feat: add feature flags for new Lagoon features
These feature flags integrate with these Lagoon PRs:

* uselagoon/lagoon#2523
* uselagoon/lagoon#2536
smlx committed Mar 10, 2021
1 parent 1ee78ee commit 43605da
Showing 2 changed files with 65 additions and 15 deletions.
30 changes: 30 additions & 0 deletions controllers/lagoonbuild_controller.go
@@ -64,6 +64,11 @@ type LagoonBuildReconciler struct {
BuildPodRunAsGroup int64
// BuildPodFSGroup sets the build pod securityContext.fsGroup value.
BuildPodFSGroup int64
// Lagoon feature flags
LFFForceRootlessWorkload string
LFFDefaultRootlessWorkload string
LFFForceIsolationNetworkPolicy string
LFFDefaultIsolationNetworkPolicy string
}

// +kubebuilder:rbac:groups=lagoon.amazee.io,resources=lagoonbuilds,verbs=get;list;watch;create;update;patch;delete
@@ -429,6 +434,31 @@ func (r *LagoonBuildReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
Value: r.FastlyServiceID,
})
}
// Set any defined Lagoon feature flags in the build environment.
if r.LFFForceRootlessWorkload != "" {
podEnvs = append(podEnvs, corev1.EnvVar{
Name: "LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD",
Value: r.LFFForceRootlessWorkload,
})
}
if r.LFFDefaultRootlessWorkload != "" {
podEnvs = append(podEnvs, corev1.EnvVar{
Name: "LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD",
Value: r.LFFDefaultRootlessWorkload,
})
}
if r.LFFForceIsolationNetworkPolicy != "" {
podEnvs = append(podEnvs, corev1.EnvVar{
Name: "LAGOON_FEATURE_FLAG_FORCE_ISOLATION_NETWORK_POLICY",
Value: r.LFFForceIsolationNetworkPolicy,
})
}
if r.LFFDefaultIsolationNetworkPolicy != "" {
podEnvs = append(podEnvs, corev1.EnvVar{
Name: "LAGOON_FEATURE_FLAG_DEFAULT_ISOLATION_NETWORK_POLICY",
Value: r.LFFDefaultIsolationNetworkPolicy,
})
}
// Use the build image in the controller definition
buildImage := r.BuildImage
if lagoonBuild.Spec.Build.Image != "" {
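Review bot: The four new LFF* values are forwarded into every build pod's environment without any check (lines 35–58), so a misspelt value reaches the build as-is; if the build image only honours an exact literal — which nothing in this commit shows — a Force flag could then silently enforce nothing, so a one-time validation at startup, or at least a statement of the accepted values on the struct fields, would be worth adding. The struct comment `// Lagoon feature flags` could carry the Default-versus-Force distinction that main.go explains, e.g. `// LFF* hold Lagoon feature flag values passed to build pods; Force flags enforce a cluster policy that cannot be overridden, Default flags set a default policy.` The four identical `if`/`append` blocks would also read better as one table-driven loop, as below. Reconcile begins and ends outside this hunk.
```go
	// Set any defined Lagoon feature flags in the build environment.
	// An empty value leaves the variable unset in the build pod.
	for _, ff := range []struct{ name, value string }{
		{"LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD", r.LFFForceRootlessWorkload},
		{"LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD", r.LFFDefaultRootlessWorkload},
		{"LAGOON_FEATURE_FLAG_FORCE_ISOLATION_NETWORK_POLICY", r.LFFForceIsolationNetworkPolicy},
		{"LAGOON_FEATURE_FLAG_DEFAULT_ISOLATION_NETWORK_POLICY", r.LFFDefaultIsolationNetworkPolicy},
	} {
		if ff.value == "" {
			continue
		}
		podEnvs = append(podEnvs, corev1.EnvVar{Name: ff.name, Value: ff.value})
	}
	// … unchanged: build image selection …
```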
50 changes: 35 additions & 15 deletions main.go
@@ -81,6 +81,13 @@ func main() {
var buildPodRunAsUser uint
var buildPodRunAsGroup uint
var buildPodFSGroup uint
// Lagoon Feature Flags options control features in Lagoon. Default options
// set a default cluster policy, while Force options enforce a cluster policy
// and cannot be overridden.
var lffForceRootlessWorkload string
var lffDefaultRootlessWorkload string
var lffForceIsolationNetworkPolicy string
var lffDefaultIsolationNetworkPolicy string

flag.StringVar(&metricsAddr, "metrics-addr", ":8080",
"The address the metric endpoint binds to.")
@@ -136,6 +143,15 @@ func main() {
flag.UintVar(&buildPodRunAsUser, "build-pod-run-as-user", 0, "The build pod security context runAsUser.")
flag.UintVar(&buildPodRunAsGroup, "build-pod-run-as-group", 0, "The build pod security context runAsGroup.")
flag.UintVar(&buildPodFSGroup, "build-pod-fs-group", 0, "The build pod security context fsGroup.")
// Lagoon feature flags
flag.StringVar(&lffForceRootlessWorkload, "lagoon-feature-flag-force-rootless-workload", "",
"sets the LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD build environment variable to enforce cluster policy")
flag.StringVar(&lffDefaultRootlessWorkload, "lagoon-feature-flag-default-rootless-workload", "",
"sets the LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD build environment variable to control default cluster policy")
flag.StringVar(&lffForceIsolationNetworkPolicy, "lagoon-feature-flag-force-isolation-network-policy", "",
"sets the LAGOON_FEATURE_FLAG_FORCE_ISOLATION_NETWORK_POLICY build environment variable to enforce cluster policy")
flag.StringVar(&lffDefaultIsolationNetworkPolicy, "lagoon-feature-flag-default-isolation-network-policy", "",
"sets the LAGOON_FEATURE_FLAG_DEFAULT_ISOLATION_NETWORK_POLICY build environment variable to control default cluster policy")
flag.Parse()

// get overrides from environment variables
@@ -337,21 +353,25 @@ func main() {

setupLog.Info("starting controllers")
if err = (&controllers.LagoonBuildReconciler{
Client: mgr.GetClient(),
Log: ctrl.Log.WithName("controllers").WithName("LagoonBuild"),
Scheme: mgr.GetScheme(),
EnableMQ: enableMQ,
BuildImage: overrideBuildDeployImage,
IsOpenshift: isOpenshift,
NamespacePrefix: namespacePrefix,
RandomNamespacePrefix: randomPrefix,
ControllerNamespace: controllerNamespace,
EnableDebug: enableDebug,
FastlyServiceID: fastlyServiceID,
FastlyWatchStatus: fastlyWatchStatus,
BuildPodRunAsUser: int64(buildPodRunAsUser),
BuildPodRunAsGroup: int64(buildPodRunAsGroup),
BuildPodFSGroup: int64(buildPodFSGroup),
Client: mgr.GetClient(),
Log: ctrl.Log.WithName("controllers").WithName("LagoonBuild"),
Scheme: mgr.GetScheme(),
EnableMQ: enableMQ,
BuildImage: overrideBuildDeployImage,
IsOpenshift: isOpenshift,
NamespacePrefix: namespacePrefix,
RandomNamespacePrefix: randomPrefix,
ControllerNamespace: controllerNamespace,
EnableDebug: enableDebug,
FastlyServiceID: fastlyServiceID,
FastlyWatchStatus: fastlyWatchStatus,
BuildPodRunAsUser: int64(buildPodRunAsUser),
BuildPodRunAsGroup: int64(buildPodRunAsGroup),
BuildPodFSGroup: int64(buildPodFSGroup),
LFFForceRootlessWorkload: lffForceRootlessWorkload,
LFFDefaultRootlessWorkload: lffDefaultRootlessWorkload,
LFFForceIsolationNetworkPolicy: lffForceIsolationNetworkPolicy,
LFFDefaultIsolationNetworkPolicy: lffDefaultIsolationNetworkPolicy,
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "LagoonBuild")
os.Exit(1)
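Review bot: The new flag help strings (lines 83–90) name the environment variable but not the values an operator may pass, so `--help` does not say what "enforce cluster policy" expects, and they start lowercase while the neighbouring build-pod flags on lines 79–81 start with a capital; suggest e.g. `"The value to set for the LAGOON_FEATURE_FLAG_FORCE_ROOTLESS_WORKLOAD build environment variable; enforces a cluster policy that builds cannot override. Left unset if empty."` with the same pattern for the other three. The Default-versus-Force explanation at lines 68–70 lives only in a source comment; repeating it in the help text puts it where operators will see it. The hunk at lines 94–134 is the existing struct literal realigned by gofmt plus the four new fields, which is fine. main begins and ends outside these hunks.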
