config: generate cookie secret if not set in all-in-one mode (#3742)

* config: generate cookie secret if not set in all-in-one mode

* fix tests

* config: add warning about cookie_secret

* breakup lines

internal/log/warnings.go

@@ -0,0 +1,42 @@
+package log
+
+import (
+	"context"
+	"sync"
+
+	"github.com/pomerium/pomerium/internal/syncutil"
+)
+
+var warnCookieSecretOnce sync.Once
+
+// WarnCookieSecret warns about the cookie secret.
+func WarnCookieSecret() {
+	warnCookieSecretOnce.Do(func() {
+		Warn(context.Background()).
+			Msg("using a generated COOKIE_SECRET. " +
+				"Set the COOKIE_SECRET to avoid users being logged out on restart. " +
+				"https://www.pomerium.com/docs/reference/cookie-secret")
+	})
+}
+
+var warnNoTLSCertificateOnce syncutil.OnceMap[string]
+
+// WarnNoTLSCertificate warns about no TLS certificate.
+func WarnNoTLSCertificate(domain string) {
+	warnNoTLSCertificateOnce.Do(domain, func() {
+		Warn(context.Background()).
+			Str("domain", domain).
+			Msg("no TLS certificate found for domain, using a self-signed certificate")
+	})
+}
+
+var warnWebSocketHTTP1_1Once syncutil.OnceMap[string]
+
+// WarnWebSocketHTTP1_1 warns about falling back to http 1.1 due to web socket support.
+func WarnWebSocketHTTP1_1(clusterID string) {
+	warnWebSocketHTTP1_1Once.Do(clusterID, func() {
+		Warn(context.Background()).
+			Str("cluster-id", clusterID).
+			Msg("forcing http/1.1 due to web socket support")
+	})
+}

internal/syncutil/syncutil.go

@@ -0,0 +1,27 @@
+// Package syncutil contains methods for working with sync code.
+package syncutil
+
+import (
+	"sync"
+)
+
+// A OnceMap is a collection sync.Onces accessible by a key. The zero value is usable.
+type OnceMap[T comparable] struct {
+	mu sync.Mutex
+	m  map[T]*sync.Once
+}
+
+// Do runs f once.
+func (o *OnceMap[T]) Do(key T, f func()) {
+	o.mu.Lock()
+	if o.m == nil {
+		o.m = make(map[T]*sync.Once)
+	}
+	oo, ok := o.m[key]
+	if !ok {
+		oo = new(sync.Once)
+		o.m[key] = oo
+	}
+	o.mu.Unlock()
+	oo.Do(f)
+}