resources

package
v2.14.12+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 22, 2021 License: Apache-2.0 Imports: 39 Imported by: 815

Documentation

Index

Constants

View Source
const (
	RancherStatefulSetName              = "rancher-server"
	RancherServerServiceAccountName     = "rancher-server-sa"
	RancherServerClusterRoleBindingName = "rancher-server-crb"
	RancherServerClusterRoleName        = "rancher-server-rb"
	RancherServerServiceName            = "rancher-server-svc"
	RancherServerIngressName            = "rancher-server-ingress"
)
View Source
const (
	// ApiserverDeploymentName is the name of the apiserver deployment
	ApiserverDeploymentName = "apiserver"
	//ControllerManagerDeploymentName is the name for the controller manager deployment
	ControllerManagerDeploymentName = "controller-manager"
	//SchedulerDeploymentName is the name for the scheduler deployment
	SchedulerDeploymentName = "scheduler"
	//MachineControllerDeploymentName is the name for the machine-controller deployment
	MachineControllerDeploymentName = "machine-controller"
	// MachineControllerWebhookDeploymentName is the name for the machine-controller webhook deployment
	MachineControllerWebhookDeploymentName = "machine-controller-webhook"
	//MetricsServerDeploymentName is the name for the metrics-server deployment
	MetricsServerDeploymentName = "metrics-server"
	//OpenVPNServerDeploymentName is the name for the openvpn server deployment
	OpenVPNServerDeploymentName = "openvpn-server"
	//DNSResolverDeploymentName is the name of the dns resolver deployment
	DNSResolverDeploymentName = "dns-resolver"
	//DNSResolverConfigMapName is the name of the dns resolvers configmap
	DNSResolverConfigMapName = "dns-resolver"
	//DNSResolverServiceName is the name of the dns resolvers service
	DNSResolverServiceName = "dns-resolver"
	//DNSResolverPodDisruptionBudetName is the name of the dns resolvers pdb
	DNSResolverPodDisruptionBudetName = "dns-resolver"
	//DNSResolverVPAName is the name of the dns resolvers VerticalPodAutoscaler
	KubeStateMetricsDeploymentName = "kube-state-metrics"
	// UserClusterControllerDeploymentName is the name of the usercluster-controller deployment
	UserClusterControllerDeploymentName = "usercluster-controller"
	// ClusterAutoscalerDeploymentName is the name of the cluster-autoscaler deployment
	ClusterAutoscalerDeploymentName = "cluster-autoscaler"
	// KubernetesDashboardDeploymentName is the name of the Kubernetes Dashboard deployment
	KubernetesDashboardDeploymentName = "kubernetes-dashboard"
	// MetricsScraperDeploymentName is the name of dashboard-metrics-scraper deployment
	MetricsScraperDeploymentName = "dashboard-metrics-scraper"
	// MetricsScraperServiceName is the name of dashboard-metrics-scraper service
	MetricsScraperServiceName = "dashboard-metrics-scraper"

	//PrometheusStatefulSetName is the name for the prometheus StatefulSet
	PrometheusStatefulSetName = "prometheus"
	//EtcdStatefulSetName is the name for the etcd StatefulSet
	EtcdStatefulSetName = "etcd"

	//ApiserverExternalServiceName is the name for the external apiserver service
	ApiserverExternalServiceName = "apiserver-external"
	//ApiserverInternalServiceName is the name for the internal apiserver service
	ApiserverInternalServiceName = "apiserver"
	// FrontLoadBalancerServiceName is the name of the LoadBalancer service that fronts everything
	// when using exposeStrategy "LoadBalancer"
	FrontLoadBalancerServiceName = "front-loadbalancer"
	// MetricsServerServiceName is the name for the metrics-server service
	MetricsServerServiceName = "metrics-server"
	// MetricsServerExternalNameServiceName is the name for the metrics-server service inside the user cluster
	MetricsServerExternalNameServiceName = "metrics-server"
	//EtcdServiceName is the name for the etcd service
	EtcdServiceName = "etcd"
	//EtcdDefragCronJobName is the name for the defrag cronjob deployment
	EtcdDefragCronJobName = "etcd-defragger"
	//OpenVPNServerServiceName is the name for the openvpn server service
	OpenVPNServerServiceName = "openvpn-server"
	//MachineControllerWebhookServiceName is the name of the machine-controller webhook service
	MachineControllerWebhookServiceName = "machine-controller-webhook"

	// MetricsServerAPIServiceName is the name for the metrics-server APIService
	MetricsServerAPIServiceName = "v1beta1.metrics.k8s.io"

	//AdminKubeconfigSecretName is the name for the secret containing the private ca key
	AdminKubeconfigSecretName = "admin-kubeconfig"
	//ViewerKubeconfigSecretName is the name for the secret containing the viewer kubeconfig
	ViewerKubeconfigSecretName = "viewer-kubeconfig"
	//SchedulerKubeconfigSecretName is the name for the secret containing the kubeconfig used by the scheduler
	SchedulerKubeconfigSecretName = "scheduler-kubeconfig"
	//KubeletDnatControllerKubeconfigSecretName is the name for the secret containing the kubeconfig used by the kubeletdnatcontroller
	KubeletDnatControllerKubeconfigSecretName = "kubeletdnatcontroller-kubeconfig"
	//KubeStateMetricsKubeconfigSecretName is the name for the secret containing the kubeconfig used by kube-state-metrics
	KubeStateMetricsKubeconfigSecretName = "kube-state-metrics-kubeconfig"
	//MetricsServerKubeconfigSecretName is the name for the secret containing the kubeconfig used by the metrics-server
	MetricsServerKubeconfigSecretName = "metrics-server"
	//ControllerManagerKubeconfigSecretName is the name of the secret containing the kubeconfig used by controller manager
	ControllerManagerKubeconfigSecretName = "controllermanager-kubeconfig"
	//MachineControllerKubeconfigSecretName is the name for the secret containing the kubeconfig used by the machinecontroller
	MachineControllerKubeconfigSecretName = "machinecontroller-kubeconfig"
	//CloudControllerManagerKubeconfigSecretName is the name for the secret containing the kubeconfig used by the external cloud provider
	CloudControllerManagerKubeconfigSecretName = "cloud-controller-manager-kubeconfig"
	//MachineControllerWebhookServingCertSecretName is the name for the secret containing the serving cert for the
	//machine-controller webhook
	MachineControllerWebhookServingCertSecretName = "machinecontroller-webhook-serving-cert"
	//MachineControllerWebhookServingCertCertKeyName is the name for the key that contains the cert
	MachineControllerWebhookServingCertCertKeyName = "cert.pem"
	//MachineControllerWebhookServingCertKeyKeyName is the name for the key that contains the key
	MachineControllerWebhookServingCertKeyKeyName = "key.pem"
	//PrometheusApiserverClientCertificateSecretName is the name for the secret containing the client certificate used by prometheus to access the apiserver
	PrometheusApiserverClientCertificateSecretName = "prometheus-apiserver-certificate"
	// ClusterAutoscalerKubeconfigSecretName is the name of the kubeconfig secret used for
	// the cluster-autoscaler
	ClusterAutoscalerKubeconfigSecretName = "cluster-autoscaler-kubeconfig"
	// KubernetesDashboardKubeconfigSecretName is the name of the kubeconfig secret user for Kubernetes Dashboard
	KubernetesDashboardKubeconfigSecretName = "kubernetes-dashboard-kubeconfig"

