Documentation
¶
Overview ¶
Package config provides configuration management for muster.
This package implements a simple configuration system that loads configuration from a single directory. The default configuration directory is ~/.config/muster, but users can specify a custom directory using the --config-path flag in commands.
Configuration Directory ¶
Configuration is loaded from a single directory containing:
- config.yaml (main configuration file)
- subdirectories for entity definitions (workflows/, capabilities/, serviceclasses/, mcpservers/)
Default location: ~/.config/muster Custom location: Specified via --config-path flag
Entity Storage System ¶
The Storage system provides generic YAML-based persistence for entity definitions including workflows, capabilities, serviceclasses, and mcpservers. This unified storage system allows users to create, modify, and manage entities through both API operations and direct file manipulation.
## Storage Locations
Entities are stored in YAML files in type-specific subdirectories within the configuration directory:
- Default: ~/.config/muster/{entityType}/
- Custom: {customConfigPath}/{entityType}/
Where {entityType} is one of: workflows, capabilities, serviceclasses, mcpservers
## Supported Operations
The Storage interface provides CRUD operations:
- Save: Store entity data as YAML file
- Load: Retrieve entity data from file
- Delete: Remove entity file
- List: Get all available entity names
## File Format
All entities are stored as YAML files with .yaml extension. Filenames are automatically sanitized to ensure filesystem compatibility.
## Usage Example
// Create storage instance (uses default ~/.config/muster)
storage := config.NewStorage()
// Create storage instance with custom path
storage := config.NewStorageWithPath("/custom/config/path")
// Save a workflow
workflowYAML := []byte(`name: "my-workflow"
description: "Example workflow"
steps: []`)
err := storage.Save("workflows", "my-workflow", workflowYAML)
// Load the workflow
data, err := storage.Load("workflows", "my-workflow")
// List all workflows
names, err := storage.List("workflows")
// Delete the workflow
err = storage.Delete("workflows", "my-workflow")
Configuration Structure ¶
The configuration file uses YAML format with the following main sections:
aggregator: port: 8090 # Port for the aggregator service (default: 8090) host: "localhost" # Host to bind to (default: localhost) transport: "streamable-http" # Transport to use (default: streamable-http) enabled: true # Whether the aggregator is enabled (default: true) musterPrefix: "x" # Pre-prefix for all tools (default: "x")
Configuration API ¶
The configuration can be accessed and modified at runtime through the Configuration API. The API adapter (ConfigAdapter) is located in the app package rather than here to avoid circular import dependencies, as the adapter needs to import the api package for registration, while the api package imports this package for type definitions.
Usage Examples ¶
// Load configuration from default location
cfg, err := config.LoadConfig(config.GetDefaultConfigPathOrPanic())
if err != nil {
log.Fatal(err)
}
// Access aggregator configuration
fmt.Printf("Aggregator running on %s:%d\n", cfg.Aggregator.Host, cfg.Aggregator.Port)
Index ¶
Constants ¶
const ( // DefaultOAuthCallbackPath is the default path for OAuth server callbacks (Cursor -> Muster auth) DefaultOAuthCallbackPath = "/oauth/callback" // DefaultOAuthProxyCallbackPath is the default path for OAuth proxy callbacks (Muster -> Remote server auth) // This MUST be different from DefaultOAuthCallbackPath to avoid route conflicts DefaultOAuthProxyCallbackPath = "/oauth/proxy/callback" // DefaultOAuthCIMDPath is the default path for serving the Client ID Metadata Document (CIMD) DefaultOAuthCIMDPath = "/.well-known/oauth-client.json" // DefaultOAuthCIMDScopes contains the default OAuth scopes for the CIMD. // Operators can customize this via Helm values (muster.oauth.cimdScopes) to add // additional scopes needed by downstream MCP servers (e.g., Google API scopes). // The "groups" scope is included by default to ensure group claims are available // in ID tokens for RBAC decisions in downstream services like mcp-kubernetes. DefaultOAuthCIMDScopes = "openid profile email groups offline_access" // DefaultOAuthServerProvider is the default OAuth provider for server protection. DefaultOAuthServerProvider = "dex" // DefaultOAuthStorageType is the default storage type for OAuth tokens. DefaultOAuthStorageType = "memory" )
const ( // MCPTransportStreamableHTTP is the streamable HTTP transport. MCPTransportStreamableHTTP = "streamable-http" // MCPTransportSSE is the Server-Sent Events transport. MCPTransportSSE = "sse" // MCPTransportStdio is the standard I/O transport. MCPTransportStdio = "stdio" )
Variables ¶
This section is empty.
Functions ¶
func GetDefaultConfigPathOrPanic ¶
func GetDefaultConfigPathOrPanic() string
Types ¶
type AggregatorConfig ¶
type AggregatorConfig struct {
Port int `yaml:"port,omitempty"` // Port for the aggregator SSE endpoint (default: 8080)
Host string `yaml:"host,omitempty"` // Host to bind to (default: localhost)
Transport string `yaml:"transport,omitempty"` // Transport to use (default: streamable-http)
MusterPrefix string `yaml:"musterPrefix,omitempty"` // Pre-prefix for all tools (default: "x")
// OAuth contains all OAuth-related configuration with explicit mcpClient/server roles.
// - oauth.mcpClient: muster as OAuth client/proxy for authenticating TO remote MCP servers
// - oauth.server: muster as OAuth resource server for protecting ITSELF
OAuth OAuthConfig `yaml:"oauth,omitempty"`
}
AggregatorConfig defines the configuration for the MCP aggregator service.
type DexConfig ¶
type DexConfig struct {
// IssuerURL is the Dex OIDC issuer URL.
IssuerURL string `yaml:"issuerUrl,omitempty"`
// ClientID is the Dex OAuth client ID.
ClientID string `yaml:"clientId,omitempty"`
// ClientSecret is the Dex OAuth client secret.
// For production, use ClientSecretFile instead to avoid secrets in config files.
ClientSecret string `yaml:"clientSecret,omitempty"`
// ClientSecretFile is the path to a file containing the Dex OAuth client secret.
// This is the recommended way to provide secrets in production deployments.
// The file should contain only the secret value (no newlines at the end).
ClientSecretFile string `yaml:"clientSecretFile,omitempty"`
// ConnectorID is the optional Dex connector ID to bypass connector selection.
ConnectorID string `yaml:"connectorId,omitempty"`
// CAFile is the path to a CA certificate file for Dex TLS verification.
// Use this when Dex uses a private/internal CA.
CAFile string `yaml:"caFile,omitempty"`
}
DexConfig holds configuration for the Dex OIDC provider.
type GoogleConfig ¶
type GoogleConfig struct {
// ClientID is the Google OAuth client ID.
ClientID string `yaml:"clientId,omitempty"`
// ClientSecret is the Google OAuth client secret.
// For production, use ClientSecretFile instead to avoid secrets in config files.
ClientSecret string `yaml:"clientSecret,omitempty"`
// ClientSecretFile is the path to a file containing the Google OAuth client secret.
// This is the recommended way to provide secrets in production deployments.
ClientSecretFile string `yaml:"clientSecretFile,omitempty"`
}
GoogleConfig holds configuration for the Google OAuth provider.
type MCPServerType ¶
type MCPServerType string
MCPServerType defines the type of MCP server.
