mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-23 13:08:13 +02:00
config: Update yaml tags (#394)
* Add/update yaml tags for Options and Policy
This commit is contained in:
Travis Groth
GitHub
parent
6743accd74
commit
8164cfd85a
3 changed files with 73 additions and 65 deletions
|
|
@ -34,136 +34,136 @@ const DefaultAlternativeAddr = ":5443"
|
|||
// Use NewXXXOptions() methods for a safely initialized data structure.
|
||||
type Options struct {
|
||||
// Debug outputs human-readable logs to Stdout.
|
||||
Debug bool `mapstructure:"pomerium_debug"`
|
||||
Debug bool `mapstructure:"pomerium_debug" yaml:"pomerium_debug,omitempty"`
|
||||
|
||||
// LogLevel sets the global override for log level. All Loggers will use at least this value.
|
||||
// Possible options are "info","warn", and "error". Defaults to "debug".
|
||||
LogLevel string `mapstructure:"log_level"`
|
||||
LogLevel string `mapstructure:"log_level" yaml:"log_level,omitempty"`
|
||||
|
||||
// SharedKey is the shared secret authorization key used to mutually authenticate
|
||||
// requests between services.
|
||||
SharedKey string `mapstructure:"shared_secret"`
|
||||
SharedKey string `mapstructure:"shared_secret" yaml:"shared_secret,omitempty"`
|
||||
|
||||
// Services is a list enabled service mode. If none are selected, "all" is used.
|
||||
// Available options are : "all", "authenticate", "proxy".
|
||||
Services string `mapstructure:"services"`
|
||||
Services string `mapstructure:"services" yaml:"services,omitempty"`
|
||||
|
||||
// Addr specifies the host and port on which the server should serve
|
||||
// HTTPS requests. If empty, ":443" (localhost:443) is used.
|
||||
Addr string `mapstructure:"address"`
|
||||
Addr string `mapstructure:"address" yaml:"address,omitempty"`
|
||||
|
||||
// InsecureServer when enabled disables all transport security.
|
||||
// In this mode, Pomerium is susceptible to man-in-the-middle attacks.
|
||||
// This should be used only for testing.
|
||||
InsecureServer bool `mapstructure:"insecure_server"`
|
||||
InsecureServer bool `mapstructure:"insecure_server" yaml:"insecure_server,omitempty"`
|
||||
|
||||
// Cert and Key is the x509 certificate used to hydrate TLSCertificate
|
||||
Cert string `mapstructure:"certificate"`
|
||||
Key string `mapstructure:"certificate_key"`
|
||||
Cert string `mapstructure:"certificate" yaml:"certificate,omitempty"`
|
||||
Key string `mapstructure:"certificate_key" yaml:"certificate_key,omitempty"`
|
||||
|
||||
// CertFile and KeyFile is the x509 certificate used to hydrate TLSCertificate
|
||||
CertFile string `mapstructure:"certificate_file"`
|
||||
KeyFile string `mapstructure:"certificate_key_file"`
|
||||
CertFile string `mapstructure:"certificate_file" yaml:"certificate_file,omitempty"`
|
||||
KeyFile string `mapstructure:"certificate_key_file" yaml:"certificate_key_file,omitempty"`
|
||||
|
||||
// TLSCertificate is the hydrated tls.Certificate.
|
||||
TLSCertificate *tls.Certificate
|
||||
|
||||
// HttpRedirectAddr, if set, specifies the host and port to run the HTTP
|
||||
// to HTTPS redirect server on. If empty, no redirect server is started.
|
||||
HTTPRedirectAddr string `mapstructure:"http_redirect_addr"`
|
||||
HTTPRedirectAddr string `mapstructure:"http_redirect_addr" yaml:"http_redirect_addr,omitempty"`
|
||||
|
||||
// Timeout settings : https://github.com/pomerium/pomerium/issues/40
|
||||
ReadTimeout time.Duration `mapstructure:"timeout_read"`
|
||||
WriteTimeout time.Duration `mapstructure:"timeout_write"`
|
||||
ReadHeaderTimeout time.Duration `mapstructure:"timeout_read_header"`
|
||||
IdleTimeout time.Duration `mapstructure:"timeout_idle"`
|
||||
ReadTimeout time.Duration `mapstructure:"timeout_read" yaml:"timeout_read,omitempty"`
|
||||
WriteTimeout time.Duration `mapstructure:"timeout_write" yaml:"timeout_write,omitempty"`
|
||||
ReadHeaderTimeout time.Duration `mapstructure:"timeout_read_header" yaml:"timeout_read_header,omitempty"`
|
||||
IdleTimeout time.Duration `mapstructure:"timeout_idle" yaml:"timeout_idle,omitempty"`
|
||||
|
||||
// Policies define per-route configuration and access control policies.
