Documentation ¶
Overview ¶
Package config defines all the configuration parameters. It reads configuration from environment variables and command-line arguments.
Index ¶
- Variables
- type CopperArgosMode
- type DerivedK8sSecretBackup
- type DerivedRoleCert
- type DerivedServiceCert
- type DerivedTargetDomainRoles
- type DerivedTokenFile
- type DerivedTokenServer
- type DomainRole
- type HeaderTokenMode
- type IdentityConfig
- type LocalCertMode
- type RestAPIMode
- type TLS
- type TokenFileConfig
Constants ¶
This section is empty.
Variables ¶
var (
	// default values for X.509 certificate signing request
	DEFAULT_COUNTRY             string
	DEFAULT_PROVINCE            string
	DEFAULT_ORGANIZATION        string
	DEFAULT_ORGANIZATIONAL_UNIT = "Athenz"

	// default values for role tokens and access tokens
	DEFAULT_TOKEN_REFRESH        = 30 * time.Minute
	DEFAULT_TOKEN_EXPIRY_RAW     = "0"
	DEFAULT_TOKEN_EXPIRY         = time.Duration(0)
	DEFAULT_TOKEN_SERVER_TIMEOUT = 3 * time.Second

	// DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES_RAW may be overwritten with the go build -X option
	// (e.g. "-X identity.DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES_RAW=5"); -X can only set string variables,
	// which is why the raw string exists beside the integer.
	DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES_RAW = "5"
	DEFAULT_ROLE_CERT_EXPIRY_TIME_BUFFER_MINUTES     = 5

	DEFAULT_ENDPOINT                        string
	DEFAULT_ROLE_AUTH_HEADER                = "Athenz-Role-Auth"
	DEFAULT_DNS_SUFFIX                      = "athenz.cloud"
	DEFAULT_ROLE_CERT_FILENAME_DELIMITER    = ":role."
	DEFAULT_ACCESS_TOKEN_FILENAME_DELIMITER = ":role."
	DEFAULT_ROLE_TOKEN_FILENAME_DELIMITER   = ":role."
	DEFAULT_INTERMEDIATE_CERT_BUNDLE        string

	// default values for graceful shutdown
	DEFAULT_SHUTDOWN_TIMEOUT = 5 * time.Second
	DEFAULT_SHUTDOWN_DELAY   = time.Duration(0)

	// default maximum elapsed time on initialization
	DEFAULT_MAX_ELAPSED_TIME_ON_INIT = 1 * time.Minute
)
var (
	// VERSION holds the SIA version, provided by the -X build argument in go build
	VERSION string
	// BUILD_DATE holds the SIA build date, provided by the -X build argument in go build
	BUILD_DATE string
	// APP_NAME holds the binary name, taken from the command line
	APP_NAME = filepath.Base(os.Args[0])
	// USER_AGENT holds the User-Agent header value, computed on package loading
	USER_AGENT = fmt.Sprintf("%s/%s", APP_NAME, VERSION)
)
var ErrHelp = flag.ErrHelp
var ErrVersion = errors.New("flag: version requested")
Functions ¶
This section is empty.
Types ¶
type CopperArgosMode ¶ added in v3.3.0
type DerivedK8sSecretBackup ¶ added in v3.3.0
type DerivedK8sSecretBackup struct {
	Use      bool
	UseRead  bool
	UseWrite bool
	Secret   string // Secret name that your service cert is stored in
	// Ns string // Namespace that your Secret is stored in
	Raw string // Raw string of the backup config: "", "read", "write", "read,write"; used for log purposes only
}
type DerivedRoleCert ¶ added in v3.3.0
type DerivedRoleCert struct {
	Use               bool         // whether fetching role certificates is enabled (de facto standard)
	TargetDomainRoles []DomainRole // domain roles to fetch role certificates for
	Format            string       // format for role certificate file output (e.g. /var/run/athenz/rolecerts/{{domain}}:role.{{role}}.cert.pem)
	// format for role certificate key file output (e.g. /var/run/athenz/rolecerts/{{domain}}:role.{{role}}.key.pem);
	// empty "" means the separate key file output feature is disabled.
	KeyFormat string
	Delimiter string // delimiter separating domain and role name in the file name
}
type DerivedServiceCert ¶ added in v3.3.0
type DerivedServiceCert struct {
	CopperArgos CopperArgosMode
	LocalCert   LocalCertMode // use a 3rd-party provided service cert instead of CopperArgos
}
type DerivedTargetDomainRoles ¶ added in v3.3.0
type DerivedTargetDomainRoles struct {
// contains filtered or unexported fields
}
type DerivedTokenFile ¶ added in v3.3.0
type DerivedTokenFile struct {
	AccessToken TokenFileConfig
	RoleToken   TokenFileConfig
}
type DerivedTokenServer ¶ added in v3.3.0
type DerivedTokenServer struct {
	Use             bool            // whether to use the token server
	HeaderToken     HeaderTokenMode // header token mode configuration
	RestAPI         RestAPIMode     // REST API mode configuration
	Addr            string          // token server address
	ShutdownDelay   time.Duration   // shutdown delay for gracefully shutting down the token server
	ShutdownTimeout time.Duration   // shutdown timeout for gracefully shutting down the token server
	ServerTimeout   time.Duration   // timeout for receiving a request from a tenant and sending a response
	TLS             TLS             // TLS configuration for the token server
}
type DomainRole ¶
func (DomainRole) String ¶
func (dr DomainRole) String() string
type HeaderTokenMode ¶ added in v3.3.0
HeaderTokenMode is a mode that exchanges information such as domain and role tokens with tenants by attaching them to the request and response headers. TODO: Consider whether there is a better name for the struct.
type IdentityConfig ¶
type IdentityConfig struct {
	Init                   bool
	Endpoint               string
	DNSSuffix              string
	Refresh                time.Duration
	DelayJitterSeconds     int64
	KeyFile                string
	CertFile               string
	CaCertFile             string
	IntermediateCertBundle string
	Namespace              string
	ServiceAccount         string
	SaTokenFile            string
	PodIP                  net.IP
	PodUID                 string
	PodName                string
	Reloader               *util.CertReloader
	ServerCACert           string
	K8sSecretBackup        DerivedK8sSecretBackup

	// ServiceCerts Derived State and its related fields:
	ServiceCert DerivedServiceCert

	TokenTargetDomainRoles []DomainRole // TODO: Will be migrated into DerivedTargetDomainRoles

	// RoleCerts Derived State and its related fields:
	RoleCert DerivedRoleCert

	// Token Cache Derived State and its related fields:
	TokenFile DerivedTokenFile

	// Token Server Derived State and its related fields:
	TokenServer DerivedTokenServer

	TokenRefresh        time.Duration
	TokenExpiry         time.Duration
	TokenType           string
	MetricsServerAddr   string
	HealthCheckAddr     string
	HealthCheckEndpoint string
	DeleteInstanceID    bool
	LogDir              string
	LogLevel            string
	// contains filtered or unexported fields
}
IdentityConfig from cmd line args
func DefaultIdentityConfig ¶
func DefaultIdentityConfig() *IdentityConfig
func LoadConfig ¶
func LoadConfig(program string, args []string) (*IdentityConfig, error)
LoadConfig reads from ENV and args, and then returns an IdentityConfig object (precedence: args > ENV > default).
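The precedence rule args > ENV > default is easy to state and easy to get subtly wrong (for instance by letting an empty or malformed environment value silently reinstate a default). The following added example shows one way to implement it in Go for a handful of IdentityConfig-like fields; it is not the project's LoadConfig. The environment variable names (SIA_ENDPOINT, SIA_DNS_SUFFIX, SIA_REFRESH, SIA_TOKEN_EXPIRY), the flag names, and the 24h refresh default are assumptions; the DNS suffix default and the ErrHelp/ErrVersion sentinels mirror the variables on this page. getenv is injected so the loader can be exercised without touching the real process environment.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
	"time"
)

// Sentinel errors mirroring config.ErrHelp and config.ErrVersion on the page.
var (
	ErrHelp    = flag.ErrHelp
	ErrVersion = errors.New("flag: version requested")
)

// Config is a deliberately small stand-in for IdentityConfig (assumption:
// only the fields needed to show the precedence rule are modeled).
type Config struct {
	Endpoint    string
	DNSSuffix   string
	Refresh     time.Duration
	TokenExpiry time.Duration
	Version     bool
}

// loadConfig resolves each setting in three layers: built-in default, then
// ENV, then command-line args. Args win over ENV because each flag is
// registered with its already env-resolved value as the flag default, and
// flag.Parse only overwrites that when the flag is actually present.
func loadConfig(program string, args []string, getenv func(string) string) (*Config, error) {
	// Layer 1: defaults (DNSSuffix follows DEFAULT_DNS_SUFFIX; Refresh is assumed).
	cfg := &Config{
		DNSSuffix:   "athenz.cloud",
		Refresh:     24 * time.Hour,
		TokenExpiry: 0,
	}

	// Layer 2: ENV. Unset or empty keeps the default; set but unparsable is an
	// error rather than a silent fallback, so a typo in a deployment manifest
	// cannot quietly reinstate a default expiry or refresh.
	if v := getenv("SIA_ENDPOINT"); v != "" {
		cfg.Endpoint = v
	}
	if v := getenv("SIA_DNS_SUFFIX"); v != "" {
		cfg.DNSSuffix = v
	}
	var err error
	if v := getenv("SIA_REFRESH"); v != "" {
		if cfg.Refresh, err = time.ParseDuration(v); err != nil {
			return nil, fmt.Errorf("SIA_REFRESH: %w", err)
		}
	}
	if v := getenv("SIA_TOKEN_EXPIRY"); v != "" {
		if cfg.TokenExpiry, err = time.ParseDuration(v); err != nil {
			return nil, fmt.Errorf("SIA_TOKEN_EXPIRY: %w", err)
		}
	}

	// Layer 3: args. ContinueOnError turns -h/--help into flag.ErrHelp instead
	// of calling os.Exit inside a library function.
	fs := flag.NewFlagSet(program, flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	fs.StringVar(&cfg.Endpoint, "endpoint", cfg.Endpoint, "Athenz ZTS endpoint URL")
	fs.StringVar(&cfg.DNSSuffix, "dns-suffix", cfg.DNSSuffix, "DNS suffix for the service SAN")
	fs.DurationVar(&cfg.Refresh, "refresh", cfg.Refresh, "service certificate refresh interval")
	fs.DurationVar(&cfg.TokenExpiry, "token-expiry", cfg.TokenExpiry, "requested token expiry (0 = server default)")
	fs.BoolVar(&cfg.Version, "version", false, "print version and exit")
	if err := fs.Parse(args); err != nil {
		return nil, err // flag.ErrHelp when help was requested
	}
	if cfg.Version {
		return nil, ErrVersion
	}

	// Validation runs on the final merged value, whichever layer supplied it.
	if cfg.Endpoint == "" {
		return nil, errors.New("endpoint is required (flag -endpoint or SIA_ENDPOINT)")
	}
	if cfg.Refresh <= 0 {
		return nil, errors.New("refresh must be positive")
	}
	return cfg, nil
}

func main() {
	cfg, err := loadConfig(os.Args[0], os.Args[1:], os.Getenv)
	switch {
	case errors.Is(err, ErrHelp), errors.Is(err, ErrVersion):
		fmt.Println(err)
		return
	case err != nil:
		fmt.Println("config error:", err)
		os.Exit(2)
	}
	fmt.Printf("%+v\n", *cfg)
}
```

Returning the sentinels instead of exiting lets the caller decide what to print, which is also why the flag set's own output is discarded.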
type LocalCertMode ¶ added in v3.3.0
type LocalCertMode struct {
Use bool
}
type RestAPIMode ¶ added in v3.3.0
type RestAPIMode struct {
Use bool
}
RestAPIMode is a mode that exchanges information such as domain and role tokens with tenants by attaching them to the POST request and response body.
type TLS ¶ added in v3.3.0
TLS is a struct that summarizes the configuration details for enabling TLS communication between tenants and SIA.