gardener

package


Constants

// ConfirmationDeletion is an annotation key for Shoot and Project resources. A DELETE request for such a
// resource is only accepted when this annotation is present with the value "true"; if the annotation is
// missing, the request is denied.
const ConfirmationDeletion = "confirmation.gardener.cloud/deletion"

// DeletionProtected is a label key for CustomResourceDefinitions. A CRD carrying this label is treated as
// deletion-protected, i.e. the deletion has to be confirmed with the `confirmation.gardener.cloud/deletion=true`
// annotation before a `DELETE` call is accepted.
const DeletionProtected = "gardener.cloud/deletion-protected"
// Annotation keys read from a Kubernetes Secret object that carries DNS provider credentials.
const (
	// DNSProvider is the annotation key whose value must name a valid DNS provider.
	DNSProvider = "dns.gardener.cloud/provider"
	// DNSDomain is the annotation key whose value must be a valid domain name.
	DNSDomain = "dns.gardener.cloud/domain"
	// DNSDefaultDomainPriority is the annotation key holding the priority of a default domain. When several
	// default domains exist, the one with the highest priority is chosen by default for new shoots.
	DNSDefaultDomainPriority = "dns.gardener.cloud/domain-default-priority"
	// DNSZone is the annotation key whose value must be a valid DNS hosted zone id.
	DNSZone = "dns.gardener.cloud/zone"
	// DNSIncludeZones is the annotation key whose value must be a list of zones that shall be included.
	DNSIncludeZones = "dns.gardener.cloud/include-zones"
	// DNSExcludeZones is the annotation key whose value must be a list of zones that shall be excluded.
	DNSExcludeZones = "dns.gardener.cloud/exclude-zones"
)

// Name parts used to derive the FQDNs of a Shoot cluster from the domain it specifies. In the examples below
// the Shoot domain is 'cluster.example.com'.
const (
	// APIServerFQDNPrefix is prepended to the Shoot domain to form the kube-apiserver domain, e.g.
	// 'api.cluster.example.com'.
	APIServerFQDNPrefix = "api"
	// OwnerFQDNPrefix is prepended to the Shoot domain to form the owner domain, e.g.
	// 'owner.cluster.example.com'.
	OwnerFQDNPrefix = "owner"
	// IngressPrefix is prepended to the Shoot domain to form the ingress controller domain, e.g.
	// '*.<IngressPrefix>.cluster.example.com'.
	IngressPrefix = "ingress"
	// InternalDomainKey must be part of every internal domain constructed for a Shoot cluster. It is appended
	// to the configured internal domain unless that domain already contains it, so it is never added twice.
	InternalDomainKey = "internal"
)
// Suffixes of the shoot-related secrets that are stored in a project namespace. The suffix is combined with the
// shoot name to form the secret name.
const (
	// ShootProjectSecretSuffixKubeconfig is the suffix 'kubeconfig'.
	ShootProjectSecretSuffixKubeconfig = "kubeconfig"
	// ShootProjectSecretSuffixCACluster is the suffix 'ca-cluster'.
	ShootProjectSecretSuffixCACluster = "ca-cluster"
	// ShootProjectSecretSuffixMonitoring is the suffix 'monitoring'.
	ShootProjectSecretSuffixMonitoring = "monitoring"
	// ShootProjectSecretSuffixSSHKeypair is the suffix 'ssh-keypair', taken from the shared secret name constant.
	ShootProjectSecretSuffixSSHKeypair = v1beta1constants.SecretNameSSHKeyPair
	// ShootProjectSecretSuffixOldSSHKeypair is the suffix 'ssh-keypair.old', i.e. the SSH keypair suffix with
	// ".old" appended.
	ShootProjectSecretSuffixOldSSHKeypair = v1beta1constants.SecretNameSSHKeyPair + ".old"
)
// SecretNamePrefixShootAccess is the prefix shared by all secrets that hold credentials for accessing shoot
// clusters.
const SecretNamePrefixShootAccess = "shoot-access-"

// File system locations of the generic shoot kubeconfig inside a container.
const (
	// VolumeMountPathGenericKubeconfig is the directory into which the generic shoot kubeconfig is mounted.
	VolumeMountPathGenericKubeconfig = "/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig"
	// PathShootToken is the full path of the shoot token file below VolumeMountPathGenericKubeconfig.
	PathShootToken = VolumeMountPathGenericKubeconfig + "/" + resourcesv1alpha1.DataKeyToken
	// PathGenericKubeconfig is the full path of the kubeconfig file below VolumeMountPathGenericKubeconfig.
	PathGenericKubeconfig = VolumeMountPathGenericKubeconfig + "/" + secrets.DataKeyKubeconfig
)
const (
	// ProjectNamespacePrefix is the prefix of namespaces representing projects.
	ProjectNamespacePrefix = "garden-"
)

ProjectNamespacePrefix is the prefix of namespaces representing projects.

// SeedNamespaceNamePrefix is the prefix used for seed namespaces.
const SeedNamespaceNamePrefix = "seed-"

Variables

// NoControlPlaneSecretsReq is a label selector requirement matching secrets whose garden role is NOT one of
// the control plane secret roles, i.e. it selects non-control plane secrets.
var NoControlPlaneSecretsReq = utils.MustNewRequirement(constants.GardenRole, selection.NotIn, constants.ControlPlaneSecretRoles...)

// UncontrolledSecretSelector selects objects that are managed by operators/users rather than created by
// Gardener controllers. It is built from NoControlPlaneSecretsReq.
var UncontrolledSecretSelector = client.MatchingLabelsSelector{Selector: labels.NewSelector().Add(NoControlPlaneSecretsReq)}
var (
	// TimeNow returns the current time. It is a package-level variable (rather than a direct call to
	// time.Now) so that it can be replaced in tests.
	TimeNow = time.Now
)

TimeNow returns the current time. Exposed for testing.

Functions

func CheckIfDeletionIsConfirmed added in v1.21.0

func CheckIfDeletionIsConfirmed(obj client.Object) error

CheckIfDeletionIsConfirmed returns whether the deletion of an object is confirmed or not.

func ComputeGardenNamespace

func ComputeGardenNamespace(seedName string) string

ComputeGardenNamespace returns the name of the namespace belonging to the given seed in the Garden cluster.

func ComputeNginxIngressClassForSeed added in v1.59.0

func ComputeNginxIngressClassForSeed(seed *gardencorev1beta1.Seed, kubernetesVersion *string) (string, error)

ComputeNginxIngressClassForSeed returns the IngressClass for the Nginx Ingress controller.

func ComputeSeedName

func ComputeSeedName(seedNamespaceName string) string

ComputeSeedName computes the name of the seed out of the seed namespace in the Garden cluster.

func ComputeShootProjectSecretName added in v1.24.0

func ComputeShootProjectSecretName(shootName, suffix string) string

ComputeShootProjectSecretName computes the name of a shoot-related project secret.

func ConfirmDeletion added in v1.21.0

func ConfirmDeletion(ctx context.Context, w client.Writer, obj client.Object) error

ConfirmDeletion adds Gardener's deletion confirmation and timestamp annotation to the given object and sends a PATCH request. It does not ignore `NotFound` errors while patching.

func EffectiveMaintenanceTimeWindow added in v1.21.0

func EffectiveMaintenanceTimeWindow(timeWindow *timewindow.MaintenanceTimeWindow) *timewindow.MaintenanceTimeWindow

EffectiveMaintenanceTimeWindow cuts a maintenance time window at the end with a guess of 15 minutes. It is subtracted from the end of a maintenance time window to use a best-effort kind of finishing the operation before the end. Generally, we can't make sure that the maintenance operation is done by the end of the time window anyway (considering large clusters with hundreds of nodes, a rolling update will take several hours).

func EffectiveShootMaintenanceTimeWindow added in v1.21.0

func EffectiveShootMaintenanceTimeWindow(shoot *v1beta1.Shoot) *timewindow.MaintenanceTimeWindow

EffectiveShootMaintenanceTimeWindow returns the effective MaintenanceTimeWindow of the given Shoot.

func ExtractShootDetailsFromBackupEntryName added in v1.24.0

func ExtractShootDetailsFromBackupEntryName(backupEntryName string) (shootTechnicalID string, shootUID types.UID)

ExtractShootDetailsFromBackupEntryName returns the Shoot resource's technical ID and its UID, extracted from the provided <backupEntryName>.

func GenerateBackupEntryName added in v1.24.0

func GenerateBackupEntryName(shootTechnicalID string, shootUID types.UID) (string, error)

GenerateBackupEntryName returns the BackupEntry resource name created from the provided <seedNamespace> and <shootUID>.

func GenerateDNSProviderName added in v1.21.0

func GenerateDNSProviderName(secretName, providerType string) string

GenerateDNSProviderName creates a name for the dns provider out of the passed `secretName` and `providerType`.

func GetAPIServerDomain added in v1.21.0

func GetAPIServerDomain(domain string) string

GetAPIServerDomain returns the fully qualified domain name for the api-server of the Shoot cluster. The end result is 'api.<domain>'.

func GetDomainInfoFromAnnotations added in v1.21.0

func GetDomainInfoFromAnnotations(annotations map[string]string) (provider string, domain string, zone string, includeZones, excludeZones []string, err error)

GetDomainInfoFromAnnotations returns the provider, domain, and zones that are specified in the given annotations.

func GetMandatoryExposureClassHandlerSNILabels added in v1.27.0

func GetMandatoryExposureClassHandlerSNILabels(labels map[string]string, exposureClassName string) map[string]string

GetMandatoryExposureClassHandlerSNILabels gets the labels of an ExposureClass handler plus its name and adds the mandatory SNI labels for ExposureClass handlers to them. Existing label keys are overridden by the mandatory label keys.

func GetOwnerDomain added in v1.32.0

func GetOwnerDomain(domain string) string

GetOwnerDomain returns the fully qualified domain name for the owner of the Shoot cluster. The end result is 'owner.<domain>'.

func GetShootNameFromOwnerReferences added in v1.22.0

func GetShootNameFromOwnerReferences(objectMeta metav1.Object) string

GetShootNameFromOwnerReferences attempts to get the name of the Shoot object which owns the passed in object. If it is not owned by a Shoot, an empty string is returned.

func GetShootProjectSecretSuffixes added in v1.24.0

func GetShootProjectSecretSuffixes() []string

GetShootProjectSecretSuffixes returns the list of shoot-related project secret suffixes.

func GetWildcardCertificate added in v1.59.0

func GetWildcardCertificate(ctx context.Context, c client.Client) (*corev1.Secret, error)

GetWildcardCertificate gets the wildcard certificate for the seed's ingress domain. Nil is returned if no wildcard certificate is configured.

func InjectGenericKubeconfig added in v1.36.0

func InjectGenericKubeconfig(obj runtime.Object, genericKubeconfigName, accessSecretName string, containerNames ...string) error

InjectGenericKubeconfig injects the volumes and volume mounts for the generic shoot kubeconfig into the provided object. The access secret name must be the name of a secret containing a JWT token which should be used by the kubeconfig. If the object has multiple containers then the default is to inject it into all of them. If it should only be done for a selection of containers then their respective names must be provided.

func IsNowInEffectiveShootMaintenanceTimeWindow added in v1.21.0

func IsNowInEffectiveShootMaintenanceTimeWindow(shoot *v1beta1.Shoot) bool

IsNowInEffectiveShootMaintenanceTimeWindow checks if the current time is in the effective maintenance time window of the Shoot.

func IsObservedAtLatestGenerationAndSucceeded added in v1.21.0

func IsObservedAtLatestGenerationAndSucceeded(shoot *v1beta1.Shoot) bool

IsObservedAtLatestGenerationAndSucceeded checks whether the Shoot's generation has changed or if the LastOperation status is Succeeded.

func IsSeedClientCert added in v1.23.0

func IsSeedClientCert(x509cr *x509.CertificateRequest, usages []certificatesv1.KeyUsage) (bool, string)

IsSeedClientCert returns true when the given CSR and usages match the requirements for a client certificate for a seed. If false is returned, a reason will be returned explaining which requirement was not met.

func IsShootFailed added in v1.21.0

func IsShootFailed(shoot *v1beta1.Shoot) bool

IsShootFailed checks if a Shoot is failed.

func IsShootProjectSecret added in v1.24.0

func IsShootProjectSecret(secretName string) (string, bool)

IsShootProjectSecret checks if the given name matches the name of a shoot-related project secret. If no, it returns an empty string and <false>. Otherwise, it returns the shoot name and <true>.

func LastReconciliationDuringThisTimeWindow added in v1.21.0

func LastReconciliationDuringThisTimeWindow(shoot *v1beta1.Shoot) bool

LastReconciliationDuringThisTimeWindow returns true if <now> is contained in the given effective maintenance time window of the shoot and if the <lastReconciliation> did not happen longer than the longest possible duration of a maintenance time window.

func NamespaceNameForControllerInstallation added in v1.58.0

func NamespaceNameForControllerInstallation(controllerInstallation *gardencorev1beta1.ControllerInstallation) string

NamespaceNameForControllerInstallation returns the name of the namespace that will be used for the extension controller in the seed.

