config

package
Published: Nov 28, 2024 License: Apache-2.0 Imports: 18 Imported by: 0


Constants

const (
	// NeedManagementKASAccessLabel is used by network policies
	// to prevent any pod which doesn't contain the label from accessing the management cluster KAS.
	NeedManagementKASAccessLabel = "hypershift.openshift.io/need-management-kas-access"

	// NeedMetricsServerAccessLabel is used by network policies
	// to allow egress communication to the metrics server on the management cluster.
	NeedMetricsServerAccessLabel = "hypershift.openshift.io/need-metrics-server-access"

	// EtcdPriorityClass is for etcd pods.
	EtcdPriorityClass = "hypershift-etcd"

	// APICriticalPriorityClass is for pods that are required for API calls and
	// resource admission to succeed. This includes pods like kube-apiserver,
	// aggregated API servers, and webhooks.
	APICriticalPriorityClass = "hypershift-api-critical"

	// DefaultPriorityClass is for pods in the Hypershift control plane that are
	// not API critical but still need elevated priority.
	DefaultPriorityClass = "hypershift-control-plane"

	// DefaultServiceAccountIssuer is the default service account token issuer URL
	// (the in-cluster Kubernetes service address); presumably fed to the
	// kube-apiserver --service-account-issuer flag — confirm in the consumer.
	DefaultServiceAccountIssuer  = "https://kubernetes.default.svc"
	// DefaultImageRegistryHostname is the in-cluster host:port of the OpenShift image registry service.
	DefaultImageRegistryHostname = "image-registry.openshift-image-registry.svc:5000"
	// DefaultAdvertiseIPv4Address and DefaultAdvertiseIPv6Address are the default
	// advertise addresses for single-stack IPv4 and IPv6 respectively; presumably the
	// KAS advertise address — confirm in the consumer.
	DefaultAdvertiseIPv4Address  = "172.20.0.1"
	DefaultAdvertiseIPv6Address  = "fd00::1"
	// DefaultEtcdURL is the default etcd client endpoint. Note the https scheme: the
	// consumer is expected to supply the client certificate and CA to talk to it.
	DefaultEtcdURL               = "https://etcd-client:2379"
	// KASSVCLBAzurePort is needed because for Azure we currently hardcode 7443 for the SVC LB as 6443 collides with public LB rule for the management cluster.
	// https://bugzilla.redhat.com/show_bug.cgi?id=2060650
	// TODO(alberto): explore exposing multiple Azure frontend IPs on the load balancer.
	KASSVCLBAzurePort           = 7443
	// KASSVCPort and KASPodDefaultPort are the default KAS service and pod ports (both 6443);
	// KASSVCIBMCloudPort is the IBM Cloud-specific KAS service port.
	KASSVCPort                  = 6443
	KASPodDefaultPort           = 6443
	KASSVCIBMCloudPort          = 2040
	// DefaultServiceNodePortRange matches the upstream Kubernetes default for
	// --service-node-port-range.
	DefaultServiceNodePortRange = "30000-32767"
	// DefaultSecurityContextUser is a non-root UID; presumably the user applied when
	// DeploymentConfig.SetDefaultSecurityContext is set — confirm in ApplyTo.
	DefaultSecurityContextUser  = 1001
	// The Recommended* values are duration strings (parsed by whoever consumes them,
	// not time.Duration). By their names they look like leader-election
	// lease/renew/retry settings, with a tighter renew/retry pair for the KCM —
	// confirm against the flags they are passed to.
	RecommendedLeaseDuration    = "137s"
	RecommendedRenewDeadline    = "107s"
	RecommendedRetryPeriod      = "26s"
	KCMRecommendedRenewDeadline = "12s"
	KCMRecommendedRetryPeriod   = "3s"

	// The *EnvVar constants are environment variable names, not values.
	DefaultIngressDomainEnvVar                    = "DEFAULT_INGRESS_DOMAIN"
	EnableCVOManagementClusterMetricsAccessEnvVar = "ENABLE_CVO_MANAGEMENT_CLUSTER_METRICS_ACCESS"

	// EnableEtcdRecoveryEnvVar is the environment variable name that toggles etcd recovery.
	EnableEtcdRecoveryEnvVar = "ENABLE_ETCD_RECOVERY"

	// CPOOverridesEnvVar is the environment variable name that enables CPO
	// (presumably control-plane-operator) overrides.
	CPOOverridesEnvVar = "ENABLE_CPO_OVERRIDES"

	// AuditWebhookService identifies the audit webhook service (presumably a Service name — confirm).
	AuditWebhookService = "audit-webhook"

	// DefaultMachineNetwork is the default network CIDR for the machine network.
	DefaultMachineNetwork = "10.0.0.0/16"
)
const (
	// AROHCPKeyVaultManagedIdentityClientID is the name of the environment variable that carries
	// the client ID of the managed identity created on an ARO HCP management cluster (the value
	// here is the variable name, not the ID itself, like the *EnvVarKey constants below).
	// This managed identity is used to pull secrets and certificates out of Azure Key Vaults in the
	// management cluster's resource group in Azure.
	AROHCPKeyVaultManagedIdentityClientID = "ARO_HCP_KEY_VAULT_USER_CLIENT_ID"

	// Environment variable names for the managed-identity credentials of an ARO HCP
	// control plane: client ID, tenant ID and the path of the client certificate.
	ManagedAzureClientIdEnvVarKey        = "ARO_HCP_MI_CLIENT_ID"
	ManagedAzureTenantIdEnvVarKey        = "ARO_HCP_TENANT_ID"
	ManagedAzureCertificatePathEnvVarKey = "ARO_HCP_CLIENT_CERTIFICATE_PATH"
	// ManagedAzureCertificateMountPath and ManagedAzureCertificatePath differ only by the
	// trailing slash; the latter is presumably used as a prefix for file names under the
	// mount — confirm the consumers before consolidating them.
	ManagedAzureCertificateMountPath     = "/mnt/certs"
	ManagedAzureCertificatePath          = "/mnt/certs/"
	// ManagedAzureSecretsStoreCSIDriver is the driver name of the Kubernetes Secrets Store
	// CSI driver; presumably how the Key Vault contents above are mounted into pods.
	ManagedAzureSecretsStoreCSIDriver    = "secrets-store.csi.k8s.io"
	// ManagedAzureSecretProviderClass is the volume attribute key naming the SecretProviderClass.
	ManagedAzureSecretProviderClass      = "secretProviderClass"

	// SecretProviderClass names and, where defined, the matching volume names, one per
	// component that needs a certificate from Key Vault (CPO, cloud provider, disk/file
	// CSI, image registry, ingress, KMS, network, nodepool management). Not every class
	// has a volume-name constant here.
	ManagedAzureCPOSecretProviderClassName                = "managed-azure-cpo"
	ManagedAzureCPOSecretStoreVolumeName                  = "cpo-cert"
	ManagedAzureCloudProviderSecretProviderClassName      = "managed-azure-cloud-provider"
	ManagedAzureCloudProviderSecretStoreVolumeName        = "cloud-provider-cert"
	ManagedAzureDiskCSISecretStoreProviderClassName       = "managed-azure-disk-csi"
	ManagedAzureFileCSISecretStoreProviderClassName       = "managed-azure-file-csi"
	ManagedAzureImageRegistrySecretStoreProviderClassName = "managed-azure-image-registry"
	ManagedAzureImageRegistrySecretStoreVolumeName        = "image-registry-cert"
	ManagedAzureIngressSecretStoreProviderClassName       = "managed-azure-ingress"
	ManagedAzureIngressSecretStoreVolumeName              = "ingress-cert"
	ManagedAzureKMSSecretProviderClassName                = "managed-azure-kms"
	ManagedAzureKMSSecretStoreVolumeName                  = "kms-cert"
	ManagedAzureNetworkSecretStoreProviderClassName       = "managed-azure-network"
	ManagedAzureNodePoolMgmtSecretProviderClassName       = "managed-azure-nodepool-management"
	ManagedAzureNodePoolMgmtSecretStoreVolumeName         = "nodepool-management-cert"
)

Managed Azure Related Constants

const (
	// PodSafeToEvictLocalVolumesKey is an annotation used by the cluster autoscaler (CA) operator.
	// Pods that carry it, listing the local volumes that are safe to evict, can be drained properly.
	PodSafeToEvictLocalVolumesKey = "cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes"

	// HCCOUser references the user used by the HostedClusterConfigOperator.
	// Together with HCCOUserAgent it is what identifies that operator's requests in
	// API server audit logs.
	HCCOUser = "hosted-cluster-config"
	// HCCOUserAgent references the userAgent used by the HostedClusterConfigOperator.
	HCCOUserAgent = "hosted-cluster-config-operator-manager"
)
const (
	// ManagedByLabel is a label key that can be used to filter deployments; the
	// label value is set by whoever applies it (not visible here).
	ManagedByLabel = "hypershift.openshift.io/managed-by"
)

Variables

This section is empty.