	// ImagePullSecretName specifies the name of the dockercfg secret used to access the private repo.
	ImagePullSecretName = "dockercfg"

	//FrontProxyCASecretName is the name for the secret containing the front proxy ca
	FrontProxyCASecretName = "front-proxy-ca"
	//CASecretName is the name for the secret containing the root ca
	CASecretName = "ca"
	//ApiserverTLSSecretName is the name for the secrets required for the apiserver tls
	ApiserverTLSSecretName = "apiserver-tls"
	//KubeletClientCertificatesSecretName is the name for the secret containing the kubelet client certificates
	KubeletClientCertificatesSecretName = "kubelet-client-certificates"
	//ServiceAccountKeySecretName is the name for the secret containing the service account key
	ServiceAccountKeySecretName = "service-account-key"
	//TokensSecretName is the name for the secret containing the user tokens
	TokensSecretName = "tokens"
	//ViewerTokenSecretName is the name for the secret containing the viewer token
	ViewerTokenSecretName = "viewer-token"
	// OpenVPNCASecretName is the name of the secret that contains the OpenVPN CA
	OpenVPNCASecretName = "openvpn-ca"
	//OpenVPNServerCertificatesSecretName is the name for the secret containing the openvpn server certificates
	OpenVPNServerCertificatesSecretName = "openvpn-server-certificates"
	//OpenVPNClientCertificatesSecretName is the name for the secret containing the openvpn client certificates
	OpenVPNClientCertificatesSecretName = "openvpn-client-certificates"
	//CloudConfigSecretName is the name for the secret containing the cloud-config inside the user cluster.
	CloudConfigSecretName = "cloud-config"
	//EtcdTLSCertificateSecretName is the name for the secret containing the etcd tls certificate used for transport security
	EtcdTLSCertificateSecretName = "etcd-tls-certificate"
	//ApiserverEtcdClientCertificateSecretName is the name for the secret containing the client certificate used by the apiserver for authenticating against etcd
	ApiserverEtcdClientCertificateSecretName = "apiserver-etcd-client-certificate"
	//ApiserverFrontProxyClientCertificateSecretName is the name for the secret containing the apiserver's client certificate for proxy auth
	ApiserverFrontProxyClientCertificateSecretName = "apiserver-proxy-client-certificate"
	// DexCASecretName is the name of the secret that contains the Dex CA bundle
	DexCASecretName = "dex-ca"
	// DexCAFileName is the name of Dex CA bundle file
	DexCAFileName = "caBundle.pem"
	// GoogleServiceAccountSecretName is the name of the secret that contains the Google Service Acccount.
	GoogleServiceAccountSecretName = "google-service-account"
	// GoogleServiceAccountVolumeName is the name of the volume containing the Google Service Account secret.
	GoogleServiceAccountVolumeName = "google-service-account-volume"
	// AuditLogVolumeName is the name of the volume that hold the audit log of the apiserver.
	AuditLogVolumeName = "audit-log"
	// KubernetesDashboardKeyHolderSecretName is the name of the secret that contains JWE token encryption key
	// used by the Kubernetes Dashboard
	KubernetesDashboardKeyHolderSecretName = "kubernetes-dashboard-key-holder"
	// KubernetesDashboardCsrfTokenSecretName is the name of the secret that contains CSRF token used by
	// the Kubernetes Dashboard
	KubernetesDashboardCsrfTokenSecretName = "kubernetes-dashboard-csrf"

	// CloudConfigConfigMapName is the name for the configmap containing the cloud-config
	CloudConfigConfigMapName = "cloud-config"
	// CloudConfigConfigMapKey is the key under which the cloud-config in the cloud-config configmap can be found
	CloudConfigConfigMapKey = "config"
	//OpenVPNClientConfigsConfigMapName is the name for the ConfigMap containing the OpenVPN client config used within the user cluster
	OpenVPNClientConfigsConfigMapName = "openvpn-client-configs"
	//OpenVPNClientConfigConfigMapName is the name for the ConfigMap containing the OpenVPN client config used by the client inside the user cluster
	OpenVPNClientConfigConfigMapName = "openvpn-client-config"
	//ClusterInfoConfigMapName is the name for the ConfigMap containing the cluster-info used by the bootstrap token machanism
	ClusterInfoConfigMapName = "cluster-info"
	//PrometheusConfigConfigMapName is the name for the configmap containing the prometheus config
	PrometheusConfigConfigMapName = "prometheus"
	//AuditConfigMapName is the name for the configmap that contains the content of the file that will be passed to the apiserver with the flag "--audit-policy-file".
	AuditConfigMapName = "audit-config"
	//AdmissionControlConfigMapName is the name for the configmap that contains the Admission Controller config file
	AdmissionControlConfigMapName = "adm-control"

	//PrometheusServiceAccountName is the name for the Prometheus serviceaccount
	PrometheusServiceAccountName = "prometheus"

	//PrometheusRoleName is the name for the Prometheus role
	PrometheusRoleName = "prometheus"

	//PrometheusRoleBindingName is the name for the Prometheus rolebinding
	PrometheusRoleBindingName = "prometheus"

	//CloudControllerManagerRoleBindingName is the name for the cloud controller manager rolebinding.
	CloudControllerManagerRoleBindingName = "cloud-controller-manager"

