Constants

const (
	// EmbeddedSecretsFileMountInitContainerName is the name of the init container the
	// embedded secret manager uses to mount secrets as files. It is the default for
	// FileMountInitContainerConfig.ContainerName and DefaultConfig also lists it in
	// ImageBuilderConfig.ExcludedContainerNames so the image builder leaves it alone.
	EmbeddedSecretsFileMountInitContainerName = "init-embedded-secret"
	// DefaultSecretEnvVarPrefix is the default value of Config.SecretEnvVarPrefix.
	// NOTE(review): presumably the prefix prepended to the secret-derived environment
	// variables the webhook injects into pods; the injection code is not visible here,
	// confirm before relying on it.
	DefaultSecretEnvVarPrefix                 = "_UNION_"
)

Variables

var (
	// DefaultConfig is the baseline configuration the webhook starts from. Values here
	// are overridden by the config file and the flags registered via GetPFlagSet.
	DefaultConfig = &Config{
		// The generated serving certificate is written to a Secret of this name
		// (Config.SecretName) and the webhook is exposed through a Service of this name.
		SecretName:        "flyte-pod-webhook",
		ServiceName:       "flyte-pod-webhook",
		// ServicePort is what the apiserver connects to; ListenPort (below) is the
		// port the process itself binds.
		ServicePort:       443,
		MetricsPrefix:     "flyte:",
		// Generated certs go here; LocalCert=false means certs are not written locally
		// by default (per the Config.LocalCert flag description).
		CertDir:           "/etc/webhook/certs",
		LocalCert:         false,
		ListenPort:        9443,
		// Deprecated single-manager selector (see Config.SecretManagerType). The default
		// manager injects plain K8s Secret volume mounts, i.e. no sidecar.
		SecretManagerType: SecretManagerTypeK8s,
		// Per-provider sidecar settings. NOTE(review): every image below is pinned by a
		// mutable tag rather than a digest, so the sidecar injected into workload pods is
		// whatever the registry serves for that tag at pull time. Digest pinning (or an
		// admission policy that enforces it) is the usual mitigation for production.
		// For each sidecar, requests equal limits.
		AWSSecretManagerConfig: AWSSecretManagerConfig{
			SidecarImage: "docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4",
			Resources: corev1.ResourceRequirements{
				Requests: corev1.ResourceList{
					corev1.ResourceMemory: resource.MustParse("500Mi"),
					corev1.ResourceCPU:    resource.MustParse("200m"),
				},
				Limits: corev1.ResourceList{
					corev1.ResourceMemory: resource.MustParse("500Mi"),
					corev1.ResourceCPU:    resource.MustParse("200m"),
				},
			},
		},
		GCPSecretManagerConfig: GCPSecretManagerConfig{
			// "alpine" is a floating tag that tracks the latest alpine-based build.
			SidecarImage: "gcr.io/google.com/cloudsdktool/cloud-sdk:alpine",
			Resources: corev1.ResourceRequirements{
				Requests: corev1.ResourceList{
					corev1.ResourceMemory: resource.MustParse("500Mi"),
					corev1.ResourceCPU:    resource.MustParse("200m"),
				},
				Limits: corev1.ResourceList{
					corev1.ResourceMemory: resource.MustParse("500Mi"),
					corev1.ResourceCPU:    resource.MustParse("200m"),
				},
			},
		},
		AzureSecretManagerConfig: AzureSecretManagerConfig{
			// Also a floating, distribution-level tag.
			SidecarImage: "mcr.microsoft.com/azure-cli:cbl-mariner2.0",
			Resources: corev1.ResourceRequirements{
				Requests: corev1.ResourceList{
					corev1.ResourceMemory: resource.MustParse("500Mi"),
					corev1.ResourceCPU:    resource.MustParse("200m"),
				},
				Limits: corev1.ResourceList{
					corev1.ResourceMemory: resource.MustParse("500Mi"),
					corev1.ResourceCPU:    resource.MustParse("200m"),
				},
			},
		},
		VaultSecretManagerConfig: VaultSecretManagerConfig{
			// Vault role to use, and KV engine version (v2 = versioned secrets).
			Role:      "flyte",
			KVVersion: KVVersion2,
		},
		EmbeddedSecretManagerConfig: EmbeddedSecretManagerConfig{
			// Type is not set here, so it is the zero value: EmbeddedSecretManagerTypeAWS.
			FileMountInitContainer: FileMountInitContainerConfig{
				// NOTE(review): "1.28" is an old busybox release line pinned by tag, and
				// this init container presumably runs in every pod that uses embedded
				// secrets — worth refreshing and pinning by digest.
				Image: "busybox:1.28",
				Resources: corev1.ResourceRequirements{
					Requests: corev1.ResourceList{
						corev1.ResourceMemory: resource.MustParse("100Mi"),
						corev1.ResourceCPU:    resource.MustParse("100m"),
					},
					Limits: corev1.ResourceList{
						corev1.ResourceMemory: resource.MustParse("100Mi"),
						corev1.ResourceCPU:    resource.MustParse("100m"),
					},
				},
				ContainerName: EmbeddedSecretsFileMountInitContainerName,
			},
			ImagePullSecrets: ImagePullSecretsConfig{
				Enabled: false,
			},
		},
		ImageBuilderConfig: ImageBuilderConfig{
			// Enabled is left at its zero value (false). The embedded-secret init
			// container is excluded so the builder never rewrites it if it is turned on.
			ExcludedContainerNames: []string{EmbeddedSecretsFileMountInitContainerName},
		},
		// Seconds. NOTE(review): the Kubernetes API caps an admission webhook's
		// timeoutSeconds at 30, so this default sits at the ceiling.
		WebhookTimeout:                     30,
		// Presumably, when false the webhook creates its own MutatingWebhookConfiguration.
		DisableCreateMutatingWebhookConfig: false,
		KubeClientConfig: KubeClientConfig{
			// NOTE(review): Burst (25) is lower than QPS (100), which is unusual for a
			// token-bucket limiter where burst is the bucket size — confirm this is intended.
			QPS:     100,
			Burst:   25,
			Timeout: config.Duration{Duration: 30 * time.Second},
		},
		SecretEnvVarPrefix: DefaultSecretEnvVarPrefix,
	}
)

