config: Update yaml tags (#394)

* Add/update yaml tags for Options and Policy

config/options.go

@@ -34,136 +34,136 @@ const DefaultAlternativeAddr = ":5443"
 // Use NewXXXOptions() methods for a safely initialized data structure.
 type Options struct {
 	// Debug outputs human-readable logs to Stdout.
-	Debug bool `mapstructure:"pomerium_debug"`
+	Debug bool `mapstructure:"pomerium_debug" yaml:"pomerium_debug,omitempty"`
 
 	// LogLevel sets the global override for log level. All Loggers will use at least this value.
 	// Possible options are "info","warn", and "error". Defaults to "debug".
-	LogLevel string `mapstructure:"log_level"`
+	LogLevel string `mapstructure:"log_level" yaml:"log_level,omitempty"`
 
 	// SharedKey is the shared secret authorization key used to mutually authenticate
 	// requests between services.
-	SharedKey string `mapstructure:"shared_secret"`
+	SharedKey string `mapstructure:"shared_secret" yaml:"shared_secret,omitempty"`
 
 	// Services is a list enabled service mode. If none are selected, "all" is used.
 	// Available options are : "all", "authenticate", "proxy".
-	Services string `mapstructure:"services"`
+	Services string `mapstructure:"services" yaml:"services,omitempty"`
 
 	// Addr specifies the host and port on which the server should serve
 	// HTTPS requests. If empty, ":443" (localhost:443) is used.
-	Addr string `mapstructure:"address"`
+	Addr string `mapstructure:"address" yaml:"address,omitempty"`
 
 	// InsecureServer when enabled disables all transport security.
 	// In this mode, Pomerium is susceptible to man-in-the-middle attacks.
 	// This should be used only for testing.
-	InsecureServer bool `mapstructure:"insecure_server"`
+	InsecureServer bool `mapstructure:"insecure_server" yaml:"insecure_server,omitempty"`
 
 	// Cert and Key is the x509 certificate used to hydrate TLSCertificate
-	Cert string `mapstructure:"certificate"`
+	Cert string `mapstructure:"certificate" yaml:"certificate,omitempty"`
-	Key  string `mapstructure:"certificate_key"`
+	Key  string `mapstructure:"certificate_key" yaml:"certificate_key,omitempty"`
 
 	// CertFile and KeyFile is the x509 certificate used to hydrate TLSCertificate
-	CertFile string `mapstructure:"certificate_file"`
+	CertFile string `mapstructure:"certificate_file" yaml:"certificate_file,omitempty"`
-	KeyFile  string `mapstructure:"certificate_key_file"`
+	KeyFile  string `mapstructure:"certificate_key_file" yaml:"certificate_key_file,omitempty"`
 
 	// TLSCertificate is the hydrated tls.Certificate.
 	TLSCertificate *tls.Certificate
 
 	// HttpRedirectAddr, if set, specifies the host and port to run the HTTP
 	// to HTTPS redirect server on. If empty, no redirect server is started.
-	HTTPRedirectAddr string `mapstructure:"http_redirect_addr"`
+	HTTPRedirectAddr string `mapstructure:"http_redirect_addr" yaml:"http_redirect_addr,omitempty"`
 
 	// Timeout settings : https://github.com/pomerium/pomerium/issues/40
-	ReadTimeout       time.Duration `mapstructure:"timeout_read"`
+	ReadTimeout       time.Duration `mapstructure:"timeout_read" yaml:"timeout_read,omitempty"`
-	WriteTimeout      time.Duration `mapstructure:"timeout_write"`
+	WriteTimeout      time.Duration `mapstructure:"timeout_write" yaml:"timeout_write,omitempty"`
-	ReadHeaderTimeout time.Duration `mapstructure:"timeout_read_header"`
+	ReadHeaderTimeout time.Duration `mapstructure:"timeout_read_header" yaml:"timeout_read_header,omitempty"`
-	IdleTimeout       time.Duration `mapstructure:"timeout_idle"`
+	IdleTimeout       time.Duration `mapstructure:"timeout_idle" yaml:"timeout_idle,omitempty"`
 
 	// Policies define per-route configuration and access control policies.
 	Policies   []Policy
 	PolicyEnv  string
-	PolicyFile string `mapstructure:"policy_file"`
+	PolicyFile string `mapstructure:"policy_file" yaml:"policy_file,omitempty"`
 
 	// AuthenticateURL represents the externally accessible http endpoints
 	// used for authentication requests and callbacks
-	AuthenticateURLString string `mapstructure:"authenticate_service_url"`
+	AuthenticateURLString string `mapstructure:"authenticate_service_url" yaml:"authenticate_service_url,omitempty"`
 	AuthenticateURL       *url.URL
 
