// SPDX-FileCopyrightText: 2024 The Crossplane Authors <https://crossplane.io>
//
// SPDX-License-Identifier: Apache-2.0
package main
import (
"context"
"fmt"
"io"
"log"
"os"
"path/filepath"
"time"
xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
"github.com/crossplane/crossplane-runtime/pkg/certificates"
xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller"
"github.com/crossplane/crossplane-runtime/pkg/feature"
"github.com/crossplane/crossplane-runtime/pkg/logging"
"github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
"github.com/crossplane/crossplane-runtime/pkg/resource"
tjcontroller "github.com/crossplane/upjet/pkg/controller"
"github.com/crossplane/upjet/pkg/controller/conversion"
"gopkg.in/alecthomas/kingpin.v2"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/tools/leaderelection/resourcelock"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"github.com/upbound/provider-aws/apis"
"github.com/upbound/provider-aws/apis/v1alpha1"
"github.com/upbound/provider-aws/config"
resolverapis "github.com/upbound/provider-aws/internal/apis"
"github.com/upbound/provider-aws/internal/clients"
"github.com/upbound/provider-aws/internal/controller"
"github.com/upbound/provider-aws/internal/features"
)
// Environment variables consulted for the webhook/TLS server certificate
// directory, listed in the order main() tries them when --certs-dir is not
// supplied explicitly: CERTS_DIR first, then TLS_SERVER_CERTS_DIR (set by
// newer Crossplane versions), then WEBHOOK_TLS_CERT_DIR (older versions).
const (
	certsDirEnvVar          = "CERTS_DIR"
	tlsServerCertDirEnvVar  = "TLS_SERVER_CERTS_DIR"
	webhookTLSCertDirEnvVar = "WEBHOOK_TLS_CERT_DIR"
)

// tlsServerCertDir is the default directory for the server key and
// certificate when neither --certs-dir nor any of the variables above is set.
const tlsServerCertDir = "/tls/server"
// deprecationAction returns a kingpin.Action that prints a deprecation notice
// for the command-line flag named flagName to stderr. The action always
// returns nil; if the notice itself cannot be written, the process is
// terminated via kingpin.FatalIfError.
func deprecationAction(flagName string) kingpin.Action {
	const notice = "warning: Command-line flag %q is deprecated and no longer used. It will be removed in a future release. Please remove it from all of your configurations (ControllerConfigs, etc.).\n"
	return func(_ *kingpin.ParseContext) error {
		if _, err := fmt.Fprintf(os.Stderr, notice, flagName); err != nil {
			// Unlikely, but a broken stderr is not something we can recover from.
			kingpin.FatalIfError(err, "Failed to print the deprecation notice.")
		}
		return nil
	}
}
// main wires up the provider-aws controller manager: it parses the command
// line, resolves the webhook TLS certificate directory, builds the
// controller-runtime manager, registers the AWS APIs, assembles the upjet
// controller options (including the optional management-policies and
// external-secret-store features) and finally starts the manager. Every
// setup failure is fatal: kingpin.FatalIfError exits the process.
func main() {
	var (
		// DefaultEnvars() lets every flag also be supplied through an
		// environment variable derived from the flag name.
		app              = kingpin.New(filepath.Base(os.Args[0]), "AWS support for Crossplane.").DefaultEnvars()
		debug            = app.Flag("debug", "Run with debug logging.").Short('d').Bool()
		syncInterval     = app.Flag("sync", "Sync interval controls how often all resources will be double checked for drift.").Short('s').Default("1h").Duration()
		pollInterval     = app.Flag("poll", "Poll interval controls how often an individual resource should be checked for drift.").Default("10m").Duration()
		leaderElection   = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool()
		// maxReconcileRate is reused below as the REST-config rate limit, the
		// global reconcile rate limiter and the number of concurrent reconciles.
		maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may be checked for drift from the desired state.").Default("100").Int()
		namespace        = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String()

		enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool()
		essTLSCertsPath            = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String()
		enableManagementPolicies   = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool()

		certsDirSet = false
		// we record whether the command-line option "--certs-dir" was supplied
		// in the registered PreAction for the flag. Whether kingpin also fires
		// the PreAction when the value comes from the CERTS_DIR environment
		// variable is not visible here; the fallback below re-reads CERTS_DIR
		// itself, so either way an explicit value wins over the default.
		certsDir = app.Flag("certs-dir", "The directory that contains the server key and certificate.").Default(tlsServerCertDir).Envar(certsDirEnvVar).PreAction(func(_ *kingpin.ParseContext) error {
			certsDirSet = true
			return nil
		}).String()

		// now deprecated command-line arguments with the Terraform SDK-based upjet architecture.
		// They are hidden from --help but still parsed (and still bound to their
		// environment variables) so that stale ControllerConfigs keep working and
		// only produce the deprecation warning on stderr.
		_ = app.Flag("provider-ttl", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] TTL for the native plugin processes before they are replaced. Changing the default may increase memory consumption.").Hidden().Action(deprecationAction("provider-ttl")).Int()
		_ = app.Flag("terraform-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform version.").Envar("TERRAFORM_VERSION").Hidden().Action(deprecationAction("terraform-version")).String()
		_ = app.Flag("terraform-provider-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform provider version.").Envar("TERRAFORM_PROVIDER_VERSION").Hidden().Action(deprecationAction("terraform-provider-version")).String()
		_ = app.Flag("terraform-native-provider-path", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform native provider path for shared execution.").Envar("TERRAFORM_NATIVE_PROVIDER_PATH").Hidden().Action(deprecationAction("terraform-native-provider-path")).String()
		_ = app.Flag("terraform-provider-source", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform provider source.").Envar("TERRAFORM_PROVIDER_SOURCE").Hidden().Action(deprecationAction("terraform-provider-source")).String()
	)

	kingpin.MustParse(app.Parse(os.Args[1:]))

	// Silence the stdlib default logger and, unless --debug is given, the
	// controller-runtime logger as well. NOTE(review): this also suppresses
	// whatever controller-runtime would log about the webhook server and
	// leader election, so in production those only surface through the
	// provider's own logger below — keep that in mind when troubleshooting.
	log.Default().SetOutput(io.Discard)
	ctrl.SetLogger(zap.New(zap.WriteTo(io.Discard)))

	// Development-mode zap output (human readable, more verbose) is tied to --debug.
	zl := zap.New(zap.UseDevMode(*debug))
	logr := logging.NewLogrLogger(zl.WithName("provider-aws"))
	if *debug {
		// The controller-runtime runs with a no-op logger by default. It is
		// *very* verbose even at info level, so we only provide it a real
		// logger when we're running in debug mode.
		ctrl.SetLogger(zl)
	}

	// Poll jitter is fixed at 5% of the poll interval; it spreads individual
	// resource polls so they do not all fire in lockstep.
	pollJitter := time.Duration(float64(*pollInterval) * 0.05)
	logr.Debug("Starting", "sync-interval", syncInterval.String(),
		"poll-interval", pollInterval.String(), "poll-jitter", pollJitter, "max-reconcile-rate", *maxReconcileRate)

	// In-cluster or kubeconfig-based REST config, as resolved by controller-runtime.
	cfg, err := ctrl.GetConfig()
	kingpin.FatalIfError(err, "Cannot get API server rest config")

	// Get the TLS certs directory from the environment variables set by
	// Crossplane if they're available.
	// In older XP versions we used WEBHOOK_TLS_CERT_DIR, in newer versions
	// we use TLS_SERVER_CERTS_DIR. If an explicit certs dir is not supplied
	// via the command-line options, then these environment variables are used
	// instead. Precedence: CERTS_DIR > TLS_SERVER_CERTS_DIR > WEBHOOK_TLS_CERT_DIR
	// > the built-in default (tlsServerCertDir).
	if !certsDirSet {
		// backwards-compatibility concerns
		xpCertsDir := os.Getenv(certsDirEnvVar)
		if xpCertsDir == "" {
			xpCertsDir = os.Getenv(tlsServerCertDirEnvVar)
		}
		if xpCertsDir == "" {
			xpCertsDir = os.Getenv(webhookTLSCertDirEnvVar)
		}
		// we probably don't need this condition but just to be on the
		// safe side, if we are missing any kingpin machinery details...
		// (an empty value must not clobber the flag's default).
		if xpCertsDir != "" {
			*certsDir = xpCertsDir
		}
	}

	// The REST config is rate-limited with the same budget as reconciliation.
	// The webhook server is only told where its certificates live; port and
	// certificate file names are controller-runtime defaults, not set here.
	// RenewDeadline (50s) is deliberately shorter than LeaseDuration (60s) as
	// leader election requires; RetryPeriod is left at the library default.
	mgr, err := ctrl.NewManager(ratelimiter.LimitRESTConfig(cfg, *maxReconcileRate), ctrl.Options{
		LeaderElection:   *leaderElection,
		LeaderElectionID: "crossplane-leader-election-provider-aws-config",
		Cache: cache.Options{
			SyncPeriod: syncInterval,
		},
		WebhookServer: webhook.NewServer(
			webhook.Options{
				CertDir: *certsDir,
			}),
		LeaderElectionResourceLock: resourcelock.LeasesResourceLock,
		LeaseDuration:              func() *time.Duration { d := 60 * time.Second; return &d }(),
		RenewDeadline:              func() *time.Duration { d := 50 * time.Second; return &d }(),
	})
	kingpin.FatalIfError(err, "Cannot create controller manager")
	kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add AWS APIs to scheme")
	kingpin.FatalIfError(resolverapis.BuildScheme(apis.AddToSchemes), "Cannot register the AWS APIs with the API resolver's runtime scheme")

	ctx := context.Background()
	provider, err := config.GetProvider(ctx, false)
	kingpin.FatalIfError(err, "Cannot initialize the provider configuration")
	setupConfig := &clients.SetupConfig{
		Logger:            logr,
		TerraformProvider: provider.TerraformProvider,
	}
	o := tjcontroller.Options{
		Options: xpcontroller.Options{
			Logger:                  logr,
			GlobalRateLimiter:       ratelimiter.NewGlobal(*maxReconcileRate),
			PollInterval:            *pollInterval,
			MaxConcurrentReconciles: *maxReconcileRate,
			Features:                &feature.Flags{},
		},
		Provider:              provider,
		SetupFn:               clients.SelectTerraformSetup(setupConfig),
		PollJitter:            pollJitter,
		OperationTrackerStore: tjcontroller.NewOperationStore(logr),
		// Webhooks are started whenever a certs dir is known. Because the flag
		// has a non-empty default, the only way to disable them from here is an
		// explicit empty --certs-dir / CERTS_DIR.
		StartWebhooks: *certsDir != "",
	}

	if *enableManagementPolicies {
		o.Features.Enable(features.EnableBetaManagementPolicies)
		logr.Info("Beta feature enabled", "flag", features.EnableBetaManagementPolicies)
	}

	if *enableExternalSecretStores {
		o.SecretStoreConfigGVK = &v1alpha1.StoreConfigGroupVersionKind
		logr.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores)
		o.ESSOptions = &tjcontroller.ESSOptions{}
		if *essTLSCertsPath != "" {
			logr.Info("ESS TLS certificates path is set. Loading mTLS configuration.")
			// mTLS material is expected as ca.crt / tls.crt / tls.key under the
			// configured directory. NOTE(review): the trailing `false` is a
			// crossplane-runtime option whose meaning is not visible from this
			// file — confirm it does not relax peer certificate verification.
			tCfg, err := certificates.LoadMTLSConfig(filepath.Join(*essTLSCertsPath, "ca.crt"), filepath.Join(*essTLSCertsPath, "tls.crt"), filepath.Join(*essTLSCertsPath, "tls.key"), false)
			kingpin.FatalIfError(err, "Cannot load ESS TLS config.")
			o.ESSOptions.TLSConfig = tCfg
		}

		// Ensure default store config exists. The object is named "default" and
		// no namespace is set on it; only DefaultScope is populated, from
		// --namespace / POD_NAMESPACE. AlreadyExists is tolerated so restarts
		// are idempotent; any other API error is fatal. Create is a write and
		// therefore does not depend on the (not yet started) cache.
		kingpin.FatalIfError(resource.Ignore(kerrors.IsAlreadyExists, mgr.GetClient().Create(ctx, &v1alpha1.StoreConfig{
			TypeMeta: metav1.TypeMeta{},
			ObjectMeta: metav1.ObjectMeta{
				Name: "default",
			},
			Spec: v1alpha1.StoreConfigSpec{
				// NOTE(turkenh): We only set required spec and expect optional
				// ones to properly be initialized with CRD level default values.
				SecretStoreConfig: xpv1.SecretStoreConfig{
					DefaultScope: *namespace,
				},
			},
			Status: v1alpha1.StoreConfigStatus{},
		})), "cannot create default store config")
	}

	// Conversion webhooks must be registered before the controllers that rely on them are set up.
	kingpin.FatalIfError(conversion.RegisterConversions(o.Provider), "Cannot initialize the webhook conversion registry")
	kingpin.FatalIfError(controller.Setup_config(mgr, o), "Cannot setup AWS controllers")
	// Blocks until SIGINT/SIGTERM; a second signal terminates immediately.
	kingpin.FatalIfError(mgr.Start(ctrl.SetupSignalHandler()), "Cannot start controller manager")
}