func ProjectAndNamespaceFromReader added in v1.21.0

func ProjectAndNamespaceFromReader(ctx context.Context, reader client.Reader, namespaceName string) (*gardencorev1beta1.Project, *corev1.Namespace, error)

ProjectAndNamespaceFromReader returns the Project responsible for a given <namespace>. It reads the namespace and fetches the project name label. Then it will read the project with the respective name.

func ProjectForNamespaceFromReader added in v1.21.0

func ProjectForNamespaceFromReader(ctx context.Context, reader client.Reader, namespaceName string) (*gardencorev1beta1.Project, error)

ProjectForNamespaceFromReader returns the Project responsible for a given <namespace>. It reads the namespace and fetches the project name label. Then it will read the project with the respective name.

func RespectShootSyncPeriodOverwrite added in v1.21.0

func RespectShootSyncPeriodOverwrite(respectSyncPeriodOverwrite bool, shoot *v1beta1.Shoot) bool

RespectShootSyncPeriodOverwrite checks whether to respect the sync period overwrite of a Shoot or not.

func ShouldIgnoreShoot added in v1.21.0

func ShouldIgnoreShoot(respectSyncPeriodOverwrite bool, shoot *v1beta1.Shoot) bool

ShouldIgnoreShoot determines whether a Shoot should be ignored or not.

func SyncPeriodOfShoot added in v1.21.0

func SyncPeriodOfShoot(respectSyncPeriodOverwrite bool, defaultMinSyncPeriod time.Duration, shoot *v1beta1.Shoot) time.Duration

SyncPeriodOfShoot determines the sync period of the given shoot.

If no overwrite is allowed, the defaultMinSyncPeriod is returned. Otherwise, the overwrite is parsed. If an error occurs or it is smaller than the defaultMinSyncPeriod, the defaultMinSyncPeriod is returned. Otherwise, the overwrite is returned.

Types

type ShootAccessSecret added in v1.36.0

type ShootAccessSecret struct {
	Secret             *corev1.Secret
	ServiceAccountName string
	// contains filtered or unexported fields
}

ShootAccessSecret contains settings for a shoot access secret consumed by a component communicating with a shoot API server.

func NewShootAccessSecret added in v1.36.0

func NewShootAccessSecret(name, namespace string) *ShootAccessSecret

NewShootAccessSecret returns a new ShootAccessSecret object and initializes it with an empty corev1.Secret object for the given name and namespace. If not already done, the name will be prefixed with the SecretNamePrefixShootAccess. The ServiceAccountName field will be defaulted to the name.

func (*ShootAccessSecret) Reconcile added in v1.36.0

func (s *ShootAccessSecret) Reconcile(ctx context.Context, c client.Client) error

Reconcile creates or patches the given shoot access secret. Based on the struct configuration, it adds the required annotations for the token requestor controller of gardener-resource-manager.

func (*ShootAccessSecret) WithKubeconfig added in v1.36.0

func (s *ShootAccessSecret) WithKubeconfig(kubeconfigRaw *clientcmdv1.Config) *ShootAccessSecret

WithKubeconfig sets the kubeconfig field of the ShootAccessSecret.

func (*ShootAccessSecret) WithNameOverride added in v1.36.0

func (s *ShootAccessSecret) WithNameOverride(name string) *ShootAccessSecret

WithNameOverride sets the ObjectMeta.Name field of the *corev1.Secret inside the ShootAccessSecret.

func (*ShootAccessSecret) WithNamespaceOverride added in v1.36.0

func (s *ShootAccessSecret) WithNamespaceOverride(namespace string) *ShootAccessSecret

WithNamespaceOverride sets the ObjectMeta.Namespace field of the *corev1.Secret inside the ShootAccessSecret.

func (*ShootAccessSecret) WithServiceAccountName added in v1.36.0

func (s *ShootAccessSecret) WithServiceAccountName(name string) *ShootAccessSecret

WithServiceAccountName sets the ServiceAccountName field of the ShootAccessSecret.

func (*ShootAccessSecret) WithTargetSecret added in v1.38.0

func (s *ShootAccessSecret) WithTargetSecret(name, namespace string) *ShootAccessSecret

WithTargetSecret sets the kubeconfig field of the ShootAccessSecret.

func (*ShootAccessSecret) WithTokenExpirationDuration added in v1.36.0

func (s *ShootAccessSecret) WithTokenExpirationDuration(duration string) *ShootAccessSecret

WithTokenExpirationDuration sets the tokenExpirationDuration field of the ShootAccessSecret.
