Documentation
¶
Overview ¶
Package config defines all configuration of Garm. It can read the configuration file from YAML file and decode the configuration to a Config struct.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetActualValue ¶
GetActualValue returns the environment variable value if the given val has "_" prefix and suffix, otherwise returns val directly.
func GetVersion ¶
func GetVersion() string
GetVersion returns the current configuration version of Garm.
Types ¶
type Athenz ¶
type Athenz struct {
// AuthHeader represents the HTTP request header key name to attach the n-token for authentication requests to Athenz.
AuthHeader string `yaml:"auth_header"`
// URL represents the Athenz (ZMS and ZTS) URL handle authentication and authorization request.
URL string `yaml:"url"`
// Timeout represents the request timeout duration to Athenz server.
Timeout string `yaml:"timeout"`
// AthenzRootCA is the Athenz root CA certificate file path for connecting to Athenz.
AthenzRootCA string `yaml:"root_ca"`
// AuthN represents the authentication configuration.
AuthN webhook.AuthenticationConfig
// AuthZ represents the authorization configuration.
AuthZ webhook.AuthorizationConfig
// Config is the common configuration for authentication and authorization server.
Config webhook.Config
}
Athenz represents the configuration for webhook server to connect to Athenz.
type Config ¶
type Config struct {
// Version represents configuration file version.
Version string `yaml:"version"`
// EnableColorLogging represents if user want to enable colorized logging.
EnableColorLogging bool `yaml:"enable_log_color"`
// Logger represents logging configuration for Garm application.
Logger Logger `yaml:"logger"`
// Server represents webhook server and health check server configuration.
Server Server `yaml:"server"`
// Athenz represents Athenz configuration for Garm to connect to Athenz server.
Athenz Athenz `yaml:"athenz"`
// Token represents configuration to generate n-token for connecting to Athenz.
Token Token `yaml:"token"`
// Mapping represents the mapping rule for mapping K8s authentication and authorization requests to Athenz requests.
Mapping Mapping `yaml:"map_rule"`
}
Config represents an application configuration content (config.yaml). In K8s environment, this configuration is stored in K8s ConfigMap.
type Logger ¶
type Logger struct {
// LogPath represents log file path.
LogPath string `yaml:"log_path"`
// LogTrace represents the event to be logged.
// LogTrace is a comma separated list, the value can be "server", "athenz" and "mapping".
LogTrace string `yaml:"log_trace"`
}
Logger represents logging configuration for Garm.
type Mapping ¶
type Mapping struct {
// TLD represents the mapping rules for each Top Level Domain.
TLD TLD `yaml:"tld"`
}
Mapping represents the mapping rules from K8s authentication and authorization requests to Athenz requests.
type Platform ¶
type Platform struct {
// Name represents the platform name. Currently, it supports "k8s", "aks" and "k8s".
Name string `yaml:"name"`
// ServiceAthenzDomains represents the Athenz domain name used for non-administrative K8s webhook requests.
ServiceAthenzDomains []string `yaml:"service_athenz_domains"`
// ResourceMappings maps the K8s webhook request "resource" to the "resource" part of Athenz resource name.
ResourceMappings map[string]string `yaml:"resource_mappings,omitempty"`
// VerbMappings maps the K8s webhook request "verb" to the "verb" part of Athenz resource name.
VerbMappings map[string]string `yaml:"verb_mappings,omitempty"`
// APIGroupControlEnable enables the use of API group in Athenz resource name.
APIGroupControlEnabled bool `yaml:"api_group_control"`
// APIGroupMappings maps the K8s webhook request "group" to the "group" part of Athenz resource name.
APIGroupMappings map[string]string `yaml:"api_group_mappings"`
// EmptyNamespace represents the value used when the K8s webhook request "namespace" is empty.
EmptyNamespace string `yaml:"empty_namespace"`
// ResourceNameControlEnable enables the use of resource name in Athenz resource name.
ResourceNameControlEnabled bool `yaml:"resource_name_control"`
// ResourceNameMappings maps the K8s webhook request "name" to the "name" part of Athenz resource name.
ResourceNameMappings map[string]string `yaml:"resource_name_mappings"`
// ResourceNameReplacer represents the replacer to replace ":" or some values to another string.
ResourceNameReplacer map[string]string `yaml:"resource_name_replacer"`
// NonResourceAPIGroup represents the API group value (Athenz resource name) used for K8s non-resource webhook requests.
NonResourceAPIGroup string `yaml:"non_resource_api_group"`
// NonResourceNamespace represents the namespace value (Athenz resource name) used for K8s non-resource webhook requests.
NonResourceNamespace string `yaml:"non_resource_namespace"`
// ServiceAccountPrefixes represents the service account prefix for identifying service accounts.
ServiceAccountPrefixes []string `yaml:"service_account_prefixes"`
// AthenzUserPrefix represents the Athenz user prefix used when the K8s webhook request is from a user account.
