Documentation ¶
Index ¶
- Variables
- func Build(opts Options) []client.Object
- func BuildClusterRole(opts Options) *rbacv1.ClusterRole
- func BuildClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding
- func BuildRoute(opts Options) client.Object
- func BuildServiceAccount(opts Options) client.Object
- func BuildServiceCAConfigMap(opts Options) *corev1.ConfigMap
- func ConfigureGatewayDeployment(d *appsv1.Deployment, gwContainerName string, ...) error
- func ConfigureGatewayService(s *corev1.ServiceSpec) error
- func ConfigureGatewayServiceMonitor(sm *monitoringv1.ServiceMonitor, withTLS bool) error
- type AuthenticationSpec
- type AuthorizationSpec
- type BuildOptions
- type Options
- type TenantData
Constants ¶
This section is empty.
Variables ¶
var (
	// GatewayOPAHTTPPort is the HTTP port of the OpenPolicyAgent sidecar.
	GatewayOPAHTTPPort int32 = 8082
	// GatewayOPAInternalPort is the HTTP metrics port of the OpenPolicyAgent sidecar.
	GatewayOPAInternalPort int32 = 8083
	// GatewayOPAHTTPPortName is the HTTP container port name of the OpenPolicyAgent sidecar.
	GatewayOPAHTTPPortName = "public"
	// GatewayOPAInternalPortName is the HTTP container metrics port name of the OpenPolicyAgent sidecar.
	GatewayOPAInternalPortName = "opa-metrics"
	// ServingCertKey is the annotation key for services used by the
	// cert-signing service to create a new key/cert pair signed
	// by the service CA stored in a secret with the same name
	// as the annotated service.
	ServingCertKey = "service.beta.openshift.io/serving-cert-secret-name"
	// InjectCABundleKey is the annotation key for configmaps used by the
	// cert-signing service to inject the service CA into the annotated
	// configmap.
	InjectCABundleKey = "service.beta.openshift.io/inject-cabundle"
)
Functions ¶
func Build ¶
Build returns a list of auxiliary openshift/k8s objects for lokistack gateway deployments on OpenShift.
func BuildClusterRole ¶
func BuildClusterRole(opts Options) *rbacv1.ClusterRole
BuildClusterRole returns a k8s ClusterRole object for the lokistack gateway serviceaccount to allow creating:
- TokenReviews to authenticate the user by bearer token.
- SubjectAccessReviews to authorize the user by bearer token, checking whether the user has access to read/create logs.
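A least-privilege check for the role described above, as an added example that is not part of the operator's code: it flags any grant beyond "create" on the two review resources. `PolicyRule` is a local stand-in for the matching fields of `rbacv1.PolicyRule`, `ExcessGrants` is a hypothetical helper, and the API groups `authentication.k8s.io` and `authorization.k8s.io` are assumed for TokenReviews and SubjectAccessReviews.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule is a local stand-in for the APIGroups, Resources and Verbs
// fields of rbacv1.PolicyRule, so the check runs without k8s.io/api.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// allowed holds the only grants the description above calls for
// (group names are an assumption of this example).
var allowed = map[string]bool{
	"authentication.k8s.io/tokenreviews/create":        true,
	"authorization.k8s.io/subjectaccessreviews/create": true,
}

// ExcessGrants expands every rule into group/resource/verb triples and
// returns, sorted, the ones that fall outside the allowed set.
// Wildcards are not expanded: "*" never matches an allowed entry.
func ExcessGrants(rules []PolicyRule) []string {
	var excess []string
	for _, r := range rules {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					if key := g + "/" + res + "/" + v; !allowed[key] {
						excess = append(excess, key)
					}
				}
			}
		}
	}
	sort.Strings(excess)
	return excess
}

func main() {
	// Constructed sample: the second rule drifts beyond the documented scope.
	rules := []PolicyRule{
		{APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"tokenreviews"}, Verbs: []string{"create"}},
		{APIGroups: []string{"authorization.k8s.io"}, Resources: []string{"subjectaccessreviews"}, Verbs: []string{"create", "*"}},
	}
	fmt.Println(ExcessGrants(rules))
}
```

To audit a live object, copy the `Rules` of the ClusterRole into `PolicyRule` values and treat any returned entry as drift from the documented scope.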
func BuildClusterRoleBinding ¶
func BuildClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding
BuildClusterRoleBinding returns a k8s ClusterRoleBinding object for the lokistack gateway serviceaccount to grant access to:
- rbac.authentication.k8s.io/TokenReviews
- rbac.authorization.k8s.io/SubjectAccessReviews
func BuildRoute ¶
BuildRoute builds an OpenShift route object for the LokiStack Gateway
func BuildServiceAccount ¶
BuildServiceAccount returns a k8s object for the LokiStack Gateway serviceaccount. This ServiceAccount is used in parallel as an OpenShift OAuth Client.
func BuildServiceCAConfigMap ¶
BuildServiceCAConfigMap returns a k8s configmap for the LokiStack gateway serviceCA configmap. This configmap is used to configure the gateway to proxy server-side TLS encrypted requests to Loki.
func ConfigureGatewayDeployment ¶
func ConfigureGatewayDeployment(
	d *appsv1.Deployment,
	gwContainerName string,
	sercretVolumeName, tlsDir, certFile, keyFile string,
	caDir, caFile string,
	withTLS, withCertSigningService bool,
) error
ConfigureGatewayDeployment merges an OpenPolicyAgent sidecar into the deployment spec. With this, the deployment will route authorization requests to the OpenShift apiserver through the sidecar.
func ConfigureGatewayService ¶
func ConfigureGatewayService(s *corev1.ServiceSpec) error
ConfigureGatewayService merges the OpenPolicyAgent sidecar metrics port into the service spec. With this, the metrics are exposed through the same service.
func ConfigureGatewayServiceMonitor ¶
func ConfigureGatewayServiceMonitor(sm *monitoringv1.ServiceMonitor, withTLS bool) error
ConfigureGatewayServiceMonitor merges the OpenPolicyAgent sidecar endpoint into the service monitor. With this, cluster-monitoring prometheus can scrape the sidecar metrics.
Types ¶
type AuthenticationSpec ¶
type AuthenticationSpec struct {
	TenantName     string
	TenantID       string
	ServiceAccount string
	RedirectURL    string
	CookieSecret   string
}
AuthenticationSpec describes the authentication specification for a single tenant to authenticate its subjects through OpenShift Auth.
type AuthorizationSpec ¶
type AuthorizationSpec struct {
	OPAUrl string
}
AuthorizationSpec describes the authorization specification for all tenants to authorize access for its subjects through the opa-openshift sidecar.
type BuildOptions ¶
type BuildOptions struct {
	LokiStackName                   string
	GatewayName                     string
	GatewayNamespace                string
	GatewaySvcName                  string
	GatewaySvcTargetPort            string
	Labels                          map[string]string
	EnableCertificateSigningService bool
}
BuildOptions represents the set of options required to build extra lokistack gateway k8s objects (e.g. ServiceAccount, Route, RBAC) on openshift.
type Options ¶
type Options struct {
	BuildOpts      BuildOptions
	Authentication []AuthenticationSpec
	Authorization  AuthorizationSpec
}
Options is the set of internal template options for rendering the lokistack-gateway tenants configuration file when the mode is openshift-logging.
func NewOptions ¶
func NewOptions(
	stackName string,
	gwName, gwNamespace, gwBaseDomain, gwSvcName, gwPortName string,
	gwLabels map[string]string,
	enableCertSigningService bool,
	tenantConfigMap map[string]TenantData,
) Options
NewOptions returns an openshift options struct.
type TenantData ¶
TenantData defines the existing tenantID and cookieSecret for lokistack reconcile.