apiserver

package
v4.5.5-rc.2+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 2, 2021 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// ErrMessageLimitInvalid indicates that a limit is lower than the request
	ErrMessageLimitInvalid = `limit %q is lower than the request %q`
	// ErrMessagePVCSize provides a standard error message when a PVCSize is not
	// specified to the Kubernetes stnadard
	ErrMessagePVCSize = `could not parse PVC size "%s": %s (hint: try a value like "1Gi")`
	// ErrMessageReplicas provides a standard error message when the count of
	// replicas is incorrect
	ErrMessageReplicas = `must have at least %d replica(s)`
)
View Source
const (
	// MISC
	APPLY_POLICY_PERM = "ApplyPolicy"
	CAT_PERM          = "Cat"
	CLONE_PERM        = "Clone"
	DF_CLUSTER_PERM   = "DfCluster"
	LABEL_PERM        = "Label"
	RELOAD_PERM       = "Reload"
	RESTART_PERM      = "Restart"
	RESTORE_PERM      = "Restore"
	STATUS_PERM       = "Status"
	TEST_CLUSTER_PERM = "TestCluster"
	VERSION_PERM      = "Version"

	// CREATE
	CREATE_BACKUP_PERM    = "CreateBackup"
	CREATE_CLUSTER_PERM   = "CreateCluster"
	CREATE_DUMP_PERM      = "CreateDump"
	CREATE_FAILOVER_PERM  = "CreateFailover"
	CREATE_NAMESPACE_PERM = "CreateNamespace"
	CREATE_PGADMIN_PERM   = "CreatePgAdmin"
	CREATE_PGBOUNCER_PERM = "CreatePgbouncer"
	CREATE_PGOUSER_PERM   = "CreatePgouser"
	CREATE_PGOROLE_PERM   = "CreatePgorole"
	CREATE_POLICY_PERM    = "CreatePolicy"
	CREATE_SCHEDULE_PERM  = "CreateSchedule"
	CREATE_UPGRADE_PERM   = "CreateUpgrade"
	CREATE_USER_PERM      = "CreateUser"

	// RESTORE
	RESTORE_DUMP_PERM = "RestoreDump"

	// DELETE
	DELETE_BACKUP_PERM    = "DeleteBackup"
	DELETE_CLUSTER_PERM   = "DeleteCluster"
	DELETE_NAMESPACE_PERM = "DeleteNamespace"
	DELETE_PGADMIN_PERM   = "DeletePgAdmin"
	DELETE_PGBOUNCER_PERM = "DeletePgbouncer"
	DELETE_PGOROLE_PERM   = "DeletePgorole"
	DELETE_PGOUSER_PERM   = "DeletePgouser"
	DELETE_POLICY_PERM    = "DeletePolicy"
	DELETE_SCHEDULE_PERM  = "DeleteSchedule"
	DELETE_USER_PERM      = "DeleteUser"

	// SHOW
	SHOW_BACKUP_PERM          = "ShowBackup"
	SHOW_CLUSTER_PERM         = "ShowCluster"
	SHOW_CONFIG_PERM          = "ShowConfig"
	SHOW_NAMESPACE_PERM       = "ShowNamespace"
	SHOW_PGADMIN_PERM         = "ShowPgAdmin"
	SHOW_PGBOUNCER_PERM       = "ShowPgBouncer"
	SHOW_PGOROLE_PERM         = "ShowPgorole"
	SHOW_PGOUSER_PERM         = "ShowPgouser"
	SHOW_POLICY_PERM          = "ShowPolicy"
	SHOW_PVC_PERM             = "ShowPVC"
	SHOW_SCHEDULE_PERM        = "ShowSchedule"
	SHOW_SECRETS_PERM         = "ShowSecrets"
	SHOW_SYSTEM_ACCOUNTS_PERM = "ShowSystemAccounts"
	SHOW_USER_PERM            = "ShowUser"
	SHOW_WORKFLOW_PERM        = "ShowWorkflow"

	// SCALE
	SCALE_CLUSTER_PERM = "ScaleCluster"

	// UPDATE
	UPDATE_CLUSTER_PERM   = "UpdateCluster"
	UPDATE_NAMESPACE_PERM = "UpdateNamespace"
	UPDATE_PGBOUNCER_PERM = "UpdatePgBouncer"
	UPDATE_PGOROLE_PERM   = "UpdatePgorole"
	UPDATE_PGOUSER_PERM   = "UpdatePgouser"
	UPDATE_USER_PERM      = "UpdateUser"
)

The below constants contains the "apiserver RBAC permissions" -- this was reorganized to make it...slightly more organized as we continue to evole the system

View Source
const PGOSecretName = "pgo.tls"
View Source
const TreeBranch = "├── "

TreeBranch is for debugging only in this context

View Source
const TreeTrunk = "└── "

TreeTrunk is for debugging only in this context

View Source
const VERSION_MISMATCH_ERROR = "pgo client and server version mismatch"

Variables

View Source
var (

	// ErrDBContainerNotFound is an error that indicates that a "database" container
	// could not be found in a specific pod
	ErrDBContainerNotFound = errors.New("\"database\" container not found in pod")
	// ErrLabelInvalid indicates that a label is invalid
	ErrLabelInvalid = errors.New("invalid label")
	// ErrPasswordTypeInvalid is used when a string that's not included in
	// PasswordTypeStrings is used
	ErrPasswordTypeInvalid = errors.New("invalid password type. choices are (md5, scram-sha-256)")
	// ErrStandbyNotAllowed contains the error message returned when an API call is not
	// permitted because it involves a cluster that is in standby mode
	ErrStandbyNotAllowed = errors.New("Action not permitted because standby mode is enabled")

