package main
import (
	"errors"
	"fmt"
	"os"

	"github.com/appuio/appuio-cloud-agent/limits"
	"go.uber.org/multierr"
	"gopkg.in/inf.v0"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/resource"
	"sigs.k8s.io/yaml"
)
// Config is the agent's configuration as decoded from the YAML file by
// ConfigFromFile. Field names are the YAML keys; unknown keys are rejected
// at load time.
type Config struct {
	// OrganizationLabel is the label used to mark namespaces as belonging to an organization.
	OrganizationLabel string
	// UserDefaultOrganizationAnnotation is the annotation the default organization setting for a user is stored in.
	UserDefaultOrganizationAnnotation string
	// QuotaOverrideNamespace is the namespace where the quota overrides for organizations are stored.
	QuotaOverrideNamespace string

	// MemoryPerCoreLimit is the fair use limit of memory usage per CPU core.
	//
	// Deprecated: it will be removed in a future version; migrateConfig folds it
	// into MemoryPerCoreLimits. Use MemoryPerCoreLimits: {Limit: "XGi"} instead.
	MemoryPerCoreLimit *resource.Quantity
	// MemoryPerCoreLimits is the fair use limit of memory usage per CPU core.
	// It is possible to select limits by node selector labels.
	MemoryPerCoreLimits limits.Limits
	// MemoryPerCoreWarnThreshold is the threshold at which a warning is emitted if the memory per core limit is exceeded.
	// Should be a decimal number resembling a percentage (e.g. "0.8" for 80%), represented as a string.
	// The limit is multiplied by the optional threshold before comparison.
	// A threshold of 0.95 would mean that the warnings are emitted if the ratio is below 95% of the limit,
	// thus adding a leniency of 5% to the limit.
	MemoryPerCoreWarnThreshold *inf.Dec

	// PrivilegedGroups, PrivilegedUsers and PrivilegedClusterRoles list subjects of the
	// given type that are allowed to bypass restrictions.
	// Wildcards are supported (e.g. "system:serviceaccount:default:*" or "cluster-*-operator"),
	// so a broad pattern here widens the bypass to every matching subject.
	// ClusterRoles are only ever matched if they are bound through a ClusterRoleBinding;
	// this is different from the behavior of Kyverno.
	// This is done to prevent a user from wrongly configuring a low-privileged ClusterRole which users
	// can then bind to themselves to bypass the restrictions.
	PrivilegedGroups       []string
	PrivilegedUsers        []string
	PrivilegedClusterRoles []string

	// DefaultNodeSelector are the default node selectors to add to pods if not set from the namespace annotation.
	DefaultNodeSelector map[string]string
	// DefaultNamespaceNodeSelectorAnnotation is the annotation used to set the default node selector for pods in this namespace.
	DefaultNamespaceNodeSelectorAnnotation string

	// DefaultOrganizationClusterRoles is a map containing the configuration for rolebindings that are created by default in each organization namespace.
	// The keys are the names of the default rolebindings to create and the values are the names of the clusterroles they bind to.
	DefaultOrganizationClusterRoles map[string]string

	// ReservedNamespaces is a list of namespaces that are reserved and can't be created by users.
	// Supports '*' and '?' wildcards.
	ReservedNamespaces []string

	// AllowedAnnotations is a list of annotations that are allowed on namespaces.
	// Supports '*' and '?' wildcards.
	AllowedAnnotations []string
	// AllowedLabels is a list of labels that are allowed on namespaces.
	// Supports '*' and '?' wildcards.
	AllowedLabels []string

	// LegacyNamespaceQuota is the default quota for namespaces if no ZoneUsageProfile is selected.
	LegacyNamespaceQuota int

	// PodRunOnceActiveDeadlineSecondsOverrideAnnotation is the annotation used to override the activeDeadlineSeconds for RunOnce pods.
	PodRunOnceActiveDeadlineSecondsOverrideAnnotation string
	// PodRunOnceActiveDeadlineSecondsDefault is the default activeDeadlineSeconds for RunOnce pods.
	PodRunOnceActiveDeadlineSecondsDefault int

	// LegacyResourceQuotaAnnotationBase is the base label for the default resource quotas.
	// The actual annotation is `$base/$quotaname.$resource`.
	LegacyResourceQuotaAnnotationBase string
	// LegacyDefaultResourceQuotas is a map containing the default resource quotas for each organization.
	// The keys are the names of the manifests and the values are the resource quota specs.
	LegacyDefaultResourceQuotas map[string]corev1.ResourceQuotaSpec

	// LegacyLimitRangeName is the name of the default limit range.
	LegacyLimitRangeName string
	// LegacyDefaultLimitRange is the default limit range.
	LegacyDefaultLimitRange corev1.LimitRangeSpec
}
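// ConfigFromFile loads the agent configuration from the YAML file at path.
//
// Unknown keys are rejected (yaml.DisallowUnknownFields), so a misspelled
// key for a security-relevant setting such as PrivilegedUsers fails the load
// instead of being silently dropped. Deprecated fields are rewritten by
// migrateConfig; the warnings it produces are returned in warn.
//
// The returned Config is not validated here; callers run Config.Validate
// separately. Errors carry the path and wrap the underlying error, so
// errors.Is / errors.As still match the original cause (e.g. fs.ErrNotExist).
func ConfigFromFile(path string) (c Config, warn []string, err error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return Config{}, nil, fmt.Errorf("reading config %q: %w", path, err)
	}

	// Strict decoding: reject keys that Config does not declare.
	if err := yaml.Unmarshal(raw, &c, yaml.DisallowUnknownFields); err != nil {
		return Config{}, nil, fmt.Errorf("parsing config %q: %w", path, err)
	}

	c, warn = migrateConfig(c)
	return c, warn, nil
}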
// Validate reports configuration values that are unusable as loaded.
//
// At present only OrganizationLabel is checked: it must be non-empty because
// it is the label that marks a namespace as belonging to an organization.
// No other field is validated here. All findings are combined into a single
// error via multierr; the result is nil when there are none.
func (c Config) Validate() error {
	var problems []error

	if len(c.OrganizationLabel) == 0 {
		problems = append(problems, errors.New("OrganizationLabel must not be empty"))
	}

	return multierr.Combine(problems...)
}
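// migrateConfig rewrites deprecated configuration fields into their
// replacements so the rest of the agent only has to understand the current
// form.
//
// Currently it handles MemoryPerCoreLimit: when it is set and
// MemoryPerCoreLimits is absent, the value becomes a single entry (without a
// node selector) in MemoryPerCoreLimits. When both are set, MemoryPerCoreLimits
// wins and the deprecated value is ignored. A warning is returned in either
// case so operators notice the stale key; previously the "both set" case was
// silent, which hid that the deprecated value had no effect.
//
// The returned warnings slice is never nil, even when empty.
func migrateConfig(c Config) (Config, []string) {
	warnings := make([]string, 0)

	if c.MemoryPerCoreLimit != nil {
		if c.MemoryPerCoreLimits == nil {
			warnings = append(warnings, "MemoryPerCoreLimit is deprecated and will be removed in a future version. Use MemoryPerCoreLimits: {Limit: \"XGi\"} instead.")
			c.MemoryPerCoreLimits = limits.Limits{
				{
					Limit: c.MemoryPerCoreLimit,
				},
			}
		} else {
			// Both forms present: the new one takes precedence, say so explicitly
			// instead of silently dropping the deprecated value.
			warnings = append(warnings, "MemoryPerCoreLimit is deprecated and ignored because MemoryPerCoreLimits is also set. Remove MemoryPerCoreLimit from the configuration.")
		}
	}

	return c, warnings
}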