	//MachineControllerCertUsername is the name of the user coming from kubeconfig cert
	MachineControllerCertUsername = "machine-controller"
	//KubeStateMetricsCertUsername is the name of the user coming from kubeconfig cert
	KubeStateMetricsCertUsername = "kube-state-metrics"
	//MetricsServerCertUsername is the name of the user coming from kubeconfig cert
	MetricsServerCertUsername = "metrics-server"
	//ControllerManagerCertUsername is the name of the user coming from kubeconfig cert
	ControllerManagerCertUsername = "system:kube-controller-manager"
	//CloudControllerManagerCertUsername is the name of the user coming from kubeconfig cert
	CloudControllerManagerCertUsername = "system:cloud-controller-manager"
	//SchedulerCertUsername is the name of the user coming from kubeconfig cert
	SchedulerCertUsername = "system:kube-scheduler"
	//KubeletDnatControllerCertUsername is the name of the user coming from kubeconfig cert
	KubeletDnatControllerCertUsername = "kubermatic:kubeletdnat-controller"
	// PrometheusCertUsername is the name of the user coming from kubeconfig cert
	PrometheusCertUsername = "prometheus"
	// ClusterAutoscalerCertUsername is the name of the user coming from the CA kubeconfig cert
	ClusterAutoscalerCertUsername = "kubermatic:cluster-autoscaler"
	// KubernetesDashboardCertUsername is the name of the user coming from kubeconfig cert
	KubernetesDashboardCertUsername = "kubermatic:kubernetes-dashboard"
	// MetricsScraperServiceAccountUsername is the name of the user coming from kubeconfig cert
	MetricsScraperServiceAccountUsername = "dashboard-metrics-scraper"

	// KubeletDnatControllerClusterRoleName is the name for the KubeletDnatController cluster role
	KubeletDnatControllerClusterRoleName = "system:kubermatic-kubeletdnat-controller"
	// KubeletDnatControllerClusterRoleBindingName is the name for the KubeletDnatController clusterrolebinding
	KubeletDnatControllerClusterRoleBindingName = "system:kubermatic-kubeletdnat-controller"

	//ClusterInfoReaderRoleName is the name for the role which allows reading the cluster-info ConfigMap
	ClusterInfoReaderRoleName = "cluster-info"
	//MachineControllerRoleName is the name for the MachineController roles
	MachineControllerRoleName = "machine-controller"
	//MachineControllerRoleBindingName is the name for the MachineController rolebinding
	MachineControllerRoleBindingName = "machine-controller"
	//ClusterInfoAnonymousRoleBindingName is the name for the RoleBinding giving access to the cluster-info ConfigMap to anonymous users
	ClusterInfoAnonymousRoleBindingName = "cluster-info"
	//MetricsServerAuthReaderRoleName is the name for the metrics server role
	MetricsServerAuthReaderRoleName = "metrics-server-auth-reader"
	//MachineControllerClusterRoleName is the name for the MachineController cluster role
	MachineControllerClusterRoleName = "system:kubermatic-machine-controller"
	//KubeStateMetricsClusterRoleName is the name for the KubeStateMetrics cluster role
	KubeStateMetricsClusterRoleName = "system:kubermatic-kube-state-metrics"
	//MetricsServerClusterRoleName is the name for the metrics server cluster role
	MetricsServerClusterRoleName = "system:metrics-server"
	//PrometheusClusterRoleName is the name for the Prometheus cluster role
	PrometheusClusterRoleName = "external-prometheus"
	//MachineControllerClusterRoleBindingName is the name for the MachineController ClusterRoleBinding
	MachineControllerClusterRoleBindingName = "system:kubermatic-machine-controller"
	//KubeStateMetricsClusterRoleBindingName is the name for the KubeStateMetrics ClusterRoleBinding
	KubeStateMetricsClusterRoleBindingName = "system:kubermatic-kube-state-metrics"
	//PrometheusClusterRoleBindingName is the name for the Prometheus ClusterRoleBinding
	PrometheusClusterRoleBindingName = "system:external-prometheus"
	//MetricsServerResourceReaderClusterRoleBindingName is the name for the metrics server ClusterRoleBinding
	MetricsServerResourceReaderClusterRoleBindingName = "system:metrics-server"
	// ClusterAutoscalerClusterRoleName is the name of the clusterrole for the cluster autoscaler
	ClusterAutoscalerClusterRoleName = "system:kubermatic-cluster-autoscaler"
	// ClusterAutoscalerClusterRoleBindingName is the name of the clusterrolebinding for the CA
	ClusterAutoscalerClusterRoleBindingName = "system:kubermatic-cluster-autoscaler"
	// KubernetesDashboardRoleName is the name of the role for the Kubernetes Dashboard
	KubernetesDashboardRoleName = "system:kubernetes-dashboard"
	// KubernetesDashboardRoleBindingName is the name of the role binding for the Kubernetes Dashboard
	KubernetesDashboardRoleBindingName = "system:kubernetes-dashboard"
	// MetricsScraperClusterRoleName is the name of the role for the dashboard-metrics-scraper
	MetricsScraperClusterRoleName = "system:dashboard-metrics-scraper"
	// MetricsScraperClusterRoleBindingName is the name of the role binding for the dashboard-metrics-scraper
	MetricsScraperClusterRoleBindingName = "system:dashboard-metrics-scraper"

	// EtcdPodDisruptionBudgetName is the name of the PDB for the etcd StatefulSet
	EtcdPodDisruptionBudgetName = "etcd"
	// ApiserverPodDisruptionBudgetName is the name of the PDB for the apiserver deployment
	ApiserverPodDisruptionBudgetName = "apiserver"
	// MetricsServerPodDisruptionBudgetName is the name of the PDB for the metrics-server deployment
	MetricsServerPodDisruptionBudgetName = "metrics-server"

	// KubermaticNamespace is the main kubermatic namespace
	KubermaticNamespace = "kubermatic"

	// DefaultOwnerReadOnlyMode represents file mode with read permission for owner only
	DefaultOwnerReadOnlyMode = 0400

	// DefaultAllReadOnlyMode represents file mode with read permissions for all
	DefaultAllReadOnlyMode = 0444

	// AppLabelKey defines the label key app which should be used within resources
	AppLabelKey = "app"
	// ClusterLabelKey defines the label key for the cluster name
	ClusterLabelKey = "cluster"

	// EtcdClusterSize defines the size of the etcd to use
	EtcdClusterSize = 3

	// RegistryK8SGCR defines the kubernetes specific docker registry at google
	RegistryK8SGCR = "k8s.gcr.io"
	// RegistryGCR defines the kubernetes docker registry at google
	RegistryGCR = "gcr.io"
	// RegistryDocker defines the default docker.io registry
	RegistryDocker = "docker.io"
	// RegistryQuay defines the image registry from coreos/redhat - quay
	RegistryQuay = "quay.io"

	// TopologyKeyHostname defines the topology key for the node hostname
	TopologyKeyHostname = "kubernetes.io/hostname"
	// TopologyKeyFailureDomainZone defines the topology key for the node's cloud provider zone
	TopologyKeyFailureDomainZone = "failure-domain.beta.kubernetes.io/zone"

	// MachineCRDName defines the CRD name for machine objects
	MachineCRDName = "machines.cluster.k8s.io"
	// MachineSetCRDName defines the CRD name for machineset objects
	MachineSetCRDName = "machinesets.cluster.k8s.io"
	// MachineDeploymentCRDName defines the CRD name for machinedeployment objects
	MachineDeploymentCRDName = "machinedeployments.cluster.k8s.io"
	// ClusterCRDName defines the CRD name for cluster objects
	ClusterCRDName = "clusters.cluster.k8s.io"

	// MachineControllerMutatingWebhookConfigurationName is the name of the machine-controllers mutating webhook
	// configuration
	MachineControllerMutatingWebhookConfigurationName = "machine-controller.kubermatic.io"

	// InternalUserClusterAdminKubeconfigSecretName is the name of the secret containing an admin kubeconfig that can only be used from
	// within the seed cluster
	InternalUserClusterAdminKubeconfigSecretName = "internal-admin-kubeconfig"
	// InternalUserClusterAdminKubeconfigCertUsername is the name of the user coming from kubeconfig cert
	InternalUserClusterAdminKubeconfigCertUsername = "kubermatic-controllers"

	// IPVSProxyMode defines the ipvs kube-proxy mode.
	IPVSProxyMode = "ipvs"
	// IPTablesProxyMode defines the iptables kube-proxy mode.
	IPTablesProxyMode = "iptables"

	// PodNodeSelectorAdmissionPlugin defines PodNodeSelector admission plugin
	PodNodeSelectorAdmissionPlugin = "PodNodeSelector"
)
View Source
const (
	// CAKeySecretKey ca.key
	CAKeySecretKey = "ca.key"
	// CACertSecretKey ca.crt
	CACertSecretKey = "ca.crt"
	// ApiserverTLSKeySecretKey apiserver-tls.key
	ApiserverTLSKeySecretKey = "apiserver-tls.key"
	// ApiserverTLSCertSecretKey apiserver-tls.crt
	ApiserverTLSCertSecretKey = "apiserver-tls.crt"
	// KubeletClientKeySecretKey kubelet-client.key
	KubeletClientKeySecretKey = "kubelet-client.key"
	// KubeletClientCertSecretKey kubelet-client.crt
	KubeletClientCertSecretKey = "kubelet-client.crt" // FIXME confusing naming: s/CertSecretKey/CertSecretName/
	// ServiceAccountKeySecretKey sa.key
	ServiceAccountKeySecretKey = "sa.key"
	// ServiceAccountKeyPublicKey is the public key for the service account signer key
	ServiceAccountKeyPublicKey = "sa.pub"
	// KubeconfigSecretKey kubeconfig
	KubeconfigSecretKey = "kubeconfig"
	// TokensSecretKey tokens.csv
	TokensSecretKey = "tokens.csv"
	// ViewersTokenSecretKey viewersToken
	ViewerTokenSecretKey = "viewerToken"
	// OpenVPNCACertKey cert.pem, must match CACertSecretKey, otherwise getClusterCAFromLister doesnt work as it has
	// the key hardcoded
	OpenVPNCACertKey = CACertSecretKey
	// OpenVPNCAKeyKey key.pem, must match CAKeySecretKey, otherwise getClusterCAFromLister doesnt work as it has
	// the key hardcoded
	OpenVPNCAKeyKey = CAKeySecretKey
	// OpenVPNServerKeySecretKey server.key
	OpenVPNServerKeySecretKey = "server.key"
	// OpenVPNServerCertSecretKey server.crt
	OpenVPNServerCertSecretKey = "server.crt"
	// OpenVPNInternalClientKeySecretKey client.key
	OpenVPNInternalClientKeySecretKey = "client.key"
	// OpenVPNInternalClientCertSecretKey client.crt
	OpenVPNInternalClientCertSecretKey = "client.crt"
	// EtcdTLSCertSecretKey etcd-tls.crt
	EtcdTLSCertSecretKey = "etcd-tls.crt"
	// EtcdTLSKeySecretKey etcd-tls.key
	EtcdTLSKeySecretKey = "etcd-tls.key"

	// KubeconfigDefaultContextKey is the context key used for all kubeconfigs
	KubeconfigDefaultContextKey = "default"

	// ApiserverEtcdClientCertificateCertSecretKey apiserver-etcd-client.crt
	ApiserverEtcdClientCertificateCertSecretKey = "apiserver-etcd-client.crt"
	// ApiserverEtcdClientCertificateKeySecretKey apiserver-etcd-client.key
	ApiserverEtcdClientCertificateKeySecretKey = "apiserver-etcd-client.key"

	// ApiserverProxyClientCertificateCertSecretKey apiserver-proxy-client.crt
	ApiserverProxyClientCertificateCertSecretKey = "apiserver-proxy-client.crt"
	// ApiserverProxyClientCertificateKeySecretKey apiserver-proxy-client.key
	ApiserverProxyClientCertificateKeySecretKey = "apiserver-proxy-client.key"

	// BackupEtcdClientCertificateCertSecretKey backup-etcd-client.crt
	BackupEtcdClientCertificateCertSecretKey = "backup-etcd-client.crt"
	// BackupEtcdClientCertificateKeySecretKey backup-etcd-client.key
	BackupEtcdClientCertificateKeySecretKey = "backup-etcd-client.key"

	// PrometheusClientCertificateCertSecretKey prometheus-client.crt
	PrometheusClientCertificateCertSecretKey = "prometheus-client.crt"
	// PrometheusClientCertificateKeySecretKey prometheus-client.key
	PrometheusClientCertificateKeySecretKey = "prometheus-client.key"

	// ServingCertSecretKey is the secret key for a generic serving cert
	ServingCertSecretKey = "serving.crt"
	// ServingCertKeySecretKey is the secret key for the key of a generic serving cert
	ServingCertKeySecretKey = "serving.key"

	// CloudConfigSecretKey is the secret key for cloud-config
	CloudConfigSecretKey = "config"
)
View Source
const (
	AWSAccessKeyID     = "accessKeyId"
	AWSSecretAccessKey = "secretAccessKey"

	AzureTenantID       = "tenantID"
	AzureSubscriptionID = "subscriptionID"
	AzureClientID       = "clientID"
	AzureClientSecret   = "clientSecret"

	DigitaloceanToken = "token"

	GCPServiceAccount = "serviceAccount"

	HetznerToken = "token"

	OpenstackUsername = "username"
	OpenstackPassword = "password"
	OpenstackTenant   = "tenant"
	OpenstackTenantID = "tenantID"
	OpenstackDomain   = "domain"

	PacketAPIKey    = "apiKey"
	PacketProjectID = "projectID"

	KubevirtKubeConfig = "kubeConfig"

	VsphereUsername                    = "username"
	VspherePassword                    = "password"
	VsphereInfraManagementUserUsername = "infraManagementUserUsername"
	VsphereInfraManagementUserPassword = "infraManagementUserPassword"

	AlibabaAccessKeyID     = "accessKeyId"
	AlibabaAccessKeySecret = "accessKeySecret"

	UserSSHKeys = "usersshkeys"
)
View Source
const (
	CoreDNSClusterRoleName         = "system:coredns"
	CoreDNSClusterRoleBindingName  = "system:coredns"
	CoreDNSServiceAccountName      = "coredns"
	CoreDNSServiceName             = "kube-dns"
	CoreDNSConfigMapName           = "coredns"
	CoreDNSDeploymentName          = "coredns"
	CoreDNSPodDisruptionBudgetName = "coredns"
)
View Source
const (
	NodeLocalDNSServiceAccountName = "node-local-dns"
	NodeLocalDNSConfigMapName      = "node-local-dns"
	NodeLocalDNSDaemonSetName      = "node-local-dns"
)
View Source
const (
	// DefaultKubermaticImage defines the default Docker repository containing the Kubermatic API image.
	DefaultKubermaticImage = "quay.io/kubermatic/kubermatic"

	// DefaultDNATControllerImage defines the default Docker repository containing the DNAT controller image.
	DefaultDNATControllerImage = "quay.io/kubermatic/kubeletdnat-controller"

	// DefaultDashboardAddonImage defines the default Docker repository containing the dashboard image.
	DefaultDashboardImage = "quay.io/kubermatic/dashboard"

	// DefaultKubernetesAddonImage defines the default Docker repository containing the Kubernetes addons.
	DefaultKubernetesAddonImage = "quay.io/kubermatic/addons"

	// DefaultOpenshiftAddonImage defines the default Docker repository containing the Openshift addons.
	DefaultOpenshiftAddonImage = "quay.io/kubermatic/openshift-addons"
)
View Source
const (
	TokenBlacklist = "token-blacklist"
)

Variables

View Source
var KUBERMATICCOMMIT string

KUBERMATICCOMMIT is a magic variable containing the git commit hash of the current (as in currently executing) kubermatic api. It gets fed by Makefile as an ldflag.

View Source
var KUBERMATICGITTAG = "manual_build"

KUBERMATICGITTAG is a magic variable containing the output of `git describe` for the current (as in currently executing) kubermatic api. It gets fed by Makefile as an ldflag.

Functions

func AdminKubeconfigCreator

func AdminKubeconfigCreator(data adminKubeconfigCreatorData) reconciling.NamedSecretCreatorGetter

AdminKubeconfigCreator returns a function to create/update the secret with the admin kubeconfig

func AppClusterLabels

func AppClusterLabels(appName, clusterName string, additionalLabels map[string]string) map[string]string

AppClusterLabels returns the base app label + the cluster label. Additional labels can be included as well

func BaseAppLabels

func BaseAppLabels(name string, additionalLabels map[string]string) map[string]string

BaseAppLabels returns the minimum required labels

func Bool

func Bool(v bool) *bool

Bool returns a pointer to the bool value passed in.

func BuildNewKubeconfigAsByte

func BuildNewKubeconfigAsByte(ca *triple.KeyPair, server, commonName string, organizations []string, clusterName string) ([]byte, error)

func CertWillExpireSoon

func CertWillExpireSoon(cert *x509.Certificate) bool

CertWillExpireSoon returns if the certificate will expire in the next 30 days

func ClusterIPForService

func ClusterIPForService(name, namespace string, serviceLister corev1lister.ServiceLister) (*net.IP, error)

ClusterIPForService returns the cluster ip for the given service

func ClusterRoleBindingAuthDelegatorCreator

func ClusterRoleBindingAuthDelegatorCreator(username string) reconciling.NamedClusterRoleBindingCreatorGetter

ClusterRoleBindingAuthDelegatorCreator returns a function to create the ClusterRoleBinding which is needed for extension apiserver which do auth delegation

func ConfigMapRevision

func ConfigMapRevision(ctx context.Context, key types.NamespacedName, client ctrlruntimeclient.Client) (string, error)

ConfigMapRevision returns the resource version of the ConfigMap specified by name.

func FailureDomainZoneAntiAffinity

func FailureDomainZoneAntiAffinity(app, clusterName string) corev1.WeightedPodAffinityTerm

FailureDomainZoneAntiAffinity ensures that same-kind pods are spread across different availability zones.

func GetAbsoluteServiceDNSName

func GetAbsoluteServiceDNSName(service, namespace string) string

GetAbsoluteServiceDNSName returns the absolute DNS name for the given service and the given cluster. Absolute means a trailing dot will be appended to the DNS name

func GetBaseKubeconfig

func GetBaseKubeconfig(caCert *x509.Certificate, server, clusterName string) *clientcmdapi.Config

func GetClusterExternalIP

func GetClusterExternalIP(cluster *kubermaticv1.Cluster) (*net.IP, error)

GetClusterExternalIP returns a net.IP for the given Cluster

func GetClusterFrontProxyCA

func GetClusterFrontProxyCA(ctx context.Context, namespace string, client ctrlruntimeclient.Client) (*triple.KeyPair, error)

GetClusterFrontProxyCA returns the frontproxy CA of the cluster from the lister

func GetClusterRef

func GetClusterRef(cluster *kubermaticv1.Cluster) metav1.OwnerReference

GetClusterRef returns a metav1.OwnerReference for the given Cluster

func GetClusterRootCA

func GetClusterRootCA(ctx context.Context, namespace string, client ctrlruntimeclient.Client) (*triple.KeyPair, error)

GetClusterRootCA returns the root CA of the cluster from the lister

func GetDexCAFromFile

func GetDexCAFromFile(caBundleFilePath string) ([]*x509.Certificate, error)

GetDexCAFromFile returns the Dex CA from the lister

func GetHTTPProxyEnvVarsFromSeed

func GetHTTPProxyEnvVarsFromSeed(seed *kubermaticv1.Seed, inClusterAPIServerURL string) []corev1.EnvVar

func GetInternalKubeconfigCreator

func GetInternalKubeconfigCreator(name, commonName string, organizations []string, data internalKubeconfigCreatorData) reconciling.NamedSecretCreatorGetter

GetInternalKubeconfigCreator is a generic function to return a secret generator to create a kubeconfig which must only be used within the seed-cluster as it uses the ClusterIP of the apiserver.

func GetKubernetesCloudProviderName

func GetKubernetesCloudProviderName(cluster *kubermaticv1.Cluster) string

func GetOverrides

func GetOverrides(componentSettings kubermaticv1.ComponentSettings) map[string]*corev1.ResourceRequirements

func GetPodTemplateLabels

func GetPodTemplateLabels(
	ctx context.Context,
	client ctrlruntimeclient.Client,
	appName, clusterName, namespace string,
	volumes []corev1.Volume,
	additionalLabels map[string]string,
) (map[string]string, error)

GetPodTemplateLabels is a specialized version of VolumeRevisionLabels that adds additional typical labels like app and cluster names.

func GetVerticalPodAutoscalersForAll

func GetVerticalPodAutoscalersForAll(ctx context.Context, client ctrlruntimeclient.Client, deploymentNames, statefulSetNames []string, namespace string, enabled bool) ([]reconciling.NamedVerticalPodAutoscalerCreatorGetter, error)

GetVerticalPodAutoscalersForAll will return functions to create VPA resource for all supplied Deployments and StatefulSets. All resources must exist in the specified namespace. The VPA resource will have the same selector as the Deployment/StatefulSet. The pod container limits will be set as VPA limits.

func HealthyDeployment

func HealthyDeployment(ctx context.Context, client client.Client, nn types.NamespacedName, minReady int32) (kubermaticv1.HealthStatus, error)

HealthyDeployment tells if the deployment has a minimum of minReady replicas in Ready status

func HealthyStatefulSet

func HealthyStatefulSet(ctx context.Context, client client.Client, nn types.NamespacedName, minReady int32) (kubermaticv1.HealthStatus, error)

HealthyStatefulSe tells if the deployment has a minimum of minReady replicas in Ready status

func HostnameAntiAffinity

func HostnameAntiAffinity(app, clusterName string) *corev1.Affinity

HostnameAntiAffinity returns a simple Affinity rule to prevent* scheduling of same kind pods on the same node. It contains 2 AntiAffinity terms: High priority: We don't schedule multiple pods of this app & cluster on a single node Low priority: We don't schedule multiple pods of this app on a single node - regardless of the cluster. This prevents that we schedule all API server pods on a single node *if scheduling is not possible with this rule, it will be ignored.

func ImagePullSecretCreator

func ImagePullSecretCreator(dockerPullConfigJSON []byte) reconciling.NamedSecretCreatorGetter

ImagePullSecretCreator returns a creator function to create a ImagePullSecret

func InClusterApiserverIP

func InClusterApiserverIP(cluster *kubermaticv1.Cluster) (*net.IP, error)

InClusterApiserverIP returns the first usable IP of the service cidr. Its the in cluster IP for the apiserver

func Int32

func Int32(v int32) *int32

Int32 returns a pointer to the int32 value passed in.

func Int64

func Int64(v int64) *int64

Int64 returns a pointer to the int64 value passed in.

func IsClientCertificateValidForAllOf

func IsClientCertificateValidForAllOf(cert *x509.Certificate, commonName string, organizations []string, ca *x509.Certificate) bool

IsClientCertificateValidForAllOf validates if the given data matches exactly the given client certificate (It also returns true if all given data is in the cert, but the cert has more organizations)

func IsServerCertificateValidForAllOf

func IsServerCertificateValidForAllOf(cert *x509.Certificate, commonName string, altNames certutil.AltNames, ca *x509.Certificate) bool

IsServerCertificateValidForAllOf validates if the given data is present in the given server certificate

func IsValidKubeconfig

func IsValidKubeconfig(kubeconfigBytes []byte, caCert *x509.Certificate, server, commonName string, organizations []string, clusterName string) (bool, error)

func RoleBindingAuthenticationReaderCreator

func RoleBindingAuthenticationReaderCreator(username string) reconciling.NamedRoleBindingCreatorGetter

RoleBindingAuthenticationReaderCreator returns a function to create the RoleBinding which is needed for extension apiserver which do auth delegation

func SecretRevision

func SecretRevision(ctx context.Context, key types.NamespacedName, client ctrlruntimeclient.Client) (string, error)

SecretRevision returns the resource version of the Secret specified by name.

func ServiceAccountSecretCreator

func ServiceAccountSecretCreator(data CredentialsData) reconciling.NamedSecretCreatorGetter

ServiceAccountSecretCreator returns a creator function to create a Google Service Account.

func SetResourceRequirements

func SetResourceRequirements(containers []corev1.Container, defaultRequirements, overrides map[string]*corev1.ResourceRequirements, annotations map[string]string) error

SetResourceRequirements sets resource requirements on provided slice of containers. The highest priority has requirements provided using overrides, then requirements provided by the vpa-updater (if VPA is enabled), and at the end provided default requirements for a given resource.

func String

func String(v string) *string

String returns a pointer to the string value passed in.

func SupportsFailureDomainZoneAntiAffinity

func SupportsFailureDomainZoneAntiAffinity(ctx context.Context, client ctrlruntimeclient.Client) (bool, error)

SupportsFailureDomainZoneAntiAffinity checks if there are any nodes with the TopologyKeyFailureDomainZone label.

func UserClusterDNSPolicyAndConfig

func UserClusterDNSPolicyAndConfig(d userClusterDNSPolicyAndConfigData) (corev1.DNSPolicy, *corev1.PodDNSConfig, error)

UserClusterDNSPolicyAndConfig returns a DNSPolicy and DNSConfig to configure Pods to use user cluster DNS

func UserClusterDNSResolverIP

func UserClusterDNSResolverIP(cluster *kubermaticv1.Cluster) (string, error)

UserClusterDNSResolverIP returns the 9th usable IP address from the first Service CIDR block from ClusterNetwork spec. This is by convention the IP address of the DNS resolver. Returns "" on error.

func ViewerKubeconfigCreator

func ViewerKubeconfigCreator(data *TemplateData) reconciling.NamedSecretCreatorGetter

ViewerKubeconfigCreator returns a function to create/update the secret with the viewer kubeconfig

func VolumeRevisionLabels

func VolumeRevisionLabels(
	ctx context.Context,
	client ctrlruntimeclient.Client,
	namespace string,
	volumes []corev1.Volume,
) (map[string]string, error)

VolumeRevisionLabels returns a set of labels for the given volumes, with one label per ConfigMap or Secret, containing the objects' revisions. When used for pod template labels, this will force pods being restarted as soon as one of the secrets/configmaps get updated.

Types

type APIServiceCreator

type APIServiceCreator = func(existing *apiregistrationv1beta1.APIService) (*apiregistrationv1beta1.APIService, error)

APIServiceCreator defines an interface to create/update APIService's

type AWSCredentials

type AWSCredentials struct {
	AccessKeyID     string
	SecretAccessKey string
}

func GetAWSCredentials

func GetAWSCredentials(data CredentialsData) (AWSCredentials, error)

type AlibabaCredentials

type AlibabaCredentials struct {
	AccessKeyID     string
	AccessKeySecret string
}

func GetAlibabaCredentials

func GetAlibabaCredentials(data CredentialsData) (AlibabaCredentials, error)

type AzureCredentials

type AzureCredentials struct {
	TenantID       string
	SubscriptionID string
	ClientID       string
	ClientSecret   string
}

func GetAzureCredentials

func GetAzureCredentials(data CredentialsData) (AzureCredentials, error)

type CRDCreateor

CRDCreateor defines an interface to create/update CustomRessourceDefinitions

type Credentials

func GetCredentials

func GetCredentials(data CredentialsData) (Credentials, error)

type CredentialsData

type CredentialsData interface {
	Cluster() *kubermaticv1.Cluster
	GetGlobalSecretKeySelectorValue(configVar *providerconfig.GlobalSecretKeySelector, key string) (string, error)
}

func NewCredentialsData

func NewCredentialsData(ctx context.Context, cluster *kubermaticv1.Cluster, client ctrlruntimeclient.Client) CredentialsData

type DigitaloceanCredentials

type DigitaloceanCredentials struct {
	Token string
}

func GetDigitaloceanCredentials

func GetDigitaloceanCredentials(data CredentialsData) (DigitaloceanCredentials, error)

type ECDSAKeyPair

type ECDSAKeyPair struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

ECDSAKeyPair is a ECDSA x509 certifcate and private key

func GetOpenVPNCA

func GetOpenVPNCA(ctx context.Context, namespace string, client ctrlruntimeclient.Client) (*ECDSAKeyPair, error)

GetOpenVPNCA returns the OpenVPN CA of the cluster from the lister

type GCPCredentials

type GCPCredentials struct {
	ServiceAccount string
}

func GetGCPCredentials

func GetGCPCredentials(data CredentialsData) (GCPCredentials, error)

type HetznerCredentials

type HetznerCredentials struct {
	Token string
}

func GetHetznerCredentials

func GetHetznerCredentials(data CredentialsData) (HetznerCredentials, error)

type KubevirtCredentials

type KubevirtCredentials struct {
	KubeConfig string
}

func GetKubevirtCredentials

func GetKubevirtCredentials(data CredentialsData) (KubevirtCredentials, error)

type OpenstackCredentials

type OpenstackCredentials struct {
	Username string
	Password string
	Tenant   string
	TenantID string
	Domain   string
}

func GetOpenstackCredentials

func GetOpenstackCredentials(data CredentialsData) (OpenstackCredentials, error)

type PacketCredentials

type PacketCredentials struct {
	APIKey    string
	ProjectID string
}

func GetPacketCredentials

func GetPacketCredentials(data CredentialsData) (PacketCredentials, error)

type Requirements

type Requirements struct {
	Name     string                       `json:"name,omitempty"`
	Requires *corev1.ResourceRequirements `json:"requires,omitempty"`
}

Requirements are how much resources are needed by containers in the pod

type TemplateData

type TemplateData struct {
	OverwriteRegistry string
	// contains filtered or unexported fields
}

TemplateData is a group of data required for template generation

func NewTemplateData

func NewTemplateData(
	ctx context.Context,
	client ctrlruntimeclient.Client,
	cluster *kubermaticv1.Cluster,
	dc *kubermaticv1.Datacenter,
	seed *kubermaticv1.Seed,
	overwriteRegistry string,
	nodePortRange string,
	nodeAccessNetwork string,
	etcdDiskSize resource.Quantity,
	monitoringScrapeAnnotationPrefix string,
	inClusterPrometheusRulesFile string,
	inClusterPrometheusDisableDefaultRules bool,
	inClusterPrometheusDisableDefaultScrapingConfigs bool,
	inClusterPrometheusScrapingConfigsFile string,
	oidcCAFile string,
	oidcURL string,
	oidcIssuerClientID string,
	nodeLocalDNSCacheEnabled bool,
	kubermaticImage string,
	dnatControllerImage string,
	supportsFailureDomainZoneAntiAffinity bool) *TemplateData

NewTemplateData returns an instance of TemplateData

func (*TemplateData) CloudCredentialSecretTemplate

func (d *TemplateData) CloudCredentialSecretTemplate() ([]byte, error)

func (*TemplateData) Cluster

func (d *TemplateData) Cluster() *kubermaticv1.Cluster

Cluster returns the cluster

func (*TemplateData) ClusterIPByServiceName

func (d *TemplateData) ClusterIPByServiceName(name string) (string, error)

