-
Notifications
You must be signed in to change notification settings - Fork 407
/
options.go
executable file
·185 lines (161 loc) · 7.9 KB
/
options.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
package main
import (
"flag"
"fmt"
"os"
"strconv"
"strings"
"time"
"k8s.io/apimachinery/pkg/types"
"github.com/sirupsen/logrus"
)
const (
defaultCertificateValidityTime = 90 * 24 * time.Hour
defaultNamespace = "default"
)
type options struct {
appName string
externalAPIPort int
internalAPIPort int
namespace string
tokenLength int
appTokenExpirationMinutes int
runtimeTokenExpirationMinutes int
caSecretName types.NamespacedName
rootCACertificateSecretName types.NamespacedName
requestLogging bool
connectorServiceHost string
gatewayBaseURL string
certificateProtectedHost string
appsInfoURL string
appCertificateValidityTime time.Duration
runtimeCertificateValidityTime time.Duration
central bool
revocationConfigMapName string
lookupEnabled bool
lookupConfigMapPath string
}
type environment struct {
country string
organization string
organizationalUnit string
locality string
province string
}
func parseArgs() *options {
appName := flag.String("appName", "connector-service", "Name of the Certificate Service, used by k8s deployments and services.")
externalAPIPort := flag.Int("externalAPIPort", 8081, "External API port.")
internalAPIPort := flag.Int("internalAPIPort", 8080, "Internal API port.")
namespace := flag.String("namespace", "kyma-integration", "Namespace used by Certificate Service")
tokenLength := flag.Int("tokenLength", 64, "Length of a registration tokens.")
appTokenExpirationMinutes := flag.Int("appTokenExpirationMinutes", 5, "Time to Live of application tokens expressed in minutes.")
runtimeTokenExpirationMinutes := flag.Int("runtimeTokenExpirationMinutes", 10, "Time to Live of runtime tokens expressed in minutes.")
caSecretName := flag.String("caSecretName", "kyma-integration/nginx-auth-ca", "Namespace/name of the secret which contains certificate and key used for signing client certificates.")
rootCACertificateSecretName := flag.String("rootCACertificateSecretName", "", "Namespace/name of the secret which contains root CA Certificate in case certificates are singed by intermediate CA.")
requestLogging := flag.Bool("requestLogging", false, "Flag for logging incoming requests.")
connectorServiceHost := flag.String("connectorServiceHost", "cert-service.wormhole.cluster.kyma.cx", "Host at which this service is accessible.")
gatewayBaseURL := flag.String("gatewayBaseURL", "https://gateway.wormhole.cluster.kyma.cx", "Base URL of the gateway service.")
certificateProtectedHost := flag.String("certificateProtectedHost", "gateway.wormhole.cluster.kyma.cx", "Host secured with client certificate, used for certificate renewal.")
appsInfoURL := flag.String("appsInfoURL", "", "URL at which management information is available.")
appCertificateValidityTime := flag.String("appCertificateValidityTime", "90d", "Validity time of certificates issued for apps by this service.")
runtimeCertificateValidityTime := flag.String("runtimeCertificateValidityTime", "90d", "Validity time of certificates issued for runtimes by this service.")
