Documentation ¶
Index ¶
- Constants
- func EscapeJSONPointer(s string) string
- func Init(pod *corev1.Pod, cfg *AgentInjectorConfig) error
- func ShouldInject(pod *corev1.Pod) (bool, error)
- type AgentInjector
- func (a *AgentInjector) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)
- func (a *AgentInjector) ContainerInitSidecar() (corev1.Container, error)
- func (a *AgentInjector) ContainerVolumeMounts() []corev1.VolumeMount
- func (a *AgentInjector) ContainerVolumes() []corev1.Volume
- func (a *AgentInjector) Patch() ([]byte, error)
- func (a *AgentInjector) Validate() error
- type AgentInjectorConfig
- type Handler
Constants ¶
const (
    // AnnotationAgentProvider sets a provider for the agent used to retrieve secrets
    AnnotationAgentProvider = "kubers.jacops.pl/agent-provider"

    // AnnotationAgentProviderAzureCredentialsSecret enables authentication via Azure service principal
    AnnotationAgentProviderAzureCredentialsSecret = "kubers.jacops.pl/agent-provider-azure-credentials-secret"

    // AnnotationAgentProviderAWSCredentialsSecret enables authentication via AWS keys
    AnnotationAgentProviderAWSCredentialsSecret = "kubers.jacops.pl/agent-provider-aws-credentials-secret"

    // AnnotationAgentProviderAWSRegion overrides aws region passed to the operator
    AnnotationAgentProviderAWSRegion = "kubers.jacops.pl/agent-provider-aws-region"

    // AnnotationAgentLogLevel sets a log level for the agent
    AnnotationAgentLogLevel = "kubers.jacops.pl/agent-log-level"

    // AnnotationAgentLogFormat sets a log format for the agent
    AnnotationAgentLogFormat = "kubers.jacops.pl/agent-log-format"

    // AnnotationAgentStatus is the key of the annotation that is added to
    // a pod after an injection is done.
    // There's only one valid status we care about: "injected".
    AnnotationAgentStatus = "kubers.jacops.pl/agent-inject-status"

    // AnnotationAgentInject is the key of the annotation that controls whether
    // injection is explicitly enabled or disabled for a pod. This should
    // be set to a true or false value, as parseable by strconv.ParseBool
    AnnotationAgentInject = "kubers.jacops.pl/agent-inject"

    // AnnotationAgentInjectSecret is the key annotation that configures Vault
    // Agent to retrieve the secrets from Vault required by the app. The name
    // of the secret is any unique string after "vault.hashicorp.com/agent-inject-secret-",
    // such as "vault.hashicorp.com/agent-inject-secret-foobar". The value is the
    // path in Vault where the secret is located.
    AnnotationAgentInjectSecret = "kubers.jacops.pl/agent-inject-secret"

    // AnnotationAgentImage is the name of the Vault docker image to use.
    AnnotationAgentImage = "kubers.jacops.pl/agent-image"

    // AnnotationVaultSecretVolumePath specifies where the secrets are to be
    // Mounted after fetching.
    AnnotationVaultSecretVolumePath = "kubers.jacops.pl/secret-volume-path"

    // AnnotationPreserveSecretCase if enabled will preserve the case of secret name
    // by default the name is converted to lower case.
    AnnotationPreserveSecretCase = "kubers.jacops.pl/preserve-secret-case"
)
const (
DefaultVaultImage = "jacops/kubers-agent"
)
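The secret annotations above deserve the most care, because the suffix after "agent-inject-secret-" becomes a filename on the shared secret volume. The Go code below is an added example and not the package's own parsing: Secret is a local stand-in for agent.Secret (an assumption about that type), and secretsFromAnnotations shows how the agent-inject-secret-<name> keys and preserve-secret-case could be turned into a sorted list, rejecting empty names, names that are not a single path component, empty paths, and names that collide once lower-cased.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Annotation keys as declared in the package constants above.
const (
	annotationAgentInjectSecret  = "kubers.jacops.pl/agent-inject-secret"
	annotationPreserveSecretCase = "kubers.jacops.pl/preserve-secret-case"
)

// Secret is a local stand-in for agent.Secret (assumption: the real type
// carries at least the unique name and the provider path).
type Secret struct {
	Name string // filename the agent renders the secret to
	Path string // location of the secret at the provider
}

// secretsFromAnnotations collects every "<AnnotationAgentInjectSecret>-<name>"
// annotation into a Secret, lower-casing the name unless
// AnnotationPreserveSecretCase is set. It rejects empty names, names that are
// not plain filenames, empty paths, and names that collide after case folding,
// so a typo cannot silently drop or overwrite a rendered secret.
func secretsFromAnnotations(annotations map[string]string) ([]Secret, error) {
	preserveCase := false
	if raw, ok := annotations[annotationPreserveSecretCase]; ok {
		b, err := strconv.ParseBool(raw)
		if err != nil {
			return nil, fmt.Errorf("annotation %s: %w", annotationPreserveSecretCase, err)
		}
		preserveCase = b
	}

	prefix := annotationAgentInjectSecret + "-"
	seen := map[string]string{} // folded name -> annotation key that claimed it
	var secrets []Secret
	for key, path := range annotations {
		if !strings.HasPrefix(key, prefix) {
			continue
		}
		name := strings.TrimPrefix(key, prefix)
		if name == "" {
			return nil, fmt.Errorf("annotation %s has no secret name", key)
		}
		// The name becomes a file under the secret volume path; keep it to a
		// single path component.
		if name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
			return nil, fmt.Errorf("annotation %s: %q is not a valid secret file name", key, name)
		}
		if strings.TrimSpace(path) == "" {
			return nil, fmt.Errorf("annotation %s has an empty secret path", key)
		}
		if !preserveCase {
			name = strings.ToLower(name)
		}
		if other, dup := seen[name]; dup {
			return nil, fmt.Errorf("secret name %q from %s collides with %s", name, key, other)
		}
		seen[name] = key
		secrets = append(secrets, Secret{Name: name, Path: path})
	}

	// Map iteration order is randomised; sort so the generated patch and agent
	// config are stable across reconciliations.
	sort.Slice(secrets, func(i, j int) bool { return secrets[i].Name < secrets[j].Name })
	return secrets, nil
}

func main() {
	// Constructed sample annotations, as a pod spec would carry them.
	annotations := map[string]string{
		"kubers.jacops.pl/agent-inject":                 "true",
		"kubers.jacops.pl/agent-inject-secret-DB-Creds": "secret/data/app/db",
		"kubers.jacops.pl/agent-inject-secret-api":      "secret/data/app/api",
	}
	secrets, err := secretsFromAnnotations(annotations)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range secrets {
		fmt.Printf("%s -> %s\n", s.Name, s.Path)
	}
}
```

The collision check matters because two annotations that differ only in case fold to the same filename when preserve-secret-case is off; without it the last one processed would silently win, and map iteration order makes "last" non-deterministic.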
Variables ¶
This section is empty.
Functions ¶
func EscapeJSONPointer ¶
func EscapeJSONPointer(s string) string
EscapeJSONPointer escapes a JSON string to be compliant with the JavaScript Object Notation (JSON) Pointer syntax RFC: https://tools.ietf.org/html/rfc6901.
Types ¶
type AgentInjector ¶
type AgentInjector struct {
    // Annotations are the current pod annotations used to
    // configure the Vault Agent container.
    Annotations map[string]string

    // ImageName is the name of the Vault image to use for the
    // sidecar container.
    ImageName string

    // Inject is the flag used to determine if a container should be requested
    // in a pod request.
    Inject bool

    // Patches are all the mutations we will make to the pod request.
    Patches []*jsonpatch.JsonPatchOperation

    // Pod is the original Kubernetes pod spec.
    Pod *corev1.Pod

    // Secrets are all the templates, the path in Vault where the secret can be
    // found, and the unique name of the secret which will be used for the filename.
    Secrets []*agent.Secret

    // Status is the current injection status. The only status considered is "injected",
    // which prevents further mutations. A user can patch this annotation to force a new
    // mutation.
    Status string
}
AgentInjector is the top level structure holding all the configurations for the Vault Agent container.
func New ¶
func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*AgentInjector, error)
New creates a new instance of Agent by parsing all the Kubernetes annotations.
func (*AgentInjector) ContainerEnvVars ¶
func (a *AgentInjector) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)
ContainerEnvVars adds the applicable environment vars for the Vault Agent sidecar.
func (*AgentInjector) ContainerInitSidecar ¶
func (a *AgentInjector) ContainerInitSidecar() (corev1.Container, error)
ContainerInitSidecar creates a new init container to be added to the pod being mutated. After Vault 1.4 is released, this can be removed because an exit_after_auth environment variable is available for the agent. This means we won't need to generate two config files.
func (*AgentInjector) ContainerVolumeMounts ¶
func (a *AgentInjector) ContainerVolumeMounts() []corev1.VolumeMount
ContainerVolumeMounts mounts the shared memory volume where secrets will be rendered.
func (*AgentInjector) ContainerVolumes ¶
func (a *AgentInjector) ContainerVolumes() []corev1.Volume
ContainerVolumes returns the volume data to add to the pod. These volumes are used for shared data between containers.
func (*AgentInjector) Patch ¶
func (a *AgentInjector) Patch() ([]byte, error)
Patch creates the necessary pod patches to inject the Vault Agent containers.
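Patch has to express the mutation as RFC 6902 operations, and two details trip up hand-built patches: annotation keys such as kubers.jacops.pl/agent-inject-status contain "/" and must be escaped with the RFC 6901 rules that EscapeJSONPointer implements, and an "add" to "/metadata/annotations/<key>" or "/spec/initContainers/-" fails when the parent map or array is absent from the pod. The following Go code is an added example, not the package's Patch or EscapeJSONPointer: patchOp is a local stand-in for jsonpatch.JsonPatchOperation (an assumption about its wire shape), and the sidecar value in main is a constructed placeholder for what ContainerInitSidecar would return.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const annotationAgentStatus = "kubers.jacops.pl/agent-inject-status"

// patchOp is a single RFC 6902 operation. The package's Patch emits
// jsonpatch.JsonPatchOperation values; this local struct (an assumption) uses
// the same wire shape so the marshalled output is what the API server expects.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// escapeJSONPointer implements the RFC 6901 rules: "~" becomes "~0" and "/"
// becomes "~1". With sequential replacement the order matters: escaping "~"
// first means the "~" introduced for each "/" is not escaped a second time.
func escapeJSONPointer(s string) string {
	s = strings.ReplaceAll(s, "~", "~0")
	return strings.ReplaceAll(s, "/", "~1")
}

// unescapeJSONPointer reverses escapeJSONPointer; here "~1" must go first,
// otherwise "~01" would wrongly turn into "/" instead of "~1".
func unescapeJSONPointer(s string) string {
	s = strings.ReplaceAll(s, "~1", "/")
	return strings.ReplaceAll(s, "~0", "~")
}

// appendOp adds value to the array at path. JSON Patch "add" to "<path>/-"
// fails when the array does not exist yet (for example a pod with no
// initContainers), so in that case the whole array is created instead.
func appendOp(path string, existingLen int, value interface{}) patchOp {
	if existingLen == 0 {
		return patchOp{Op: "add", Path: path, Value: []interface{}{value}}
	}
	return patchOp{Op: "add", Path: path + "/-", Value: value}
}

// setAnnotationOp records a key on /metadata/annotations. The same absent-
// parent pitfall applies: with no annotations map on the pod, the map itself
// has to be added, and the key needs escaping because it contains "/".
func setAnnotationOp(existing map[string]string, key, value string) patchOp {
	if existing == nil {
		return patchOp{Op: "add", Path: "/metadata/annotations", Value: map[string]string{key: value}}
	}
	return patchOp{Op: "add", Path: "/metadata/annotations/" + escapeJSONPointer(key), Value: value}
}

// buildPatch assembles the operations for one injection: the init sidecar plus
// the status annotation that stops the pod from being mutated twice.
func buildPatch(existingAnnotations map[string]string, existingInitContainers int, initSidecar interface{}) ([]byte, error) {
	ops := []patchOp{
		appendOp("/spec/initContainers", existingInitContainers, initSidecar),
		setAnnotationOp(existingAnnotations, annotationAgentStatus, "injected"),
	}
	return json.Marshal(ops)
}

func main() {
	// Constructed sidecar; the real one comes from ContainerInitSidecar.
	sidecar := map[string]string{"name": "kubers-agent-init", "image": "jacops/kubers-agent"}
	patch, err := buildPatch(nil, 0, sidecar)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(patch))
}
```

The nil checks are the part to keep in mind when reading Patch: a pod submitted without any annotations or init containers is common, and a patch that assumes the parent exists is rejected by the API server, which with a failurePolicy of Fail blocks the pod entirely.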
func (*AgentInjector) Validate ¶
func (a *AgentInjector) Validate() error
Validate checks the instance of Agent to ensure we have everything needed for basic functionality.
type AgentInjectorConfig ¶
type AgentInjectorConfig struct {
    Image                  string
    AgentProviderName      string
    AgentProviderAWSRegion string
    LogLevel               string
    LogFormat              string
}
AgentInjectorConfig ...
type Handler ¶
type Handler struct {
    // RequireAnnotation means that the annotation must be given to inject.
    // If this is false, injection is default.
    RequireAnnotation bool
    Clientset         *kubernetes.Clientset
    Log               hclog.Logger
    InjectorConfig    *AgentInjectorConfig
}
Handler is the HTTP handler for admission webhooks.
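RequireAnnotation, the agent-inject annotation (parsed with strconv.ParseBool, as the constant's comment says) and the "injected" status together decide whether a pod is mutated. The Go code below is an added example of that decision, not the package's ShouldInject: it returns an error for a value ParseBool cannot read, so that a misspelt annotation surfaces in the admission response rather than being treated as "false".

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation keys as declared in the package constants above.
const (
	annotationAgentInject = "kubers.jacops.pl/agent-inject"
	annotationAgentStatus = "kubers.jacops.pl/agent-inject-status"
	statusInjected        = "injected"
)

// shouldInject decides whether a pod gets the agent containers, combining the
// Handler's RequireAnnotation policy with the pod's own annotations.
func shouldInject(annotations map[string]string, requireAnnotation bool) (bool, error) {
	// A pod already marked "injected" is never mutated again; clearing the
	// status annotation is how a user asks for a fresh mutation.
	if annotations[annotationAgentStatus] == statusInjected {
		return false, nil
	}
	raw, ok := annotations[annotationAgentInject]
	if !ok {
		// No explicit opt-in or opt-out: the handler's default decides.
		return !requireAnnotation, nil
	}
	inject, err := strconv.ParseBool(raw)
	if err != nil {
		// A value ParseBool cannot read is an error rather than "false", so a
		// typo such as "ture" is reported instead of silently skipping injection.
		return false, fmt.Errorf("annotation %s=%q: %w", annotationAgentInject, raw, err)
	}
	return inject, nil
}

func main() {
	// Constructed cases covering each branch of the decision.
	cases := []struct {
		annotations map[string]string
		require     bool
	}{
		{map[string]string{"kubers.jacops.pl/agent-inject": "true"}, true},
		{map[string]string{}, true},
		{map[string]string{}, false},
		{map[string]string{
			"kubers.jacops.pl/agent-inject":        "true",
			"kubers.jacops.pl/agent-inject-status": "injected",
		}, true},
		{map[string]string{"kubers.jacops.pl/agent-inject": "ture"}, true},
	}
	for _, c := range cases {
		ok, err := shouldInject(c.annotations, c.require)
		fmt.Printf("require=%-5v annotations=%v -> inject=%v err=%v\n", c.require, c.annotations, ok, err)
	}
}
```

Returning the error lets the Handler turn it into a rejected admission response; whether that blocks the pod or lets it through unmodified depends on the webhook configuration's failure policy, which is worth checking when RequireAnnotation is false and injection is the default.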
func (*Handler) Handle ¶
func (h *Handler) Handle(w http.ResponseWriter, r *http.Request)
Handle is the http.HandlerFunc implementation that actually handles the webhook request for admission control. This should be registered or served via an HTTP server.
func (*Handler) Mutate ¶
func (h *Handler) Mutate(req *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse
Mutate takes an admission request and performs mutation if necessary, returning the final API response.