Index ¶
- Constants
- func CipherSuites(securityProfile *configv1.TLSSecurityProfile) []string
- func ControllerOwnerRef(obj client.Object) *metav1.OwnerReference
- func CopyStringMap(source map[string]string) map[string]string
- func DefaultReplicas(hcp *hyperv1.HostedControlPlane, isRequestServingComponent bool) int
- func FeatureGates(fg configv1.FeatureGateSelection) []string
- func KMSEncryptedObjects() []string
- func MinTLSVersion(securityProfile *configv1.TLSSecurityProfile) string
- func OpenSSLToIANACipherSuites(ciphers []string) []string
- func SerializeAuditPolicy(policy *auditv1.Policy) ([]byte, error)
- type AdditionalAnnotations
- type AdditionalLabels
- type DeploymentConfig
- func (c *DeploymentConfig) ApplyTo(deployment *appsv1.Deployment)
- func (c *DeploymentConfig) ApplyToDaemonSet(daemonset *appsv1.DaemonSet)
- func (c *DeploymentConfig) ApplyToStatefulSet(sts *appsv1.StatefulSet)
- func (c *DeploymentConfig) SetContainerResourcesIfPresent(container *corev1.Container)
- func (c *DeploymentConfig) SetDefaults(hcp *hyperv1.HostedControlPlane, multiZoneSpreadLabels map[string]string, ...)
- func (c *DeploymentConfig) SetMultizoneSpread(labels map[string]string, required bool)
- func (c *DeploymentConfig) SetReleaseImageAnnotation(releaseImage string)
- func (c *DeploymentConfig) SetRequestServingDefaults(hcp *hyperv1.HostedControlPlane, multiZoneSpreadLabels map[string]string, ...)
- func (c *DeploymentConfig) SetRestartAnnotation(objectMetadata metav1.ObjectMeta)
- type LivenessProbes
- type OwnerRef
- type ReadinessProbes
- type ResourceOverrides
- type ResourcesSpec
- type Scheduling
- type SecurityContextSpec
Constants ¶
// Pod labels that the management-cluster network policies key on.
const (
	// NeedManagementKASAccessLabel must be present on a pod for the network
	// policies to allow it to reach the management cluster kube-apiserver;
	// pods without it are denied.
	NeedManagementKASAccessLabel = "hypershift.openshift.io/need-management-kas-access"
	// NeedMetricsServerAccessLabel marks pods whose egress to the management
	// cluster metrics server is permitted by network policy.
	NeedMetricsServerAccessLabel = "hypershift.openshift.io/need-metrics-server-access"
)

// Priority class names used by control-plane pods.
const (
	// EtcdPriorityClass is assigned to etcd pods.
	EtcdPriorityClass = "hypershift-etcd"
	// APICriticalPriorityClass is assigned to pods that API calls and resource
	// admission depend on: kube-apiserver, aggregated API servers, webhooks.
	APICriticalPriorityClass = "hypershift-api-critical"
	// DefaultPriorityClass is assigned to the remaining control-plane pods,
	// which are not API critical but still warrant elevated priority.
	DefaultPriorityClass = "hypershift-control-plane"
)

// Default endpoints and addresses of the hosted control plane.
const (
	DefaultServiceAccountIssuer  = "https://kubernetes.default.svc"
	DefaultImageRegistryHostname = "image-registry.openshift-image-registry.svc:5000"
	DefaultAdvertiseIPv4Address  = "172.20.0.1"
	DefaultAdvertiseIPv6Address  = "fd00::1"
	DefaultEtcdURL               = "https://etcd-client:2379"
	// DefaultMachineNetwork is the CIDR used for the machine network when none is given.
	DefaultMachineNetwork = "10.0.0.0/16"
)

// Ports on which the kube-apiserver (KAS) is exposed.
const (
	// KASSVCLBAzurePort is 7443 rather than 6443 because, on Azure, 6443
	// collides with the public load balancer rule of the management cluster.
	// https://bugzilla.redhat.com/show_bug.cgi?id=2060650
	// TODO(alberto): explore exposing multiple Azure frontend IPs on the load balancer.
	KASSVCLBAzurePort  = 7443
	KASSVCPort         = 6443
	KASPodDefaultPort  = 6443
	KASSVCIBMCloudPort = 2040
)

const (
	// DefaultServiceNodePortRange is the NodePort range handed to the apiserver by default.
	DefaultServiceNodePortRange = "30000-32767"
	// DefaultSecurityContextUser is the non-root UID used when a default
	// security context is applied.
	DefaultSecurityContextUser = 1001
)

