v1

package

Documentation

Overview

Package v1 contains API Schema definitions for the certificates.mesh.gloo.solo.io v1 API group +k8s:deepcopy-gen=package,register +groupName=certificates.mesh.gloo.solo.io

NOTE: Boilerplate only. Ignore this file. Used to register the Go types with the Kubernetes internal scheme

Definitions for the Kubernetes types

Definitions for the Kubernetes types

Index

Constants

This section is empty.

Variables

var (
	// CertificateRotationState_name maps each CertificateRotationState wire value
	// (the proto enum number) to its proto identifier.
	CertificateRotationState_name = map[int32]string{
		0: "NOT_ROTATING",
		1: "PREVIOUS_CA",
		2: "ADDING_NEW_ROOT",
		3: "PROPAGATING_NEW_INTERMEDIATE",
		4: "DELETING_OLD_ROOT",
		5: "VERIFYING",
		6: "VERIFIED",
		7: "ROLLING_BACK",
		8: "FINISHED",
		9: "FAILED",
	}
	// CertificateRotationState_value is the inverse of CertificateRotationState_name
	// (proto identifier -> wire value). It is derived from the name map so the two
	// tables cannot drift apart.
	CertificateRotationState_value = func() map[string]int32 {
		byName := make(map[string]int32, len(CertificateRotationState_name))
		for num, ident := range CertificateRotationState_name {
			byName[ident] = num
		}
		return byName
	}()
)

Enum value maps for CertificateRotationState.

var (
	// CertificateRotationStrategy_name maps each CertificateRotationStrategy wire value
	// to its proto identifier.
	CertificateRotationStrategy_name = map[int32]string{
		0: "MULTI_ROOT",
		1: "NONE",
	}
	// CertificateRotationStrategy_value is the inverse table (identifier -> wire value),
	// derived from the name map so the two stay consistent.
	CertificateRotationStrategy_value = func() map[string]int32 {
		byName := make(map[string]int32, len(CertificateRotationStrategy_name))
		for num, ident := range CertificateRotationStrategy_name {
			byName[ident] = num
		}
		return byName
	}()
)

Enum value maps for CertificateRotationStrategy.

var (
	// CertificateRequestStatus_State_name maps each CertificateRequestStatus_State wire
	// value to its proto identifier.
	CertificateRequestStatus_State_name = map[int32]string{
		0: "PENDING",
		1: "FINISHED",
		2: "FAILED",
	}
	// CertificateRequestStatus_State_value is the inverse table (identifier -> wire value),
	// derived from the name map so the two stay consistent.
	CertificateRequestStatus_State_value = func() map[string]int32 {
		byName := make(map[string]int32, len(CertificateRequestStatus_State_name))
		for num, ident := range CertificateRequestStatus_State_name {
			byName[ident] = num
		}
		return byName
	}()
)

Enum value maps for CertificateRequestStatus_State.

var (
	// IssuedCertificateStatus_State_name maps each IssuedCertificateStatus_State wire
	// value to its proto identifier.
	IssuedCertificateStatus_State_name = map[int32]string{
		0: "PENDING",
		1: "REQUESTED",
		2: "ISSUED",
		3: "FINISHED",
		4: "FAILED",
	}
	// IssuedCertificateStatus_State_value is the inverse table (identifier -> wire value),
	// derived from the name map so the two stay consistent.
	IssuedCertificateStatus_State_value = func() map[string]int32 {
		byName := make(map[string]int32, len(IssuedCertificateStatus_State_name))
		for num, ident := range IssuedCertificateStatus_State_name {
			byName[ident] = num
		}
		return byName
	}()
)

Enum value maps for IssuedCertificateStatus_State.

