Diffstat (limited to 'app/config.go')
-rw-r--r-- | app/config.go | 92 |
1 files changed, 37 insertions, 55 deletions
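--- a/app/config.go
+++ b/app/config.go
@@ -1,12 +1,7 @@
 package app
 
 import (
-"log"
 "time"
-
-"code.crute.us/mcrute/golib/cli"
-"code.crute.us/mcrute/golib/vault"
-"github.com/spf13/cobra"
 )
 
 type GitHubOauthCreds struct {
@@ -15,56 +10,43 @@ type GitHubOauthCreds struct {
 }
 
 type Config struct {
-Bind []string
-BindTLS []string
-Debug bool
-TemplateGlob string
-TemplatePath string
-MongoDbUri string
-MongodbVaultPath string
-LogFile string
-TLSCacheDir string
-TrustedIPRanges []string
-ManagementIPRanges []string
-Hostnames []string
-DisableBackgroundJobs bool
-RateLimit time.Duration
-RateLimitBurst int
-IssuerEndpoint string
-JWTAudience string
-AuthCookieDuration time.Duration
-GitHubOauthCreds *GitHubOauthCreds
+Bind []string `flag:"bind" flag-scope:"web" flag-help:"Addresses and ports to bind http server"`
+Debug bool `flag:"debug" flag-help:"Enable debug mode"`
+MongoDbUri string `flag:"mongodb-uri" flag-help:"URI for connection to mongodb"`
+LogFile string `flag:"log-file" flag-scope:"web" flag-help:"Log file for combined host logs"`
+TrustedIPRanges []string `flag:"trusted-ip-ranges" flag-scope:"web" flag-help:"Comma separated list of IP ranges for trusted XFF proxies"`
+Hostnames []string `flag:"hostname" flag-scope:"web" flag-help:"Hostname this server serves (can be specified multiple times)"`
+DisableBackgroundJobs bool `flag:"disable-bg-jobs" flag-help:"Disable background jobs and only serve web pages"`
+RateLimit time.Duration `flag:"rate-limit" flag-help:"Number seconds between requests for credential resources"`
+RateLimitBurst int `flag:"rate-limit-burst" flag-help:"Number of burst requests allowed to credential endpoints"`
+IssuerEndpoint string `flag:"issuer-endpoint" flag-help:"Oauth issuer endpoint"`
+JWTAudience string `flag:"jwt-audience" flag-help:"Audience for issued JWTs"`
+AuthCookieDuration time.Duration `flag:"auth-cookie-duration" flag-help:"Expiration duration of the auth cookies"`
+GitHubOauthCreds string `flag:"github-oauth-vault-path" flag-help:"Vault material name for GitHub auth credentials"`
+DNSApiKeyVaultPath string `flag:"dns-api-vault-path" flag-help:"Vault material for DNS API key"`
+AutocertEmail string `flag:"autocert-email" flag-scope:"web" flag-help:"Autocert notification email"`
+AutocertHost string `flag:"autocert-host" flag-scope:"web" flag-help:"Autocert service url"`
+NetboxHost string `flag:"netbox-host" flag-scope:"web" flag-help:"Netbox service url"`
+NetboxApiKeyVaultPath string `flag:"netbox-api-vault-path" flag-scope:"web" flag-help:"Vault material path for Netbox API key"`
 }
 
-func NewConfigFromCmd(cmd *cobra.Command) Config {
-f := cli.TolerantPflagSet{cmd.Flags()}
-
-var githubOauth GitHubOauthCreds
-oauthPath := f.MayGetString("github-oauth-vault-path")
-err := vault.GetVaultKeyStruct(oauthPath, &githubOauth)
-if err != nil {
-log.Fatalf("Error getting %s from vault: %w", oauthPath, err)
-}
-
-return Config{
-Bind: f.MayGetStringSlice("bind"),
-BindTLS: f.MayGetStringSlice("bind-tls"),
-Debug: f.MayGetBool("debug"),
-TemplateGlob: f.MayGetString("template-glob"),
-TemplatePath: f.MayGetString("template-path"),
-MongoDbUri: f.MayGetString("mongodb-uri"),
-MongodbVaultPath: f.MayGetString("mongodb-vault-path"),
-DisableBackgroundJobs: f.MayGetBool("disable-bg-jobs"),
-TrustedIPRanges: f.MayGetStringSlice("trusted-ip-ranges"),
-ManagementIPRanges: f.MayGetStringSlice("management-ip-ranges"),
-Hostnames: f.MayGetStringSlice("hostname"),
-LogFile: f.MayGetString("log-file"),
-TLSCacheDir: f.MayGetString("tls-cache-dir"),
-RateLimit: f.MayGetDuration("rate-limit"),
-RateLimitBurst: f.MayGetInt("rate-limit-burst"),
-IssuerEndpoint: f.MayGetString("issuer-endpoint"),
-JWTAudience: f.MayGetString("jwt-audience"),
-AuthCookieDuration: f.MayGetDuration("auth-cookie-duration"),
-GitHubOauthCreds: &githubOauth,
-}
-}
+var DefaultConfig = &Config{
+Bind: []string{":8169"},
+Debug: false,
+MongoDbUri: "cloud-id-broker-prod-dynamic@mongodb.sea4.crute.me/cloud-id-broker-prod",
+LogFile: "",
+TrustedIPRanges: []string{"172.19.0.0/22", "2602:803:4072::/48"},
+Hostnames: []string{"aws-access.crute.me"},
+DisableBackgroundJobs: false,
+RateLimit: 30 * time.Second,
+RateLimitBurst: 30,
+IssuerEndpoint: "https://aws-access.crute.me",
+JWTAudience: "aws-access",
+AuthCookieDuration: 24 * time.Hour,
+GitHubOauthCreds: "service/aws-access/github-oauth",
+DNSApiKeyVaultPath: "service/aws-access/dns-api-key",
+AutocertEmail: "letsencrypt-certs@pomonaconsulting.com",
+AutocertHost: "https://dns-manage.crute.me/acmev2",
+NetboxHost: "https://netbox.crute.me",
+NetboxApiKeyVaultPath: "infra/netbox-readonly",
 }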
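Review bot: The `flag-help` on `RateLimit` says "Number seconds between requests", but the field is a `time.Duration` defaulting to `30 * time.Second`, so unless the flag loader (not visible here) special-cases bare seconds an operator passing `30` will get 30ns or a parse error rather than 30s; suggest `flag-help:"Duration between requests for credential resources (e.g. 30s)"`. The field that now holds a vault path keeps the name `GitHubOauthCreds`, which collides with the `GitHubOauthCreds` struct declared just above and breaks the `...VaultPath` convention used by `DNSApiKeyVaultPath` and `NetboxApiKeyVaultPath`; renaming it to `GitHubOauthVaultPath string` with the same `flag:"github-oauth-vault-path"` tag would read consistently. `DefaultConfig` is an exported pointer to a mutable struct, so any code that starts from it and assigns a field or appends to `Bind`/`TrustedIPRanges` changes the defaults process-wide; a `func DefaultConfig() *Config` that returns a fresh literal, or at least a doc comment requiring callers to copy before mutating, would close that. Because `TrustedIPRanges` selects which peers' XFF header is believed, the hard-coded default ranges deserve a comment stating they are deployment-specific and must be overridden, since an unchanged default in another deployment silently trusts the wrong proxies. Both exported names also lack doc comments; `// Config holds the service settings, populated from flags via the flag tags.` and `// DefaultConfig is the baseline configuration that flag parsing overrides.` would satisfy the linters.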