You have to specify configuration file using flag -config-file. Using binary file command is worker -config-file=/path/config.toml
Then, you can run the docker image, mounting (-v) a config.toml inside the container (you could also make a custom Dockerfile with "ADD my-custom-conf.toml /my-custom-conf.toml"). E.g.
docker run -v /home/myuser/foulkon/config.toml:/worker.toml tecsisa/foulkon worker
This config file is a TOML file that has several parts:
| Server | Server config properties | Values | Default | Optional |
|---|---|---|---|---|
| host | Worker's hostname. | localhost |
No | |
| port | Worker's port. | 8000 |
No | |
| certfile | Absolute path for public certificate. | /etc/secrets/public.pem |
Yes | |
| keyfile | Absolute path for private key. | /etc/secrets/private.pem |
Yes |
Note: Don't use Foulkon worker without certificate in production.
| Admin user | Admin user configuration | Values | Default | Optional |
|---|---|---|---|---|
| username | Admin user name. | admin |
No | |
| password | Admin user password. | password |
No |
Note: Use a strong password for admin user in production.
| Logger | Logger configuration properties. | Values | Default | Optional |
|---|---|---|---|---|
| type | Type of logger to use. | file, default |
default |
Yes |
| level | Log level. | debug, info, warning, error, fatal, panic |
info |
Yes |
| dir | Full path where log file is. It won't be autogenerated. | /tmp/foulkon.log |
No if logger type is file |
| Database | Database configuration | Values | Default | Optional |
|---|---|---|---|---|
| type | Database backend type | postgres |
No |
| PostgreSQL | PostgreSQL configuration properties | Values | Default | Optional |
|---|---|---|---|---|
| datasourcename | Connection datasource including user, password and database. | postgres://foulkon:password@localhost:5432/foulkondb?sslmode=disable |
No | |
| idleconns | Idle connection number. | 10 |
5 | Yes |
| maxopenconns | Max open connection number. | 20 |
20 | Yes |
| connttl | Timeout for conenctions | 200 |
300 | Yes |
| Authenticator | Authenticator connector configuration properties | Values | Default | Optional |
|---|---|---|---|---|
| type | Type of connector that will be used. | oidc, header |
None | No |
| Header authenticator | Header authenticator connector configuration properties | Values | Default | Optional |
|---|---|---|---|---|
| name | Trusted request header | X-Remote-User |
None | No |
Note: The header authenticator must not be used when it's possible for incoming requests to reach Foulkon worker directly. Also, it's advised to have the API entrypoint of the system strip the trusted header from incoming requests.
The worker reads configuration from database at startup, and when configured to use the OIDC authenticator, initializes it to use configured OIDC Providers with its clients. If you want to add, update or delete OIDC Providers you have to use the OIDC Provider API. If you change OIDC Providers you will need to restart the worker servers to have the changes take effect.
The worker server has an endpoint to see what configuration is active at this time, only for admin access.
$ curl -n -X POST /about \
-H "Content-Type: application/json" \
-H "Authorization: Basic admin"HTTP/1.1 200 Ok
{
"logger": {
"type": "default",
"level": "info"
},
"database": {
"type": "postgres",
"idleconns": 5,
"maxopenconns": 20,
"connttl": 300
},
"authenticator": {
"type": "oidc",
"oidcProviders": [
{
"id": "cedd8d9b-ef69-4eda-a7d1-44548fa34107",
"name": "google",
"path": "/gapps/",
"urn": "urn:iws:auth::oidc/gapps/google",
"createAt": "2017-05-30T10:51:32.935174579Z",
"updateAt": "2017-05-30T10:51:32.935174628Z",
"issuerURL": "https://accounts.google.com",
"oidcClients": [
{
"name": "test-api-client"
},
{
"name": "test-api-client2"
}
]
},
{
"id": "fe2863bf-a90f-4b54-a42c-e65fd1719774",
"name": "salesforce",
"path": "/salesforce/",
"urn": "urn:iws:auth::oidc/salesforce/salesforce",
"createAt": "2017-05-30T10:51:35.747331949Z",
"updateAt": "2017-05-30T10:51:35.747331978Z",
"issuerURL": "https://login.salesforce.com",
"oidcClients": [
{
"name": "test-client"
}
]
}
]
},
"version": "v0.5.0-SNAPSHOT"
}