const ( MCPServerTypeStdio MCPServerType = "stdio" MCPServerTypeStreamableHTTP MCPServerType = "streamable-http" MCPServerTypeSSE MCPServerType = "sse" )
type MusterConfig ¶
type MusterConfig struct {
Aggregator AggregatorConfig `yaml:"aggregator"`
Namespace string `yaml:"namespace,omitempty"` // Namespace for MCPServer, ServiceClass and Workflow discovery
Kubernetes bool `yaml:"kubernetes,omitempty"` // Enable Kubernetes CRD mode (uses CRDs instead of filesystem)
Events bool `yaml:"events,omitempty"` // Enable Kubernetes event emission (alpha, disabled by default)
}
MusterConfig is the top-level configuration structure for muster.
func GetDefaultConfigWithRoles ¶
func GetDefaultConfigWithRoles() MusterConfig
GetDefaultConfigWithRoles returns default configuration
func LoadConfig ¶
func LoadConfig(configPath string) (MusterConfig, error)
LoadConfig loads configuration from a single specified directory. The directory should contain config.yaml and subdirectories for other configuration types.
type OAuthCIMDConfig ¶
type OAuthCIMDConfig struct {
// Path is the path for serving the Client ID Metadata Document (default: "/.well-known/oauth-client.json").
// Muster will serve the CIMD at this path when OAuth MCP client is enabled and PublicURL is set.
Path string `yaml:"path,omitempty"`
// Scopes is the OAuth scopes to advertise in the self-hosted CIMD.
// This determines what API scopes downstream MCP servers can use when muster
// forwards tokens via SSO. Default: "openid profile email offline_access".
// Operators can add additional scopes (e.g., Google API scopes) as needed.
// Format: space-separated list of scope strings.
Scopes string `yaml:"scopes,omitempty"`
}
OAuthCIMDConfig contains Client ID Metadata Document configuration.
type OAuthConfig ¶
type OAuthConfig struct {
// MCPClient configuration for remote MCP server authentication (muster as OAuth proxy).
// When enabled, muster acts as an OAuth client proxy, handling authentication
// flows on behalf of users without exposing tokens to the Muster Agent.
MCPClient OAuthMCPClientConfig `yaml:"mcpClient,omitempty"`
// Server configuration for protecting the Muster Server itself.
// When enabled, muster acts as an OAuth Resource Server, requiring valid
// access tokens from clients (e.g., Muster Agent) to access protected endpoints.
Server OAuthServerConfig `yaml:"server,omitempty"`
}
OAuthConfig consolidates all OAuth-related configuration with explicit mcpClient/server roles. This structure clearly separates the two distinct OAuth roles that muster can play:
- MCPClient: when muster authenticates TO remote MCP servers on behalf of users
- Server: when muster protects ITSELF and requires clients to authenticate
type OAuthMCPClientConfig ¶
type OAuthMCPClientConfig struct {
// Enabled controls whether OAuth MCP client/proxy functionality is active.
// When false, remote MCP servers requiring auth will return errors.
Enabled bool `yaml:"enabled,omitempty"`
// PublicURL is the publicly accessible URL of the Muster Server.
// This is used to construct OAuth callback URLs (e.g., https://muster.example.com).
// Required when OAuth MCP client is enabled.
PublicURL string `yaml:"publicUrl,omitempty"`
// ClientID is the OAuth client identifier.
// This should be the URL of the Client ID Metadata Document (CIMD).
// If not set and PublicURL is set, the ClientID will be auto-derived as
// {PublicURL}/.well-known/oauth-client.json and muster will serve the CIMD itself.
ClientID string `yaml:"clientId,omitempty"`
// CallbackPath is the path for the OAuth proxy callback endpoint (default: "/oauth/proxy/callback").
// This is used when muster authenticates with remote MCP servers.
// NOTE: This MUST be different from the OAuth server callback (/oauth/callback) to avoid conflicts.
CallbackPath string `yaml:"callbackPath,omitempty"`
// CIMD contains Client ID Metadata Document configuration.
// Muster can serve its own CIMD when acting as an OAuth client for MCP servers.
CIMD OAuthCIMDConfig `yaml:"cimd,omitempty"`
// CAFile is the path to a CA certificate file for verifying TLS connections to OAuth servers.
// This is useful when connecting to OAuth servers with self-signed certificates.
CAFile string `yaml:"caFile,omitempty"`
}
OAuthMCPClientConfig defines the OAuth client/proxy configuration for remote MCP server authentication. When enabled, the Muster Server acts as an OAuth client proxy, handling authentication flows on behalf of users without exposing tokens to the Muster Agent.
func (*OAuthMCPClientConfig) GetCIMDPath ¶
func (c *OAuthMCPClientConfig) GetCIMDPath() string
GetCIMDPath returns the path for serving the CIMD.
func (*OAuthMCPClientConfig) GetCIMDScopes ¶
func (c *OAuthMCPClientConfig) GetCIMDScopes() string
GetCIMDScopes returns the OAuth scopes to advertise in the CIMD. If not set, returns the default scopes: "openid profile email offline_access".
func (*OAuthMCPClientConfig) GetEffectiveClientID ¶
func (c *OAuthMCPClientConfig) GetEffectiveClientID() string
GetEffectiveClientID returns the effective OAuth client ID. If ClientID is explicitly set, it is returned as-is. If ClientID is empty but PublicURL is set, returns the self-hosted CIMD URL. Otherwise, returns empty string (OAuth proxy requires publicUrl to function).
func (*OAuthMCPClientConfig) GetRedirectURI ¶
func (c *OAuthMCPClientConfig) GetRedirectURI() string
GetRedirectURI returns the full redirect URI for OAuth proxy callbacks. This is where remote MCP server IdPs will redirect after authentication.
func (*OAuthMCPClientConfig) ShouldServeCIMD ¶
func (c *OAuthMCPClientConfig) ShouldServeCIMD() bool
ShouldServeCIMD returns true if muster should serve its own CIMD. This is the case when OAuth MCP client is enabled, PublicURL is set, and ClientID is either empty or matches the auto-derived CIMD URL.
type OAuthServerConfig ¶
type OAuthServerConfig struct {
// Enabled controls whether OAuth server protection is active.
// When true, all MCP endpoints require valid OAuth tokens.
Enabled bool `yaml:"enabled,omitempty"`
// BaseURL is the publicly accessible base URL of the Muster Server.
// This is used as the OAuth issuer URL (e.g., https://muster.example.com).
// Required when OAuth server is enabled.
BaseURL string `yaml:"baseUrl,omitempty"`
// Provider specifies the OAuth provider to use: "dex" or "google".
// Default: "dex"
Provider string `yaml:"provider,omitempty"`
// Dex configuration (used when Provider is "dex")
Dex DexConfig `yaml:"dex,omitempty"`
// Google configuration (used when Provider is "google")
Google GoogleConfig `yaml:"google,omitempty"`
// Storage configuration for OAuth tokens and client registrations.
Storage OAuthStorageConfig `yaml:"storage,omitempty"`
// RegistrationToken is the token required for dynamic client registration.
// Required if AllowPublicClientRegistration is false.
// For production, use RegistrationTokenFile instead to avoid secrets in config files.
RegistrationToken string `yaml:"registrationToken,omitempty"`
// RegistrationTokenFile is the path to a file containing the registration token.
// This is the recommended way to provide secrets in production deployments.
RegistrationTokenFile string `yaml:"registrationTokenFile,omitempty"`
// AllowPublicClientRegistration allows unauthenticated dynamic client registration.
// WARNING: This can lead to DoS attacks. Default: false.
AllowPublicClientRegistration bool `yaml:"allowPublicClientRegistration,omitempty"`
// EncryptionKey is the AES-256 key for encrypting tokens at rest (32 bytes, base64-encoded).
// Required for production deployments.
// For production, use EncryptionKeyFile instead to avoid secrets in config files.
EncryptionKey string `yaml:"encryptionKey,omitempty"`
// EncryptionKeyFile is the path to a file containing the encryption key.
// This is the recommended way to provide secrets in production deployments.
EncryptionKeyFile string `yaml:"encryptionKeyFile,omitempty"`
// TrustedPublicRegistrationSchemes lists URI schemes allowed for unauthenticated
// client registration. Enables Cursor/VSCode without registration tokens.
// Example: ["cursor", "vscode"]
TrustedPublicRegistrationSchemes []string `yaml:"trustedPublicRegistrationSchemes,omitempty"`
// EnableCIMD enables Client ID Metadata Documents per MCP 2025-11-25 spec.
// Default: true
EnableCIMD bool `yaml:"enableCIMD,omitempty"`
// AllowLocalhostRedirectURIs allows http://localhost and http://127.0.0.1 redirect URIs.
// Required for native apps (like muster agent) per RFC 8252 Section 7.3.
// Default: true (native app support enabled by default)
AllowLocalhostRedirectURIs bool `yaml:"allowLocalhostRedirectURIs,omitempty"`
// SessionDuration is the maximum session duration before re-authentication
// is required. This sets the server-side refresh token TTL.
// Default: 720h (30 days), aligned with Dex's absoluteLifetime.
// Format: Go duration string (e.g., "720h", "30d" is NOT valid, use hours).
SessionDuration string `yaml:"sessionDuration,omitempty"`
// AllowedOrigins is a comma-separated list of allowed CORS origins.
AllowedOrigins string `yaml:"allowedOrigins,omitempty"`
// EnableHSTS enables HSTS header (for reverse proxy scenarios).
EnableHSTS bool `yaml:"enableHSTS,omitempty"`
// TLSCertFile is the path to the TLS certificate file (PEM format).
// If both TLSCertFile and TLSKeyFile are provided, the server will use HTTPS.
TLSCertFile string `yaml:"tlsCertFile,omitempty"`
// TLSKeyFile is the path to the TLS private key file (PEM format).
TLSKeyFile string `yaml:"tlsKeyFile,omitempty"`
}
OAuthServerConfig defines the OAuth server configuration for protecting the Muster Server. When enabled, the Muster Server acts as an OAuth Resource Server, requiring valid access tokens from clients (e.g., Muster Agent) to access protected endpoints. This implements ADR 005 (OAuth Protection for Muster Server).
type OAuthStorageConfig ¶
type OAuthStorageConfig struct {
// Type is the storage backend type: "memory" or "valkey" (default: "memory").
Type string `yaml:"type,omitempty"`
// Valkey configuration (used when Type is "valkey").
Valkey ValkeyConfig `yaml:"valkey,omitempty"`
}
OAuthStorageConfig holds configuration for OAuth token storage backend.
type Storage ¶
type Storage struct {
// contains filtered or unexported fields
}
Storage provides generic storage functionality for dynamic entities using a single configuration directory approach
func NewStorageWithPath ¶
NewStorageWithPath creates a new Storage instance with a custom config path
type ValkeyConfig ¶
type ValkeyConfig struct {
// URL is the Valkey server address (e.g., "valkey.namespace.svc:6379").
URL string `yaml:"url,omitempty"`
// Password is the optional password for Valkey authentication.
// For production, use PasswordFile instead to avoid secrets in config files.
Password string `yaml:"password,omitempty"`
// PasswordFile is the path to a file containing the Valkey password.
// This is the recommended way to provide secrets in production deployments.
PasswordFile string `yaml:"passwordFile,omitempty"`
// TLSEnabled enables TLS for Valkey connections.
TLSEnabled bool `yaml:"tlsEnabled,omitempty"`
// KeyPrefix is the prefix for all Valkey keys (default: "muster:").
KeyPrefix string `yaml:"keyPrefix,omitempty"`
// DB is the Valkey database number (default: 0).
DB int `yaml:"db,omitempty"`
}
ValkeyConfig holds configuration for Valkey storage backend.
Source Files