AthenzUserPrefix string `yaml:"athenz_user_prefix"`
// AthenzServiceAccountPrefix represents the Athenz service account prefix used when the K8s webhook request is from a service account.
AthenzServiceAccountPrefix string `yaml:"athenz_service_account_prefix"`
// AdminAthenzDomain represents the Athenz domain name used for administrative K8s webhook requests.
AdminAthenzDomain string `yaml:"admin_athenz_domain"`
// AdminAccessList represents the list of administrative K8s webhook request patterns, which should use the admin domain in Athenz.
AdminAccessList []*RequestInfo `yaml:"admin_access_list"`
// Whitelist represents the list of whitelist K8s webhook request patterns. These requests will always trigger requests to Athenz to do authorization check.
WhiteList []*RequestInfo `yaml:"white_list"`
// Blacklist represents the list of blacklist K8s webhook request patterns. These requests will always rejected by Garm directly.
BlackList []*RequestInfo `yaml:"black_list"`
}
Platform represents the mapping rules for each K8s request.
type RequestInfo ¶
type RequestInfo struct {
// Verb represents the K8s verb field inside K8s webhook request.
Verb string `yaml:"verb"`
// Namespace represents the K8s namespace field inside K8s webhook request.
Namespace string `yaml:"namespace"`
// APIGroup represents the K8s API Group field inside K8s webhook request.
APIGroup string `yaml:"api_group"`
// Resource represents the K8s resource field inside K8s webhook request.
Resource string `yaml:"resource"`
// Name represents the K8s resource name field inside K8s webhook request.
Name string `yaml:"name"`
// contains filtered or unexported fields
}
RequestInfo represents the rule of the K8s webhook request.
func (*RequestInfo) Match ¶
func (r *RequestInfo) Match(req RequestInfo) bool
Match checks if the given RequestInfo matches with the regular expression in this RequestInfo. 1. r.Serialize() 2. replace `* => .*` 3. replace `..* => .*` return is regexp match
func (*RequestInfo) Serialize ¶
func (r *RequestInfo) Serialize() string
Serialize returns RequestInfo in string, separated by the delimiter.
type Server ¶
type Server struct {
// Port represents webhook server port.
Port int `yaml:"port"`
// HealthzPort represents health check server port.
HealthzPort int `yaml:"health_check_port"`
// HealthzPath represents the API path (pattern) for health check server.
HealthzPath string `yaml:"health_check_path"`
// Timeout represents the maximum webhook server request handling duration.
Timeout string `yaml:"timeout"`
// ShutdownDuration represents the maximum shutdown duration.
ShutdownDuration string `yaml:"shutdown_duration"`
// ProbeWaitTime represents the pause duration before shutting down webhook server after health check server shutdown.
ProbeWaitTime string `yaml:"probe_wait_time"`
// TLS represents the TLS configuration for webhook server.
TLS TLS `yaml:"tls"`
}
Server represents webhook server and health check server configuration.
type TLD ¶
type TLD struct {
// Name represents the top level domain name.
Name string `yaml:"name"`
// Platform represents the mapping rules for each K8s request.
Platform Platform `yaml:"platform"`
}
TLD represents the mapping rules for each Top Level Domain.
type TLS ¶
type TLS struct {
// Enable represents the webhook server enable TLS or not.
Enabled bool `yaml:"enabled"`
// Cert represents the certificate file path of webhook server.
Cert string `yaml:"cert"`
// Key represents the private key file path of webhook server certificate.
Key string `yaml:"key"`
// CA represents the CA certificates file path for verifying clients connecting to webhook server.
CA string `yaml:"ca"`
}
TLS represents the TLS configuration for webhook server.
type Token ¶
type Token struct {
// AthenzDomain represents the Athenz domain value to generate the n-token.
AthenzDomain string `yaml:"athenz_domain"`
// ServiceName represents the Athenz service name value to generate the n-token.
ServiceName string `yaml:"service_name"`
// NTokenPath represents the n-token path. Only for Copper Argos.
NTokenPath string `yaml:"ntoken_path"`
// PrivateKey represents the private key file path for signing the n-token.
PrivateKey string `yaml:"private_key"`
// ValidateToken represents should validate the token or not. Set true when NTokenPath is set.
ValidateToken bool `yaml:"validate_token"`
// RefreshDuration represents the token refresh duration, no matter it is generated, or it is get from the token file (Copper Argos).
RefreshDuration string `yaml:"refresh_duration"`
// KeyVersion represents the key version of the n-token.
KeyVersion string `yaml:"key_version"`
// Expiration represents the duration of the expiration.
Expiration string `yaml:"expiration"`
}
Token represents the token generation details or the n-token file for Copper Argos.
Source Files
Click to show internal directories.
Click to hide internal directories.