* Add new configurable bootstrap writers (#2405) This PR adds the ability to configure different backends to use for storing modifications to the zero bootstrap config. The two currently implemented backends allow writing changes to a file or to a Kubernetes secret. Backend selection is determined by the scheme in a URI passed to the flag '--config-writeback-uri'. In a Kubernetes environment, where the bootstrap config is mounted into the pod from a secret, this option allows Pomerium to write changes back to the secret, as writes to the mounted secret file on disk are not persisted. * Use env vars for bootstrap config filepath/writeback uri * linter pass and code cleanup * Add new config writer options mechanism This moves the encryption cipher parameter out of the WriteConfig() method in the ConfigWriter interface and into a new ConfigWriterOptions struct. Options (e.g. cipher) can be applied to an existing ConfigWriter to allow customizing implementation-specific behavior. * Code cleanup/lint fixes * Move vendored k8s code into separate package, and add license header and package comment
package cmd
import (
"fmt"
"os"
"path/filepath"
"github.com/spf13/viper"
)
const (
	// PomeriumZeroTokenEnv is the environment variable name for the API token.
	// getToken consults this variable before the config file, so a value set
	// here (even an empty one) takes precedence over the file contents.
	//nolint: gosec
	PomeriumZeroTokenEnv = "POMERIUM_ZERO_TOKEN"

	// BootstrapConfigFileName can be set to override the default location of the bootstrap config file.
	// When unset, getBootstrapConfigFileName derives a path under the user cache directory.
	BootstrapConfigFileName = "BOOTSTRAP_CONFIG_FILE"
	// BootstrapConfigWritebackURI controls how changes to the bootstrap config are persisted.
	// See controller.WithBootstrapConfigWritebackURI for details.
	BootstrapConfigWritebackURI = "BOOTSTRAP_CONFIG_WRITEBACK_URI"
)
// getToken resolves the Pomerium Zero API token.
//
// Resolution order: the PomeriumZeroTokenEnv environment variable wins
// whenever it is set (even to an empty string); otherwise, if configFile is
// non-empty, the "pomerium_zero_token" key is read from that file. Any error
// while reading the config file is discarded and treated as "no token", so a
// missing, unreadable or malformed file silently yields "".
//
// An empty return value means the caller falls back to regular (non-Zero)
// Pomerium operation.
func getToken(configFile string) string {
	// Environment takes precedence over the file, even when set to "".
	if fromEnv, present := os.LookupEnv(PomeriumZeroTokenEnv); present {
		return fromEnv
	}

	if configFile == "" {
		return ""
	}

	// NOTE(review): the token is a credential; nothing here checks the
	// permissions of configFile, so protecting it is the deployer's job.
	cfg := viper.New()
	cfg.SetConfigFile(configFile)
	if err := cfg.ReadInConfig(); err != nil {
		// Best-effort read: any failure means no token was found.
		return ""
	}
	return cfg.GetString("pomerium_zero_token")
}
// getConnectAPIEndpoint returns the Pomerium Zero connect server endpoint.
// A non-empty CONNECT_SERVER_ENDPOINT environment variable overrides the
// built-in default; an empty or unset variable selects the default.
//
// NOTE(review): the override is used verbatim — no URL parsing and no https
// enforcement — so whoever controls the process environment controls where
// this component connects.
func getConnectAPIEndpoint() string {
	const defaultEndpoint = "https://connect.pomerium.app"

	override := os.Getenv("CONNECT_SERVER_ENDPOINT")
	if override == "" {
		return defaultEndpoint
	}
	return override
}
// getClusterAPIEndpoint returns the Pomerium Zero cluster API endpoint.
// A non-empty CLUSTER_API_ENDPOINT environment variable overrides the
// built-in default; an empty or unset variable selects the default.
//
// NOTE(review): as with the other endpoint getters, the value is not
// validated (no scheme check), so an http:// override is accepted as-is.
func getClusterAPIEndpoint() string {
	const defaultEndpoint = "https://console.pomerium.app/cluster/v1"

	override := os.Getenv("CLUSTER_API_ENDPOINT")
	if override == "" {
		return defaultEndpoint
	}
	return override
}
// getOTELAPIEndpoint returns the telemetry (OTEL) endpoint.
// A non-empty POMERIUM_OTEL_ENDPOINT environment variable overrides the
// built-in default; an empty or unset variable selects the default.
//
// NOTE(review): the override is returned without validation; anything sent
// to this endpoint goes wherever the environment points it.
func getOTELAPIEndpoint() string {
	const defaultEndpoint = "https://telemetry.pomerium.app"

	override := os.Getenv("POMERIUM_OTEL_ENDPOINT")
	if override == "" {
		return defaultEndpoint
	}
	return override
}
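// getBootstrapConfigFileName returns the path of the bootstrap config file.
//
// If the BootstrapConfigFileName environment variable is set to a non-empty
// value it is returned verbatim (no cleaning, no existence check). Otherwise
// the file is "bootstrap.dat" inside a "pomerium" directory under the user
// cache directory (os.UserCacheDir); that directory is created with mode
// 0o700 when it does not already exist.
//
// An error is returned when the user cache directory cannot be determined or
// the "pomerium" directory cannot be created. Both errors are wrapped with
// context and keep the underlying error reachable via errors.Is/As.
func getBootstrapConfigFileName() (string, error) {
	if override := os.Getenv(BootstrapConfigFileName); override != "" {
		return override, nil
	}

	cacheDir, err := os.UserCacheDir()
	if err != nil {
		// Previously returned bare; wrapped for consistency with the
		// MkdirAll failure below so callers get a self-describing message.
		return "", fmt.Errorf("error locating user cache directory: %w", err)
	}

	dir := filepath.Join(cacheDir, "pomerium")
	// 0o700: the bootstrap file lives here, so keep the directory private to
	// the user. NOTE(review): MkdirAll leaves an existing directory's mode
	// untouched, so a pre-existing, more permissive directory is not tightened.
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", fmt.Errorf("error creating cache directory: %w", err)
	}

	return filepath.Join(dir, "bootstrap.dat"), nil
}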
// getBootstrapConfigWritebackURI returns the value of the
// BootstrapConfigWritebackURI environment variable, or "" when it is unset.
// The value is not parsed or validated here; see
// controller.WithBootstrapConfigWritebackURI for how it is interpreted.
func getBootstrapConfigWritebackURI() string {
	// The presence flag is deliberately ignored: unset and empty both yield "",
	// exactly as os.Getenv would.
	uri, _ := os.LookupEnv(BootstrapConfigWritebackURI)
	return uri
}