diff --git a/config/options.go b/config/options.go
index 5e3273b40..30cef2585 100644
--- a/config/options.go
+++ b/config/options.go
@@ -34,136 +34,136 @@ const DefaultAlternativeAddr = ":5443"
 // Use NewXXXOptions() methods for a safely initialized data structure.
 type Options struct {
 // Debug outputs human-readable logs to Stdout.
- Debug bool `mapstructure:"pomerium_debug"`
+ Debug bool `mapstructure:"pomerium_debug" yaml:"pomerium_debug,omitempty"`
 // LogLevel sets the global override for log level. All Loggers will use at least this value.
 // Possible options are "info","warn", and "error". Defaults to "debug".
- LogLevel string `mapstructure:"log_level"`
+ LogLevel string `mapstructure:"log_level" yaml:"log_level,omitempty"`
 // SharedKey is the shared secret authorization key used to mutually authenticate
 // requests between services.
- SharedKey string `mapstructure:"shared_secret"`
+ SharedKey string `mapstructure:"shared_secret" yaml:"shared_secret,omitempty"`
 // Services is a list enabled service mode. If none are selected, "all" is used.
 // Available options are : "all", "authenticate", "proxy".
- Services string `mapstructure:"services"`
+ Services string `mapstructure:"services" yaml:"services,omitempty"`
 // Addr specifies the host and port on which the server should serve
 // HTTPS requests. If empty, ":443" (localhost:443) is used.
- Addr string `mapstructure:"address"`
+ Addr string `mapstructure:"address" yaml:"address,omitempty"`
 // InsecureServer when enabled disables all transport security.
 // In this mode, Pomerium is susceptible to man-in-the-middle attacks.
 // This should be used only for testing.
- InsecureServer bool `mapstructure:"insecure_server"`
+ InsecureServer bool `mapstructure:"insecure_server" yaml:"insecure_server,omitempty"`
 // Cert and Key is the x509 certificate used to hydrate TLSCertificate
- Cert string `mapstructure:"certificate"`
- Key string `mapstructure:"certificate_key"`
+ Cert string `mapstructure:"certificate" yaml:"certificate,omitempty"`
+ Key string `mapstructure:"certificate_key" yaml:"certificate_key,omitempty"`
 // CertFile and KeyFile is the x509 certificate used to hydrate TLSCertificate
- CertFile string `mapstructure:"certificate_file"`
- KeyFile string `mapstructure:"certificate_key_file"`
+ CertFile string `mapstructure:"certificate_file" yaml:"certificate_file,omitempty"`
+ KeyFile string `mapstructure:"certificate_key_file" yaml:"certificate_key_file,omitempty"`
 // TLSCertificate is the hydrated tls.Certificate.
 TLSCertificate *tls.Certificate
 // HttpRedirectAddr, if set, specifies the host and port to run the HTTP
 // to HTTPS redirect server on. If empty, no redirect server is started.
- HTTPRedirectAddr string `mapstructure:"http_redirect_addr"`
+ HTTPRedirectAddr string `mapstructure:"http_redirect_addr" yaml:"http_redirect_addr,omitempty"`
 // Timeout settings : https://github.com/pomerium/pomerium/issues/40
- ReadTimeout time.Duration `mapstructure:"timeout_read"`
- WriteTimeout time.Duration `mapstructure:"timeout_write"`
- ReadHeaderTimeout time.Duration `mapstructure:"timeout_read_header"`
- IdleTimeout time.Duration `mapstructure:"timeout_idle"`
+ ReadTimeout time.Duration `mapstructure:"timeout_read" yaml:"timeout_read,omitempty"`
+ WriteTimeout time.Duration `mapstructure:"timeout_write" yaml:"timeout_write,omitempty"`
+ ReadHeaderTimeout time.Duration `mapstructure:"timeout_read_header" yaml:"timeout_read_header,omitempty"`
+ IdleTimeout time.Duration `mapstructure:"timeout_idle" yaml:"timeout_idle,omitempty"`
 // Policies define per-route configuration and access control policies.
 Policies []Policy
 PolicyEnv string
- PolicyFile string `mapstructure:"policy_file"`
+ PolicyFile string `mapstructure:"policy_file" yaml:"policy_file,omitempty"`
 // AuthenticateURL represents the externally accessible http endpoints
 // used for authentication requests and callbacks
- AuthenticateURLString string `mapstructure:"authenticate_service_url"`
+ AuthenticateURLString string `mapstructure:"authenticate_service_url" yaml:"authenticate_service_url,omitempty"`
 AuthenticateURL *url.URL
 // Session/Cookie management
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
- CookieName string `mapstructure:"cookie_name"`
- CookieSecret string `mapstructure:"cookie_secret"`
- CookieDomain string `mapstructure:"cookie_domain"`
- CookieSecure bool `mapstructure:"cookie_secure"`
- CookieHTTPOnly bool `mapstructure:"cookie_http_only"`
- CookieExpire time.Duration `mapstructure:"cookie_expire"`
- CookieRefresh time.Duration `mapstructure:"cookie_refresh"`
+ CookieName string `mapstructure:"cookie_name" yaml:"cookie_name,omitempty"`
+ CookieSecret string `mapstructure:"cookie_secret" yaml:"cookie_secret,omitempty"`
+ CookieDomain string `mapstructure:"cookie_domain" yaml:"cookie_domain,omitempty"`
+ CookieSecure bool `mapstructure:"cookie_secure" yaml:"cookie_secure,omitempty"`
+ CookieHTTPOnly bool `mapstructure:"cookie_http_only" yaml:"cookie_http_only,omitempty"`
+ CookieExpire time.Duration `mapstructure:"cookie_expire" yaml:"cookie_expire,omitempty"`
+ CookieRefresh time.Duration `mapstructure:"cookie_refresh" yaml:"cookie_refresh,omitempty"`
 // Identity provider configuration variables as specified by RFC6749
 // https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
- ClientID string `mapstructure:"idp_client_id"`
- ClientSecret string `mapstructure:"idp_client_secret"`
- Provider string `mapstructure:"idp_provider"`
- ProviderURL string `mapstructure:"idp_provider_url"`
- Scopes []string `mapstructure:"idp_scopes"`
- ServiceAccount string `mapstructure:"idp_service_account"`
+ ClientID string `mapstructure:"idp_client_id" yaml:"idp_client_id,omitempty"`
+ ClientSecret string `mapstructure:"idp_client_secret" yaml:"idp_client_secret,omitempty"`
+ Provider string `mapstructure:"idp_provider" yaml:"idp_provider,omitempty"`
+ ProviderURL string `mapstructure:"idp_provider_url" yaml:"idp_provider_url,omitempty"`
+ Scopes []string `mapstructure:"idp_scopes" yaml:"idp_scopes,omitempty"`
+ ServiceAccount string `mapstructure:"idp_service_account" yaml:"idp_service_account,omitempty"`
 // Administrators contains a set of emails with users who have super user
 // (sudo) access including the ability to impersonate other users' access
- Administrators []string `mapstructure:"administrators"`
+ Administrators []string `mapstructure:"administrators" yaml:"administrators,omitempty"`
 // AuthorizeURL is the routable destination of the authorize service's
 // gRPC endpoint. NOTE: As many load balancers do not support
 // externally routed gRPC so this may be an internal location.
- AuthorizeURLString string `mapstructure:"authorize_service_url"`
+ AuthorizeURLString string `mapstructure:"authorize_service_url" yaml:"authorize_service_url,omitempty"`
 AuthorizeURL *url.URL
 // Settings to enable custom behind-the-ingress service communication
- OverrideCertificateName string `mapstructure:"override_certificate_name"`
- CA string `mapstructure:"certificate_authority"`
- CAFile string `mapstructure:"certificate_authority_file"`
+ OverrideCertificateName string `mapstructure:"override_certificate_name" yaml:"override_certificate_name,omitempty"`
+ CA string `mapstructure:"certificate_authority" yaml:"certificate_authority,omitempty"`
+ CAFile string `mapstructure:"certificate_authority_file" yaml:"certificate_authority_file,omitempty"`
 // SigningKey is the private key used to add a JWT-signature.
 // https://www.pomerium.io/docs/signed-headers.html
- SigningKey string `mapstructure:"signing_key"`
+ SigningKey string `mapstructure:"signing_key" yaml:"signing_key,omitempty"`
 // Headers to set on all proxied requests. Add a 'disable' key map to turn off.
 HeadersEnv string
 Headers map[string]string
 // RefreshCooldown limits the rate a user can refresh her session
- RefreshCooldown time.Duration `mapstructure:"refresh_cooldown"`
+ RefreshCooldown time.Duration `mapstructure:"refresh_cooldown" yaml:"refresh_cooldown,omitempty"`
- //Routes map[string]string `mapstructure:"routes"`
- DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout"`
+ //Routes map[string]string `mapstructure:"routes" yaml:"routes,omitempty"`
+ DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`
 // Address/Port to bind to for prometheus metrics
- MetricsAddr string `mapstructure:"metrics_address"`
+ MetricsAddr string `mapstructure:"metrics_address" yaml:"metrics_address,omitempty"`
 // Tracing shared settings
- TracingProvider string `mapstructure:"tracing_provider"`
- TracingDebug bool `mapstructure:"tracing_debug"`
+ TracingProvider string `mapstructure:"tracing_provider" yaml:"tracing_provider,omitempty"`
+ TracingDebug bool `mapstructure:"tracing_debug" yaml:"tracing_debug,omitempty"`
 // Jaeger
 //
 // CollectorEndpoint is the full url to the Jaeger HTTP Thrift collector.
 // For example, http://localhost:14268/api/traces
- TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint"`
+ TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint" yaml:"tracing_jaeger_collector_endpoint,omitempty"`
 // AgentEndpoint instructs exporter to send spans to jaeger-agent at this address.
 // For example, localhost:6831.
- TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint"`
+ TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint" yaml:"tracing_jaeger_agent_endpoint,omitempty"`
 // GRPC Service Settings
 // GRPCAddr specifies the host and port on which the server should serve
 // gRPC requests. If running in all-in-one mode, ":5443" (localhost:5443) is used.
- GRPCAddr string `mapstructure:"grpc_address"`
+ GRPCAddr string `mapstructure:"grpc_address" yaml:"grpc_address,omitempty"`
 // GRPCInsecure disables transport security.
 // If running in all-in-one mode, defaults to true.
- GRPCInsecure bool `mapstructure:"grpc_insecure"`
+ GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
- GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout"`
- GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin"`
+ GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
+ GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
 // ForwardAuthEndpoint allows for a given route to be used as a forward-auth
 // endpoint instead of a reverse proxy. Some third-party proxies that do not
@@ -171,7 +171,7 @@ type Options struct {
 // allow you to delegate and authenticate each request to your website
 // with an external server or service. Pomerium can be configured to accept
 // these requests with this switch
- ForwardAuthURLString string `mapstructure:"forward_auth_url"`
+ ForwardAuthURLString string `mapstructure:"forward_auth_url" yaml:"forward_auth_url,omitempty"`
 ForwardAuthURL *url.URL
 viper *viper.Viper
diff --git a/config/policy.go b/config/policy.go
index 148353b5d..ec27f3e12 100644
--- a/config/policy.go
+++ b/config/policy.go
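Review bot: The hydrated fields of Options (TLSCertificate, AuthenticateURL, AuthorizeURL, and ForwardAuthURL in the second hunk) are left without a yaml tag while every loaded setting now carries one, so a gopkg.in/yaml-style encoder would still emit them under their lowercased field names, with TLSCertificate exposing the parsed private key. If Options is meant to be marshalled, these should be tagged `yaml:"-"` so they are skipped on both encode and decode; the same applies to Source, Destination, RootCAs and ClientCertificate in the config/policy.go hunks. Note also that SharedKey, Key, CookieSecret, ClientSecret and SigningKey now serialise in plaintext, which matters if a populated Options is ever logged or written out for diagnostics. The commented-out `//Routes` line was edited along with the live fields; dropping it would be cleaner than maintaining a tag on dead code. The Options struct continues past the end of the first hunk.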
@@ -16,27 +16,27 @@ type Policy struct {
 From string `mapstructure:"from" yaml:"from"`
 To string `mapstructure:"to" yaml:"to"`
 // Identity related policy
- AllowedEmails []string `mapstructure:"allowed_users" yaml:"allowed_users"`
- AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups"`
- AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains"`
+ AllowedEmails []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty"`
+ AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty"`
+ AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty"`
 Source *url.URL
 Destination *url.URL
 // Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
- CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight"`
+ CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`
 // Allow any public request to access this route. **Bypasses authentication**
- AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access"`
+ AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`
 // UpstreamTimeout is the route specific timeout. Must be less than the global
 // timeout. If unset, route will fallback to the proxy's DefaultUpstreamTimeout.
- UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout"`
+ UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`
 // Enable proxying of websocket connections by removing the default timeout handler.
 // Caution: Enabling this feature could result in abuse via DOS attacks.
- AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets"`
+ AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets,omitempty"`
 // TLSSkipVerify controls whether a client verifies the server's certificate
 // chain and host name.
@@ -44,32 +44,32 @@ type Policy struct {
 // server and any host name in that certificate.
 // In this mode, TLS is susceptible to man-in-the-middle attacks.
 // This should be used only for testing.
- TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify"`
+ TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`
 // TLSServerName overrides the hostname in the `to` field. This is useful
 // if your backend is an HTTPS server with a valid certificate, but you
 // want to communicate to the backend with an internal hostname (e.g.
 // Docker container name).
- TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name"`
+ TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
 // TLSCustomCA defines the root certificate to use with a given
 // route when verifying server certificates.
- TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca"`
- TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file"`
+ TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
+ TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`
 RootCAs *x509.CertPool
 // Contains the x.509 client certificate to to present to the downstream
 // host.
- TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert"`
- TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key"`
- TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file"`
- TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file"`
+ TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
+ TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
+ TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
+ TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
 ClientCertificate *tls.Certificate
 // SetRequestHeaders adds a collection of headers to the downstream request
 // in the form of key value pairs. Note bene, this will overwrite the
 // value of any existing value of a given header key.
- SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers"`
+ SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`
 }
 // Validate checks the validity of a policy.
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 686d7171f..a05a45025 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
+## vUnreleased
+
+### New
+
+### Changed
+
+- Added yaml tags to all options structs [GH-394](https://github.com/pomerium/pomerium/pull/394)
+
 ## v0.5.0
 ### New