package config
import (
"github.com/flyteorg/flytestdlib/config"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
)
//go:generate enumer --type=SecretManagerType --trimprefix=SecretManagerType -json -yaml
//go:generate enumer --type=KVVersion --trimprefix=KVVersion -json -yaml
//go:generate pflags Config --default-var=DefaultConfig
var (
	// DefaultConfig is the "webhook" section used when an operator supplies
	// nothing. Points worth knowing before overriding it:
	//   - SecretName and CertDir are where the generated certs are written
	//     (see the Config field docs), so both hold private-key material and
	//     should be protected accordingly.
	//   - SidecarImage is pinned by tag (":v0.1.4") only. Tags are mutable, so
	//     production deployments should override this with a digest-pinned
	//     reference to keep the supply chain auditable.
	//   - Requests and Limits for the AWS container are intentionally equal.
	//     They are spelled out as two separate maps so neither can alias the
	//     other if a caller mutates one in place.
	DefaultConfig = &Config{
		ListenPort:        9443,
		ServiceName:       "flyte-pod-webhook",
		ServicePort:       443,
		SecretName:        "flyte-pod-webhook",
		CertDir:           "/etc/webhook/certs",
		LocalCert:         false,
		MetricsPrefix:     "flyte:",
		SecretManagerType: SecretManagerTypeK8s,
		AWSSecretManagerConfig: AWSSecretManagerConfig{
			SidecarImage: "docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4",
			Resources: corev1.ResourceRequirements{
				Requests: corev1.ResourceList{
					corev1.ResourceCPU:    resource.MustParse("200m"),
					corev1.ResourceMemory: resource.MustParse("500Mi"),
				},
				Limits: corev1.ResourceList{
					corev1.ResourceCPU:    resource.MustParse("200m"),
					corev1.ResourceMemory: resource.MustParse("500Mi"),
				},
			},
		},
		VaultSecretManagerConfig: VaultSecretManagerConfig{
			KVVersion: KVVersion2,
			Role:      "flyte",
		},
	}

	// configSection registers DefaultConfig under the "webhook" key at package
	// init. Following the Must* convention it presumably panics if registration
	// fails (e.g. a duplicate section key), so the failure surfaces at startup
	// rather than at first use.
	configSection = config.MustRegisterSection("webhook", DefaultConfig)
)
// SecretManagerType selects how the webhook makes a secret available to a pod.
// The go:generate enumer directive above derives the JSON/YAML names from the
// constant names; the numeric values below are written out explicitly so that
// adding or reordering a member cannot silently change what an existing
// configuration (if it stores the numeric form) selects.
type SecretManagerType int

const (
	// SecretManagerTypeGlobal resolves secrets from the webhook pod's own
	// environment variables and mounted secrets. Per the Config.SecretManagerType
	// help text, this global lookup is attempted before the configured manager.
	SecretManagerTypeGlobal SecretManagerType = 0
	// SecretManagerTypeK8s injects volume mounts so the pod reads Kubernetes
	// Secrets directly. This is the DefaultConfig value.
	SecretManagerTypeK8s SecretManagerType = 1
	// SecretManagerTypeAWS injects an extra container that pulls secrets from
	// AWS Secrets Manager into an in-memory filesystem shared with the pod's
	// other containers.
	SecretManagerTypeAWS SecretManagerType = 2
	// SecretManagerTypeVault pulls secrets from HashiCorp Vault.
	SecretManagerTypeVault SecretManagerType = 3
)
// KVVersion names the Vault KV secrets-engine version the Vault secret manager
// talks to: https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine
// Values are explicit so the wire/ordinal meaning cannot drift if a member is
// inserted later.
type KVVersion int

