ngrok · jonstacks · Jun 11, 2026
@@ -49,6 +49,7 @@ import (
 	agentcontroller "github.com/ngrok/ngrok-operator/internal/controller/agent"
 	"github.com/ngrok/ngrok-operator/internal/controller/labels"
 	"github.com/ngrok/ngrok-operator/internal/drain"
+	"github.com/ngrok/ngrok-operator/internal/env"
 	"github.com/ngrok/ngrok-operator/internal/healthcheck"
 	"github.com/ngrok/ngrok-operator/internal/version"
 	"github.com/ngrok/ngrok-operator/pkg/agent"
@@ -105,27 +106,28 @@ func agentCmd() *cobra.Command {
 	c.Flags().StringVar(&opts.releaseName, "release-name", "ngrok-operator", "Helm Release name for the deployed operator")
 	c.Flags().StringVar(&opts.metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to")
 	c.Flags().StringVar(&opts.probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	c.Flags().StringVar(&opts.description, "description", "Created by the ngrok-operator", "Description for this installation")
+	c.Flags().StringVar(&opts.description, "description", env.StringFromEnv("NGROK_OPERATOR_DESCRIPTION", "Created by the ngrok-operator"), "Description for this installation")
 	// TODO(operator-rename): Same as above, but for the manager name.
 	c.Flags().StringVar(&opts.managerName, "manager-name", "agent-manager", "Manager name to identify unique ngrok operator agent instances")
-	c.Flags().StringVar(&opts.watchNamespace, "watch-namespace", "", "Namespace to watch for AgentEndpoint resources. Defaults to all namespaces.")
+	c.Flags().StringVar(&opts.watchNamespace, "watch-namespace", env.StringFromEnv("NGROK_OPERATOR_FEATURES_INGRESS_WATCH_NAMESPACE", ""), "Namespace to watch for AgentEndpoint resources. Defaults to all namespaces.")
 
 	// agent(tunnel driver) flags
-	c.Flags().StringVar(&opts.region, "region", "", "The region to use for ngrok tunnels")
-	c.Flags().StringVar(&opts.serverAddr, "server-addr", "", "The address of the ngrok server to use for tunnels")
-	c.Flags().StringVar(&opts.rootCAs, "root-cas", "trusted", "trusted (default) or host: use the trusted ngrok agent CA or the host CA")
+	c.Flags().StringVar(&opts.region, "region", env.StringFromEnv("NGROK_OPERATOR_REGION", ""), "The region to use for ngrok tunnels")
+	c.Flags().StringVar(&opts.serverAddr, "server-addr", env.StringFromEnv("NGROK_OPERATOR_SERVER_ADDR", ""), "The address of the ngrok server to use for tunnels")
+	c.Flags().StringVar(&opts.rootCAs, "root-cas", env.StringFromEnv("NGROK_OPERATOR_ROOT_CAS", "trusted"), "trusted (default) or host: use the trusted ngrok agent CA or the host CA")
 
 	// feature flags
-	c.Flags().BoolVar(&opts.enableFeatureIngress, "enable-feature-ingress", true, "Enables the Ingress controller")
-	c.Flags().BoolVar(&opts.enableFeatureGateway, "enable-feature-gateway", true, "When true, enables support for Gateway API if the CRDs are detected. When false, Gateway API support will not be enabled")
-	c.Flags().BoolVar(&opts.disableGatewayReferenceGrants, "disable-reference-grants", false, "Opts-out of requiring ReferenceGrants for cross namespace references in Gateway API config")
-	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", false, "Enables the Endpoint Bindings controller")
+	c.Flags().BoolVar(&opts.enableFeatureIngress, "enable-feature-ingress", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_INGRESS_ENABLED", true), "Enables the Ingress controller")
+	c.Flags().BoolVar(&opts.enableFeatureGateway, "enable-feature-gateway", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_GATEWAY_ENABLED", true), "When true, enables support for Gateway API if the CRDs are detected. When false, Gateway API support will not be enabled")
+	c.Flags().BoolVar(&opts.disableGatewayReferenceGrants, "disable-reference-grants", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_GATEWAY_DISABLE_REFERENCE_GRANTS", false), "Opts-out of requiring ReferenceGrants for cross namespace references in Gateway API config")
+	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_BINDINGS_ENABLED", false), "Enables the Endpoint Bindings controller")
 