ClusterIPByServiceName returns the ClusterIP as string for the Service specified by `name`. Service lookup happens within `Cluster.Status.NamespaceName`. When ClusterIP fails to parse as valid IP address, an error is returned.

func (*TemplateData) ClusterVersion

func (d *TemplateData) ClusterVersion() string

ClusterVersion returns version of the cluster

func (*TemplateData) DC

DC returns the dc

func (*TemplateData) DNATControllerImage

func (d *TemplateData) DNATControllerImage() string

func (*TemplateData) EtcdDiskSize

func (d *TemplateData) EtcdDiskSize() resource.Quantity

EtcdDiskSize returns the etcd disk size

func (*TemplateData) ExternalIP

func (d *TemplateData) ExternalIP() (*net.IP, error)

ExternalIP returns the external facing IP or an error if no IP exists

func (*TemplateData) GetClusterRef

func (d *TemplateData) GetClusterRef() metav1.OwnerReference

GetClusterRef returns a instance of a OwnerReference for the Cluster in the TemplateData

func (*TemplateData) GetDexCA

func (d *TemplateData) GetDexCA() ([]*x509.Certificate, error)

GetDexCA returns the chain of public certificates of the Dex

func (*TemplateData) GetFrontProxyCA

func (d *TemplateData) GetFrontProxyCA() (*triple.KeyPair, error)

GetFrontProxyCA returns the root CA for the front proxy

func (*TemplateData) GetGlobalSecretKeySelectorValue

func (d *TemplateData) GetGlobalSecretKeySelectorValue(configVar *providerconfig.GlobalSecretKeySelector, key string) (string, error)

func (*TemplateData) GetKubernetesCloudProviderName

func (d *TemplateData) GetKubernetesCloudProviderName() string

func (*TemplateData) GetOpenVPNCA

func (d *TemplateData) GetOpenVPNCA() (*ECDSAKeyPair, error)

GetOpenVPNCA returns the root ca for the OpenVPN

func (*TemplateData) GetOpenVPNServerPort

func (d *TemplateData) GetOpenVPNServerPort() (int32, error)

GetApiserverExternalNodePort returns the nodeport of the external apiserver service

func (*TemplateData) GetPodTemplateLabels

func (d *TemplateData) GetPodTemplateLabels(appName string, volumes []corev1.Volume, additionalLabels map[string]string) (map[string]string, error)

GetPodTemplateLabels returns a set of labels for a Pod including the revisions of depending secrets and configmaps. This will force pods being restarted as soon as one of the secrets/configmaps get updated.

func (*TemplateData) GetRootCA

func (d *TemplateData) GetRootCA() (*triple.KeyPair, error)

GetRootCA returns the root CA of the cluster

func (*TemplateData) GetViewerToken

func (d *TemplateData) GetViewerToken() (string, error)

GetViewerToken returns the viewer token

func (*TemplateData) HasEtcdOperatorService

func (d *TemplateData) HasEtcdOperatorService() (bool, error)

GetPodTemplateLabels returns a set of labels for a Pod including the revisions of depending secrets and configmaps. This will force pods being restarted as soon as one of the secrets/configmaps get updated.

func (*TemplateData) ImageRegistry

func (d *TemplateData) ImageRegistry(defaultRegistry string) string

ImageRegistry returns the image registry to use or the passed in default if no override is specified

func (*TemplateData) InClusterPrometheusDisableDefaultRules

func (d *TemplateData) InClusterPrometheusDisableDefaultRules() bool

InClusterPrometheusDisableDefaultRules returns whether to disable default rules

func (*TemplateData) InClusterPrometheusDisableDefaultScrapingConfigs

func (d *TemplateData) InClusterPrometheusDisableDefaultScrapingConfigs() bool

InClusterPrometheusDisableDefaultScrapingConfigs returns whether to disable default scrape configs

func (*TemplateData) InClusterPrometheusRulesFile

func (d *TemplateData) InClusterPrometheusRulesFile() string

InClusterPrometheusRulesFile returns inClusterPrometheusRulesFile

func (*TemplateData) InClusterPrometheusScrapingConfigsFile

func (d *TemplateData) InClusterPrometheusScrapingConfigsFile() string

InClusterPrometheusScrapingConfigsFile returns inClusterPrometheusScrapingConfigsFile

func (*TemplateData) KubermaticAPIImage

func (d *TemplateData) KubermaticAPIImage() string

func (*TemplateData) MonitoringScrapeAnnotationPrefix

func (d *TemplateData) MonitoringScrapeAnnotationPrefix() string

MonitoringScrapeAnnotationPrefix returns the scrape annotation prefix

func (*TemplateData) NodeAccessNetwork

func (d *TemplateData) NodeAccessNetwork() string

NodeAccessNetwork returns the node access network

func (*TemplateData) NodeLocalDNSCacheEnabled

func (d *TemplateData) NodeLocalDNSCacheEnabled() bool

func (*TemplateData) NodePortRange

func (d *TemplateData) NodePortRange() string

NodePortRange returns the node access network

func (*TemplateData) OIDCCAFile

func (d *TemplateData) OIDCCAFile() string

OIDCCAFile return CA file

func (*TemplateData) OIDCIssuerClientID

func (d *TemplateData) OIDCIssuerClientID() string

OIDCIssuerClientID return the issuer client ID

func (*TemplateData) OIDCIssuerURL

func (d *TemplateData) OIDCIssuerURL() string

OIDCIssuerURL returns URL of the OpenID token issuer

func (*TemplateData) ProviderName

func (d *TemplateData) ProviderName() string

ProviderName returns the name of the clusters providerName

func (*TemplateData) Seed

func (d *TemplateData) Seed() *kubermaticv1.Seed

func (*TemplateData) SupportsFailureDomainZoneAntiAffinity

func (d *TemplateData) SupportsFailureDomainZoneAntiAffinity() bool

type VSphereCredentials

type VSphereCredentials struct {
	Username string
	Password string
}

func GetVSphereCredentials

func GetVSphereCredentials(data CredentialsData) (VSphereCredentials, error)

Directories

Path Synopsis
triple
Package triple generates key-certificate pairs for the triple (CA, Server, Client).
Package triple generates key-certificate pairs for the triple (CA, Server, Client).
This file is generated.
This file is generated.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL