Documentation
Overview
Package synccontroller provides a Kubernetes reconciler that syncs resources of a specified GVK from a remote Kubernetes cluster to a local Kubernetes cluster.
This can be used to create remote management planes, where many local clusters listen to a management cluster for new resources, create their own copies when they appear remotely, and upload any status that results from local reconciliation.
For a given resource:
- The resource on the remote cluster is the source of truth, and Reconciler copies its spec to the resource in the local cluster.
- The resource on the local cluster is created automatically if it does not exist, and Reconciler copies its status to the resource in the remote cluster.
- If the remote resource's namespace does not exist on the local cluster, Reconciler creates it.
- If the remote resource is deleted, Reconciler deletes the entire local namespace (if created by sync-controller).
- If the local namespace was not created by sync-controller, Reconciler will not delete any resources.
Additionally, if secrets controlled by the local resource are created, and they match pre-defined names, Reconciler updates those secrets in the remote cluster and sets their controller to be the remote resource. The remote secrets must exist already, so that RBAC may be restricted to updates. This feature should only be used with short-lived secrets.
The remote namespace and resource names may be suffixed with strings that are removed when created locally. If these suffixes are missing, the remote resource is ignored.
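As an added example (not the package's own code), a stdlib-only sketch of the rules above: the prefix/suffix name mapping that decides whether a remote resource is synced or ignored, the pause annotation, and the guard that only lets a local namespace be deleted when sync-controller created it. The function names and the owner-annotation value format are assumptions; the annotation keys are the package's constants.

```go
package main

import "strings"

// Annotation keys from the package's Constants section.
const (
	annotationPaused         = "cloud.teleport.dev/paused"
	annotationNamespaceOwner = "cloud.teleport.dev/sync-owner"
)

// localNames maps a remote namespace/name pair to the local pair, applying
// NamespacePrefix, LocalNamespaceSuffix and RemoteResourceSuffix. ok is false
// when the remote resource must be ignored (prefix or a suffix missing, or an
// empty name left after trimming).
func localNames(remoteNS, remoteName, nsPrefix, nsSuffix, nameSuffix string) (ns, name string, ok bool) {
	if !strings.HasPrefix(remoteNS, nsPrefix) || !strings.HasSuffix(remoteNS, nsSuffix) {
		return "", "", false
	}
	if !strings.HasSuffix(remoteName, nameSuffix) {
		return "", "", false
	}
	ns = strings.TrimSuffix(remoteNS, nsSuffix)
	name = strings.TrimSuffix(remoteName, nameSuffix)
	if ns == "" || name == "" {
		return "", "", false
	}
	return ns, name, true
}

// isPaused reports whether the pause annotation is present on either the
// local or the remote object; treating presence (any value) as paused is an
// assumption of this example.
func isPaused(localAnn, remoteAnn map[string]string) bool {
	_, l := localAnn[annotationPaused]
	_, r := remoteAnn[annotationPaused]
	return l || r
}

// mayDeleteLocalNamespace encodes the deletion guard: the local namespace is
// removed only when it carries the owner annotation set to this controller's
// identity. The owner value format is an assumption of this example.
func mayDeleteLocalNamespace(nsAnn map[string]string, owner string) bool {
	return nsAnn[annotationNamespaceOwner] == owner
}
```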
Constants
const (
	// AnnotationPaused is the annotation used to pause the controller (on either local or remote resource).
	AnnotationPaused = "cloud.teleport.dev/paused"
	// AnnotationNamespaceOwner is the annotation placed on namespaces to know who created them.
	AnnotationNamespaceOwner = "cloud.teleport.dev/sync-owner"
	// AnnotationLastUploadedHash is the annotation placed on resources to represent their last uploaded values.
	AnnotationLastUploadedHash = "cloud.teleport.dev/last-uploaded-hash"
	// AnnotationRemoteGeneration is the annotation placed on remote resources to provide the synced remote generation.
	AnnotationRemoteGeneration = "cloud.teleport.dev/sync-remote-generation"
	// AnnotationLocalGeneration is the annotation placed on remote resources to provide the synced local generation.
	AnnotationLocalGeneration = "cloud.teleport.dev/sync-local-generation"
	// FinalizerRemote is the finalizer that holds remote deletion on local deletion.
	// FinalizerRemote is added by sync-controller to claim the remote resource.
	FinalizerRemote = "cloud.teleport.dev/sync-local"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Reconciler
type Reconciler struct {
	// Client is the local client, where the resource is created
	client.Client
	// RemoteClient is the remote client, where spec is copied from
	RemoteClient client.Client
	// RemoteCache is the remote cluster cache
	RemoteCache cache.Cache
	// Scheme is the Kubernetes scheme
	Scheme *runtime.Scheme
	// Resource specifies the GVK to sync. MUST have Spec and Status struct fields.
	Resource client.Object
	// RemoteResourceSuffix specifies a suffix to append to all remote resources.
	// Sync-controller ignores remote resources without this suffix.
	// It is removed from the locally created sync resource.
	RemoteResourceSuffix string
	// LocalNamespaceSuffix specifies a suffix to append to the local namespace.
	// Sync-controller ignores local namespaces without this suffix.
	// It is removed from the locally created sync namespace.
	LocalNamespaceSuffix string
	// NamespacePrefix specifies a prefix to require for all namespaces.
	// Sync-controller ignores namespaces without this prefix.
	NamespacePrefix string
	// LocalSecretNames specifies secret names to sync from the local cluster
	// to the remote cluster. For security,
	// - Local secrets must be controlled by the locally created resource.
	// - Remote secrets created will be controlled by the remote resource.
	// - Secrets are only synced after status is successfully synced.
	LocalSecretNames []string
	// LocalPropagationPolicy determines how the local resource will be deleted.
	// Defaults to Foreground if not set.
	// See client.PropagationPolicy for details.
	LocalPropagationPolicy client.PropagationPolicy
	// ConcurrentReconciles sets the number of concurrent reconciles.
	ConcurrentReconciles int
}
Reconciler syncs objects matching the GVK of Resource (and controlled secrets) between clusters. Reconciler does not support runtime configuration of the synced objects, but the synced object may be provided at compile-time in Resource.
func (*Reconciler) Reconcile
Reconcile is part of the main Kubernetes reconciliation loop, which aims to move the current state of the cluster closer to the desired state. For more details, check Reconcile and its Result here:
- https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.14.1/pkg/reconcile
func (*Reconciler) SetupWithManager
func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager sets up the controller with the Manager.