Documentation

Constants
const (
	OwningSecretNamespace = "secretsync.cilium.io/owning-secret-namespace"
	OwningSecretName      = "secretsync.cilium.io/owning-secret-name"
)
Variables

var Cell = cell.Module(
	"secret-sync",
	"Syncs TLS secrets into a dedicated secrets namespace",
	cell.Invoke(initSecretSyncReconciliation),
)
Cell manages K8s Secret synchronization from application namespaces into the dedicated Cilium secrets namespace.
Subsystems that need K8s Secrets synced (e.g. Gateway API, Ingress, ...) can register themselves via SecretSyncRegistrationOut.
This way, multiple use cases share the same reconciler, which avoids having several independent reconcilers interfere with each other.
Example:
cell.Provide(func registerSecretSyncRegistration(...) secretsync.SecretSyncRegistrationOut {...})
Functions

func NewSecretSyncReconciler
func NewSecretSyncReconciler(c client.Client, logger *slog.Logger, registrations []*SecretSyncRegistration) *secretSyncer
Types

type AdditionalWatch

type AdditionalWatch struct {
	RefObject             client.Object
	RefObjectEnqueueFunc  handler.EventHandler
	RefObjectWatchOptions []builder.WatchesOption
}
type DefaultSecret

type SecretSyncRegistration

type SecretSyncRegistration struct {
	// RefObject defines the Kubernetes Object that references a K8s Secret that needs to be synced.
	RefObject client.Object
	// RefObjectEnqueueFunc defines the mapping function from the reference object to the Secret.
	RefObjectEnqueueFunc handler.EventHandler
	// RefObjectCheckFunc defines a function that is called to check whether the given K8s Secret
	// is still referenced by a reference object.
	// Synced Secrets that originate from K8s Secrets no longer referenced by any registration are deleted.
	RefObjectCheckFunc func(ctx context.Context, c client.Client, logger *slog.Logger, obj *corev1.Secret) bool
	// SecretsNamespace defines the name of the namespace into which the referenced K8s Secrets are synchronized.
	SecretsNamespace string
	// AdditionalWatches defines additional watches besides the watch on the directly referencing Kubernetes Object.
	AdditionalWatches []AdditionalWatch
	// DefaultSecret defines an optional reference to a TLS Secret that should be synced regardless of whether it is referenced.
	DefaultSecret *DefaultSecret
}
func (SecretSyncRegistration) IsDefaultSecret
func (r SecretSyncRegistration) IsDefaultSecret(secret *corev1.Secret) bool
func (SecretSyncRegistration) String
func (r SecretSyncRegistration) String() string
type SecretSyncRegistrationOut

type SecretSyncRegistrationOut struct {
	cell.Out

	SecretSyncRegistration *SecretSyncRegistration `group:"secretSyncRegistrations"`
}
SecretSyncRegistrationOut can be used by other subsystems to register their need to have K8s Secrets synced into a dedicated secrets namespace.
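As an added example (not the package's own code), the following self-contained Go program models the rule stated in the RefObjectCheckFunc and DefaultSecret comments above: a copy in the secrets namespace is kept only while some registration still references its source Secret or lists that source as its default, and is otherwise removed so that stale TLS key material does not linger. The Secret and Registration types are constructed stand-ins for corev1.Secret and SecretSyncRegistration, and it is an assumption here that the two owning-secret constants are applied as labels on the synced Secret.

```go
package main

import (
	"context"
	"log/slog"
)

// Label keys from the package; that synced Secrets carry them as labels is an assumption.
const (
	OwningSecretNamespace = "secretsync.cilium.io/owning-secret-namespace"
	OwningSecretName      = "secretsync.cilium.io/owning-secret-name"
)
// Secret is a constructed stand-in for corev1.Secret with only the fields used here.
type Secret struct {
	Namespace, Name string
	Labels          map[string]string
}
// Registration models the SecretSyncRegistration fields the decision depends on.
type Registration struct {
	SecretsNamespace   string
	RefObjectCheckFunc func(ctx context.Context, logger *slog.Logger, src *Secret) bool
	DefaultSecret      *Secret // synced regardless of whether it is referenced
}
type Action int
const (
	Ignore Action = iota // no owning labels: not created by the syncer, never touched
	Keep                 // still referenced by some registration, or a default secret
	Delete               // orphaned copy: remove it so stale TLS material does not linger
)

// Decide keeps a synced Secret only while a registration for its namespace still references the source or lists it as default.
func Decide(ctx context.Context, logger *slog.Logger, synced *Secret, regs []Registration) Action {
	srcNS, srcName := synced.Labels[OwningSecretNamespace], synced.Labels[OwningSecretName]
	if srcNS == "" || srcName == "" {
		return Ignore
	}
	for _, r := range regs {
		if r.SecretsNamespace != synced.Namespace {
			continue // this registration syncs into a different namespace
		}
		if d := r.DefaultSecret; d != nil && d.Namespace == srcNS && d.Name == srcName {
			return Keep
		}
		if r.RefObjectCheckFunc != nil && r.RefObjectCheckFunc(ctx, logger, &Secret{Namespace: srcNS, Name: srcName}) {
			return Keep
		}
	}
	logger.Info("synced secret orphaned", "namespace", synced.Namespace, "name", synced.Name)
	return Delete
}
```

The Info log line on the Delete path is the audit trail a defender would want when reviewing why a certificate disappeared from the secrets namespace.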