Documentation
Overview
Package config provides startup configuration loading for the cloudflare-operator. It reads environment variables and an optional Kubernetes Secret to produce a controller.RegistryConfig that is threaded into the DNS, ServiceSource, and HTTPRouteSource controllers.
Index
Constants
This section is empty.
Variables
var (
	// ErrTxtOwnerIDRequired is returned when TXT_OWNER_ID is unset or empty.
	// Without an owner ID, the annotation-driven sources cannot function.
	ErrTxtOwnerIDRequired = errors.New("TXT_OWNER_ID is required to activate annotation-driven sources")

	// ErrSelfImport is returned when TxtImportOwners contains the same value
	// as TxtOwnerID, which would cause the operator to try to adopt its own
	// records on every reconcile.
	ErrSelfImport = errors.New("TxtImportOwners must not contain TxtOwnerID")

	// ErrInvalidAESKey is returned when a key decoded from the Secret is not
	// exactly 32 bytes (required for AES-256), or cannot be base64-decoded.
	ErrInvalidAESKey = errors.New("invalid AES-256 key length")
)
Sentinel errors for classifiable failure cases. Callers MUST use errors.Is for comparison — never compare error strings.
Functions
func LoadRegistryConfig
func LoadRegistryConfig(ctx context.Context, c client.Reader, opts LoadOptions) (controller.RegistryConfig, error)
LoadRegistryConfig constructs a controller.RegistryConfig from opts and, when opts.SecretName is non-empty, reads the named Secret via c to load optional AES-256 keys.
The primary (most common) path is: TxtOwnerID set, SecretName empty — this produces a plaintext-default config with no encryption keys. Annotation-driven sources work fully on this path.
The encryption path (SecretName set) is hidden infrastructure: the code ships and is exercised by tests, but operator documentation does not surface it in v1. Set encryptKey and/or importKeys in the Secret to enable it.
When opts.TxtOwnerID is empty, ErrTxtOwnerIDRequired is returned. When opts.TxtImportOwners contains TxtOwnerID, ErrSelfImport is returned. When a key in the Secret is malformed, ErrInvalidAESKey is returned (wrapped).
c must be an API-reader (mgr.GetAPIReader()) to bypass the cache, which may not be populated at operator startup.
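The checks described above, written out as an added stand-alone example rather than the package's own code: the owner-ID and self-import checks, the plaintext-default short-circuit when SecretName is empty, and the base64-plus-length validation of a Secret key, wrapped so that errors.Is matches ErrInvalidAESKey on either failure. The RegistryConfig shape, the SecretReader function standing in for client.Reader, the in-memory sample Secrets and the choice to validate only encryptKey (the page does not give the layout of importKeys) are assumptions of this example; the sentinel errors and LoadOptions field names are the documented ones.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors with the documented names and messages; compare with errors.Is.
var (
	ErrTxtOwnerIDRequired = errors.New("TXT_OWNER_ID is required to activate annotation-driven sources")
	ErrSelfImport         = errors.New("TxtImportOwners must not contain TxtOwnerID")
	ErrInvalidAESKey      = errors.New("invalid AES-256 key length")
)

// LoadOptions is the subset of the documented struct that these checks touch.
type LoadOptions struct {
	TxtOwnerID, TxtImportOwners, SecretName, SecretNamespace string
}

// RegistryConfig stands in for controller.RegistryConfig (assumed shape).
type RegistryConfig struct {
	OwnerID      string
	ImportOwners []string
	EncryptKey   []byte // nil on the plaintext-default path
}

// SecretReader stands in for the client.Reader lookup (assumption): it returns the
// Secret's data by namespace/name, or ok=false when the Secret does not exist.
type SecretReader func(namespace, name string) (data map[string][]byte, ok bool)

// decodeAESKey base64-decodes one Secret value and enforces the AES-256 length.
// Both failure modes wrap ErrInvalidAESKey so errors.Is matches either one.
func decodeAESKey(field string, raw []byte) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(raw)))
	if err != nil {
		return nil, fmt.Errorf("%s: %w: %v", field, ErrInvalidAESKey, err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s: %w: got %d bytes, want 32", field, ErrInvalidAESKey, len(key))
	}
	return key, nil
}

// LoadRegistryConfig applies the documented checks in order: owner ID required,
// no self-import, then key loading only when SecretName is set.
func LoadRegistryConfig(read SecretReader, opts LoadOptions) (RegistryConfig, error) {
	if strings.TrimSpace(opts.TxtOwnerID) == "" {
		return RegistryConfig{}, ErrTxtOwnerIDRequired
	}
	cfg := RegistryConfig{
		OwnerID: opts.TxtOwnerID,
		// TXT_IMPORT_OWNERS is comma-separated; tolerate spaces around the commas.
		ImportOwners: strings.Fields(strings.ReplaceAll(opts.TxtImportOwners, ",", " ")),
	}
	for _, o := range cfg.ImportOwners {
		if o == opts.TxtOwnerID {
			return RegistryConfig{}, fmt.Errorf("import owner %q: %w", o, ErrSelfImport)
		}
	}
	if opts.SecretName == "" {
		return cfg, nil // plaintext-default path: no Secret read, no keys
	}
	data, ok := read(opts.SecretNamespace, opts.SecretName)
	if !ok {
		return RegistryConfig{}, fmt.Errorf("secret %s/%s not found", opts.SecretNamespace, opts.SecretName)
	}
	if raw, ok := data["encryptKey"]; ok {
		k, err := decodeAESKey("encryptKey", raw)
		if err != nil {
			return RegistryConfig{}, err
		}
		cfg.EncryptKey = k
	}
	return cfg, nil
}

// b64Key returns n filler bytes base64-encoded, the form the Secret value holds.
func b64Key(n int) []byte {
	return []byte(base64.StdEncoding.EncodeToString([]byte(strings.Repeat("k", n))))
}

// Constructed in-memory Secrets standing in for the cluster (not real keys).
var sampleSecrets = map[string]map[string][]byte{
	"dns/cf-keys": {"encryptKey": b64Key(32)},
	"dns/short":   {"encryptKey": b64Key(16)},            // AES-128 length: rejected
	"dns/garbage": {"encryptKey": []byte("not base64!")}, // undecodable: rejected
}

// ReadSample is the SecretReader used here in place of mgr.GetAPIReader().
func ReadSample(ns, name string) (map[string][]byte, bool) {
	d, ok := sampleSecrets[ns+"/"+name]
	return d, ok
}

func main() {
	opts := LoadOptions{TxtOwnerID: "cf-op", SecretName: "short", SecretNamespace: "dns"}
	cfg, err := LoadRegistryConfig(ReadSample, opts)
	fmt.Printf("cfg=%+v err=%v invalidKey=%t\n", cfg, err, errors.Is(err, ErrInvalidAESKey))
}
```

Note that the rejection of the 16-byte key is deliberate: a Secret holding an AES-128-length key is a misconfiguration the operator should refuse at startup rather than silently weaken to, and because the sentinel is wrapped with `%w`, callers must check it with errors.Is rather than by comparing messages.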
Types
type LoadOptions
type LoadOptions struct {
// TxtOwnerID is the value of TXT_OWNER_ID. Required; empty triggers
// ErrTxtOwnerIDRequired.
TxtOwnerID string
// TxtImportOwners is a comma-separated list of owner IDs (e.g.
// "external-dns,legacy-operator") that this operator is allowed to
// adopt. Maps to TXT_IMPORT_OWNERS env var.
TxtImportOwners string
// TxtPrefix maps to TXT_PREFIX env var.
TxtPrefix string
// TxtSuffix maps to TXT_SUFFIX env var.
TxtSuffix string
// TxtWildcardReplacement maps to TXT_WILDCARD_REPLACEMENT env var.
TxtWildcardReplacement string
// SecretName is the name of the Kubernetes Secret holding optional
// AES-256 keys. When empty, no Secret is read and the plaintext-default
// path is taken (the most common deployment).
SecretName string
// SecretNamespace is the namespace of the above Secret.
SecretNamespace string
}
LoadOptions holds the raw values — typically from environment variables and command-line flags — used to construct a RegistryConfig. cmd/main.go reads env vars and passes them here so this package stays testable without os.Getenv calls.