Functions

func CipherSuites

func CipherSuites(securityProfile *configv1.TLSSecurityProfile) []string

func ControllerOwnerRef

func ControllerOwnerRef(obj client.Object) *metav1.OwnerReference

func CopyStringMap added in v0.1.10

func CopyStringMap(source map[string]string) map[string]string

func DefaultReplicas added in v0.1.51

func DefaultReplicas(hcp *hyperv1.HostedControlPlane, isRequestServingComponent bool) int

func FeatureGates

func FeatureGates(fg configv1.FeatureGateSelection) []string

func KMSEncryptedObjects added in v0.1.18

func KMSEncryptedObjects() []string

func MinTLSVersion

func MinTLSVersion(securityProfile *configv1.TLSSecurityProfile) string

func OpenSSLToIANACipherSuites

func OpenSSLToIANACipherSuites(ciphers []string) []string

OpenSSLToIANACipherSuites maps input OpenSSL Cipher Suite names to their IANA counterparts. Unknown ciphers are left out.

func SerializeAuditPolicy

func SerializeAuditPolicy(policy *auditv1.Policy) ([]byte, error)

Types

type AdditionalAnnotations

// AdditionalAnnotations is a set of annotation key/value pairs; ApplyTo writes
// them onto a *metav1.ObjectMeta (how existing keys are merged is not shown here).
type AdditionalAnnotations map[string]string

func (AdditionalAnnotations) ApplyTo

func (l AdditionalAnnotations) ApplyTo(podMeta *metav1.ObjectMeta)

type AdditionalLabels

// AdditionalLabels is a set of label key/value pairs; ApplyTo writes them onto a
// *metav1.ObjectMeta (how existing keys are merged is not shown here).
type AdditionalLabels map[string]string

func (AdditionalLabels) ApplyTo

func (l AdditionalLabels) ApplyTo(podMeta *metav1.ObjectMeta)

type DeploymentConfig

// DeploymentConfig collects the opinionated settings applied to a control plane
// workload; ApplyTo, ApplyToDaemonSet and ApplyToStatefulSet write it onto the
// respective object, and SetDefaults populates it.
type DeploymentConfig struct {
	// Replicas is the desired replica count.
	Replicas                  int
	// Scheduling holds affinity, tolerations, priority class and node selector (see Scheduling).
	Scheduling                Scheduling
	// AdditionalLabels and AdditionalAnnotations are applied to pod metadata.
	AdditionalLabels          AdditionalLabels
	AdditionalAnnotations     AdditionalAnnotations
	// SecurityContexts are per-container security contexts (see SecurityContextSpec.ApplyToContainer).
	SecurityContexts          SecurityContextSpec
	// SetDefaultSecurityContext, when true, presumably applies a default security
	// context (e.g. DefaultSecurityContextUser) — confirm in ApplyTo.
	SetDefaultSecurityContext bool
	// LivenessProbes and ReadinessProbes are per-container probes (see their ApplyToContainer).
	LivenessProbes            LivenessProbes
	ReadinessProbes           ReadinessProbes
	// Resources are resource requirements, presumably keyed by container name — confirm in ResourcesSpec.ApplyTo.
	Resources                 ResourcesSpec
	// DebugDeployments is a set of names; how membership changes the applied
	// config is not visible here.
	DebugDeployments          sets.String
	// ResourceRequestOverrides are request overrides keyed by a name
	// (see ResourceOverrides.ApplyRequestsTo), presumably the workload name.
	ResourceRequestOverrides  ResourceOverrides
	// IsolateAsRequestServing marks the workload as a request serving component
	// (see SetRequestServingDefaults), which changes its scheduling.
	IsolateAsRequestServing   bool
	// RevisionHistoryLimit is presumably mapped onto the workload's revisionHistoryLimit — confirm in ApplyTo.
	RevisionHistoryLimit      int

	// AdditionalRequestServingNodeSelector is an extra node selector for
	// request serving components.
	AdditionalRequestServingNodeSelector map[string]string
}

func (*DeploymentConfig) ApplyTo

func (c *DeploymentConfig) ApplyTo(deployment *appsv1.Deployment)

func (*DeploymentConfig) ApplyToDaemonSet

func (c *DeploymentConfig) ApplyToDaemonSet(daemonset *appsv1.DaemonSet)

func (*DeploymentConfig) ApplyToStatefulSet

func (c *DeploymentConfig) ApplyToStatefulSet(sts *appsv1.StatefulSet)

func (*DeploymentConfig) SetContainerResourcesIfPresent

func (c *DeploymentConfig) SetContainerResourcesIfPresent(container *corev1.Container)

func (*DeploymentConfig) SetDefaults

func (c *DeploymentConfig) SetDefaults(hcp *hyperv1.HostedControlPlane, multiZoneSpreadLabels map[string]string, replicas *int)

SetDefaults populates opinionated default DeploymentConfig for any Deployment.

func (*DeploymentConfig) SetMultizoneSpread added in v0.1.48

func (c *DeploymentConfig) SetMultizoneSpread(labels map[string]string, required bool)

SetMultizoneSpread sets PodAntiAffinity with corev1.LabelTopologyZone as the topology key for a given set of labels. This is useful to e.g. ensure pods are spread across availability zones. If required is true, the rule is set as RequiredDuringSchedulingIgnoredDuringExecution, otherwise it is set as PreferredDuringSchedulingIgnoredDuringExecution.

func (*DeploymentConfig) SetReleaseImageAnnotation

func (c *DeploymentConfig) SetReleaseImageAnnotation(releaseImage string)

func (*DeploymentConfig) SetRequestServingDefaults added in v0.1.10

func (c *DeploymentConfig) SetRequestServingDefaults(hcp *hyperv1.HostedControlPlane, multiZoneSpreadLabels map[string]string, replicas *int)

SetRequestServingDefaults wraps the call to SetDefaults. It is meant to be invoked by request serving components so that their scheduling attributes can be modified accordingly.

func (*DeploymentConfig) SetRestartAnnotation

func (c *DeploymentConfig) SetRestartAnnotation(objectMetadata metav1.ObjectMeta)

type LivenessProbes

// LivenessProbes maps a container name to its liveness probe; ApplyTo walks a
// PodSpec and ApplyToContainer applies the probe for one named container.
type LivenessProbes map[string]corev1.Probe

func (LivenessProbes) ApplyTo

func (p LivenessProbes) ApplyTo(podSpec *corev1.PodSpec)

func (LivenessProbes) ApplyToContainer

func (p LivenessProbes) ApplyToContainer(container string, c *corev1.Container)

type OwnerRef

// OwnerRef wraps an owner reference; build it with OwnerRefFrom and stamp it
// onto objects with ApplyTo.
type OwnerRef struct {
	// Reference is the owner reference to apply; presumably may be nil, in which
	// case ApplyTo should be a no-op — confirm in OwnerRefFrom/ApplyTo.
	Reference *metav1.OwnerReference
}

func OwnerRefFrom

func OwnerRefFrom(obj client.Object) OwnerRef

func (OwnerRef) ApplyTo

func (c OwnerRef) ApplyTo(obj client.Object)

type ReadinessProbes

// ReadinessProbes maps a container name to its readiness probe; ApplyTo walks a
// PodSpec and ApplyToContainer applies the probe for one named container.
type ReadinessProbes map[string]corev1.Probe

func (ReadinessProbes) ApplyTo

func (p ReadinessProbes) ApplyTo(podSpec *corev1.PodSpec)

func (ReadinessProbes) ApplyToContainer

func (p ReadinessProbes) ApplyToContainer(container string, c *corev1.Container)

type ResourceOverrides

// ResourceOverrides maps a name (presumably the workload name — confirm in
// ApplyRequestsTo) to the ResourcesSpec whose requests override the defaults.
type ResourceOverrides map[string]ResourcesSpec

func (ResourceOverrides) ApplyRequestsTo

func (o ResourceOverrides) ApplyRequestsTo(name string, podSpec *corev1.PodSpec)

type ResourcesSpec

// ResourcesSpec maps a key (presumably the container name — confirm in ApplyTo)
// to resource requirements; ApplyTo sets them and ApplyRequestsOverrideTo
// applies only the requests.
type ResourcesSpec map[string]corev1.ResourceRequirements

func (ResourcesSpec) ApplyRequestsOverrideTo

func (s ResourcesSpec) ApplyRequestsOverrideTo(podSpec *corev1.PodSpec)

func (ResourcesSpec) ApplyTo

func (s ResourcesSpec) ApplyTo(podSpec *corev1.PodSpec)

type Scheduling

// Scheduling captures the pod scheduling constraints written by Scheduling.ApplyTo.
// Note the JSON tags: Affinity and Tolerations are omitted when empty, while
// PriorityClass and NodeSelector are always emitted (as "" / null when unset).
type Scheduling struct {
	Affinity      *corev1.Affinity    `json:"affinity,omitempty"`
	Tolerations   []corev1.Toleration `json:"tolerations,omitempty"`
	PriorityClass string              `json:"priorityClass"`
	NodeSelector  map[string]string   `json:"nodeSelector"`
}

func (*Scheduling) ApplyTo

func (s *Scheduling) ApplyTo(podSpec *corev1.PodSpec)

type SecurityContextSpec

// SecurityContextSpec maps a container name to its security context; ApplyTo
// walks a PodSpec and ApplyToContainer applies the context for one named container.
type SecurityContextSpec map[string]corev1.SecurityContext

func (SecurityContextSpec) ApplyTo

func (s SecurityContextSpec) ApplyTo(podSpec *corev1.PodSpec)

func (SecurityContextSpec) ApplyToContainer

func (s SecurityContextSpec) ApplyToContainer(name string, c *corev1.Container)
