feat(krane): migrate Krane service to file-based TOML config

cmd/frontline/BUILD.bazel

@@ -7,6 +7,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
+        "//pkg/config",
         "//pkg/uid",
         "//svc/frontline",
     ],

cmd/frontline/main.go

@@ -2,9 +2,9 @@ package frontline
 
 import (
 	"context"
-	"time"
 
 	"github.com/unkeyed/unkey/pkg/cli"
+	"github.com/unkeyed/unkey/pkg/config"
 	"github.com/unkeyed/unkey/pkg/uid"
 	"github.com/unkeyed/unkey/svc/frontline"
 )
@@ -19,114 +19,19 @@ var Cmd = &cli.Command{
 	Name:        "frontline",
 	Usage:       "Run the Unkey Frontline server (multi-tenant frontline)",
 	Flags: []cli.Flag{
-		// Server Configuration
-		cli.Int("http-port", "HTTP port for the Gate server to listen on. Default: 7070",
-			cli.Default(7070), cli.EnvVar("UNKEY_HTTP_PORT")),
-
-		cli.Int("https-port", "HTTPS port for the Gate server to listen on. Default: 7443",
-			cli.Default(7443), cli.EnvVar("UNKEY_HTTPS_PORT")),
-
-		cli.Bool("tls-enabled", "Enable TLS termination for the frontline. Default: true",
-			cli.Default(true), cli.EnvVar("UNKEY_TLS_ENABLED")),
-
-		cli.String("tls-cert-file", "Path to TLS certificate file (dev mode)",
-			cli.EnvVar("UNKEY_TLS_CERT_FILE")),
-
-		cli.String("tls-key-file", "Path to TLS key file (dev mode)",
-			cli.EnvVar("UNKEY_TLS_KEY_FILE")),
-
-		cli.String("region", "The cloud region with platform, e.g. us-east-1.aws",
-			cli.Required(),
-			cli.EnvVar("UNKEY_REGION"),
-		),
-
-		cli.String("frontline-id", "Unique identifier for this instance. Auto-generated if not provided.",
-			cli.Default(uid.New("frontline", 4)), cli.EnvVar("UNKEY_GATE_ID")),
-
-		cli.String("default-cert-domain", "Domain to use for fallback TLS certificate when a domain has no cert configured",
-			cli.EnvVar("UNKEY_DEFAULT_CERT_DOMAIN")),
-
-		cli.String("apex-domain", "Apex domain for region routing. Cross-region requests forwarded to frontline.{region}.{apex-domain}. Example: unkey.cloud",
-			cli.Default("unkey.cloud"), cli.EnvVar("UNKEY_APEX_DOMAIN")),
-
-		// Database Configuration - Partitioned (for hostname lookups)
-		cli.String("database-primary", "MySQL connection string for partitioned primary database (frontline operations). Required. Example: user:pass@host:3306/unkey?parseTime=true",
-			cli.Required(), cli.EnvVar("UNKEY_DATABASE_PRIMARY")),
-
-		cli.String("database-replica", "MySQL connection string for partitioned read-replica (frontline operations). Format same as database-primary.",
-			cli.EnvVar("UNKEY_DATABASE_REPLICA")),
-
-		// Observability
-		cli.Bool("otel", "Enable OpenTelemetry tracing and metrics",
-			cli.EnvVar("UNKEY_OTEL")),
-		cli.Float("otel-trace-sampling-rate", "Sampling rate for OpenTelemetry traces (0.0-1.0). Only used when --otel is provided. Default: 0.25",
-			cli.Default(0.25), cli.EnvVar("UNKEY_OTEL_TRACE_SAMPLING_RATE")),
-		cli.Int("prometheus-port", "Enable Prometheus /metrics endpoint on specified port. Set to 0 to disable.", cli.EnvVar("UNKEY_PROMETHEUS_PORT")),
-
-		// Vault Configuration
-		cli.String("vault-url", "URL of the remote vault service (e.g., http://vault:8080)",
-			cli.EnvVar("UNKEY_VAULT_URL")),
-		cli.String("vault-token", "Authentication token for the vault service",
-			cli.EnvVar("UNKEY_VAULT_TOKEN")),
-
-		cli.Int("max-hops", "Maximum number of hops allowed for a request",
-			cli.Default(10), cli.EnvVar("UNKEY_MAX_HOPS")),
-
-		cli.String("ctrl-addr", "Address of the control plane",
-			cli.Default("localhost:8080"), cli.EnvVar("UNKEY_CTRL_ADDR")),
-
-		// Logging Sampler Configuration
-		cli.Float("log-sample-rate", "Baseline probability (0.0-1.0) of emitting log events. Default: 1.0",
-			cli.Default(1.0), cli.EnvVar("UNKEY_LOG_SAMPLE_RATE")),
-		cli.Duration("log-slow-threshold", "Duration threshold for slow event sampling. Default: 1s",
-			cli.Default(time.Second), cli.EnvVar("UNKEY_LOG_SLOW_THRESHOLD")),
+		cli.String("config", "Path to a TOML config file",
+			cli.Default("unkey.toml"), cli.EnvVar("UNKEY_CONFIG")),
 	},
 	Action: action,
 }
 