-	c.Flags().StringVar(&opts.defaultDomainReclaimPolicy, "default-domain-reclaim-policy", string(ingressv1alpha1.DomainReclaimPolicyDelete), "The default domain reclaim policy to apply to created domains")
+	c.Flags().StringVar(&opts.defaultDomainReclaimPolicy, "default-domain-reclaim-policy", env.StringFromEnv("NGROK_OPERATOR_FEATURES_DEFAULT_DOMAIN_RECLAIM_POLICY", string(ingressv1alpha1.DomainReclaimPolicyDelete)), "The default domain reclaim policy to apply to created domains")
 
 	opts.zapOpts = &zap.Options{}
 	goFlagSet := flag.NewFlagSet("manager", flag.ContinueOnError)
 	opts.zapOpts.BindFlags(goFlagSet)
+	env.BindZapFlagDefaults(goFlagSet)
 	c.Flags().AddGoFlagSet(goFlagSet)
 
 	return c

@@ -67,6 +67,7 @@ import (
 	ngrokcontroller "github.com/ngrok/ngrok-operator/internal/controller/ngrok"
 	servicecontroller "github.com/ngrok/ngrok-operator/internal/controller/service"
 	"github.com/ngrok/ngrok-operator/internal/drain"
+	"github.com/ngrok/ngrok-operator/internal/env"
 	"github.com/ngrok/ngrok-operator/internal/ngrokapi"
 	"github.com/ngrok/ngrok-operator/internal/util"
 	"github.com/ngrok/ngrok-operator/internal/version"
@@ -150,33 +151,35 @@ func apiCmd() *cobra.Command {
 	c.Flags().StringVar(&opts.metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to")
 	c.Flags().StringVar(&opts.probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	c.Flags().StringVar(&opts.electionID, "election-id", "ngrok-operator-leader", "The name of the configmap that is used for holding the leader lock")
-	c.Flags().StringVar(&opts.ngrokMetadata, "ngrokMetadata", "", "A comma separated list of key=value pairs such as 'key1=value1,key2=value2' to be added to ngrok api resources as labels")
-	c.Flags().StringVar(&opts.description, "description", "Created by the ngrok-operator", "Description for this installation")
-	c.Flags().StringVar(&opts.region, "region", "", "The region to use for ngrok tunnels")
-	c.Flags().StringVar(&opts.serverAddr, "server-addr", "", "The address of the ngrok server to use for tunnels")
-	c.Flags().StringVar(&opts.apiURL, "api-url", "", "The base URL to use for the ngrok api")
-	c.Flags().StringVar(&opts.ingressControllerName, "ingress-controller-name", "ngrok.com/ingress-controller", "The name of the controller to use for matching ingresses classes")
-	c.Flags().StringVar(&opts.ingressWatchNamespace, "ingress-watch-namespace", "", "Namespace to watch for Kubernetes Ingress resources. Defaults to all namespaces.")
+	c.Flags().StringVar(&opts.ngrokMetadata, "ngrokMetadata", env.StringFromEnv("NGROK_OPERATOR_METADATA", ""), "A comma separated list of key=value pairs such as 'key1=value1,key2=value2' to be added to ngrok api resources as labels")
+	c.Flags().StringVar(&opts.description, "description", env.StringFromEnv("NGROK_OPERATOR_DESCRIPTION", "Created by the ngrok-operator"), "Description for this installation")
+	c.Flags().StringVar(&opts.region, "region", env.StringFromEnv("NGROK_OPERATOR_REGION", ""), "The region to use for ngrok tunnels")
+	c.Flags().StringVar(&opts.serverAddr, "server-addr", env.StringFromEnv("NGROK_OPERATOR_SERVER_ADDR", ""), "The address of the ngrok server to use for tunnels")
+	c.Flags().StringVar(&opts.apiURL, "api-url", env.StringFromEnv("NGROK_OPERATOR_API_URL", ""), "The base URL to use for the ngrok api")
+	// TODO(operator-rename): This probably needs to be on a per controller basis. Each of the controllers will have their own value or we migrate this to ngrok.com/ngrok-operator.
+	c.Flags().StringVar(&opts.ingressControllerName, "ingress-controller-name", env.StringFromEnv("NGROK_OPERATOR_FEATURES_INGRESS_CONTROLLER_NAME", "ngrok.com/ingress-controller"), "The name of the controller to use for matching ingresses classes")
+	c.Flags().StringVar(&opts.ingressWatchNamespace, "ingress-watch-namespace", env.StringFromEnv("NGROK_OPERATOR_FEATURES_INGRESS_WATCH_NAMESPACE", ""), "Namespace to watch for Kubernetes Ingress resources. Defaults to all namespaces.")
 	// TODO(operator-rename): Same as above, but for the manager name.
 	c.Flags().StringVar(&opts.managerName, "manager-name", "ngrok-ingress-controller-manager", "Manager name to identify unique ngrok ingress controller instances")
-	c.Flags().StringVar(&opts.clusterDomain, "cluster-domain", common.DefaultClusterDomain, "Cluster domain used in the cluster")
-	c.Flags().BoolVar(&opts.oneClickDemoMode, "one-click-demo-mode", false, "Run the operator in one-click-demo mode (Ready, but not running)")
+	c.Flags().StringVar(&opts.clusterDomain, "cluster-domain", env.StringFromEnv("NGROK_OPERATOR_CLUSTER_DOMAIN", common.DefaultClusterDomain), "Cluster domain used in the cluster")
+	c.Flags().BoolVar(&opts.oneClickDemoMode, "one-click-demo-mode", env.BoolFromEnv("NGROK_OPERATOR_ONE_CLICK_DEMO_MODE", false), "Run the operator in one-click-demo mode (Ready, but not running)")
 
