* refactor middleware options
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use ocmemstore micro store implementaiton for token cache
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* refactor ocis store options, support redis sentinel
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* align cache configuration
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* database and tabe are used to build prefixes for inmemory stores
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add global persistent store options to userlog config
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* log cache errors but continue
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drup unnecessary type conversion
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Better description for the default userinfo ttl
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use global cache options for even more caches
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* don't log userinfo cache misses
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* default to stock memory store
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use correct mem store typo string
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* split cache options, doc cleanup
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* mint and write userinfo to cache async
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* use hashed token as key
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* go mod tidy
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update docs
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update cache store naming
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bring back depreceted ocis-pkg/store package for backwards compatability
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update changelog
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Apply suggestions from code review
Co-authored-by: kobergj <jkoberg@owncloud.com>
* revert ocis-pkg/cache to store rename
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* add waiting for each step 50 milliseconds
* starlack check
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: kobergj <jkoberg@owncloud.com>
Co-authored-by: Viktor Scharf <scharf.vi@gmail.com>
* upgrade to go1.19 and set go mem limit
* create ocis-pkg memlimit package
* use std automemlimit import
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* import automemlimit in every ocis service, drop ocis-pkg/memlimit package
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bump go to 1.20
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* drop unused config options and env vars
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update all version numbers, add doc
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix lint
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update bingo and mockery
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* bump golangci-lint
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix selector test
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Update changelog/unreleased/enhancement-memlimit.md
Co-authored-by: kobergj <juliankoberg@googlemail.com>
---------
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Willy Kloucek <wkloucek@owncloud.com>
Co-authored-by: kobergj <juliankoberg@googlemail.com>
For certain setups we don't need the ADMIN_USER_ID to be set. It is
mainly needed for bootstrapping the internal idm and the initial role
assignment. If roles are assigned by other means (e.g. OIDC claims
in the future) we don't need it.
This makes the ADMIN_USER_ID optional, also if ADMIN_USER_ID is unset
we don't need to configure a password for the admin user. We will still
generated the admin_id and password when running 'ocis init', but it is
ok to run manual setups without those settings.
* add policies service
add policies proxy middleware
add policies event service
add policies grpc service
prepare ci and git environments (ci, make, readme, doc)
* add webfinger to the drone conf
* fix docs
remove not used virus scan postprocessing step
* relocate example rego file
implicitly enable and disable proxy and postprocessing policy checking by setting the query.
update configuration descriptions
* move policies
update readme
* use converter func to convert pp environment to actual environment
expose and test custom rego functions
add engine unit tests
add opa unit tests
update policies readme
Co-authored-by: Martin <github@diemattels.at>
* relocate sample policies to the deployments folder
change and document policies service port
* update index.md and small fix
* add health command
add version command
add debug server
---------
Co-authored-by: Martin <github@diemattels.at>
* Remove unused code from oidc module
* Use already existing Metadata type for jwks discovery
ocis-pkg/oidc already provides a type for the oidc metadata. Switch to
that instead of defining yet another custom type.
* oidc: Add helper to get IDP metadata
TLS for the services can be configure by setting the "OCIS_HTTP_TLS_ENABLED",
"OCIS_HTTP_TLS_CERTIFICATE" and "OCIS_HTTP_TLS_KEY" environment variables.
Currently the ocis proxy is this only service that directly accesses backend
services. It determines whether to use TLS or not by looking a the new registry
metadata "use_tls". As specific CA Cert for certificate verification
can be set with the "PROXY_HTTPS_CACERT" environment variable.
* Introduce TLS Settings for go-micro based grpc services and clients
TLS for the services can be configure by setting the OCIS_MICRO_GRPC_TLS_ENABLED"
"OCIS_MICRO_GRPC_TLS_CERTIFICATE" and "OCIS_MICRO_GRPC_TLS_KEY"
enviroment variables.
TLS for the clients can configured by setting the "OCIS_MICRO_GRPC_CLIENT_TLS_MODE"
and "OCIS_MICRO_GRPC_CLIENT_TLS_CACERT" variables.
By default TLS is disabled.
Co-authored-by: Martin <github@diemattels.at>
* Unify TLS configuration for all grpc services
All grpc service (whether they're based on reva) or go-micro use the
same set of config vars now.
TLS for the services can be configure by setting the OCIS_GRPC_TLS_ENABLED,
OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY enviroment variables.
TLS for the clients can configured by setting the OCIS_GRPC_CLIENT_TLS_MODE
and OCIS_MICRO_GRPC_CLIENT_TLS_CACERT variables.
There are no individual per service config vars currently. If really
needed, per service tls configurations can be specified via config file.
Co-authored-by: Martin <github@diemattels.at>
Co-authored-by: Martin <github@diemattels.at>
* use tls for nats connections
* add config options for nats client tls config
* add nats tls config to CI
* add function to create a certpool
* add option to provide a rootCA to validate the server's TLS certificate
* add option to provide a rootCA to validate the server's TLS certificate
* add option to provide a rootCA to validate the server's TLS certificate
* add option to provide a rootCA to validate the server's TLS certificate
* configure nats clients in reva to use tls
* bring back CORS env vars
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* update CORS descriptions
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* align writing of 'A comma-separated ...'
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* fix some desc quotes
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
* Apply suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* Apply more suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
* Apply final suggestions from code review
Co-authored-by: Martin <github@diemattels.at>
Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Martin <github@diemattels.at>
Use OCIS_URL as the link base. This change also makes sure that the
top-level OcisURL config value gets a default assigned, even when
OCIS_URL is unset.
Fixes: #4688
This avoids various issues of the old "mdns" default. At least for the simple
single process setup (#3134, #4597). When starting the services individually we
still default to "mdns".
This avoids using a public global variable. It allows us to initialize
the default client a bit later (outside of init()). That way we can e.g.
properly initialize the in-memory registry.
kobergj