server

package
v0.18.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: Apache-2.0 Imports: 101 Imported by: 0

Documentation

Index

Constants

View Source
const (
	APP     = "app"
	BINDING = "binding"
)
View Source
const (
	// AUDIT_QUEUE_SIZE is the audit event queue length; when full, enqueue
	// blocks and applies backpressure to the request path
	AUDIT_QUEUE_SIZE = 1000
	// AUDIT_MAX_BATCH_SIZE caps how many events are written per transaction
	AUDIT_MAX_BATCH_SIZE = 200
)
View Source
const (
	PROVIDER_NAME_DELIMITER = "_"
	AUTH_KEY                = "authenticated"
	USER_KEY                = "user" // email/userid/nickname (for git email/nickname/userid)
	USER_ID_KEY             = "user_id"
	USER_EMAIL_KEY          = "email"
	USER_NICKNAME_KEY       = "nickname"
	PROVIDER_NAME_KEY       = "provider_name"
	GROUPS_KEY              = "groups"
	SESSION_INDEX_KEY       = "session_index"
	NONCE_KEY               = "nonce"
	REDIRECT_URL            = "redirect"
	REQUEST_ID_KEY          = "request_id" // SAML AuthnRequest ID, used to enforce InResponseTo
)
View Source
const (
	DRY_RUN_ARG              = "dryRun"
	PROMOTE_ARG              = "promote"
	REAPPLY_ALL_ARG          = "reapplyAll"
	DELEGATE_BUILD_OP        = "delegate_build"
	MAX_DELEGATE_UPLOAD_SIZE = 512 << 20 // 512 MiB
	MAX_SECRET_UPLOAD_SIZE   = 8 << 20   // 8 MiB: values are capped at 1 MiB, but json escaping can inflate a text value up to 6x
)
View Source
const (
	DEFAULT_CERT_FILE = "default.crt"
	DEFAULT_KEY_FILE  = "default.key"
	APPSPECS          = "appspecs"
)
View Source
const AUTH_FAILURE_EVENT_INTERVAL = time.Minute

AUTH_FAILURE_EVENT_INTERVAL is the minimum interval between audit events for the same failed-auth operation/target/user combination

View Source
const CURRENT_AUDIT_DB_VERSION = 2
View Source
const (
	REALM = "openrun"
)
View Source
const REPO_FOLDER_SEPERATOR = "//"
View Source
const RedactedValue = "<redacted>"

RedactedValue is returned in place of secret field values by the config read APIs. An update which submits this value keeps the stored value, so edit forms can round-trip without ever seeing the secret

View Source
const SAML_AUTH_PREFIX = "saml_"

The flow is 1. At service startup, SAMLServiceProvider is initialized 2. For apps using SAML, CheckSAMLAuth is called to check if the user is authenticated 3. CheckSAMLAuth verifies the session cookie to see if the user is authenticated. If yes, done 4. If the user is not authenticated, login function is called (API is currently on the app domain) 5. Login creates a sessionid and nonce. Saves entry in DB with sessionid as key and state map as value 6. Login creates a cookie with the nonce and redirect url. Redirects to the SAML provider's login page, with sessionid in RelayState 7. SAML provider's login page redirects to the ACS api on the callback domain, with sessionid in RelayState 8. ACS api validates the sessionid, and updates the state map in the DB with the user id and groups info 9. ACS api redirects to the redirect API on the app domain, again passing the sessionid in the relay parameter 10. redirect API validates the passed sessionid, nonce from DB statemap against nonce from cookie, 11. redirect stores the authenticated session, with the user id and groups info and deletes the DB entry 12. Redirects back to original app url, which will again call CheckSAMLAuth and find the authenticated cookie

Variables

View Source
var (
	COMPRESSION_ENABLED_MIME_TYPES = []string{
		"text/html",
		"text/css",
		"text/plain",
		"text/xml",
		"text/x-component",
		"text/javascript",
		"application/x-javascript",
		"application/javascript",
		"application/json",
		"application/manifest+json",
		"application/vnd.api+json",
		"application/xml",
		"application/xhtml+xml",
		"application/rss+xml",
		"application/atom+xml",
		"application/vnd.ms-fontobject",
		"application/x-font-ttf",
		"application/x-font-opentype",
		"application/x-font-truetype",
		"image/svg+xml",
		"image/x-icon",
		"image/vnd.microsoft.icon",
		"font/ttf",
		"font/eot",
		"font/otf",
		"font/opentype",
	}
)

Functions

func GenerateSelfSignedCertificate

func GenerateSelfSignedCertificate(certPath, keyPath string, validityDuration time.Duration) error

Types

type AdminBasicAuth

type AdminBasicAuth struct {
	*types.Logger
	// contains filtered or unexported fields
}

AdminBasicAuth implements basic auth for the admin user account. Cache the success auth header to avoid the bcrypt hash check penalty Basic auth is supported for admin user only, and changing it requires service restart. Caching the sha of the successful auth header allows us to skip the bcrypt check which significantly improves performance.

func NewAdminBasicAuth

func NewAdminBasicAuth(logger *types.Logger, config *types.ServerConfig) *AdminBasicAuth

func (*AdminBasicAuth) BasicAuth

func (a *AdminBasicAuth) BasicAuth(authHeader string) (username, password string, ok bool)

type AppStore

type AppStore struct {
	*types.Logger
	// contains filtered or unexported fields
}

