config

package
v1.2.0-rc3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 11, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const DefaultDependenciesSyncPollInterval = 15 * time.Minute

DefaultDependenciesSyncPollInterval is the default polling interval for dependency probes.

View Source
const DefaultDependencySyncTaskInterval = 3 * time.Minute

DefaultDependencySyncTaskInterval is how often the dependency-sync periodic task executes. This is intentionally shorter than the poll interval so that newly added refs are discovered quickly and partial failures are retried within minutes rather than waiting for the full poll interval.

Variables

View Source
var (
	ErrCheckingServerCerts = errors.New("failed to check if server certificate and key can be read")
	ErrServerCertsNotFound = errors.New("server certificate and key files are missing or unreadable")
	ErrInvalidServerCerts  = errors.New("failed to parse or load server certificate and key")
)

Functions

func CertificateDir

func CertificateDir() string

func ClientConfigFile

func ClientConfigFile() string

func ConfigDir

func ConfigDir() string

func ConfigFile

func ConfigFile() string

func LoadServerCertificates added in v1.0.0

func LoadServerCertificates(cfg *Config, log *logrus.Logger) (*crypto.TLSCertificateConfig, error)

func NewDefaultImageBuilderWorkerConfig added in v1.1.0

func NewDefaultImageBuilderWorkerConfig() *imageBuilderWorkerConfig

NewDefaultImageBuilderWorkerConfig returns a default ImageBuilder worker configuration

func NormalizedPURLPackageTypeID added in v1.2.0

func NormalizedPURLPackageTypeID(s string) string

NormalizedPURLPackageTypeID returns the package type key for lookups (after "pkg:", lowercased).

func Save

func Save(cfg *Config, cfgFile string) error

func Validate

func Validate(cfg *Config) error

Types

type Config

type Config struct {
	Database               *dbConfig                  `json:"database,omitempty"`
	Service                *svcConfig                 `json:"service,omitempty"`
	ImageBuilderService    *ImageBuilderServiceConfig `json:"imageBuilderService,omitempty"`
	ImageBuilderWorker     *imageBuilderWorkerConfig  `json:"imageBuilderWorker,omitempty"`
	KV                     *kvConfig                  `json:"kv,omitempty"`
	Alertmanager           *alertmanagerConfig        `json:"alertmanager,omitempty"`
	Auth                   *authConfig                `json:"auth,omitempty"`
	Metrics                *metricsConfig             `json:"metrics,omitempty"`
	CA                     *ca.Config                 `json:"ca,omitempty"`
	Tracing                *TracingConfig             `json:"tracing,omitempty"`
	GitOps                 *gitOpsConfig              `json:"gitOps,omitempty"`
	CryptoPolicy           *CryptoPolicyConfig        `json:"cryptoPolicy,omitempty"`
	Periodic               *periodicConfig            `json:"periodic,omitempty"`
	Organizations          *organizationsConfig       `json:"organizations,omitempty"`
	TelemetryGateway       *telemetryGatewayConfig    `json:"telemetrygateway,omitempty"`
	VulnerabilityReporting *VulnerabilityConfig       `json:"vulnerabilityReporting,omitempty"`
	DependenciesSync       *DependenciesSyncConfig    `json:"dependenciesSync,omitempty"`
}

func Load

func Load(cfgFile string) (*Config, error)

func LoadOrGenerate

func LoadOrGenerate(cfgFile string) (*Config, error)

func NewDefault

func NewDefault(opts ...ConfigOption) *Config

func NewFromFile

func NewFromFile(cfgFile string) (*Config, error)

func (*Config) GetDependenciesSyncPollInterval added in v1.2.0

func (c *Config) GetDependenciesSyncPollInterval() time.Duration

GetDependenciesSyncPollInterval returns the configured poll interval, or the default if unset.

