Documentation ¶
Index ¶
- Constants
- func GetKMSProvider(kmsSpec *hyperv1.KMSSpec, images KubeAPIServerImages) (kms.IKMSProvider, error)
- func InClusterKASReadyURL(platformType hyperv1.PlatformType) string
- func InClusterKASURL(platformType hyperv1.PlatformType) string
- func ReconcileAESCBCEncryptionConfig(config *corev1.Secret, ownerRef hcpconfig.OwnerRef, activeKey []byte, ...) error
- func ReconcileAuditConfig(auditCfgMap *corev1.ConfigMap, ownerRef config.OwnerRef, ...) error
- func ReconcileAuthConfig(ctx context.Context, c crclient.Client, config *corev1.ConfigMap, ...) error
- func ReconcileAuthenticationTokenWebhookConfigSecret(secret *corev1.Secret, ownerRef config.OwnerRef, ...) error
- func ReconcileBootstrapKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, ...) error
- func ReconcileConfig(config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef, ...) error
- func ReconcileEgressSelectorConfig(config *corev1.ConfigMap, ownerRef hcpconfig.OwnerRef) error
- func ReconcileExternalKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, ...) error
- func ReconcileExternalPrivateRoute(route *routev1.Route, owner *metav1.OwnerReference, hostname string) error
- func ReconcileExternalPublicRoute(route *routev1.Route, owner *metav1.OwnerReference, hostname string) error
- func ReconcileInternalRoute(route *routev1.Route, owner *metav1.OwnerReference) error
- func ReconcileKMSEncryptionConfig(config *corev1.Secret, ownerRef hcpconfig.OwnerRef, ...) error
- func ReconcileKonnectivityExternalRoute(route *routev1.Route, ownerRef config.OwnerRef, hostname string, ...) error
- func ReconcileKonnectivityInternalRoute(route *routev1.Route, ownerRef config.OwnerRef) error
- func ReconcileKonnectivityServerLocalService(svc *corev1.Service, ownerRef config.OwnerRef) error
- func ReconcileKonnectivityServerService(svc *corev1.Service, ownerRef config.OwnerRef, ...) error
- func ReconcileKonnectivityServerServiceStatus(svc *corev1.Service, route *routev1.Route, ...) (host string, port int32, message string, err error)
- func ReconcileKubeAPIServerDeployment(deployment *appsv1.Deployment, hcp *hyperv1.HostedControlPlane, ...) error
- func ReconcileLocalhostKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, ...) error
- func ReconcileOauthMetadata(cfg *corev1.ConfigMap, ownerRef config.OwnerRef, userOauthMetadata string, ...) error
- func ReconcilePodDisruptionBudget(pdb *policyv1.PodDisruptionBudget, p *KubeAPIServerParams) error
- func ReconcilePrivateService(svc *corev1.Service, hcp *hyperv1.HostedControlPlane, ...) error
- func ReconcileRecordingRules(r *prometheusoperatorv1.PrometheusRule, clusterID string)
- func ReconcileService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, ...) error
- func ReconcileServiceCAPIKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, ...) error
- func ReconcileServiceClusterIP(svc *corev1.Service, owner *metav1.OwnerReference) error
- func ReconcileServiceKubeconfigSecret(secret, cert *corev1.Secret, ca *corev1.ConfigMap, ownerRef config.OwnerRef, ...) error
- func ReconcileServiceMonitor(sm *prometheusoperatorv1.ServiceMonitor, ownerRef config.OwnerRef, ...) error
- func ReconcileServiceStatus(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, ...) (host string, port int32, message string, err error)
