secretsync

package v1.17.0-pre.1 (this package is not in the latest version of its module)

Published: Oct 1, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Constants

const (
	OwningSecretNamespace = "secretsync.cilium.io/owning-secret-namespace"
	OwningSecretName      = "secretsync.cilium.io/owning-secret-name"
)

OwningSecretNamespace and OwningSecretName are the label keys set on every synced copy to record the namespace and name of the source Secret it was created from; they are what lets the reconciler match a copy back to its source and garbage-collect it.

Variables

var Cell = cell.Module(
	"secret-sync",
	"Syncs TLS secrets into a dedicated secrets namespace",

	cell.Invoke(initSecretSyncReconciliation),
)

Cell manages the synchronization of K8s Secrets from application namespaces into a dedicated Cilium secrets namespace, so that the component consuming them (e.g. the Envoy proxy terminating TLS for Ingress and Gateway API) only needs read access to that one namespace rather than to Secrets across the whole cluster.

Subsystems that are interested in having K8s Secrets synced (e.g. Gateway API, Ingress, ...) register themselves via SecretSyncRegistrationOut.

This way, multiple use cases share the same reconciler, which keeps independent reconcilers from interfering with each other (for example, one deleting a synced Secret that another still needs).

Example:

cell.Provide(func registerSecretSyncRegistration(...) secretsync.SecretSyncRegistrationOut {...})

Functions

func NewSecretSyncReconciler

func NewSecretSyncReconciler(c client.Client, logger *slog.Logger, registrations []*SecretSyncRegistration) *secretSyncer

Types

type AdditionalWatch

type AdditionalWatch struct {
	RefObject             client.Object
	RefObjectEnqueueFunc  handler.EventHandler
	RefObjectWatchOptions []builder.WatchesOption
}

type DefaultSecret

type DefaultSecret struct {
	Namespace string
	Name      string
}

type SecretSyncRegistration

type SecretSyncRegistration struct {
	// RefObject defines the Kubernetes Object that references a K8s Secret that needs to be synced.
	RefObject client.Object
	// RefObjectEnqueueFunc defines the mapping function from the reference object to the Secret,
	// so that a change to the reference object triggers reconciliation of the Secret it points at.
	RefObjectEnqueueFunc handler.EventHandler
	// RefObjectCheckFunc defines a function that is called to check whether the given K8s Secret
	// is still referenced by a reference object.
	// Synced Secrets that originate from K8s Secrets that are no longer referenced by any registration are deleted.
	RefObjectCheckFunc func(ctx context.Context, c client.Client, logger *slog.Logger, obj *corev1.Secret) bool
	// SecretsNamespace defines the name of the namespace into which the referenced K8s Secrets are synchronized.
	SecretsNamespace string
	// AdditionalWatches defines additional watches besides the watch on the directly referencing Kubernetes Object.
	AdditionalWatches []AdditionalWatch
	// DefaultSecret defines an optional reference to a TLS Secret that should be synced regardless of whether it is referenced or not.
	DefaultSecret *DefaultSecret
}

func (SecretSyncRegistration) IsDefaultSecret

func (r SecretSyncRegistration) IsDefaultSecret(secret *corev1.Secret) bool

func (SecretSyncRegistration) String

func (r SecretSyncRegistration) String() string

type SecretSyncRegistrationOut

type SecretSyncRegistrationOut struct {
	cell.Out

	SecretSyncRegistration *SecretSyncRegistration `group:"secretSyncRegistrations"`
}

SecretSyncRegistrationOut can be used by other subsystems to register their need to have K8s Secrets synced into a dedicated secrets namespace.
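The following is an added example and not code from the Cilium project: a stdlib-only Go model of the per-Secret decision the reconciler documented on this page makes, covering both the Cell description and the SecretSyncRegistration fields. `Secret`, `TLSRef` and `Registration` are stand-ins for corev1.Secret, the referencing Ingress or Gateway object and SecretSyncRegistration; the real RefObjectCheckFunc looks referencing objects up through client.Client, here a constructed `Refs` list replaces that lookup. The `<namespace>-<name>` naming of the synced copy and the sample namespace and Secret names are assumptions. It shows what the owning-secret labels are for, when a synced copy is garbage-collected, how DefaultSecret exempts a Secret from that, and why a Secret in the secrets namespace that secretsync did not create is never touched.

```go
package main

import "fmt"

// Label keys repeated from the secretsync package so this file builds stand-alone.
const (
	owningSecretNamespace = "secretsync.cilium.io/owning-secret-namespace"
	owningSecretName      = "secretsync.cilium.io/owning-secret-name"
)

// Secret is a stand-in for corev1.Secret with only the fields the sync touches.
type Secret struct {
	Namespace, Name, Type string
	Labels                map[string]string
	Data                  map[string][]byte
}

// TLSRef is a constructed stand-in for a referencing object (an Ingress or a
// Gateway listener) that names a Secret in its own namespace.
type TLSRef struct{ Namespace, SecretName string }

// Registration models the decision-relevant fields of SecretSyncRegistration;
// Refs replaces the API lookup a real RefObjectCheckFunc does via client.Client.
type Registration struct {
	SecretsNamespace string
	DefaultSecret    *TLSRef  // optional: kept in sync even when unreferenced
	Refs             []TLSRef // constructed "cluster state"
}

// stillReferenced plays the role of RefObjectCheckFunc for the source Secret.
func (r Registration) stillReferenced(src Secret) bool {
	for _, ref := range r.Refs {
		if ref.Namespace == src.Namespace && ref.SecretName == src.Name {
			return true
		}
	}
	return false
}

// isDefaultSecret mirrors SecretSyncRegistration.IsDefaultSecret.
func (r Registration) isDefaultSecret(src Secret) bool {
	d := r.DefaultSecret
	return d != nil && d.Namespace == src.Namespace && d.SecretName == src.Name
}

// syncedName derives the copy's name; "<namespace>-<name>" is an assumption made
// here so that same-named Secrets from different namespaces do not collide.
func syncedName(src Secret) string { return src.Namespace + "-" + src.Name }

// syncedCopy builds the object the reconciler would write into secretsNS. The
// owning-secret labels tie the copy back to its source; Data is deep-copied so
// the copy never aliases the caller's key material.
func syncedCopy(src Secret, secretsNS string) Secret {
	data := make(map[string][]byte, len(src.Data))
	for k, v := range src.Data {
		data[k] = append([]byte(nil), v...)
	}
	return Secret{
		Namespace: secretsNS, Name: syncedName(src), Type: src.Type,
		Labels:    map[string]string{owningSecretNamespace: src.Namespace, owningSecretName: src.Name},
		Data:      data,
	}
}

// sourceOf reads the owning-secret labels back off a synced copy. ok is false
// for Secrets in the secrets namespace that secretsync did not create; garbage
// collection must leave those alone.
func sourceOf(synced Secret) (src Secret, ok bool) {
	ns, okNS := synced.Labels[owningSecretNamespace]
	name, okName := synced.Labels[owningSecretName]
	if !okNS || !okName {
		return Secret{}, false
	}
	return Secret{Namespace: ns, Name: name}, true
}

// shouldDelete applies the rule from the package docs: a synced copy is removed
// only when secretsync owns it, it is not a default Secret, and no registration
// still references the source.
func shouldDelete(regs []Registration, synced Secret) bool {
	src, ok := sourceOf(synced)
	if !ok {
		return false
	}
	for _, r := range regs {
		if r.isDefaultSecret(src) || r.stillReferenced(src) {
			return false
		}
	}
	return true
}

func main() {
	src := Secret{Namespace: "shop", Name: "shop-tls", Type: "kubernetes.io/tls",
		Data: map[string][]byte{"tls.crt": []byte("cert"), "tls.key": []byte("key")}}
	reg := Registration{SecretsNamespace: "cilium-secrets", Refs: []TLSRef{{Namespace: "shop", SecretName: "shop-tls"}}}
	cp := syncedCopy(src, reg.SecretsNamespace)
	fmt.Println(cp.Namespace+"/"+cp.Name, cp.Labels, "delete:", shouldDelete([]Registration{reg}, cp))
}
```

In a real registration, RefObjectEnqueueFunc and RefObjectCheckFunc must agree on which field of the reference object names the Secret: the enqueue side decides when the reconciler runs, the check side decides whether the copy survives, and a mismatch means a Secret is either never synced or deleted while the proxy is still serving its key.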
