debug: add some additional runtime flags (pomerium#602)

* add debug runtime flags

* cspell

cmd/all_in_one.go

@@ -35,6 +35,9 @@ type allCmdOptions struct {
 	ingressControllerOpts
 	debug                           bool
 	debugDumpConfigDiff             bool
+	debugPomerium                   bool
+	debugEnvoy                      bool
+	adminBindAddr                   string
 	configControllerShutdownTimeout time.Duration
 	// metricsBindAddress must be externally accessible host:port
 	metricsBindAddress string `validate:"required,hostname_port"`
@@ -81,21 +84,43 @@ func AllInOneCommand() (*cobra.Command, error) {
 	return &cmd.Command, nil
 }
 
+// the below flags are not intended to be used by end users, but rather for development and debugging purposes
+// setting them to hidden to avoid confusion, as enabling them may cause sensitive information to be logged or exposed
+const (
+	debug                    = "debug"
+	debugPomerium            = "debug-pomerium"
+	debugEnvoy               = "debug-envoy"
+	debugAdminBindAddr       = "debug-admin-addr"
+	debugDumpConfigDiff      = "debug-dump-config-diff"
+	configControllerShutdown = "config-controller-shutdown"
+)
+
+var hidden = []string{
+	debugPomerium,
+	debugEnvoy,
+	debugAdminBindAddr,
+	debugDumpConfigDiff,
+}
+
 func (s *allCmd) setupFlags() error {
 	flags := s.PersistentFlags()
 	flags.BoolVar(&s.debug, debug, false, "enable debug logging")
 	flags.BoolVar(&s.debugDumpConfigDiff, debugDumpConfigDiff, false, "development dump of config diff, don't use in production")
-	if err := flags.MarkHidden(debugDumpConfigDiff); err != nil {
-		return err
-	}
+	flags.BoolVar(&s.debugPomerium, debugPomerium, false, "enable debug logging for pomerium")
+	flags.BoolVar(&s.debugEnvoy, debugEnvoy, false, "enable debug logging for envoy")
 	flags.StringVar(&s.metricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics. host is mandatory")
+	flags.StringVar(&s.adminBindAddr, debugAdminBindAddr, "", "host:port for admin server")
 	flags.StringVar(&s.serverAddr, "server-addr", ":8443", "the address the HTTPS server would bind to")
 	flags.StringVar(&s.httpRedirectAddr, "http-redirect-addr", ":8080", "the address HTTP redirect would bind to")
 	flags.StringVar(&s.deriveTLS, "databroker-auto-tls", "", "enable auto TLS and generate server certificate for the domain")
-	flags.DurationVar(&s.configControllerShutdownTimeout, "config-controller-shutdown", time.Second*30, "timeout waiting for graceful config controller shutdown")
-	if err := flags.MarkHidden("config-controller-shutdown"); err != nil {
-		return err
+	flags.DurationVar(&s.configControllerShutdownTimeout, configControllerShutdown, time.Second*30, "timeout waiting for graceful config controller shutdown")
+
+	for _, flag := range hidden {
+		if err := s.PersistentFlags().MarkHidden(flag); err != nil {
+			return fmt.Errorf("failed to mark %s flag: %w", flag, err)
+		}
 	}
+
 	s.ingressControllerOpts.setupFlags(flags)
 	return viperWalk(flags)
 }
@@ -220,6 +245,15 @@ func (s *allCmdParam) makeBootstrapConfig(opt allCmdOptions) error {
 		},
 	}
 
+	if opt.debugPomerium {
+		s.cfg.Options.LogLevel = "debug"
+	}
+	if opt.debugEnvoy {
+		s.cfg.Options.ProxyLogLevel = "debug"
+		s.cfg.Options.LogLevel = "debug"
+	}
+	s.cfg.Options.EnvoyAdminAddress = opt.adminBindAddr
+
 	return nil
 }
 

cmd/ingress_opts.go

@@ -25,8 +25,6 @@ const (
 	annotationPrefix           = "prefix"
 	namespaces                 = "namespaces"
 	sharedSecret               = "shared-secret"
-	debug                      = "debug"
-	debugDumpConfigDiff        = "debug-dump-config-diff"
 	updateStatusFromService    = "update-status-from-service"
 	globalSettings             = "pomerium-config"
 )

cspell.config.yaml

@@ -11,6 +11,7 @@ words:
   - protobuf
   - oidc
   - readyz
+  - sharedkey
   - sslcert
   - sslkey
   - sslrootcert

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/martinlindhe/base36 v1.1.1
 	github.com/open-policy-agent/opa v0.51.0
 	github.com/pomerium/csrf v1.7.0
-	github.com/pomerium/pomerium v0.20.1-0.20230417224458-b7d846464cf2
+	github.com/pomerium/pomerium v0.20.1-0.20230421153948-65e0fcb667a6
 	github.com/sergi/go-diff v1.3.1
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
@@ -207,6 +207,7 @@ require (
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/lufeee/execinquery v1.2.1 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/lyft/protoc-gen-star/v2 v2.0.1 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/maratori/testableexamples v1.0.0 // indirect
@@ -308,6 +309,7 @@ require (
 	golang.org/x/crypto v0.8.0 // indirect
 	golang.org/x/exp v0.0.0-20220930202632-ec3f01382ef9 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20230224173230-c95f2b4c22f2 // indirect
+	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/net v0.9.0 // indirect
 	golang.org/x/oauth2 v0.7.0 // indirect

go.sum

@@ -624,6 +624,8 @@ github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCE
 github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/lyft/protoc-gen-star/v2 v2.0.1 h1:keaAo8hRuAT0O3DfJ/wM3rufbAjGeJ1lAtWZHDjKGB0=
+github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
@@ -748,8 +750,8 @@ github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY=
 github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
-github.com/pomerium/pomerium v0.20.1-0.20230417224458-b7d846464cf2 h1:GkxNP7yqOR2AjGynipRP28CwBf7r8rpqDbux1nUW1co=
-github.com/pomerium/pomerium v0.20.1-0.20230417224458-b7d846464cf2/go.mod h1:Tjid/Zcu6FnkqD8VvuPlxiqcnM0PBW/67pYsnn2RAUM=
+github.com/pomerium/pomerium v0.20.1-0.20230421153948-65e0fcb667a6 h1:avTNhVhVZ4spOSa3Zf45HfNeq1P+gOhoehfveKVklA4=
+github.com/pomerium/pomerium v0.20.1-0.20230421153948-65e0fcb667a6/go.mod h1:Tjid/Zcu6FnkqD8VvuPlxiqcnM0PBW/67pYsnn2RAUM=
 github.com/pomerium/webauthn v0.0.0-20221118023040-00a9c430578b h1:oll/aOfJudnqFAwCvoXK9+WN2zVjTzHVPLXCggHQmHk=
 github.com/pomerium/webauthn v0.0.0-20221118023040-00a9c430578b/go.mod h1:KswTenBBh4y1pmhU2dpm8VgJQCgSErCg7OOFTeebrNc=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw=
@@ -1041,6 +1043,8 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=