Overview ¶
Package resources holds simple functions for synthesizing child resources from a Space.
Index ¶
- func BuildImagePushSecretName(secret *corev1.Secret) string
- func BuildServiceAccountName(space *v1alpha1.Space) string
- func ClusterRoleBindingName(space *v1alpha1.Space, role RoleName) string
- func FilterSubjectsByClusterRole(includeRoles []RoleName, roleBindings []*rbacv1.RoleBinding) []rbacv1.Subject
- func GetRoleBindingName(role, space string) string
- func MakeAppNetworkPolicy(space *v1alpha1.Space) (*networkingv1.NetworkPolicy, error)
- func MakeBuildNetworkPolicy(space *v1alpha1.Space) (*networkingv1.NetworkPolicy, error)
- func MakeBuildServiceAccount(space *v1alpha1.Space, kfSecrets []*corev1.Secret, gsaName string, ...) (*corev1.ServiceAccount, []*corev1.Secret, error)
- func MakeClusterRoleBinding(space *v1alpha1.Space, role RoleName, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding
- func MakeIAMPolicy(project, gsaName string, spaces []*v1alpha1.Space) (*unstructured.Unstructured, error)
- func MakeNamespace(space *v1alpha1.Space, asmRev string) (*v1.Namespace, error)
- func MakeRoleBindingForClusterRole(space *v1alpha1.Space, clusterRoleName RoleName) *rbacv1.RoleBinding
- func MakeSourceBuilderRole(space *v1alpha1.Space) *rbacv1.Role
- func MakeSourceBuilderRoleBinding(space *v1alpha1.Space) *rbacv1.RoleBinding
- func MakeSpaceManagerClusterRole(space *v1alpha1.Space) *rbacv1.ClusterRole
- func NamespaceName(space *v1alpha1.Space) string
- func RoleBindingName(space *v1alpha1.Space, role RoleName) string
- type RoleName
Examples ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func BuildImagePushSecretName ¶
BuildImagePushSecretName generates a name for a secret given the original secret from config-secrets.
Example ¶
// A Secret with only its name set is enough: the name is what the
// generated image-push secret name is derived from.
secret := new(corev1.Secret)
secret.Name = "gcr-key" // ObjectMeta is embedded, so Name is promoted
fmt.Println(BuildImagePushSecretName(secret))
Output: kf-registry-gcr-key
func BuildServiceAccountName ¶
BuildServiceAccountName gets the name of the service account for the given space.
Example ¶
// The service account name comes from the Space's build configuration status.
space := &v1alpha1.Space{
	Status: v1alpha1.SpaceStatus{
		BuildConfig: v1alpha1.SpaceStatusBuildConfig{
			ServiceAccount: "some-name",
		},
	},
}
fmt.Println(BuildServiceAccountName(space))
Output: some-name
func ClusterRoleBindingName ¶
ClusterRoleBindingName generates the binding name for a given Role.
func FilterSubjectsByClusterRole ¶
func FilterSubjectsByClusterRole(includeRoles []RoleName, roleBindings []*rbacv1.RoleBinding) []rbacv1.Subject
FilterSubjectsByClusterRole returns a list of subjects from the given RoleBindings that reference any of the given ClusterRoles.
The returned list is in a deterministic order.
func GetRoleBindingName ¶
GetRoleBindingName finds the [space] RoleBinding name given an input role name.
func MakeAppNetworkPolicy ¶
func MakeAppNetworkPolicy(space *v1alpha1.Space) (*networkingv1.NetworkPolicy, error)
MakeAppNetworkPolicy creates a network policy targeting apps.
func MakeBuildNetworkPolicy ¶
func MakeBuildNetworkPolicy(space *v1alpha1.Space) (*networkingv1.NetworkPolicy, error)
MakeBuildNetworkPolicy creates a network policy targeting builds.
func MakeBuildServiceAccount ¶
func MakeBuildServiceAccount( space *v1alpha1.Space, kfSecrets []*corev1.Secret, gsaName string, containerregistry string, ) (*corev1.ServiceAccount, []*corev1.Secret, error)
MakeBuildServiceAccount creates a ServiceAccount for build pipelines to use.
Example (EmptyGSA) ¶
// Build the inputs up front so the call itself reads clearly.
space := &v1alpha1.Space{
	ObjectMeta: metav1.ObjectMeta{
		Name: "some-space",
	},
	Status: v1alpha1.SpaceStatus{
		BuildConfig: v1alpha1.SpaceStatusBuildConfig{
			ServiceAccount: "build-creds",
		},
	},
}
kfSecrets := []*corev1.Secret{
	{
		ObjectMeta: metav1.ObjectMeta{Name: "gcr-key"},
		Data: map[string][]byte{
			"key-1": []byte("value-1"),
			"key-2": []byte("value-2"),
		},
	},
	{
		ObjectMeta: metav1.ObjectMeta{Name: "ar-key"},
		Data: map[string][]byte{
			"key-3": []byte("value-3"),
			"key-4": []byte("value-4"),
		},
	},
}

// With an empty GSA name the resulting ServiceAccount carries no
// annotations (see the Output below).
sa, secrets, err := MakeBuildServiceAccount(space, kfSecrets, "", "ContainerRegistry")
if err != nil {
	panic(err)
}

// Collect the referenced secret names so each list prints on one line.
saSecretNames := make([]string, 0, len(sa.Secrets))
for i := range sa.Secrets {
	saSecretNames = append(saSecretNames, sa.Secrets[i].Name)
}
saImagePullSecretNames := make([]string, 0, len(sa.ImagePullSecrets))
for i := range sa.ImagePullSecrets {
	saImagePullSecretNames = append(saImagePullSecretNames, sa.ImagePullSecrets[i].Name)
}

fmt.Println("ServiceAccount Name:", sa.Name)
fmt.Println("ServiceAccount Namespace:", sa.Namespace)
fmt.Println("ServiceAccount Managed Label:", sa.Labels[v1alpha1.ManagedByLabel])
fmt.Println("ServiceAccount Annotations:", sa.Annotations)
fmt.Println("ServiceAccount Secrets:", strings.Join(saSecretNames, ", "))
fmt.Println("ServiceAccount ImagePullSecrets:", strings.Join(saImagePullSecretNames, ", "))
fmt.Println("Secrets Count:", len(secrets))

// First synthesized secret (derived from "gcr-key").
first := secrets[0]
fmt.Println("Secret Name:", first.Name)
fmt.Println("Secret Type:", first.Type)
fmt.Println("Secret Namespace:", first.Namespace)
fmt.Println("Secret Managed Label:", first.Labels[v1alpha1.ManagedByLabel])
fmt.Println("Secret Data[key-1]:", string(first.Data["key-1"]))
fmt.Println("Secret Data[key-2]:", string(first.Data["key-2"]))
fmt.Println("Secret Annotation:", string(first.Annotations["tekton.dev/docker-0"]))
fmt.Println()

// Second synthesized secret (derived from "ar-key").
second := secrets[1]
fmt.Println("Secret Name:", second.Name)
fmt.Println("Secret Type:", second.Type)
fmt.Println("Secret Namespace:", second.Namespace)
fmt.Println("Secret Managed Label:", second.Labels[v1alpha1.ManagedByLabel])
fmt.Println("Secret Data[key-3]:", string(second.Data["key-3"]))
fmt.Println("Secret Data[key-4]:", string(second.Data["key-4"]))
fmt.Println("Secret Annotation:", string(second.Annotations["tekton.dev/docker-1"]))
Output: ServiceAccount Name: build-creds ServiceAccount Namespace: some-space ServiceAccount Managed Label: kf ServiceAccount Annotations: map[] ServiceAccount Secrets: kf-registry-gcr-key, kf-registry-ar-key ServiceAccount ImagePullSecrets: kf-registry-gcr-key, kf-registry-ar-key Secrets Count: 2 Secret Name: kf-registry-gcr-key Secret Type: kubernetes.io/dockerconfigjson Secret Namespace: some-space Secret Managed Label: kf Secret Data[key-1]: value-1 Secret Data[key-2]: value-2 Secret Annotation: ContainerRegistry Secret Name: kf-registry-ar-key Secret Type: kubernetes.io/dockerconfigjson Secret Namespace: some-space Secret Managed Label: kf Secret Data[key-3]: value-3 Secret Data[key-4]: value-4 Secret Annotation: ContainerRegistry
Example (WithGSA) ¶
space := &v1alpha1.Space{
	Status: v1alpha1.SpaceStatus{
		BuildConfig: v1alpha1.SpaceStatusBuildConfig{
			ServiceAccount: "build-creds",
		},
	},
}