|
||||
Policies []Policy
|
||||
PolicyEnv string
|
||||
PolicyFile string `mapstructure:"policy_file"`
|
||||
PolicyFile string `mapstructure:"policy_file" yaml:"policy_file,omitempty"`
|
||||
|
||||
// AuthenticateURL represents the externally accessible http endpoints
|
||||
// used for authentication requests and callbacks
|
||||
AuthenticateURLString string `mapstructure:"authenticate_service_url"`
|
||||
AuthenticateURLString string `mapstructure:"authenticate_service_url" yaml:"authenticate_service_url,omitempty"`
|
||||
AuthenticateURL *url.URL
|
||||
|
||||
// Session/Cookie management
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
|
||||
CookieName string `mapstructure:"cookie_name"`
|
||||
CookieSecret string `mapstructure:"cookie_secret"`
|
||||
CookieDomain string `mapstructure:"cookie_domain"`
|
||||
CookieSecure bool `mapstructure:"cookie_secure"`
|
||||
CookieHTTPOnly bool `mapstructure:"cookie_http_only"`
|
||||
CookieExpire time.Duration `mapstructure:"cookie_expire"`
|
||||
CookieRefresh time.Duration `mapstructure:"cookie_refresh"`
|
||||
CookieName string `mapstructure:"cookie_name" yaml:"cookie_name,omitempty"`
|
||||
CookieSecret string `mapstructure:"cookie_secret" yaml:"cookie_secret,omitempty"`
|
||||
CookieDomain string `mapstructure:"cookie_domain" yaml:"cookie_domain,omitempty"`
|
||||
CookieSecure bool `mapstructure:"cookie_secure" yaml:"cookie_secure,omitempty"`
|
||||
CookieHTTPOnly bool `mapstructure:"cookie_http_only" yaml:"cookie_http_only,omitempty"`
|
||||
CookieExpire time.Duration `mapstructure:"cookie_expire" yaml:"cookie_expire,omitempty"`
|
||||
CookieRefresh time.Duration `mapstructure:"cookie_refresh" yaml:"cookie_refresh,omitempty"`
|
||||
|
||||
// Identity provider configuration variables as specified by RFC6749
|
||||
// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
|
||||
ClientID string `mapstructure:"idp_client_id"`
|
||||
ClientSecret string `mapstructure:"idp_client_secret"`
|
||||
Provider string `mapstructure:"idp_provider"`
|
||||
ProviderURL string `mapstructure:"idp_provider_url"`
|
||||
Scopes []string `mapstructure:"idp_scopes"`
|
||||
ServiceAccount string `mapstructure:"idp_service_account"`
|
||||
ClientID string `mapstructure:"idp_client_id" yaml:"idp_client_id,omitempty"`
|
||||
ClientSecret string `mapstructure:"idp_client_secret" yaml:"idp_client_secret,omitempty"`
|
||||
Provider string `mapstructure:"idp_provider" yaml:"idp_provider,omitempty"`
|
||||
ProviderURL string `mapstructure:"idp_provider_url" yaml:"idp_provider_url,omitempty"`
|
||||
Scopes []string `mapstructure:"idp_scopes" yaml:"idp_scopes,omitempty"`
|
||||
ServiceAccount string `mapstructure:"idp_service_account" yaml:"idp_service_account,omitempty"`
|
||||
|
||||
// Administrators contains a set of emails with users who have super user
|
||||
// (sudo) access including the ability to impersonate other users' access
|
||||
Administrators []string `mapstructure:"administrators"`
|
||||
Administrators []string `mapstructure:"administrators" yaml:"administrators,omitempty"`
|
||||
|
||||
// AuthorizeURL is the routable destination of the authorize service's
|
||||
// gRPC endpoint. NOTE: As many load balancers do not support
|
||||
// externally routed gRPC so this may be an internal location.
