From 03064637f14bdc1a088a7833d8da861033ce29de Mon Sep 17 00:00:00 2001
From: Oleksii Kliukin <oleksii.kliukin@zalando.de>
Date: Fri, 12 May 2017 17:18:41 +0200
Subject: [PATCH] Allow disabling access to the DB and the Teams API.

Command-line options --nodatabaseaccess and --noteamsapi disable all teams api interaction and access to the Postgres database. This is useful for debugging purposes when the operator runs out of cluster (with --outofcluster flag). The same effect can be achieved by setting enable_db_access and/or enable_teams_api to false.
---
 cmd/main.go | 10 ++++++++++
 pkg/cluster/cluster.go | 18 ++++++++++--------
 pkg/cluster/pg.go | 11 +++++++----
 pkg/cluster/sync.go | 3 +++
 pkg/controller/controller.go | 2 +-
 pkg/util/config/config.go | 2 ++
 pkg/util/teams/teams.go | 8 +++++++-
 7 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/cmd/main.go b/cmd/main.go
index d283c5a1..697058a0 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -19,12 +19,16 @@ var (
 	podNamespace string
 	configMapName spec.NamespacedName
 	OutOfCluster bool
+	noTeamsAPI bool
+	noDBAccess bool
 	version string
 )
 
 func init() {
 	flag.StringVar(&KubeConfigFile, "kubeconfig", "", "Path to kubeconfig file with authorization and master location information.")
 	flag.BoolVar(&OutOfCluster, "outofcluster", false, "Whether the operator runs in- our outside of the Kubernetes cluster.")
+	flag.BoolVar(&noDBAccess, "nodatabaseaccess", false, "Disable all access to the database from the operator side.")
+	flag.BoolVar(&noTeamsAPI, "noteamsapi", false, "Disable all access to the teams API")
 	flag.Parse()
 
 	podNamespace = os.Getenv("MY_POD_NAMESPACE")
@@ -87,6 +91,12 @@ func main() {
 	if configMapData["namespace"] == "" { // Namespace in ConfigMap has priority over env var
 		configMapData["namespace"] = podNamespace
 	}
+	if noDBAccess {
+		configMapData["enable_db_access"] = "false"
+	}
+	if noTeamsAPI {
+		configMapData["enable_teams_api"] = "false"
+	}
 	cfg := config.NewFromMap(configMapData)
 	log.Printf("Config: %s", cfg.MustMarshal())
 
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index b870c963..895b9194 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -227,18 +227,20 @@ func (c *Cluster) Create(stopCh <-chan struct{}) error {
 	}
 	c.logger.Infof("Pods are ready")
 
-	if !c.masterLess {
-		if err = c.initDbConn(); err != nil {
+	if !(c.masterLess || c.DatabaseAccessDisabled()) {
+		if err := c.initDbConn(); err != nil {
 			return fmt.Errorf("Can't init db connection: %s", err)
-		}
-
-		if err = c.createUsers(); err != nil {
-			return fmt.Errorf("Can't create users: %s", err)
 		} else {
-			c.logger.Infof("Users have been successfully created")
+			if err = c.createUsers(); err != nil {
+				return fmt.Errorf("Can't create users: %s", err)
+			} else {
+				c.logger.Infof("Users have been successfully created")
+			}
 		}
 	} else {
-		c.logger.Warnln("Cluster is masterless")
+		if c.masterLess {
+			c.logger.Warnln("Cluster is masterless")
+		}
 	}
 
 	c.ListResources()
diff --git a/pkg/cluster/pg.go b/pkg/cluster/pg.go
index fa325047..34816bca 100644
--- a/pkg/cluster/pg.go
+++ b/pkg/cluster/pg.go
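Review bot: The `noDBAccess`/`noTeamsAPI` overrides are applied silently, so a ConfigMap that explicitly sets `enable_db_access` to true loses to the command-line flag with nothing in the log explaining why user provisioning and Teams API lookups stopped; the commit message ties these flags to `--outofcluster` debugging, but nothing in this hunk enforces or warns about that coupling. I would log the override where it happens, e.g. `log.Printf("WARNING: --nodatabaseaccess given, database access disabled; users and roles will not be synced")` inside the `if noDBAccess` branch, with the equivalent line for `noTeamsAPI`. Whether an in-cluster run with these flags should be refused outright I cannot tell from here; main continues outside the hunk.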
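Review bot: With database access disabled the new condition makes Create() return success without ever calling createUsers, and the only trace is the debug-level message inside DatabaseAccessDisabled(); the nested `else { if c.masterLess {...} }` leaves that case with no log at all. The `if err := c.initDbConn()` also shadows the `err` that the `if err = c.createUsers()` line still assigns to, and the else-after-return nesting can be flattened. I would restructure the block as below, with a warn-level message for the skipped provisioning. Create() starts and ends outside this hunk.
```go
	if c.masterLess {
		c.logger.Warnln("Cluster is masterless")
	} else if c.DatabaseAccessDisabled() {
		c.logger.Warnln("Database access is disabled, skipping user creation")
	} else {
		if err = c.initDbConn(); err != nil {
			return fmt.Errorf("Can't init db connection: %s", err)
		}
		if err = c.createUsers(); err != nil {
			return fmt.Errorf("Can't create users: %s", err)
		}
		c.logger.Infof("Users have been successfully created")
	}
	// … unchanged: c.ListResources() …
```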
@@ -32,10 +32,14 @@ func (c *Cluster) pgConnectionString() string {
 		strings.Replace(password, "$", "\\$", -1))
 }
 
-func (c *Cluster) initDbConn() error {
-	//TODO: concurrent safe?
+func (c *Cluster) DatabaseAccessDisabled() bool {
+	if c.OpConfig.EnableDBAccess == false {
+		c.logger.Debugf("Database access is disabled")
+	}
+	return c.OpConfig.EnableDBAccess == false
+}
+func (c *Cluster) initDbConn() (err error) {
 	if c.pgDb == nil {
-		if c.pgDb == nil {
 			conn, err := sql.Open("postgres", c.pgConnectionString())
 			if err != nil {
 				return err
@@ -47,7 +51,6 @@ func (c *Cluster) initDbConn() error {
 			}
 
 			c.pgDb = conn
-		}
 	}
 
 	return nil
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 07e076d9..11e89d60 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -36,6 +36,9 @@ func (c *Cluster) SyncCluster(stopCh <-chan struct{}) {
 	if err := c.syncStatefulSet(); err != nil {
 		c.logger.Errorf("Can't sync StatefulSets: %s", err)
 	}
+	if c.DatabaseAccessDisabled() {
+		return
+	}
 	if err := c.initDbConn(); err != nil {
 		c.logger.Errorf("Can't init db connection: %s", err)
 	} else {
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index dcb99797..05ce145d 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -50,7 +50,7 @@ func New(controllerConfig *Config, operatorConfig *config.Config) *Controller {
 		logger.Level = logrus.DebugLevel
 	}
 
-	controllerConfig.TeamsAPIClient = teams.NewTeamsAPI(operatorConfig.TeamsAPIUrl, logger)
+	controllerConfig.TeamsAPIClient = teams.NewTeamsAPI(operatorConfig.TeamsAPIUrl, logger, operatorConfig.EnableTeamsAPI)
 	return &Controller{
 		Config: *controllerConfig,
 		opConfig: operatorConfig,
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 561c0fc1..96b9ff65 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
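Review bot: The `//TODO: concurrent safe?` comment is deleted without being resolved: initDbConn still does an unsynchronized check-then-set on `c.pgDb`, so if Create() and SyncCluster() can run for the same cluster at the same time (I cannot tell from this hunk) two connections may be opened and one leaked. Keep the TODO or guard the lazy init with a mutex or sync.Once. Separately, DatabaseAccessDisabled() is exported without a doc comment and spells its test as `== false`; `return !c.OpConfig.EnableDBAccess` reads better, and since the Debugf now fires on every sync pass it is better dropped here and logged once by the callers. The named result `(err error)` on initDbConn is immediately shadowed by `conn, err := sql.Open(...)`, so a plain `error` return is clearer. initDbConn continues into the next hunk and beyond it.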
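Review bot: The new early `return` skips everything that follows in SyncCluster, not just the database connection, and the only record of that is the debug-level line inside DatabaseAccessDisabled(); anything non-database placed after the `initDbConn` block (the rest of the function is outside this hunk) would be silently dropped too. I would log the decision at a level operators actually see, e.g. `c.logger.Warnln("Database access is disabled, skipping user sync")` before the `return`, and confirm nothing below the DB block still needs to run when access is off.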
@@ -52,6 +52,8 @@ type Config struct {
 	WALES3Bucket string `name:"wal_s3_bucket"`
 	KubeIAMRole string `name:"kube_iam_role"`
 	DebugLogging bool `name:"debug_logging" default:"false"`
+	EnableDBAccess bool `name:"enable_db_access" default:"true"`
+	EnableTeamsAPI bool `name:"enable_teams_api" default:"true"`
 	DNSNameFormat string `name:"dns_name_format" default:"%s.%s.%s"`
 	Workers uint32 `name:"workers" default:"4"`
 }
diff --git a/pkg/util/teams/teams.go b/pkg/util/teams/teams.go
index 69480353..6b0ba9e2 100644
--- a/pkg/util/teams/teams.go
+++ b/pkg/util/teams/teams.go
@@ -42,13 +42,15 @@ type TeamsAPI struct {
 	httpClient *http.Client
 	logger *logrus.Entry
 	RefreshTokenAction func() (string, error)
+	enabled bool
 }
 
-func NewTeamsAPI(url string, log *logrus.Logger) *TeamsAPI {
+func NewTeamsAPI(url string, log *logrus.Logger, enabled bool) *TeamsAPI {
 	t := TeamsAPI{
 		url: strings.TrimRight(url, "/"),
 		httpClient: &http.Client{},
 		logger: log.WithField("pkg", "teamsapi"),
+		enabled: enabled,
 	}
 
 	return &t
@@ -56,6 +58,10 @@ func NewTeamsAPI(url string, log *logrus.Logger) *TeamsAPI {
 
 func (t *TeamsAPI) TeamInfo(teamId string) (*Team, error) {
 	// TODO: avoid getting a new token on every call to the Teams API.
+	if !t.enabled {
+		t.logger.Debug("Team API is disabled, returning empty list of members")
+		return &Team{}, nil
+	}
 	token, err := t.RefreshTokenAction()
 	if err != nil {
 		return nil, err
-- 
GitLab
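Review bot: Returning `&Team{}, nil` when the API is disabled makes "Teams API switched off" indistinguishable from "this team exists and has no members", so any caller that derives database roles or access from `TeamInfo` will treat the disabled state as a genuinely empty team; if a caller revokes or drops roles for members no longer in the team (the callers are not visible from this hunk), disabling the API could revoke every team member's access. A distinguishable signal is safer: return a sentinel such as `var ErrTeamsAPIDisabled = errors.New("teams API is disabled")` from this branch, or expose `func (t *TeamsAPI) Enabled() bool` so callers skip the lookup explicitly instead of acting on an empty result. The log message also says "Team API" where the rest of the patch says "Teams API". TeamInfo continues outside the hunk.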