// No Kf secrets are passed; only the GSA name is supplied, so the
// ServiceAccount ends up annotated but with no secrets attached.
sa, _, err := MakeBuildServiceAccount(space, nil, "some-gsa", "")
if err != nil {
	panic(err)
}

fmt.Println("ServiceAccount Annotations:", sa.Annotations)
fmt.Println("ServiceAccount len(Secrets):", len(sa.Secrets))
Output: ServiceAccount Annotations: map[iam.gke.io/gcp-service-account:some-gsa] ServiceAccount len(Secrets): 0
func MakeClusterRoleBinding ¶
func MakeClusterRoleBinding(space *v1alpha1.Space, role RoleName, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding
MakeClusterRoleBinding creates a populated RoleBinding for a given Role.
func MakeIAMPolicy ¶
func MakeIAMPolicy(project, gsaName string, spaces []*v1alpha1.Space) (*unstructured.Unstructured, error)
MakeIAMPolicy returns an IAM Policy for the given Spaces.
func MakeNamespace ¶
MakeNamespace creates a Namespace from a Space object.
Example ¶
space := new(v1alpha1.Space)
space.ObjectMeta.Name = "my-space"

ns, err := MakeNamespace(space, "some-asm-rev")
if err != nil {
	panic(err)
}

// Inspect the labels the Namespace was synthesized with.
labels := ns.Labels
fmt.Println("Name:", NamespaceName(space))
fmt.Println("Label Count:", len(labels))
fmt.Println("Managed By:", labels[managedByLabel])
fmt.Println("Metadata name:", labels[v1.LabelMetadataName])
fmt.Println("Istio Injection:", labels[networking.IstioInjectionLabel])
Output: Name: my-space Label Count: 3 Managed By: kf Metadata name: my-space Istio Injection: some-asm-rev
func MakeRoleBindingForClusterRole ¶
func MakeRoleBindingForClusterRole(space *v1alpha1.Space, clusterRoleName RoleName) *rbacv1.RoleBinding
MakeRoleBindingForClusterRole creates a blank RoleBinding for a given Role. These have no subjects, so Kf is kept out of the critical path of actuating or validating the ability to update RoleBindings, which would open the way to privilege escalation.
Kf is responsible for ensuring this type exists, but allows users to edit it to perform the actual binding.
func MakeSourceBuilderRole ¶
MakeSourceBuilderRole creates a Role to allow requests to the sourcepackages upload subresource api.
func MakeSourceBuilderRoleBinding ¶
func MakeSourceBuilderRoleBinding(space *v1alpha1.Space) *rbacv1.RoleBinding
MakeSourceBuilderRoleBinding creates a RoleBinding to allow requests to the sourcepackages upload subresource api from the kf-builder.
func MakeSpaceManagerClusterRole ¶
func MakeSpaceManagerClusterRole(space *v1alpha1.Space) *rbacv1.ClusterRole
MakeSpaceManagerClusterRole creates a ClusterRole that gives Space managers the ability to read and modify the given Space (but not create or delete it).
func NamespaceName ¶
NamespaceName gets the name of a namespace given the space.
Example ¶
// Only the Space's name is needed to derive the namespace name.
space := new(v1alpha1.Space)
space.ObjectMeta.Name = "my-space"
fmt.Println(NamespaceName(space))
Output: my-space
Types ¶
type RoleName ¶
// RoleName is the name of a ClusterRole that Kf uses; it is a plain
// string type so the role constants can be passed where a name is expected.
type RoleName string
RoleName contains the names of ClusterRoles that Kf uses.
// SpaceManager holds the name of the ClusterRole for Kf Space managers.
const SpaceManager RoleName = "space-manager"

// SpaceDeveloper holds the name of the ClusterRole for Kf Space developers.
const SpaceDeveloper RoleName = "space-developer"

// SpaceAuditor holds the name of the ClusterRole for Kf Space auditors.
const SpaceAuditor RoleName = "space-auditor"
// ClusterReaderRole holds the name of the ClusterRole that grants read
// access at the cluster scope for Kf developers, managers, and auditors.
const ClusterReaderRole RoleName = "kf-cluster-reader"
func AllRoleNames ¶
func AllRoleNames() []RoleName
AllRoleNames returns the list of Roles that Kf supports.
func ClusterRoleName ¶
ClusterRoleName generates the ClusterRole name for a given Space.