 	// Session/Cookie management
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
-	CookieName     string        `mapstructure:"cookie_name"`
+	CookieName     string        `mapstructure:"cookie_name" yaml:"cookie_name,omitempty"`
-	CookieSecret   string        `mapstructure:"cookie_secret"`
+	CookieSecret   string        `mapstructure:"cookie_secret" yaml:"cookie_secret,omitempty"`
-	CookieDomain   string        `mapstructure:"cookie_domain"`
+	CookieDomain   string        `mapstructure:"cookie_domain" yaml:"cookie_domain,omitempty"`
-	CookieSecure   bool          `mapstructure:"cookie_secure"`
+	CookieSecure   bool          `mapstructure:"cookie_secure" yaml:"cookie_secure,omitempty"`
-	CookieHTTPOnly bool          `mapstructure:"cookie_http_only"`
+	CookieHTTPOnly bool          `mapstructure:"cookie_http_only" yaml:"cookie_http_only,omitempty"`
-	CookieExpire   time.Duration `mapstructure:"cookie_expire"`
+	CookieExpire   time.Duration `mapstructure:"cookie_expire" yaml:"cookie_expire,omitempty"`
-	CookieRefresh  time.Duration `mapstructure:"cookie_refresh"`
+	CookieRefresh  time.Duration `mapstructure:"cookie_refresh" yaml:"cookie_refresh,omitempty"`
 
 	// Identity provider configuration variables as specified by RFC6749
 	// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
-	ClientID       string   `mapstructure:"idp_client_id"`
+	ClientID       string   `mapstructure:"idp_client_id" yaml:"idp_client_id,omitempty"`
-	ClientSecret   string   `mapstructure:"idp_client_secret"`
+	ClientSecret   string   `mapstructure:"idp_client_secret" yaml:"idp_client_secret,omitempty"`
-	Provider       string   `mapstructure:"idp_provider"`
+	Provider       string   `mapstructure:"idp_provider" yaml:"idp_provider,omitempty"`
-	ProviderURL    string   `mapstructure:"idp_provider_url"`
+	ProviderURL    string   `mapstructure:"idp_provider_url" yaml:"idp_provider_url,omitempty"`
-	Scopes         []string `mapstructure:"idp_scopes"`
+	Scopes         []string `mapstructure:"idp_scopes" yaml:"idp_scopes,omitempty"`
-	ServiceAccount string   `mapstructure:"idp_service_account"`
+	ServiceAccount string   `mapstructure:"idp_service_account" yaml:"idp_service_account,omitempty"`
 
 	// Administrators contains a set of emails with users who have super user
 	// (sudo) access including the ability to impersonate other users' access
-	Administrators []string `mapstructure:"administrators"`
+	Administrators []string `mapstructure:"administrators" yaml:"administrators,omitempty"`
 
 	// AuthorizeURL is the routable destination of the authorize service's
 	// gRPC endpoint. NOTE: As many load balancers do not support
 	// externally routed gRPC so this may be an internal location.
-	AuthorizeURLString string `mapstructure:"authorize_service_url"`
+	AuthorizeURLString string `mapstructure:"authorize_service_url" yaml:"authorize_service_url,omitempty"`
 	AuthorizeURL       *url.URL
 
 	// Settings to enable custom behind-the-ingress service communication
-	OverrideCertificateName string `mapstructure:"override_certificate_name"`
+	OverrideCertificateName string `mapstructure:"override_certificate_name" yaml:"override_certificate_name,omitempty"`
-	CA                      string `mapstructure:"certificate_authority"`
+	CA                      string `mapstructure:"certificate_authority" yaml:"certificate_authority,omitempty"`
-	CAFile                  string `mapstructure:"certificate_authority_file"`
+	CAFile                  string `mapstructure:"certificate_authority_file" yaml:"certificate_authority_file,omitempty"`
 
 	// SigningKey is the private key used to add a JWT-signature.
 	// https://www.pomerium.io/docs/signed-headers.html
-	SigningKey string `mapstructure:"signing_key"`
+	SigningKey string `mapstructure:"signing_key" yaml:"signing_key,omitempty"`
 
 	// Headers to set on all proxied requests. Add a 'disable' key map to turn off.
 	HeadersEnv string
 	Headers    map[string]string
 
 	// RefreshCooldown limits the rate a user can refresh her session
-	RefreshCooldown time.Duration `mapstructure:"refresh_cooldown"`
+	RefreshCooldown time.Duration `mapstructure:"refresh_cooldown" yaml:"refresh_cooldown,omitempty"`
 
-	//Routes                 map[string]string `mapstructure:"routes"`
+	//Routes                 map[string]string `mapstructure:"routes" yaml:"routes,omitempty"`
-	DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout"`
+	DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`
 
 	// Address/Port to bind to for prometheus metrics
-	MetricsAddr string `mapstructure:"metrics_address"`
+	MetricsAddr string `mapstructure:"metrics_address" yaml:"metrics_address,omitempty"`
 
 	// Tracing shared settings
-	TracingProvider string `mapstructure:"tracing_provider"`
+	TracingProvider string `mapstructure:"tracing_provider" yaml:"tracing_provider,omitempty"`
-	TracingDebug    bool   `mapstructure:"tracing_debug"`
+	TracingDebug    bool   `mapstructure:"tracing_debug" yaml:"tracing_debug,omitempty"`
 