- type AudienceMatchPolicyType
- type AuthenticationConfiguration
- type ClaimMappings
- type ClaimOrExpression
- type ClaimValidationRule
- type ExtraMapping
- type Issuer
- type JWTAuthenticator
- type KubeAPIServerConfigParams
- type KubeAPIServerImages
- type KubeAPIServerParams
- func (p *KubeAPIServerParams) AdditionalCORSAllowedOrigins() []string
- func (p *KubeAPIServerParams) AuditPolicyConfig() configv1.Audit
- func (p *KubeAPIServerParams) CipherSuites() []string
- func (p *KubeAPIServerParams) ClusterNetwork() []string
- func (p *KubeAPIServerParams) ConfigParams() KubeAPIServerConfigParams
- func (p *KubeAPIServerParams) DefaultNodeSelector() string
- func (p *KubeAPIServerParams) ExternalIPConfig() *configv1.ExternalIPConfig
- func (p *KubeAPIServerParams) ExternalKubeconfigKey() string
- func (p *KubeAPIServerParams) ExternalRegistryHostNames() []string
- func (p *KubeAPIServerParams) ExternalURL() string
- func (p *KubeAPIServerParams) FeatureGates() []string
- func (p *KubeAPIServerParams) InternalRegistryHostName() string
- func (p *KubeAPIServerParams) InternalURL() string
- func (p *KubeAPIServerParams) NamedCertificates() []configv1.APIServerNamedServingCert
- func (p *KubeAPIServerParams) ServiceAccountIssuerURL() string
- func (p *KubeAPIServerParams) ServiceNetwork() []string
- func (p *KubeAPIServerParams) ServiceNodePortRange() string
- func (p *KubeAPIServerParams) TLSSecurityProfile() *configv1.TLSSecurityProfile
- type KubeAPIServerServiceParams
- type PrefixedClaimOrExpression
- type UserValidationRule
Constants ¶
const ( AuditPolicyConfigMapKey = "policy.yaml" AuditPolicyProfileMapKey = "profile" )
const ( KubeAPIServerConfigKey = "config.json" AuthenticationConfigKey = "auth.json" OauthMetadataConfigKey = "oauthMetadata.json" AuditLogFile = "audit.log" EgressSelectorConfigKey = "config.yaml" DefaultEtcdPort = 2379 )
const ( KonnectivityHealthPort = 2041 KonnectivityServerLocalPort = 8090 KonnectivityServerPort = 8091 )
const (
AuthConfigMapKey = "auth.json"
)
const (
EgressSelectorConfigMapKey = "config.yaml"
)
const (
KubeconfigKey = util.KubeconfigKey
)
Variables ¶
This section is empty.
Functions ¶
func GetKMSProvider ¶ added in v0.1.17
func GetKMSProvider(kmsSpec *hyperv1.KMSSpec, images KubeAPIServerImages) (kms.IKMSProvider, error)
func InClusterKASReadyURL ¶
func InClusterKASReadyURL(platformType hyperv1.PlatformType) string
func InClusterKASURL ¶
func InClusterKASURL(platformType hyperv1.PlatformType) string
func ReconcileAuditConfig ¶
func ReconcileAuthConfig ¶ added in v0.1.20
func ReconcileConfig ¶
func ReconcileExternalPrivateRoute ¶ added in v0.1.2
func ReconcileExternalPublicRoute ¶ added in v0.1.2
func ReconcileInternalRoute ¶
func ReconcileInternalRoute(route *routev1.Route, owner *metav1.OwnerReference) error
func ReconcileKonnectivityExternalRoute ¶ added in v0.1.10
func ReconcileKonnectivityInternalRoute ¶ added in v0.1.10
func ReconcileKonnectivityServerLocalService ¶ added in v0.1.10
func ReconcileKonnectivityServerService ¶ added in v0.1.10
func ReconcileKonnectivityServerService(svc *corev1.Service, ownerRef config.OwnerRef, strategy *hyperv1.ServicePublishingStrategy, hcp *hyperv1.HostedControlPlane) error
