"port"`

	// HealthzPort represents health check server port.
	HealthzPort int `yaml:"health_check_port"`

	// HealthzPath represents the API path (pattern) for health check server.
	HealthzPath string `yaml:"health_check_path"`

	// Timeout represents the maximum webhook server request handling duration.
	Timeout string `yaml:"timeout"`

	// ShutdownDuration represents the maximum shutdown duration.
	ShutdownDuration string `yaml:"shutdown_duration"`

	// ProbeWaitTime represents the pause duration before shutting down webhook server after health check server shutdown.
	ProbeWaitTime string `yaml:"probe_wait_time"`

	// TLS represents the TLS configuration for webhook server.
	TLS TLS `yaml:"tls"`
}

Server represents webhook server and health check server configuration.

type TLD

type TLD struct {
	// Name represents the top level domain name.
	Name string `yaml:"name"`

	// Platform represents the mapping rules for each K8s request.
	Platform Platform `yaml:"platform"`
}

TLD represents the mapping rules for each Top Level Domain.

type TLS

type TLS struct {
	// Enable represents the webhook server enable TLS or not.
	Enabled bool `yaml:"enabled"`

	// Cert represents the certificate file path of webhook server.
	Cert string `yaml:"cert"`

	// Key represents the private key file path of webhook server certificate.
	Key string `yaml:"key"`

	// CA represents the CA certificates file path for verifying clients connecting to webhook server.
	CA string `yaml:"ca"`
}

TLS represents the TLS configuration for webhook server.

type Token

type Token struct {
	// AthenzDomain represents the Athenz domain value to generate the n-token.
	AthenzDomain string `yaml:"athenz_domain"`

	// ServiceName represents the Athenz service name value to generate the n-token.
	ServiceName string `yaml:"service_name"`

	// NTokenPath represents the n-token path. Only for Copper Argos.
	NTokenPath string `yaml:"ntoken_path"`

	// PrivateKey represents the private key file path for signing the n-token.
	PrivateKey string `yaml:"private_key"`

	// ValidateToken represents should validate the token or not. Set true when NTokenPath is set.
	ValidateToken bool `yaml:"validate_token"`

	// RefreshDuration represents the token refresh duration, no matter it is generated, or it is get from the token file (Copper Argos).
	RefreshDuration string `yaml:"refresh_duration"`

	// KeyVersion represents the key version of the n-token.
	KeyVersion string `yaml:"key_version"`

	// Expiration represents the duration of the expiration.
	Expiration string `yaml:"expiration"`
}

Token represents the token generation details or the n-token file for Copper Argos.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL