-
Notifications
You must be signed in to change notification settings - Fork 197
/
config.go
105 lines (91 loc) · 5.03 KB
/
config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
package etc
import (
"fmt"
"strings"
"time"
"github.com/caarlos0/env/v6"
)
// Config defines parameters for running the operator.
type Config struct {
Namespace string `env:"OPERATOR_NAMESPACE"`
TargetNamespaces string `env:"OPERATOR_TARGET_NAMESPACES"`
ExcludeNamespaces string `env:"OPERATOR_EXCLUDE_NAMESPACES"`
ServiceAccount string `env:"OPERATOR_SERVICE_ACCOUNT" envDefault:"starboard-operator"`
LogDevMode bool `env:"OPERATOR_LOG_DEV_MODE" envDefault:"false"`
ScanJobTimeout time.Duration `env:"OPERATOR_SCAN_JOB_TIMEOUT" envDefault:"5m"`
ConcurrentScanJobsLimit int `env:"OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT" envDefault:"10"`
ScanJobRetryAfter time.Duration `env:"OPERATOR_SCAN_JOB_RETRY_AFTER" envDefault:"30s"`
BatchDeleteLimit int `env:"OPERATOR_BATCH_DELETE_LIMIT" envDefault:"10"`
BatchDeleteDelay time.Duration `env:"OPERATOR_BATCH_DELETE_DELAY" envDefault:"10s"`
MetricsBindAddress string `env:"OPERATOR_METRICS_BIND_ADDRESS" envDefault:":8080"`
HealthProbeBindAddress string `env:"OPERATOR_HEALTH_PROBE_BIND_ADDRESS" envDefault:":9090"`
CISKubernetesBenchmarkEnabled bool `env:"OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED" envDefault:"true"`
VulnerabilityScannerEnabled bool `env:"OPERATOR_VULNERABILITY_SCANNER_ENABLED" envDefault:"true"`
VulnerabilityScannerScanOnlyCurrentRevisions bool `env:"OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
VulnerabilityScannerReportTTL *time.Duration `env:"OPERATOR_VULNERABILITY_SCANNER_REPORT_TTL"`
ClusterComplianceEnabled bool `env:"OPERATOR_CLUSTER_COMPLIANCE_ENABLED" envDefault:"true"`
ConfigAuditScannerEnabled bool `env:"OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED" envDefault:"false"`
ConfigAuditScannerScanOnlyCurrentRevisions bool `env:"OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS" envDefault:"false"`
// ConfigAuditScannerBuiltIn tells Starboard to use the built-in
// configuration audit scanner instead of Polaris or Conftest
// plugins.
//
// You cannot use Polaris or Conftest and the built-in scanner at the same
// time. The built-in scanners is much faster and does not create Kubernetes
// Job objects to perform scans asynchronously. Instead, it evaluates OPA
// Rego policies synchronously within the reconciliation loop.
ConfigAuditScannerBuiltIn bool `env:"OPERATOR_CONFIG_AUDIT_SCANNER_BUILTIN" envDefault:"true"`
LeaderElectionEnabled bool `env:"OPERATOR_LEADER_ELECTION_ENABLED" envDefault:"false"`
LeaderElectionID string `env:"OPERATOR_LEADER_ELECTION_ID" envDefault:"starboard-lock"`
}
// GetOperatorConfig loads Config from environment variables.
func GetOperatorConfig() (Config, error) {
var config Config
err := env.Parse(&config)
if config.ConfigAuditScannerEnabled && config.ConfigAuditScannerBuiltIn {
return Config{}, fmt.Errorf("plugin-based and built-in configuration audit scanners cannot be enabled at the same time")
}
return config, err
}
// GetOperatorNamespace returns the namespace the operator should be running in.
func (c Config) GetOperatorNamespace() (string, error) {
namespace := c.Namespace
if namespace != "" {
return namespace, nil
}
return "", fmt.Errorf("%s must be set", "OPERATOR_NAMESPACE")
}
// GetTargetNamespaces returns namespaces the operator should be watching for changes.
func (c Config) GetTargetNamespaces() []string {
namespaces := c.TargetNamespaces
if namespaces != "" {
return strings.Split(namespaces, ",")
}
return []string{}
}
// InstallMode represents multitenancy support defined by the Operator Lifecycle Manager spec.
type InstallMode string
const (
OwnNamespace InstallMode = "OwnNamespace"
SingleNamespace InstallMode = "SingleNamespace"
MultiNamespace InstallMode = "MultiNamespace"
AllNamespaces InstallMode = "AllNamespaces"
)
// ResolveInstallMode resolves InstallMode based on configured Config.Namespace and Config.TargetNamespaces.
func (c Config) ResolveInstallMode() (InstallMode, string, []string, error) {
operatorNamespace, err := c.GetOperatorNamespace()
if err != nil {
return "", "", nil, err
}
targetNamespaces := c.GetTargetNamespaces()
if len(targetNamespaces) == 1 && operatorNamespace == targetNamespaces[0] {
return OwnNamespace, operatorNamespace, targetNamespaces, nil
}
if len(targetNamespaces) == 1 && operatorNamespace != targetNamespaces[0] {
return SingleNamespace, operatorNamespace, targetNamespaces, nil
}
if len(targetNamespaces) > 1 {
return MultiNamespace, operatorNamespace, targetNamespaces, nil
}
return AllNamespaces, operatorNamespace, targetNamespaces, nil
}