Documentation ¶
Constants ¶
const (
	// SecretNameUserKubeconfig is the name of the Secret that holds the user kubeconfig.
	// The constant is only the Secret's name, not its contents.
	SecretNameUserKubeconfig = "user-kubeconfig" // #nosec G101 -- No credential.
	// ServicePortName is the name of the port in the service.
	ServicePortName = "kube-apiserver"
	// UserNameVPNSeedClient is the user name for the HA vpn-seed-client components
	// (used as common name in its client certificate).
	UserNameVPNSeedClient = "vpn-seed-client"
)
const (
	// ContainerNameKubeAPIServer is the name of the kube-apiserver container inside the kube-apiserver pods.
	ContainerNameKubeAPIServer = "kube-apiserver"
)
const (
	// DataKeyConfigMapAuthenticationConfig is the data key of the ConfigMap containing the authentication configuration.
	// The authorization ConfigMap uses the same key name (see DataKeyConfigMapAuthorizationConfig); the two live in separate ConfigMaps.
	DataKeyConfigMapAuthenticationConfig = "config.yaml"
)
const (
	// DataKeyConfigMapAuthorizationConfig is the data key of the ConfigMap containing the authorization configuration.
	// The authentication ConfigMap uses the same key name (see DataKeyConfigMapAuthenticationConfig); the two live in separate ConfigMaps.
	DataKeyConfigMapAuthorizationConfig = "config.yaml"
)
// ManagedResourceName is the name of the ManagedResource containing the resource specifications.
const ManagedResourceName = "shoot-core-kube-apiserver"
ManagedResourceName is the name of the ManagedResource containing the resource specifications.
const (
	// SecretStaticTokenName is the name of the static-token Secret. The constant is only the Secret's name,
	// not a token value.
	SecretStaticTokenName = "kube-apiserver-static-token" // #nosec G101 -- No credential.
)
Variables ¶
var (
	// IntervalWaitForDeployment is the interval used while waiting for the Deployments to become healthy
	// or deleted. Package-level and mutable; presumably overridden by tests like Until — confirm.
	IntervalWaitForDeployment = 5 * time.Second
	// TimeoutWaitForDeployment is the timeout used while waiting for the Deployments to become healthy
	// or deleted.
	TimeoutWaitForDeployment = 5 * time.Minute
	// Until is an alias for retry.Until. Exposed for tests.
	Until = retry.Until
)
// ConfigCodec is the codec used to encode and decode the kube-apiserver configuration APIs.
var ConfigCodec runtime.Codec
ConfigCodec is the codec for kube-apiserver configuration APIs.
Functions ¶
func CentralLoggingConfiguration ¶
func CentralLoggingConfiguration() (component.CentralLoggingConfig, error)
CentralLoggingConfiguration returns a fluent-bit parser and filter for the kube-apiserver logs.
func ComputeAuthenticationConfigRawConfig ¶ added in v1.102.0
func ComputeAuthenticationConfigRawConfig(oidc *gardencorev1beta1.OIDCConfig) (string, error)
ComputeAuthenticationConfigRawConfig computes an AuthenticationConfiguration from the given OIDC configuration. TODO(AleksandarSavchev): Remove this functionality as soon as v1.32 is the least supported Kubernetes version in Gardener.
func NewDependencyWatchdogProberConfiguration ¶
func NewDependencyWatchdogProberConfiguration() ([]proberapi.DependentResourceInfo, error)
NewDependencyWatchdogProberConfiguration returns the configuration for the dependency watchdog (probe role), ensuring that its dependant pods are scaled as soon as a probe fails.
func NewDependencyWatchdogWeederConfiguration ¶
func NewDependencyWatchdogWeederConfiguration() (map[string]weederapi.DependantSelectors, error)
NewDependencyWatchdogWeederConfiguration returns the configuration for the dependency watchdog (weeder role) ensuring that its dependant pods are restarted as soon as it recovers from a crash loop.
Types ¶
type AuthenticationWebhook ¶
// AuthenticationWebhook contains configuration for the authentication webhook.
type AuthenticationWebhook struct {
	// Kubeconfig contains the webhook configuration for token authentication in kubeconfig format. The API server will
	// query the remote service to determine authentication for bearer tokens.
	// NOTE(review): a kubeconfig usually embeds client credentials for the remote service — treat this value as sensitive.
	Kubeconfig []byte
	// CacheTTL is the duration to cache responses from the webhook token authenticator.
	CacheTTL *time.Duration
	// Version is the API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.
	Version *string
}
AuthenticationWebhook contains configuration for the authentication webhook.
type AuthorizationWebhook ¶
// AuthorizationWebhook contains configuration for one authorization webhook.
type AuthorizationWebhook struct {
	// Name is the name of the webhook.
	Name string
	// Kubeconfig contains the webhook configuration in kubeconfig format. The API server will query the remote service
	// to determine access on the API server's secure port.
	// NOTE(review): a kubeconfig usually embeds client credentials for the remote service — treat this value as sensitive.
	Kubeconfig []byte
	// WebhookConfiguration is the actual webhook configuration (embedded, so its fields are promoted onto this type).
	apiserverv1beta1.WebhookConfiguration
}
AuthorizationWebhook contains configuration for the authorization webhook.
type Images ¶
// Images is the set of container images used for the containers of the kube-apiserver pods.
type Images struct {
	// KubeAPIServer is the container image for the kube-apiserver.
	KubeAPIServer string
	// VPNClient is the container image for the vpn-seed-client.
	VPNClient string
}
Images is a set of container images used for the containers of the kube-apiserver pods.
type Interface ¶
// Interface contains functions for a kube-apiserver deployer. It extends the generic apiserver.Interface
// with setters for the kube-apiserver specific Values.
type Interface interface {
	apiserver.Interface
	// GetValues returns the current configuration values of the deployer.
	GetValues() Values
	// AppendAuthorizationWebhook appends an AuthorizationWebhook to AuthorizationWebhooks in the Values of the deployer.
	// TODO(oliver-goetz): Consider removing this method when we support Kubernetes version with structured authorization only.
	// See https://github.com/gardener/gardener/pull/10682#discussion_r1816324389 for more information.
	AppendAuthorizationWebhook(AuthorizationWebhook)
	// SetExternalHostname sets the ExternalHostname field in the Values of the deployer.
	SetExternalHostname(string)
	// SetExternalServer sets the ExternalServer field in the Values of the deployer.
	SetExternalServer(string)
	// SetNodeNetworkCIDRs sets the node CIDRs of the shoot network.
	SetNodeNetworkCIDRs([]net.IPNet)
	// SetServiceNetworkCIDRs sets the service CIDRs of the shoot network.
	SetServiceNetworkCIDRs([]net.IPNet)
	// SetPodNetworkCIDRs sets the pod CIDRs of the shoot network.
	SetPodNetworkCIDRs([]net.IPNet)
	// SetServerCertificateConfig sets the ServerCertificateConfig field in the Values of the deployer.
	SetServerCertificateConfig(ServerCertificateConfig)
	// SetServiceAccountConfig sets the ServiceAccount field in the Values of the deployer.
	SetServiceAccountConfig(ServiceAccountConfig)
	// SetSNIConfig sets the SNI field in the Values of the deployer.
	SetSNIConfig(SNIConfig)
}
Interface contains functions for a kube-apiserver deployer.
func New ¶
func New(client kubernetes.Interface, namespace string, secretsManager secretsmanager.Interface, values Values) Interface
New creates a new instance of DeployWaiter for the kube-apiserver.
type SNIConfig ¶
// SNIConfig contains information for configuring SNI settings for the kube-apiserver.
type SNIConfig struct {
	// Enabled states whether the SNI feature is enabled.
	Enabled bool
	// AdvertiseAddress is the address which should be advertised by the kube-apiserver.