AppStore is a store of apps. List of apps is stored in memory. Apps are initialized lazily, AddApp has to be called before GetApp to initialize the app

func NewAppStore

func NewAppStore(logger *types.Logger, server *Server) *AppStore

func (*AppStore) ActiveContainerNames added in v0.17.3

func (a *AppStore) ActiveContainerNames() map[container.ContainerName]bool

ActiveContainerNames returns the container names currently referenced by loaded apps.

func (*AppStore) AddAppIfUnchanged added in v0.18.4

func (a *AppStore) AddAppIfUnchanged(app *app.App, generation uint64) bool

AddAppIfUnchanged adds the app to the store only if no apps have been removed from the store since the given generation was read. It returns false without adding when the store changed: the DB state the app was built from may have been superseded (e.g. a reload committed in between), so the caller must discard the app and rebuild from a fresh read.

func (*AppStore) ClearApps

func (a *AppStore) ClearApps(pathDomains []types.AppPathDomain)

ClearApps removes the specified apps from the in memory App cache Also clears the app info cache for all apps (so that it is reloaded on next request)

func (*AppStore) ClearAppsAudit

func (a *AppStore) ClearAppsAudit(ctx context.Context, pathDomains []types.AppPathDomain, op string) error

ClearApps removes the specified apps from the in memory App cache and creates an audit entry. Also clears the app info cache for all apps (so that it is reloaded on next request)

func (*AppStore) ClearAppsNoNotify

func (a *AppStore) ClearAppsNoNotify(pathDomains []types.AppPathDomain)

ClearApps removes the specified apps from the in memory App cache Also clears the app info cache for all apps (so that it is reloaded on next request) This does not notify other servers of the app update (intended for use from the listener)

func (*AppStore) ClearLinkedApps

func (a *AppStore) ClearLinkedApps(pathDomain types.AppPathDomain) error

func (*AppStore) Generation added in v0.18.4

func (a *AppStore) Generation() uint64

Generation returns the current store generation. Read it before loading app state from the DB and pass it to AddAppIfUnchanged.

func (*AppStore) GetAllAppsInfo

func (a *AppStore) GetAllAppsInfo() ([]types.AppInfo, error)

func (*AppStore) GetAllDomains

func (a *AppStore) GetAllDomains() (map[string]bool, error)

func (*AppStore) GetApp

func (a *AppStore) GetApp(pathDomain types.AppPathDomain) (*app.App, error)

func (*AppStore) GetAppInfo

func (a *AppStore) GetAppInfo(appId types.AppId) (types.AppInfo, bool)

func (*AppStore) GetAppsFullInfo

func (a *AppStore) GetAppsFullInfo() (map[string][]types.AppInfo, map[string]bool, error)

GetAppsFullInfo returns the apps indexed by effective domain and the set of all configured domains, for request matching.

func (*AppStore) ResetAllAppCache

func (a *AppStore) ResetAllAppCache()

type BuilderCheck added in v0.18.6

type BuilderCheck struct {
	Name   string `json:"name"`
	Ok     bool   `json:"ok"`
	Detail string `json:"detail"`
}

BuilderCheck is one row of the builder config verification checklist

type BuilderPublishResponse added in v0.18.6

type BuilderPublishResponse struct {
	Mode        string `json:"mode"` // git or local
	PublishPath string `json:"publish_path"`
	Source      string `json:"source"`
	CommitSha   string `json:"commit_sha,omitempty"`
	Repo        string `json:"repo,omitempty"`
	Stanza      string `json:"stanza"`
}

BuilderPublishResponse is the publish/unpublish result

type CacheDir

type CacheDir struct {
	// contains filtered or unexported fields
}

type ConfigEntry added in v0.18.6

type ConfigEntry struct {
	Name       string         `json:"name"`
	Values     map[string]any `json:"values"`
	Source     string         `json:"source"`     // "static" or "dynamic"
	Overridden bool           `json:"overridden"` // static entry shadowed by a dynamic entry of the same name
}

ConfigEntry is one named config entry (static from openrun.toml or dynamic) as returned by the config read APIs. Values are redacted

type ConfigSectionValues added in v0.18.6

type ConfigSectionValues struct {
	Static  map[string]any `json:"static"`
	Dynamic map[string]any `json:"dynamic"`
}

ConfigSectionValues holds the field values of one struct config section (security, system, logging, ...) for the read APIs: the static values from openrun.toml flattened to dotted keys, and the dynamic overrides. Secret values are redacted

type ContainerDetail added in v0.18.4

type ContainerDetail struct {
	ContainerInfo
	Command      string           `json:"command"`
	StartedAt    string           `json:"started_at"`
	CreatedAt    string           `json:"created_at"`
	RestartCount int              `json:"restart_count"`
	ExitCode     int              `json:"exit_code"`
	Health       string           `json:"health"`
	AppVersion   string           `json:"app_version"`
	SizeRw       int64            `json:"size_rw"`       // writable layer disk usage
	SizeRootFs   int64            `json:"size_root_fs"`  // total disk usage
	PortBindings []string         `json:"port_bindings"` // host->container port mappings
	Mounts       []ContainerMount `json:"mounts"`
	Stats        *ContainerStats  `json:"stats"`
}