|
||||
AuthorizeURLString string `mapstructure:"authorize_service_url"`
|
||||
AuthorizeURLString string `mapstructure:"authorize_service_url" yaml:"authorize_service_url,omitempty"`
|
||||
AuthorizeURL *url.URL
|
||||
|
||||
// Settings to enable custom behind-the-ingress service communication
|
||||
OverrideCertificateName string `mapstructure:"override_certificate_name"`
|
||||
CA string `mapstructure:"certificate_authority"`
|
||||
CAFile string `mapstructure:"certificate_authority_file"`
|
||||
OverrideCertificateName string `mapstructure:"override_certificate_name" yaml:"override_certificate_name,omitempty"`
|
||||
CA string `mapstructure:"certificate_authority" yaml:"certificate_authority,omitempty"`
|
||||
CAFile string `mapstructure:"certificate_authority_file" yaml:"certificate_authority_file,omitempty"`
|
||||
|
||||
// SigningKey is the private key used to add a JWT-signature.
|
||||
// https://www.pomerium.io/docs/signed-headers.html
|
||||
SigningKey string `mapstructure:"signing_key"`
|
||||
SigningKey string `mapstructure:"signing_key" yaml:"signing_key,omitempty"`
|
||||
|
||||
// Headers to set on all proxied requests. Add a 'disable' key map to turn off.
|
||||
HeadersEnv string
|
||||
Headers map[string]string
|
||||
|
||||
// RefreshCooldown limits the rate a user can refresh her session
|
||||
RefreshCooldown time.Duration `mapstructure:"refresh_cooldown"`
|
||||
RefreshCooldown time.Duration `mapstructure:"refresh_cooldown" yaml:"refresh_cooldown,omitempty"`
|
||||
|
||||
//Routes map[string]string `mapstructure:"routes"`
|
||||
DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout"`
|
||||
//Routes map[string]string `mapstructure:"routes" yaml:"routes,omitempty"`
|
||||
DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`
|
||||
|
||||
// Address/Port to bind to for prometheus metrics
|
||||
MetricsAddr string `mapstructure:"metrics_address"`
|
||||
MetricsAddr string `mapstructure:"metrics_address" yaml:"metrics_address,omitempty"`
|
||||
|
||||
// Tracing shared settings
|
||||
TracingProvider string `mapstructure:"tracing_provider"`
|
||||
TracingDebug bool `mapstructure:"tracing_debug"`
|
||||
TracingProvider string `mapstructure:"tracing_provider" yaml:"tracing_provider,omitempty"`
|
||||
TracingDebug bool `mapstructure:"tracing_debug" yaml:"tracing_debug,omitempty"`
|
||||
|
||||
// Jaeger
|
||||
//
|
||||
// CollectorEndpoint is the full url to the Jaeger HTTP Thrift collector.
|
||||
// For example, http://localhost:14268/api/traces
|
||||
TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint"`
|
||||
TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint" yaml:"tracing_jaeger_collector_endpoint,omitempty"`
|
||||
// AgentEndpoint instructs exporter to send spans to jaeger-agent at this address.
|
||||
// For example, localhost:6831.
|
||||
TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint"`
|
||||
TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint" yaml:"tracing_jaeger_agent_endpoint,omitempty"`
|
||||
|
||||
// GRPC Service Settings
|
||||
|
||||
// GRPCAddr specifies the host and port on which the server should serve
|
||||
// gRPC requests. If running in all-in-one mode, ":5443" (localhost:5443) is used.
|
||||
GRPCAddr string `mapstructure:"grpc_address"`
|
||||
GRPCAddr string `mapstructure:"grpc_address" yaml:"grpc_address,omitempty"`
|
||||
|
||||
// GRPCInsecure disables transport security.
|
||||
// If running in all-in-one mode, defaults to true.