const (
	// KVVersion1 targets the unversioned KV v1 engine.
	KVVersion1 KVVersion = 0
	// KVVersion2 targets the versioned KV v2 engine (the DefaultConfig value).
	KVVersion2 KVVersion = 1
)
// Config is the "webhook" configuration section: how the pod webhook serves
// (listen/service ports, TLS material locations) and which secret manager it
// falls back to. The struct tags drive both JSON/YAML decoding and the
// pflags-generated CLI flags; a pflag tag starting with "-" appears to exclude
// that field from flag generation, leaving it configurable via file only.
type Config struct {
	// MetricsPrefix is prepended to every published metric name.
	MetricsPrefix string `json:"metrics-prefix" pflag:",An optional prefix for all published metrics."`
	// CertDir is where generated certs are written on disk. It holds private
	// key material, so the mount it points at should be access-restricted.
	// NOTE(review): the help text says ".../certs/" (trailing slash) while
	// DefaultConfig uses "/etc/webhook/certs" — same directory, but worth
	// aligning the wording.
	CertDir string `json:"certDir" pflag:",Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/"`
	// LocalCert, when true, writes the certs locally instead of (presumably)
	// into the Secret named by SecretName — confirm against the cert-writing code.
	LocalCert bool `json:"localCert" pflag:",write certs locally. Defaults to false"`
	// ListenPort is the port the webhook process itself binds (default 9443).
	ListenPort int `json:"listenPort" pflag:",The port to use to listen to webhook calls. Defaults to 9443"`
	// ServiceName is the Kubernetes Service that fronts the webhook.
	ServiceName string `json:"serviceName" pflag:",The name of the webhook service."`
	// ServicePort is the Service-facing port (default 443), distinct from ListenPort.
	ServicePort int32 `json:"servicePort" pflag:",The port on the service that hosting webhook."`
	// SecretName is the Secret the generated certs are written to; anyone who
	// can read it can impersonate the webhook, so scope RBAC on it tightly.
	SecretName string `json:"secretName" pflag:",Secret name to write generated certs to."`
	// SecretManagerType is consulted only when a secret is not found among the
	// global secrets (see the help text). Not exposed as a CLI flag.
	SecretManagerType SecretManagerType `json:"secretManagerType" pflag:"-,Secret manager type to use if secrets are not found in global secrets."`
	// AWSSecretManagerConfig applies when SecretManagerType is SecretManagerTypeAWS.
	AWSSecretManagerConfig AWSSecretManagerConfig `json:"awsSecretManager" pflag:",AWS Secret Manager config."`
	// VaultSecretManagerConfig applies when SecretManagerType is SecretManagerTypeVault.
	VaultSecretManagerConfig VaultSecretManagerConfig `json:"vaultSecretManager" pflag:",Vault Secret Manager config."`
}
// AWSSecretManagerConfig configures the container the webhook injects when
// SecretManagerType is SecretManagerTypeAWS.
type AWSSecretManagerConfig struct {
	// SidecarImage is the image run to pull secrets from AWS Secrets Manager.
	// DefaultConfig pins it by tag only; tags are mutable, so production
	// deployments should pin by digest to keep the supply chain auditable.
	SidecarImage string `json:"sidecarImage" pflag:",Specifies the sidecar docker image to use"`
	// Resources are applied to the injected container. Not exposed as a CLI flag.
	// NOTE(review): this help text calls it an init container while the
	// SecretManagerTypeAWS comment says sidecar; which one the injector emits
	// is not visible in this file — confirm and align the wording.
	Resources corev1.ResourceRequirements `json:"resources" pflag:"-,Specifies resource requirements for the init container."`
}
// VaultSecretManagerConfig configures the Vault-backed secret manager used when
// SecretManagerType is SecretManagerTypeVault.
type VaultSecretManagerConfig struct {
	// Role is the Vault role the webhook uses (default "flyte").
	// NOTE(review): neither the Vault address nor the auth method is
	// configured here — presumably supplied elsewhere; confirm with the injector.
	Role string `json:"role" pflag:",Specifies the vault role to use"`
	// KVVersion selects the KV engine version. Defaults to KVVersion2
	// (versioned); use KVVersion1 for an unversioned engine. Not a CLI flag.
	KVVersion KVVersion `json:"kvVersion" pflag:"-,The KV Engine Version. Defaults to 2. Use 1 for unversioned secrets. Refer to - https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine."`
}
// GetConfig returns the current "webhook" section as held by configSection.
// The type assertion is deliberately unchecked: the section was registered
// with a *Config, so anything else is a programming error and a panic is the
// appropriate signal.
func GetConfig() *Config {
	current := configSection.GetConfig()
	return current.(*Config)
}