 	// feature flags
-	c.Flags().BoolVar(&opts.enableFeatureIngress, "enable-feature-ingress", true, "Enables the Ingress controller")
-	c.Flags().BoolVar(&opts.enableFeatureGateway, "enable-feature-gateway", true, "When true, enables support for Gateway API if the CRDs are detected. When false, Gateway API support will not be enabled")
-	c.Flags().BoolVar(&opts.disableGatewayReferenceGrants, "disable-reference-grants", false, "Opts-out of requiring ReferenceGrants for cross namespace references in Gateway API config")
-	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", false, "Enables the Endpoint Bindings controller")
-	c.Flags().StringSliceVar(&opts.bindings.endpointSelectors, "bindings-endpoint-selectors", []string{"true"}, "Endpoint Selectors for Endpoint Bindings")
-	c.Flags().StringVar(&opts.bindings.serviceAnnotations, "bindings-service-annotations", "", "Service Annotations to propagate to the target service")
-	c.Flags().StringVar(&opts.bindings.serviceLabels, "bindings-service-labels", "", "Service Labels to propagate to the target service")
-	c.Flags().StringVar(&opts.bindings.ingressEndpoint, "bindings-ingress-endpoint", "", "The endpoint the bindings forwarder connects to")
-	c.Flags().StringVar(&opts.defaultDomainReclaimPolicy, "default-domain-reclaim-policy", string(ingressv1alpha1.DomainReclaimPolicyDelete), "The default domain reclaim policy to apply to created domains")
-	c.Flags().StringVar((*string)(&opts.drainPolicy), "drain-policy", string(ngrokv1alpha1.DrainPolicyRetain), "Policy for draining resources during uninstall: Delete or Retain")
+	c.Flags().BoolVar(&opts.enableFeatureIngress, "enable-feature-ingress", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_INGRESS_ENABLED", true), "Enables the Ingress controller")
+	c.Flags().BoolVar(&opts.enableFeatureGateway, "enable-feature-gateway", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_GATEWAY_ENABLED", true), "When true, enables support for Gateway API if the CRDs are detected. When false, Gateway API support will not be enabled")
+	c.Flags().BoolVar(&opts.disableGatewayReferenceGrants, "disable-reference-grants", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_GATEWAY_DISABLE_REFERENCE_GRANTS", false), "Opts-out of requiring ReferenceGrants for cross namespace references in Gateway API config")
+	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", env.BoolFromEnv("NGROK_OPERATOR_FEATURES_BINDINGS_ENABLED", false), "Enables the Endpoint Bindings controller")
+	c.Flags().StringSliceVar(&opts.bindings.endpointSelectors, "bindings-endpoint-selectors", env.StringSliceFromEnv("NGROK_OPERATOR_FEATURES_BINDINGS_ENDPOINT_SELECTORS", []string{"true"}), "Endpoint Selectors for Endpoint Bindings")
+	c.Flags().StringVar(&opts.bindings.serviceAnnotations, "bindings-service-annotations", env.StringFromEnv("NGROK_OPERATOR_FEATURES_BINDINGS_SERVICE_ANNOTATIONS", ""), "Service Annotations to propagate to the target service")
+	c.Flags().StringVar(&opts.bindings.serviceLabels, "bindings-service-labels", env.StringFromEnv("NGROK_OPERATOR_FEATURES_BINDINGS_SERVICE_LABELS", ""), "Service Labels to propagate to the target service")
+	c.Flags().StringVar(&opts.bindings.ingressEndpoint, "bindings-ingress-endpoint", env.StringFromEnv("NGROK_OPERATOR_FEATURES_BINDINGS_INGRESS_ENDPOINT", ""), "The endpoint the bindings forwarder connects to")
+	c.Flags().StringVar(&opts.defaultDomainReclaimPolicy, "default-domain-reclaim-policy", env.StringFromEnv("NGROK_OPERATOR_FEATURES_DEFAULT_DOMAIN_RECLAIM_POLICY", string(ingressv1alpha1.DomainReclaimPolicyDelete)), "The default domain reclaim policy to apply to created domains")
+	c.Flags().StringVar((*string)(&opts.drainPolicy), "drain-policy", env.StringFromEnv("NGROK_OPERATOR_FEATURES_DRAIN_POLICY", string(ngrokv1alpha1.DrainPolicyRetain)), "Policy for draining resources during uninstall: Delete or Retain")
 