// Duration strings for lease-based timing; the names suggest leader-election
// tuning (the KCM* variants being the controller-manager values), but the
// consuming code is outside this file.
const (
	RecommendedLeaseDuration    = "137s"
	RecommendedRenewDeadline    = "107s"
	RecommendedRetryPeriod      = "26s"
	KCMRecommendedRenewDeadline = "12s"
	KCMRecommendedRetryPeriod   = "3s"
)

// Names of environment variables read by the operator.
const (
	DefaultIngressDomainEnvVar                    = "DEFAULT_INGRESS_DOMAIN"
	EnableCVOManagementClusterMetricsAccessEnvVar = "ENABLE_CVO_MANAGEMENT_CLUSTER_METRICS_ACCESS"
	EnableEtcdRecoveryEnvVar                      = "ENABLE_ETCD_RECOVERY"
	CPOOverridesEnvVar                            = "ENABLE_CPO_OVERRIDES"
)

// AuditWebhookService is the service name for the audit webhook.
const AuditWebhookService = "audit-webhook"
// Managed Azure (ARO HCP) constants: environment variable keys, certificate
// paths, and the Secrets Store CSI provider-class and volume names used to
// surface Key Vault material into control-plane pods.
const (
	// Environment variable keys.

	// AROHCPKeyVaultManagedIdentityClientID names the env var carrying the
	// client ID of the managed identity created on an ARO HCP management
	// cluster; that identity reads secrets and certificates from the Azure Key
	// Vaults in the management cluster's resource group.
	AROHCPKeyVaultManagedIdentityClientID = "ARO_HCP_KEY_VAULT_USER_CLIENT_ID"
	ManagedAzureClientIdEnvVarKey         = "ARO_HCP_MI_CLIENT_ID"
	ManagedAzureTenantIdEnvVarKey         = "ARO_HCP_TENANT_ID"
	ManagedAzureCertificatePathEnvVarKey  = "ARO_HCP_CLIENT_CERTIFICATE_PATH"

	// Certificate locations inside the pod. Note the mount path has no
	// trailing slash while the certificate path does.
	ManagedAzureCertificateMountPath = "/mnt/certs"
	ManagedAzureCertificatePath      = "/mnt/certs/"

	// Secrets Store CSI driver identifiers.
	ManagedAzureSecretsStoreCSIDriver = "secrets-store.csi.k8s.io"
	ManagedAzureSecretProviderClass   = "secretProviderClass"

	// SecretProviderClass names and the volume names they are mounted under,
	// one pair per consuming component.
	ManagedAzureCPOSecretProviderClassName                = "managed-azure-cpo"
	ManagedAzureCPOSecretStoreVolumeName                  = "cpo-cert"
	ManagedAzureCloudProviderSecretProviderClassName      = "managed-azure-cloud-provider"
	ManagedAzureCloudProviderSecretStoreVolumeName        = "cloud-provider-cert"
	ManagedAzureDiskCSISecretStoreProviderClassName       = "managed-azure-disk-csi"
	ManagedAzureFileCSISecretStoreProviderClassName       = "managed-azure-file-csi"
	ManagedAzureImageRegistrySecretStoreProviderClassName = "managed-azure-image-registry"
	ManagedAzureImageRegistrySecretStoreVolumeName        = "image-registry-cert"
	ManagedAzureIngressSecretStoreProviderClassName       = "managed-azure-ingress"
	ManagedAzureIngressSecretStoreVolumeName              = "ingress-cert"
	ManagedAzureKMSSecretProviderClassName                = "managed-azure-kms"
	ManagedAzureKMSSecretStoreVolumeName                  = "kms-cert"
	ManagedAzureNetworkSecretStoreProviderClassName       = "managed-azure-network"
	ManagedAzureNodePoolMgmtSecretProviderClassName       = "managed-azure-nodepool-management"
	ManagedAzureNodePoolMgmtSecretStoreVolumeName         = "nodepool-management-cert"
)
Managed Azure Related Constants
// PodSafeToEvictLocalVolumesKey is the cluster-autoscaler annotation listing
// the local volumes of a pod that are safe to evict, so that annotated pods
// can be drained properly.
const PodSafeToEvictLocalVolumesKey = "cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes"

