feat(frontline): migrate Frontline service to file-based TOML config

cmd/frontline/BUILD.bazel

@@ -7,6 +7,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
+        "//pkg/config",
         "//pkg/uid",
         "//svc/frontline",
     ],

cmd/frontline/main.go

@@ -2,9 +2,9 @@ package frontline
 
 import (
 	"context"
-	"time"
 
 	"github.com/unkeyed/unkey/pkg/cli"
+	"github.com/unkeyed/unkey/pkg/config"
 	"github.com/unkeyed/unkey/pkg/uid"
 	"github.com/unkeyed/unkey/svc/frontline"
 )
@@ -19,114 +19,19 @@ var Cmd = &cli.Command{
 	Name:        "frontline",
 	Usage:       "Run the Unkey Frontline server (multi-tenant frontline)",
 	Flags: []cli.Flag{
-		// Server Configuration
-		cli.Int("http-port", "HTTP port for the Gate server to listen on. Default: 7070",
-			cli.Default(7070), cli.EnvVar("UNKEY_HTTP_PORT")),
-
-		cli.Int("https-port", "HTTPS port for the Gate server to listen on. Default: 7443",
-			cli.Default(7443), cli.EnvVar("UNKEY_HTTPS_PORT")),
-
-		cli.Bool("tls-enabled", "Enable TLS termination for the frontline. Default: true",
-			cli.Default(true), cli.EnvVar("UNKEY_TLS_ENABLED")),
-
-		cli.String("tls-cert-file", "Path to TLS certificate file (dev mode)",
-			cli.EnvVar("UNKEY_TLS_CERT_FILE")),
-
-		cli.String("tls-key-file", "Path to TLS key file (dev mode)",
-			cli.EnvVar("UNKEY_TLS_KEY_FILE")),
-
-		cli.String("region", "The cloud region with platform, e.g. us-east-1.aws",
-			cli.Required(),
-			cli.EnvVar("UNKEY_REGION"),
-		),
-
-		cli.String("frontline-id", "Unique identifier for this instance. Auto-generated if not provided.",
-			cli.Default(uid.New("frontline", 4)), cli.EnvVar("UNKEY_GATE_ID")),
-
-		cli.String("default-cert-domain", "Domain to use for fallback TLS certificate when a domain has no cert configured",
-			cli.EnvVar("UNKEY_DEFAULT_CERT_DOMAIN")),
-
-		cli.String("apex-domain", "Apex domain for region routing. Cross-region requests forwarded to frontline.{region}.{apex-domain}. Example: unkey.cloud",
-			cli.Default("unkey.cloud"), cli.EnvVar("UNKEY_APEX_DOMAIN")),
-
-		// Database Configuration - Partitioned (for hostname lookups)
-		cli.String("database-primary", "MySQL connection string for partitioned primary database (frontline operations). Required. Example: user:pass@host:3306/unkey?parseTime=true",
-			cli.Required(), cli.EnvVar("UNKEY_DATABASE_PRIMARY")),
-
-		cli.String("database-replica", "MySQL connection string for partitioned read-replica (frontline operations). Format same as database-primary.",
-			cli.EnvVar("UNKEY_DATABASE_REPLICA")),
-
-		// Observability
-		cli.Bool("otel", "Enable OpenTelemetry tracing and metrics",
-			cli.EnvVar("UNKEY_OTEL")),
-		cli.Float("otel-trace-sampling-rate", "Sampling rate for OpenTelemetry traces (0.0-1.0). Only used when --otel is provided. Default: 0.25",
-			cli.Default(0.25), cli.EnvVar("UNKEY_OTEL_TRACE_SAMPLING_RATE")),
-		cli.Int("prometheus-port", "Enable Prometheus /metrics endpoint on specified port. Set to 0 to disable.", cli.EnvVar("UNKEY_PROMETHEUS_PORT")),
-
-		// Vault Configuration
-		cli.String("vault-url", "URL of the remote vault service (e.g., http://vault:8080)",
-			cli.EnvVar("UNKEY_VAULT_URL")),
-		cli.String("vault-token", "Authentication token for the vault service",
-			cli.EnvVar("UNKEY_VAULT_TOKEN")),
-
-		cli.Int("max-hops", "Maximum number of hops allowed for a request",
-			cli.Default(10), cli.EnvVar("UNKEY_MAX_HOPS")),
-
-		cli.String("ctrl-addr", "Address of the control plane",
-			cli.Default("localhost:8080"), cli.EnvVar("UNKEY_CTRL_ADDR")),
-
-		// Logging Sampler Configuration
-		cli.Float("log-sample-rate", "Baseline probability (0.0-1.0) of emitting log events. Default: 1.0",
-			cli.Default(1.0), cli.EnvVar("UNKEY_LOG_SAMPLE_RATE")),
-		cli.Duration("log-slow-threshold", "Duration threshold for slow event sampling. Default: 1s",
-			cli.Default(time.Second), cli.EnvVar("UNKEY_LOG_SLOW_THRESHOLD")),
+		cli.String("config", "Path to a TOML config file",
+			cli.Default("unkey.toml"), cli.EnvVar("UNKEY_CONFIG")),
 	},
 	Action: action,
 }
 
 func action(ctx context.Context, cmd *cli.Command) error {
-	config := frontline.Config{
-		// Basic configuration
-		FrontlineID: cmd.String("frontline-id"),
-		Image:       cmd.String("image"),
-		Region:      cmd.String("region"),
-
-		// HTTP configuration
-		HttpPort:  cmd.Int("http-port"),
-		HttpsPort: cmd.Int("https-port"),
-
-		// TLS configuration
-		EnableTLS:   cmd.Bool("tls-enabled"),
-		TLSCertFile: cmd.String("tls-cert-file"),
-		TLSKeyFile:  cmd.String("tls-key-file"),
-		ApexDomain:  cmd.String("apex-domain"),
-		MaxHops:     cmd.Int("max-hops"),
-
-		// Control Plane Configuration
-		CtrlAddr: cmd.String("ctrl-addr"),
-
-		// Partitioned Database configuration (for hostname lookups)
-		DatabasePrimary:         cmd.String("database-primary"),
-		DatabaseReadonlyReplica: cmd.String("database-replica"),
-
-		// OpenTelemetry configuration
-		OtelEnabled:           cmd.Bool("otel"),
-		OtelTraceSamplingRate: cmd.Float("otel-trace-sampling-rate"),
-		PrometheusPort:        cmd.Int("prometheus-port"),
-
-		// Vault configuration
-		VaultURL:   cmd.String("vault-url"),
-		VaultToken: cmd.String("vault-token"),
-
-		// Logging sampler configuration
-		LogSampleRate:    cmd.Float("log-sample-rate"),
-		LogSlowThreshold: cmd.Duration("log-slow-threshold"),
-	}
-
-	err := config.Validate()
+	cfg, err := config.Load[frontline.Config](cmd.String("config"))
 	if err != nil {
-		return err
+		return cli.Exit("Failed to load config: "+err.Error(), 1)
 	}
 
-	return frontline.Run(ctx, config)
+	cfg.FrontlineID = uid.New("frontline", 4)
+
+	return frontline.Run(ctx, cfg)
 }

cmd/preflight/BUILD.bazel

@@ -7,6 +7,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
+        "//pkg/config",
         "//svc/preflight",
     ],
 )

cmd/preflight/main.go

@@ -2,9 +2,9 @@ package preflight
 
 import (
 	"context"
-	"time"
 
 	"github.com/unkeyed/unkey/pkg/cli"
+	"github.com/unkeyed/unkey/pkg/config"
 	"github.com/unkeyed/unkey/svc/preflight"
 )
 
@@ -14,52 +14,17 @@ var Cmd = &cli.Command{
 	Name:  "preflight",
 	Usage: "Run the pod mutation webhook for secrets and credentials injection",
 	Flags: []cli.Flag{
-		cli.Int("http-port", "HTTP port for the webhook server. Default: 8443",
-			cli.Default(8443), cli.EnvVar("UNKEY_HTTP_PORT")),
-		cli.String("tls-cert-file", "Path to TLS certificate file",
-			cli.Required(), cli.EnvVar("UNKEY_TLS_CERT_FILE")),
-		cli.String("tls-key-file", "Path to TLS private key file",
-			cli.Required(), cli.EnvVar("UNKEY_TLS_KEY_FILE")),
-		cli.String("inject-image", "Container image for inject binary",
-			cli.Default("inject:latest"), cli.EnvVar("UNKEY_INJECT_IMAGE")),
-		cli.String("inject-image-pull-policy", "Image pull policy (Always, IfNotPresent, Never)",
-			cli.Default("IfNotPresent"), cli.EnvVar("UNKEY_INJECT_IMAGE_PULL_POLICY")),
-		cli.String("krane-endpoint", "Endpoint for Krane secrets service",
-			cli.Default("http://krane.unkey.svc.cluster.local:8070"), cli.EnvVar("UNKEY_KRANE_ENDPOINT")),
-		cli.String("depot-token", "Depot API token for fetching on-demand pull tokens (optional)",
-			cli.EnvVar("UNKEY_DEPOT_TOKEN")),
-		cli.StringSlice("insecure-registries", "Comma-separated list of insecure (HTTP) registries",
-			cli.EnvVar("UNKEY_INSECURE_REGISTRIES")),
-		cli.StringSlice("registry-aliases", "Comma-separated list of registry aliases (from=to)",
-			cli.EnvVar("UNKEY_REGISTRY_ALIASES")),
-		// Logging Sampler Configuration
-		cli.Float("log-sample-rate", "Baseline probability (0.0-1.0) of emitting log events. Default: 1.0",
-			cli.Default(1.0), cli.EnvVar("UNKEY_LOG_SAMPLE_RATE")),
-		cli.Duration("log-slow-threshold", "Duration threshold for slow event sampling. Default: 1s",
-			cli.Default(time.Second), cli.EnvVar("UNKEY_LOG_SLOW_THRESHOLD")),
+		cli.String("config", "Path to a TOML config file",
+			cli.Default("unkey.toml"), cli.EnvVar("UNKEY_CONFIG")),
 	},
 	Action: action,
 }
 
 func action(ctx context.Context, cmd *cli.Command) error {
-	config := preflight.Config{
-		HttpPort:              cmd.Int("http-port"),
-		TLSCertFile:           cmd.RequireString("tls-cert-file"),
-		TLSKeyFile:            cmd.RequireString("tls-key-file"),
-		InjectImage:           cmd.String("inject-image"),
-		InjectImagePullPolicy: cmd.String("inject-image-pull-policy"),
-		KraneEndpoint:         cmd.String("krane-endpoint"),
-		DepotToken:            cmd.String("depot-token"),
-		InsecureRegistries:    cmd.StringSlice("insecure-registries"),
-		RegistryAliases:       cmd.StringSlice("registry-aliases"),
-		// Logging sampler configuration
-		LogSampleRate:    cmd.Float("log-sample-rate"),
-		LogSlowThreshold: cmd.Duration("log-slow-threshold"),
+	cfg, err := config.Load[preflight.Config](cmd.String("config"))
+	if err != nil {
+		return cli.Exit("Failed to load config: "+err.Error(), 1)
 	}
 
-	if err := config.Validate(); err != nil {
-		return cli.Exit("Invalid configuration: "+err.Error(), 1)
-	}
-
-	return preflight.Run(ctx, config)
+	return preflight.Run(ctx, cfg)
 }

cmd/sentinel/BUILD.bazel

@@ -7,7 +7,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/cli",
-        "//pkg/uid",
+        "//pkg/config",
         "//svc/sentinel",
     ],
 )

cmd/sentinel/main.go

@@ -2,10 +2,9 @@ package sentinel
 
 import (
 	"context"
-	"time"
 
 	"github.com/unkeyed/unkey/pkg/cli"
-	"github.com/unkeyed/unkey/pkg/uid"
+	"github.com/unkeyed/unkey/pkg/config"
 	"github.com/unkeyed/unkey/svc/sentinel"
 )
 
@@ -19,72 +18,17 @@ var Cmd = &cli.Command{
 	Name:        "sentinel",
 	Usage:       "Run the Unkey Sentinel server (deployment proxy)",
 	Flags: []cli.Flag{
-		// Server Configuration
-		cli.Int("http-port", "HTTP port for the Sentinel server to listen on. Default: 8080",
-			cli.Default(8080), cli.EnvVar("UNKEY_HTTP_PORT")),
-
-		// Instance Identification
-		cli.String("sentinel-id", "Unique identifier for this sentinel instance. Auto-generated if not provided.",
-			cli.Default(uid.New("sentinel", 4)), cli.EnvVar("UNKEY_SENTINEL_ID")),
-
-		cli.String("workspace-id", "Workspace ID this sentinel serves. Required.",
-			cli.Required(), cli.EnvVar("UNKEY_WORKSPACE_ID")),
-
-		cli.String("environment-id", "Environment ID this sentinel serves (handles all deployments in this environment). Required.",
-			cli.Required(), cli.EnvVar("UNKEY_ENVIRONMENT_ID")),
-
-		cli.String("region", "Geographic region identifier. Used for logging. Default: unknown",
-			cli.Default("unknown"), cli.EnvVar("UNKEY_REGION")),
-
-		// Database Configuration
-		cli.String("database-primary", "MySQL connection string for primary database. Required.",
-			cli.Required(), cli.EnvVar("UNKEY_DATABASE_PRIMARY")),
-
-		cli.String("database-replica", "MySQL connection string for read-replica.",
-			cli.EnvVar("UNKEY_DATABASE_REPLICA")),
-
-		cli.String("clickhouse-url", "ClickHouse connection string. Optional.",
-			cli.EnvVar("UNKEY_CLICKHOUSE_URL")),
-
-		// Observability
-		cli.Bool("otel", "Enable OpenTelemetry tracing and metrics",
-			cli.EnvVar("UNKEY_OTEL")),
-		cli.Float("otel-trace-sampling-rate", "Sampling rate for OpenTelemetry traces (0.0-1.0). Default: 0.25",
-			cli.Default(0.25), cli.EnvVar("UNKEY_OTEL_TRACE_SAMPLING_RATE")),
-		cli.Int("prometheus-port", "Enable Prometheus /metrics endpoint on specified port. Set to 0 to disable.", cli.EnvVar("UNKEY_PROMETHEUS_PORT")),
-
-		// Logging Sampler Configuration
-		cli.Float("log-sample-rate", "Baseline probability (0.0-1.0) of emitting log events. Default: 1.0",
-			cli.Default(1.0), cli.EnvVar("UNKEY_LOG_SAMPLE_RATE")),
-		cli.Duration("log-slow-threshold", "Duration threshold for slow event sampling. Default: 1s",
-			cli.Default(time.Second), cli.EnvVar("UNKEY_LOG_SLOW_THRESHOLD")),
+		cli.String("config", "Path to a TOML config file",
+			cli.Default("unkey.toml"), cli.EnvVar("UNKEY_CONFIG")),
 	},
 	Action: action,
 }
 
 func action(ctx context.Context, cmd *cli.Command) error {
-	return sentinel.Run(ctx, sentinel.Config{
-		// Instance identification
-		SentinelID:    cmd.String("sentinel-id"),
-		WorkspaceID:   cmd.String("workspace-id"),
-		EnvironmentID: cmd.String("environment-id"),
-		Region:        cmd.String("region"),
-
-		// HTTP configuration
-		HttpPort: cmd.Int("http-port"),
-
-		// Database configuration
-		DatabasePrimary:         cmd.String("database-primary"),
-		DatabaseReadonlyReplica: cmd.String("database-replica"),
-		ClickhouseURL:           cmd.String("clickhouse-url"),
-
-		// Observability
-		OtelEnabled:           cmd.Bool("otel"),
-		OtelTraceSamplingRate: cmd.Float("otel-trace-sampling-rate"),
-		PrometheusPort:        cmd.Int("prometheus-port"),
+	cfg, err := config.Load[sentinel.Config](cmd.String("config"))
+	if err != nil {
+		return cli.Exit("Failed to load config: "+err.Error(), 1)
+	}
 
-		// Logging sampler configuration
-		LogSampleRate:    cmd.Float("log-sample-rate"),
-		LogSlowThreshold: cmd.Duration("log-slow-threshold"),
-	})
+	return sentinel.Run(ctx, cfg)
 }