diff --git a/cmd/omniwitness/README.md b/cmd/omniwitness/README.md
index 35444a0..83c4110 100644
--- a/cmd/omniwitness/README.md
+++ b/cmd/omniwitness/README.md
@@ -43,6 +43,9 @@ To enable this, two flags must be passed to `omniwitness`:
 1. `--bastion_addr` is the `host:port` of the bastion host to connect to.
 1. `--bastion_key_path` is the path to a file containing an ed25519 private key in PKCS8 PEM format.
+To run the witness in bastion-only mode, set the `--poll_interval` flag to 0.
+This will disable all attempts to poll logs, and witnessing will only occur via bastion connections.
+
 Although the witness key _could_ be reused, it's strongly recommended to use a separate key for this.
 Such a key can be generated with the following command:
 ```bash
diff --git a/cmd/omniwitness/monolith.go b/cmd/omniwitness/monolith.go
index 7ed446e..843a748 100644
--- a/cmd/omniwitness/monolith.go
+++ b/cmd/omniwitness/monolith.go
@@ -52,6 +52,8 @@ var (
 	bastionKeyPath = flag.String("bastion_key_path", "", "Path to a file containing an ed25519 private key in PKCS8 PEM format")
 	bastionRateLimit = flag.Float64("bastion_rate_limit", 20, "Maximum number of bastion requests per second to serve")
 	httpTimeout = flag.Duration("http_timeout", 10*time.Second, "HTTP timeout for outbound requests")
+
+	pollInterval = flag.Duration("poll_interval", 1*time.Minute, "Time to wait between polling logs for new checkpoints. Set to 0 to disable polling logs.")
 )
 func main() {
@@ -107,6 +109,7 @@ func main() {
 		BastionAddr: *bastionAddr,
 		BastionKey: bastionKey,
 		BastionRateLimit: *bastionRateLimit,
+		FeedInterval: *pollInterval,
 	}
 	var p persistence.LogStatePersistence
 	if len(*dbFile) > 0 {
diff --git a/omniwitness/omniwitness.go b/omniwitness/omniwitness.go
index 314f8b1..07e0283 100644
--- a/omniwitness/omniwitness.go
+++ b/omniwitness/omniwitness.go
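Review bot: The new `poll_interval` flag in the monolith.go `var (` hunk documents only `0` as the disable value, but `flag.Duration` also accepts negative durations such as `-1m`, and the feeder gate added later in this diff (`operatorConfig.FeedInterval > 0`) silently disables polling for those too, so an operator typo turns into a witness that never polls without any error. Validate the flag once it is parsed rather than letting the library quietly swallow it: `if *pollInterval < 0 { klog.Exitf("--poll_interval must be >= 0, got %v", *pollInterval) }` (or the file's existing fatal path if monolith.go does not import klog). The same value is wired into `FeedInterval` in the second monolith.go hunk, which is otherwise fine. The body of `main` continues outside both hunks.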
@@ -63,9 +63,6 @@ type LogStateReadOps = persistence.LogStateReadOps
 type LogStateWriteOps = persistence.LogStateWriteOps
 const (
-	// Interval between attempts to feed checkpoints
-	// TODO(mhutchinson): Make this configurable
-	defaultFeedInterval = 1 * time.Minute
 	defaultDistributeInterval = 1 * time.Minute
 )
@@ -142,9 +139,6 @@ func Main(ctx context.Context, operatorConfig OperatorConfig, p LogStatePersiste
 		return fmt.Errorf("failed to create witness: %v", err)
 	}
-	if operatorConfig.FeedInterval == 0 {
-		operatorConfig.FeedInterval = defaultFeedInterval
-	}
 	if operatorConfig.DistributeInterval == 0 {
 		operatorConfig.DistributeInterval = defaultDistributeInterval
 	}
@@ -152,14 +146,17 @@ func Main(ctx context.Context, operatorConfig OperatorConfig, p LogStatePersiste
 	bw := witnessAdapter{
 		w: witness,
 	}
-	for c, f := range feeders {
-		c, f := c, f
-		// Continually feed this log in its own goroutine, hooked up to the global waitgroup.
-		g.Go(func() error {
-			klog.Infof("Feeder %q goroutine started", c.Origin)
-			defer klog.Infof("Feeder %q goroutine done", c.Origin)
-			return f(ctx, c, bw, httpClient, operatorConfig.FeedInterval)
-		})
+
+	if operatorConfig.FeedInterval > 0 {
+		for c, f := range feeders {
+			c, f := c, f
+			// Continually feed this log in its own goroutine, hooked up to the global waitgroup.
+			g.Go(func() error {
+				klog.Infof("Feeder %q goroutine started", c.Origin)
+				defer klog.Infof("Feeder %q goroutine done", c.Origin)
+				return f(ctx, c, bw, httpClient, operatorConfig.FeedInterval)
+			})
+		}
 	}
 	if operatorConfig.BastionAddr != "" && operatorConfig.BastionKey != nil {
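Review bot: The `if operatorConfig.FeedInterval > 0` gate in the last hunk disables polling silently, and because the second hunk removes the old zero-means-`defaultFeedInterval` fallback, any library caller of `Main` that left `FeedInterval` at its zero value now gets no feeder goroutines at all instead of the previous one-minute default, with nothing in the logs to show it. Add an `else` branch so the mode is visible to operators: `} else { klog.Infof("Log polling disabled (FeedInterval=%v); checkpoints will only be witnessed via bastion", operatorConfig.FeedInterval) }`. Since the bastion block that follows is conditional on `BastionAddr`, a config with polling off and no bastion produces a witness that runs but can never witness anything, which is better rejected up front with something like `if operatorConfig.FeedInterval <= 0 && operatorConfig.BastionAddr == "" { return fmt.Errorf("no checkpoint source configured: FeedInterval is %v and no bastion address set", operatorConfig.FeedInterval) }`. The `OperatorConfig.FeedInterval` field comment (outside this diff) presumably still describes 0 as "use default" and should say that 0 or a negative value disables polling. `Main` starts before and continues after these hunks.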