Documentation
¶
Overview ¶
Package config provides application configuration management using Viper. It supports configuration files, environment variables, and CLI flag overrides.
Index ¶
- Constants
- func DefaultConfigPath() (string, error)
- func IsValidCatalogType(t string) bool
- func IsValidHTTPClientCacheType(t string) bool
- func ResetGlobal()
- func ValidCatalogTypes() []string
- func ValidHTTPClientCacheTypes() []string
- func WithConfig(ctx context.Context, cfg *Config) context.Context
- func WithManagerOptions(ctx context.Context, opts []ManagerOption) context.Context
- type APIAuditConfig
- type APIAuthConfig
- type APIAzureOIDCConfig
- type APICORSConfig
- type APICompressionConfig
- type APIOpenAPIConfig
- type APIOpenAPIServerConfig
- type APIProfilerConfig
- type APIRateLimitConfig
- type APIRateLimitEntry
- type APIServerConfig
- type APITLSConfig
- type APITracingConfig
- type ActionConfig
- type ActionConfigValues
- type AuthConfig
- type BuildConfig
- type CELConfig
- type CELConfigValues
- type CatalogConfig
- type Config
- func (c *Config) AddCatalog(catalog CatalogConfig) error
- func (c *Config) CheckVersion() string
- func (c *Config) GetCatalog(name string) (*CatalogConfig, bool)
- func (c *Config) GetDefaultCatalog() (*CatalogConfig, bool)
- func (c *Config) RemoveCatalog(name string) error
- func (c *Config) SetDefaultCatalog(name string) error
- func (c *Config) Validate() error
- type CustomOAuth2Config
- type EntraAuthConfig
- type GCPAuthConfig
- type GitHubAuthConfig
- type GlobalAuthConfig
- type GoTemplateConfig
- type GoTemplateConfigValues
- type HTTPClientConfig
- type IdentityFieldMapping
- type LoggingConfig
- type Manager
- func (m *Manager) AllSettings() map[string]any
- func (m *Manager) Config() *Config
- func (m *Manager) ConfigPath() string
- func (m *Manager) Get(key string) any
- func (m *Manager) GetUnknownKeys() []string
- func (m *Manager) IsSet(key string) bool
- func (m *Manager) Load() (*Config, error)
- func (m *Manager) Save() error
- func (m *Manager) SaveAs(path string) error
- func (m *Manager) Set(key string, value any)
- func (m *Manager) WarnUnknownKeys(ctx context.Context)
- type ManagerOption
- type ResolverConfig
- type ResolverConfigValues
- type SanitizedAuth
- type SanitizedCatAuth
- type SanitizedCatalog
- type SanitizedConfig
- type SanitizedEntraAuth
- type SanitizedGCPAuth
- type SanitizedGitHubAuth
- type Settings
- type TelemetryConfig
- type TokenExchangeConfig
- type VersionCheckConfig
Constants ¶
View Source
const ( // DefaultConfigFileName is the default config file name (without extension). DefaultConfigFileName = "config" // DefaultConfigFileType is the default config file type. DefaultConfigFileType = "yaml" // EnvPrefix is the environment variable prefix. EnvPrefix = "SCAFCTL" )
View Source
const ( CatalogTypeFilesystem = "filesystem" CatalogTypeOCI = "oci" CatalogTypeHTTP = "http" )
CatalogType constants define the supported catalog types.
View Source
const ( HTTPClientCacheTypeMemory = "memory" HTTPClientCacheTypeFilesystem = "filesystem" )
HTTPClientCacheType constants define the supported HTTP cache types.
View Source
const CurrentConfigVersion = 1
CurrentConfigVersion is the current config file version.
View Source
const LoggingFormatConsole = "console"
LoggingFormatConsole is the human-readable console log format.
View Source
const LoggingFormatJSON = "json"
LoggingFormatJSON is the JSON log format.
View Source
const LoggingFormatText = "text"
LoggingFormatText is the text log format (alias for console).
View Source
const RedactedValue = "***REDACTED***"
RedactedValue is the placeholder inserted for sensitive fields.
Variables ¶
This section is empty.
Functions ¶
func DefaultConfigPath ¶
DefaultConfigPath returns the default configuration file path. Uses XDG Base Directory Specification.
func IsValidCatalogType ¶
IsValidCatalogType returns true if the given type is valid.
func IsValidHTTPClientCacheType ¶
IsValidHTTPClientCacheType returns true if the given cache type is valid.
func ResetGlobal ¶
func ResetGlobal()
ResetGlobal resets the global configuration (primarily for testing).
func ValidCatalogTypes ¶
func ValidCatalogTypes() []string
ValidCatalogTypes returns the list of valid catalog types.
func ValidHTTPClientCacheTypes ¶
func ValidHTTPClientCacheTypes() []string
ValidHTTPClientCacheTypes returns the list of valid HTTP cache types.
func WithConfig ¶
WithConfig returns a new context with the Config stored in it.
func WithManagerOptions ¶ added in v0.7.0
func WithManagerOptions(ctx context.Context, opts []ManagerOption) context.Context
WithManagerOptions stores ManagerOption values in the context so that subcommands which create their own Manager can apply the same embedder options (e.g., WithBaseConfig, WithEnvPrefix).
