From c85d0838d1ab140f4204350781bcf4566a41b13b Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Thu, 28 Oct 2021 16:41:42 +0800
Subject: [PATCH] fix: rework featureFlag function
* update comment to be more descriptive.
* only look for global scope Lagoon variables.
* update documentation
---
 docs/administering-lagoon/feature-flags.md | 10 +++----
 .../build-deploy-docker-compose.sh | 27 ++++++++++---------
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/docs/administering-lagoon/feature-flags.md b/docs/administering-lagoon/feature-flags.md
index 594d02142d..c6414f8aab 100644
--- a/docs/administering-lagoon/feature-flags.md
+++ b/docs/administering-lagoon/feature-flags.md
@@ -7,12 +7,10 @@ This is designed to assist users and administrators to roll out new platform fea
 The following environment variables can be set on an environment or project to toggle feature flags.
-| Environment Variable Name | Active scope\* | Version introduced | Version removed | Default Value | Description |
-| --- | --- | --- | --- | --- | --- |
-| `LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD` | `global` | 2.2.0 | - | `disabled` | Set to `enabled` to set a non-root pod security context on the pods in this environment or project.

This flag will eventually be deprecated, at which point non-root workloads will be enforced. |
-| `LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY` | `global` | 2.2.0 | - | `disabled` | Set to `enabled` to add a default namespace isolation network policy to each environment on deployment.

This flag will eventually be deprecated, at which point the namespace isolation network policy will be enforced.

NOTE: enabling and then disabling this feature will _not_ remove any existing network policy from previous deployments. Those must be removed manually. |
-
-\* Active scope indicates whether the variable must be set as `build` or `runtime` scope to take effect. `global` sets the variable in both scopes, so that will work too.
+| Environment Variable Name | Active scope | Version introduced | Version removed | Default Value | Description |
+| --- | --- | --- | --- | --- | --- |
+| `LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD` | `global` | 2.2.0 | - | `disabled` | Set to `enabled` to set a non-root pod security context on the pods in this environment or project.

This flag will eventually be deprecated, at which point non-root workloads will be enforced. |
+| `LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY` | `global` | 2.2.0 | - | `disabled` | Set to `enabled` to add a default namespace isolation network policy to each environment on deployment.

This flag will eventually be deprecated, at which point the namespace isolation network policy will be enforced.

NOTE: enabling and then disabling this feature will _not_ remove any existing network policy from previous deployments. Those must be removed manually. |
 ## Cluster-level controls
diff --git a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
index 80bd846271..e194dcefa3 100755
--- a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
+++ b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
@@ -29,22 +29,23 @@ function contains() {
 # and order:
 #
 # 1. The cluster-force feature flag, prefixed with LAGOON_FEATURE_FLAG_FORCE_,
-# in the build environment. This is set via a flag on the build-deploy
-# controller. This overrides the other variables and allows policy
-# enforcement at the cluster level.
+# as a build pod environment variable. This is set via a flag on the
+# build-deploy controller. This overrides the other variables and allows
+# policy enforcement at the cluster level.
 #
 # 2. The regular feature flag, prefixed with LAGOON_FEATURE_FLAG_, in the
-# Lagoon environment env-vars. This allows policy control at the environment
-# level.
+# Lagoon environment global scoped env-vars. This allows policy control at
+# the environment level.
 #
 # 3. The regular feature flag, prefixed with LAGOON_FEATURE_FLAG_, in the
-# Lagoon project env-vars. This allows policy control at the project level.
+# Lagoon project global scoped env-vars. This allows policy control at the
+# project level.
 #
 # 4. The cluster-default feature flag, prefixed with
-# LAGOON_FEATURE_FLAG_DEFAULT_, in the build environment. This is set via a
-# flag on the build-deploy controller. This allows default policy to be set
-# at the cluster level, but maintains the ability to selectively override at
-# the project or environment level.
+# LAGOON_FEATURE_FLAG_DEFAULT_, as a build pod environment variable. This is
+# set via a flag on the build-deploy controller. This allows default policy
+# to be set at the cluster level, but maintains the ability to selectively
+# override at the project or environment level.
 #
 # The value of the first variable found is printed to stdout. If the variable
 # is not found, print an empty string. Additional arguments are ignored.
@@ -54,16 +55,16 @@ function featureFlag() {
  local forceFlagVar defaultFlagVar flagVar
- # check build environment for the force policy first
+ # check build pod environment for the force policy first
  forceFlagVar="LAGOON_FEATURE_FLAG_FORCE_$1"
  [ "${!forceFlagVar}" ] && echo "${!forceFlagVar}" && return
  flagVar="LAGOON_FEATURE_FLAG_$1"
  # check Lagoon environment variables
- flagValue=$(jq -r '.[] | select((.scope as $scope | ["build", "global"] | index($scope)) and .name == "'"$flagVar"'") | .value' <<<"$LAGOON_ENVIRONMENT_VARIABLES")
+ flagValue=$(jq -r '.[] | select(.scope == "global" and .name == "'"$flagVar"'") | .value' <<<"$LAGOON_ENVIRONMENT_VARIABLES")
  [ "$flagValue" ] && echo "$flagValue" && return
  # check Lagoon project variables
- flagValue=$(jq -r '.[] | select((.scope as $scope | ["build", "global"] | index($scope)) and .name == "'"$flagVar"'") | .value' <<<"$LAGOON_PROJECT_VARIABLES")
+ flagValue=$(jq -r '.[] | select(.scope == "global" and .name == "'"$flagVar"'") | .value' <<<"$LAGOON_PROJECT_VARIABLES")
  [ "$flagValue" ] && echo "$flagValue" && return
  # fall back to the default, if set.
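Review bot: `flagValue`, assigned on both added `jq` lines, is not in the `local` list on the hunk's first line (only `forceFlagVar defaultFlagVar flagVar` are), so every call leaves a global `flagValue` behind in the build script; the declaration should read `local forceFlagVar defaultFlagVar flagVar flagValue`. The same two lines still splice `$flagVar` into the jq program by closing and reopening the single quotes; passing it as data with `jq -r --arg name "$flagVar" '.[] | select(.scope == "global" and .name == $name) | .value'` keeps the filter static and removes the quoting dance, with the identical change on the project-variables line. `$1` appears to come from fixed call sites, so this is robustness rather than a live injection path, but the name is then never parsed as jq code. If the variable list carries more than one entry with that name and scope, `.[]` emits every value and the multi-line string is echoed verbatim, which contradicts the "first variable found" contract in the function's header comment; wrapping the expression in jq's `first(...)` would pin that. featureFlag's opening line is outside the hunk.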