central := flag.Bool("central", false, "Determines whether connector works as the central")
revocationConfigMapName := flag.String("revocationConfigMapName", "revocations-config", "Name of the config map containing revoked certificates")
lookupEnabled := flag.Bool("lookupEnabled", false, "Determines whether connector should make a call to get gateway endpoint")
lookupConfigMapPath := flag.String("lookupConfigMapPath", "/etc/config/config.json", "Path in the pod where Config Map for cluster lookup is stored")
flag.Parse()
appValidityTime, err := parseDuration(*appCertificateValidityTime)
if err != nil {
logrus.Infof("Failed to parse certificate validity time for applications: %s, using default value.", err)
}
runtimeValidityTime, err := parseDuration(*runtimeCertificateValidityTime)
if err != nil {
logrus.Infof("Failed to parse certificate validity time for applications: %s, using default value.", err)
}
return &options{
appName: *appName,
externalAPIPort: *externalAPIPort,
internalAPIPort: *internalAPIPort,
namespace: *namespace,
tokenLength: *tokenLength,
appTokenExpirationMinutes: *appTokenExpirationMinutes,
runtimeTokenExpirationMinutes: *runtimeTokenExpirationMinutes,
caSecretName: parseNamespacedName(*caSecretName),
rootCACertificateSecretName: parseNamespacedName(*rootCACertificateSecretName),
requestLogging: *requestLogging,
connectorServiceHost: *connectorServiceHost,
gatewayBaseURL: *gatewayBaseURL,
certificateProtectedHost: *certificateProtectedHost,
central: *central,
appsInfoURL: *appsInfoURL,
appCertificateValidityTime: appValidityTime,
runtimeCertificateValidityTime: runtimeValidityTime,
revocationConfigMapName: *revocationConfigMapName,
lookupEnabled: *lookupEnabled,
lookupConfigMapPath: *lookupConfigMapPath,
}
}
func (o *options) String() string {
return fmt.Sprintf("--appName=%s --externalAPIPort=%d --internalAPIPort=%d --namespace=%s --tokenLength=%d "+
"--appTokenExpirationMinutes=%d --runtimeTokenExpirationMinutes=%d --caSecretName=%s --rootCACertificateSecretName=%s --requestLogging=%t "+
"--connectorServiceHost=%s --certificateProtectedHost=%s --gatewayBaseURL=%s "+
"--appsInfoURL=%s --central=%t --appCertificateValidityTime=%s --runtimeCertificateValidityTime=%s "+
"--revocationConfigMapName=%s --lookupEnabled=%t --lookupConfigMapPath=%s",
o.appName, o.externalAPIPort, o.internalAPIPort, o.namespace, o.tokenLength,
o.appTokenExpirationMinutes, o.runtimeTokenExpirationMinutes, o.caSecretName, o.rootCACertificateSecretName, o.requestLogging,
o.connectorServiceHost, o.certificateProtectedHost, o.gatewayBaseURL,
o.appsInfoURL, o.central, o.appCertificateValidityTime, o.runtimeCertificateValidityTime,
o.revocationConfigMapName, o.lookupEnabled, o.lookupConfigMapPath)
}
func parseEnv() *environment {
return &environment{
country: os.Getenv("COUNTRY"),
organization: os.Getenv("ORGANIZATION"),
organizationalUnit: os.Getenv("ORGANIZATIONALUNIT"),
locality: os.Getenv("LOCALITY"),
province: os.Getenv("PROVINCE"),
}
}
func (e *environment) String() string {
return fmt.Sprintf("COUNTRY=%s ORGANIZATION=%s ORGANIZATIONALUNIT=%s LOCALITY=%s PROVINCE=%s",
e.country, e.organization, e.organizationalUnit, e.locality, e.province)
}
func parseDuration(durationString string) (time.Duration, error) {
unitsMap := map[string]time.Duration{"m": time.Minute, "h": time.Hour, "d": 24 * time.Hour}
timeUnit := durationString[len(durationString)-1:]
_, ok := unitsMap[timeUnit]
if !ok {
return defaultCertificateValidityTime, fmt.Errorf("unrecognized time unit provided: %s", timeUnit)
}
timeLength, err := strconv.Atoi(durationString[:len(durationString)-1])
if err != nil {
return defaultCertificateValidityTime, err
}
return time.Duration(timeLength) * unitsMap[timeUnit], nil
}
func parseNamespacedName(value string) types.NamespacedName {
parts := strings.Split(value, string(types.Separator))
if singleValueProvided(parts) {
return types.NamespacedName{
Name: parts[0],
Namespace: defaultNamespace,
}
}
namespace := get(parts, 0)
if namespace == "" {
namespace = defaultNamespace
}
return types.NamespacedName{
Namespace: namespace,
Name: get(parts, 1),
}
}
func singleValueProvided(split []string) bool {
return len(split) == 1 || get(split, 1) == ""
}
func get(array []string, index int) string {
if len(array) > index {
return array[index]
}
return ""
}