Skip to main content

Overview

The controller-manager subcommand runs the Datum control plane controller manager, which extends the Milo control plane with Datum Cloud-specific functionality.

Usage

datum controller-manager [flags]

Description

The controller-manager watches for Kubernetes resources and reconciles them to maintain the desired state. It currently includes:
  • PersonalOrganizationController: Automatically creates personal organizations and projects for users

Flags

Metrics and Health

--metrics-bind-address
string
default:"0"
The address the metrics endpoint binds to. Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.
--health-probe-bind-address
string
default:":8081"
The address the probe endpoint binds to.
--metrics-secure
boolean
default:"true"
If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.

Leader Election

--leader-elect
boolean
default:"false"
Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
--leader-election-id
string
default:"81afa9db.datumapis.com"
The name of the resource that leader election will use for holding the leader lock.
--leader-election-namespace
string
default:""
The namespace in which the leader election resource will be created. If not specified, it will use the namespace where the controller is running.
--leader-election-lease-duration
duration
default:"15s"
The duration that non-leader candidates will wait to force acquire leadership.
--leader-election-renew-deadline
duration
default:"10s"
The duration that the acting leader will retry refreshing leadership before giving up.
--leader-election-retry-period
duration
default:"2s"
The duration the LeaderElector clients should wait between tries of actions.
--leader-election-release-on-cancel
boolean
default:"false"
If the leader should step down voluntarily when the Manager ends. This requires the binary to immediately end when the Manager is stopped.

Security and Certificates

--webhook-cert-path
string
default:""
The directory that contains the webhook certificate.
--webhook-cert-name
string
default:"tls.crt"
The name of the webhook certificate file.
--webhook-cert-key
string
default:"tls.key"
The name of the webhook key file.
--metrics-cert-path
string
default:""
The directory that contains the metrics server certificate.
--metrics-cert-name
string
default:"tls.crt"
The name of the metrics server certificate file.
--metrics-cert-key
string
default:"tls.key"
The name of the metrics server key file.
--enable-http2
boolean
default:"false"
If set, HTTP/2 will be enabled for the metrics and webhook servers. Disabled by default due to HTTP/2 vulnerabilities (CVE-2023-44487, CVE-2023-39325).

Configuration

--config
string
default:""
Path to the controller manager config file. The config file allows you to configure controllers and their behavior.

Configuration File

The controller manager can be configured using a YAML configuration file: 
apiVersion: config.datumapis.com/v1alpha1
kind: DatumControllerManager
metricsServer:
  secureServing: true
  bindAddress: ":8443"
  tls:
    certDir: /tmp/k8s-metrics-server/serving-certs
    certName: tls.crt
    keyName: tls.key
personalOrganizationController:
  roleName: datum-cloud-owner
  roleNamespace: datum-assignable-organization-roles

Configuration Fields

Examples

Basic usage with metrics enabled

datum controller-manager \
  --metrics-bind-address=:8443 \
  --health-probe-bind-address=:8081

Enable leader election for high availability

datum controller-manager \
  --leader-elect \
  --leader-election-namespace=datum-system

Use custom certificates

datum controller-manager \
  --metrics-cert-path=/etc/certs/metrics \
  --metrics-cert-name=server.crt \
  --metrics-cert-key=server.key

Load configuration from file

datum controller-manager \
  --config=/etc/datum/controller-config.yaml

Production deployment example

datum controller-manager \
  --config=/etc/datum/controller-config.yaml \
  --leader-elect \
  --metrics-bind-address=:8443 \
  --health-probe-bind-address=:8081 \
  --metrics-secure=true \
  --zap-log-level=info

Health Checks

The controller manager exposes two health check endpoints:
  • /healthz - Liveness probe endpoint
  • /readyz - Readiness probe endpoint
Both endpoints respond with HTTP 200 when healthy.

Metrics

When metrics are enabled, Prometheus metrics are exposed at the configured metrics bind address. By default, the metrics endpoint is protected with authentication and authorization using Kubernetes RBAC.

Source Reference

Source: cmd/controller/manager.go:50-138