func ReconcileKonnectivityServerServiceStatus ¶ added in v0.1.10
func ReconcileKubeAPIServerDeployment ¶
func ReconcileKubeAPIServerDeployment(deployment *appsv1.Deployment, hcp *hyperv1.HostedControlPlane, ownerRef config.OwnerRef, deploymentConfig config.DeploymentConfig, namedCertificates []configv1.APIServerNamedServingCert, cloudProviderName string, cloudProviderConfigRef *corev1.LocalObjectReference, cloudProviderCreds *corev1.LocalObjectReference, images KubeAPIServerImages, config *corev1.ConfigMap, auditConfig *corev1.ConfigMap, authConfig *corev1.ConfigMap, auditWebhookRef *corev1.LocalObjectReference, aesCBCActiveKey []byte, aesCBCBackupKey []byte, port int32, payloadVersion string, featureGateSpec *configv1.FeatureGateSpec, oidcCA *corev1.LocalObjectReference, cipherSuites []string, ) error
func ReconcileOauthMetadata ¶
func ReconcilePodDisruptionBudget ¶
func ReconcilePodDisruptionBudget(pdb *policyv1.PodDisruptionBudget, p *KubeAPIServerParams) error
func ReconcilePrivateService ¶
func ReconcilePrivateService(svc *corev1.Service, hcp *hyperv1.HostedControlPlane, owner *metav1.OwnerReference) error
func ReconcileRecordingRules ¶
func ReconcileRecordingRules(r *prometheusoperatorv1.PrometheusRule, clusterID string)
func ReconcileService ¶
func ReconcileService(svc *corev1.Service, strategy *hyperv1.ServicePublishingStrategy, owner *metav1.OwnerReference, apiServerServicePort int, apiAllowedCIDRBlocks []string, hcp *hyperv1.HostedControlPlane) error
func ReconcileServiceClusterIP ¶ added in v0.1.16
func ReconcileServiceClusterIP(svc *corev1.Service, owner *metav1.OwnerReference) error
func ReconcileServiceMonitor ¶
func ReconcileServiceMonitor(sm *prometheusoperatorv1.ServiceMonitor, ownerRef config.OwnerRef, clusterID string, metricsSet metrics.MetricsSet) error
func ReconcileServiceStatus ¶
Types ¶
type AudienceMatchPolicyType ¶ added in v0.1.20
type AudienceMatchPolicyType string
AudienceMatchPolicyType is a set of valid values for Issuer.AudienceMatchPolicy
const ( // MatchAny means the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. AudienceMatchPolicyMatchAny AudienceMatchPolicyType = "MatchAny" )
Valid types for AudienceMatchPolicyType
type AuthenticationConfiguration ¶ added in v0.1.20
type AuthenticationConfiguration struct { metav1.TypeMeta // jwt is a list of authenticator to authenticate Kubernetes users using // JWT compliant tokens. The authenticator will attempt to parse a raw ID token, // verify it's been signed by the configured issuer. The public key to verify the // signature is discovered from the issuer's public endpoint using OIDC discovery. // For an incoming token, each JWT authenticator will be attempted in // the order in which it is specified in this list. Note however that // other authenticators may run before or after the JWT authenticators. // The specific position of JWT authenticators in relation to other // authenticators is neither defined nor stable across releases. Since // each JWT authenticator must have a unique issuer URL, at most one // JWT authenticator will attempt to cryptographically validate the token. JWT []JWTAuthenticator `json:"jwt"` }
AuthenticationConfiguration provides versioned configuration for authentication.