	// ErrMethodNotAllowed represents the error that is thrown when a feature is disabled within the
	// current Operator install
	ErrMethodNotAllowed = errors.New("This method has is not allowed in the current PostgreSQL " +
		"Operator installation")
)
View Source
var (
	// Clientset is a client for Kubernetes resources
	Clientset kubeapi.Interface
	// RESTConfig holds the REST configuration for a Kube client
	RESTConfig *rest.Config
)
View Source
var AuditFlag bool

AuditFlag if set to true will cause auditing to occur in the logs

View Source
var BasicAuth bool

BasicAuth comes from the apiserver config

View Source
var CRUNCHY_DEBUG bool
View Source
var DebugFlag bool

DebugFlag is the debug flag value

View Source
var InstallationName string
View Source
var MetricsFlag, BadgerFlag bool

MetricsFlag if set to true will cause crunchy-postgres-exporter to be added into new clusters

View Source
var PermMap map[string]string
View Source
var PgoNamespace string

Namespace comes from the apiserver config in this version

View Source
var RoleMap map[string]map[string]string

Functions

func Authn

func Authn(perm string, w http.ResponseWriter, r *http.Request) (string, error)

Authn performs HTTP Basic Authentication against a user if "BasicAuth" is set to "true" (which it is by default).

...it also performs Authorization (Authz) against the user that is attempting to authenticate, and as such, to truly "authenticate/authorize," one needs at least a valid Operator User account.

func BasicAuthCheck

func BasicAuthCheck(username, password string) bool

func BasicAuthzCheck

func BasicAuthzCheck(username, perm string) bool

func CreateRMDataTask

func CreateRMDataTask(clusterName, replicaName, taskName string, deleteBackups, deleteData, isReplica, isBackup bool, ns, clusterPGHAScope string) error

func FindStandbyClusters

func FindStandbyClusters(clusterList crv1.PgclusterList) (standbyClusters []string)

FindStandbyClusters takes a list of pgcluster structs and returns a slice containing the names of those clusters that are in standby mode as indicated by whether or not the standby prameter in the pgcluster spec is true.

func GetBackrestStorageTypes

func GetBackrestStorageTypes() []string

func GetNamespace

func GetNamespace(clientset kubernetes.Interface, username, requestedNS string) (string, error)

GetNamespace determines if a user has permission for a namespace they are requesting a valid requested namespace is required

func GetPasswordType

func GetPasswordType(passwordTypeStr string) (pgpassword.PasswordType, error)

GetPasswordType returns the enumerated password type based on the string, and an error if it cannot match one

func Initialize

func Initialize()

func IsValidPVC

func IsValidPVC(pvcName, ns string) bool

IsValidPVC determines if a PVC with the name provided exits

func IsValidStorageName

func IsValidStorageName(name string) bool

func NamespaceOperatingMode

func NamespaceOperatingMode() ns.NamespaceOperatingMode

NamespaceOperatingMode returns the namespace operating mode for the current Operator installation, which is stored in the "namespaceOperatingMode" variable

func NewCertEnforcer

func NewCertEnforcer(reqRoutes []string) (*certEnforcer, error)

NewCertEnforcer ensures a certEnforcer is created with skipped routes and validates that the configured routes are allowed

func PGClusterListHasStandby

func PGClusterListHasStandby(clusterList crv1.PgclusterList) (bool, []string)

PGClusterListHasStandby determines if a PgclusterList has any standby clusters, specifically returning "true" if one or more standby clusters exist, along with a slice of strings containing the names of the clusters in standby mode

func UserIsPermittedInNamespace

func UserIsPermittedInNamespace(username, requestedNS string) (bool, bool, error)

UserIsPermittedInNamespace returns installation access and user access. Installation access means a namespace belongs to this Operator installation. User access means this user has access to a namespace.

func ValidateLabel

func ValidateLabel(labelStr string) (map[string]string, error)

ValidateLabel is derived from a legacy method and validates if the input is a valid Kubernetes label.

A label is composed of a key and value.

The key can either be a name or have an optional prefix that i terminated by a "/", e.g. "prefix/name"

The name must be a valid DNS 1123 value THe prefix must be a valid DNS 1123 subdomain

The value can be validated by machinery provided by Kubenretes

Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

func ValidateNodeLabel

func ValidateNodeLabel(nodeLabel string) error

ValidateNodeLabel returns error if node label is invalid based on format

func ValidateQuantity

func ValidateQuantity(quantity string) error

ValidateQuantity runs the Kubernetes "ParseQuantity" function on a string and determine whether or not it is a valid quantity object. Returns an error if it is invalid, along with the error message.

If it is empty, it returns no error

See: https://github.com/kubernetes/apimachinery/blob/master/pkg/api/resource/quantity.go

func ValidateResourceRequestLimit

func ValidateResourceRequestLimit(request, limit string, defaultQuantity resource.Quantity) error

ValidateResourceRequestLimit validates that a Kubernetes Requests/Limit pair is valid, both by validating the values are valid quantity values, and then by checking that the limit >= request. This also needs to check against the configured values for a request, which must be provided as a value

func WriteTLSCert

func WriteTLSCert(certPath, keyPath string) error

WriteTLSCert is a legacy method that writes the server certificate and key to files from the PGOSecretName secret or generates a new key (writing to both the secret and the expected files

Types

type CredentialDetail

type CredentialDetail struct {
	Username   string
	Password   string
	Role       string
	Namespaces []string
}

Directories

Path Synopsis
Package routing temporarily breaks circular dependencies within the structure of the apiserver package The apiserver package contains a mix of package content (used by external code) and refactored functionality from the *service folders.
Package routing temporarily breaks circular dependencies within the structure of the apiserver package The apiserver package contains a mix of package content (used by external code) and refactored functionality from the *service folders.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL