diff --git a/cmd/all_in_one.go b/cmd/all_in_one.go
index d667aba2..6ed7c5ae 100644
--- a/cmd/all_in_one.go
+++ b/cmd/all_in_one.go
@@ -35,6 +35,9 @@ type allCmdOptions struct {
 ingressControllerOpts
 debug bool
 debugDumpConfigDiff bool
+ debugPomerium bool
+ debugEnvoy bool
+ adminBindAddr string
 configControllerShutdownTimeout time.Duration
 // metricsBindAddress must be externally accessible host:port
 metricsBindAddress string `validate:"required,hostname_port"`
@@ -81,21 +84,43 @@ func AllInOneCommand() (*cobra.Command, error) {
 return &cmd.Command, nil
 }
 
+// the below flags are not intended to be used by end users, but rather for development and debugging purposes
+// setting them to hidden to avoid confusion, as enabling them may cause sensitive information to be logged or exposed
+const (
+ debug = "debug"
+ debugPomerium = "debug-pomerium"
+ debugEnvoy = "debug-envoy"
+ debugAdminBindAddr = "debug-admin-addr"
+ debugDumpConfigDiff = "debug-dump-config-diff"
+ configControllerShutdown = "config-controller-shutdown"
+)
+
+var hidden = []string{
+ debugPomerium,
+ debugEnvoy,
+ debugAdminBindAddr,
+ debugDumpConfigDiff,
+}
+
 func (s *allCmd) setupFlags() error {
 flags := s.PersistentFlags()
 flags.BoolVar(&s.debug, debug, false, "enable debug logging")
 flags.BoolVar(&s.debugDumpConfigDiff, debugDumpConfigDiff, false, "development dump of config diff, don't use in production")
- if err := flags.MarkHidden(debugDumpConfigDiff); err != nil {
- return err
- }
+ flags.BoolVar(&s.debugPomerium, debugPomerium, false, "enable debug logging for pomerium")
+ flags.BoolVar(&s.debugEnvoy, debugEnvoy, false, "enable debug logging for envoy")
 flags.StringVar(&s.metricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics. host is mandatory")
+ flags.StringVar(&s.adminBindAddr, debugAdminBindAddr, "", "host:port for admin server")
 flags.StringVar(&s.serverAddr, "server-addr", ":8443", "the address the HTTPS server would bind to")
 flags.StringVar(&s.httpRedirectAddr, "http-redirect-addr", ":8080", "the address HTTP redirect would bind to")
 flags.StringVar(&s.deriveTLS, "databroker-auto-tls", "", "enable auto TLS and generate server certificate for the domain")
- flags.DurationVar(&s.configControllerShutdownTimeout, "config-controller-shutdown", time.Second*30, "timeout waiting for graceful config controller shutdown")
- if err := flags.MarkHidden("config-controller-shutdown"); err != nil {
- return err
+ flags.DurationVar(&s.configControllerShutdownTimeout, configControllerShutdown, time.Second*30, "timeout waiting for graceful config controller shutdown")
+
+ for _, flag := range hidden {
+ if err := s.PersistentFlags().MarkHidden(flag); err != nil {
+ return fmt.Errorf("failed to mark %s flag: %w", flag, err)
+ }
 }
+
 s.ingressControllerOpts.setupFlags(flags)
 return viperWalk(flags)
 }
@@ -220,6 +245,15 @@ func (s *allCmdParam) makeBootstrapConfig(opt allCmdOptions) error {
 },
 }
 
+ if opt.debugPomerium {
+ s.cfg.Options.LogLevel = "debug"
+ }
+ if opt.debugEnvoy {
+ s.cfg.Options.ProxyLogLevel = "debug"
+ s.cfg.Options.LogLevel = "debug"
+ }
+ s.cfg.Options.EnvoyAdminAddress = opt.adminBindAddr
+
 return nil
 }
 
diff --git a/cmd/ingress_opts.go b/cmd/ingress_opts.go
index 4c1340ad..15c3a40c 100644
--- a/cmd/ingress_opts.go
+++ b/cmd/ingress_opts.go
@@ -25,8 +25,6 @@ const (
 annotationPrefix = "prefix"
 namespaces = "namespaces"
 sharedSecret = "shared-secret"
- debug = "debug"
- debugDumpConfigDiff = "debug-dump-config-diff"
 updateStatusFromService = "update-status-from-service"
 globalSettings = "pomerium-config"
 )
diff --git a/cspell.config.yaml b/cspell.config.yaml
index 020bdde8..49be2791 100644
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
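Review bot: `config-controller-shutdown` stops being hidden with this change to `setupFlags` (cmd/all_in_one.go): the removed lines called `flags.MarkHidden("config-controller-shutdown")`, but the new `hidden` slice lists only the four debug flags. If that is not intended, add `configControllerShutdown,` to `hidden`. The comment above the const block also reads as if every name in the block is hidden, while `debug` is deliberately public; attaching the comment to `hidden` instead would make the contract clear. As a style point, the loop can reuse the local `flags` rather than calling `s.PersistentFlags()` again, and the wrapped error would read better as `fmt.Errorf("hiding flag %q: %w", flag, err)`.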
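Review bot: In `makeBootstrapConfig` (cmd/all_in_one.go), `s.cfg.Options.EnvoyAdminAddress = opt.adminBindAddr` passes the `--debug-admin-addr` value through unchecked, and the new `adminBindAddr` field has no `validate` tag, unlike `metricsBindAddress`. Envoy's admin interface has no authentication and can dump configuration and change server state, so a wildcard or non-loopback host exposes it to anything that can reach that address. I would tag the field `validate:"omitempty,hostname_port"`, assign only when it is set (`if opt.adminBindAddr != "" { ... }`), and reject or at least warn on a non-loopback host. A short comment on the two debug branches noting that `debugEnvoy` also raises `LogLevel` would help too. The function body starts outside the hunk.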
@@ -11,6 +11,7 @@ words:
 - protobuf
 - oidc
 - readyz
+ - sharedkey
 - sslcert
 - sslkey
 - sslrootcert
diff --git a/go.mod b/go.mod
index f3b76730..20338191 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/martinlindhe/base36 v1.1.1
 github.com/open-policy-agent/opa v0.51.0
 github.com/pomerium/csrf v1.7.0
- github.com/pomerium/pomerium v0.20.1-0.20230417224458-b7d846464cf2
+ github.com/pomerium/pomerium v0.20.1-0.20230421153948-65e0fcb667a6
 github.com/sergi/go-diff v1.3.1
 github.com/spf13/cobra v1.7.0
 github.com/spf13/pflag v1.0.5
@@ -207,6 +207,7 @@ require (
 github.com/libdns/libdns v0.2.1 // indirect
 github.com/lufeee/execinquery v1.2.1 // indirect
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+ github.com/lyft/protoc-gen-star/v2 v2.0.1 // indirect
 github.com/magiconair/properties v1.8.7 // indirect
 github.com/mailru/easyjson v0.7.6 // indirect
 github.com/maratori/testableexamples v1.0.0 // indirect
@@ -308,6 +309,7 @@ require (
 golang.org/x/crypto v0.8.0 // indirect
 golang.org/x/exp v0.0.0-20220930202632-ec3f01382ef9 // indirect
 golang.org/x/exp/typeparams v0.0.0-20230224173230-c95f2b4c22f2 // indirect
+ golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 golang.org/x/mod v0.9.0 // indirect
 golang.org/x/net v0.9.0 // indirect
 golang.org/x/oauth2 v0.7.0 // indirect
diff --git a/go.sum b/go.sum
index b2d6c3f6..868fb75f 100644
--- a/go.sum
+++ b/go.sum
@@ -624,6 +624,8 @@ github.com/lufeee/execinquery v1.2.1 h1:hf0Ems4SHcUGBxpGN7Jz78z1ppVkP/837ZlETPCE github.com/lufeee/execinquery v1.2.1/go.mod h1:EC7DrEKView09ocscGHC+apXMIaorh4xqSxS/dy8SbM= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= +github.com/lyft/protoc-gen-star/v2 v2.0.1 h1:keaAo8hRuAT0O3DfJ/wM3rufbAjGeJ1lAtWZHDjKGB0= +github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= 
@@ -748,8 +750,8 @@ github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY= github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw= github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis= github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0= -github.com/pomerium/pomerium v0.20.1-0.20230417224458-b7d846464cf2 h1:GkxNP7yqOR2AjGynipRP28CwBf7r8rpqDbux1nUW1co= -github.com/pomerium/pomerium v0.20.1-0.20230417224458-b7d846464cf2/go.mod h1:Tjid/Zcu6FnkqD8VvuPlxiqcnM0PBW/67pYsnn2RAUM= +github.com/pomerium/pomerium v0.20.1-0.20230421153948-65e0fcb667a6 h1:avTNhVhVZ4spOSa3Zf45HfNeq1P+gOhoehfveKVklA4= +github.com/pomerium/pomerium v0.20.1-0.20230421153948-65e0fcb667a6/go.mod h1:Tjid/Zcu6FnkqD8VvuPlxiqcnM0PBW/67pYsnn2RAUM= github.com/pomerium/webauthn v0.0.0-20221118023040-00a9c430578b h1:oll/aOfJudnqFAwCvoXK9+WN2zVjTzHVPLXCggHQmHk= github.com/pomerium/webauthn v0.0.0-20221118023040-00a9c430578b/go.mod h1:KswTenBBh4y1pmhU2dpm8VgJQCgSErCg7OOFTeebrNc= github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= 
@@ -1041,6 +1043,8 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=