Functions

func MustRegisterSubsection

func MustRegisterSubsection(key config.SectionKey, section config.Config) config.Section

Types

type AWSConfig

// AWSConfig holds the AWS settings used by the embedded secret manager
// (EmbeddedSecretManagerConfig.AWSConfig).
type AWSConfig struct {
	// Region is the AWS region the embedded secret manager uses.
	Region string `json:"region" pflag:",AWS region"`
}

type AWSSecretManagerConfig

// AWSSecretManagerConfig configures the sidecar the webhook injects when
// SecretManagerTypeAWS is enabled.
type AWSSecretManagerConfig struct {
	// SidecarImage is the container image for the injected sidecar.
	// NOTE(review): DefaultConfig pins this by tag (v0.1.4), not by digest; a mutable
	// tag lets the injected image change underneath the cluster.
	SidecarImage string                      `json:"sidecarImage" pflag:",Specifies the sidecar docker image to use"`
	// Resources are the requests/limits applied to the injected sidecar. (The flag
	// description says "init container"; that wording looks stale.)
	Resources    corev1.ResourceRequirements `json:"resources" pflag:"-,Specifies resource requirements for the init container."`
}

type AzureConfig

// AzureConfig holds the Azure settings used by the embedded secret manager
// (EmbeddedSecretManagerConfig.AzureConfig).
type AzureConfig struct {
	// VaultURI is the Azure Key Vault URI to read secrets from.
	VaultURI string `json:"vaultURI" pflag:",Azure Vault URI"`
}

type AzureSecretManagerConfig

// AzureSecretManagerConfig configures the sidecar the webhook injects when
// SecretManagerTypeAzure is enabled.
type AzureSecretManagerConfig struct {
	// SidecarImage is the container image for the injected sidecar.
	// NOTE(review): DefaultConfig uses a floating tag (cbl-mariner2.0), not a digest.
	SidecarImage string                      `json:"sidecarImage" pflag:",Specifies the sidecar docker image to use"`
	// Resources are the requests/limits applied to the injected sidecar. (The flag
	// description says "init container"; that wording looks stale.)
	Resources    corev1.ResourceRequirements `json:"resources" pflag:"-,Specifies resource requirements for the init container."`
}

