From 03064637f14bdc1a088a7833d8da861033ce29de Mon Sep 17 00:00:00 2001
From: Oleksii Kliukin
Date: Fri, 12 May 2017 17:18:41 +0200
Subject: [PATCH 1/3] Allow disabling access to the DB and the Teams API.
Command-line options --nodatabaseaccess and --noteamsapi disable all teams api interaction and access to the Postgres database. This is useful for debugging purposes when the operator runs out of cluster (with --outofcluster flag). The same effect can be achieved by setting enable_db_access and/or enable_teams_api to false.
---
 cmd/main.go | 10 ++++++++++
 pkg/cluster/cluster.go | 18 ++++++++++--------
 pkg/cluster/pg.go | 11 +++++++----
 pkg/cluster/sync.go | 3 +++
 pkg/controller/controller.go | 2 +-
 pkg/util/config/config.go | 2 ++
 pkg/util/teams/teams.go | 8 +++++++-
 7 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index d283c5a10..697058a04 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -19,12 +19,16 @@ var (
 podNamespace string
 configMapName spec.NamespacedName
 OutOfCluster bool
+ noTeamsAPI bool
+ noDBAccess bool
 version string
 )
 func init() {
 flag.StringVar(&KubeConfigFile, "kubeconfig", "", "Path to kubeconfig file with authorization and master location information.")
 flag.BoolVar(&OutOfCluster, "outofcluster", false, "Whether the operator runs in- our outside of the Kubernetes cluster.")
+ flag.BoolVar(&noDBAccess, "nodatabaseaccess", false, "Disable all access to the database from the operator side.")
+ flag.BoolVar(&noTeamsAPI, "noteamsapi", false, "Disable all access to the teams API")
 flag.Parse()
 podNamespace = os.Getenv("MY_POD_NAMESPACE")
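Review bot: The help string for the new `noteamsapi` flag is the only place an operator running `--help` learns what the switch does, and it neither ends with a period like the two flags above it nor says that this is a debugging aid for out-of-cluster runs, which is what the commit message states. Suggest `flag.BoolVar(&noTeamsAPI, "noteamsapi", false, "Disable all access to the teams API. Intended for debugging when the operator runs out of cluster.")` and the matching sentence on the `nodatabaseaccess` help string. Both flags only force a setting off, so a ConfigMap that already disables them is not overridden; worth stating in the help text as well.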
@@ -87,6 +91,12 @@ func main() {
 if configMapData["namespace"] == "" { // Namespace in ConfigMap has priority over env var
 configMapData["namespace"] = podNamespace
 }
+ if noDBAccess {
+ configMapData["enable_db_access"] = "false"
+ }
+ if noTeamsAPI {
+ configMapData["enable_teams_api"] = "false"
+ }
 cfg := config.NewFromMap(configMapData)
 log.Printf("Config: %s", cfg.MustMarshal())
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index b870c9639..895b91944 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -227,18 +227,20 @@ func (c *Cluster) Create(stopCh <-chan struct{}) error {
 }
 c.logger.Infof("Pods are ready")
- if !c.masterLess {
- if err = c.initDbConn(); err != nil {
+ if !(c.masterLess || c.DatabaseAccessDisabled()) {
+ if err := c.initDbConn(); err != nil {
 return fmt.Errorf("Can't init db connection: %s", err)
- }
-
- if err = c.createUsers(); err != nil {
- return fmt.Errorf("Can't create users: %s", err)
 } else {
- c.logger.Infof("Users have been successfully created")
+ if err = c.createUsers(); err != nil {
+ return fmt.Errorf("Can't create users: %s", err)
+ } else {
+ c.logger.Infof("Users have been successfully created")
+ }
 } else {
- c.logger.Warnln("Cluster is masterless")
+ if c.masterLess {
+ c.logger.Warnln("Cluster is masterless")
+ }
 }
 c.ListResources()
diff --git a/pkg/cluster/pg.go b/pkg/cluster/pg.go
index fa325047b..34816bcab 100644
--- a/pkg/cluster/pg.go
+++ b/pkg/cluster/pg.go
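Review bot: The two added overrides force `enable_db_access` / `enable_teams_api` off without leaving any record in the log, and they key the ConfigMap map by bare string literals that must stay identical to the struct tags in pkg/util/config/config.go (the second patch in this series already has to rename the key in both places). Suggest logging the override where it happens, e.g. `log.Printf("Database access disabled by --nodatabaseaccess")` next to the assignment and the same for the Teams API, so a deployment accidentally started with either flag is visible from its startup output rather than only from a later debug line. The key names are better hoisted into constants shared with the config package than repeated here. main continues outside the hunk.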
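Review bot: The rewritten block in Create puts the createUsers call in an `else` after a branch that returns, then nests a second `else` inside it, which is the else-after-return shape Go style guides flag and which buries the happy path three levels deep. It also makes the disabled-database case silent at Create time: the masterless case keeps its warning, but when DatabaseAccessDisabled() is true the only trace is the Debugf inside that predicate, so an operator reading the log sees "Pods are ready" and nothing about users not being created. A bare switch keeps the happy path left-aligned and gives the skipped case its own warning; the `:=` inside the if-initialisers replaces the assignments to the outer `err`, which the visible lines do not read afterwards. Create continues outside the hunk, and the change below stops before c.ListResources().
```go
	c.logger.Infof("Pods are ready")
	switch {
	case c.masterLess:
		c.logger.Warnln("Cluster is masterless")
	case c.DatabaseAccessDisabled():
		c.logger.Warnln("Database access is disabled, skipping user creation")
	default:
		if err := c.initDbConn(); err != nil {
			return fmt.Errorf("Can't init db connection: %s", err)
		}
		if err := c.createUsers(); err != nil {
			return fmt.Errorf("Can't create users: %s", err)
		}
		c.logger.Infof("Users have been successfully created")
	}
	// … unchanged: c.ListResources() and the rest of Create …
```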
@@ -32,10 +32,14 @@ func (c *Cluster) pgConnectionString() string {
 strings.Replace(password, "$", "\\$", -1))
 }
-func (c *Cluster) initDbConn() error {
- //TODO: concurrent safe?
+func (c *Cluster) DatabaseAccessDisabled() bool {
+ if c.OpConfig.EnableDBAccess == false {
+ c.logger.Debugf("Database access is disabled")
+ }
+ return c.OpConfig.EnableDBAccess == false
+}
+func (c *Cluster) initDbConn() (err error) {
 if c.pgDb == nil {
- if c.pgDb == nil {
 conn, err := sql.Open("postgres", c.pgConnectionString())
 if err != nil {
 return err
@@ -47,7 +51,6 @@ func (c *Cluster) initDbConn() error {
 }
 c.pgDb = conn
- }
 }
 return nil
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 07e076d98..11e89d60d 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -36,6 +36,9 @@ func (c *Cluster) SyncCluster(stopCh <-chan struct{}) {
 if err := c.syncStatefulSet(); err != nil {
 c.logger.Errorf("Can't sync StatefulSets: %s", err)
 }
+ if c.DatabaseAccessDisabled() {
+ return
+ }
 if err := c.initDbConn(); err != nil {
 c.logger.Errorf("Can't init db connection: %s", err)
 } else {
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index dcb99797b..05ce145d5 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -50,7 +50,7 @@ func New(controllerConfig *Config, operatorConfig *config.Config) *Controller {
 logger.Level = logrus.DebugLevel
 }
- controllerConfig.TeamsAPIClient = teams.NewTeamsAPI(operatorConfig.TeamsAPIUrl, logger)
+ controllerConfig.TeamsAPIClient = teams.NewTeamsAPI(operatorConfig.TeamsAPIUrl, logger, operatorConfig.EnableTeamsAPI)
 return &Controller{
 Config: *controllerConfig,
 opConfig: operatorConfig,
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 561c0fc1f..96b9ff65b 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
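Review bot: `DatabaseAccessDisabled` is an exported predicate that logs on every call, so each caller (Create and SyncCluster in this series) emits a debug line as a side effect of a boolean check, and `c.OpConfig.EnableDBAccess == false` is spelled out twice where `!c.OpConfig.EnableDBAccess` is the idiom; the method reduces to `return !c.OpConfig.EnableDBAccess` with a doc comment `// DatabaseAccessDisabled reports whether enable_db_access is off, i.e. the operator must not connect to Postgres.`, with any logging left to the callers that actually skip work. The hunk also removes the `//TODO: concurrent safe?` comment from initDbConn while the check-then-set of `c.pgDb` stays unguarded, so the question the comment raised is still open; keep the comment (or guard the field) rather than dropping it silently. The new named result `(err error)` is not used as such on the visible lines and is immediately shadowed by `conn, err :=` inside the `if`, so the previous plain `error` signature was clearer. initDbConn's body continues into the second hunk.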
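Review bot: The early `return` on the three added lines ends SyncCluster with no visible record that the database part of the sync was skipped; the only trace is the Debugf inside DatabaseAccessDisabled. If anything that follows the database block in SyncCluster (outside the hunk) does not need the database, the return skips that as well, which is presumably not intended. At minimum log at a visible level before returning, `c.logger.Warnln("Database access is disabled, skipping database sync")`; better, skip only the initDbConn/else block and let the remainder of the function run. SyncCluster continues outside the hunk.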
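Review bot: The third argument added to the NewTeamsAPI call is a bare boolean at the call site, so a reader has to open the constructor to learn what `operatorConfig.EnableTeamsAPI` switches, and the only later sign that the Teams API is off is a per-call Debug in TeamInfo. Without touching the API, naming the value at the call site, `enabled := operatorConfig.EnableTeamsAPI`, and logging once here when it is false, `logger.Warnln("Teams API access is disabled")`, makes the configuration visible at startup. New continues outside the hunk.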
@@ -52,6 +52,8 @@ type Config struct {
 WALES3Bucket string `name:"wal_s3_bucket"`
 KubeIAMRole string `name:"kube_iam_role"`
 DebugLogging bool `name:"debug_logging" default:"false"`
+ EnableDBAccess bool `name:"enable_db_access" default:"true"`
+ EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
 DNSNameFormat string `name:"dns_name_format" default:"%s.%s.%s"`
 Workers uint32 `name:"workers" default:"4"`
 }
diff --git a/pkg/util/teams/teams.go b/pkg/util/teams/teams.go
index 694803535..6b0ba9e25 100644
--- a/pkg/util/teams/teams.go
+++ b/pkg/util/teams/teams.go
@@ -42,13 +42,15 @@ type TeamsAPI struct {
 httpClient *http.Client
 logger *logrus.Entry
 RefreshTokenAction func() (string, error)
+ enabled bool
 }
-func NewTeamsAPI(url string, log *logrus.Logger) *TeamsAPI {
+func NewTeamsAPI(url string, log *logrus.Logger, enabled bool) *TeamsAPI {
 t := TeamsAPI{
 url: strings.TrimRight(url, "/"),
 httpClient: &http.Client{},
 logger: log.WithField("pkg", "teamsapi"),
+ enabled: enabled,
 }
 return &t
@@ -56,6 +58,10 @@ func NewTeamsAPI(url string, log *logrus.Logger) *TeamsAPI {
 func (t *TeamsAPI) TeamInfo(teamId string) (*Team, error) {
 // TODO: avoid getting a new token on every call to the Teams API.
+ if !t.enabled {
+ t.logger.Debug("Team API is disabled, returning empty list of members")
+ return &Team{}, nil
+ }
 token, err := t.RefreshTokenAction()
 if err != nil {
 return nil, err
From abd04e6f5a0aeea0b449fcafd2463b3d4f7617f1 Mon Sep 17 00:00:00 2001
From: Oleksii Kliukin
Date: Fri, 12 May 2017 17:44:51 +0200
Subject: [PATCH 2/3] Avoid abbreviations in user-facing parameters.
---
 cmd/main.go | 8 ++++----
 pkg/util/config/config.go | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index 697058a04..b1e7f7e73 100644
--- a/cmd/main.go
+++ b/cmd/main.go
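Review bot: The two new Config fields carry no comment, so nothing in the struct says they are debugging switches whose effect is to skip all database and Teams API work, which only the commit message states. Suggest above the fields: `// EnableDBAccess and EnableTeamsAPI are debugging switches; when false the operator performs no Postgres and no Teams API interaction. They default to true; the --nodatabaseaccess / --noteamsapi flags force them to false.` The `name:` tags here are also the ConfigMap keys that cmd/main.go writes as string literals, so the two places must be kept in sync by hand; a comment pointing that out saves the next rename from missing one side.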
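Review bot: When the client is disabled, the new lines in TeamInfo return `&Team{}, nil`, which a caller cannot distinguish from a real team that currently has no members; any caller that derives database roles from Team membership (the callers are outside this diff, so this is inferred) would treat the empty result as authoritative. A sentinel makes the skip explicit, `var ErrTeamsAPIDisabled = errors.New("teams API access is disabled")` returned as `return nil, ErrTeamsAPIDisabled`, so callers decide what to do; if the empty-team contract is intended, document it on the method instead: `// TeamInfo returns an empty Team and no error, without contacting the API, when the client was created with enabled=false.` The Debug message says "returning empty list of members" while the value returned is an empty Team struct; the wording should match what is returned. TeamInfo continues outside the hunk.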
@@ -20,14 +20,14 @@ var (
 configMapName spec.NamespacedName
 OutOfCluster bool
 noTeamsAPI bool
- noDBAccess bool
+ noDatabaseAccess bool
 version string
 )
 func init() {
 flag.StringVar(&KubeConfigFile, "kubeconfig", "", "Path to kubeconfig file with authorization and master location information.")
 flag.BoolVar(&OutOfCluster, "outofcluster", false, "Whether the operator runs in- our outside of the Kubernetes cluster.")
- flag.BoolVar(&noDBAccess, "nodatabaseaccess", false, "Disable all access to the database from the operator side.")
+ flag.BoolVar(&noDatabaseAccess, "nodatabaseaccess", false, "Disable all access to the database from the operator side.")
 flag.BoolVar(&noTeamsAPI, "noteamsapi", false, "Disable all access to the teams API")
 flag.Parse()
@@ -91,8 +91,8 @@ func main() {
 if configMapData["namespace"] == "" { // Namespace in ConfigMap has priority over env var
 configMapData["namespace"] = podNamespace
 }
- if noDBAccess {
- configMapData["enable_db_access"] = "false"
+ if noDatabaseAccess {
+ configMapData["enable_database_access"] = "false"
 }
 if noTeamsAPI {
 configMapData["enable_teams_api"] = "false"
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 96b9ff65b..77e5b6364 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -52,7 +52,7 @@ type Config struct {
 WALES3Bucket string `name:"wal_s3_bucket"`
 KubeIAMRole string `name:"kube_iam_role"`
 DebugLogging bool `name:"debug_logging" default:"false"`
- EnableDBAccess bool `name:"enable_db_access" default:"true"`
+ EnableDBAccess bool `name:"enable_database_access" default:"true"`
 EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
 DNSNameFormat string `name:"dns_name_format" default:"%s.%s.%s"`
 Workers uint32 `name:"workers" default:"4"`
From 5adceceb36b831441c8dbb564d1dc21fef9e9367 Mon Sep 17 00:00:00 2001
From: Oleksii Kliukin
Date: Fri, 12 May 2017 17:48:25 +0200
Subject: [PATCH 3/3] go fmt run
---
 cmd/main.go | 12 ++++++------
 pkg/cluster/k8sres.go | 2 +-
 pkg/cluster/pg.go | 20 ++++++++++----------
 pkg/controller/exec.go | 2 +-
 pkg/util/config/config.go | 2 +-
 pkg/util/teams/teams.go | 4 ++--
 6 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index b1e7f7e73..2d53f4b82 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -15,13 +15,13 @@ import (
 )
 var (
- KubeConfigFile string
- podNamespace string
- configMapName spec.NamespacedName
- OutOfCluster bool
- noTeamsAPI bool
+ KubeConfigFile string
+ podNamespace string
+ configMapName spec.NamespacedName
+ OutOfCluster bool
+ noTeamsAPI bool
 noDatabaseAccess bool
- version string
+ version string
 )
 func init() {
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index 8d454e17e..da25a6ac1 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -1,8 +1,8 @@
 package cluster
 import (
- "fmt"
 "encoding/json"
+ "fmt"
 "k8s.io/client-go/pkg/api/resource"
 "k8s.io/client-go/pkg/api/v1"
diff --git a/pkg/cluster/pg.go b/pkg/cluster/pg.go
index 34816bcab..c1902c5b5 100644
--- a/pkg/cluster/pg.go
+++ b/pkg/cluster/pg.go
@@ -40,17 +40,17 @@ func (c *Cluster) DatabaseAccessDisabled() bool {
 }
 func (c *Cluster) initDbConn() (err error) {
 if c.pgDb == nil {
- conn, err := sql.Open("postgres", c.pgConnectionString())
- if err != nil {
- return err
- }
- err = conn.Ping()
- if err != nil {
- conn.Close()
- return err
- }
+ conn, err := sql.Open("postgres", c.pgConnectionString())
+ if err != nil {
+ return err
+ }
+ err = conn.Ping()
+ if err != nil {
+ conn.Close()
+ return err
+ }
- c.pgDb = conn
+ c.pgDb = conn
 }
 return nil
diff --git a/pkg/controller/exec.go b/pkg/controller/exec.go
index 21a73c8d2..be408c328 100644
--- a/pkg/controller/exec.go
+++ b/pkg/controller/exec.go
@@ -4,9 +4,9 @@ import (
 "bytes"
 "fmt"
+ remotecommandconsts "k8s.io/apimachinery/pkg/util/remotecommand"
 "k8s.io/client-go/pkg/api"
 "k8s.io/kubernetes/pkg/client/unversioned/remotecommand"
- remotecommandconsts "k8s.io/apimachinery/pkg/util/remotecommand"
 "github.com/zalando-incubator/postgres-operator/pkg/spec"
 )
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 77e5b6364..7ed7c76aa 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -52,7 +52,7 @@ type Config struct {
 WALES3Bucket string `name:"wal_s3_bucket"`
 KubeIAMRole string `name:"kube_iam_role"`
 DebugLogging bool `name:"debug_logging" default:"false"`
- EnableDBAccess bool `name:"enable_database_access" default:"true"`
+ EnableDBAccess bool `name:"enable_database_access" default:"true"`
 EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
 DNSNameFormat string `name:"dns_name_format" default:"%s.%s.%s"`
 Workers uint32 `name:"workers" default:"4"`
diff --git a/pkg/util/teams/teams.go b/pkg/util/teams/teams.go
index 6b0ba9e25..16eead40d 100644
--- a/pkg/util/teams/teams.go
+++ b/pkg/util/teams/teams.go
@@ -42,7 +42,7 @@ type TeamsAPI struct {
 httpClient *http.Client
 logger *logrus.Entry
 RefreshTokenAction func() (string, error)
- enabled bool
+ enabled bool
 }
 func NewTeamsAPI(url string, log *logrus.Logger, enabled bool) *TeamsAPI {
@@ -50,7 +50,7 @@ func NewTeamsAPI(url string, log *logrus.Logger, enabled bool) *TeamsAPI {
 url: strings.TrimRight(url, "/"),
 httpClient: &http.Client{},
 logger: log.WithField("pkg", "teamsapi"),
- enabled: enabled,
+ enabled: enabled,
 }
 return &t