diff --git a/cmd/main.go b/cmd/main.go
index d283c5a107e47fbc2f0fc3e7d4c7e9c282825a60..697058a04d77f298ef58d7fa95dcf6ddb0e5cd25 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -19,12 +19,16 @@ var (
 podNamespace string
 configMapName spec.NamespacedName
 OutOfCluster bool
+ noTeamsAPI bool
+ noDBAccess bool
 version string
 )
 func init() {
 flag.StringVar(&KubeConfigFile, "kubeconfig", "", "Path to kubeconfig file with authorization and master location information.")
 flag.BoolVar(&OutOfCluster, "outofcluster", false, "Whether the operator runs in- our outside of the Kubernetes cluster.")
+ flag.BoolVar(&noDBAccess, "nodatabaseaccess", false, "Disable all access to the database from the operator side.")
+ flag.BoolVar(&noTeamsAPI, "noteamsapi", false, "Disable all access to the teams API")
 flag.Parse()
 podNamespace = os.Getenv("MY_POD_NAMESPACE")
@@ -87,6 +91,12 @@ func main() {
 if configMapData["namespace"] == "" { // Namespace in ConfigMap has priority over env var
 configMapData["namespace"] = podNamespace
 }
+ if noDBAccess {
+ configMapData["enable_db_access"] = "false"
+ }
+ if noTeamsAPI {
+ configMapData["enable_teams_api"] = "false"
+ }
 cfg := config.NewFromMap(configMapData)
 log.Printf("Config: %s", cfg.MustMarshal())
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index b870c963948717422c8613f5d3ad27376660448d..895b919447ba0df9eb83125451ae28ddc3154e12 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
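Review bot: In cmd/main.go, the new `if noDBAccess` / `if noTeamsAPI` blocks in main() silently overwrite whatever the ConfigMap sets for `enable_db_access` and `enable_teams_api`, and nothing documents that precedence. The flags can only force a feature off, never on, which is a sensible fail-closed direction but worth stating; I would add `// Command-line flags take precedence over the ConfigMap and can only disable a feature.` above the first block and say the same in the two new help strings in init(). main() starts and ends outside the hunk.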
@@ -227,18 +227,20 @@ func (c *Cluster) Create(stopCh <-chan struct{}) error {
 }
 c.logger.Infof("Pods are ready")
- if !c.masterLess {
- if err = c.initDbConn(); err != nil {
+ if !(c.masterLess || c.DatabaseAccessDisabled()) {
+ if err := c.initDbConn(); err != nil {
 return fmt.Errorf("Can't init db connection: %s", err)
- }
-
- if err = c.createUsers(); err != nil {
- return fmt.Errorf("Can't create users: %s", err)
 } else {
- c.logger.Infof("Users have been successfully created")
+ if err = c.createUsers(); err != nil {
+ return fmt.Errorf("Can't create users: %s", err)
+ } else {
+ c.logger.Infof("Users have been successfully created")
+ }
 }
 } else {
- c.logger.Warnln("Cluster is masterless")
+ if c.masterLess {
+ c.logger.Warnln("Cluster is masterless")
+ }
 }
 c.ListResources()
diff --git a/pkg/cluster/pg.go b/pkg/cluster/pg.go
index fa325047bdbfb54c7df41a25512f921b0ccaa714..34816bcab604e02b17eea83b081041bbe2907c02 100644
--- a/pkg/cluster/pg.go
+++ b/pkg/cluster/pg.go
@@ -32,10 +32,14 @@ func (c *Cluster) pgConnectionString() string {
 strings.Replace(password, "$", "\\$", -1))
 }
-func (c *Cluster) initDbConn() error {
- //TODO: concurrent safe?
+func (c *Cluster) DatabaseAccessDisabled() bool {
+ if c.OpConfig.EnableDBAccess == false {
+ c.logger.Debugf("Database access is disabled")
+ }
+ return c.OpConfig.EnableDBAccess == false
+}
+func (c *Cluster) initDbConn() (err error) {
 if c.pgDb == nil {
- if c.pgDb == nil {
 conn, err := sql.Open("postgres", c.pgConnectionString())
 if err != nil {
 return err
@@ -47,7 +51,6 @@ func (c *Cluster) initDbConn() error {
 }
 c.pgDb = conn
- }
 }
 return nil
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 07e076d98b09f778904f208be4106d0f9864715d..11e89d60dc22ce9532b0a560de8a213a17d6950f 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
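Review bot: In Cluster.Create (pkg/cluster/cluster.go), `if err := c.initDbConn(); err != nil {` now declares a new `err` that shadows the one the removed lines assigned with `=`, and the `err = c.createUsers()` in the `else` branch writes to that shadow rather than to the outer variable. It works only because each failure returns immediately. The `else` after a `return` is also unnecessary: keeping `if err = c.initDbConn(); err != nil {` with its return, followed by an unnested `if err = c.createUsers(); err != nil {`, reads flatter, and the trailing `else { if c.masterLess {` can be `else if c.masterLess {`. Create starts and ends outside the hunk.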
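Review bot: In pkg/cluster/pg.go, initDbConn's new named result `(err error)` is never used: `conn, err := sql.Open(...)` inside the `if c.pgDb == nil` block declares a fresh `err` and every return is explicit, so the signature should stay `func (c *Cluster) initDbConn() error {`. The hunk also drops the `//TODO: concurrent safe?` comment without answering it; as far as these lines show, the nil check and the later `c.pgDb = conn` are still unsynchronized, so either keep the TODO or state which lock callers hold. DatabaseAccessDisabled is exported without a doc comment, logs on every call although it is a predicate, and compares with `== false`; `return !c.OpConfig.EnableDBAccess` under `// DatabaseAccessDisabled reports whether the operator is configured not to connect to the database.` would be cleaner.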
@@ -36,6 +36,9 @@ func (c *Cluster) SyncCluster(stopCh <-chan struct{}) {
 if err := c.syncStatefulSet(); err != nil {
 c.logger.Errorf("Can't sync StatefulSets: %s", err)
 }
+ if c.DatabaseAccessDisabled() {
+ return
+ }
 if err := c.initDbConn(); err != nil {
 c.logger.Errorf("Can't init db connection: %s", err)
 } else {
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index dcb99797b911bc6413105302f3f2f3921fd07181..05ce145d58260a7cc901560c8edba47b4da2a1c5 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -50,7 +50,7 @@ func New(controllerConfig *Config, operatorConfig *config.Config) *Controller {
 logger.Level = logrus.DebugLevel
 }
- controllerConfig.TeamsAPIClient = teams.NewTeamsAPI(operatorConfig.TeamsAPIUrl, logger)
+ controllerConfig.TeamsAPIClient = teams.NewTeamsAPI(operatorConfig.TeamsAPIUrl, logger, operatorConfig.EnableTeamsAPI)
 return &Controller{
 Config: *controllerConfig,
 opConfig: operatorConfig,
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 561c0fc1fd758b1148cb7ba94484cc0891577037..96b9ff65b84e42bc7f1efc08652d52e302b9d239 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -52,6 +52,8 @@ type Config struct {
 WALES3Bucket string `name:"wal_s3_bucket"`
 KubeIAMRole string `name:"kube_iam_role"`
 DebugLogging bool `name:"debug_logging" default:"false"`
+ EnableDBAccess bool `name:"enable_db_access" default:"true"`
+ EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
 DNSNameFormat string `name:"dns_name_format" default:"%s.%s.%s"`
 Workers uint32 `name:"workers" default:"4"`
 }
diff --git a/pkg/util/teams/teams.go b/pkg/util/teams/teams.go
index 694803535852e2866201bc064e8eb521a16a95b9..6b0ba9e25b86be9656fa36ba856414a09b2beeaf 100644
--- a/pkg/util/teams/teams.go
+++ b/pkg/util/teams/teams.go
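Review bot: In SyncCluster (pkg/cluster/sync.go), the new `if c.DatabaseAccessDisabled() { return }` leaves the whole function, not just the database part. The rest of SyncCluster is outside the hunk, so I cannot tell what follows the `initDbConn` branch, but any sync step after it, present now or added later, is skipped whenever database access is off. Wrapping only the database work, `if !c.DatabaseAccessDisabled() {` around the `initDbConn`/else block, keeps the skip scoped to what the setting is meant to disable.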
@@ -42,13 +42,15 @@ type TeamsAPI struct {
 httpClient *http.Client
 logger *logrus.Entry
 RefreshTokenAction func() (string, error)
+ enabled bool
 }
-func NewTeamsAPI(url string, log *logrus.Logger) *TeamsAPI {
+func NewTeamsAPI(url string, log *logrus.Logger, enabled bool) *TeamsAPI {
 t := TeamsAPI{
 url: strings.TrimRight(url, "/"),
 httpClient: &http.Client{},
 logger: log.WithField("pkg", "teamsapi"),
+ enabled: enabled,
 }
 return &t
@@ -56,6 +58,10 @@ func NewTeamsAPI(url string, log *logrus.Logger) *TeamsAPI {
 func (t *TeamsAPI) TeamInfo(teamId string) (*Team, error) {
 // TODO: avoid getting a new token on every call to the Teams API.
+ if !t.enabled {
+ t.logger.Debug("Team API is disabled, returning empty list of members")
+ return &Team{}, nil
+ }
 token, err := t.RefreshTokenAction()
 if err != nil {
 return nil, err
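Review bot: In TeamsAPI.TeamInfo (pkg/util/teams/teams.go), the disabled path returns `&Team{}, nil`, which a caller cannot tell apart from a real team that has no members. If any caller derives database roles or access from the member list (presumably the user creation in Cluster.Create does, but that is not visible here), running with the teams API off and database access on would reconcile against an empty membership instead of skipping the step. Returning a sentinel error, or at least documenting the contract with `// TeamInfo returns an empty Team and a nil error when the teams API is disabled.`, makes callers handle that case explicitly. The debug message also says "empty list of members" while the value returned is an empty Team. TeamInfo's body continues outside the hunk.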