From 3762992710b460b68f84818f97a020f4a41f3fb3 Mon Sep 17 00:00:00 2001 From: Derek Wang Date: Wed, 1 Nov 2023 13:00:20 -0700 Subject: [PATCH] chore: numaflow server start args in a configmap (#1311) Signed-off-by: Derek Wang --- cmd/commands/server-init.go | 4 +- cmd/commands/server.go | 16 ++--- .../namespaced-numaflow-server.yaml | 63 +++++++++++++++++- config/advanced-install/numaflow-server.yaml | 63 ++++++++++++++++++ .../base/numaflow-server/kustomization.yaml | 1 + .../numaflow-server-cmd-params-config.yaml | 27 ++++++++ .../numaflow-server-deployment.yaml | 65 +++++++++++++++++-- config/install.yaml | 64 +++++++++++++++++- config/namespace-install.yaml | 63 +++++++++++++++++- pkg/shared/util/env.go | 12 ++++ pkg/shared/util/env_test.go | 21 ++++++ server/authn/interface.go | 16 +++++ .../authn/{user_id_info.go => user_info.go} | 0 server/authz/interface.go | 16 +++++ 14 files changed, 413 insertions(+), 18 deletions(-) create mode 100644 config/base/numaflow-server/numaflow-server-cmd-params-config.yaml rename server/authn/{user_id_info.go => user_info.go} (100%) diff --git a/cmd/commands/server-init.go b/cmd/commands/server-init.go index 8b6444d3f8..f7bf4fa3f4 100644 --- a/cmd/commands/server-init.go +++ b/cmd/commands/server-init.go @@ -23,6 +23,8 @@ import ( "strings" "github.com/spf13/cobra" + + sharedutil "github.com/numaproj/numaflow/pkg/shared/util" ) func NewServerInitCommand() *cobra.Command { @@ -53,7 +55,7 @@ func NewServerInitCommand() *cobra.Command { }, } - command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.") + command.Flags().StringVar(&baseHref, "base-href", sharedutil.LookupEnvStringOr("NUMAFLOW_SERVER_BASE_HREF", "/"), "Base href for Numaflow server, defaults to '/'.") return command } diff --git a/cmd/commands/server.go b/cmd/commands/server.go index 7b7fbd2518..8a9a0d6f2e 100644 --- a/cmd/commands/server.go +++ b/cmd/commands/server.go 
@@ -61,13 +61,13 @@ func NewServerCommand() *cobra.Command { server.Start() }, } - command.Flags().BoolVar(&insecure, "insecure", false, "Whether to disable TLS, defaults to false.") - command.Flags().IntVarP(&port, "port", "p", 8443, "Port to listen on, defaults to 8443 or 8080 if insecure is set") - command.Flags().BoolVar(&namespaced, "namespaced", false, "Whether to run in namespaced scope, defaults to false.") - command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system"), "The namespace that the server watches when \"--namespaced\" is \"true\".") - command.Flags().StringVar(&baseHref, "base-href", "/", "Base href for Numaflow server, defaults to '/'.") - command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Whether to disable authentication and authorization, defaults to false.") - command.Flags().StringVar(&dexServerAddr, "dex-server-addr", "http://numaflow-dex-server:5556/dex", "The actual address of the Dex server for the reverse proxy to target.") - command.Flags().StringVar(&serverAddr, "server-addr", "https://localhost:8443", "The address of the Numaflow server.") + command.Flags().BoolVar(&insecure, "insecure", sharedutil.LookupEnvBoolOr("NUMAFLOW_SERVER_INSECURE", false), "Whether to disable TLS, defaults to false.") + command.Flags().IntVarP(&port, "port", "p", sharedutil.LookupEnvIntOr("NUMAFLOW_SERVER_PORT_NUMBER", 8443), "Port to listen on, defaults to 8443 or 8080 if insecure is set") + command.Flags().BoolVar(&namespaced, "namespaced", sharedutil.LookupEnvBoolOr("NUMAFLOW_SERVER_NAMESPACED", false), "Whether to run in namespaced scope, defaults to false.") + command.Flags().StringVar(&managedNamespace, "managed-namespace", sharedutil.LookupEnvStringOr("NUMAFLOW_SERVER_MANAGED_NAMESPACE", sharedutil.LookupEnvStringOr("NAMESPACE", "numaflow-system")), "The namespace that the server watches when \"--namespaced\" is \"true\".") + command.Flags().StringVar(&baseHref, 
"base-href", sharedutil.LookupEnvStringOr("NUMAFLOW_SERVER_BASE_HREF", "/"), "Base href for Numaflow server, defaults to '/'.") + command.Flags().BoolVar(&disableAuth, "disable-auth", sharedutil.LookupEnvBoolOr("NUMAFLOW_SERVER_DISABLE_AUTH", false), "Whether to disable authentication and authorization, defaults to false.") + command.Flags().StringVar(&dexServerAddr, "dex-server-addr", sharedutil.LookupEnvStringOr("NUMAFLOW_SERVER_DEX_SERVER_ADDR", "http://numaflow-dex-server:5556/dex"), "The address of the Dex server.") + command.Flags().StringVar(&serverAddr, "server-addr", sharedutil.LookupEnvStringOr("NUMAFLOW_SERVER_ADDRESS", "https://localhost:8443"), "The external address of the Numaflow server.") return command } diff --git a/config/advanced-install/namespaced-numaflow-server.yaml b/config/advanced-install/namespaced-numaflow-server.yaml index 1d93a6eba3..cb4daef63b 100644 --- a/config/advanced-install/namespaced-numaflow-server.yaml +++ b/config/advanced-install/namespaced-numaflow-server.yaml @@ -83,6 +83,13 @@ subjects: name: numaflow-server-sa --- apiVersion: v1 +data: + server.disable.auth: "true" +kind: ConfigMap +metadata: + name: numaflow-server-cmd-params-config +--- +apiVersion: v1 data: rbac-conf.yaml: | policy.default: role:readonly 
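Review bot: The `--disable-auth` and `--insecure` defaults in NewServerCommand now come from `NUMAFLOW_SERVER_DISABLE_AUTH` and `NUMAFLOW_SERVER_INSECURE`, so authentication or TLS can be switched off with nothing visible in the container args, yet the help strings still say "defaults to false" and never name the variables. I would name the source in each help text, e.g. `"Whether to disable authentication and authorization, defaults to false; can also be set with NUMAFLOW_SERVER_DISABLE_AUTH."`, and log the effective values of both settings once at startup so the pod logs show when the server runs unauthenticated or without TLS. The lookups run while the command is being constructed, and `LookupEnvBoolOr` (added in pkg/shared/util/env.go in this patch) panics on an unparseable value, so a typo in the ConfigMap presumably surfaces as a panic before cobra parses any flag; that fails closed, but deserves a comment above the flag block. The Run body of the command starts outside the hunk.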
@@ -138,13 +145,60 @@ spec: containers: - args: - server - - --disable-auth=true - --namespaced env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace + - name: NUMAFLOW_SERVER_INSECURE + valueFrom: + configMapKeyRef: + key: server.insecure + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_PORT_NUMBER + valueFrom: + configMapKeyRef: + key: server.port + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_NAMESPACED + valueFrom: + configMapKeyRef: + key: server.namespaced + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_MANAGED_NAMESPACE + valueFrom: + configMapKeyRef: + key: server.managed.namespace + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DISABLE_AUTH + valueFrom: + configMapKeyRef: + key: server.disable.auth + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DEX_SERVER_ADDR + valueFrom: + configMapKeyRef: + key: server.dex.server + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_ADDRESS + valueFrom: + configMapKeyRef: + key: server.address + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always livenessProbe: @@ -174,6 +228,13 @@ spec: initContainers: - args: - server-init + env: + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always name: server-init diff --git a/config/advanced-install/numaflow-server.yaml b/config/advanced-install/numaflow-server.yaml index 253f8682b4..640b211e3f 100644 --- a/config/advanced-install/numaflow-server.yaml 
+++ b/config/advanced-install/numaflow-server.yaml @@ -85,6 +85,14 @@ subjects: namespace: numaflow-system --- apiVersion: v1 +data: + server.disable.auth: "true" +kind: ConfigMap +metadata: + name: numaflow-server-cmd-params-config + namespace: numaflow-system +--- +apiVersion: v1 data: rbac-conf.yaml: | policy.default: role:readonly @@ -148,6 +156,54 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: NUMAFLOW_SERVER_INSECURE + valueFrom: + configMapKeyRef: + key: server.insecure + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_PORT_NUMBER + valueFrom: + configMapKeyRef: + key: server.port + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_NAMESPACED + valueFrom: + configMapKeyRef: + key: server.namespaced + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_MANAGED_NAMESPACE + valueFrom: + configMapKeyRef: + key: server.managed.namespace + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DISABLE_AUTH + valueFrom: + configMapKeyRef: + key: server.disable.auth + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DEX_SERVER_ADDR + valueFrom: + configMapKeyRef: + key: server.dex.server + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_ADDRESS + valueFrom: + configMapKeyRef: + key: server.address + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always livenessProbe: 
@@ -177,6 +233,13 @@ spec: initContainers: - args: - server-init + env: + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always name: server-init diff --git a/config/base/numaflow-server/kustomization.yaml b/config/base/numaflow-server/kustomization.yaml index cc1329bfdf..4a99f886b6 100644 --- a/config/base/numaflow-server/kustomization.yaml +++ b/config/base/numaflow-server/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization resources: - numaflow-server-sa.yaml - numaflow-server-rbac-config.yaml + - numaflow-server-cmd-params-config.yaml - numaflow-server-deployment.yaml - numaflow-server-service.yaml diff --git a/config/base/numaflow-server/numaflow-server-cmd-params-config.yaml b/config/base/numaflow-server/numaflow-server-cmd-params-config.yaml new file mode 100644 index 0000000000..a7a0428ef8 --- /dev/null +++ b/config/base/numaflow-server/numaflow-server-cmd-params-config.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: numaflow-server-cmd-params-config +data: + ### Whether to disable TLS. + # server.insecure: "false" + # + ### Port to listen on, defaults to 8443 or 8080 if insecure is set. + # server.port: "8443" + # + ### Whether to run in namespaced scope, defaults to false. + # server.namespaced: "false" + # + ### The namespace that the server watches when "server.namespaced" is true. + # server.managed.namespace=numaflow-system + ### Base href for Numaflow server, defaults to '/'. + # server.base.href: "/" + # + ### Whether to disable authentication and authorization, defaults to false. + server.disable.auth: "true" + # + ### The address of the Dex server for authentication. + # server.dex.server: http://numaflow-dex-server:5556/dex + # + ### The external address of the Numaflow server. This is needed when using Dex for authentication. + # server.address=https://localhost:8443 diff --git a/config/base/numaflow-server/numaflow-server-deployment.yaml b/config/base/numaflow-server/numaflow-server-deployment.yaml index 06eb8dfff5..00e91019a1 100644 --- a/config/base/numaflow-server/numaflow-server-deployment.yaml +++ b/config/base/numaflow-server/numaflow-server-deployment.yaml @@ -32,6 +32,13 @@ spec: args: - "server-init" imagePullPolicy: Always + env: + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.base.href + optional: true volumeMounts: - mountPath: /opt/numaflow name: env-volume @@ -40,8 +47,6 @@ spec: image: quay.io/numaproj/numaflow:latest args: - "server" - # By default, turn off authentication and authorization. - - "--disable-auth=true" imagePullPolicy: Always volumeMounts: - mountPath: /ui/build/runtime-env.js 
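Review bot: Two of the commented examples in the new ConfigMap use `=` instead of YAML key/value syntax, `# server.managed.namespace=numaflow-system` and `# server.address=https://localhost:8443`; uncommenting either gives a line that is not a valid `data` entry, so the key the deployment reads is never set. They should read `# server.managed.namespace: numaflow-system` and `# server.address: https://localhost:8443`, and the `#` separator line is missing before the `server.base.href` entry. The only active key is `server.disable.auth: "true"`, which keeps the base install running without authentication or authorization; its comment should say that this is the shipped setting and that removing the key or setting it to `"false"` turns auth back on. Because the values reach the server as env vars, an edit takes effect only after the pod restarts, and write access to this ConfigMap should be treated as equivalent to being able to disable auth.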
@@ -53,10 +58,58 @@ spec: - mountPath: /etc/numaflow name: rbac-config env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NUMAFLOW_SERVER_INSECURE + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.insecure + optional: true + - name: NUMAFLOW_SERVER_PORT_NUMBER + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.port + optional: true + - name: NUMAFLOW_SERVER_NAMESPACED + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.namespaced + optional: true + - name: NUMAFLOW_SERVER_MANAGED_NAMESPACE + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.managed.namespace + optional: true + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.base.href + optional: true + - name: NUMAFLOW_SERVER_DISABLE_AUTH + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.disable.auth + optional: true + - name: NUMAFLOW_SERVER_DEX_SERVER_ADDR + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.dex.server + optional: true + - name: NUMAFLOW_SERVER_ADDRESS + valueFrom: + configMapKeyRef: + name: numaflow-server-cmd-params-config + key: server.address + optional: true resources: limits: cpu: 500m diff --git a/config/install.yaml b/config/install.yaml index ff9401bf31..59a2583b99 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -16386,6 +16386,14 @@ metadata: namespace: numaflow-system --- apiVersion: v1 +data: + server.disable.auth: "true" +kind: ConfigMap +metadata: + name: numaflow-server-cmd-params-config + namespace: numaflow-system +--- +apiVersion: v1 data: rbac-conf.yaml: | policy.default: role:readonly 
@@ -16581,12 +16589,59 @@ spec: containers: - args: - server - - --disable-auth=true env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace + - name: NUMAFLOW_SERVER_INSECURE + valueFrom: + configMapKeyRef: + key: server.insecure + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_PORT_NUMBER + valueFrom: + configMapKeyRef: + key: server.port + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_NAMESPACED + valueFrom: + configMapKeyRef: + key: server.namespaced + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_MANAGED_NAMESPACE + valueFrom: + configMapKeyRef: + key: server.managed.namespace + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DISABLE_AUTH + valueFrom: + configMapKeyRef: + key: server.disable.auth + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DEX_SERVER_ADDR + valueFrom: + configMapKeyRef: + key: server.dex.server + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_ADDRESS + valueFrom: + configMapKeyRef: + key: server.address + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always livenessProbe: @@ -16616,6 +16671,13 @@ spec: initContainers: - args: - server-init + env: + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always name: server-init diff --git a/config/namespace-install.yaml b/config/namespace-install.yaml index c45d954d13..6615c81b77 100644 --- a/config/namespace-install.yaml +++ b/config/namespace-install.yaml 
@@ -16291,6 +16291,13 @@ metadata: name: numaflow-dex-server --- apiVersion: v1 +data: + server.disable.auth: "true" +kind: ConfigMap +metadata: + name: numaflow-server-cmd-params-config +--- +apiVersion: v1 data: rbac-conf.yaml: | policy.default: role:readonly @@ -16480,13 +16487,60 @@ spec: containers: - args: - server - - --disable-auth=true - --namespaced env: - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace + - name: NUMAFLOW_SERVER_INSECURE + valueFrom: + configMapKeyRef: + key: server.insecure + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_PORT_NUMBER + valueFrom: + configMapKeyRef: + key: server.port + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_NAMESPACED + valueFrom: + configMapKeyRef: + key: server.namespaced + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_MANAGED_NAMESPACE + valueFrom: + configMapKeyRef: + key: server.managed.namespace + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DISABLE_AUTH + valueFrom: + configMapKeyRef: + key: server.disable.auth + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_DEX_SERVER_ADDR + valueFrom: + configMapKeyRef: + key: server.dex.server + name: numaflow-server-cmd-params-config + optional: true + - name: NUMAFLOW_SERVER_ADDRESS + valueFrom: + configMapKeyRef: + key: server.address + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always livenessProbe: 
@@ -16516,6 +16570,13 @@ spec: initContainers: - args: - server-init + env: + - name: NUMAFLOW_SERVER_BASE_HREF + valueFrom: + configMapKeyRef: + key: server.base.href + name: numaflow-server-cmd-params-config + optional: true image: quay.io/numaproj/numaflow:v1.0.0-rc1 imagePullPolicy: Always name: server-init diff --git a/pkg/shared/util/env.go b/pkg/shared/util/env.go index 6c903685fd..ed770408d1 100644 --- a/pkg/shared/util/env.go +++ b/pkg/shared/util/env.go @@ -41,3 +41,15 @@ func LookupEnvIntOr(key string, defaultValue int) int { return defaultValue } } + +func LookupEnvBoolOr(key string, defaultValue bool) bool { + if valStr, existing := os.LookupEnv(key); existing && valStr != "" { + val, err := strconv.ParseBool(valStr) + if err != nil { + panic(fmt.Errorf("invalid value for env variable %q, value %q", key, valStr)) + } + return val + } else { + return defaultValue + } +} diff --git a/pkg/shared/util/env_test.go b/pkg/shared/util/env_test.go index e2f0a6e09c..7674efc5d5 100644 --- a/pkg/shared/util/env_test.go +++ b/pkg/shared/util/env_test.go @@ -17,6 +17,7 @@ limitations under the License. package util import ( + "os" "testing" "github.com/stretchr/testify/assert" 
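Review bot: `LookupEnvBoolOr`, added at the end of env.go, is exported without a doc comment and its panic drops the `strconv.ParseBool` error. This helper now decides whether TLS and authentication are disabled, so the contract should be written down: `// LookupEnvBoolOr returns the value of env variable key parsed with strconv.ParseBool, or defaultValue when the variable is unset or empty; it panics on any other value.` I would also wrap the cause, `panic(fmt.Errorf("invalid value for env variable %q, value %q: %w", key, valStr, err))`, and drop the `else` after the returning branch so the default is the plain final `return defaultValue`.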
@@ -26,3 +27,23 @@ func TestLookupEnvStringOr(t *testing.T) { assert.Equal(t, LookupEnvStringOr("fake_env", "hello"), "hello") assert.Equal(t, LookupEnvStringOr("HOME", "#")[0], "/"[0]) } + +func TestLookupEnvIntOr(t *testing.T) { + assert.Equal(t, LookupEnvIntOr("fake_int_env", 3), 3) + os.Setenv("fake_int_env", "4") + assert.Equal(t, LookupEnvIntOr("fake_int_env", 3), 4) +} + +func TestLookupEnvBoolOr(t *testing.T) { + assert.Equal(t, LookupEnvBoolOr("fake_bool_env", false), false) + os.Setenv("fake_bool_env", "1") + assert.Equal(t, LookupEnvBoolOr("fake_bool_env", false), true) + os.Setenv("fake_bool_env", "True") + assert.Equal(t, LookupEnvBoolOr("fake_bool_env", false), true) + os.Setenv("fake_bool_env", "TRUE") + assert.Equal(t, LookupEnvBoolOr("fake_bool_env", false), true) + os.Setenv("fake_bool_env", "False") + assert.Equal(t, LookupEnvBoolOr("fake_bool_env", false), false) + os.Setenv("fake_bool_env", "5") + assert.Panics(t, func() { LookupEnvBoolOr("fake_bool_env", false) }) +} diff --git a/server/authn/interface.go b/server/authn/interface.go index 24e8a660c3..c600329286 100644 --- a/server/authn/interface.go +++ b/server/authn/interface.go @@ -1,3 +1,19 @@ +/* +Copyright 2022 The Numaproj Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package authn import "github.com/gin-gonic/gin" diff --git a/server/authn/user_id_info.go b/server/authn/user_info.go similarity index 100% rename from server/authn/user_id_info.go rename to server/authn/user_info.go 
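Review bot: Both new tests change the process environment with `os.Setenv` and never restore it, so `fake_int_env` and `fake_bool_env` stay set for every test that runs afterwards in the package. Provided the module targets Go 1.17 or later, `t.Setenv("fake_bool_env", "1")` restores the previous state when the test ends and makes the `"os"` import added in this commit unnecessary. The empty-string case (`t.Setenv("fake_bool_env", "")` expecting the default) has no assertion, although it is the branch that decides what a blank ConfigMap value does to `--disable-auth`. The `assert.Equal` calls pass the actual value first; testify expects `(t, expected, actual)`, which only affects the failure message.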
diff --git a/server/authz/interface.go b/server/authz/interface.go index d14f7bffb0..14fc2f5385 100644 --- a/server/authz/interface.go +++ b/server/authz/interface.go @@ -1,3 +1,19 @@ +/* +Copyright 2022 The Numaproj Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package authz import (