 func action(ctx context.Context, cmd *cli.Command) error {
-	config := frontline.Config{
-		// Basic configuration
-		FrontlineID: cmd.String("frontline-id"),
-		Image:       cmd.String("image"),
-		Region:      cmd.String("region"),
-
-		// HTTP configuration
-		HttpPort:  cmd.Int("http-port"),
-		HttpsPort: cmd.Int("https-port"),
-
-		// TLS configuration
-		EnableTLS:   cmd.Bool("tls-enabled"),
-		TLSCertFile: cmd.String("tls-cert-file"),
-		TLSKeyFile:  cmd.String("tls-key-file"),
-		ApexDomain:  cmd.String("apex-domain"),
-		MaxHops:     cmd.Int("max-hops"),
-
-		// Control Plane Configuration
-		CtrlAddr: cmd.String("ctrl-addr"),
-
-		// Partitioned Database configuration (for hostname lookups)
-		DatabasePrimary:         cmd.String("database-primary"),
-		DatabaseReadonlyReplica: cmd.String("database-replica"),
-
-		// OpenTelemetry configuration
-		OtelEnabled:           cmd.Bool("otel"),
-		OtelTraceSamplingRate: cmd.Float("otel-trace-sampling-rate"),
-		PrometheusPort:        cmd.Int("prometheus-port"),
-
-		// Vault configuration
-		VaultURL:   cmd.String("vault-url"),
-		VaultToken: cmd.String("vault-token"),
-
-		// Logging sampler configuration
-		LogSampleRate:    cmd.Float("log-sample-rate"),
-		LogSlowThreshold: cmd.Duration("log-slow-threshold"),
-	}
-
-	err := config.Validate()
+	cfg, err := config.Load[frontline.Config](cmd.String("config"))
 	if err != nil {
-		return err
+		return cli.Exit("Failed to load config: "+err.Error(), 1)
 	}
 
-	return frontline.Run(ctx, config)
+	cfg.FrontlineID = uid.New("frontline", 4)
+
+	return frontline.Run(ctx, cfg)
 }

cmd/krane/BUILD.bazel

@@ -7,7 +7,8 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
-        "//pkg/uid",
+        "//pkg/clock",
+        "//pkg/config",
         "//svc/krane",
     ],
 )

cmd/krane/main.go

@@ -2,10 +2,10 @@ package krane
 
 import (
 	"context"
-	"time"
 
 	"github.com/unkeyed/unkey/pkg/cli"
-	"github.com/unkeyed/unkey/pkg/uid"
+	"github.com/unkeyed/unkey/pkg/clock"
+	"github.com/unkeyed/unkey/pkg/config"
 	"github.com/unkeyed/unkey/svc/krane"
 )
 
@@ -21,113 +21,21 @@ var Cmd = &cli.Command{
 It manages the lifecycle of deployments in a kubernetes cluster:
 