ContainerDetail is the full detail of a container managed by OpenRun

type ContainerInfo added in v0.18.4

type ContainerInfo struct {
	Id      string `json:"id"`
	Name    string `json:"name"`
	AppId   string `json:"app_id"`
	AppPath string `json:"app_path"`
	Image   string `json:"image"`
	State   string `json:"state"`  // running / exited / ...
	Status  string `json:"status"` // human readable, "Up 2 hours"
	Ports   string `json:"ports"`
	Env     string `json:"env"`     // prod / stage / dev / preview
	Runtime string `json:"runtime"` // docker / podman / kubernetes
	// CreatedAt is the container/pod creation time, date-first formatted so
	// it sorts lexicographically (used by the console for recency ordering)
	CreatedAt string `json:"created_at"`
}

ContainerInfo is the summary of a container managed by OpenRun

type ContainerMount added in v0.18.4

type ContainerMount struct {
	Type        string `json:"type"`
	Source      string `json:"source"`
	Destination string `json:"destination"`
	ReadWrite   bool   `json:"read_write"`
}

ContainerMount is a mount point of a container

type ContainerStats added in v0.18.4

type ContainerStats struct {
	CPUPercent string `json:"cpu_percent"`
	MemUsage   string `json:"mem_usage"`
	MemPercent string `json:"mem_percent"`
	NetIO      string `json:"net_io"`
	BlockIO    string `json:"block_io"`
	PIDs       string `json:"pids"`
}

ContainerStats are the live resource stats of a container

type ContextShared

type ContextShared struct {
	UserId    string
	AppId     string
	Operation string
	Target    string
	DryRun    bool
}

type Handler

type Handler struct {
	*types.Logger
	// contains filtered or unexported fields
}

func NewTCPHandler

func NewTCPHandler(logger *types.Logger, config *types.ServerConfig, server *Server) *Handler

NewTCPHandler creates a new handler for HTTP/HTTPS requests. App API's are mounted amd authentication is enabled. It also mounts the internal APIs if admin over TCP is enabled

func NewUDSHandler

func NewUDSHandler(logger *types.Logger, config *types.ServerConfig, server *Server) *Handler

NewUDSHandler creates a new handler for admin APIs over the unix domain socket

type InmemoryKVStore added in v0.15.3

type InmemoryKVStore struct {
	// contains filtered or unexported fields
}

func NewInmemoryKVStore added in v0.15.3

func NewInmemoryKVStore() *InmemoryKVStore

func (*InmemoryKVStore) DeleteKV added in v0.15.3

func (s *InmemoryKVStore) DeleteKV(ctx context.Context, key string) error

func (*InmemoryKVStore) FetchKV added in v0.15.3

func (s *InmemoryKVStore) FetchKV(ctx context.Context, key string) (map[string]any, error)

func (*InmemoryKVStore) FetchKVBlob added in v0.17.1

func (s *InmemoryKVStore) FetchKVBlob(ctx context.Context, key string) ([]byte, error)

func (*InmemoryKVStore) StoreKV added in v0.15.3

func (s *InmemoryKVStore) StoreKV(ctx context.Context, key string, value map[string]any, expireAt *time.Time) error

func (*InmemoryKVStore) StoreKVBlob added in v0.15.3

func (s *InmemoryKVStore) StoreKVBlob(ctx context.Context, key string, value []byte, expireAt *time.Time) error

func (*InmemoryKVStore) UpdateKV added in v0.15.3

func (s *InmemoryKVStore) UpdateKV(ctx context.Context, key string, value map[string]any) error

func (*InmemoryKVStore) UpdateKVBlob added in v0.15.3

func (s *InmemoryKVStore) UpdateKVBlob(ctx context.Context, key string, value []byte) error

func (*InmemoryKVStore) UpsertKVBlob added in v0.17.1

func (s *InmemoryKVStore) UpsertKVBlob(ctx context.Context, key string, value []byte, expireAt *time.Time) error

type KVSessionStore added in v0.17.1

type KVSessionStore struct {
	Codecs []securecookie.Codec

	Options *sessions.Options
	// contains filtered or unexported fields
}

KVSessionStore keeps session payloads server-side and puts only an opaque, signed session id in the browser cookie.

func NewKVSessionStore added in v0.17.1

func NewKVSessionStore(db KVStore, keyPairs ...[]byte) *KVSessionStore

func (*KVSessionStore) Get added in v0.17.1

func (s *KVSessionStore) Get(r *http.Request, name string) (*sessions.Session, error)

func (*KVSessionStore) MaxAge added in v0.17.1

func (s *KVSessionStore) MaxAge(age int)

func (*KVSessionStore) New added in v0.17.1

func (s *KVSessionStore) New(r *http.Request, name string) (*sessions.Session, error)

func (*KVSessionStore) Save added in v0.17.1

type KVStore added in v0.15.3

type KVStore interface {
	FetchKV(ctx context.Context, key string) (map[string]any, error)
	FetchKVBlob(ctx context.Context, key string) ([]byte, error)
	StoreKV(ctx context.Context, key string, value map[string]any, expireAt *time.Time) error
	StoreKVBlob(ctx context.Context, key string, value []byte, expireAt *time.Time) error
	UpsertKVBlob(ctx context.Context, key string, value []byte, expireAt *time.Time) error

	UpdateKV(ctx context.Context, key string, value map[string]any) error
	UpdateKVBlob(ctx context.Context, key string, value []byte) error
	DeleteKV(ctx context.Context, key string) error
}

KVStore is an interface for a key-value store. Implemented by metadata.Metadata

type KubernetesStats added in v0.18.6

type KubernetesStats struct {
	Enabled    bool                       `json:"enabled"`
	Cluster    *container.ClusterStats    `json:"cluster"`
	Namespaces []container.NamespaceStats `json:"namespaces"`
}

KubernetesStats is the cluster and namespace summary shown on the container list when the kubernetes runtime is active. Enabled is false for other runtimes

type OAuthAuthInfo added in v0.17.3

type OAuthAuthInfo struct {
	UserId      string
	Groups      []string
	UserSubject string
	UserEmail   string
}

type OAuthManager added in v0.15.3

type OAuthManager struct {
	*types.Logger
	// contains filtered or unexported fields
}

OAuthManager manages the OAuth providers and their configurations (also OIDC)

func NewOAuthManager added in v0.15.3

func NewOAuthManager(logger *types.Logger, config *types.ServerConfig, db KVStore) *OAuthManager

func (*OAuthManager) CheckAuth added in v0.15.3

func (s *OAuthManager) CheckAuth(w http.ResponseWriter, r *http.Request, appProvider string) (string, []string, error)

func (*OAuthManager) CheckAuthInfo added in v0.17.3

func (s *OAuthManager) CheckAuthInfo(w http.ResponseWriter, r *http.Request, appProvider string) (OAuthAuthInfo, error)

func (*OAuthManager) RegisterRoutes added in v0.15.3

func (s *OAuthManager) RegisterRoutes(csrfMiddleware *http.CrossOriginProtection, mux *chi.Mux)

func (*OAuthManager) Setup added in v0.15.3

func (s *OAuthManager) Setup(sessionKey []byte, sessionBlockKey []byte) error

func (*OAuthManager) UpdateProviders added in v0.18.6

func (s *OAuthManager) UpdateProviders(auth map[string]types.AuthConfig) error

UpdateProviders re-registers the OAuth providers from the merged (static + dynamic) auth config. Called when dynamic config entries change the auth section

func (*OAuthManager) ValidateAuthType added in v0.15.3

func (s *OAuthManager) ValidateAuthType(authType string) bool

func (*OAuthManager) ValidateProviderName added in v0.15.3

func (s *OAuthManager) ValidateProviderName(provider string) bool

type RateLimitedErrorLogger added in v0.16.16

type RateLimitedErrorLogger struct {
	// contains filtered or unexported fields
}

RateLimitedErrorLogger wraps an io.Writer and rate-limits repeated TLS handshake errors. It logs the first occurrence immediately, then suppresses for a configurable duration. After the suppression period, it logs again with the count of suppressed occurrences.

func NewRateLimitedErrorLogger added in v0.16.16

func NewRateLimitedErrorLogger(out io.Writer) *RateLimitedErrorLogger

NewRateLimitedErrorLogger creates a new rate-limited error logger. It starts a background goroutine that cleans up old entries every 30 minutes.

func (*RateLimitedErrorLogger) Stop added in v0.16.16

func (r *RateLimitedErrorLogger) Stop()

Stop stops the background cleanup goroutine

func (*RateLimitedErrorLogger) Write added in v0.16.16

func (r *RateLimitedErrorLogger) Write(p []byte) (n int, err error)

Write implements io.Writer. It rate-limits TLS handshake errors while passing through other messages unchanged.

type Repo

type Repo struct {
	// contains filtered or unexported fields
}

type RepoCache

type RepoCache struct {
	// contains filtered or unexported fields
}

func NewRepoCache

func NewRepoCache(server *Server) (*RepoCache, error)

func (*RepoCache) CheckoutRepo

func (r *RepoCache) CheckoutRepo(sourceUrl, branch, commit, gitAuth string, isDev bool) (string, string, string, string, error)

func (*RepoCache) Cleanup

func (r *RepoCache) Cleanup()

func (*RepoCache) GetSha

func (r *RepoCache) GetSha(sourceUrl, branch, gitAuth string) (string, error)

type SAMLManager added in v0.15.3

type SAMLManager struct {
	*types.Logger
	// contains filtered or unexported fields
}

SAMLManager manages the SAML providers and their configurations

func NewSAMLManager added in v0.15.3

func NewSAMLManager(logger *types.Logger, config *types.ServerConfig, cookieStore sessions.Store, db KVStore) *SAMLManager

func (*SAMLManager) CheckSAMLAuth added in v0.15.3

func (s *SAMLManager) CheckSAMLAuth(w http.ResponseWriter, r *http.Request, appProvider string) (string, []string, error)

func (*SAMLManager) RegisterRoutes added in v0.15.3

func (s *SAMLManager) RegisterRoutes(mux *chi.Mux)

func (*SAMLManager) Setup added in v0.15.3

func (s *SAMLManager) Setup(ctx context.Context) error

func (*SAMLManager) UpdateProviders added in v0.18.6

func (s *SAMLManager) UpdateProviders(ctx context.Context, samlConfigs map[string]types.SAMLConfig)

UpdateProviders re-registers the SAML providers from the merged (static + dynamic) saml config. Provider build failures are logged and disable that provider, matching the startup behavior

func (*SAMLManager) ValidateSAMLProvider added in v0.15.3

func (s *SAMLManager) ValidateSAMLProvider(authType string) bool

type Server

type Server struct {
	*types.Logger
	// contains filtered or unexported fields
}

Server is the instance of the OpenRun Server

func NewServer

func NewServer(config *types.ServerConfig) (*Server, error)

NewServer creates a new instance of the OpenRun Server

func (*Server) AppEvalTemplate added in v0.18.6

func (s *Server) AppEvalTemplate(appSecrets [][]string, defaultProvider, input string) (string, error)