 	//  Jaeger
 	//
 	// CollectorEndpoint is the full url to the Jaeger HTTP Thrift collector.
 	// For example, http://localhost:14268/api/traces
-	TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint"`
+	TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint" yaml:"tracing_jaeger_collector_endpoint,omitempty"`
 	// AgentEndpoint instructs exporter to send spans to jaeger-agent at this address.
 	// For example, localhost:6831.
-	TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint"`
+	TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint" yaml:"tracing_jaeger_agent_endpoint,omitempty"`
 
 	// GRPC Service Settings
 
 	// GRPCAddr specifies the host and port on which the server should serve
 	// gRPC requests. If running in all-in-one mode, ":5443" (localhost:5443) is used.
-	GRPCAddr string `mapstructure:"grpc_address"`
+	GRPCAddr string `mapstructure:"grpc_address" yaml:"grpc_address,omitempty"`
 
 	// GRPCInsecure disables transport security.
 	// If running in all-in-one mode, defaults to true.
-	GRPCInsecure bool `mapstructure:"grpc_insecure"`
+	GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
 
-	GRPCClientTimeout       time.Duration `mapstructure:"grpc_client_timeout"`
+	GRPCClientTimeout       time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
-	GRPCClientDNSRoundRobin bool          `mapstructure:"grpc_client_dns_roundrobin"`
+	GRPCClientDNSRoundRobin bool          `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
 
 	// ForwardAuthEndpoint allows for a given route to be used as a forward-auth
 	// endpoint instead of a reverse proxy. Some third-party proxies that do not
@@ -171,7 +171,7 @@ type Options struct {
 	// allow you to delegate and authenticate each request to your website
 	// with an external server or service. Pomerium can be configured to accept
 	// these requests with this switch
-	ForwardAuthURLString string `mapstructure:"forward_auth_url"`
+	ForwardAuthURLString string `mapstructure:"forward_auth_url" yaml:"forward_auth_url,omitempty"`
 	ForwardAuthURL       *url.URL
 
 	viper *viper.Viper

config/policy.go

@@ -16,27 +16,27 @@ type Policy struct {
 	From string `mapstructure:"from" yaml:"from"`
 	To   string `mapstructure:"to" yaml:"to"`
 	// Identity related policy
-	AllowedEmails  []string `mapstructure:"allowed_users" yaml:"allowed_users"`
+	AllowedEmails  []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty"`
-	AllowedGroups  []string `mapstructure:"allowed_groups" yaml:"allowed_groups"`
+	AllowedGroups  []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty"`
-	AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains"`
+	AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty"`
 
 	Source      *url.URL
 	Destination *url.URL
 
 	// Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
-	CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight"`
+	CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`
 
 	// Allow any public request to access this route. **Bypasses authentication**
-	AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access"`
+	AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`
 
 	// UpstreamTimeout is the route specific timeout. Must be less than the global
 	// timeout. If unset,  route will fallback to the proxy's DefaultUpstreamTimeout.
-	UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout"`
+	UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`
 
 	// Enable proxying of websocket connections by removing the default timeout handler.
 	// Caution: Enabling this feature could result in abuse via DOS attacks.
-	AllowWebsockets bool `mapstructure:"allow_websockets"  yaml:"allow_websockets"`
+	AllowWebsockets bool `mapstructure:"allow_websockets"  yaml:"allow_websockets,omitempty"`
 
 	// TLSSkipVerify controls whether a client verifies the server's certificate
 	// chain and host name.
@@ -44,32 +44,32 @@ type Policy struct {
 	// server and any host name in that certificate.
 	// In this mode, TLS is susceptible to man-in-the-middle attacks.
 	// This should be used only for testing.
-	TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify"`
+	TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`
 
 	// TLSServerName overrides the hostname in the `to` field. This is useful
 	// if your backend is an HTTPS server with a valid certificate, but you
 	// want to communicate to the backend with an internal hostname (e.g.
 	// Docker container name).
-	TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name"`
+	TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
 
 	// TLSCustomCA defines the  root certificate to use with a given
 	// route when verifying server certificates.
-	TLSCustomCA     string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca"`
+	TLSCustomCA     string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
-	TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file"`
+	TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`
 	RootCAs         *x509.CertPool
 
 	// Contains the x.509 client certificate to to present to the downstream
 	// host.
-	TLSClientCert     string `mapstructure:"tls_client_cert" yaml:"tls_client_cert"`
+	TLSClientCert     string `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
-	TLSClientKey      string `mapstructure:"tls_client_key" yaml:"tls_client_key"`
+	TLSClientKey      string `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
-	TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file"`
+	TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
-	TLSClientKeyFile  string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file"`
+	TLSClientKeyFile  string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
 	ClientCertificate *tls.Certificate
 
 	// SetRequestHeaders adds a collection of headers to the downstream request
 	// in the form of key value pairs. Note bene, this will overwrite the
 	// value of any existing value of a given header key.
-	SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers"`
+	SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`
 }
 
 // Validate checks the validity of a policy.

docs/docs/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## vUnreleased
+
+### New
+
+### Changed
+
+- Added yaml tags to all options structs [GH-394](https://github.com/pomerium/pomerium/pull/394)
+
 ## v0.5.0
 
 ### New