package enforcement
import (
"github.com/amit7itz/goset"
"github.com/otterize/intents-operator/src/shared/operatorconfig/automate_third_party_network_policy"
"github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
"github.com/samber/lo"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
"github.com/spf13/viper"
)
// Config is the enforcement configuration materialized from viper by GetConfig.
//
// Each Enable* field toggles one policy reconciler. The two Automate* fields hold
// the raw configured mode; read them through GetAutomateThirdPartyNetworkPolicy and
// GetAutomateAllowWebhookTraffic, which fold EnforcementDefaultState into the result.
type Config struct {
	// EnforcementDefaultState is the global default: true always enforces, false
	// ("shadow" mode) only enforces where overridden (ProtectedService, EnforcedNamespaces).
	EnforcementDefaultState bool
	// EnableNetworkPolicy toggles creation of network policies from intents.
	EnableNetworkPolicy bool
	// EnableKafkaACL toggles creation of Kafka ACLs from intents.
	EnableKafkaACL bool
	// EnableIstioPolicy toggles creation of Istio authorization policies.
	EnableIstioPolicy bool
	// EnableDatabasePolicy toggles the database reconciler.
	EnableDatabasePolicy bool
	// EnableEgressNetworkPolicyReconcilers toggles egress network policies in addition to ingress ones.
	EnableEgressNetworkPolicyReconcilers bool
	// EnableAWSPolicy toggles the AWS IAM reconciler.
	EnableAWSPolicy bool
	// EnableGCPPolicy toggles the GCP IAM reconciler.
	EnableGCPPolicy bool
	// EnableAzurePolicy toggles the Azure IAM reconciler.
	EnableAzurePolicy bool
	// EnableLinkerdPolicies toggles Linkerd policy creation (flagged experimental in InitCLIFlags).
	EnableLinkerdPolicies bool
	// StrictModeEnabled toggles strict mode intents.
	StrictModeEnabled bool
	// EnforcedNamespaces are namespaces treated as enforced even in shadow mode
	// (read from ActiveEnforcementNamespacesKey).
	EnforcedNamespaces *goset.Set[string]
	// ExcludedStrictModeNamespaces are namespaces left out of strict mode when it is enabled
	// (read from ExcludedStrictModeNamespacesKey).
	ExcludedStrictModeNamespaces *goset.Set[string]
	// AutomateThirdPartyNetworkPolicies is the raw mode for third-party / metrics traffic policies;
	// it is converted from a string without validation, so it may hold an unrecognized value.
	AutomateThirdPartyNetworkPolicies automate_third_party_network_policy.Enum
	// AutomateAllowWebhookTraffic is the raw mode for webhook traffic policies; same caveat as above.
	AutomateAllowWebhookTraffic automate_third_party_network_policy.Enum
	// PrometheusServiceIdentities are the Prometheus servers listed under PrometheusServiceConfigKey.
	PrometheusServiceIdentities []serviceidentity.ServiceIdentity
}
// GetAutomateThirdPartyNetworkPolicy returns the effective mode for automatically
// created third-party network policies, folding the global enforcement default
// into the configured AutomateThirdPartyNetworkPolicies value.
//
// Off is always honored. Always is only honored while enforcement is on by
// default; in shadow mode it is downgraded to IfBlockedByOtterize, so third-party
// traffic is only cut off from services Otterize already protects. Any other
// value — including an empty or unrecognized string, which GetConfig does not
// validate — is also treated as IfBlockedByOtterize rather than rejected.
func (c Config) GetAutomateThirdPartyNetworkPolicy() automate_third_party_network_policy.Enum {
	mode := c.AutomateThirdPartyNetworkPolicies
	if mode == automate_third_party_network_policy.Off {
		return automate_third_party_network_policy.Off
	}
	if mode == automate_third_party_network_policy.Always && c.EnforcementDefaultState {
		return automate_third_party_network_policy.Always
	}
	// Always-without-default-enforcement, IfBlockedByOtterize itself and any
	// unknown value all land here.
	return automate_third_party_network_policy.IfBlockedByOtterize
}
// GetAutomateAllowWebhookTraffic returns the effective mode for automatically
// created webhook-traffic network policies. The rules mirror
// GetAutomateThirdPartyNetworkPolicy: Off is honored as-is, Always is honored
// only while EnforcementDefaultState is true and otherwise becomes
// IfBlockedByOtterize, and every other value (including an unvalidated,
// unrecognized string from GetConfig) is IfBlockedByOtterize.
func (c Config) GetAutomateAllowWebhookTraffic() automate_third_party_network_policy.Enum {
	mode := c.AutomateAllowWebhookTraffic
	switch {
	case mode == automate_third_party_network_policy.Off:
		return automate_third_party_network_policy.Off
	case mode == automate_third_party_network_policy.Always && c.EnforcementDefaultState:
		return automate_third_party_network_policy.Always
	default:
		// In shadow mode a configured Always is not applied: webhook traffic is
		// only blocked for services that Otterize already protects.
		return automate_third_party_network_policy.IfBlockedByOtterize
	}
}
// Configuration keys and their documented defaults. The *Key constants are the
// viper/pflag names; the matching *Default constants are registered in init and
// reused as flag defaults in InitCLIFlags.
const (
	ActiveEnforcementNamespacesKey           = "active-enforcement-namespaces"          // When using the "shadow enforcement" mode, namespaces in this list will be treated as if the enforcement were active
	AutomateThirdPartyNetworkPoliciesKey     = "automate-third-party-network-policies"  // Whether to automatically create network policies for external traffic & metrics collection traffic
	AutomateThirdPartyNetworkPoliciesDefault = string(automate_third_party_network_policy.IfBlockedByOtterize)
	AutomateAllowWebhookTrafficKey           = "automate-allow-webhook-traffic" // Whether to automatically create network policies for webhook services
	AutomateAllowWebhookTrafficDefault       = string(automate_third_party_network_policy.IfBlockedByOtterize)
	EnforcementDefaultStateKey               = "enforcement-default-state" // Sets the default state of the enforcement. If true, always enforces. If false, can be overridden using ProtectedService.
	EnforcementDefaultStateDefault           = true
	EnableNetworkPolicyKey                   = "enable-network-policy-creation" // Whether to enable Intents network policy creation
	EnableNetworkPolicyDefault               = true
	EnableIstioPolicyKey                     = "enable-istio-policy-creation" // Whether to enable Istio authorization policy creation
	EnableIstioPolicyDefault                 = true
	EnableLinkerdPolicyKey                   = "enable-linkerd-policy" // Whether to enable Linkerd policy creation (experimental)
	EnableLinkerdPolicyDefault               = true
	EnableKafkaACLKey                        = "enable-kafka-acl-creation" // Whether to enable Intents Kafka ACL creation
	EnableKafkaACLDefault                    = true
	EnableDatabasePolicy                     = "enable-database-policy-creation" // Whether to enable the new database reconciler. NOTE: this is the key name despite lacking the Key suffix; kept as-is for compatibility.
	EnableDatabasePolicyDefault              = true
	EnableEgressNetworkPolicyReconcilersKey  = "enable-egress-network-policies" // Enable the generation of egress network policies alongside ingress network policies
	EnableEgressNetworkPolicyReconcilersDefault = false
	EnableAWSPolicyKey                       = "enable-aws-iam-policy" // Whether to enable the AWS IAM reconciler
	EnableAWSPolicyDefault                   = false
	EnableGCPPolicyKey                       = "enable-gcp-iam-policy" // Whether to enable the GCP IAM reconciler
	EnableGCPPolicyDefault                   = false
	EnableAzurePolicyKey                     = "enable-azure-iam-policy" // Whether to enable the Azure IAM reconciler
	EnableAzurePolicyDefault                 = false
	PrometheusServiceConfigKey               = "prometheusServerConfigs" // List of Prometheus servers (name/namespace/kind), decoded by GetPrometheusServiceIdentities. Note the camelCase, unlike the other keys.
	EnableStrictModeIntentsKey               = "enable-strict-mode-intents" // Whether to enable strict mode intents
	EnableStrictModeIntentsDefault           = false
	ExcludedStrictModeNamespacesKey          = "excluded-strict-mode-namespaces" // Namespaces to exclude from strict mode intents when it is enabled
)
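// init registers the viper default for every *Default constant so that GetConfig
// returns the documented value even when the matching CLI flag is never
// registered or bound (for example when configuration comes only from a file or
// from environment variables).
func init() {
	viper.SetDefault(EnforcementDefaultStateKey, EnforcementDefaultStateDefault)
	viper.SetDefault(EnableNetworkPolicyKey, EnableNetworkPolicyDefault)
	viper.SetDefault(EnableKafkaACLKey, EnableKafkaACLDefault)
	viper.SetDefault(ActiveEnforcementNamespacesKey, nil)
	viper.SetDefault(ExcludedStrictModeNamespacesKey, nil)
	viper.SetDefault(EnableIstioPolicyKey, EnableIstioPolicyDefault)
	// Registered like the other toggles: without it viper.GetBool reports the
	// Linkerd reconciler as disabled although EnableLinkerdPolicyDefault is true.
	viper.SetDefault(EnableLinkerdPolicyKey, EnableLinkerdPolicyDefault)
	viper.SetDefault(EnableDatabasePolicy, EnableDatabasePolicyDefault)
	viper.SetDefault(EnableEgressNetworkPolicyReconcilersKey, EnableEgressNetworkPolicyReconcilersDefault)
	viper.SetDefault(EnableAWSPolicyKey, EnableAWSPolicyDefault)
	viper.SetDefault(EnableGCPPolicyKey, EnableGCPPolicyDefault)
	viper.SetDefault(EnableAzurePolicyKey, EnableAzurePolicyDefault)
	viper.SetDefault(AutomateThirdPartyNetworkPoliciesKey, AutomateThirdPartyNetworkPoliciesDefault)
	viper.SetDefault(AutomateAllowWebhookTrafficKey, AutomateAllowWebhookTrafficDefault)
	viper.SetDefault(EnableStrictModeIntentsKey, EnableStrictModeIntentsDefault)
}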
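// InitCLIFlags registers the enforcement command-line flags on the global pflag
// set, using the *Default constants as flag defaults. It must be called at most
// once per process (pflag panics on a redefined flag) and before the flags are
// parsed and bound to viper.
//
// NOTE(review): no flags are registered here for the GCP/Azure IAM toggles, the
// automate-* keys or the Prometheus server list; they may be registered
// elsewhere or be settable only through the config file / environment — confirm
// before adding them here.
func InitCLIFlags() {
	pflag.Bool(EnforcementDefaultStateKey, EnforcementDefaultStateDefault, "Sets the default state of the enforcement. If true, always enforces. If false, can be overridden using ProtectedService.")
	pflag.Bool(EnableNetworkPolicyKey, EnableNetworkPolicyDefault, "Whether to enable Intents network policy creation")
	// Help text corrected: the flag enables (default true) rather than disables ACL creation.
	pflag.Bool(EnableKafkaACLKey, EnableKafkaACLDefault, "Whether to enable Intents Kafka ACL creation")
	pflag.StringSlice(ActiveEnforcementNamespacesKey, nil, "While using the shadow enforcement mode, namespaces in this list will be treated as if the enforcement were active.")
	pflag.StringSlice(ExcludedStrictModeNamespacesKey, nil, "Namespaces to exclude from strict mode intents when it is enabled.")
	pflag.Bool(EnableStrictModeIntentsKey, EnableStrictModeIntentsDefault, "Whether to enable strict mode intents")
	pflag.Bool(EnableIstioPolicyKey, EnableIstioPolicyDefault, "Whether to enable Istio authorization policy creation")
	pflag.Bool(EnableLinkerdPolicyKey, EnableLinkerdPolicyDefault, "Experimental - enable Linkerd policy creation")
	pflag.Bool(EnableDatabasePolicy, EnableDatabasePolicyDefault, "Enable the database reconciler")
	pflag.Bool(EnableEgressNetworkPolicyReconcilersKey, EnableEgressNetworkPolicyReconcilersDefault, "Experimental - enable the generation of egress network policies alongside ingress network policies")
	pflag.Bool(EnableAWSPolicyKey, EnableAWSPolicyDefault, "Enable the AWS IAM reconciler")
}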
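// GetConfig materializes the current viper state into a Config.
//
// It should be called after the defaults (init) and any flag/env/file binding
// are in place. The two Automate* values are converted from their raw strings
// without validation; see the Config accessor methods for how unrecognized
// values are interpreted.
func GetConfig() Config {
	return Config{
		EnforcementDefaultState:              viper.GetBool(EnforcementDefaultStateKey),
		EnableNetworkPolicy:                  viper.GetBool(EnableNetworkPolicyKey),
		EnableKafkaACL:                       viper.GetBool(EnableKafkaACLKey),
		EnableIstioPolicy:                    viper.GetBool(EnableIstioPolicyKey),
		EnableLinkerdPolicies:                viper.GetBool(EnableLinkerdPolicyKey),
		EnableDatabasePolicy:                 viper.GetBool(EnableDatabasePolicy),
		EnableEgressNetworkPolicyReconcilers: viper.GetBool(EnableEgressNetworkPolicyReconcilersKey),
		EnableAWSPolicy:                      viper.GetBool(EnableAWSPolicyKey),
		EnableGCPPolicy:                      viper.GetBool(EnableGCPPolicyKey),
		EnableAzurePolicy:                    viper.GetBool(EnableAzurePolicyKey),
		StrictModeEnabled:                    viper.GetBool(EnableStrictModeIntentsKey),
		// The two namespace sets are independent settings and must each be read
		// from their own key: reading the strict-mode exclusions from the
		// active-enforcement list would silently ignore
		// excluded-strict-mode-namespaces and instead exempt the actively
		// enforced namespaces from strict mode.
		EnforcedNamespaces:                goset.FromSlice(viper.GetStringSlice(ActiveEnforcementNamespacesKey)),
		ExcludedStrictModeNamespaces:      goset.FromSlice(viper.GetStringSlice(ExcludedStrictModeNamespacesKey)),
		AutomateThirdPartyNetworkPolicies: automate_third_party_network_policy.Enum(viper.GetString(AutomateThirdPartyNetworkPoliciesKey)),
		AutomateAllowWebhookTraffic:       automate_third_party_network_policy.Enum(viper.GetString(AutomateAllowWebhookTrafficKey)),
		PrometheusServiceIdentities:       GetPrometheusServiceIdentities(),
	}
}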
// ServiceIdentityConfig is one entry of the list stored under
// PrometheusServiceConfigKey; GetPrometheusServiceIdentities decodes it with
// viper.UnmarshalKey and copies the fields into a serviceidentity.ServiceIdentity.
// Fields carry no explicit decoding tags, so they are matched by field name —
// presumably case-insensitively per viper's default decoder; verify against the
// config files in use.
type ServiceIdentityConfig struct {
	Name      string
	Namespace string
	Kind      string
}
// GetPrometheusServiceIdentities decodes the list stored under
// PrometheusServiceConfigKey and converts every entry into a
// serviceidentity.ServiceIdentity.
//
// An absent or empty key yields an empty slice. A value that cannot be decoded
// is treated as a fatal configuration error: it is logged and the function
// panics, so a malformed Prometheus server list stops the operator at startup
// instead of silently producing no identities.
func GetPrometheusServiceIdentities() []serviceidentity.ServiceIdentity {
	entries := make([]ServiceIdentityConfig, 0)
	if err := viper.UnmarshalKey(PrometheusServiceConfigKey, &entries); err != nil {
		logrus.WithError(err).Panic("Failed to unmarshal Prometheus server config")
	}

	toIdentity := func(entry ServiceIdentityConfig, _ int) serviceidentity.ServiceIdentity {
		return serviceidentity.ServiceIdentity{
			Name:      entry.Name,
			Namespace: entry.Namespace,
			Kind:      entry.Kind,
		}
	}
	return lo.Map(entries, toIdentity)
}