Documentation
Overview
Package sharing introduces the SecretExport and SecretImport concepts for sharing secrets between namespaces.
Index
- Constants
- func NewCombinedDockerConfigJSON(secrets []*corev1.Secret) (map[string][]byte, error)
- type K8sReader
- type NamespaceWildcardExclusionCheck
- type NamespacesMatcher
- type SecretExportReconciler
- type SecretExports
- type SecretExportsProvider
- type SecretExportsWarmedUp
- type SecretImportReconciler
- type SecretMatcher
- type SecretReconciler
- type SecretStatus
Constants
const (
// WeightAnnKey allows to control which secrets are preferred to others
// during fulfillment of secret requests. It's especially handy for
// controlling how multiple image pull secrets are merged together.
WeightAnnKey = "secretgen.carvel.dev/weight"
)
Variables
This section is empty.
Functions
func NewCombinedDockerConfigJSON
func NewCombinedDockerConfigJSON(secrets []*corev1.Secret) (map[string][]byte, error)
NewCombinedDockerConfigJSON combines multiple kubernetes.io/dockerconfigjson Secrets into a single map that can be used as the data of a single Secret. (https://kubernetes.io/docs/concepts/configuration/secret/#docker-config-secrets)
Types
type K8sReader
type K8sReader interface {
Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error
}
K8sReader is an interface for reading Kubernetes resources.
type NamespaceWildcardExclusionCheck
NamespaceWildcardExclusionCheck is a function that takes the name of a namespace and returns whether that namespace is excluded from wildcard matches.
type NamespacesMatcher
type NamespacesMatcher struct {
Selectors []sg2v1alpha1.SelectorMatchField
}
NamespacesMatcher specifies criteria for matching exported secrets based on namespace fields.
func (NamespacesMatcher) MatchNamespace
func (nm NamespacesMatcher) MatchNamespace(matcher SecretMatcher, log logr.Logger, k8sReader K8sReader) bool
MatchNamespace returns true if the given SecretMatcher matches one of the Selectors.
type SecretExportReconciler
type SecretExportReconciler struct {
// contains filtered or unexported fields
}
SecretExportReconciler watches SecretExport CRs to record which Secret resources are exported so that they can be imported in other namespaces.
func NewSecretExportReconciler
func NewSecretExportReconciler(client client.Client, secretExports SecretExportsProvider, log logr.Logger) *SecretExportReconciler
NewSecretExportReconciler constructs SecretExportReconciler.
func (*SecretExportReconciler) AttachWatches
func (r *SecretExportReconciler) AttachWatches(controller controller.Controller) error
func (*SecretExportReconciler) Reconcile
func (r *SecretExportReconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error)
Reconcile acts on a request for a SecretExport to implement a Kubernetes reconciler.
func (*SecretExportReconciler) WarmUp
func (r *SecretExportReconciler) WarmUp()
WarmUp hydrates SecretExports given to this SecretExportReconciler with latest secret exports. If this method is not called before using SecretExports then users of SecretExports such as SecretReconciler will not have complete/accurate data.
type SecretExports
type SecretExports struct {
// contains filtered or unexported fields
}
SecretExports is an in-memory cache of exported secrets. It can be asked to return secrets that match specific criteria for importing. (SecretExports is used by SecretExportReconciler to export/unexport secrets; SecretExports is used by SecretReconciler to determine imported secrets.)
func NewSecretExports
func NewSecretExports(k8sReader K8sReader, log logr.Logger) *SecretExports
NewSecretExports constructs new SecretExports cache.
func (*SecretExports) Export
func (se *SecretExports) Export(export *sg2v1alpha1.SecretExport, secret *corev1.Secret)
Export adds the in-memory representation (cached) of both the SecretExport and underlying Secret.
func (*SecretExports) MatchedSecretsForImport
func (se *SecretExports) MatchedSecretsForImport(matcher SecretMatcher, nsIsExcludedFromWildcard NamespaceWildcardExclusionCheck) []*corev1.Secret
MatchedSecretsForImport filters the secret export cache by the given criteria. Returned order (last in the array is most specific):
- secret with highest weight? (default weight=0), or
- secret within the same namespace
  - secret with specific namespace
  - secret with wildcard namespace match
- secret within other namespaces
  - secret with specific namespace
  - secret with wildcard namespace match
(in all cases fallback to secret namespace/name sort)
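The ordering contract above, WeightAnnKey and NewCombinedDockerConfigJSON fit together as follows. This is an added example, not the project's own code: it sorts so that the highest weight comes last (ties fall back to namespace/name order), then folds the dockerconfigjson "auths" maps so that the last secret wins for a registry that appears in more than one of them. The Secret struct stands in for corev1.Secret, and parsing the weight annotation as a number and skipping secrets of any other type are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

const WeightAnnKey = "secretgen.carvel.dev/weight"

// Secret stands in for corev1.Secret so the example needs only the standard library.
type Secret struct {
	Namespace, Name, Type string
	Annotations           map[string]string
	Data                  map[string][]byte
}

type dockerConfigJSON struct{ Auths map[string]json.RawMessage `json:"auths"` } // subset of a .dockerconfigjson payload

// CombineDockerConfigJSON sorts so the highest weight comes last (ties fall back to the
// namespace/name order), skips secrets that are not kubernetes.io/dockerconfigjson, and
// merges their "auths" maps; a registry listed by several secrets keeps the last entry.
func CombineDockerConfigJSON(secrets []*Secret) (map[string][]byte, error) {
	sorted := append([]*Secret(nil), secrets...)
	sort.SliceStable(sorted, func(i, j int) bool {
		// The weight annotation is assumed to hold a number; unset or malformed counts as 0.
		wi, _ := strconv.ParseFloat(sorted[i].Annotations[WeightAnnKey], 64)
		wj, _ := strconv.ParseFloat(sorted[j].Annotations[WeightAnnKey], 64)
		if wi != wj {
			return wi < wj
		}
		return sorted[i].Namespace+"/"+sorted[i].Name < sorted[j].Namespace+"/"+sorted[j].Name
	})
	auths := map[string]json.RawMessage{}
	for _, s := range sorted {
		if s.Type != "kubernetes.io/dockerconfigjson" {
			continue
		}
		var cfg dockerConfigJSON
		if err := json.Unmarshal(s.Data[".dockerconfigjson"], &cfg); err != nil {
			return nil, fmt.Errorf("%s/%s: invalid .dockerconfigjson: %w", s.Namespace, s.Name, err)
		}
		for registry, auth := range cfg.Auths {
			auths[registry] = auth // a later, preferred secret overrides an earlier one
		}
	}
	bs, _ := json.Marshal(dockerConfigJSON{Auths: auths}) // cannot fail: values already parsed as JSON
	return map[string][]byte{".dockerconfigjson": bs}, nil
}
```

Because the merge is last-writer-wins per registry, a higher-weighted export silently replaces the credentials of a lower-weighted one for the same registry; auditing which exports carry the weight annotation is the way to see who wins.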
func (*SecretExports) Unexport
func (se *SecretExports) Unexport(export *sg2v1alpha1.SecretExport)
Unexport deletes the in-memory representation (cached) of both the SecretExport and underlying Secret.
type SecretExportsProvider
type SecretExportsProvider interface {
Export(*sg2v1alpha1.SecretExport, *corev1.Secret)
Unexport(*sg2v1alpha1.SecretExport)
MatchedSecretsForImport(SecretMatcher, NamespaceWildcardExclusionCheck) []*corev1.Secret
}
SecretExportsProvider provides a way to record secrets and later query them by given criteria.
type SecretExportsWarmedUp
type SecretExportsWarmedUp struct {
WarmUpFunc func()
// contains filtered or unexported fields
}
SecretExportsWarmedUp is a SecretExportsProvider that calls WarmUpFunc once on first access.
func NewSecretExportsWarmedUp
func NewSecretExportsWarmedUp(delegate SecretExportsProvider) *SecretExportsWarmedUp
NewSecretExportsWarmedUp constructs new SecretExportsWarmedUp.
func (*SecretExportsWarmedUp) Export
func (se *SecretExportsWarmedUp) Export(export *sg2v1alpha1.SecretExport, secret *corev1.Secret)
Export delegates.
func (*SecretExportsWarmedUp) MatchedSecretsForImport
func (se *SecretExportsWarmedUp) MatchedSecretsForImport(matcher SecretMatcher, nsIsExcludedFromWildcard NamespaceWildcardExclusionCheck) []*corev1.Secret
MatchedSecretsForImport warms up and then delegates.
func (*SecretExportsWarmedUp) Unexport
func (se *SecretExportsWarmedUp) Unexport(export *sg2v1alpha1.SecretExport)
Unexport delegates.
type SecretImportReconciler
type SecretImportReconciler struct {
// contains filtered or unexported fields
}
SecretImportReconciler creates an imported Secret if it was exported.
func NewSecretImportReconciler
func NewSecretImportReconciler(client client.Client, secretExports SecretExportsProvider, log logr.Logger) *SecretImportReconciler
NewSecretImportReconciler constructs SecretImportReconciler.
func (*SecretImportReconciler) AttachWatches
func (r *SecretImportReconciler) AttachWatches(controller controller.Controller) error
type SecretMatcher
type SecretMatcher struct {
FromName string
FromNamespace string
ToNamespace string
Subject string
SecretType corev1.SecretType
Ctx context.Context
}
SecretMatcher specifies criteria for matching exported secrets.
type SecretReconciler
type SecretReconciler struct {
// contains filtered or unexported fields
}
SecretReconciler watches Secret resources. If a Secret is recognized as a placeholder secret for image pull secrets, it is filled with a combined image pull secret built from the exported secrets that match that Secret's import criteria.
func NewSecretReconciler
func NewSecretReconciler(client client.Client, secretExports SecretExportsProvider, log logr.Logger) *SecretReconciler
NewSecretReconciler constructs SecretReconciler.
func (*SecretReconciler) AttachWatches
func (r *SecretReconciler) AttachWatches(controller controller.Controller) error
type SecretStatus
type SecretStatus struct {
Conditions []sgv1alpha1.Condition `json:"conditions,omitempty"`
SecretNames []string `json:"secretNames,omitempty"`
}