 	opts.zapOpts = &zap.Options{}
 	goFlagSet := flag.NewFlagSet("manager", flag.ContinueOnError)
 	opts.zapOpts.BindFlags(goFlagSet)
+	env.BindZapFlagDefaults(goFlagSet)
 	c.Flags().AddGoFlagSet(goFlagSet)
 
 	return c

@@ -47,6 +47,7 @@ import (
 	ngrokv1alpha1 "github.com/ngrok/ngrok-operator/api/ngrok/v1alpha1"
 	bindingscontroller "github.com/ngrok/ngrok-operator/internal/controller/bindings"
 	"github.com/ngrok/ngrok-operator/internal/drain"
+	"github.com/ngrok/ngrok-operator/internal/env"
 	"github.com/ngrok/ngrok-operator/internal/util"
 	"github.com/ngrok/ngrok-operator/internal/version"
 	"github.com/ngrok/ngrok-operator/pkg/bindingsdriver"
@@ -86,12 +87,13 @@ func bindingsForwarderCmd() *cobra.Command {
 	c.Flags().StringVar(&opts.releaseName, "release-name", "ngrok-operator", "Helm Release name for the deployed operator")
 	c.Flags().StringVar(&opts.metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to")
 	c.Flags().StringVar(&opts.probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	c.Flags().StringVar(&opts.description, "description", "Created by the ngrok-operator", "Description for this installation")
+	c.Flags().StringVar(&opts.description, "description", env.StringFromEnv("NGROK_OPERATOR_DESCRIPTION", "Created by the ngrok-operator"), "Description for this installation")
 	c.Flags().StringVar(&opts.managerName, "manager-name", "bindings-forwarder-manager", "Manager name to identify unique ngrok operator agent instances")
 
 	opts.zapOpts = &zap.Options{}
 	goFlagSet := flag.NewFlagSet("manager", flag.ContinueOnError)
 	opts.zapOpts.BindFlags(goFlagSet)
+	env.BindZapFlagDefaults(goFlagSet)
 	c.Flags().AddGoFlagSet(goFlagSet)
 
 	return c

@@ -27,7 +27,7 @@ kubectl delete -f operator-manifests.yaml
 
 ## Drain Policies
 
-Configure via the `drainPolicy` Helm value:
+Configure via the `features.drainPolicy` Helm value:
 
 | Policy | ngrok API Resources | Best For |
 |--------|---------------------|----------|
@@ -53,7 +53,7 @@ When multiple operator instances exist, drain only affects resources managed by
 
 - **Ingress**: Filtered by `IngressClass`
 - **Gateway/Routes**: Filtered by `GatewayClass`
-- **Other resources**: Filtered by namespace (if `watchNamespace` is set)
+- **Other resources**: Filtered by namespace (if `features.ingress.watchNamespace` is set)
 
 ## Troubleshooting
 
@@ -82,7 +82,8 @@ Delete manually from [ngrok Dashboard](https://dashboard.ngrok.com) or via the n
 ## Helm Configuration
 
 ```yaml
-drainPolicy: "Retain"  # or "Delete"
+features:
+  drainPolicy: "Retain"  # or "Delete"
 
 cleanupHook:
   enabled: true        # default

@@ -13,6 +13,7 @@ require (
 	github.com/onsi/gomega v1.41.0
 	github.com/segmentio/ksuid v1.0.4
 	github.com/spf13/cobra v1.10.2
+	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	go.uber.org/zap v1.28.0
@@ -77,7 +78,6 @@ require (
 	github.com/prometheus/common v0.68.0 // indirect
 	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.1.0 // indirect
 	go.starlark.net v0.0.0-20230103143115-09991d3a103e // indirect