type Config

// Config is the top-level configuration of the pod webhook: serving and certificate
// settings, which secret manager(s) inject secrets into pods, per-provider settings and
// the Kubernetes client parameters. DefaultConfig supplies the defaults and GetConfig
// returns the active instance.
type Config struct {
	// MetricsPrefix is prepended to every published metric name.
	MetricsPrefix string `json:"metrics-prefix" pflag:",An optional prefix for all published metrics."`
	// CertDir is the directory generated serving certs are written to (see ExpandCertDir).
	CertDir       string `json:"certDir" pflag:",Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/"`
	// LocalCert, when true, writes the generated certs locally. How this interacts with
	// the Secret named by SecretName is not visible here — confirm before relying on it.
	LocalCert     bool   `json:"localCert" pflag:",write certs locally. Defaults to false"`
	// ListenPort is the port the webhook server binds; ServicePort is the port the
	// Service exposes towards the apiserver.
	ListenPort    int    `json:"listenPort" pflag:",The port to use to listen to webhook calls. Defaults to 9443"`
	ServiceName   string `json:"serviceName" pflag:",The name of the webhook service."`
	ServicePort   int32  `json:"servicePort" pflag:",The port on the service that hosting webhook."`
	// SecretName is the Kubernetes Secret the generated serving certs are written to.
	// NOTE(review): that Secret presumably also holds the webhook's private key, so
	// read access to it should be tightly scoped by RBAC.
	SecretName    string `json:"secretName" pflag:",Secret name to write generated certs to."`
	// Deprecated: use SecretManagerTypes instead.
	SecretManagerType           SecretManagerType           `` /* 155-byte string literal not displayed */
	// SecretManagerTypes lists the secret managers to enable; it supersedes the
	// single-valued SecretManagerType above. (Struct tag elided in this rendering.)
	SecretManagerTypes          []SecretManagerType         `` /* 175-byte string literal not displayed */
	// Per-manager settings; presumably only those named in SecretManagerTypes are used.
	AWSSecretManagerConfig      AWSSecretManagerConfig      `json:"awsSecretManager" pflag:",AWS Secret Manager config."`
	GCPSecretManagerConfig      GCPSecretManagerConfig      `json:"gcpSecretManager" pflag:",GCP Secret Manager config."`
	VaultSecretManagerConfig    VaultSecretManagerConfig    `json:"vaultSecretManager" pflag:",Vault Secret Manager config."`
	EmbeddedSecretManagerConfig EmbeddedSecretManagerConfig `` /* 145-byte string literal not displayed */
	AzureSecretManagerConfig    AzureSecretManagerConfig    `json:"azureSecretManager" pflag:",Azure Secret Manager config."`

	// Ignore PFlag for Image Builder
	ImageBuilderConfig                 ImageBuilderConfig `json:"imageBuilderConfig,omitempty" pflag:"-,"`
	// WebhookTimeout is in seconds. NOTE(review): Kubernetes caps an admission webhook's
	// timeoutSeconds at 30, which is also the default here.
	WebhookTimeout                     int32              `json:"webhookTimeout" pflag:",Timeout for webhook calls in seconds. Defaults to 30 seconds."`
	// DisableCreateMutatingWebhookConfig has no pflag tag, so it is presumably settable
	// only via the config file; when true the webhook does not create its
	// MutatingWebhookConfiguration.
	DisableCreateMutatingWebhookConfig bool               `json:"disableCreateMutatingWebhookConfig"`
	// KubeClientConfig tunes the webhook's own API client. It is also the fallback for
	// K8sConfig.KubeClientConfig (see ResolveKubeClientConfigs).
	KubeClientConfig                   KubeClientConfig   `json:"kubeClientConfig" pflag:",Configuration to control the Kubernetes client used by the webhook"`
	// SecretEnvVarPrefix defaults to DefaultSecretEnvVarPrefix ("_UNION_").
	// (Struct tag elided in this rendering.)
	SecretEnvVarPrefix                 string             `` /* 150-byte string literal not displayed */
}