 EXAMPLES:
-unkey run krane                                   # Run with default configuration`,
+  unkey run krane --config /etc/unkey/krane.toml`,
 	Flags: []cli.Flag{
-		// Server Configuration
-		cli.String("control-plane-url",
-			"URL of the control plane to connect to",
-			cli.Default("https://control.unkey.cloud"),
-			cli.EnvVar("UNKEY_CONTROL_PLANE_URL"),
-		),
-		cli.String("control-plane-bearer",
-			"Bearer token for authenticating with the control plane",
-			cli.Default(""),
-			cli.EnvVar("UNKEY_CONTROL_PLANE_BEARER"),
-		),
-
-		// Instance Identification
-		cli.String("instance-id",
-			"Unique identifier for this instance. Auto-generated if not provided.",
-			cli.Default(uid.New(uid.InstancePrefix, 4)),
-			cli.EnvVar("UNKEY_INSTANCE_ID"),
-		),
-		cli.String("region",
-			"The cloud region with platform, e.g. us-east-1.aws",
-			cli.Required(),
-			cli.EnvVar("UNKEY_REGION"),
-		),
-
-		cli.String("registry-url",
-			"URL of the container registry for pulling images. Example: registry.depot.dev",
-			cli.EnvVar("UNKEY_REGISTRY_URL"),
-		),
-
-		cli.String("registry-username",
-			"Username for authenticating with the container registry.",
-			cli.EnvVar("UNKEY_REGISTRY_USERNAME"),
-		),
-
-		cli.String("registry-password",
-			"Password/token for authenticating with the container registry.",
-			cli.EnvVar("UNKEY_REGISTRY_PASSWORD"),
-		),
-
-		cli.Int("prometheus-port",
-			"Port for Prometheus metrics, set to 0 to disable.",
-			cli.Default(0),
-			cli.EnvVar("UNKEY_PROMETHEUS_PORT")),
-
-		cli.Int("rpc-port",
-			"Port for RPC server",
-			cli.Default(8070),
-			cli.EnvVar("UNKEY_RPC_PORT")),
-
-		// Vault Configuration
-		cli.String("vault-url", "URL of the vault service",
-			cli.EnvVar("UNKEY_VAULT_URL")),
-		cli.String("vault-token", "Authentication token for the vault service",
-			cli.EnvVar("UNKEY_VAULT_TOKEN")),
-
-		cli.String("cluster-id", "ID of the cluster",
-			cli.Default("local"),
-			cli.EnvVar("UNKEY_CLUSTER_ID")),
-
-		// Observability
-		cli.Bool("otel-enabled", "Enable OpenTelemetry tracing and logging",
-			cli.Default(false),
-			cli.EnvVar("UNKEY_OTEL_ENABLED")),
-		cli.Float("otel-trace-sampling-rate", "Sampling rate for traces (0.0 to 1.0)",
-			cli.Default(0.01),
-			cli.EnvVar("UNKEY_OTEL_TRACE_SAMPLING_RATE")),
-
-		// Logging Sampler Configuration
-		cli.Float("log-sample-rate", "Baseline probability (0.0-1.0) of emitting log events. Default: 1.0",
-			cli.Default(1.0), cli.EnvVar("UNKEY_LOG_SAMPLE_RATE")),
-		cli.Duration("log-slow-threshold", "Duration threshold for slow event sampling. Default: 1s",
-			cli.Default(time.Second), cli.EnvVar("UNKEY_LOG_SLOW_THRESHOLD")),
+		cli.String("config", "Path to a TOML config file",
+			cli.Default("unkey.toml"), cli.EnvVar("UNKEY_CONFIG")),
 	},
 	Action: action,
 }
 
 func action(ctx context.Context, cmd *cli.Command) error {
-
-	config := krane.Config{
-		Clock:                 nil,
-		Region:                cmd.RequireString("region"),
-		InstanceID:            cmd.RequireString("instance-id"),
-		RegistryURL:           cmd.RequireString("registry-url"),
-		RegistryUsername:      cmd.RequireString("registry-username"),
-		RegistryPassword:      cmd.RequireString("registry-password"),
-		RPCPort:               cmd.RequireInt("rpc-port"),
-		VaultURL:              cmd.String("vault-url"),
-		VaultToken:            cmd.String("vault-token"),
-		PrometheusPort:        cmd.RequireInt("prometheus-port"),
-		ControlPlaneURL:       cmd.RequireString("control-plane-url"),
-		ControlPlaneBearer:    cmd.RequireString("control-plane-bearer"),
-		OtelEnabled:           cmd.Bool("otel-enabled"),
-		OtelTraceSamplingRate: cmd.Float("otel-trace-sampling-rate"),
-
-		// Logging sampler configuration
-		LogSampleRate:    cmd.Float("log-sample-rate"),
-		LogSlowThreshold: cmd.Duration("log-slow-threshold"),
-	}
-
-	// Validate configuration
-	err := config.Validate()
+	cfg, err := config.Load[krane.Config](cmd.String("config"))
 	if err != nil {
-		return cli.Exit("Invalid configuration: "+err.Error(), 1)
+		return cli.Exit("Failed to load config: "+err.Error(), 1)
 	}
 
-	// Run krane
-	return krane.Run(ctx, config)
+	cfg.Clock = clock.New()
+
+	return krane.Run(ctx, cfg)
 }

cmd/preflight/BUILD.bazel

@@ -7,6 +7,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
+        "//pkg/config",
         "//svc/preflight",
     ],
 )

cmd/preflight/main.go

@@ -2,9 +2,9 @@ package preflight
 
 import (
 	"context"
-	"time"
 