AppEvalTemplate resolves {{secret}} references for apps through the current secrets manager. Apps hold this server method instead of a manager-bound method value, so a dynamic secret provider change (key rotation, new provider) takes effect for already cached apps without a reload

func (*Server) Apply

func (s *Server) Apply(ctx context.Context, inputTx types.Transaction, applyPath string, appPathGlob string, approve, dryRun, promote bool,
	reload types.AppReloadOption, branch, commit, gitAuth string, clobber,
	forceReload, verify bool, lastRunCommitId string, repoCache *RepoCache, isDev bool) (_ *types.AppApplyResponse, _ []types.AppPathDomain, retErr error)

func (*Server) ApproveApps added in v0.18.4

func (s *Server) ApproveApps(ctx context.Context, appPathGlob string, dryRun, promote bool) (*types.AppStagedUpdateResponse, error)

ApproveApps approves the plugin and permission usage for apps matching the glob. With dryRun, the pending permissions are returned without approving

func (*Server) AuthorizeList added in v0.15.0

func (s *Server) AuthorizeList(ctx context.Context, userId string, app *types.AppInfo, groups []string) (bool, error)

AuthorizeList checks if the user has access to list the specified app. When RBAC enforcement is active for the calling app (RBAC config enabled and the caller has rbac: auth), the app:read permission gates listing (with the owner rule). Otherwise, list visibility falls back to whether the app uses the same authentication type as used by the caller

func (*Server) BuilderManager added in v0.18.6

func (s *Server) BuilderManager() *builder.Manager

BuilderManager returns the builder manager (used by the build.in plugin)

func (*Server) CheckAppValid

func (s *Server) CheckAppValid(domain, matchPath string) (string, error)

func (*Server) CleanupVersions added in v0.16.22

func (s *Server) CleanupVersions()

func (*Server) CompleteTransaction

func (s *Server) CompleteTransaction(ctx context.Context, tx types.Transaction, entries []types.AppPathDomain, dryRun bool, op string) error

func (*Server) Config added in v0.18.6

func (s *Server) Config() *types.ServerConfig

Config returns the effective server config: the static openrun.toml config with the dynamic config entries and settings merged in, dynamic taking precedence. This is the canonical config accessor; the returned config is a published snapshot and must never be modified. Startup paths which run before the dynamic config is loaded see the static config

func (*Server) CreateApp

func (s *Server) CreateApp(ctx context.Context, appPath string,
	approve, dryRun bool, appRequest *types.CreateAppRequest) (_ *types.AppCreateResponse, retErr error)

func (*Server) CreateAppTx

func (s *Server) CreateAppTx(ctx context.Context, currentTx types.Transaction, appPath string,
	approve, dryRun bool, appRequest *types.CreateAppRequest, repoCache *RepoCache,
	bindingAccounts *bindingAccountManager) (*types.AppCreateResponse, error)

func (*Server) CreateBinding added in v0.17.2

func (s *Server) CreateBinding(ctx context.Context, createRequest *types.CreateBindingRequest, dryRun bool) (_ *types.Binding, retErr error)

func (*Server) CreateSecret added in v0.18.6

func (s *Server) CreateSecret(ctx context.Context, req *types.CreateSecretRequest, update bool) (*types.SecretCreateResponse, error)

CreateSecret stores a secret value in a writable secret provider (default "db"). A unique name is generated when a prefix is given; the returned SecretRef is the {{secret}} template reference to use in app params/config

func (*Server) CreateService added in v0.17.2

func (s *Server) CreateService(ctx context.Context, service *types.Service, dryRun bool) error

func (*Server) CreateSyncEntry

func (s *Server) CreateSyncEntry(ctx context.Context, path string, scheduled, dryRun bool, sync *types.SyncMetadata) (_ *types.SyncCreateResponse, retErr error)

func (*Server) DeleteApps

func (s *Server) DeleteApps(ctx context.Context, appPathGlob string, dryRun bool) (*types.AppDeleteResponse, error)

func (*Server) DeleteBinding added in v0.17.2

func (s *Server) DeleteBinding(ctx context.Context, path string, dryRun bool) error

func (*Server) DeleteConfigEntry added in v0.18.6

func (s *Server) DeleteConfigEntry(ctx context.Context, section, name string, versionId string) (*types.DynamicConfig, error)

DeleteConfigEntry removes one dynamic config entry, immediately reverting to the static entry of the same name if one exists. Static entries cannot be deleted through the API

func (*Server) DeleteConfigValue added in v0.18.6

func (s *Server) DeleteConfigValue(ctx context.Context, section, key string, versionId string) (*types.DynamicConfig, error)

DeleteConfigValue removes one dynamic config field, immediately reverting to the static openrun.toml value

func (*Server) DeleteSecret added in v0.18.6

func (s *Server) DeleteSecret(ctx context.Context, providerName, name string) error

DeleteSecret deletes a stored secret

func (*Server) DeleteService added in v0.17.2

func (s *Server) DeleteService(ctx context.Context, name, serviceType string, dryRun bool) error

func (*Server) DeleteSyncEntry

func (s *Server) DeleteSyncEntry(ctx context.Context, id string, dryRun bool) (*types.SyncDeleteResponse, error)

func (*Server) DiscardRBACDraft added in v0.18.4

func (s *Server) DiscardRBACDraft(ctx context.Context, draftVersion string) error

DiscardRBACDraft drops the staged config changes. draftVersion is the CAS token: only a draft state the caller has actually seen can be discarded

func (*Server) Export added in v0.18.6

func (s *Server) Export(ctx context.Context, appPathGlob string, opts types.ExportOptions) (string, error)