type ClaimMappings ¶ added in v0.1.20
type ClaimMappings struct { // username represents an option for the username attribute. // The claim's value must be a singular string. // Same as the --oidc-username-claim and --oidc-username-prefix flags. // If username.expression is set, the expression must produce a string value. // // In the flag based approach, the --oidc-username-claim and --oidc-username-prefix are optional. If --oidc-username-claim is not set, // the default value is "sub". For the authentication config, there is no defaulting for claim or prefix. The claim and prefix must be set explicitly. // For claim, if --oidc-username-claim was not set with legacy flag approach, configure username.claim="sub" in the authentication config. // For prefix: // (1) --oidc-username-prefix="-", no prefix was added to the username. For the same behavior using authentication config, // set username.prefix="" // (2) --oidc-username-prefix="" and --oidc-username-claim != "email", prefix was "<value of --oidc-issuer-url>#". For the same // behavior using authentication config, set username.prefix="<value of issuer.url>#" // (3) --oidc-username-prefix="<value>". For the same behavior using authentication config, set username.prefix="<value>" // +required Username PrefixedClaimOrExpression `json:"username"` // groups represents an option for the groups attribute. // The claim's value must be a string or string array claim. // If groups.claim is set, the prefix must be specified (and can be the empty string). // If groups.expression is set, the expression must produce a string or string array value. // "", [], and null values are treated as the group mapping not being present. // +optional Groups PrefixedClaimOrExpression `json:"groups,omitempty"` // uid represents an option for the uid attribute. // Claim must be a singular string claim. // If uid.expression is set, the expression must produce a string value. // +optional UID ClaimOrExpression `json:"uid"` // extra represents an option for the extra attribute. // expression must produce a string or string array value. // If the value is empty, the extra mapping will not be present. // // hard-coded extra key/value // - key: "foo" // valueExpression: "'bar'" // This will result in an extra attribute - foo: ["bar"] // // hard-coded key, value copying claim value // - key: "foo" // valueExpression: "claims.some_claim" // This will result in an extra attribute - foo: [value of some_claim] // // hard-coded key, value derived from claim value // - key: "admin" // valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""' // This will result in: // - if is_admin claim is present and true, extra attribute - admin: ["true"] // - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added // // +optional Extra []ExtraMapping `json:"extra,omitempty"` }
ClaimMappings provides the configuration for claim mapping
type ClaimOrExpression ¶ added in v0.1.20
type ClaimOrExpression struct { // claim is the JWT claim to use. // Either claim or expression must be set. // Mutually exclusive with expression. // +optional Claim string `json:"claim,omitempty"` // expression represents the expression which will be evaluated by CEL. // // CEL expressions have access to the contents of the token claims, organized into CEL variable: // - 'claims' is a map of claim names to claim values. // For example, a variable named 'sub' can be accessed as 'claims.sub'. // Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'. // // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ // // Mutually exclusive with claim. // +optional Expression string `json:"expression,omitempty"` }
ClaimOrExpression provides the configuration for a single claim or expression.
type ClaimValidationRule ¶ added in v0.1.20
type ClaimValidationRule struct { // claim is the name of a required claim. // Same as --oidc-required-claim flag. // Only string claim keys are supported. // Mutually exclusive with expression and message. // +optional Claim string `json:"claim,omitempty"` // requiredValue is the value of a required claim. // Same as --oidc-required-claim flag. // Only string claim values are supported. // If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string. // Mutually exclusive with expression and message. // +optional RequiredValue string `json:"requiredValue,omitempty"` // expression represents the expression which will be evaluated by CEL. // Must produce a boolean. // // CEL expressions have access to the contents of the token claims, organized into CEL variable: // - 'claims' is a map of claim names to claim values. // For example, a variable named 'sub' can be accessed as 'claims.sub'. // Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'. // Must return true for the validation to pass. // // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ // // Mutually exclusive with claim and requiredValue. // +optional Expression string `json:"expression,omitempty"` // message customizes the returned error message when expression returns false. // message is a literal string. // Mutually exclusive with claim and requiredValue. // +optional Message string `json:"message,omitempty"` }
ClaimValidationRule provides the configuration for a single claim validation rule.
type ExtraMapping ¶ added in v0.1.20
type ExtraMapping struct { // key is a string to use as the extra attribute key. // key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid // subdomain as defined by RFC 1123. All characters trailing the first "/" must // be valid HTTP Path characters as defined by RFC 3986. // key must be lowercase. // +required Key string `json:"key"` // valueExpression is a CEL expression to extract extra attribute value. // valueExpression must produce a string or string array value. // "", [], and null values are treated as the extra mapping not being present. // Empty string values contained within a string array are filtered out. // // CEL expressions have access to the contents of the token claims, organized into CEL variable: // - 'claims' is a map of claim names to claim values. // For example, a variable named 'sub' can be accessed as 'claims.sub'. // Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'. // // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ // // +required ValueExpression string `json:"valueExpression"` }
ExtraMapping provides the configuration for a single extra mapping.
type Issuer ¶ added in v0.1.20
type Issuer struct { // url points to the issuer URL in a format https://url or https://url/path. // This must match the "iss" claim in the presented JWT, and the issuer returned from discovery. // Same value as the --oidc-issuer-url flag. // Used to fetch discovery information unless overridden by discoveryURL. // Required to be unique. // Note that egress selection configuration is not used for this network connection. // +required URL string `json:"url"` // certificateAuthority contains PEM-encoded certificate authority certificates // used to validate the connection when fetching discovery information. // If unset, the system verifier is used. // Same value as the content of the file referenced by the --oidc-ca-file flag. // +optional CertificateAuthority string `json:"certificateAuthority,omitempty"` // audiences is the set of acceptable audiences the JWT must be issued to. // At least one of the entries must match the "aud" claim in presented JWTs. // Same value as the --oidc-client-id flag (though this field supports an array). // Required to be non-empty. // +required Audiences []string `json:"audiences"` // audienceMatchPolicy defines how the "audiences" field is used to match the "aud" claim in the presented JWT. // Allowed values are: // 1. "MatchAny" when multiple audiences are specified and // 2. empty (or unset) or "MatchAny" when a single audience is specified. // // - MatchAny: the "aud" claim in the presented JWT must match at least one of the entries in the "audiences" field. // For example, if "audiences" is ["foo", "bar"], the "aud" claim in the presented JWT must contain either "foo" or "bar" (and may contain both). // // - "": The match policy can be empty (or unset) when a single audience is specified in the "audiences" field. The "aud" claim in the presented JWT must contain the single audience (and may contain others). // // For more nuanced audience validation, use claimValidationRules. // example: claimValidationRule[].expression: 'sets.equivalent(claims.aud, ["bar", "foo", "baz"])' to require an exact match. // +optional AudienceMatchPolicy AudienceMatchPolicyType `json:"audienceMatchPolicy,omitempty"` }
Issuer provides the configuration for a external provider specific settings.
type JWTAuthenticator ¶ added in v0.1.20
type JWTAuthenticator struct { // issuer contains the basic OIDC provider connection options. // +required Issuer Issuer `json:"issuer"` // claimValidationRules are rules that are applied to validate token claims to authenticate users. // +optional ClaimValidationRules []ClaimValidationRule `json:"claimValidationRules,omitempty"` // claimMappings points claims of a token to be treated as user attributes. // +required ClaimMappings ClaimMappings `json:"claimMappings"` // userValidationRules are rules that are applied to final user before completing authentication. // These allow invariants to be applied to incoming identities such as preventing the // use of the system: prefix that is commonly used by Kubernetes components. // The validation rules are logically ANDed together and must all return true for the validation to pass. // +optional UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"` }
JWTAuthenticator provides the configuration for a single JWT authenticator.
type KubeAPIServerConfigParams ¶
type KubeAPIServerConfigParams struct { ExternalIPConfig *configv1.ExternalIPConfig ClusterNetwork []string ServiceNetwork []string NamedCertificates []configv1.APIServerNamedServingCert KASPodPort int32 TLSSecurityProfile *configv1.TLSSecurityProfile AdditionalCORSAllowedOrigins []string InternalRegistryHostName string ExternalRegistryHostNames []string DefaultNodeSelector string AdvertiseAddress string ServiceAccountIssuerURL string CloudProvider string CloudProviderConfigRef *corev1.LocalObjectReference EtcdURL string FeatureGates []string NodePortRange string AuditWebhookEnabled bool ConsolePublicURL string DisableProfiling bool APIServerSTSDirectives string Authentication *configv1.AuthenticationSpec }
type KubeAPIServerImages ¶
type KubeAPIServerImages struct { ClusterConfigOperator string `json:"clusterConfigOperator"` CLI string `json:"cli"` HyperKube string `json:"hyperKube"` IBMCloudKMS string `json:"ibmcloudKMS"` AWSKMS string `json:"awsKMS"` Portieris string `json:"portieris"` TokenMinterImage string AWSPodIdentityWebhookImage string KonnectivityServer string }
type KubeAPIServerParams ¶
type KubeAPIServerParams struct { APIServer *configv1.APIServerSpec `json:"apiServer"` Authentication *configv1.AuthenticationSpec `json:"authentication"` FeatureGate *configv1.FeatureGateSpec `json:"featureGate"` Network *configv1.NetworkSpec `json:"network"` Image *configv1.ImageSpec `json:"image"` Scheduler *configv1.SchedulerSpec `json:"scheduler"` CloudProvider string `json:"cloudProvider"` CloudProviderConfig *corev1.LocalObjectReference `json:"cloudProviderConfig"` CloudProviderCreds *corev1.LocalObjectReference `json:"cloudProviderCreds"` ServiceAccountIssuer string `json:"serviceAccountIssuer"` ServiceCIDRs []string `json:"serviceCIDRs"` ClusterCIDRs []string `json:"clusterCIDRs"` AdvertiseAddress string `json:"advertiseAddress"` ExternalAddress string `json:"externalAddress"` // ExternalPort is the port coming from the status of the SVC which is exposing the KAS, e.g. common router LB, dedicated private/public/ LB... // This is used to build kas urls for generated internal kubeconfigs for example. ExternalPort int32 `json:"externalPort"` InternalAddress string `json:"internalAddress"` // KASPodPort is the port to expose in the KAS Pod. KASPodPort int32 `json:"apiServerPort"` ExternalOAuthAddress string `json:"externalOAuthAddress"` ExternalOAuthPort int32 `json:"externalOAuthPort"` OIDCCAConfigMap *corev1.LocalObjectReference `json:"oidcCAConfigMap"` EtcdURL string `json:"etcdAddress"` KubeConfigRef *hyperv1.KubeconfigSecretRef `json:"kubeConfigRef"` AuditWebhookRef *corev1.LocalObjectReference `json:"auditWebhookRef"` ConsolePublicURL string `json:"consolePublicURL"` DisableProfiling bool `json:"disableProfiling"` config.DeploymentConfig config.OwnerRef Images KubeAPIServerImages `json:"images"` Availability hyperv1.AvailabilityPolicy APIServerSTSDirectives string }
func NewKubeAPIServerParams ¶
func NewKubeAPIServerParams(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider *imageprovider.ReleaseImageProvider, externalAPIAddress string, externalAPIPort int32, externalOAuthAddress string, externalOAuthPort int32, setDefaultSecurityContext bool) *KubeAPIServerParams
func (*KubeAPIServerParams) AdditionalCORSAllowedOrigins ¶
func (p *KubeAPIServerParams) AdditionalCORSAllowedOrigins() []string
func (*KubeAPIServerParams) AuditPolicyConfig ¶
func (p *KubeAPIServerParams) AuditPolicyConfig() configv1.Audit
func (*KubeAPIServerParams) CipherSuites ¶ added in v0.1.21
func (p *KubeAPIServerParams) CipherSuites() []string
func (*KubeAPIServerParams) ClusterNetwork ¶
func (p *KubeAPIServerParams) ClusterNetwork() []string
func (*KubeAPIServerParams) ConfigParams ¶
func (p *KubeAPIServerParams) ConfigParams() KubeAPIServerConfigParams
func (*KubeAPIServerParams) DefaultNodeSelector ¶
func (p *KubeAPIServerParams) DefaultNodeSelector() string
func (*KubeAPIServerParams) ExternalIPConfig ¶
func (p *KubeAPIServerParams) ExternalIPConfig() *configv1.ExternalIPConfig
func (*KubeAPIServerParams) ExternalKubeconfigKey ¶
func (p *KubeAPIServerParams) ExternalKubeconfigKey() string
func (*KubeAPIServerParams) ExternalRegistryHostNames ¶
func (p *KubeAPIServerParams) ExternalRegistryHostNames() []string
func (*KubeAPIServerParams) ExternalURL ¶
func (p *KubeAPIServerParams) ExternalURL() string
func (*KubeAPIServerParams) FeatureGates ¶
func (p *KubeAPIServerParams) FeatureGates() []string
func (*KubeAPIServerParams) InternalRegistryHostName ¶
func (p *KubeAPIServerParams) InternalRegistryHostName() string
func (*KubeAPIServerParams) InternalURL ¶
func (p *KubeAPIServerParams) InternalURL() string
InternalURL is used by ReconcileBootstrapKubeconfigSecret.
func (*KubeAPIServerParams) NamedCertificates ¶
func (p *KubeAPIServerParams) NamedCertificates() []configv1.APIServerNamedServingCert
func (*KubeAPIServerParams) ServiceAccountIssuerURL ¶
func (p *KubeAPIServerParams) ServiceAccountIssuerURL() string
func (*KubeAPIServerParams) ServiceNetwork ¶
func (p *KubeAPIServerParams) ServiceNetwork() []string
func (*KubeAPIServerParams) ServiceNodePortRange ¶
func (p *KubeAPIServerParams) ServiceNodePortRange() string
func (*KubeAPIServerParams) TLSSecurityProfile ¶
func (p *KubeAPIServerParams) TLSSecurityProfile() *configv1.TLSSecurityProfile
type KubeAPIServerServiceParams ¶
type KubeAPIServerServiceParams struct { AllowedCIDRBlocks []string OwnerReference *metav1.OwnerReference }
func NewKubeAPIServerServiceParams ¶
func NewKubeAPIServerServiceParams(hcp *hyperv1.HostedControlPlane) *KubeAPIServerServiceParams
type PrefixedClaimOrExpression ¶ added in v0.1.20
type PrefixedClaimOrExpression struct { // claim is the JWT claim to use. // Mutually exclusive with expression. // +optional Claim string `json:"claim,omitempty"` // prefix is prepended to claim's value to prevent clashes with existing names. // prefix needs to be set if claim is set and can be the empty string. // Mutually exclusive with expression. // +optional Prefix *string `json:"prefix,omitempty"` // expression represents the expression which will be evaluated by CEL. // // CEL expressions have access to the contents of the token claims, organized into CEL variable: // - 'claims' is a map of claim names to claim values. // For example, a variable named 'sub' can be accessed as 'claims.sub'. // Nested claims can be accessed using dot notation, e.g. 'claims.email.verified'. // // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ // // Mutually exclusive with claim and prefix. // +optional Expression string `json:"expression,omitempty"` }
PrefixedClaimOrExpression provides the configuration for a single prefixed claim or expression.
type UserValidationRule ¶ added in v0.1.20
type UserValidationRule struct { // expression represents the expression which will be evaluated by CEL. // Must return true for the validation to pass. // // CEL expressions have access to the contents of UserInfo, organized into CEL variable: // - 'user' - authentication.k8s.io/v1, Kind=UserInfo object // Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition. // API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io // // Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ // // +required Expression string `json:"expression"` // message customizes the returned error message when rule returns false. // message is a literal string. // +optional Message string `json:"message,omitempty"` }
UserValidationRule provides the configuration for a single user info validation rule.