// Identity the HostedClusterConfigOperator presents to the API server.
const (
	// HCCOUser is the user name used by the HostedClusterConfigOperator.
	HCCOUser = "hosted-cluster-config"
	// HCCOUserAgent is the User-Agent the HostedClusterConfigOperator sends.
	HCCOUserAgent = "hosted-cluster-config-operator-manager"
)
// ManagedByLabel is the label key that lets callers filter deployments by the
// component that manages them.
const ManagedByLabel = "hypershift.openshift.io/managed-by"
Variables ¶
This section is empty.
Functions ¶
func CipherSuites ¶
func CipherSuites(securityProfile *configv1.TLSSecurityProfile) []string
func ControllerOwnerRef ¶
func ControllerOwnerRef(obj client.Object) *metav1.OwnerReference
func CopyStringMap ¶ added in v0.1.10
func DefaultReplicas ¶ added in v0.1.51
func DefaultReplicas(hcp *hyperv1.HostedControlPlane, isRequestServingComponent bool) int
func FeatureGates ¶
func FeatureGates(fg configv1.FeatureGateSelection) []string
func KMSEncryptedObjects ¶ added in v0.1.18
func KMSEncryptedObjects() []string
func MinTLSVersion ¶
func MinTLSVersion(securityProfile *configv1.TLSSecurityProfile) string
func OpenSSLToIANACipherSuites ¶
OpenSSLToIANACipherSuites maps input OpenSSL Cipher Suite names to their IANA counterparts. Unknown ciphers are left out.
Types ¶
type AdditionalAnnotations ¶
func (AdditionalAnnotations) ApplyTo ¶
func (l AdditionalAnnotations) ApplyTo(podMeta *metav1.ObjectMeta)
type AdditionalLabels ¶
func (AdditionalLabels) ApplyTo ¶
func (l AdditionalLabels) ApplyTo(podMeta *metav1.ObjectMeta)
type DeploymentConfig ¶
// DeploymentConfig bundles the pod-level settings that its ApplyTo,
// ApplyToDaemonSet and ApplyToStatefulSet methods write into a workload.
// SetDefaults and SetRequestServingDefaults populate it with the
// project's opinionated defaults.
type DeploymentConfig struct {
	// Replicas is the desired replica count.
	Replicas int
	// Scheduling carries affinity, tolerations, priority class and node selector.
	Scheduling Scheduling
	// AdditionalLabels are extra labels applied to pod metadata.
	AdditionalLabels AdditionalLabels
	// AdditionalAnnotations are extra annotations applied to pod metadata.
	AdditionalAnnotations AdditionalAnnotations
	// SecurityContexts holds per-container security contexts; presumably keyed
	// by container name (see SecurityContextSpec.ApplyToContainer) — confirm.
	SecurityContexts SecurityContextSpec
	// SetDefaultSecurityContext toggles applying a default security context;
	// how it interacts with SecurityContexts is decided in ApplyTo, outside this view.
	SetDefaultSecurityContext bool
	// LivenessProbes and ReadinessProbes are per-container probe definitions.
	LivenessProbes  LivenessProbes
	ReadinessProbes ReadinessProbes
	// Resources holds per-container resource requirements.
	Resources ResourcesSpec
	// DebugDeployments is a set of names; presumably the deployments to run in
	// debug mode — TODO confirm against ApplyTo.
	DebugDeployments sets.String
	// ResourceRequestOverrides replaces resource requests per deployment
	// (see ResourceOverrides.ApplyRequestsTo).
	ResourceRequestOverrides ResourceOverrides
	// IsolateAsRequestServing marks the workload as a request-serving
	// component, which SetRequestServingDefaults documents as changing its
	// scheduling attributes.
	IsolateAsRequestServing bool
	// RevisionHistoryLimit is the number of old revisions the workload keeps.
	RevisionHistoryLimit int
	// AdditionalRequestServingNodeSelector is an extra node selector for
	// request-serving components.
	AdditionalRequestServingNodeSelector map[string]string
}
func (*DeploymentConfig) ApplyTo ¶
func (c *DeploymentConfig) ApplyTo(deployment *appsv1.Deployment)
func (*DeploymentConfig) ApplyToDaemonSet ¶
func (c *DeploymentConfig) ApplyToDaemonSet(daemonset *appsv1.DaemonSet)
func (*DeploymentConfig) ApplyToStatefulSet ¶
func (c *DeploymentConfig) ApplyToStatefulSet(sts *appsv1.StatefulSet)
func (*DeploymentConfig) SetContainerResourcesIfPresent ¶
func (c *DeploymentConfig) SetContainerResourcesIfPresent(container *corev1.Container)
func (*DeploymentConfig) SetDefaults ¶
func (c *DeploymentConfig) SetDefaults(hcp *hyperv1.HostedControlPlane, multiZoneSpreadLabels map[string]string, replicas *int)
SetDefaults populates opinionated default DeploymentConfig for any Deployment.
func (*DeploymentConfig) SetMultizoneSpread ¶ added in v0.1.48
func (c *DeploymentConfig) SetMultizoneSpread(labels map[string]string, required bool)
SetMultizoneSpread sets PodAntiAffinity with corev1.LabelTopologyZone as the topology key for a given set of labels. This is useful to e.g. ensure pods are spread across availability zones. If required is true, the rule is set as RequiredDuringSchedulingIgnoredDuringExecution; otherwise it is set as PreferredDuringSchedulingIgnoredDuringExecution.
func (*DeploymentConfig) SetReleaseImageAnnotation ¶
func (c *DeploymentConfig) SetReleaseImageAnnotation(releaseImage string)
func (*DeploymentConfig) SetRequestServingDefaults ¶ added in v0.1.10
func (c *DeploymentConfig) SetRequestServingDefaults(hcp *hyperv1.HostedControlPlane, multiZoneSpreadLabels map[string]string, replicas *int)
SetRequestServingDefaults wraps the call to SetDefaults. It is meant to be invoked by request serving components so that their scheduling attributes can be modified accordingly.
func (*DeploymentConfig) SetRestartAnnotation ¶
func (c *DeploymentConfig) SetRestartAnnotation(objectMetadata metav1.ObjectMeta)
type LivenessProbes ¶
func (LivenessProbes) ApplyTo ¶
func (p LivenessProbes) ApplyTo(podSpec *corev1.PodSpec)
func (LivenessProbes) ApplyToContainer ¶
func (p LivenessProbes) ApplyToContainer(container string, c *corev1.Container)
type ReadinessProbes ¶
func (ReadinessProbes) ApplyTo ¶
func (p ReadinessProbes) ApplyTo(podSpec *corev1.PodSpec)
func (ReadinessProbes) ApplyToContainer ¶
func (p ReadinessProbes) ApplyToContainer(container string, c *corev1.Container)
type ResourceOverrides ¶
// ResourceOverrides maps a name (the one passed to ApplyRequestsTo) to the
// ResourcesSpec whose requests override those of the matching pod spec.
type ResourceOverrides map[string]ResourcesSpec
func (ResourceOverrides) ApplyRequestsTo ¶
func (o ResourceOverrides) ApplyRequestsTo(name string, podSpec *corev1.PodSpec)
type ResourcesSpec ¶
// ResourcesSpec maps a container name to the resource requirements its
// ApplyTo methods copy into the matching container of a pod spec.
type ResourcesSpec map[string]corev1.ResourceRequirements
func (ResourcesSpec) ApplyRequestsOverrideTo ¶
func (s ResourcesSpec) ApplyRequestsOverrideTo(podSpec *corev1.PodSpec)
func (ResourcesSpec) ApplyTo ¶
func (s ResourcesSpec) ApplyTo(podSpec *corev1.PodSpec)
type Scheduling ¶
// Scheduling holds the placement settings ApplyTo writes into a pod spec.
// PriorityClass and NodeSelector have no omitempty tag, so they are
// serialized even when empty.
type Scheduling struct {
	// Affinity is the pod affinity/anti-affinity; nil when unset.
	Affinity *corev1.Affinity `json:"affinity,omitempty"`
	// Tolerations are the pod tolerations.
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	// PriorityClass is the name of the priority class to assign.
	PriorityClass string `json:"priorityClass"`
	// NodeSelector restricts the nodes the pod may be scheduled on.
	NodeSelector map[string]string `json:"nodeSelector"`
}
func (*Scheduling) ApplyTo ¶
func (s *Scheduling) ApplyTo(podSpec *corev1.PodSpec)
type SecurityContextSpec ¶
// SecurityContextSpec maps a container name to the security context that
// ApplyTo / ApplyToContainer set on the matching container.
type SecurityContextSpec map[string]corev1.SecurityContext
func (SecurityContextSpec) ApplyTo ¶
func (s SecurityContextSpec) ApplyTo(podSpec *corev1.PodSpec)
func (SecurityContextSpec) ApplyToContainer ¶
func (s SecurityContextSpec) ApplyToContainer(name string, c *corev1.Container)