func GetConfig

func GetConfig() *Config

func (Config) ExpandCertDir

func (c Config) ExpandCertDir() string

func (Config) GetPFlagSet

func (cfg Config) GetPFlagSet(prefix string) *pflag.FlagSet

GetPFlagSet returns strongly typed pflags for all fields in Config and its nested types. The format of the flag names is json-name.json-sub-name... etc.

func (*Config) ResolveKubeClientConfigs

func (c *Config) ResolveKubeClientConfigs()

ResolveKubeClientConfigs initializes KubeClientConfig with fallback values. For the K8s secret fetcher: if k8sConfig.kubeClientConfig is not set, the webhook-level kubeClientConfig is used as the fallback.

type EmbeddedSecretManagerConfig

// EmbeddedSecretManagerConfig configures SecretManagerTypeEmbedded, which talks to the
// provider directly instead of injecting a sidecar. Type selects which of the provider
// sub-configs applies.
type EmbeddedSecretManagerConfig struct {
	// Type selects the provider backend. NOTE(review): the struct tag key here is
	// `pflags`, unlike `pflag` on every other field, so the "-" (skip) marker is
	// probably not honoured by the flag generator — confirm and fix the tag.
	Type                   EmbeddedSecretManagerType    `json:"type" pflags:"-,Type of embedded secret manager to initialize"`
	// Provider-specific settings; only the one matching Type is presumably used.
	AWSConfig              AWSConfig                    `json:"awsConfig" pflag:",Config for AWS settings"`
	GCPConfig              GCPConfig                    `json:"gcpConfig" pflag:",Config for GCP settings"`
	AzureConfig            AzureConfig                  `json:"azureConfig" pflag:",Config for Azure settings"`
	K8sConfig              K8sConfig                    `json:"k8sConfig" pflag:",Config for K8s settings"`
	// FileMountInitContainer describes the init container injected to mount secrets
	// as files (image, resources, name).
	FileMountInitContainer FileMountInitContainerConfig `json:"fileMountInitContainer" pflag:",Init container configuration to use for mounting secrets as files."`
	// ImagePullSecrets toggles image pull secrets for the webhook pod; off in DefaultConfig.
	ImagePullSecrets       ImagePullSecretsConfig       `json:"imagePullSecrets" pflag:",Whether to enable image pull secrets for the webhook pod."`
}

type EmbeddedSecretManagerType

// EmbeddedSecretManagerType selects the provider backend for the embedded secret
// manager, i.e. which EmbeddedSecretManagerConfig sub-config is used. The generated
// (Un)MarshalJSON/YAML methods below presumably map these values to their string names,
// so config files use the names rather than the integers — confirm.
type EmbeddedSecretManagerType uint8
const (
	// EmbeddedSecretManagerTypeAWS is the zero value, so it is the default when Type is
	// unset (as in DefaultConfig); uses EmbeddedSecretManagerConfig.AWSConfig.
	EmbeddedSecretManagerTypeAWS EmbeddedSecretManagerType = iota
	// EmbeddedSecretManagerTypeGCP uses EmbeddedSecretManagerConfig.GCPConfig.
	EmbeddedSecretManagerTypeGCP
	// EmbeddedSecretManagerTypeAzure uses EmbeddedSecretManagerConfig.AzureConfig.
	EmbeddedSecretManagerTypeAzure
	// EmbeddedSecretManagerTypeK8s uses EmbeddedSecretManagerConfig.K8sConfig.
	EmbeddedSecretManagerTypeK8s
)

func EmbeddedSecretManagerTypeString

func EmbeddedSecretManagerTypeString(s string) (EmbeddedSecretManagerType, error)

EmbeddedSecretManagerTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func EmbeddedSecretManagerTypeValues

func EmbeddedSecretManagerTypeValues() []EmbeddedSecretManagerType

EmbeddedSecretManagerTypeValues returns all values of the enum

func (EmbeddedSecretManagerType) IsAEmbeddedSecretManagerType

func (i EmbeddedSecretManagerType) IsAEmbeddedSecretManagerType() bool

IsAEmbeddedSecretManagerType returns "true" if the value is listed in the enum definition. "false" otherwise

func (EmbeddedSecretManagerType) MarshalJSON

func (i EmbeddedSecretManagerType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for EmbeddedSecretManagerType

func (EmbeddedSecretManagerType) MarshalYAML

func (i EmbeddedSecretManagerType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for EmbeddedSecretManagerType

func (EmbeddedSecretManagerType) String

func (i EmbeddedSecretManagerType) String() string

func (*EmbeddedSecretManagerType) UnmarshalJSON

func (i *EmbeddedSecretManagerType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for EmbeddedSecretManagerType

func (*EmbeddedSecretManagerType) UnmarshalYAML

func (i *EmbeddedSecretManagerType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for EmbeddedSecretManagerType

type FileMountInitContainerConfig

// FileMountInitContainerConfig describes the init container the embedded secret manager
// injects to mount secrets as files.
type FileMountInitContainerConfig struct {
	// Image is the init container image. NOTE(review): DefaultConfig uses busybox:1.28,
	// a tag rather than a digest; consider pinning by digest since this container is
	// presumably injected into every pod that uses embedded secrets.
	Image         string                      `json:"image" pflag:",Specifies init container image to use for mounting secrets as files."`
	// Resources are the requests/limits for the init container.
	Resources     corev1.ResourceRequirements `json:"resources" pflag:"-,Specifies resource requirements for the init container."`
	// ContainerName defaults to EmbeddedSecretsFileMountInitContainerName.
	ContainerName string                      `json:"containerName" pflag:",Specifies the name of the init container that mounts secrets as files."`
}

type GCPConfig

// GCPConfig holds the GCP settings used by the embedded secret manager
// (EmbeddedSecretManagerConfig.GCPConfig).
type GCPConfig struct {
	// Project is the GCP project whose Secret Manager is used.
	Project string `json:"project" pflag:",GCP project to be used for secret manager"`
}

type GCPSecretManagerConfig

// GCPSecretManagerConfig configures the sidecar the webhook injects when
// SecretManagerTypeGCP is enabled.
type GCPSecretManagerConfig struct {
	// SidecarImage is the container image for the injected sidecar.
	// NOTE(review): DefaultConfig uses the floating "alpine" tag, not a digest.
	SidecarImage string                      `json:"sidecarImage" pflag:",Specifies the sidecar docker image to use"`
	// Resources are the requests/limits applied to the injected sidecar. (The flag
	// description says "init container"; that wording looks stale.)
	Resources    corev1.ResourceRequirements `json:"resources" pflag:"-,Specifies resource requirements for the init container."`
}

type HostnameReplacement

// HostnameReplacement describes a hostname rewrite applied by the image builder
// (ImageBuilderConfig.HostnameReplacement).
type HostnameReplacement struct {
	// Existing is the hostname to match.
	Existing            string `json:"existing" pflag:",The existing hostname to replace"`
	// Replacement is the hostname substituted for Existing.
	Replacement         string `json:"replacement" pflag:",The replacement hostname"`
	// DisableVerification switches off URI verification and, per its flag text, exists
	// for development environments. NOTE(review): treat this as a security-sensitive
	// knob — with verification off the rewritten reference is presumably accepted
	// as-is; it should stay false on any cluster that runs untrusted workloads.
	DisableVerification bool   `json:"disableVerification" pflag:",Allow disabling URI verification for development environments"`
}

