Merge pull request #840 from weaveworks/enable-cross-ns-refs

Add flag --allow-cross-namespace-refs to tf-controller and branch-planner
flux-iac · Sep 7, 2023 · f328d62 · f328d62
2 parents e2a906c + 08c8c57
commit f328d62
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 4 deletions.
diff --git a/cmd/branch-planner/flags.go b/cmd/branch-planner/flags.go
@@ -19,11 +19,12 @@ type applicationOptions struct {
 	allowedNamespaces []string
 
 	logOptions logger.Options
-	aclOptions acl.Options
 
 	runtimeNamespace   string
 	watchAllNamespaces bool
 	watchNamespace     string
+
+	noCrossNamespaceRefs bool
 }
 
 func parseFlags() *applicationOptions {
@@ -47,7 +48,13 @@ func parseFlags() *applicationOptions {
 		"Allowed namespaced. If it's empty, all namespaces are allowed for the planner. If it's not empty, only resources in the defined namespaces are allowed.")
 
 	opts.logOptions.BindFlags(flag.CommandLine)
-	opts.aclOptions.BindFlags(flag.CommandLine)
+
+	aclOptions := &acl.Options{}
+	aclOptions.BindFlags(flag.CommandLine)
+	// this flag exists so that the default is to _disallow_ cross-namespace refs. If supplied, it'll override `--no-cross-namespace-refs`; in other words, you can supply `--allow-cross-namespace-refs` with or without a value, and it will be observed.
+	var allowCrossNamespaceRefs bool
+	flag.BoolVar(&allowCrossNamespaceRefs, "allow-cross-namespace-refs", false,
+		"Enable following cross-namespace references. Overrides --no-cross-namespace-refs")
 
 	flag.Parse()
 
@@ -61,5 +68,12 @@ func parseFlags() *applicationOptions {
 		opts.watchNamespace = opts.runtimeNamespace
 	}
 
+	// as in ../manager/main.go, this checks for the case where the --no-cross-namespace-refs value is used.
+	if !flag.CommandLine.Changed("allow-cross-namespace-refs") && flag.CommandLine.Changed("no-cross-namespace-refs") {
+		opts.noCrossNamespaceRefs = aclOptions.NoCrossNamespaceRefs
+	} else {
+		opts.noCrossNamespaceRefs = !allowCrossNamespaceRefs
+	}
+
 	return opts
 }
diff --git a/cmd/branch-planner/polling.go b/cmd/branch-planner/polling.go
@@ -16,7 +16,7 @@ func startPollingServer(ctx context.Context, log logr.Logger, clusterClient clie
 		polling.WithConfigMap(opts.pollingConfigMap),
 		polling.WithPollingInterval(opts.pollingInterval),
 		polling.WithBranchPollingInterval(opts.branchPollingInterval),
-		polling.WithNoCrossNamespaceRefs(opts.aclOptions.NoCrossNamespaceRefs),
+		polling.WithNoCrossNamespaceRefs(opts.noCrossNamespaceRefs),
 	)
 	if err != nil {
 		return fmt.Errorf("problem configuring the polling server: %w", err)

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -93,6 +93,7 @@ func main() {
 		allowBreakTheGlass        bool
 		clusterDomain             string
 		aclOptions                acl.Options
+		allowCrossNamespaceRefs   bool
 		usePodSubdomainResolution bool
 	)
 
@@ -120,7 +121,12 @@ func main() {
 	clientOptions.BindFlags(flag.CommandLine)
 	logOptions.BindFlags(flag.CommandLine)
 	leaderElectionOptions.BindFlags(flag.CommandLine)
+	// this adds the flag `--no-cross-namespace-refs`, for backward-compatibility of deployments that use that Flux-like flag.
 	aclOptions.BindFlags(flag.CommandLine)
+	// this flag exists so that the default is to _disallow_ cross-namespace refs. If supplied, it'll override `--no-cross-namespace-refs`; in other words, you can supply `--allow-cross-namespace-refs` with or without a value, and it will be observed.
+	flag.BoolVar(&allowCrossNamespaceRefs, "allow-cross-namespace-refs", false,
+		"Enable following cross-namespace references. Overrides --no-cross-namespace-refs")
+
 	flag.Parse()
 
 	ctrl.SetLogger(logger.NewLogger(logOptions))
@@ -190,6 +196,20 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Cross-namespace refs enabled:
+	//
+	// --allow... \ --no... | true | false |  - |
+	// ---------------------|------|-------|----|
+	//     true             |  t   |   t   |  t |
+	//     false            |  f   |   f   |  f |
+	//     -                |  f   |   t*  |  f |
+	//
+	// '-' means "not supplied"
+	// * is the only place the value of `--no-cross-namespace-refs` is used, so check for this case.
+	if !flag.CommandLine.Changed("allow-cross-namespace-refs") && flag.CommandLine.Changed("no-cross-namespace-refs") {
+		allowCrossNamespaceRefs = !aclOptions.NoCrossNamespaceRefs
+	}
+
 	reconciler := &controllers.TerraformReconciler{
 		Client:                    mgr.GetClient(),
 		Scheme:                    mgr.GetScheme(),
@@ -202,7 +222,7 @@ func main() {
 		RunnerGRPCMaxMessageSize:  runnerGRPCMaxMessageSize,
 		AllowBreakTheGlass:        allowBreakTheGlass,
 		ClusterDomain:             clusterDomain,
-		NoCrossNamespaceRefs:      aclOptions.NoCrossNamespaceRefs,
+		NoCrossNamespaceRefs:      !allowCrossNamespaceRefs,
 		UsePodSubdomainResolution: usePodSubdomainResolution,
 	}