Documentation
Index
- Constants
- func CreateNewServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, ...) error
- func DeleteOldServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, ...) error
- func PatchKubeAPIServerDeploymentMeta(ctx context.Context, c client.Client, namespace, namePrefix string, ...) error
- func RewriteSecretsAddLabel(ctx context.Context, log logr.Logger, c client.Client, ...) error
- func RewriteSecretsRemoveLabel(ctx context.Context, log logr.Logger, ...) error
- func SnapshotETCDAfterRewritingSecrets(ctx context.Context, runtimeClient client.Client, ...) error
Constants
const (
	// AnnotationKeyNewEncryptionKeyPopulated is an annotation indicating that the new ETCD encryption key was populated
	AnnotationKeyNewEncryptionKeyPopulated = "credentials.gardener.cloud/new-encryption-key-populated"
	// AnnotationKeyEtcdSnapshotted is an annotation indicating that ETCD snapshot was completed
	AnnotationKeyEtcdSnapshotted = "credentials.gardener.cloud/etcd-snapshotted"
)
Variables
This section is empty.
Functions
func CreateNewServiceAccountSecrets
func CreateNewServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, secretsManager secretsmanager.Interface) error
CreateNewServiceAccountSecrets creates new secrets for all service accounts in the target cluster. This should only be executed in the 'Preparing' phase of the service account signing key rotation operation.
func DeleteOldServiceAccountSecrets
func DeleteOldServiceAccountSecrets(ctx context.Context, log logr.Logger, c client.Client, serviceAccountLastInitiationFinishedTime time.Time) error
DeleteOldServiceAccountSecrets deletes old secrets for all service accounts in the target cluster. This should only be executed in the 'Completing' phase of the service account signing key rotation operation.
func PatchKubeAPIServerDeploymentMeta
func PatchKubeAPIServerDeploymentMeta(ctx context.Context, c client.Client, namespace, namePrefix string, mutate func(deployment *metav1.PartialObjectMetadata)) error
PatchKubeAPIServerDeploymentMeta patches the metadata of a Kubernetes API-Server deployment.
func RewriteSecretsAddLabel
func RewriteSecretsAddLabel(ctx context.Context, log logr.Logger, c client.Client, secretsManager secretsmanager.Interface) error
RewriteSecretsAddLabel patches all secrets in all namespaces of the target cluster and adds a label whose value is the name of the current ETCD encryption key secret. This function is useful for the ETCD encryption key secret rotation, which requires all secrets to be rewritten to ETCD so that they become encrypted with the new key. After it's done, it snapshots ETCD so that backups can be restored in case the cluster is lost before the next incremental snapshot is taken.
func RewriteSecretsRemoveLabel
func RewriteSecretsRemoveLabel(ctx context.Context, log logr.Logger, runtimeClient, targetClient client.Client, kubeAPIServerNamespace, namePrefix string) error
RewriteSecretsRemoveLabel patches all secrets in all namespaces of the target cluster and removes the label whose value is the name of the current ETCD encryption key secret. This function is useful for the ETCD encryption key secret rotation, which requires all secrets to be rewritten to ETCD so that they become encrypted with the new key.
func SnapshotETCDAfterRewritingSecrets
func SnapshotETCDAfterRewritingSecrets(ctx context.Context, runtimeClient client.Client, snapshotEtcd func(ctx context.Context) error, kubeAPIServerNamespace, namePrefix string) error
SnapshotETCDAfterRewritingSecrets performs a full snapshot of ETCD after the secrets have been rewritten as part of the ETCD encryption secret rotation. Once the snapshot has succeeded, it adds an annotation to the kube-apiserver deployment so that no further snapshot is taken on subsequent runs.
Types
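The rewrite-and-snapshot idea behind RewriteSecretsAddLabel, RewriteSecretsRemoveLabel and SnapshotETCDAfterRewritingSecrets, as an added stand-alone example that is not Gardener's own code: it builds the JSON merge patches that stamp or strip the key-name label and checks the marker annotation before snapshotting. The label key LabelKeyEncryptionKey and the sample secret are assumptions; the page names only the annotation constants.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const (
	// AnnotationKeyEtcdSnapshotted is the marker annotation documented on this page.
	AnnotationKeyEtcdSnapshotted = "credentials.gardener.cloud/etcd-snapshotted"
	// LabelKeyEncryptionKey is an assumed label key; the page does not name the real one.
	LabelKeyEncryptionKey = "example.gardener.cloud/etcd-encryption-key"
)

// SecretMeta is the subset of secret metadata the rewrite needs.
type SecretMeta struct {
	Namespace, Name string
	Labels          map[string]string
}

// labelPatch builds a JSON merge patch setting the key label to v; nil deletes the label.
func labelPatch(v any) ([]byte, error) {
	return json.Marshal(map[string]any{"metadata": map[string]any{
		"labels": map[string]any{LabelKeyEncryptionKey: v}}})
}

// rewritePatch returns the patch stamping a secret with the current encryption key secret's
// name, or nil if it already carries it. Any write via the kube-apiserver re-encrypts the object
// at rest with the active key, so this cosmetic label forces re-encryption and is idempotent.
func rewritePatch(s SecretMeta, currentKeySecretName string) ([]byte, error) {
	if s.Labels[LabelKeyEncryptionKey] == currentKeySecretName {
		return nil, nil // already rewritten under the current key; skip
	}
	return labelPatch(currentKeySecretName)
}

// removePatch drops the label again in the Completing phase.
func removePatch() ([]byte, error) { return labelPatch(nil) }

// snapshotNeeded reports whether the full ETCD snapshot is still outstanding (no marker annotation yet).
func snapshotNeeded(deploymentAnnotations map[string]string) bool {
	_, done := deploymentAnnotations[AnnotationKeyEtcdSnapshotted]
	return !done
}

func main() { // constructed sample input
	p, _ := rewritePatch(SecretMeta{Namespace: "default", Name: "stale"}, "etcd-encryption-key-2")
	fmt.Printf("patch=%s snapshot needed=%v\n", p, snapshotNeeded(nil))
}
```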
This section is empty.