func (*Config) String

func (cfg *Config) String() string

type ConfigOption added in v0.8.1

type ConfigOption func(*Config)

func WithAAPAuth added in v1.0.0

func WithAAPAuth(apiUrl, externalApiUrl string) ConfigOption

func WithK8sAuth added in v1.0.0

func WithK8sAuth(apiUrl, rbacNs string) ConfigOption

func WithOAuth2Auth added in v1.0.0

func WithOAuth2Auth(authorizationUrl, tokenUrl, userinfoUrl, issuer, clientId string, enabled bool) ConfigOption

func WithOIDCAuth added in v1.0.0

func WithOIDCAuth(issuer, clientId string, enabled bool) ConfigOption

func WithTracingEnabled added in v0.8.1

func WithTracingEnabled() ConfigOption

type CryptoPolicyConfig added in v1.1.0

type CryptoPolicyConfig struct {
	// ForceFIPSMode explicitly enables or disables FIPS-compliant algorithms globally.
	// If nil, FIPS mode is auto-detected at runtime from system configuration.
	// If true, FIPS-compliant algorithms are used regardless of system FIPS mode.
	// If false, library defaults are used even if system is in FIPS mode.
	ForceFIPSMode *bool `json:"forceFipsMode,omitempty"`

	SSH *SSHCryptoConfig `json:"ssh,omitempty"`
}

CryptoPolicyConfig contains cryptographic policy configuration for all protocols.

type DependenciesSyncConfig added in v1.2.0

type DependenciesSyncConfig struct {
	// PollInterval is the polling interval for git/HTTP dependency probes (e.g. "15m", "1h").
	// Default: 15m.
	PollInterval util.Duration `json:"pollInterval,omitempty"`
}

DependenciesSyncConfig holds global settings for automated dependency synchronization.

type EnrollmentService added in v0.6.0

type EnrollmentService struct {
	client.Config

	// EnrollmentUIEndpoint is the address of the device enrollment UI
	EnrollmentUIEndpoint string `json:"enrollment-ui-endpoint,omitempty"`
}

func (*EnrollmentService) Equal added in v0.6.0

type HealthChecks added in v1.1.0

type HealthChecks struct {
	Enabled          bool          `json:"enabled,omitempty"`
	ReadinessPath    string        `json:"readinessPath,omitempty"`
	LivenessPath     string        `json:"livenessPath,omitempty"`
	ReadinessTimeout util.Duration `json:"readinessTimeout,omitempty"`
}

HealthChecks holds health check endpoint configuration.

type ImageBuilderServiceConfig added in v1.1.0

type ImageBuilderServiceConfig struct {
	Address               string           `json:"address,omitempty"`
	LogLevel              string           `json:"logLevel,omitempty"`
	TLSCertFile           string           `json:"tlsCertFile,omitempty"`
	TLSKeyFile            string           `json:"tlsKeyFile,omitempty"`
	HttpReadTimeout       util.Duration    `json:"httpReadTimeout,omitempty"`
	HttpReadHeaderTimeout util.Duration    `json:"httpReadHeaderTimeout,omitempty"`
	HttpWriteTimeout      util.Duration    `json:"httpWriteTimeout,omitempty"`
	HttpIdleTimeout       util.Duration    `json:"httpIdleTimeout,omitempty"`
	HttpMaxNumHeaders     int              `json:"httpMaxNumHeaders,omitempty"`
	HttpMaxUrlLength      int              `json:"httpMaxUrlLength,omitempty"`
	HttpMaxRequestSize    int              `json:"httpMaxRequestSize,omitempty"`
	RateLimit             *RateLimitConfig `json:"rateLimit,omitempty"`
	HealthChecks          *HealthChecks    `json:"healthChecks,omitempty"`
	DeleteCancelTimeout   util.Duration    `json:"deleteCancelTimeout,omitempty"`
}

func NewDefaultImageBuilderServiceConfig added in v1.1.0

func NewDefaultImageBuilderServiceConfig() *ImageBuilderServiceConfig

NewDefaultImageBuilderServiceConfig returns a default ImageBuilder service configuration

type LoginBranding added in v1.1.0

type LoginBranding struct {
	// DisplayName is used in the page title ("<DisplayName> Login") and card heading
	// Default: "Flight Control"
	DisplayName string `json:"displayName,omitempty"`
	// FaviconDataUri is a data URI for a custom favicon (e.g. "data:image/png;base64,...").
	// If not set, the default embedded Flight Control favicon is used.
	FaviconDataUri string `json:"faviconDataUri,omitempty"`
	// DarkTheme overrides PatternFly CSS variables and logo for dark mode
	DarkTheme *ThemeColors `json:"darkTheme,omitempty"`
	// LightTheme overrides PatternFly CSS variables and logo for light mode
	LightTheme *ThemeColors `json:"lightTheme,omitempty"`
}

LoginBranding configures the visual branding of the PAM issuer login UI

type ManagementService added in v0.6.0

type ManagementService struct {
	client.Config
}

func (*ManagementService) Equal added in v0.6.0

type PAMOIDCIssuer added in v1.0.0

type PAMOIDCIssuer struct {
	// Address is the listen address for the PAM issuer service (e.g., ":8444")
	Address string `json:"address,omitempty"`
	// If true, the PAM issuer service will listen on a plaintext socket instead of TLS.
	DisableTLS bool `json:"disableTLS,omitempty"`
	// Issuer is the base URL for the OIDC issuer (e.g., "https://flightctl.example.com")
	Issuer string `json:"issuer,omitempty"`
	// ClientID is the OAuth2 client ID for this issuer
	ClientID string `json:"clientId,omitempty"`
	// ClientSecret is the OAuth2 client secret for this issuer
	ClientSecret string `json:"clientSecret,omitempty"`
	// Scopes are the supported OAuth2 scopes
	Scopes []string `json:"scopes,omitempty"`
	// RedirectURIs are the allowed redirect URIs for OAuth2 flows
	RedirectURIs []string `json:"redirectUris,omitempty"`
	// PAMService is the PAM service name to use for authentication (default: "flightctl")
	PAMService string `json:"pamService" validate:"required"`
	// AllowPublicClientWithoutPKCE allows public clients (no client secret) to skip PKCE
	// SECURITY WARNING: This should only be enabled for testing or backward compatibility
	// Default: false (PKCE required for public clients per OAuth 2.0 Security BCP)
	AllowPublicClientWithoutPKCE bool `json:"allowPublicClientWithoutPKCE,omitempty"`
	// AccessTokenExpiration is the expiration duration for access tokens and ID tokens
	// Default: 1 hour
	AccessTokenExpiration util.Duration `json:"accessTokenExpiration,omitempty"`
	// RefreshTokenExpiration is the expiration duration for refresh tokens
	// Default: 7 days
	RefreshTokenExpiration util.Duration `json:"refreshTokenExpiration,omitempty"`
	// PendingSessionCookieMaxAge is the MaxAge duration for pending session cookies
	// Default: 10 minutes
	PendingSessionCookieMaxAge util.Duration `json:"pendingSessionCookieMaxAge,omitempty"`
	// AuthenticatedSessionCookieMaxAge is the MaxAge duration for authenticated session cookies
	// Default: 30 minutes
	AuthenticatedSessionCookieMaxAge util.Duration `json:"authenticatedSessionCookieMaxAge,omitempty"`
	// Branding configures the login UI appearance (logo, display name, colors)
	// If nil, the default Flight Control branding is used
	Branding *LoginBranding `json:"branding,omitempty"`
}

PAMOIDCIssuer represents an OIDC issuer that uses Linux PAM for authentication

type PurlTransformConfig added in v1.2.0

type PurlTransformConfig struct {
	// Enabled, when nil, means enabled (default). Set to false to disable PURL normalization.
	Enabled *bool `json:"enabled,omitempty"`
	// ByType maps package type ID (e.g. "rpm") to rules for that type only.
	ByType map[string]PurlTransformTypeRules `json:"byType,omitempty"`
}

PurlTransformConfig holds configuration for PURL normalization.

func NewDefaultPurlTransformConfig added in v1.2.0

func NewDefaultPurlTransformConfig() *PurlTransformConfig

NewDefaultPurlTransformConfig returns default PURL transformation config for RHEL-based distros.

func (*PurlTransformConfig) EffectivePurlTransformEnabled added in v1.2.0

func (p *PurlTransformConfig) EffectivePurlTransformEnabled() bool

EffectivePurlTransformEnabled returns whether PURL normalization is enabled.

type PurlTransformTypeRules added in v1.2.0

type PurlTransformTypeRules struct {
	NamespaceMapping  map[string]string `json:"namespaceMapping,omitempty"`
	DistroMapping     map[string]string `json:"distroMapping,omitempty"`
	AllowedQualifiers []string          `json:"allowedQualifiers,omitempty"`
}

PurlTransformTypeRules defines namespace, distro, and qualifier rules for one PURL package type (map key and segment after "pkg:" in pkg:type/..., e.g. "rpm").

type RateLimitConfig added in v0.9.0

type RateLimitConfig struct {
	Enabled      bool          `json:"enabled,omitempty"`      // Enable/disable rate limiting
	Requests     int           `json:"requests,omitempty"`     // max requests per window
	Window       util.Duration `json:"window,omitempty"`       // e.g. "1m" for one minute
	AuthRequests int           `json:"authRequests,omitempty"` // max auth requests per window
	AuthWindow   util.Duration `json:"authWindow,omitempty"`   // e.g. "1h" for one hour
	// TrustedProxies specifies IP addresses/networks that are allowed to set proxy headers
	// If empty, proxy headers are ignored for security (only direct connection IPs are used)
	TrustedProxies []string `json:"trustedProxies,omitempty"`
}

type SBOMConfig added in v1.2.0

type SBOMConfig struct {
	Enabled          bool                 `json:"enabled,omitempty"`
	PushToRegistry   bool                 `json:"pushToRegistry,omitempty"`
	UploadToTrustify bool                 `json:"uploadToTrustify,omitempty"`
	PurlTransform    *PurlTransformConfig `json:"purlTransform,omitempty"`
}

SBOMConfig holds configuration for SBOM generation during image builds.

func NewDefaultSBOMConfig added in v1.2.0

func NewDefaultSBOMConfig() *SBOMConfig

NewDefaultSBOMConfig returns the default SBOM configuration.

type SSHCryptoConfig added in v1.1.0

type SSHCryptoConfig struct {
	// KeyExchangeAlgorithms specifies allowed key exchange algorithms for SSH connections.
	// If empty, defaults are selected based on FIPS mode detection.
	// Example FIPS-compliant values: ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "diffie-hellman-group14-sha256"]
	KeyExchangeAlgorithms []string `json:"keyExchangeAlgorithms,omitempty"`

	// Ciphers specifies allowed ciphers (encryption algorithms) for SSH connections.
	// If empty, defaults are selected based on FIPS mode detection.
	// Note: In SSH, "ciphers" refer to encryption algorithms only, unlike TLS cipher suites
	// which bundle key exchange, encryption, and MAC together.
	// Example FIPS-compliant values: ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
	Ciphers []string `json:"ciphers,omitempty"`

	// MACs specifies allowed MAC (Message Authentication Code) algorithms for SSH connections.
	// If empty, defaults are selected based on FIPS mode detection.
	// Example FIPS-compliant values: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"]
	MACs []string `json:"macs,omitempty"`

	// HostKeyAlgorithms specifies allowed host key algorithms.
	// If empty, defaults are selected based on FIPS mode detection.
	// Example FIPS-compliant values: ["ecdsa-sha2-nistp256", "rsa-sha2-256", "rsa-sha2-512"]
	HostKeyAlgorithms []string `json:"hostKeyAlgorithms,omitempty"`

	// ForceFIPSMode explicitly enables or disables FIPS-compliant algorithms for SSH only.
	// If nil, inherits from CryptoPolicyConfig.ForceFIPSMode.
	// This allows SSH-specific override of the global FIPS setting.
	ForceFIPSMode *bool `json:"forceFipsMode,omitempty"`
}

SSHCryptoConfig contains configuration for SSH crypto algorithms used when accessing Git repositories over SSH or other SSH connections.

type ServiceConfig added in v0.6.0

type ServiceConfig struct {
	// EnrollmentService is the client configuration for connecting to the device enrollment server
	EnrollmentService EnrollmentService `json:"enrollment-service,omitempty"`
	// ManagementService is the client configuration for connecting to the device management server
	ManagementService ManagementService `json:"management-service,omitempty"`
}

func NewServiceConfig added in v0.6.0

func NewServiceConfig() ServiceConfig

type ThemeColors added in v1.1.0

type ThemeColors struct {
	// LogoDataUri is a data URI for a custom logo (e.g. "data:image/svg+xml;base64,...").
	// Use different logos per theme (e.g. dark text on light backgrounds, white text on dark backgrounds).
	// If not set, the default embedded Flight Control logo is used.
	LogoDataUri string `json:"logoDataUri,omitempty"`
	// BrandDefault overrides --pf-t--global--color--brand--default (primary brand color for buttons, links)
	BrandDefault string `json:"brandDefault,omitempty"`
	// BrandHover overrides --pf-t--global--color--brand--hover (brand color on hover/focus)
	BrandHover string `json:"brandHover,omitempty"`
	// BrandClicked overrides --pf-t--global--color--brand--clicked (brand color on click/active)
	BrandClicked string `json:"brandClicked,omitempty"`
	// BackgroundPrimary overrides --pf-t--global--background--color--primary--default (card/surface background)
	BackgroundPrimary string `json:"backgroundPrimary,omitempty"`
	// BackgroundSecondary overrides --pf-t--global--background--color--secondary--default (page background)
	BackgroundSecondary string `json:"backgroundSecondary,omitempty"`
	// TextColorRegular overrides --pf-t--global--text--color--regular (primary text color)
	TextColorRegular string `json:"textColorRegular,omitempty"`
}

ThemeColors defines PatternFly v6 semantic token overrides for a specific theme (light or dark). Each color field maps to a PF6 semantic CSS custom property. See https://www.patternfly.org/tokens/all-patternfly-tokens for the full token list.

type TracingConfig added in v1.2.0

type TracingConfig struct {
	Enabled  bool   `json:"enabled,omitempty"`
	Endpoint string `json:"endpoint,omitempty"`
	Insecure bool   `json:"insecure,omitempty"`
}

type TrustifyAuthConfig added in v1.2.0

type TrustifyAuthConfig struct {
	// Mode selects the authentication mode. Allowed values: "client-credentials", "none".
	Mode string `json:"mode,omitempty"`
	// OIDCIssuerURL is the OIDC issuer URL used in client-credentials mode.
	OIDCIssuerURL string `json:"oidcIssuerUrl,omitempty"`
	// ClientID is the OAuth2 client ID used in client-credentials mode.
	ClientID string `json:"clientId,omitempty"`
	// ClientSecret is the OAuth2 client secret used in client-credentials mode.
	ClientSecret api.SecureString `json:"clientSecret,omitempty"`
}

TrustifyAuthConfig configures authentication against the Trustify API.

type TrustifyConfig added in v1.2.0

type TrustifyConfig struct {
	// Endpoint is the Trustify API base URL (e.g. "https://trustify.example.com").
	// Do not include the /api/v1 or /api/v2 paths; the client appends them automatically.
	Endpoint string `json:"endpoint,omitempty"`
	// Auth configures how the periodic service authenticates to Trustify.
	Auth *TrustifyAuthConfig `json:"auth,omitempty"`
}

TrustifyConfig holds Trustify API connection and authentication details.

type VulnerabilityConfig added in v1.2.0

type VulnerabilityConfig struct {
	// Enabled enables vulnerability integration (sync task + API endpoints).
	Enabled bool `json:"enabled,omitempty"`
	// SyncInterval is the interval between Trustify sync runs (e.g. "15m", "1h").
	SyncInterval util.Duration `json:"syncInterval,omitempty"`
	// Trustify holds the Trustify connection details (periodic service only).
	Trustify *TrustifyConfig `json:"trustify,omitempty"`
}

VulnerabilityConfig holds configuration for the vulnerability integration feature.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL