Could you please rebase this on top of master, rather than merge it in? Thanks!

I've run into a bit of a problem while testing these changes, github.com/golang/glog adds a set of flags related to logging which break the test that checks if you are providing --config and other flags because they aren't part of the per binary configs. It's entirely plausible that you'd want to provide --config and --log_dir or something but with the current flag.CommandLine.NFlags() > 1 test you are prevented from doing this.

Not entirely sure what the best way around this is at the moment, going to drink some coffee and see if I can come up with a good solution.

(this idea doesn't work)

Post caffeine: easiest solution is probably to just make the per-binary flags use their own flag.FlagSet and let glog use the default flat.CommandLine set so we can still test for --config and other binary specific flags.

Will require some rewording of the --config usage text to specify you can use it and the glog flags but that should be fine. It's a little annoying that you won't be able to specify everything via the config file but meh ¯_(ツ)_/¯.

I know I'm a bit late to this conversation, but while we're discussing flags and configurations, have we thought about configuring through environment variables? Many cluster management products use a .env file to supply environment variables to server binaries ala the 12 factor app model

Blerp, current solution doesn't work: I forgot that flag doesn't like parsing flags it doesn't know and the only other option is basically 'just allow anything, even badly formatted flag arguments'. There are some really hacky ways around this by for instance changing the error handling for flag.CommandLine and then adding the glog flags to the per-binary flag.FlagSet but, guh, it's not very clean.

One super simple option I can think of that would make life significantly easier (and allow all configuration to happen via flags or files) would be to fork github.com/golang/glog and remove the flags it registers and move the configuration to a Setup or Init method that has to be called before logging happens. This would preserve the same properties the package already has (i.e. you currently have to call flag.Parse before you can do any logging) and remove all of the annoying side effects of a package magically registering its own flags that you don't have control over...

I know I'm a bit late to this conversation, but while we're discussing flags and configurations, have we thought about configuring through environment variables? Many cluster management products use a .env file to supply environment variables to server binaries ala the 12 factor app model

@gdbelvin This would be a viable solution but I personally don't super like it as a method of configuration, you get the benefits of having everything in a file but have to worry about when the last time you sourced it was/if there the current ENV is out of sync with what is in the file etc. It would also require writing some reflect code or something to simplify pulling from vars unless each binary just had a big section for populating variables.

The case of flags defined outside the Trillian codebase is an interesting one, because it seems to force us to a mixed configuration. @rolandshoemaker, what's your deployment plan in regards to those flags? Should they be defined in your configuration object as well?

About implementation options, I don't think this is a strong enough reason to fork glog. I would suggest something in those lines instead:

allowedFlags := map[string]bool{
  "logtostderr":      true,
  "alsologtostderr":  true,
  "stderrthreshold":  true,
  "log_dir":          true,
  "log_backtrace_at": true,
  "v":                true,
  "vmodule":          true,
}
for _, arg := range os.Args[1:] {
  var flag string
  switch {
  case strings.HasPrefix(arg, "--"):
    flag = arg[2:]
  case strings.HasPrefix(arg, "-"):
    flag = arg[1:]
  default:
    continue // Ignore non-flags
  }
  if index := strings.Index(flag, "="); index != -1 {
    flag = flag[0:index]
  }
  if _, ok := allowedFlags[flag]; !ok {
    return fmt.Errorf("flag not allowed in conjunction with --config: %v", arg)
  }
}

(Warning: I haven't tested / executed this.)

Another option, if we'd like other flags to be configurable via config files, is to add them to the configuration and call flag.Set for each flag. The caveat is that logging won't work as expected up until that point.

I'm OK with dropping the --config "exclusiveness" requirement if people think those options are not worth it, though.

@RJPercival had an interesting suggestion: we could use flag.CommandLine.Parse directly on the config file, which would preclude all the json-parsing logic and config struct intermediates. That would change the format from json to a "flags file", though (one flag per line, possibly).

At that point, IMO, we might just have a .sh file wrapping the entry points and set the flags there, which would avoid the entire config file business. IDK much about your deployment environment, so I'll leave that to you.

I wouldn't be explicitly opposed to this, generating a file is generating a file, the only real difference in terms of management is that it's a little simpler to verify that the file has been properly formatted when it's JSON since we can use basically any parser on the config management node to verify the file.

I think this approach does have a few downsides though, mainly it would make the config take precedence over flags when both are provided (which I think is basically the opposite of expected behavior) and it would require either a bunch of extra parsing code (to properly split up the flags/flag arguments in the way that flag.Parse expects them to be provided or strict rules about how flags should be provided (i.e. each flag must be on a new line and use the -flag=value format etc etc) in the files.

To illustrate my proposal of reading flags from a file, see RJPercival@c6d3fc8. This supports things like glog without any special code being required. Parsing is off-loaded to a shellwords package (admittedly, this means an extra dependency). It supports either letting command-line arguments take precedence or raising an error if any command-line arguments other than "--config" are supplied.

Having said all that, it doesn't give you much over just having a wrapper script around the binary with whatever flags you'd like. Can you explain to me what this PR gives us? You mentioned it allows you to "use basically any parser on the config management node to verify the [config]". What sort of verification were you planning to do?

To illustrate my proposal of reading flags from a file, see RJPercival/trillian@c6d3fc8. This supports things like glog without any special code being required. Parsing is off-loaded to a shellwords package (admittedly, this means an extra dependency). It supports either letting command-line arguments take precedence or raising an error if any command-line arguments other than "--config" are supplied.

Yup, this is a MUCH cleaner implementation. Looking at the code I think this is probably the best way forward if we do want to support some kind of file based configuration.

Can you explain to me what this PR gives us? You mentioned it allows you to "use basically any parser on the config management node to verify the [config]". What sort of verification were you planning to do?

By verification I really just meant a super basic sanity check, for instance in our existing deployment of other software we are able to simply parse the JSON config after it has been generated on the config management node from a template in order to verify that it is at least properly formatted.

Having said all that, it doesn't give you much over just having a wrapper script around the binary with whatever flags you'd like.

After having deployed trillian in its current form a bunch recently I've pretty much come around to this being a basically fine solution. I think the only thing I'd really like file based configuration for at this point is basic secret isolation so that we don't have PEM key passwords or MySQL credentials in the process list but ¯_(ツ)_/¯.

Conclusion: I think I'm convinced at this point that this JSON-based solution ends up being very heavyweight for relatively little benefit (we could have native lists or maps! but... nowhere uses that now so eh). I still think having the separation of config from service is nice to have and provides for basic secret isolation but is not necessary.

At this point I think there are two real choices: (a.) close this and #578 out and go on our merry way and keep everything as-is or (b.) implement the solution from RJPercival/trillian@c6d3fc8. I think I'd probably go with (b.) but could really go either way to be honest.

I can appreciate not wanting certain flags visible in the process list; that's a good reason to have a config file. Would you like to pick up RJPercival@c6d3fc8, finish it off and see how it works for your use case?

I can appreciate not wanting certain flags visible in the process list; that's a good reason to have a config file. Would you like to pick up RJPercival/trillian@c6d3fc8, finish it off and see how it works for your use case?

Sounds good to me.

Changes look fine to me, thanks! Side-note: looks like TestUpdateRoot may be flaky.

(Oh also, I don't have perms on this repo so someone else should merge/kick the travis build)

I've given it a kick. Yes I've noticed client_test.go being pretty flaky, likely because of the sleep call it's relying on. @gdbelvin, any chance you could take a look at that?

The second build hit issue #617 (I'll look into that). Third time is hopefully the charm...