type ImageBuilderConfig

// ImageBuilderConfig controls the webhook's image builder. It carries no pflag tags
// (Config marks the whole field with pflag:"-"), so it is set through the config file.
type ImageBuilderConfig struct {
	// Enabled turns the image builder on; DefaultConfig leaves it at the zero value (false).
	Enabled                bool                 `json:"enabled"`
	// HostnameReplacement rewrites a hostname in image references; see
	// HostnameReplacement.DisableVerification, which is security-relevant.
	HostnameReplacement    HostnameReplacement  `json:"hostnameReplacement"`
	// LabelSelector presumably restricts which pods the builder acts on — confirm.
	LabelSelector          metav1.LabelSelector `json:"labelSelector"`
	// ExcludedContainerNames lists containers the builder must leave untouched;
	// DefaultConfig includes EmbeddedSecretsFileMountInitContainerName.
	ExcludedContainerNames []string             `json:"excludedContainerNames"`
	// ExcludedImagePrefixes presumably skips images whose reference starts with one of
	// these prefixes — confirm against the builder.
	ExcludedImagePrefixes  []string             `json:"excludedImagePrefixes"`
}

type ImagePullSecretsConfig

// ImagePullSecretsConfig toggles image pull secrets for the webhook pod
// (EmbeddedSecretManagerConfig.ImagePullSecrets); disabled in DefaultConfig.
type ImagePullSecretsConfig struct {
	// Enabled turns image pull secrets on.
	Enabled bool `json:"enabled" pflag:",Whether to enable image pull secrets for the webhook pod."`
}

type K8sConfig

// K8sConfig holds the Kubernetes-backend settings of the embedded secret manager
// (EmbeddedSecretManagerConfig.K8sConfig).
type K8sConfig struct {
	// Namespace is where the embedded manager stores union secrets.
	Namespace        string           `json:"namespace" pflag:",K8s namespace to be used for storing union secrets"`
	// KubeClientConfig overrides the client settings for the K8s secret fetcher; when
	// unset, Config.ResolveKubeClientConfigs falls back to Config.KubeClientConfig.
	// (Struct tag elided in this rendering.)
	KubeClientConfig KubeClientConfig `` /* 190-byte string literal not displayed */
}

type KVVersion

// KVVersion selects the Vault KV secrets engine version used by
// VaultSecretManagerConfig.KVVersion; DefaultConfig uses KVVersion2.
type KVVersion int

Defines which KV engine version to use with VaultSecretManager - https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine

const (
	// KV v1 refers to unversioned secrets
	KVVersion1 KVVersion = iota
	// KV v2 refers to versioned secrets; this is the DefaultConfig value.
	KVVersion2
)

func KVVersionString

func KVVersionString(s string) (KVVersion, error)

KVVersionString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func KVVersionValues

func KVVersionValues() []KVVersion

KVVersionValues returns all values of the enum

func (KVVersion) IsAKVVersion

func (i KVVersion) IsAKVVersion() bool

IsAKVVersion returns "true" if the value is listed in the enum definition. "false" otherwise

func (KVVersion) MarshalJSON

func (i KVVersion) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for KVVersion

func (KVVersion) MarshalYAML

func (i KVVersion) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for KVVersion

func (KVVersion) String

func (i KVVersion) String() string

func (*KVVersion) UnmarshalJSON

func (i *KVVersion) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for KVVersion

func (*KVVersion) UnmarshalYAML

func (i *KVVersion) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for KVVersion

type KubeClientConfig

// KubeClientConfig holds the rate-limit and timeout settings for the webhook's
// Kubernetes client. It also serves as the fallback for K8sConfig.KubeClientConfig
// (see Config.ResolveKubeClientConfigs).
type KubeClientConfig struct {
	// QPS indicates the maximum QPS to the master from this client.
	QPS int32 `json:"qps" pflag:",Max QPS to the master for requests to KubeAPI. 0 defaults to 5."`
	// Maximum burst for throttle. NOTE(review): DefaultConfig sets Burst (25) below
	// QPS (100); for a token-bucket limiter burst is the bucket size, so confirm that
	// is intentional.
	Burst int `json:"burst" pflag:",Max burst rate for throttle. 0 defaults to 10"`
	// The maximum length of time to wait before giving up on a server request.
	// 0 disables the timeout (per the flag text), so a stalled API call can block
	// indefinitely; DefaultConfig uses 30s.
	Timeout config.Duration `json:"timeout" pflag:",Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout."`
}