Types ¶
type APIAuditConfig ¶ added in v0.7.0
type APIAuditConfig struct {
Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable audit logging"`
TrustProxy bool `` /* 294-byte string literal not displayed */
}
APIAuditConfig holds audit logging configuration.
type APIAuthConfig ¶ added in v0.7.0
type APIAuthConfig struct {
AzureOIDC APIAzureOIDCConfig `json:"azureOIDC,omitempty" yaml:"azureOIDC,omitempty" mapstructure:"azureOIDC" doc:"Azure AD OIDC configuration"`
}
APIAuthConfig holds API authentication configuration.
type APIAzureOIDCConfig ¶ added in v0.7.0
type APIAzureOIDCConfig struct {
Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable Entra OIDC authentication"`
TenantID string `` /* 162-byte string literal not displayed */
ClientID string `` /* 162-byte string literal not displayed */
}
APIAzureOIDCConfig holds Azure AD OIDC configuration.
type APICORSConfig ¶ added in v0.7.0
type APICORSConfig struct {
Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable CORS"`
AllowedOrigins []string `` /* 129-byte string literal not displayed */
AllowedMethods []string `` /* 134-byte string literal not displayed */
AllowedHeaders []string `` /* 129-byte string literal not displayed */
MaxAge int `` /* 144-byte string literal not displayed */
}
APICORSConfig holds CORS configuration for the API server.
type APICompressionConfig ¶ added in v0.7.0
type APICompressionConfig struct {
Level int `` /* 132-byte string literal not displayed */
}
APICompressionConfig holds response compression configuration.
type APIOpenAPIConfig ¶ added in v0.7.0
type APIOpenAPIConfig struct {
Servers []APIOpenAPIServerConfig `json:"servers,omitempty" yaml:"servers,omitempty" mapstructure:"servers" doc:"OpenAPI server entries" maxItems:"10"`
Title string `json:"title,omitempty" yaml:"title,omitempty" mapstructure:"title" doc:"API title" maxLength:"200" example:"scafctl API"`
Description string `json:"description,omitempty" yaml:"description,omitempty" mapstructure:"description" doc:"API description" maxLength:"2000"`
}
APIOpenAPIConfig holds OpenAPI specification configuration.
type APIOpenAPIServerConfig ¶ added in v0.7.0
type APIOpenAPIServerConfig struct {
URL string `json:"url" yaml:"url" mapstructure:"url" doc:"Server URL" maxLength:"2048" example:"https://api.example.com"`
Description string `json:"description,omitempty" yaml:"description,omitempty" mapstructure:"description" doc:"Server description" maxLength:"500"`
}
APIOpenAPIServerConfig holds a single OpenAPI server entry.
type APIProfilerConfig ¶ added in v0.7.0
type APIProfilerConfig struct {
Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable pprof profiler endpoints"`
AllowUnauthProd bool `` /* 154-byte string literal not displayed */
}
APIProfilerConfig holds profiler configuration for the API server.
type APIRateLimitConfig ¶ added in v0.7.0
type APIRateLimitConfig struct {
Global *APIRateLimitEntry `json:"global,omitempty" yaml:"global,omitempty" mapstructure:"global" doc:"Global rate limit"`
Endpoints map[string]*APIRateLimitEntry `` /* 179-byte string literal not displayed */
}
APIRateLimitConfig holds rate limiting configuration.
type APIRateLimitEntry ¶ added in v0.7.0
type APIRateLimitEntry struct {
MaxRequests int `` /* 128-byte string literal not displayed */
Window string `json:"window" yaml:"window" mapstructure:"window" doc:"Time window for rate limit" example:"1m" maxLength:"20"`
TrustProxy bool `` /* 295-byte string literal not displayed */
}
APIRateLimitEntry defines a rate limit rule.
type APIServerConfig ¶ added in v0.7.0
type APIServerConfig struct {
Host string `` /* 177-byte string literal not displayed */
Port int `` /* 130-byte string literal not displayed */
APIVersion string `` /* 246-byte string literal not displayed */
ShutdownTimeout string `` /* 157-byte string literal not displayed */
RequestTimeout string `` /* 152-byte string literal not displayed */
BodyReadTimeout string `` /* 177-byte string literal not displayed */
MaxRequestSize int64 `` /* 174-byte string literal not displayed */
TLS APITLSConfig `json:"tls,omitempty" yaml:"tls,omitempty" mapstructure:"tls" doc:"TLS configuration"`
CORS APICORSConfig `json:"cors,omitempty" yaml:"cors,omitempty" mapstructure:"cors" doc:"CORS configuration"`
RateLimit APIRateLimitConfig `json:"rateLimit,omitempty" yaml:"rateLimit,omitempty" mapstructure:"rateLimit" doc:"Rate limiting configuration"`
Auth APIAuthConfig `json:"auth,omitempty" yaml:"auth,omitempty" mapstructure:"auth" doc:"Authentication configuration"`
Compression APICompressionConfig `json:"compression,omitempty" yaml:"compression,omitempty" mapstructure:"compression" doc:"Response compression configuration"`
OpenAPI APIOpenAPIConfig `` /* 205-byte string literal not displayed */
Profiler APIProfilerConfig `` /* 166-byte string literal not displayed */
Audit APIAuditConfig `json:"audit,omitempty" yaml:"audit,omitempty" mapstructure:"audit" doc:"Audit logging configuration"`
Tracing APITracingConfig `json:"tracing,omitempty" yaml:"tracing,omitempty" mapstructure:"tracing" doc:"OpenTelemetry tracing configuration"`
MaxConcurrent int `` /* 202-byte string literal not displayed */
}
APIServerConfig holds REST API server configuration.
type APITLSConfig ¶ added in v0.7.0
type APITLSConfig struct {
Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable TLS"`
Cert string `` /* 143-byte string literal not displayed */
Key string `` /* 139-byte string literal not displayed */
}
APITLSConfig holds TLS configuration for the API server.
type APITracingConfig ¶ added in v0.7.0
type APITracingConfig struct {
Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable OpenTelemetry tracing"`
}
APITracingConfig holds OpenTelemetry tracing configuration for the API server.
type ActionConfig ¶
type ActionConfig struct {
// DefaultTimeout is the default timeout per action execution
DefaultTimeout string `` /* 150-byte string literal not displayed */
// GracePeriod is the cancellation grace period
GracePeriod string `` /* 145-byte string literal not displayed */
// MaxConcurrency is the max concurrent actions (0 = unlimited)
MaxConcurrency int `` /* 162-byte string literal not displayed */
// OutputDir is the default target directory for action file operations.
// When set, actions resolve relative paths against this directory instead of CWD.
// Can be overridden by the --output-dir CLI flag.
OutputDir string `` /* 175-byte string literal not displayed */
}
ActionConfig holds action executor configuration.
func (*ActionConfig) ToActionValues ¶
func (a *ActionConfig) ToActionValues() (ActionConfigValues, error)
ToActionValues converts ActionConfig to an ActionConfigValues struct. Duration strings are parsed, and zero/empty values use defaults from settings.
func (*ActionConfig) Validate ¶
func (a *ActionConfig) Validate() error
Validate validates the action configuration. Returns an error if any value is invalid.
type ActionConfigValues ¶
type ActionConfigValues struct {
DefaultTimeout time.Duration `json:"defaultTimeout" yaml:"defaultTimeout" doc:"Default per-action execution timeout"`
GracePeriod time.Duration `json:"gracePeriod" yaml:"gracePeriod" doc:"Cancellation grace period"`
MaxConcurrency int `json:"maxConcurrency" yaml:"maxConcurrency" doc:"Maximum concurrent action executions" maximum:"1000" example:"5"`
OutputDir string `json:"outputDir" yaml:"outputDir" doc:"Default target directory for action file operations"`
}
ActionConfigValues holds parsed action config values with durations.
type AuthConfig ¶
type AuthConfig struct {
Type string `json:"type" yaml:"type" mapstructure:"type" doc:"Auth type" example:"token" maxLength:"50"`
TokenEnvVar string `` /* 168-byte string literal not displayed */
}
AuthConfig holds authentication settings for a catalog.
type BuildConfig ¶ added in v0.3.0
type BuildConfig struct {
// EnableCache enables build-level caching to skip redundant builds.
EnableCache *bool `json:"enableCache,omitempty" yaml:"enableCache,omitempty" mapstructure:"enableCache" doc:"Enable build-level caching"`
// CacheDir is the directory for storing build cache entries.
CacheDir string `` /* 159-byte string literal not displayed */
// AutoCacheRemoteArtifacts automatically caches remote catalog fetches into the local catalog.
AutoCacheRemoteArtifacts *bool `` /* 171-byte string literal not displayed */
// PluginCacheDir is the directory for cached plugin binaries.
PluginCacheDir string `` /* 181-byte string literal not displayed */
}
BuildConfig holds build command configuration.
func (*BuildConfig) IsAutoCacheRemoteArtifacts ¶ added in v0.3.0
func (b *BuildConfig) IsAutoCacheRemoteArtifacts() bool
IsAutoCacheRemoteArtifacts returns whether remote artifacts are auto-cached (defaults to true).
func (*BuildConfig) IsCacheEnabled ¶ added in v0.3.0
func (b *BuildConfig) IsCacheEnabled() bool
IsCacheEnabled returns whether build caching is enabled (defaults to true).
func (*BuildConfig) Validate ¶ added in v0.3.0
func (b *BuildConfig) Validate() error
Validate validates the build configuration.
type CELConfig ¶
type CELConfig struct {
// CacheSize is the maximum number of compiled programs to cache
CacheSize int `` /* 141-byte string literal not displayed */
// CostLimit is the cost limit for expression evaluation (0 = disabled)
// Prevents runaway expressions from consuming resources
CostLimit int64 `` /* 150-byte string literal not displayed */
// UseASTBasedCaching enables AST-based cache key generation for better hit rates
// Expressions with same structure share cache entries
UseASTBasedCaching bool `` /* 139-byte string literal not displayed */
// EnableMetrics enables expression metrics collection
EnableMetrics *bool `json:"enableMetrics,omitempty" yaml:"enableMetrics,omitempty" mapstructure:"enableMetrics" doc:"Enable expression metrics"`
}
CELConfig holds CEL expression engine configuration.
func (*CELConfig) ToCELValues ¶
func (c *CELConfig) ToCELValues() CELConfigValues
ToCELValues converts CELConfig to a CELConfigValues struct. If a config value is zero/empty, the default value from settings is used.
type CELConfigValues ¶
type CELConfigValues struct {
CacheSize int `json:"cacheSize" yaml:"cacheSize" doc:"CEL program cache size" maximum:"100000" example:"1000"`
CostLimit int64 `json:"costLimit" yaml:"costLimit" doc:"CEL evaluation cost limit" maximum:"1000000000" example:"100000"`
UseASTBasedCaching bool `json:"useASTBasedCaching" yaml:"useASTBasedCaching" doc:"Use AST-based cache keys for deduplication"`
EnableMetrics bool `json:"enableMetrics" yaml:"enableMetrics" doc:"Enable CEL evaluation metrics"`
}
CELConfigValues holds parsed CEL configuration values. This avoids circular dependencies between config and celexp packages.
type CatalogConfig ¶
type CatalogConfig struct {
Name string `json:"name" yaml:"name" mapstructure:"name" doc:"Catalog name" example:"internal" maxLength:"255"`
Type string `json:"type" yaml:"type" mapstructure:"type" doc:"Catalog type" example:"filesystem" maxLength:"50"`
Path string `` /* 151-byte string literal not displayed */
URL string `` /* 145-byte string literal not displayed */
Auth *AuthConfig `json:"auth,omitempty" yaml:"auth,omitempty" mapstructure:"auth" doc:"Authentication configuration"`
AuthProvider string `` /* 199-byte string literal not displayed */
AuthScope string `` /* 194-byte string literal not displayed */
Metadata map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty" mapstructure:"metadata" doc:"Additional metadata"`
HTTPClient *HTTPClientConfig `` /* 144-byte string literal not displayed */
}
CatalogConfig represents a single catalog configuration.
func (*CatalogConfig) Validate ¶
func (c *CatalogConfig) Validate() error
Validate validates a catalog configuration.
type Config ¶
type Config struct {
Version int `json:"version,omitempty" yaml:"version,omitempty" mapstructure:"version" doc:"Config file version" example:"1" maximum:"100"`
Catalogs []CatalogConfig `json:"catalogs" yaml:"catalogs" mapstructure:"catalogs" doc:"Configured catalogs" maxItems:"50"`
Settings Settings `json:"settings" yaml:"settings" mapstructure:"settings" doc:"Application settings"`
Logging LoggingConfig `json:"logging,omitempty" yaml:"logging,omitempty" mapstructure:"logging" doc:"Logging configuration"`
Telemetry TelemetryConfig `json:"telemetry,omitempty" yaml:"telemetry,omitempty" mapstructure:"telemetry" doc:"OpenTelemetry configuration"`
HTTPClient HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"Global HTTP client configuration"`
CEL CELConfig `json:"cel,omitempty" yaml:"cel,omitempty" mapstructure:"cel" doc:"CEL expression engine configuration"`
GoTemplate GoTemplateConfig `json:"goTemplate,omitempty" yaml:"goTemplate,omitempty" mapstructure:"goTemplate" doc:"Go template engine configuration"`
Resolver ResolverConfig `json:"resolver,omitempty" yaml:"resolver,omitempty" mapstructure:"resolver" doc:"Resolver executor configuration"`
Action ActionConfig `json:"action,omitempty" yaml:"action,omitempty" mapstructure:"action" doc:"Action executor configuration"`
Auth GlobalAuthConfig `json:"auth,omitempty" yaml:"auth,omitempty" mapstructure:"auth" doc:"Authentication handler configuration"`
Build BuildConfig `json:"build,omitempty" yaml:"build,omitempty" mapstructure:"build" doc:"Build command configuration"`
APIServer APIServerConfig `json:"apiServer,omitempty" yaml:"apiServer,omitempty" mapstructure:"apiServer" doc:"REST API server configuration"`
}
Config represents the application configuration.
func FromContext ¶
FromContext retrieves the Config from the context. Returns nil if no Config is stored in the context.
func (*Config) AddCatalog ¶
func (c *Config) AddCatalog(catalog CatalogConfig) error
AddCatalog adds a new catalog configuration.
func (*Config) CheckVersion ¶
CheckVersion checks if the config version is current and returns a warning message if not. Returns an empty string if the version is current or if version checking should be skipped.
func (*Config) GetCatalog ¶
func (c *Config) GetCatalog(name string) (*CatalogConfig, bool)
GetCatalog returns a catalog configuration by name.
func (*Config) GetDefaultCatalog ¶
func (c *Config) GetDefaultCatalog() (*CatalogConfig, bool)
GetDefaultCatalog returns the default catalog configuration.
func (*Config) RemoveCatalog ¶
RemoveCatalog removes a catalog by name.
func (*Config) SetDefaultCatalog ¶
SetDefaultCatalog sets the default catalog by name. Returns an error if the catalog doesn't exist.
type CustomOAuth2Config ¶ added in v0.7.0
type CustomOAuth2Config struct {
// Name is the handler identifier, used as: scafctl auth login <name>
// Must not conflict with built-in handler names (github, gcp, entra).
Name string `json:"name" yaml:"name" mapstructure:"name" doc:"Handler name (used as CLI argument)" maxLength:"64" example:"quay"`
DisplayName string `` /* 152-byte string literal not displayed */
// OAuth2 endpoints
AuthorizeURL string `` /* 214-byte string literal not displayed */
TokenURL string `` /* 145-byte string literal not displayed */
DeviceAuthURL string `` /* 228-byte string literal not displayed */
// Client credentials
ClientID string `json:"clientID" yaml:"clientID" mapstructure:"clientID" doc:"OAuth2 client ID" maxLength:"256"`
ClientSecret string `` //nolint:gosec // G117: config field, not a hardcoded credential
/* 169-byte string literal not displayed */
// Flow configuration
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty" mapstructure:"scopes" doc:"Default OAuth scopes" maxItems:"20"`
DefaultFlow string `` /* 244-byte string literal not displayed */
CallbackPort int `` /* 190-byte string literal not displayed */
DeviceCodePollInterval int `` /* 230-byte string literal not displayed */
DisablePKCE bool `` /* 153-byte string literal not displayed */
ResponseType string `` /* 205-byte string literal not displayed */
// Token verification
VerifyURL string `` /* 179-byte string literal not displayed */
IdentityFields *IdentityFieldMapping `` /* 153-byte string literal not displayed */
// Registry association (optional, only for OCI registry auth)
Registry string `` /* 178-byte string literal not displayed */
RegistryUsername string `` /* 187-byte string literal not displayed */
// Token exchange (optional secondary credential derivation)
TokenExchange *TokenExchangeConfig `` /* 186-byte string literal not displayed */
}
CustomOAuth2Config defines a user-configurable OAuth2 auth handler. Each entry registers as its own named auth.Handler, usable for any OAuth2 service (OCI registries, APIs, providers, etc.).
type EntraAuthConfig ¶
type EntraAuthConfig struct {
// HTTPClient optionally overrides HTTP settings for Entra auth requests.
HTTPClient *HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"HTTP client overrides for Entra"`
// ClientID overrides the default application ID.
// If not set, uses the default scafctl public client ID.
ClientID string `` /* 164-byte string literal not displayed */
// TenantID sets the default tenant for authentication.
// Use "common" for multi-tenant, "organizations" for work/school only,
// or a specific tenant GUID.
TenantID string `` /* 137-byte string literal not displayed */
// DefaultScopes are requested during login if not specified on command line.
DefaultScopes []string `` /* 131-byte string literal not displayed */
}
EntraAuthConfig contains Entra-specific configuration.
type GCPAuthConfig ¶ added in v0.5.0
type GCPAuthConfig struct {
// HTTPClient optionally overrides HTTP settings for GCP auth requests.
HTTPClient *HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"HTTP client overrides for GCP"`
// ClientID overrides the default OAuth 2.0 client ID.
ClientID string `` /* 195-byte string literal not displayed */
// ClientSecret overrides the default OAuth 2.0 client secret.
ClientSecret string `` //nolint:gosec // G117: not a hardcoded credential, it's a config field
/* 169-byte string literal not displayed */
// DefaultScopes are requested during login if not specified on command line.
DefaultScopes []string `` /* 154-byte string literal not displayed */
// ImpersonateServiceAccount is the service account email to impersonate.
ImpersonateServiceAccount string `` /* 237-byte string literal not displayed */
// Project is the default GCP project ID.
Project string `` /* 141-byte string literal not displayed */
}
GCPAuthConfig contains GCP-specific configuration.
type GitHubAuthConfig ¶ added in v0.5.0
type GitHubAuthConfig struct {
// HTTPClient optionally overrides HTTP settings for GitHub auth requests.
HTTPClient *HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"HTTP client overrides for GitHub"`
// ClientID overrides the default GitHub OAuth App client ID.
// If not set, uses the default scafctl OAuth App client ID.
ClientID string `` /* 150-byte string literal not displayed */
// ClientSecret is the GitHub OAuth App client secret.
// Required for the interactive (browser authorization code + PKCE) flow.
// When not set, the interactive flow automatically uses device code with
// browser auto-open — the same behaviour as 'gh auth login'.
ClientSecret string `` //nolint:gosec // G117: config field, not a hardcoded credential
/* 177-byte string literal not displayed */
// Hostname sets the GitHub hostname for enterprise server (GHES).
// Defaults to "github.com".
Hostname string `` /* 134-byte string literal not displayed */
// DefaultScopes are requested during login if not specified on command line.
DefaultScopes []string `` /* 131-byte string literal not displayed */
// AppID is the GitHub App ID for the installation token flow.
AppID int64 `` /* 152-byte string literal not displayed */
// InstallationID is the GitHub App installation ID.
InstallationID int64 `` /* 166-byte string literal not displayed */
// PrivateKeyPath is the file path to the PEM-encoded private key for the GitHub App.
PrivateKeyPath string `` /* 207-byte string literal not displayed */
// PrivateKey is the inline PEM-encoded private key for the GitHub App.
PrivateKey string `` //nolint:gosec // Field name, not a credential
/* 154-byte string literal not displayed */
// PrivateKeySecretName is the name of the secret store entry containing the private key.
PrivateKeySecretName string `` /* 206-byte string literal not displayed */
}
GitHubAuthConfig contains GitHub-specific configuration.
type GlobalAuthConfig ¶
type GlobalAuthConfig struct {
// HTTPClient optionally overrides the global HTTP client settings for all auth handlers.
// Individual handler configs (Entra, GitHub, GCP) can further override these.
HTTPClient *HTTPClientConfig `` /* 127-byte string literal not displayed */
// Entra contains Microsoft Entra ID configuration.
Entra *EntraAuthConfig `json:"entra,omitempty" yaml:"entra,omitempty" mapstructure:"entra" doc:"Microsoft Entra ID configuration"`
// GitHub contains GitHub authentication configuration.
GitHub *GitHubAuthConfig `json:"github,omitempty" yaml:"github,omitempty" mapstructure:"github" doc:"GitHub authentication configuration"`
// GCP contains Google Cloud Platform authentication configuration.
GCP *GCPAuthConfig `json:"gcp,omitempty" yaml:"gcp,omitempty" mapstructure:"gcp" doc:"Google Cloud Platform authentication configuration"`
// CustomOAuth2 contains user-defined OAuth2 auth handlers.
CustomOAuth2 []CustomOAuth2Config `` /* 164-byte string literal not displayed */
}
GlobalAuthConfig holds authentication handler configuration.
type GoTemplateConfig ¶ added in v0.6.0
type GoTemplateConfig struct {
// CacheSize is the maximum number of compiled templates to cache
CacheSize int `` /* 141-byte string literal not displayed */
// EnableMetrics enables template metrics collection
EnableMetrics *bool `json:"enableMetrics,omitempty" yaml:"enableMetrics,omitempty" mapstructure:"enableMetrics" doc:"Enable template metrics"`
// AllowEnvFunctions enables the sprig 'env' and 'expandenv' template functions.
// When false (the default), these functions are removed from the template
// function map to prevent solution files from exfiltrating process secrets
// (e.g. GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY) via {{ env "SECRET" }}.
// Set to true only if your solutions explicitly require reading env vars.
AllowEnvFunctions bool `` /* 229-byte string literal not displayed */
}
GoTemplateConfig holds Go template engine configuration.
func (*GoTemplateConfig) ToGoTemplateValues ¶ added in v0.6.0
func (g *GoTemplateConfig) ToGoTemplateValues() GoTemplateConfigValues
ToGoTemplateValues converts GoTemplateConfig to a GoTemplateConfigValues struct. If a config value is zero/empty, the default value from settings is used.
type GoTemplateConfigValues ¶ added in v0.6.0
type GoTemplateConfigValues struct {
CacheSize int `json:"cacheSize" yaml:"cacheSize" doc:"Template compilation cache size" maximum:"100000" example:"500"`
EnableMetrics bool `json:"enableMetrics" yaml:"enableMetrics" doc:"Enable template execution metrics"`
AllowEnvFunctions bool `json:"allowEnvFunctions" yaml:"allowEnvFunctions" doc:"Allow sprig env/expandenv functions"`
}
GoTemplateConfigValues holds parsed Go template config values. This avoids circular dependencies between config and gotmpl packages.
type HTTPClientConfig ¶
type HTTPClientConfig struct {
// Timeout is the maximum time to wait for a request to complete
Timeout string `` /* 128-byte string literal not displayed */
// Retry settings
RetryMax int `` /* 132-byte string literal not displayed */
RetryWaitMin string `` /* 155-byte string literal not displayed */
RetryWaitMax string `` /* 156-byte string literal not displayed */
// Cache settings
EnableCache *bool `json:"enableCache,omitempty" yaml:"enableCache,omitempty" mapstructure:"enableCache" doc:"Enable HTTP response caching"`
CacheType string `` /* 153-byte string literal not displayed */
CacheDir string `` /* 161-byte string literal not displayed */
CacheTTL string `` /* 144-byte string literal not displayed */
CacheKeyPrefix string `` /* 155-byte string literal not displayed */
MaxCacheFileSize int64 `` /* 192-byte string literal not displayed */
MemoryCacheSize int `` /* 176-byte string literal not displayed */
// Circuit breaker settings
EnableCircuitBreaker *bool `` /* 148-byte string literal not displayed */
CircuitBreakerMaxFailures int `` /* 190-byte string literal not displayed */
CircuitBreakerOpenTimeout string `` /* 194-byte string literal not displayed */
CircuitBreakerHalfOpenMaxRequests int `` /* 229-byte string literal not displayed */
// Compression
EnableCompression *bool `` /* 142-byte string literal not displayed */
// AllowPrivateIPs controls whether HTTP requests to private, loopback, and
// link-local IP addresses are permitted. Checked against IP literals only
// (hostnames are not pre-resolved). When false (default), requests to RFC 1918
// ranges (10.x, 172.16.x, 192.168.x), loopback (127.x, ::1), link-local
// (169.254.x), and CGNAT (100.64.x) are blocked. Set to true to allow private
// network access (e.g., for on-premises endpoints or local development).
AllowPrivateIPs *bool `` /* 241-byte string literal not displayed */
// MaxResponseBodySize is the maximum number of bytes the HTTP provider will
// read from a single response body. Prevents denial-of-service via unbounded
// responses from malicious or misconfigured servers. Defaults to 100 MB.
MaxResponseBodySize int64 `` /* 217-byte string literal not displayed */
}
HTTPClientConfig holds HTTP client configuration settings. All duration fields use string format (e.g., "30s", "5m", "1h").
func (*HTTPClientConfig) Validate ¶
func (h *HTTPClientConfig) Validate() error
Validate validates the HTTP client configuration. Returns an error if any value is invalid.
type IdentityFieldMapping ¶ added in v0.7.0
type IdentityFieldMapping struct {
Username string `` /* 140-byte string literal not displayed */
Email string `json:"email,omitempty" yaml:"email,omitempty" mapstructure:"email" doc:"JSON field for email" maxLength:"128" example:"email"`
Name string `json:"name,omitempty" yaml:"name,omitempty" mapstructure:"name" doc:"JSON field for display name" maxLength:"128"`
}
IdentityFieldMapping maps fields in a token verification response to identity claims.
type LoggingConfig ¶
type LoggingConfig struct {
Level string `` /* 174-byte string literal not displayed */
Format string `` /* 144-byte string literal not displayed */
Timestamps bool `json:"timestamps,omitempty" yaml:"timestamps,omitempty" mapstructure:"timestamps" doc:"Include timestamps in logs"`
EnableProfiling bool `` /* 142-byte string literal not displayed */
}
LoggingConfig holds logging configuration.
func (*LoggingConfig) Validate ¶
func (l *LoggingConfig) Validate() error
Validate validates the logging configuration. Returns an error if any value is invalid.
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager handles configuration loading and access.
func NewManager ¶
func NewManager(configPath string, opts ...ManagerOption) *Manager
NewManager creates a new configuration manager. If configPath is empty, the XDG-compliant default path will be used.
func (*Manager) AllSettings ¶
AllSettings returns all settings as a map.
func (*Manager) ConfigPath ¶
ConfigPath returns the path to the config file.
func (*Manager) GetUnknownKeys ¶
GetUnknownKeys returns a list of configuration keys that are not recognized by the config schema. Useful for programmatic validation.
func (*Manager) Save ¶
Save saves the current configuration to file. It syncs m.config to viper before writing, then uses viper's WriteConfig. This allows both direct config modification AND Set() calls to be persisted.
func (*Manager) Set ¶
Set sets a configuration value. For individual settings fields (e.g., "logging.level"), this also updates m.config to keep it in sync. For top-level struct values like "settings" or "catalogs", only viper is updated (the caller should modify cfg directly instead).
func (*Manager) WarnUnknownKeys ¶
WarnUnknownKeys logs warnings for any configuration keys that are not recognized by the config schema. This helps users identify typos or deprecated settings in their config files.
type ManagerOption ¶ added in v0.7.0
type ManagerOption func(*Manager)
ManagerOption configures a Manager.
func ManagerOptionsFromContext ¶ added in v0.7.0
func ManagerOptionsFromContext(ctx context.Context) []ManagerOption
ManagerOptionsFromContext retrieves the ManagerOption slice from the context. Returns nil when no options were stored.
func WithBaseConfig ¶ added in v0.7.0
func WithBaseConfig(data []byte) ManagerOption
WithBaseConfig sets an embedded configuration layer that is merged after built-in defaults but before the user's config file. This allows embedders to ship organization-specific defaults without overwriting user config. The bytes must be valid YAML.
func WithEnvPrefix ¶ added in v0.7.0
func WithEnvPrefix(prefix string) ManagerOption
WithEnvPrefix overrides the default environment variable prefix ("SCAFCTL"). The prefix is normalized to a safe env var format (upper-cased, hyphens/dots replaced with underscores).
type ResolverConfig ¶
type ResolverConfig struct {
// Timeout is the default timeout per resolver execution
Timeout string `` /* 132-byte string literal not displayed */
// PhaseTimeout is the maximum time for each resolution phase
PhaseTimeout string `` /* 144-byte string literal not displayed */
// MaxConcurrency is the maximum concurrent resolvers per phase (0 = unlimited)
MaxConcurrency int `` /* 166-byte string literal not displayed */
// WarnValueSize is the warn threshold in bytes (0 = disabled)
WarnValueSize int64 `` /* 159-byte string literal not displayed */
// MaxValueSize is the max value size in bytes (0 = disabled)
MaxValueSize int64 `` /* 157-byte string literal not displayed */
// ValidateAll enables collecting all errors instead of stopping at first
ValidateAll bool `` /* 126-byte string literal not displayed */
}
ResolverConfig holds resolver executor configuration.
func (*ResolverConfig) ToResolverValues ¶
func (r *ResolverConfig) ToResolverValues() (ResolverConfigValues, error)
ToResolverValues converts ResolverConfig to a ResolverConfigValues struct. Duration strings are parsed, and zero/empty values use defaults from settings.
func (*ResolverConfig) Validate ¶
func (r *ResolverConfig) Validate() error
Validate validates the resolver configuration. Returns an error if any value is invalid.
type ResolverConfigValues ¶
type ResolverConfigValues struct {
Timeout time.Duration `json:"timeout" yaml:"timeout" doc:"Per-resolver execution timeout"`
PhaseTimeout time.Duration `json:"phaseTimeout" yaml:"phaseTimeout" doc:"Per-phase execution timeout"`
MaxConcurrency int `json:"maxConcurrency" yaml:"maxConcurrency" doc:"Maximum concurrent resolver executions" maximum:"1000" example:"10"`
WarnValueSize int64 `` /* 128-byte string literal not displayed */
MaxValueSize int64 `json:"maxValueSize" yaml:"maxValueSize" doc:"Maximum allowed value size (bytes)" maximum:"1073741824" example:"10485760"`
ValidateAll bool `json:"validateAll" yaml:"validateAll" doc:"Run all validators even if one fails"`
}
ResolverConfigValues holds parsed resolver config values with durations.
type SanitizedAuth ¶ added in v0.5.0
type SanitizedAuth struct {
Entra *SanitizedEntraAuth `json:"entra,omitempty" yaml:"entra,omitempty" doc:"Entra ID auth configuration (redacted)"`
GitHub *SanitizedGitHubAuth `json:"github,omitempty" yaml:"github,omitempty" doc:"GitHub auth configuration (redacted)"`
GCP *SanitizedGCPAuth `json:"gcp,omitempty" yaml:"gcp,omitempty" doc:"GCP auth configuration (redacted)"`
}
SanitizedAuth redacts client secrets and tokens from auth config.
type SanitizedCatAuth ¶ added in v0.5.0
type SanitizedCatAuth struct {
Type string `json:"type" yaml:"type" doc:"Authentication type" maxLength:"64" example:"token"`
TokenEnvVar string `` /* 139-byte string literal not displayed */
}
SanitizedCatAuth contains only non-sensitive catalog auth fields.
type SanitizedCatalog ¶ added in v0.5.0
type SanitizedCatalog struct {
Name string `json:"name" yaml:"name" doc:"Catalog name" maxLength:"256" example:"my-catalog"`
Type string `json:"type" yaml:"type" doc:"Catalog type" maxLength:"64" example:"git"`
Path string `json:"path,omitempty" yaml:"path,omitempty" doc:"Local filesystem path" maxLength:"1024" example:"/path/to/catalog"`
URL string `json:"url,omitempty" yaml:"url,omitempty" doc:"Remote URL" maxLength:"2048" example:"https://github.com/org/catalog"`
Auth *SanitizedCatAuth `json:"auth,omitempty" yaml:"auth,omitempty" doc:"Authentication settings (redacted)"`
Metadata map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty" doc:"Additional metadata"`
}
SanitizedCatalog redacts auth tokens from catalog config.
type SanitizedConfig ¶ added in v0.5.0
type SanitizedConfig struct {
Version int `json:"version,omitempty" yaml:"version,omitempty" doc:"Config file version" maximum:"10" example:"1"`
Catalogs []SanitizedCatalog `json:"catalogs" yaml:"catalogs" doc:"Configured solution catalogs" maxItems:"50"`
Settings Settings `json:"settings" yaml:"settings" doc:"General application settings"`
Logging LoggingConfig `json:"logging" yaml:"logging" doc:"Logging configuration"`
HTTPClient HTTPClientConfig `json:"httpClient" yaml:"httpClient" doc:"HTTP client configuration"`
CEL CELConfig `json:"cel" yaml:"cel" doc:"CEL expression engine configuration"`
Resolver ResolverConfig `json:"resolver" yaml:"resolver" doc:"Resolver execution configuration"`
Action ActionConfig `json:"action" yaml:"action" doc:"Action execution configuration"`
Auth SanitizedAuth `json:"auth" yaml:"auth" doc:"Authentication configuration (redacted)"`
Build BuildConfig `json:"build" yaml:"build" doc:"Build configuration"`
}
SanitizedConfig mirrors Config but with sensitive fields redacted.
func SanitizeConfig ¶ added in v0.5.0
func SanitizeConfig(cfg *Config) SanitizedConfig
SanitizeConfig creates a sanitized copy of the config with sensitive values redacted.
type SanitizedEntraAuth ¶ added in v0.5.0
type SanitizedEntraAuth struct {
ClientID string `` /* 151-byte string literal not displayed */
TenantID string `` /* 139-byte string literal not displayed */
DefaultScopes []string `json:"defaultScopes,omitempty" yaml:"defaultScopes,omitempty" doc:"Default OAuth scopes" maxItems:"20"`
}
SanitizedEntraAuth contains only non-sensitive Entra ID fields.
type SanitizedGCPAuth ¶ added in v0.5.0
type SanitizedGCPAuth struct {
ClientID string `` /* 140-byte string literal not displayed */
GCPClientCredential string `` /* 164-byte string literal not displayed */
DefaultScopes []string `json:"defaultScopes,omitempty" yaml:"defaultScopes,omitempty" doc:"Default OAuth scopes" maxItems:"20"`
ImpersonateServiceAccount string `` /* 183-byte string literal not displayed */
Project string `json:"project,omitempty" yaml:"project,omitempty" doc:"GCP project ID" maxLength:"256" example:"my-gcp-project"`
}
SanitizedGCPAuth contains only non-sensitive GCP auth fields.
type SanitizedGitHubAuth ¶ added in v0.5.0
type SanitizedGitHubAuth struct {
ClientID string `json:"clientId,omitempty" yaml:"clientId,omitempty" doc:"GitHub OAuth app client ID" maxLength:"256" example:"Iv1.abc123"`
Hostname string `json:"hostname,omitempty" yaml:"hostname,omitempty" doc:"GitHub hostname" maxLength:"256" example:"github.com"`
DefaultScopes []string `json:"defaultScopes,omitempty" yaml:"defaultScopes,omitempty" doc:"Default OAuth scopes" maxItems:"20"`
}
SanitizedGitHubAuth contains only non-sensitive GitHub auth fields.
type Settings ¶
type Settings struct {
DefaultCatalog string `` /* 154-byte string literal not displayed */
NoColor bool `json:"noColor,omitempty" yaml:"noColor,omitempty" mapstructure:"noColor" doc:"Disable colored output"`
Quiet bool `json:"quiet,omitempty" yaml:"quiet,omitempty" mapstructure:"quiet" doc:"Suppress non-essential output"`
VersionCheck *VersionCheckConfig `json:"versionCheck,omitempty" yaml:"versionCheck,omitempty" mapstructure:"versionCheck" doc:"Version check configuration"`
// RequireSecureKeyring when true causes scafctl to fail with an error if the
// OS keyring is unavailable and the secret store would fall back to an insecure
// file-based or environment-variable-based master key. Enable this in
// production or shared environments to prevent silent degradation of secret
// protection.
RequireSecureKeyring bool `` /* 195-byte string literal not displayed */
// DisableOfficialCatalog prevents the official OCI catalog from being
// appended to the catalog chain. When true, only explicitly configured
// catalogs are used for plugin resolution.
DisableOfficialCatalog bool `` /* 179-byte string literal not displayed */
}
Settings holds application-wide settings.
type TelemetryConfig ¶ added in v0.5.0
type TelemetryConfig struct {
// Endpoint is the OTLP gRPC exporter endpoint (e.g. localhost:4317).
// Equivalent to the OTEL_EXPORTER_OTLP_ENDPOINT environment variable.
// When empty, tracing and OTel log export are disabled (noop providers).
Endpoint string `` /* 151-byte string literal not displayed */
// Insecure disables TLS for the OTLP gRPC connection. Useful for local
// development setups where the collector has no TLS configured.
Insecure bool `` /* 137-byte string literal not displayed */
// ServiceName overrides the OTel resource service.name attribute.
// Defaults to the binary name (scafctl).
ServiceName string `` /* 163-byte string literal not displayed */
// SamplerType controls the trace sampler. Supported values: always_on, always_off, traceidratio.
// Defaults to always_on.
SamplerType string `` /* 182-byte string literal not displayed */
// SamplerArg is the argument passed to the sampler (e.g. ratio for traceidratio).
SamplerArg float64 `` /* 152-byte string literal not displayed */
}
TelemetryConfig holds OpenTelemetry configuration.
type TokenExchangeConfig ¶ added in v0.7.0
type TokenExchangeConfig struct {
// URL is the API endpoint to call to derive a secondary token.
URL string `` /* 156-byte string literal not displayed */
// Method is the HTTP method (default: POST).
Method string `` /* 133-byte string literal not displayed */
// RequestBody is the JSON body to send. Supports Go template variables: {{.Hostname}}, {{.Username}}.
RequestBody gotmpl.GoTemplatingContent `` /* 149-byte string literal not displayed */
// TokenJSONPath is the dot-notation path to extract the derived token from the JSON response.
TokenJSONPath string `` /* 161-byte string literal not displayed */
// UsernameJSONPath optionally extracts a username from the response.
UsernameJSONPath string `` /* 166-byte string literal not displayed */
}
TokenExchangeConfig defines a secondary API call that the OAuth2 handler executes after initial authentication. The primary OAuth2 token is injected as a Bearer token in the Authorization header. The response is parsed to extract a derived credential.
This is fully generic — not coupled to registries or any specific service type:
- Quay.io: OAuth2 token → POST /api/v1/user/apptoken → app token
- API gateway: OAuth2 token → POST /v1/keys/generate → scoped API key
- Vault-like: OAuth2 token → POST /v1/auth/jwt/login → dynamic secret
Note: This is a configurable credential derivation step, not an implementation of RFC 8693 (OAuth 2.0 Token Exchange).
type VersionCheckConfig ¶ added in v0.6.0
type VersionCheckConfig struct {
// Timeout overrides the version check HTTP timeout (default: 5s).
Timeout string `` /* 128-byte string literal not displayed */
// Enabled can disable the automatic version check.
Enabled *bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable version check"`
}
VersionCheckConfig holds version check configuration.
Source Files
Click to show internal directories.
Click to hide internal directories.