refactor server CLI and configuration

This commit simplifies the KES server CLI
and configuration based on an internal
design review.

From now on, the KES server only accepts
YAML configuration since the most common
why to use/deploy a KES server is as (docker)
container resp. as K8S pod.
Some configuration fields have changed as well.
For example the previous Vault key store `name`
field has been replaced by the `prefix` field.

Further, this commit simplifies the server
CLI. The TLS private key can be specified
via `--key` and the certificate via `--cert`
(Same as for curl).

Further, the authentication can now be disabled
via `--auth=off` or explicitly enabled via
`--auth=on`. As before mTLS authentication
verification is enabled by default.
(`--auth=on` is the default)

cmd/kes/config.go

@@ -5,93 +5,87 @@
 package main
 
 import (
-	"fmt"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/minio/kes"
-	"github.com/pelletier/go-toml"
 	"gopkg.in/yaml.v2"
 )
 
 type serverConfig struct {
-	Addr string       `toml:"address" yaml:"address"`
-	Root kes.Identity `toml:"root" yaml:"root"`
+	Addr string       `yaml:"address"`
+	Root kes.Identity `yaml:"root"`
 
 	TLS struct {
-		KeyPath  string `toml:"key" yaml:"key"`
-		CertPath string `toml:"cert" yaml:"cert"`
+		KeyPath  string `yaml:"key"`
+		CertPath string `yaml:"cert"`
 		Proxy    struct {
-			Identities []kes.Identity `toml:"identities" yaml:"identities"`
+			Identities []kes.Identity `yaml:"identities"`
 			Header     struct {
-				ClientCert string `toml:"cert" yaml:"cert"`
-			} `toml:"header" yaml:"header"`
-		} `toml:"proxy" yaml:"proxy"`
-	} `toml:"tls" yaml:"tls"`
+				ClientCert string `yaml:"cert"`
+			} `yaml:"header"`
+		} `yaml:"proxy"`
+	} `yaml:"tls"`
 
 	Policies map[string]struct {
-		Paths      []string       `toml:"paths" yaml:"paths"`
-		Identities []kes.Identity `toml:"identities" yaml:"identities"`
-	} `toml:"policy" yaml:"policy"`
+		Paths      []string       `yaml:"paths"`
+		Identities []kes.Identity `yaml:"identities"`
+	} `yaml:"policy"`
 
 	Cache struct {
 		Expiry struct {
-			All    time.Duration `toml:"all" yaml:"all"`
-			Unused time.Duration `toml:"unused" yaml:"unused"`
-		} `toml:"expiry" yaml:"expiry"`
-	} `toml:"cache" yaml:"cache"`
+			Any    time.Duration `yaml:"any"`
+			Unused time.Duration `yaml:"unused"`
+		} `yaml:"expiry"`
+	} `yaml:"cache"`
 
 	Log struct {
-		Error struct {
-			Files []string `toml:"file" yaml:"file"`
-		} `toml:"error" yaml:"error"`
-		Audit struct {
-			Files []string `toml:"file" yaml:"file"`
-		} `toml:"audit" yaml:"audit"`
-	} `toml:"log" yaml:"log"`
-
-	KeyStore struct {
+		Error string `yaml:"error"`
+		Audit string `yaml:"audit"`
+	} `yaml:"log"`
+
+	Keys struct {
 		Fs struct {
-			Dir string `toml:"path" yaml:"path"`
-		} `toml:"fs" yaml:"fs"`
+			Path string `yaml:"path"`
+		} `yaml:"fs"`
 
 		Vault struct {
-			Addr      string `toml:"address" yaml:"address"`
-			Name      string `toml:"name" yaml:"name"`
-			Namespace string `toml:"namespace" yaml:"namespace"`
+			Endpoint  string `yaml:"endpoint"`
+			Namespace string `yaml:"namespace"`
+
+			Prefix string `yaml:"prefix"`
 
 			AppRole struct {
-				ID     string        `toml:"id" yaml:"id"`
-				Secret string        `toml:"secret" yaml:"secret"`
-				Retry  time.Duration `toml:"retry" yaml:"retry"`
-			} `toml:"approle" yaml:"approle"`
+				ID     string        `yaml:"id"`
+				Secret string        `yaml:"secret"`
+				Retry  time.Duration `yaml:"retry"`
+			} `yaml:"approle"`
 
 			TLS struct {
-				KeyPath  string `toml:"key" yaml:"key"`
-				CertPath string `toml:"cert" yaml:"cert"`
-				CAPath   string `toml:"ca" yaml:"ca"`
-			} `toml:"tls" yaml:"tls"`
+				KeyPath  string `yaml:"key"`
+				CertPath string `yaml:"cert"`
+				CAPath   string `yaml:"ca"`
+			} `yaml:"tls"`
 
 			Status struct {
-				Ping time.Duration `toml:"ping" yaml:"ping"`
-			} `toml:"status" yaml:"status"`
-		} `toml:"vault" yaml:"vault"`
+				Ping time.Duration `yaml:"ping"`
+			} `yaml:"status"`
+		} `yaml:"vault"`
 
 		Aws struct {
 			SecretsManager struct {
-				Addr     string `toml:"address" yaml:"address"`
-				Region   string `toml:"region" yaml:"region"`
-				KmsKeyID string `toml:"kms_key_id" yaml:"kms_key_id"`
+				Endpoint string `yaml:"endpoint"`
+				Region   string `yaml:"region"`
+				KmsKey   string ` yaml:"kmskey"`
 
 				Login struct {
-					AccessKey    string `toml:"access_key" yaml:"access_key"`
-					SecretKey    string `toml:"secret_key" yaml:"secret_key"`
-					SessionToken string `toml:"session_token" yaml:"session_token"`
-				} `toml:"credentials" yaml:"credentials"`
-			} `toml:"secrets_manager" yaml:"secrets_manager"`
-		} `toml:"aws" yaml:"aws"`
-	} `toml:"keystore" yaml:"keystore"`
+					AccessKey    string `yaml:"accesskey"`
+					SecretKey    string `yaml:"secretkey"`
+					SessionToken string `yaml:"token"`
+				} `yaml:"credentials"`
+			} `yaml:"secretsmanager"`
+		} `yaml:"aws"`
+	} `yaml:"keys"`
 }
 
 func loadServerConfig(path string) (config serverConfig, err error) {
@@ -103,26 +97,9 @@ func loadServerConfig(path string) (config serverConfig, err error) {
 	if err != nil {
 		return config, err
 	}
-	defer file.Close()
-
-	switch {
-	case strings.HasSuffix(path, ".yaml"):
-		err = yaml.NewDecoder(file).Decode(&config)
-		return config, err
-	case strings.HasSuffix(path, ".toml"):
-		err = toml.NewDecoder(file).Decode(&config)
-		return config, err
-	default:
-		// First, try yaml. If that fails due to an invalid yaml
-		// file, try toml.
-		if err = yaml.NewDecoder(file).Decode(&config); err != nil {
-			if _, ok := err.(*yaml.TypeError); ok {
-				if err = toml.NewDecoder(file).Decode(&config); err != nil {
-					return config, fmt.Errorf("%s is neither a valid yaml nor toml file", path)
-				}
-				return config, err
-			}
-		}
+	if err = yaml.NewDecoder(file).Decode(&config); err != nil {
+		file.Close()
 		return config, err
 	}
+	return config, file.Close()
 }