 	"github.com/unkeyed/unkey/pkg/cli"
+	"github.com/unkeyed/unkey/pkg/config"
 	"github.com/unkeyed/unkey/svc/preflight"
 )
 
@@ -14,52 +14,17 @@ var Cmd = &cli.Command{
 	Name:  "preflight",
 	Usage: "Run the pod mutation webhook for secrets and credentials injection",
 	Flags: []cli.Flag{
-		cli.Int("http-port", "HTTP port for the webhook server. Default: 8443",
-			cli.Default(8443), cli.EnvVar("UNKEY_HTTP_PORT")),
-		cli.String("tls-cert-file", "Path to TLS certificate file",
-			cli.Required(), cli.EnvVar("UNKEY_TLS_CERT_FILE")),
-		cli.String("tls-key-file", "Path to TLS private key file",
-			cli.Required(), cli.EnvVar("UNKEY_TLS_KEY_FILE")),
-		cli.String("inject-image", "Container image for inject binary",
-			cli.Default("inject:latest"), cli.EnvVar("UNKEY_INJECT_IMAGE")),
-		cli.String("inject-image-pull-policy", "Image pull policy (Always, IfNotPresent, Never)",
-			cli.Default("IfNotPresent"), cli.EnvVar("UNKEY_INJECT_IMAGE_PULL_POLICY")),
-		cli.String("krane-endpoint", "Endpoint for Krane secrets service",
-			cli.Default("http://krane.unkey.svc.cluster.local:8070"), cli.EnvVar("UNKEY_KRANE_ENDPOINT")),
-		cli.String("depot-token", "Depot API token for fetching on-demand pull tokens (optional)",
-			cli.EnvVar("UNKEY_DEPOT_TOKEN")),
-		cli.StringSlice("insecure-registries", "Comma-separated list of insecure (HTTP) registries",
-			cli.EnvVar("UNKEY_INSECURE_REGISTRIES")),
-		cli.StringSlice("registry-aliases", "Comma-separated list of registry aliases (from=to)",
-			cli.EnvVar("UNKEY_REGISTRY_ALIASES")),
-		// Logging Sampler Configuration
-		cli.Float("log-sample-rate", "Baseline probability (0.0-1.0) of emitting log events. Default: 1.0",
-			cli.Default(1.0), cli.EnvVar("UNKEY_LOG_SAMPLE_RATE")),
-		cli.Duration("log-slow-threshold", "Duration threshold for slow event sampling. Default: 1s",
-			cli.Default(time.Second), cli.EnvVar("UNKEY_LOG_SLOW_THRESHOLD")),
+		cli.String("config", "Path to a TOML config file",
+			cli.Default("unkey.toml"), cli.EnvVar("UNKEY_CONFIG")),
 	},
 	Action: action,
 }
 
 func action(ctx context.Context, cmd *cli.Command) error {
-	config := preflight.Config{
-		HttpPort:              cmd.Int("http-port"),
-		TLSCertFile:           cmd.RequireString("tls-cert-file"),
-		TLSKeyFile:            cmd.RequireString("tls-key-file"),
-		InjectImage:           cmd.String("inject-image"),
-		InjectImagePullPolicy: cmd.String("inject-image-pull-policy"),
-		KraneEndpoint:         cmd.String("krane-endpoint"),
-		DepotToken:            cmd.String("depot-token"),
-		InsecureRegistries:    cmd.StringSlice("insecure-registries"),
-		RegistryAliases:       cmd.StringSlice("registry-aliases"),
-		// Logging sampler configuration
-		LogSampleRate:    cmd.Float("log-sample-rate"),
-		LogSlowThreshold: cmd.Duration("log-slow-threshold"),
+	cfg, err := config.Load[preflight.Config](cmd.String("config"))
+	if err != nil {
+		return cli.Exit("Failed to load config: "+err.Error(), 1)
 	}
 
-	if err := config.Validate(); err != nil {
-		return cli.Exit("Invalid configuration: "+err.Error(), 1)
-	}
-
-	return preflight.Run(ctx, config)
+	return preflight.Run(ctx, cfg)
 }

cmd/sentinel/BUILD.bazel

@@ -7,7 +7,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
-        "//pkg/uid",
+        "//pkg/config",
         "//svc/sentinel",
     ],
 )