Export writes the current prod state of apps and bindings as a declarative config file which can be re-applied with "openrun apply". Stage and preview state is not included; dev apps are exported with dev=True.

func (*Server) FilterApps

func (s *Server) FilterApps(appappPathGlob string, includeInternal bool) ([]types.AppInfo, error)

func (*Server) FlushAuditEvents added in v0.18.4

func (s *Server) FlushAuditEvents()

FlushAuditEvents blocks until all audit events queued before the call have been written to the audit DB. Used before audit queries (read-after-write consistency) and during shutdown.

func (*Server) GetApp

func (s *Server) GetApp(ctx context.Context, pathDomain types.AppPathDomain, init bool) (*app.App, error)

func (*Server) GetAppApi

func (s *Server) GetAppApi(ctx context.Context, appPath string) (*types.AppGetResponse, error)

func (*Server) GetAppEntry

func (s *Server) GetAppEntry(ctx context.Context, tx types.Transaction, pathDomain types.AppPathDomain) (*types.AppEntry, error)

func (*Server) GetAppSpec

func (s *Server) GetAppSpec(name types.AppSpec) types.SpecFiles

func (*Server) GetApps

func (s *Server) GetApps(ctx context.Context, appPathGlob string, internal bool) ([]types.AppResponse, error)

func (*Server) GetBinding added in v0.17.2

func (s *Server) GetBinding(ctx context.Context, path string) (*types.Binding, error)

func (*Server) GetBindingAccount added in v0.17.4

func (s *Server) GetBindingAccount(ctx context.Context, path string, useStaging bool) (map[string]string, error)

func (*Server) GetBindingWithAccount added in v0.17.5

func (s *Server) GetBindingWithAccount(ctx context.Context, tx types.Transaction, path string) (*types.Binding, error)

GetBindingWithAccount gets the binding with the account info un-redacted.

func (*Server) GetConfigEntries added in v0.18.6

func (s *Server) GetConfigEntries(ctx context.Context, sections []string) (map[string][]ConfigEntry, error)

GetConfigEntries returns the static and dynamic entries for the requested config sections (all dynamically settable sections when empty). Secret field values are redacted

func (*Server) GetConfigValues added in v0.18.6

func (s *Server) GetConfigValues(ctx context.Context, sections []string) (map[string]*ConfigSectionValues, error)

GetConfigValues returns the static and dynamic field values for the requested struct config sections (all settings sections when empty)

func (*Server) GetConfigVersion added in v0.18.4

func (s *Server) GetConfigVersion(ctx context.Context, versionId string) (*types.DynamicConfig, error)

GetConfigVersion returns one full config snapshot from the history

func (*Server) GetDynamicConfig added in v0.14.10

func (s *Server) GetDynamicConfig() types.DynamicConfig

func (*Server) GetKubernetesPodStatus added in v0.18.6

func (s *Server) GetKubernetesPodStatus(ctx context.Context, id string) (*container.WorkloadPodStatus, error)

GetKubernetesPodStatus returns the kubernetes specific status of one managed pod (conditions, container states, events)

func (*Server) GetKubernetesStats added in v0.18.6

func (s *Server) GetKubernetesStats(ctx context.Context) (*KubernetesStats, error)

GetKubernetesStats returns the cluster summary and pod stats for the OpenRun system and apps namespaces. For non-kubernetes runtimes it returns Enabled false

func (*Server) GetListAppsApp

func (s *Server) GetListAppsApp(ctx context.Context) (*app.App, error)

func (*Server) GetManagedContainer added in v0.18.4

func (s *Server) GetManagedContainer(ctx context.Context, id string, withStats bool) (*ContainerDetail, error)

GetManagedContainer returns the details of one OpenRun managed container. withStats also collects live resource stats and disk usage, which are slow (docker stats samples for about two seconds)

func (*Server) GetManagedContainerLogs added in v0.18.4

func (s *Server) GetManagedContainerLogs(ctx context.Context, id string, tail int) (string, error)

GetManagedContainerLogs returns the last tail lines of the container logs

func (*Server) GetManagedContainerLogsStream added in v0.18.6

func (s *Server) GetManagedContainerLogsStream(ctx context.Context, id string, tail int, follow bool) (func(yield func(any, error) bool), error)

GetManagedContainerLogsStream returns the last tail lines of the container logs as a stream of line chunks. With follow, the stream keeps delivering new output until ctx is canceled (client disconnect) or the container stops. Each yielded value is a plain string of one or more complete lines without the trailing newline (the stream writer adds one per value)

func (*Server) GetRBACDynamicConfig added in v0.18.4

func (s *Server) GetRBACDynamicConfig(ctx context.Context) (*types.DynamicConfig, *types.ConfigDraft, error)

GetRBACDynamicConfig returns the live dynamic config and the staged draft (nil when there is none) for the configuration UI

func (*Server) GetSecret added in v0.18.6

func (s *Server) GetSecret(ctx context.Context, providerName, name string, reveal bool) (*types.SecretGetResponse, error)

GetSecret returns info about one stored secret. reveal additionally returns the secret value and requires the secret:reveal permission

func (*Server) InsertAuditEvent

func (s *Server) InsertAuditEvent(event *types.AuditEvent) error

InsertAuditEvent queues the event for the background audit writer. The write happens asynchronously (batched into one transaction per burst) so the request path does not block on a database write per event. A copy of the event is queued, callers can reuse the struct. Call FlushAuditEvents before reading the audit table to see previously queued events.

func (*Server) KVInitConstant added in v0.15.3

func (s *Server) KVInitConstant(ctx context.Context, keyName string, newValue []byte) ([]byte, error)

KVInitConstant initializes a constant value in the DB. If the value already exists, it returns the existing value. If the value does not exist, it inserts the new value and returns it. If another server inserts the value concurrently, it fetches the value from the DB and returns it.

func (*Server) ListAgentContainers added in v0.18.6

func (s *Server) ListAgentContainers(ctx context.Context) ([]ContainerInfo, error)

ListAgentContainers lists the app builder's agent containers (docker/podman label filter). Empty on the Kubernetes backend, where the builder is not supported. "Agent" is the app builder's AI container; "builder" containers elsewhere (kaniko) are image builds

func (*Server) ListAppAuths added in v0.18.4

func (s *Server) ListAppAuths() []string

ListAppAuths returns the auth types an app can be configured with: the built-in types followed by the oauth, saml (saml_ prefixed) and client cert auth entries configured on this server. The rbac: prefix and +forward_ modifiers are not expanded here

func (*Server) ListBindings added in v0.17.2

func (s *Server) ListBindings(ctx context.Context, source string) ([]*types.Binding, error)

func (*Server) ListConfigHistory added in v0.18.4

func (s *Server) ListConfigHistory(ctx context.Context) ([]types.ConfigHistoryEntry, error)

ListConfigHistory returns the dynamic config snapshots, newest first

func (*Server) ListKanikoBuildContainers added in v0.18.6

func (s *Server) ListKanikoBuildContainers(ctx context.Context) ([]ContainerInfo, error)

ListKanikoBuildContainers lists the kaniko image build pods (Kubernetes backend only; docker/podman builds run in-process)

func (*Server) ListManagedContainers added in v0.18.4

func (s *Server) ListManagedContainers(ctx context.Context) ([]ContainerInfo, error)

ListManagedContainers lists the containers managed by OpenRun. For docker or podman these are the containers carrying the OpenRun labels; for Kubernetes these are the pods in the OpenRun apps namespace

func (*Server) ListSecrets added in v0.18.6

func (s *Server) ListSecrets(ctx context.Context, providerName, nameGlob string) ([]types.SecretInfo, error)

ListSecrets returns info about stored secrets (never values), optionally filtered by a glob pattern on the name

func (*Server) ListServices added in v0.17.2

func (s *Server) ListServices(ctx context.Context, serviceType, name string) ([]*types.Service, error)

func (*Server) ListSyncEntries

func (s *Server) ListSyncEntries(ctx context.Context) (*types.SyncListResponse, error)

func (*Server) MatchApp

func (s *Server) MatchApp(hostHeader, matchPath string) (types.AppInfo, error)

func (*Server) ParseGlob

func (s *Server) ParseGlob(appGlob string) ([]types.AppInfo, error)

func (*Server) PrettyPrint added in v0.18.6

func (s *Server) PrettyPrint(ctx context.Context, applyPath string) (string, error)

PrettyPrint parses an existing declarative config file and re-emits it in the canonical format used by export. Starlark logic (conditionals, config() lookups, helper functions) is evaluated and replaced with literal values

func (*Server) PreviewApp

func (s *Server) PreviewApp(ctx context.Context, mainAppPath, commitId string, approve, dryRun bool) (*types.AppPreviewResponse, error)

func (*Server) PromoteApps

func (s *Server) PromoteApps(ctx context.Context, appPathGlob string, dryRun bool) (*types.AppPromoteResponse, error)

func (*Server) PublishRBACConfig added in v0.18.4

func (s *Server) PublishRBACConfig(ctx context.Context, draftVersion string, force bool) (*types.DynamicConfig, error)

PublishRBACConfig validates the draft config and swaps it live atomically. draftVersion must match the current draft (the publisher has seen the latest edits); the live config must still be the draft's base version unless force is set (a CLI file upload mid-draft surfaces here)

func (*Server) RekeySecrets added in v0.18.6

func (s *Server) RekeySecrets(ctx context.Context, providerName string) (*types.SecretRekeyResponse, error)

RekeySecrets re-encrypts stored secrets with the active master key

func (*Server) ReloadApp

func (s *Server) ReloadApp(ctx context.Context, tx types.Transaction, appEntry *types.AppEntry, stageAppEntry *types.AppEntry,
	approve, dryRun, promote bool, branch, commit, gitAuth string, repoCache *RepoCache, forceReload, verify bool) (*types.AppReloadResult, error)

func (*Server) ReloadApps

func (s *Server) ReloadApps(ctx context.Context, appPathGlob string, approve, dryRun, promote bool,
	branch, commit, gitAuth string, forceReload, verify bool) (_ *types.AppReloadResponse, retErr error)

func (*Server) ReplaceAppParams added in v0.18.4

func (s *Server) ReplaceAppParams(ctx context.Context, appPathGlob string, dryRun, promote bool, params map[string]string) (*types.AppStagedUpdateResponse, error)

ReplaceAppParams replaces all the param values for apps matching the glob. The change applies to staging and is promoted to prod when promote is set

func (*Server) RequestStop added in v0.17.8

func (s *Server) RequestStop()

func (*Server) RestoreConfig added in v0.18.4

func (s *Server) RestoreConfig(ctx context.Context, historyVersionId string, force bool) (*types.DynamicConfig, error)