	AdvertiseAddress string
	// TLS contains the TLS SNI settings (certificates and the domain patterns they serve) for the kube-apiserver.
	TLS []TLSSNIConfig
}
SNIConfig contains information for configuring SNI settings for the kube-apiserver.
type ServerCertificateConfig ¶
// ServerCertificateConfig contains configuration for the server certificate.
type ServerCertificateConfig struct {
	// ExtraIPAddresses is a list of additional IP addresses to include in the SANs of the server certificate.
	ExtraIPAddresses []net.IP
	// ExtraDNSNames is a list of additional DNS names to include in the SANs of the server certificate.
	ExtraDNSNames []string
}
ServerCertificateConfig contains configuration for the server certificate.
type ServiceAccountConfig ¶
// ServiceAccountConfig contains information for configuring ServiceAccount settings for the kube-apiserver.
type ServiceAccountConfig struct {
	// Issuer is the issuer of service accounts.
	Issuer string
	// AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are accepted.
	// NOTE(review): every issuer listed here widens the set of tokens the API server trusts; keep it to issuers under the cluster owner's control.
	AcceptedIssuers []string
	// JWKSURI is used to overwrite the URI for the JSON Web Key Set in the discovery document served at /.well-known/openid-configuration.
	JWKSURI *string
	// ExtendTokenExpiration states whether the service account token expirations should be extended.
	ExtendTokenExpiration *bool
	// MaxTokenExpiration states what the maximal token expiration should be.
	MaxTokenExpiration *metav1.Duration
	// RotationPhase specifies the credentials rotation phase of the service account signing key.
	RotationPhase gardencorev1beta1.CredentialsRotationPhase
}
ServiceAccountConfig contains information for configuring ServiceAccountConfig settings for the kube-apiserver.
func ComputeKubeAPIServerServiceAccountConfig ¶ added in v1.91.0
func ComputeKubeAPIServerServiceAccountConfig( config *gardencorev1beta1.ServiceAccountConfig, externalHostname string, serviceAccountKeyRotationPhase gardencorev1beta1.CredentialsRotationPhase, ) ServiceAccountConfig
ComputeKubeAPIServerServiceAccountConfig computes the ServiceAccountConfig needed to configure a kube-apiserver.
type TLSSNIConfig ¶
// TLSSNIConfig contains information for configuring the TLS SNI settings for the kube-apiserver.
type TLSSNIConfig struct {
	// SecretName is the name of an existing Secret containing the TLS certificate and private key. Either this or both
	// Certificate and PrivateKey must be specified. If both are provided, SecretName takes precedence.
	SecretName *string
	// Certificate is the TLS certificate. Either both this and PrivateKey, or SecretName must be specified. If both are
	// provided, SecretName takes precedence.
	Certificate []byte
	// PrivateKey is the TLS private key belonging to Certificate. Either both this and Certificate, or SecretName must
	// be specified. If both are provided, SecretName takes precedence. Sensitive: must not be logged or exposed.
	PrivateKey []byte
	// DomainPatterns is an optional list of domain patterns which are fully qualified domain names, possibly with
	// prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the
	// apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names
	// of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns
	// trump over extracted names.
	DomainPatterns []string
}
TLSSNIConfig contains information for configuring the TLS SNI settings for the kube-apiserver.
type VPNConfig ¶
// VPNConfig contains information for configuring the VPN settings for the kube-apiserver.
type VPNConfig struct {
	// Enabled states whether VPN is enabled.
	Enabled bool
	// PodNetworkCIDRs are the CIDRs of the pod network.
	PodNetworkCIDRs []net.IPNet
	// NodeNetworkCIDRs are the CIDRs of the node network.
	NodeNetworkCIDRs []net.IPNet
	// HighAvailabilityEnabled states whether VPN uses the HA configuration.
	HighAvailabilityEnabled bool
	// HighAvailabilityNumberOfSeedServers is the number of VPN seed servers used for HA.
	HighAvailabilityNumberOfSeedServers int
	// HighAvailabilityNumberOfShootClients is the number of VPN shoot clients used for HA.
	HighAvailabilityNumberOfShootClients int
	// DisableNewVPN disables the new VPN implementation.
	// TODO(MartinWeindel) Remove after feature gate `NewVPN` gets promoted to GA.
	DisableNewVPN bool
	// IPFamilies are the IP families of the shoot.
	IPFamilies []gardencorev1beta1.IPFamily
}
VPNConfig contains information for configuring the VPN settings for the kube-apiserver.
type Values ¶
// Values contains configuration values for the kube-apiserver resources. It embeds the generic apiserver.Values
// and adds the kube-apiserver specific settings.
type Values struct {
	apiserver.Values
	// AnonymousAuthenticationEnabled states whether anonymous authentication is enabled.
	// NOTE(review): presumably drives the kube-apiserver `--anonymous-auth` flag — confirm against the deployer.
	AnonymousAuthenticationEnabled bool
	// APIAudiences are identifiers of the API. The service account token authenticator will validate that tokens used
	// against the API are bound to at least one of these audiences.
	APIAudiences []string
	// AuthenticationConfiguration contains the authentication configuration.
	AuthenticationConfiguration *string
	// AuthenticationWebhook contains configuration for the authentication webhook.
	AuthenticationWebhook *AuthenticationWebhook
	// AuthorizationWebhooks contains configuration for the authorization webhooks.
	AuthorizationWebhooks []AuthorizationWebhook
	// DefaultNotReadyTolerationSeconds indicates the tolerationSeconds of the toleration for notReady:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag `--default-not-ready-toleration-seconds`).
	DefaultNotReadyTolerationSeconds *int64
	// DefaultUnreachableTolerationSeconds indicates the tolerationSeconds of the toleration for unreachable:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag `--default-unreachable-toleration-seconds`).
	DefaultUnreachableTolerationSeconds *int64
	// EventTTL is the amount of time to retain events.
	EventTTL *metav1.Duration
	// ExternalHostname is the external hostname which should be exposed by the kube-apiserver.
	ExternalHostname string
	// ExternalServer is the external server which should be used when generating the user kubeconfig.
	ExternalServer string
	// Images is the set of container images used for the containers of the kube-apiserver pods.
	Images Images
	// IsWorkerless specifies whether the cluster managed by this API server is workerless, i.e. has no worker nodes.
	IsWorkerless bool
	// NamePrefix is the prefix for the resource names.
	NamePrefix string
	// OIDC contains information for configuring OIDC settings for the kube-apiserver.
	OIDC *gardencorev1beta1.OIDCConfig
	// PriorityClassName is the name of the priority class.
	PriorityClassName string
	// ResourcesToStoreInETCDEvents is a list of resources which should be stored in the etcd-events instead of the
	// etcd-main. The `events` resource in the `core` group is always stored in etcd-events.
	ResourcesToStoreInETCDEvents []schema.GroupResource
	// RuntimeConfig is the set of runtime configurations.
	RuntimeConfig map[string]bool
	// ServerCertificate contains configuration for the server certificate.
	ServerCertificate ServerCertificateConfig
	// ServiceAccount contains information for configuring ServiceAccount settings for the kube-apiserver.
	ServiceAccount ServiceAccountConfig
	// ServiceNetworkCIDRs are the CIDRs of the service network.
	ServiceNetworkCIDRs []net.IPNet
	// SNI contains information for configuring SNI settings for the kube-apiserver.
	SNI SNIConfig
	// StaticTokenKubeconfigEnabled indicates whether a static token kubeconfig Secret will be created for the shoot.
	StaticTokenKubeconfigEnabled *bool
	// Version is the Kubernetes version for the kube-apiserver.
	Version *semver.Version
	// VPN contains information for configuring the VPN settings for the kube-apiserver.
	VPN VPNConfig
}
Values contains configuration values for the kube-apiserver resources.