package openshift
import (
	"crypto/rand"
	"fmt"
	"math/big"

	"github.com/google/uuid"
)
// Options is the set of internal template options for rendering
// the lokistack-gateway tenants configuration file when mode openshift-logging.
type Options struct {
	// BuildOpts carries what is needed to build the extra gateway k8s objects
	// (ServiceAccount, Route, RBAC) on OpenShift; see BuildOptions.
	BuildOpts BuildOptions
	// Authentication holds one AuthenticationSpec per tenant in defaultTenants
	// (populated by NewOptions).
	Authentication []AuthenticationSpec
	// Authorization is shared by all tenants and points at the opa-openshift sidecar.
	Authorization AuthorizationSpec
}
// AuthenticationSpec describes the authentication specification
// for a single tenant to authenticate it's subjects through OpenShift Auth.
type AuthenticationSpec struct {
	// TenantName is the tenant name as listed in defaultTenants.
	TenantName string
	// TenantID is reused from TenantData on reconcile, otherwise a freshly
	// generated UUID (see NewOptions).
	TenantID string
	// ServiceAccount is set by NewOptions to the gateway name.
	ServiceAccount string
	// RedirectURL is the OAuth callback, rendered by NewOptions as
	// "http://<ingress host>/openshift/<tenant>/callback".
	RedirectURL string
	// CookieSecret is a credential. NewOptions reuses it from TenantData on
	// reconcile, so callers are expected to persist it; otherwise it comes
	// from newCookieSecret. Treat it as a secret, never log it.
	CookieSecret string
}
// AuthorizationSpec describes the authorization specification
// for all tenants to authorize access for it's subjects through the
// opa-openshift sidecar.
type AuthorizationSpec struct {
	// OPAUrl is the opa-openshift sidecar's decision endpoint, rendered by
	// NewOptions as "http://localhost:<GatewayOPAHTTPPort>/v1/data/<opaDefaultPackage>/allow".
	// Plain http is acceptable only because the sidecar is addressed over
	// loopback (presumably within the same pod) — confirm before reusing elsewhere.
	OPAUrl string
}
// BuildOptions represents the set of options required to build
// extra lokistack gateway k8s objects (e.g. ServiceAccount, Route, RBAC)
// on openshift.
type BuildOptions struct {
	// LokiStackName is the name of the LokiStack being reconciled.
	LokiStackName string
	// GatewayName is the gateway's name; it also serves as the ServiceAccount
	// name in each AuthenticationSpec (see NewOptions).
	GatewayName string
	// GatewayNamespace is the namespace the gateway objects are created in.
	GatewayNamespace string
	// GatewaySvcName is the gateway Service name.
	GatewaySvcName string
	// GatewaySvcTargetPort is the gateway Service target port name
	// (NewOptions fills it from the gwPortName argument).
	GatewaySvcTargetPort string
	// Labels are applied to the generated objects.
	Labels map[string]string
	// EnableCertificateSigningService toggles the certificate signing service.
	EnableCertificateSigningService bool
}
// TenantData defines the existing tenantID and cookieSecret for lokistack reconcile.
type TenantData struct {
	// TenantID is the previously generated tenant UUID to reuse.
	TenantID string
	// CookieSecret is the previously generated cookie secret to reuse; it is a
	// credential and must be stored accordingly (e.g. not in a plain ConfigMap —
	// NOTE(review): confirm where the caller sources this from).
	CookieSecret string
}
// NewOptions returns an openshift options struct.
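// NewOptions returns an openshift options struct.
//
// One AuthenticationSpec is built per tenant in defaultTenants. When
// tenantConfigMap holds an entry for the tenant with a non-empty TenantID and
// CookieSecret, those values are reused so a reconcile does not rotate them;
// any missing or empty value is replaced by a freshly generated one. The
// previous implementation only checked whether the map was nil, so a tenant
// absent from a non-nil map ended up with an empty TenantID and, more
// seriously, an empty CookieSecret.
func NewOptions(
	stackName string,
	gwName, gwNamespace, gwBaseDomain, gwSvcName, gwPortName string,
	gwLabels map[string]string,
	enableCertSigningService bool,
	tenantConfigMap map[string]TenantData,
) Options {
	host := ingressHost(stackName, gwNamespace, gwBaseDomain)

	authn := make([]AuthenticationSpec, 0, len(defaultTenants))
	for _, name := range defaultTenants {
		// Indexing a nil map is safe and yields the zero value, so the nil and
		// missing-key cases fall through to the same "generate" path below.
		existing := tenantConfigMap[name]

		tenantID := existing.TenantID
		if tenantID == "" {
			tenantID = uuid.New().String()
		}

		cookieSecret := existing.CookieSecret
		if cookieSecret == "" {
			cookieSecret = newCookieSecret()
		}

		authn = append(authn, AuthenticationSpec{
			TenantName:     name,
			TenantID:       tenantID,
			ServiceAccount: gwName,
			// NOTE(review): the OAuth callback is registered with a plain http
			// scheme. Confirm the route terminates TLS and redirects, otherwise
			// the authorization code travels in the clear.
			RedirectURL:  fmt.Sprintf("http://%s/openshift/%s/callback", host, name),
			CookieSecret: cookieSecret,
		})
	}

	return Options{
		BuildOpts: BuildOptions{
			LokiStackName:                   stackName,
			GatewayName:                     gwName,
			GatewayNamespace:                gwNamespace,
			GatewaySvcName:                  gwSvcName,
			GatewaySvcTargetPort:            gwPortName,
			Labels:                          gwLabels,
			EnableCertificateSigningService: enableCertSigningService,
		},
		Authentication: authn,
		Authorization: AuthorizationSpec{
			// The OPA sidecar is reached over loopback inside the pod.
			OPAUrl: fmt.Sprintf("http://localhost:%d/v1/data/%s/allow", GatewayOPAHTTPPort, opaDefaultPackage),
		},
	}
}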
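// newCookieSecret returns a random secret of cookieSecretLength runes drawn
// uniformly from allowedRunes.
//
// The value is rendered into the gateway tenant configuration as
// CookieSecret, i.e. it is a credential, so it must come from a
// cryptographically secure source. The previous implementation used
// math/rand, whose output is predictable from its state and which, on Go
// versions before 1.20, produces the same sequence on every process start
// unless rand.Seed is called somewhere else in the program. crypto/rand.Int
// is used instead; it is unbiased for any alphabet size, unlike reducing a
// random byte modulo len(allowedRunes).
//
// It panics if the secure random source is unavailable: the signature cannot
// return an error and silently emitting a weak or empty secret would be
// worse than failing the reconcile loudly.
func newCookieSecret() string {
	alphabetSize := big.NewInt(int64(len(allowedRunes)))
	secret := make([]rune, cookieSecretLength)
	for i := range secret {
		idx, err := rand.Int(rand.Reader, alphabetSize)
		if err != nil {
			panic(fmt.Sprintf("generating cookie secret: %v", err))
		}
		secret[i] = allowedRunes[idx.Int64()]
	}
	return string(secret)
}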