KubeClientConfig contains the configuration used by the webhook to configure its internal Kubernetes Client.

type SecretManagerType

// SecretManagerType identifies one secret-injection strategy; Config.SecretManagerTypes
// lists the enabled ones (Config.SecretManagerType is the deprecated single-valued form).
type SecretManagerType int

SecretManagerType defines which secret manager to use.

const (
	// SecretManagerTypeGlobal defines a global secret manager that can read env vars and mounted secrets to the webhook
	// pod.
	SecretManagerTypeGlobal SecretManagerType = iota

	// SecretManagerTypeK8s defines a secret manager webhook that injects K8s volume mounts to mount K8s secrets.
	// This is the DefaultConfig value.
	SecretManagerTypeK8s

	// SecretManagerTypeAWS defines a secret manager webhook that injects a side car to pull secrets from AWS Secret
	// Manager and mount them to a local file system (in memory) and share that mount with other containers in the pod.
	// Configured by AWSSecretManagerConfig.
	SecretManagerTypeAWS

	// SecretManagerTypeGCP defines a secret manager webhook that injects a side car to pull secrets from GCP Secret
	// Manager and mount them to a local file system (in memory) and share that mount with other containers in the pod.
	// Configured by GCPSecretManagerConfig.
	SecretManagerTypeGCP

	// SecretManagerTypeVault defines a secret manager webhook that pulls secrets from Hashicorp Vault.
	// Configured by VaultSecretManagerConfig.
	SecretManagerTypeVault

	// SecretManagerTypeEmbedded defines an embedded secret manager webhook that pulls secrets from the configured secrets manager.
	// Without using sidecar. This type directly calls into the secrets manager for the configured provider directly.
	// Currently supported only for AWS.
	// NOTE(review): the "only for AWS" statement looks stale — EmbeddedSecretManagerType and
	// EmbeddedSecretManagerConfig in this package also cover GCP, Azure and K8s; confirm which
	// providers are actually live before relying on this comment.
	SecretManagerTypeEmbedded

	// SecretManagerTypeAzure defines a secret manager webhook that injects a side car to pull secrets from Azure Key Vault
	// Configured by AzureSecretManagerConfig.
	SecretManagerTypeAzure
)

func SecretManagerTypeString

func SecretManagerTypeString(s string) (SecretManagerType, error)

SecretManagerTypeString retrieves an enum value from the enum constants string name. Throws an error if the param is not part of the enum.

func SecretManagerTypeValues

func SecretManagerTypeValues() []SecretManagerType

SecretManagerTypeValues returns all values of the enum

func (SecretManagerType) IsASecretManagerType

func (i SecretManagerType) IsASecretManagerType() bool

IsASecretManagerType returns "true" if the value is listed in the enum definition. "false" otherwise

func (SecretManagerType) MarshalJSON

func (i SecretManagerType) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface for SecretManagerType

func (SecretManagerType) MarshalYAML

func (i SecretManagerType) MarshalYAML() (interface{}, error)

MarshalYAML implements a YAML Marshaler for SecretManagerType

func (SecretManagerType) String

func (i SecretManagerType) String() string

func (*SecretManagerType) UnmarshalJSON

func (i *SecretManagerType) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface for SecretManagerType

func (*SecretManagerType) UnmarshalYAML

func (i *SecretManagerType) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML implements a YAML Unmarshaler for SecretManagerType

type VaultSecretManagerConfig

// VaultSecretManagerConfig configures SecretManagerTypeVault.
type VaultSecretManagerConfig struct {
	// Role is the Vault role to use (presumably for authentication); DefaultConfig uses "flyte".
	Role        string            `json:"role" pflag:",Specifies the vault role to use"`
	// KVVersion selects KV v1 (unversioned) or v2 (versioned); DefaultConfig uses v2.
	// (Struct tag elided in this rendering.)
	KVVersion   KVVersion         `` /* 239-byte string literal not displayed */
	// Annotations are extra annotations, presumably added to the pod for the Vault
	// injector — the tag text is not shown here, so confirm against the injection code.
	Annotations map[string]string `` /* 266-byte string literal not displayed */
}