|
||||
GRPCInsecure bool `mapstructure:"grpc_insecure"`
|
||||
GRPCInsecure bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`
|
||||
|
||||
GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout"`
|
||||
GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin"`
|
||||
GRPCClientTimeout time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
|
||||
GRPCClientDNSRoundRobin bool `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
|
||||
|
||||
// ForwardAuthEndpoint allows for a given route to be used as a forward-auth
|
||||
// endpoint instead of a reverse proxy. Some third-party proxies that do not
|
||||
|
|
@ -171,7 +171,7 @@ type Options struct {
|
|||
// allow you to delegate and authenticate each request to your website
|
||||
// with an external server or service. Pomerium can be configured to accept
|
||||
// these requests with this switch
|
||||
ForwardAuthURLString string `mapstructure:"forward_auth_url"`
|
||||
ForwardAuthURLString string `mapstructure:"forward_auth_url" yaml:"forward_auth_url,omitempty"`
|
||||
ForwardAuthURL *url.URL
|
||||
|
||||
viper *viper.Viper
|
||||
|
|
|
|||
|
|
@ -16,27 +16,27 @@ type Policy struct {
|
|||
From string `mapstructure:"from" yaml:"from"`
|
||||
To string `mapstructure:"to" yaml:"to"`
|
||||
// Identity related policy
|
||||
AllowedEmails []string `mapstructure:"allowed_users" yaml:"allowed_users"`
|
||||
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups"`
|
||||
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains"`
|
||||
AllowedEmails []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty"`
|
||||
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty"`
|
||||
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty"`
|
||||
|
||||
Source *url.URL
|
||||
Destination *url.URL
|
||||
|
||||
// Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
|
||||
CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight"`
|
||||
CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`
|
||||
|
||||
// Allow any public request to access this route. **Bypasses authentication**
|
||||
AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access"`
|
||||
AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`
|
||||
|
||||
// UpstreamTimeout is the route specific timeout. Must be less than the global
|
||||
// timeout. If unset, route will fallback to the proxy's DefaultUpstreamTimeout.
|
||||
UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout"`
|
||||
UpstreamTimeout time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`
|
||||
|
||||
// Enable proxying of websocket connections by removing the default timeout handler.
|
||||
// Caution: Enabling this feature could result in abuse via DOS attacks.
|
||||
AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets"`
|
||||
AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets,omitempty"`
|
||||
|
||||
// TLSSkipVerify controls whether a client verifies the server's certificate
|
||||
// chain and host name.
|
||||
|
|
@ -44,32 +44,32 @@ type Policy struct {
|
|||
// server and any host name in that certificate.
|
||||
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
||||
// This should be used only for testing.
|
||||
TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify"`
|
||||
TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`
|
||||
|
||||
// TLSServerName overrides the hostname in the `to` field. This is useful
|
||||
// if your backend is an HTTPS server with a valid certificate, but you
|
||||
// want to communicate to the backend with an internal hostname (e.g.
|
||||
// Docker container name).
|
||||
TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name"`
|
||||
TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
|
||||
|
||||
// TLSCustomCA defines the root certificate to use with a given
|
||||
// route when verifying server certificates.
|
||||
TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca"`
|
||||
TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file"`
|
||||
TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
|
||||
TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`
|
||||
RootCAs *x509.CertPool
|
||||
|
||||
// Contains the x.509 client certificate to to present to the downstream
|
||||
// host.
|
||||
TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert"`
|
||||
TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key"`
|
||||
TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file"`
|
||||
TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file"`
|
||||
TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
|
||||
TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
|
||||
TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
|
||||
TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
|
||||
ClientCertificate *tls.Certificate
|
||||
|
||||
// SetRequestHeaders adds a collection of headers to the downstream request
|
||||
// in the form of key value pairs. Note bene, this will overwrite the
|
||||
// value of any existing value of a given header key.
|
||||
SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers"`
|
||||
SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`
|
||||
}
|
||||
|
||||
// Validate checks the validity of a policy.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,13 @@
|
|||
# Changelog
|
||||
|
||||
## vUnreleased
|
||||
|
||||
### New
|
||||
|
||||
### Changed
|
||||
|
||||
- Added yaml tags to all options structs [GH-394](https://github.com/pomerium/pomerium/pull/394)
|
||||
|
||||
## v0.5.0
|
||||
|
||||
### New
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue