Documentation
¶
Index ¶
- Constants
- Variables
- func CertificateDir() string
- func ClientConfigFile() string
- func ConfigDir() string
- func ConfigFile() string
- func LoadServerCertificates(cfg *Config, log *logrus.Logger) (*crypto.TLSCertificateConfig, error)
- func NewDefaultImageBuilderWorkerConfig() *imageBuilderWorkerConfig
- func NormalizedPURLPackageTypeID(s string) string
- func Save(cfg *Config, cfgFile string) error
- func Validate(cfg *Config) error
- type Config
- type ConfigOption
- func WithAAPAuth(apiUrl, externalApiUrl string) ConfigOption
- func WithK8sAuth(apiUrl, rbacNs string) ConfigOption
- func WithOAuth2Auth(authorizationUrl, tokenUrl, userinfoUrl, issuer, clientId string, enabled bool) ConfigOption
- func WithOIDCAuth(issuer, clientId string, enabled bool) ConfigOption
- func WithTracingEnabled() ConfigOption
- type CryptoPolicyConfig
- type DependenciesSyncConfig
- type EnrollmentService
- type HealthChecks
- type ImageBuilderServiceConfig
- type LoginBranding
- type ManagementService
- type PAMOIDCIssuer
- type PurlTransformConfig
- type PurlTransformTypeRules
- type RateLimitConfig
- type SBOMConfig
- type SSHCryptoConfig
- type ServiceConfig
- type ThemeColors
- type TracingConfig
- type TrustifyAuthConfig
- type TrustifyConfig
- type VulnerabilityConfig
Constants ¶
const DefaultDependenciesSyncPollInterval = 15 * time.Minute
DefaultDependenciesSyncPollInterval is the default polling interval for dependency probes.
const DefaultDependencySyncTaskInterval = 3 * time.Minute
DefaultDependencySyncTaskInterval is how often the dependency-sync periodic task executes. This is intentionally shorter than the poll interval so that newly added refs are discovered quickly and partial failures are retried within minutes rather than waiting for the full poll interval.
Variables ¶
var ( ErrCheckingServerCerts = errors.New("failed to check if server certificate and key can be read") ErrServerCertsNotFound = errors.New("server certificate and key files are missing or unreadable") ErrInvalidServerCerts = errors.New("failed to parse or load server certificate and key") )
Functions ¶
func CertificateDir ¶
func CertificateDir() string
func ClientConfigFile ¶
func ClientConfigFile() string
func ConfigFile ¶
func ConfigFile() string
func LoadServerCertificates ¶ added in v1.0.0
func NewDefaultImageBuilderWorkerConfig ¶ added in v1.1.0
func NewDefaultImageBuilderWorkerConfig() *imageBuilderWorkerConfig
NewDefaultImageBuilderWorkerConfig returns a default ImageBuilder worker configuration
func NormalizedPURLPackageTypeID ¶ added in v1.2.0
NormalizedPURLPackageTypeID returns the package type key for lookups (after "pkg:", lowercased).
Types ¶
type Config ¶
type Config struct {
Database *dbConfig `json:"database,omitempty"`
Service *svcConfig `json:"service,omitempty"`
ImageBuilderService *ImageBuilderServiceConfig `json:"imageBuilderService,omitempty"`
ImageBuilderWorker *imageBuilderWorkerConfig `json:"imageBuilderWorker,omitempty"`
KV *kvConfig `json:"kv,omitempty"`
Alertmanager *alertmanagerConfig `json:"alertmanager,omitempty"`
Auth *authConfig `json:"auth,omitempty"`
Metrics *metricsConfig `json:"metrics,omitempty"`
CA *ca.Config `json:"ca,omitempty"`
Tracing *TracingConfig `json:"tracing,omitempty"`
GitOps *gitOpsConfig `json:"gitOps,omitempty"`
CryptoPolicy *CryptoPolicyConfig `json:"cryptoPolicy,omitempty"`
Periodic *periodicConfig `json:"periodic,omitempty"`
Organizations *organizationsConfig `json:"organizations,omitempty"`
TelemetryGateway *telemetryGatewayConfig `json:"telemetrygateway,omitempty"`
VulnerabilityReporting *VulnerabilityConfig `json:"vulnerabilityReporting,omitempty"`
DependenciesSync *DependenciesSyncConfig `json:"dependenciesSync,omitempty"`
}
func LoadOrGenerate ¶
func NewDefault ¶
func NewDefault(opts ...ConfigOption) *Config
func NewFromFile ¶
func (*Config) GetDependenciesSyncPollInterval ¶ added in v1.2.0
GetDependenciesSyncPollInterval returns the configured poll interval, or the default if unset.
type ConfigOption ¶ added in v0.8.1
type ConfigOption func(*Config)
func WithAAPAuth ¶ added in v1.0.0
func WithAAPAuth(apiUrl, externalApiUrl string) ConfigOption
func WithK8sAuth ¶ added in v1.0.0
func WithK8sAuth(apiUrl, rbacNs string) ConfigOption
func WithOAuth2Auth ¶ added in v1.0.0
func WithOAuth2Auth(authorizationUrl, tokenUrl, userinfoUrl, issuer, clientId string, enabled bool) ConfigOption
func WithOIDCAuth ¶ added in v1.0.0
func WithOIDCAuth(issuer, clientId string, enabled bool) ConfigOption
func WithTracingEnabled ¶ added in v0.8.1
func WithTracingEnabled() ConfigOption
type CryptoPolicyConfig ¶ added in v1.1.0
type CryptoPolicyConfig struct {
// ForceFIPSMode explicitly enables or disables FIPS-compliant algorithms globally.
// If nil, FIPS mode is auto-detected at runtime from system configuration.
// If true, FIPS-compliant algorithms are used regardless of system FIPS mode.
// If false, library defaults are used even if system is in FIPS mode.
ForceFIPSMode *bool `json:"forceFipsMode,omitempty"`
SSH *SSHCryptoConfig `json:"ssh,omitempty"`
}
CryptoPolicyConfig contains cryptographic policy configuration for all protocols.
type DependenciesSyncConfig ¶ added in v1.2.0
type DependenciesSyncConfig struct {
// PollInterval is the polling interval for git/HTTP dependency probes (e.g. "15m", "1h").
// Default: 15m.
PollInterval util.Duration `json:"pollInterval,omitempty"`
}
DependenciesSyncConfig holds global settings for automated dependency synchronization.
type EnrollmentService ¶ added in v0.6.0
type EnrollmentService struct {
client.Config
// EnrollmentUIEndpoint is the address of the device enrollment UI
EnrollmentUIEndpoint string `json:"enrollment-ui-endpoint,omitempty"`
}
func (*EnrollmentService) Equal ¶ added in v0.6.0
func (s *EnrollmentService) Equal(s2 *EnrollmentService) bool
type HealthChecks ¶ added in v1.1.0
type HealthChecks struct {
Enabled bool `json:"enabled,omitempty"`
ReadinessPath string `json:"readinessPath,omitempty"`
LivenessPath string `json:"livenessPath,omitempty"`
ReadinessTimeout util.Duration `json:"readinessTimeout,omitempty"`
}
HealthChecks holds health check endpoint configuration.
type ImageBuilderServiceConfig ¶ added in v1.1.0
type ImageBuilderServiceConfig struct {
Address string `json:"address,omitempty"`
LogLevel string `json:"logLevel,omitempty"`
TLSCertFile string `json:"tlsCertFile,omitempty"`
TLSKeyFile string `json:"tlsKeyFile,omitempty"`
HttpReadTimeout util.Duration `json:"httpReadTimeout,omitempty"`
HttpReadHeaderTimeout util.Duration `json:"httpReadHeaderTimeout,omitempty"`
HttpWriteTimeout util.Duration `json:"httpWriteTimeout,omitempty"`
HttpIdleTimeout util.Duration `json:"httpIdleTimeout,omitempty"`
HttpMaxNumHeaders int `json:"httpMaxNumHeaders,omitempty"`
HttpMaxUrlLength int `json:"httpMaxUrlLength,omitempty"`
HttpMaxRequestSize int `json:"httpMaxRequestSize,omitempty"`
RateLimit *RateLimitConfig `json:"rateLimit,omitempty"`
HealthChecks *HealthChecks `json:"healthChecks,omitempty"`
DeleteCancelTimeout util.Duration `json:"deleteCancelTimeout,omitempty"`
}
func NewDefaultImageBuilderServiceConfig ¶ added in v1.1.0
func NewDefaultImageBuilderServiceConfig() *ImageBuilderServiceConfig
NewDefaultImageBuilderServiceConfig returns a default ImageBuilder service configuration
type LoginBranding ¶ added in v1.1.0
type LoginBranding struct {
// DisplayName is used in the page title ("<DisplayName> Login") and card heading
// Default: "Flight Control"
DisplayName string `json:"displayName,omitempty"`
// FaviconDataUri is a data URI for a custom favicon (e.g. "data:image/png;base64,...").
// If not set, the default embedded Flight Control favicon is used.
FaviconDataUri string `json:"faviconDataUri,omitempty"`
// DarkTheme overrides PatternFly CSS variables and logo for dark mode
DarkTheme *ThemeColors `json:"darkTheme,omitempty"`
// LightTheme overrides PatternFly CSS variables and logo for light mode
LightTheme *ThemeColors `json:"lightTheme,omitempty"`
}
LoginBranding configures the visual branding of the PAM issuer login UI
type ManagementService ¶ added in v0.6.0
func (*ManagementService) Equal ¶ added in v0.6.0
func (s *ManagementService) Equal(s2 *ManagementService) bool
type PAMOIDCIssuer ¶ added in v1.0.0
type PAMOIDCIssuer struct {
// Address is the listen address for the PAM issuer service (e.g., ":8444")
Address string `json:"address,omitempty"`
// If true, the PAM issuer service will listen on a plaintext socket instead of TLS.
DisableTLS bool `json:"disableTLS,omitempty"`
// Issuer is the base URL for the OIDC issuer (e.g., "https://flightctl.example.com")
Issuer string `json:"issuer,omitempty"`
// ClientID is the OAuth2 client ID for this issuer
ClientID string `json:"clientId,omitempty"`
// ClientSecret is the OAuth2 client secret for this issuer
ClientSecret string `json:"clientSecret,omitempty"`
// Scopes are the supported OAuth2 scopes
Scopes []string `json:"scopes,omitempty"`
// RedirectURIs are the allowed redirect URIs for OAuth2 flows
RedirectURIs []string `json:"redirectUris,omitempty"`
// PAMService is the PAM service name to use for authentication (default: "flightctl")
PAMService string `json:"pamService" validate:"required"`
// AllowPublicClientWithoutPKCE allows public clients (no client secret) to skip PKCE
// SECURITY WARNING: This should only be enabled for testing or backward compatibility
// Default: false (PKCE required for public clients per OAuth 2.0 Security BCP)
AllowPublicClientWithoutPKCE bool `json:"allowPublicClientWithoutPKCE,omitempty"`
// AccessTokenExpiration is the expiration duration for access tokens and ID tokens
// Default: 1 hour
AccessTokenExpiration util.Duration `json:"accessTokenExpiration,omitempty"`
// RefreshTokenExpiration is the expiration duration for refresh tokens
// Default: 7 days
RefreshTokenExpiration util.Duration `json:"refreshTokenExpiration,omitempty"`
// PendingSessionCookieMaxAge is the MaxAge duration for pending session cookies
// Default: 10 minutes
PendingSessionCookieMaxAge util.Duration `json:"pendingSessionCookieMaxAge,omitempty"`
// AuthenticatedSessionCookieMaxAge is the MaxAge duration for authenticated session cookies
// Default: 30 minutes
AuthenticatedSessionCookieMaxAge util.Duration `json:"authenticatedSessionCookieMaxAge,omitempty"`
// Branding configures the login UI appearance (logo, display name, colors)
// If nil, the default Flight Control branding is used
Branding *LoginBranding `json:"branding,omitempty"`
}
PAMOIDCIssuer represents an OIDC issuer that uses Linux PAM for authentication
type PurlTransformConfig ¶ added in v1.2.0
type PurlTransformConfig struct {
// Enabled, when nil, means enabled (default). Set to false to disable PURL normalization.
Enabled *bool `json:"enabled,omitempty"`
// ByType maps package type ID (e.g. "rpm") to rules for that type only.
ByType map[string]PurlTransformTypeRules `json:"byType,omitempty"`
}
PurlTransformConfig holds configuration for PURL normalization.
func NewDefaultPurlTransformConfig ¶ added in v1.2.0
func NewDefaultPurlTransformConfig() *PurlTransformConfig
NewDefaultPurlTransformConfig returns default PURL transformation config for RHEL-based distros.
func (*PurlTransformConfig) EffectivePurlTransformEnabled ¶ added in v1.2.0
func (p *PurlTransformConfig) EffectivePurlTransformEnabled() bool
EffectivePurlTransformEnabled returns whether PURL normalization is enabled.
type PurlTransformTypeRules ¶ added in v1.2.0
type PurlTransformTypeRules struct {
NamespaceMapping map[string]string `json:"namespaceMapping,omitempty"`
DistroMapping map[string]string `json:"distroMapping,omitempty"`
AllowedQualifiers []string `json:"allowedQualifiers,omitempty"`
}
PurlTransformTypeRules defines namespace, distro, and qualifier rules for one PURL package type (map key and segment after "pkg:" in pkg:type/..., e.g. "rpm").
type RateLimitConfig ¶ added in v0.9.0
type RateLimitConfig struct {
Enabled bool `json:"enabled,omitempty"` // Enable/disable rate limiting
Requests int `json:"requests,omitempty"` // max requests per window
Window util.Duration `json:"window,omitempty"` // e.g. "1m" for one minute
AuthRequests int `json:"authRequests,omitempty"` // max auth requests per window
AuthWindow util.Duration `json:"authWindow,omitempty"` // e.g. "1h" for one hour
// TrustedProxies specifies IP addresses/networks that are allowed to set proxy headers
// If empty, proxy headers are ignored for security (only direct connection IPs are used)
TrustedProxies []string `json:"trustedProxies,omitempty"`
}
type SBOMConfig ¶ added in v1.2.0
type SBOMConfig struct {
Enabled bool `json:"enabled,omitempty"`
PushToRegistry bool `json:"pushToRegistry,omitempty"`
UploadToTrustify bool `json:"uploadToTrustify,omitempty"`
PurlTransform *PurlTransformConfig `json:"purlTransform,omitempty"`
}
SBOMConfig holds configuration for SBOM generation during image builds.
func NewDefaultSBOMConfig ¶ added in v1.2.0
func NewDefaultSBOMConfig() *SBOMConfig
NewDefaultSBOMConfig returns the default SBOM configuration.
type SSHCryptoConfig ¶ added in v1.1.0
type SSHCryptoConfig struct {
// KeyExchangeAlgorithms specifies allowed key exchange algorithms for SSH connections.
// If empty, defaults are selected based on FIPS mode detection.
// Example FIPS-compliant values: ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "diffie-hellman-group14-sha256"]
KeyExchangeAlgorithms []string `json:"keyExchangeAlgorithms,omitempty"`
// Ciphers specifies allowed ciphers (encryption algorithms) for SSH connections.
// If empty, defaults are selected based on FIPS mode detection.
// Note: In SSH, "ciphers" refer to encryption algorithms only, unlike TLS cipher suites
// which bundle key exchange, encryption, and MAC together.
// Example FIPS-compliant values: ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
Ciphers []string `json:"ciphers,omitempty"`
// MACs specifies allowed MAC (Message Authentication Code) algorithms for SSH connections.
// If empty, defaults are selected based on FIPS mode detection.
// Example FIPS-compliant values: ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"]
MACs []string `json:"macs,omitempty"`
// HostKeyAlgorithms specifies allowed host key algorithms.
// If empty, defaults are selected based on FIPS mode detection.
// Example FIPS-compliant values: ["ecdsa-sha2-nistp256", "rsa-sha2-256", "rsa-sha2-512"]
HostKeyAlgorithms []string `json:"hostKeyAlgorithms,omitempty"`
// ForceFIPSMode explicitly enables or disables FIPS-compliant algorithms for SSH only.
// If nil, inherits from CryptoPolicyConfig.ForceFIPSMode.
// This allows SSH-specific override of the global FIPS setting.
ForceFIPSMode *bool `json:"forceFipsMode,omitempty"`
}
SSHCryptoConfig contains configuration for SSH crypto algorithms used when accessing Git repositories over SSH or other SSH connections.
type ServiceConfig ¶ added in v0.6.0
type ServiceConfig struct {
// EnrollmentService is the client configuration for connecting to the device enrollment server
EnrollmentService EnrollmentService `json:"enrollment-service,omitempty"`
// ManagementService is the client configuration for connecting to the device management server
ManagementService ManagementService `json:"management-service,omitempty"`
}
func NewServiceConfig ¶ added in v0.6.0
func NewServiceConfig() ServiceConfig
type ThemeColors ¶ added in v1.1.0
type ThemeColors struct {
// LogoDataUri is a data URI for a custom logo (e.g. "data:image/svg+xml;base64,...").
// Use different logos per theme (e.g. dark text on light backgrounds, white text on dark backgrounds).
// If not set, the default embedded Flight Control logo is used.
LogoDataUri string `json:"logoDataUri,omitempty"`
// BrandDefault overrides --pf-t--global--color--brand--default (primary brand color for buttons, links)
BrandDefault string `json:"brandDefault,omitempty"`
// BrandHover overrides --pf-t--global--color--brand--hover (brand color on hover/focus)
BrandHover string `json:"brandHover,omitempty"`
// BrandClicked overrides --pf-t--global--color--brand--clicked (brand color on click/active)
BrandClicked string `json:"brandClicked,omitempty"`
// BackgroundPrimary overrides --pf-t--global--background--color--primary--default (card/surface background)
BackgroundPrimary string `json:"backgroundPrimary,omitempty"`
// BackgroundSecondary overrides --pf-t--global--background--color--secondary--default (page background)
BackgroundSecondary string `json:"backgroundSecondary,omitempty"`
// TextColorRegular overrides --pf-t--global--text--color--regular (primary text color)
TextColorRegular string `json:"textColorRegular,omitempty"`
}
ThemeColors defines PatternFly v6 semantic token overrides for a specific theme (light or dark). Each color field maps to a PF6 semantic CSS custom property. See https://www.patternfly.org/tokens/all-patternfly-tokens for the full token list.
type TracingConfig ¶ added in v1.2.0
type TrustifyAuthConfig ¶ added in v1.2.0
type TrustifyAuthConfig struct {
// Mode selects the authentication mode. Allowed values: "client-credentials", "none".
Mode string `json:"mode,omitempty"`
// OIDCIssuerURL is the OIDC issuer URL used in client-credentials mode.
OIDCIssuerURL string `json:"oidcIssuerUrl,omitempty"`
// ClientID is the OAuth2 client ID used in client-credentials mode.
ClientID string `json:"clientId,omitempty"`
// ClientSecret is the OAuth2 client secret used in client-credentials mode.
ClientSecret api.SecureString `json:"clientSecret,omitempty"`
}
TrustifyAuthConfig configures authentication against the Trustify API.
type TrustifyConfig ¶ added in v1.2.0
type TrustifyConfig struct {
// Endpoint is the Trustify API base URL (e.g. "https://trustify.example.com").
// Do not include the /api/v1 or /api/v2 paths; the client appends them automatically.
Endpoint string `json:"endpoint,omitempty"`
// Auth configures how the periodic service authenticates to Trustify.
Auth *TrustifyAuthConfig `json:"auth,omitempty"`
}
TrustifyConfig holds Trustify API connection and authentication details.
type VulnerabilityConfig ¶ added in v1.2.0
type VulnerabilityConfig struct {
// Enabled enables vulnerability integration (sync task + API endpoints).
Enabled bool `json:"enabled,omitempty"`
// SyncInterval is the interval between Trustify sync runs (e.g. "15m", "1h").
SyncInterval util.Duration `json:"syncInterval,omitempty"`
// Trustify holds the Trustify connection details (periodic service only).
Trustify *TrustifyConfig `json:"trustify,omitempty"`
}
VulnerabilityConfig holds configuration for the vulnerability integration feature.