RestoreConfig restores the full dynamic config from a history snapshot. The restore is validated like a publish and written as a new version, keeping the history linear. An open draft is unaffected (it CAS's against its base version at publish time)

func (*Server) RunBindingCommand added in v0.17.4

func (s *Server) RunBindingCommand(ctx context.Context, bindingName string, useStaging bool, command string) (map[string]any, error)

func (*Server) RunSync

func (s *Server) RunSync(ctx context.Context, id string, dryRun bool) (_ *types.SyncJobStatus, retErr error)

func (*Server) SaveDynamicConfig added in v0.14.10

func (s *Server) SaveDynamicConfig(ctx context.Context) error

func (*Server) SetConfigEntry added in v0.18.6

func (s *Server) SetConfigEntry(ctx context.Context, section, name string, values map[string]any, versionId string) (*types.DynamicConfig, error)

SetConfigEntry creates or replaces one dynamic config entry. Unlike RBAC changes, entry updates are not staged: the update is validated against the config schema, written as a new config version and takes effect immediately. versionId is the CAS token (the live version the caller saw); empty means last-writer-wins. Secret fields submitted with the redaction placeholder keep their stored value

func (*Server) SetConfigValue added in v0.18.6

func (s *Server) SetConfigValue(ctx context.Context, section, key string, value any, versionId string) (*types.DynamicConfig, error)

SetConfigValue sets one dynamic config field (section + dotted key). Like entries, settings updates are not staged: the change is validated against the config schema, written as a new config version and takes effect immediately. A value equal to the redaction placeholder keeps the stored value

func (*Server) StagedUpdate

func (s *Server) StagedUpdate(ctx context.Context, appPathGlob string, dryRun, promote bool, handler stagedUpdateHandler, args map[string]any, op string) (_ *types.AppStagedUpdateResponse, retErr error)

func (*Server) StagedUpdateAppsTx

func (s *Server) StagedUpdateAppsTx(ctx context.Context, tx types.Transaction, appPathGlob string, promote bool, handler stagedUpdateHandler, args map[string]any) ([]any, []types.AppPathDomain, []types.AppPathDomain, error)

func (*Server) Start

func (s *Server) Start() error

Start starts the OpenRun Server

func (*Server) StartManagedContainer added in v0.18.4

func (s *Server) StartManagedContainer(ctx context.Context, id string) error

StartManagedContainer starts a stopped OpenRun managed container

func (*Server) Stop

func (s *Server) Stop(ctx context.Context) error

Stop stops the OpenRun Server

func (*Server) StopManagedContainer added in v0.18.4

func (s *Server) StopManagedContainer(ctx context.Context, id string) error

StopManagedContainer stops a running OpenRun managed container

func (*Server) StopNotify added in v0.17.8

func (s *Server) StopNotify() <-chan struct{}

func (*Server) TokenCreate

func (s *Server) TokenCreate(ctx context.Context, appPath string, webhookType types.WebhookType, dryRun bool) (*types.TokenCreateResponse, error)

func (*Server) TokenDelete

func (s *Server) TokenDelete(ctx context.Context, appPath string, webhookType types.WebhookType, dryRun bool) (*types.TokenDeleteResponse, error)

func (*Server) TokenList

func (s *Server) TokenList(ctx context.Context, appPath string) (*types.TokenListResponse, error)

func (*Server) UpdateAppParams added in v0.18.4

func (s *Server) UpdateAppParams(ctx context.Context, appPathGlob string, dryRun, promote bool, paramName, paramValue string) (*types.AppStagedUpdateResponse, error)

UpdateAppParams updates a single param value for apps matching the glob. A value of "-" deletes the param. The change applies to staging and is promoted to prod when promote is set

func (*Server) UpdateAppSettings

func (s *Server) UpdateAppSettings(ctx context.Context, appPathGlob string, dryRun bool, updateAppRequest types.UpdateAppRequest) (*types.AppUpdateSettingsResponse, error)

func (*Server) UpdateBinding added in v0.17.2

func (s *Server) UpdateBinding(ctx context.Context, updateRequest types.UpdateBindingRequest, dryRun, promote, reapplyAll bool) (_ *types.Binding, retErr error)

func (*Server) UpdateDynamicConfig added in v0.14.10

func (s *Server) UpdateDynamicConfig(ctx context.Context, newConfig *types.DynamicConfig, force bool) (*types.DynamicConfig, error)

func (*Server) UpdateRBACDraft added in v0.18.4

func (s *Server) UpdateRBACDraft(ctx context.Context, draftVersion string,
	mutate func(*types.RBACConfig) error) (*types.ConfigDraft, error)

UpdateRBACDraft applies one mutation to the draft config. The draft is created from the live config on first edit; draftVersion is the CAS token for edits on an existing draft (two operators editing concurrently conflict instead of overwriting each other). Draft edits do not touch the live config and are not recorded in the config history

func (*Server) UpdateService added in v0.17.2

func (s *Server) UpdateService(ctx context.Context, service *types.Service, dryRun bool) error

func (*Server) VersionFiles

func (s *Server) VersionFiles(ctx context.Context, mainAppPath, version string) (*types.AppVersionFilesResponse, error)

func (*Server) VersionList

func (s *Server) VersionList(ctx context.Context, mainAppPath string) (*types.AppVersionListResponse, error)

func (*Server) VersionSwitch

func (s *Server) VersionSwitch(ctx context.Context, mainAppPath string, dryRun bool, version string) (*types.AppVersionSwitchResponse, error)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL