Skip to content

Commit

Permalink
chore: improve formatting and content (open-feature#384)
Browse files Browse the repository at this point in the history 
Signed-off-by: Kavindu Dodanduwa <kavindudodanduwa@gmail.com>
  • Loading branch information
@Kavindu-Dodan
Kavindu-Dodan authored Mar 14, 2023
1 parent b03fb14 commit c5a6a32
Show file tree
Hide file tree
Showing 5 changed files with 72 additions and 73 deletions.
18 changes: 9 additions & 9 deletions docs/annotations.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Example:
```yaml
metadata:
annotations:
openfeature.dev/enabled: "true"
openfeature.dev/enabled: "true"
```
### `openfeature.dev/flagsourceconfiguration`
Expand All @@ -18,11 +18,11 @@ If no namespace is provided it is assumed that the CR is within the same namespa
If multiple CRs are provided, they are merged with the latest taking precedence, for example, in the scenario below, `config-B` will take priority in the merge, replacing duplicated values that are set in `config-A`.

Example:
```
```yaml
metadata:
annotations:
openfeature.dev/enabled: "true"
openfeature.dev/flagsourceconfiguration:"config-A, config-B"`
openfeature.dev/enabled: "true"
openfeature.dev/flagsourceconfiguration: "config-A, config-B"
```

### `openfeature.dev/allowkubernetessync`
Expand All @@ -31,25 +31,25 @@ This annotation is used to mark pods which should have their permissions backfil


### `openfeature.dev/featureflagconfiguration`
*This annotation is deprecated in favour of the `openfeature.dev/flagsourceconfiguration` annotation and should no longer be used.*
*This annotation is DEPRECATED in favour of the `openfeature.dev/flagsourceconfiguration` annotation and should no longer be used.*
This annotation specifies the names of the FeatureFlagConfigurations used to configure the injected flagd sidecar.
The annotation value is a comma separated list of values following one of 2 patterns: {NAME} or {NAMESPACE}/{NAME}.
If no namespace is provided it is assumed that the CR is within the same namespace as the deployed pod.
Example:
```yaml
metadata:
annotations:
openfeature.dev/enabled: "true"
openfeature.dev/featureflagconfiguration: "demo, test/demo-2"
openfeature.dev/enabled: "true"
openfeature.dev/featureflagconfiguration: "demo, test/demo-2"
```

### `openfeature.dev`
*This annotation is deprecated in favour of the `openfeature.dev/enabled` annotation and should no longer be used.*
*This annotation is DEPRECATED in favour of the `openfeature.dev/enabled` annotation and should no longer be used.*

When a value of `"enabled"` is provided, the operator will inject a flagd sidecar into the annotated pods.
Example:
```yaml
metadata:
annotations:
openfeature.dev: "enabled"
openfeature.dev: "enabled"
```
16 changes: 8 additions & 8 deletions docs/feature_flag_configuration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,14 @@ kind: FeatureFlagConfiguration
metadata:
name: featureflagconfiguration-sample
spec:
featureFlagSpec:
flags:
foo:
state: "ENABLED"
variants:
bar: "BAR"
baz: "BAZ"
defaultVariant: "bar"
featureFlagSpec:
flags:
foo:
state: "ENABLED"
variants:
bar: "BAR"
baz: "BAZ"
defaultVariant: "bar"
```
## featureFlagSpec
Expand Down
40 changes: 20 additions & 20 deletions docs/flag_source_configuration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,27 +39,27 @@ The relevant `FlagSourceConfigurations` are passed to the operator by setting th

## FlagSourceConfiguration Fields

| Field | Behavior | Type | Default |
| ----------- | ----------- | ----------- | ----------- |
| MetricsPort | Defines the port for flagd to serve metrics on | optional `int32`| `8013` |
| Port | Defines the port for flagd to listen on | optional `int32` | `8014` |
| SocketPath | Defines the unix socket path to listen on | optional `string` | `""` |
| SyncProviderArgs | String arguments passed to the sidecar on startup, flagd documentation can be found [here](https://github.com/open-feature/flagd/blob/main/docs/configuration/configuration.md) | optional `array of strings`, key values separated by `=`, e.g `key=value` | `""` |
| Image | Allows for the sidecar image to be overridden | optional `string` | `ghcr.io/open-feature/flagd` |
| Tag | Tag to be appended to the sidecar image | optional `string` | `main` |
| Sources | An array of objects defining configuration and sources for each sync provider to use within flagd, documentation of the object is directly below this table | optional `array of objects` |`[]` |
| EnvVars | An array of environment variables to be applied to the sidecar, all names become prepended with the EnvVarPrefix | optional `array of environment variables` | `[]` |
| EnvVarPrefix | String value defining the prefix to be applied to all environment variables applied to the sidecar| optional `string` | `FLAGD` |
| DefaultSyncProvider | Defines the default provider to be used, can be set to `kubernetes`, `filepath` or `http`. | optional `string` | `kubernetes` |
| RolloutOnChange | When set to true the operator will trigger a restart of any `Deployments` within the `FlagSourceConfiguration` reconcile loop, updating the injected sidecar with the latest configuration. | optional `boolean` | `false` |
| Field | Behavior | Type | Default |
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------|
| MetricsPort | Defines the port for flagd to serve metrics on | optional `int32` | `8013` |
| Port | Defines the port for flagd to listen on | optional `int32` | `8014` |
| SocketPath | Defines the unix socket path to listen on | optional `string` | `""` |
| SyncProviderArgs | String arguments passed to the sidecar on startup, flagd documentation can be found [here](https://github.com/open-feature/flagd/blob/main/docs/configuration/configuration.md) | optional `array of strings`, key values separated by `=`, e.g `key=value` | `""` |
| Image | Allows for the sidecar image to be overridden | optional `string` | `ghcr.io/open-feature/flagd` |
| Tag | Tag to be appended to the sidecar image | optional `string` | `main` |
| Sources | An array of objects defining configuration and sources for each sync provider to use within flagd, documentation of the object is directly below this table | optional `array of objects` | `[]` |
| EnvVars | An array of environment variables to be applied to the sidecar, all names become prepended with the EnvVarPrefix | optional `array of environment variables` | `[]` |
| EnvVarPrefix | String value defining the prefix to be applied to all environment variables applied to the sidecar | optional `string` | `FLAGD` |
| DefaultSyncProvider | Defines the default provider to be used, can be set to `kubernetes`, `filepath` or `http`. | optional `string` | `kubernetes` |
| RolloutOnChange | When set to true the operator will trigger a restart of any `Deployments` within the `FlagSourceConfiguration` reconcile loop, updating the injected sidecar with the latest configuration. | optional `boolean` | `false` |

## Source Fields

| Field | Behavior | Type |
| ----------- | ----------- | ----------- |
| Source | Defines the URI of the flag source, this can be either a `host:port` or the `namespace/name` of a `FeatureFlagConfiguration` | `string` |
| Provider | Defines the provider to be used, can be set to `kubernetes`, `filepath` or `http`. If not provided the default sync provider is used. | optional `string` |
| HttpSyncBearerToken | Defines the bearer token to be used with a `http` sync. Has no effect if `Provider` is not `http` | optional `string` |
| Field | Behavior | Type |
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|-------------------|
| Source | Defines the URI of the flag source, this can be either a `host:port` or the `namespace/name` of a `FeatureFlagConfiguration` | `string` |
| Provider | Defines the provider to be used, can be set to `kubernetes`, `filepath` or `http`. If not provided the default sync provider is used. | optional `string` |
| HttpSyncBearerToken | Defines the bearer token to be used with a `http` sync. Has no effect if `Provider` is not `http` | optional `string` |

## Configuration Merging

Expand All @@ -84,7 +84,7 @@ Config-A:
apiVersion: core.openfeature.dev/v1alpha2
kind: FlagSourceConfiguration
metadata:
name: test-configuration-A
name: config-A
spec:
metricsPort: 8080
tag: latest
Expand All @@ -94,7 +94,7 @@ Config-B:
apiVersion: core.openfeature.dev/v1alpha2
kind: FlagSourceConfiguration
metadata:
name: test-configuration-B
name: config-B
spec:
port: 8000
tag: main
Expand Down
26 changes: 13 additions & 13 deletions docs/getting_started.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,18 +81,18 @@ spec:
matchLabels:
app: my-busybox-curl-app
template:
metadata:
labels:
app: my-busybox-curl-app
annotations:
openfeature.dev/enabled: "true"
openfeature.dev/flagsourceconfiguration: "default/flagsourceconfiguration-sample"
spec:
containers:
metadata:
labels:
app: my-busybox-curl-app
annotations:
openfeature.dev/enabled: "true"
openfeature.dev/flagsourceconfiguration: "default/flagsourceconfiguration-sample"
spec:
containers:
- name: busybox
image: yauritux/busybox-curl:latest
ports:
- containerPort: 80
- containerPort: 80
args:
- sleep
- "30000"
Expand All @@ -115,15 +115,15 @@ kubectl describe pod busybox-curl-7bd5767999-spf7v
```
```yaml
flagd:
Image: ghcr.io/open-feature/flagd:v0.4.1
Port: 8014/TCP
Host Port: 0/TCP
Image: ghcr.io/open-feature/flagd:v0.4.1
Port: 8014/TCP
Host Port: 0/TCP
Args:
start
--uri
core.openfeature.dev/default/featureflagconfiguration-sample
Environment:
FLAGD_METRICS_PORT: 8014
FLAGD_METRICS_PORT: 8014
```

Now that we have confirmed that the `flagd` sidecar has been injected and the configuration is correct, we can test the flag evaluation using `curl`.
Expand Down
45 changes: 22 additions & 23 deletions docs/permissions.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,46 +11,45 @@ The open feature operator uses the `open-feature-operator-controller-manager` se
The `leader-election-role` provides the operator with the required permissions to perform leader election.
The definition of this role can be found [here](../config/rbac//leader_election_role.yaml)

| API Group | Resource | Verbs |
| ----------- | ----------- | ----------- |
| - | `ConfigMap` | create, delete, get, list, patch, update, watch |
| - | `Event` | create, patch, |
| `coordination.k8s.io` | `Lease` | create, delete, get, list, patch, update, watch |

| API Group | Resource | Verbs |
|-----------------------|-------------|-------------------------------------------------|
| - | `ConfigMap` | create, delete, get, list, patch, update, watch |
| - | `Event` | create, patch, |
| `coordination.k8s.io` | `Lease` | create, delete, get, list, patch, update, watch |

### Manager Role

The `manager-role` applies the rules described below, its definition can be found [here](../config/rbac/role.yaml). It provides the operator with sufficient permissions over the `core.openfeature.dev` resources, and the required permissions for injecting the `flagd` sidecar into appropriate pods. The `ConfigMap` permissions are needed to allow the mounting of `FeatureFlagConfiguration` resources for filepath syncs.

| API Group | Resource | Verbs |
| ----------- | ----------- | ----------- |
| - | `ConfigMap` | create, delete, get, list, patch, update, watch |
| - | `Pod` | create, delete, get, list, patch, update, watch |
| - | `ServiceAccount` | get, list, watch |
| `core.openfeature.dev` | `FeatureFlagConfiguration` | create, delete, get, list, patch, update, watch |
| `core.openfeature.dev` | `FeatureFlagConfiguration Finalizers` | update |
| `core.openfeature.dev` | `FeatureFlagConfiguration Status` | get, patch, update |
| `rbac.authorization.k8s.io` | `ClusterRoleBinding` | get, list, update, watch |
| API Group | Resource | Verbs |
|-----------------------------|---------------------------------------|-------------------------------------------------|
| - | `ConfigMap` | create, delete, get, list, patch, update, watch |
| - | `Pod` | create, delete, get, list, patch, update, watch |
| - | `ServiceAccount` | get, list, watch |
| `core.openfeature.dev` | `FeatureFlagConfiguration` | create, delete, get, list, patch, update, watch |
| `core.openfeature.dev` | `FeatureFlagConfiguration Finalizers` | update |
| `core.openfeature.dev` | `FeatureFlagConfiguration Status` | get, patch, update |
| `rbac.authorization.k8s.io` | `ClusterRoleBinding` | get, list, update, watch |

### Proxy Role

The `proxy-role` definition can be found [here](../config/rbac/auth_proxy_role.yaml)

| API Group | Resource | Verbs |
| ----------- | ----------- | ----------- |
| `authentication.k8s.io` | `Token Review` | create |
| `authentication.k8s.io` | `Subject Access Review` | create |
| API Group | Resource | Verbs |
|-------------------------|-------------------------|--------|
| `authentication.k8s.io` | `Token Review` | create |
| `authentication.k8s.io` | `Subject Access Review` | create |

### Flagd Kubernetes Sync

The `flagd-kubernetes-sync` role providers the permission to get, watch and list all `core.openfeature.dev` resources, permitting the kubernetes sync feature in injected `flagd` containers.
Its definition can be found [here](../config/rbac/flagd_kubernetes_sync_clusterrole.yaml).
During startup the operator will backfill permissions to the `flagd-kubernetes-sync` cluster role binding from the current state of the cluster, adding all service accounts from pods with the `core.openfeature.dev/enabled` annotation set to `"true"`, preventing unexpected behavior during upgrades.

| API Group | Resource | Verbs |
| ----------- | ----------- | ----------- |
| `core.openfeature.dev` | `FlagSourceConfiguration` | get, watch, list |
| `core.openfeature.dev` | `FeatureFlagConfiguration` | get, watch, list |
| API Group | Resource | Verbs |
|------------------------|----------------------------|------------------|
| `core.openfeature.dev` | `FlagSourceConfiguration` | get, watch, list |
| `core.openfeature.dev` | `FeatureFlagConfiguration` | get, watch, list |

When a `Pod` has the `core.openfeature.dev/enabled` annotation value set to `"true"`, its `Service Account` is added as a subject for this role's `Role Binding`, granting it all required permissions for watching its associated `FeatureFlagConfigurations`. As a result `flagd` can provide real time events describing flag configuration changes.

0 comments on commit c5a6a32

Please sign in to comment.