// SchemeGroupVersion is the GroupVersion (certificates.mesh.gloo.solo.io/v1) under which
// the types of this package are registered with the Kubernetes scheme.
var SchemeGroupVersion = schema.GroupVersion{Group: "certificates.mesh.gloo.solo.io", Version: "v1"}

// SchemeBuilder collects the Go types of this package so they can be added to a
// runtime.Scheme under SchemeGroupVersion (see AddToScheme).
var SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
// CertificateRequestGVK is the GroupVersionKind of the CertificateRequest resource,
// i.e. SchemeGroupVersion with Kind "CertificateRequest".
var CertificateRequestGVK = SchemeGroupVersion.WithKind("CertificateRequest")

GroupVersionKind for CertificateRequest

// File_github_com_solo_io_gloo_mesh_api_certificates_v1_ca_options_proto is the protobuf
// file descriptor for ca_options.proto; presumably populated by the generated init code,
// which is not visible on this page.
var File_github_com_solo_io_gloo_mesh_api_certificates_v1_ca_options_proto protoreflect.FileDescriptor
// File_github_com_solo_io_gloo_mesh_api_certificates_v1_certificate_request_proto is the
// protobuf file descriptor for certificate_request.proto; presumably populated by the
// generated init code, which is not visible on this page.
var File_github_com_solo_io_gloo_mesh_api_certificates_v1_certificate_request_proto protoreflect.FileDescriptor
// File_github_com_solo_io_gloo_mesh_api_certificates_v1_issued_certificate_proto is the
// protobuf file descriptor for issued_certificate.proto; presumably populated by the
// generated init code, which is not visible on this page.
var File_github_com_solo_io_gloo_mesh_api_certificates_v1_issued_certificate_proto protoreflect.FileDescriptor
// File_github_com_solo_io_gloo_mesh_api_certificates_v1_pod_bounce_directive_proto is the
// protobuf file descriptor for pod_bounce_directive.proto; presumably populated by the
// generated init code, which is not visible on this page.
var File_github_com_solo_io_gloo_mesh_api_certificates_v1_pod_bounce_directive_proto protoreflect.FileDescriptor
// File_github_com_solo_io_gloo_mesh_api_certificates_v1_vault_ca_proto is the protobuf
// file descriptor for vault_ca.proto; presumably populated by the generated init code,
// which is not visible on this page.
var File_github_com_solo_io_gloo_mesh_api_certificates_v1_vault_ca_proto protoreflect.FileDescriptor
// IssuedCertificateGVK is the GroupVersionKind of the IssuedCertificate resource,
// i.e. SchemeGroupVersion with Kind "IssuedCertificate".
var IssuedCertificateGVK = SchemeGroupVersion.WithKind("IssuedCertificate")

GroupVersionKind for IssuedCertificate

// PodBounceDirectiveGVK is the GroupVersionKind of the PodBounceDirective resource,
// i.e. SchemeGroupVersion with Kind "PodBounceDirective".
var PodBounceDirectiveGVK = SchemeGroupVersion.WithKind("PodBounceDirective")

GroupVersionKind for PodBounceDirective

Functions

func AddToScheme

func AddToScheme(s *runtime.Scheme) error

func NewCertificateRequestClient

func NewCertificateRequestClient(client client.Client) *certificateRequestClient

func NewIssuedCertificateClient

func NewIssuedCertificateClient(client client.Client) *issuedCertificateClient

func NewPodBounceDirectiveClient

func NewPodBounceDirectiveClient(client client.Client) *podBounceDirectiveClient

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type CertificateRequest

// CertificateRequest is the Schema for the certificateRequest API.
//
// Per the package docs, the Spec (the CSR) is produced by the Gloo Mesh agent in the
// managed cluster and the Status (the signed material) is filled in by the issuer;
// see CertificateRequestSpec and CertificateRequestStatus for the workflow.
type CertificateRequest struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec carries the certificate signing request (written by the agent).
	Spec   CertificateRequestSpec   `json:"spec,omitempty"`
	// Status carries the issuer's response (written by the issuer via the status subresource).
	Status CertificateRequestStatus `json:"status,omitempty"`
}

CertificateRequest is the Schema for the certificateRequest API

func (*CertificateRequest) DeepCopy

func (in *CertificateRequest) DeepCopy() *CertificateRequest

func (*CertificateRequest) DeepCopyInto

func (in *CertificateRequest) DeepCopyInto(out *CertificateRequest)

func (*CertificateRequest) DeepCopyObject

func (in *CertificateRequest) DeepCopyObject() runtime.Object

func (CertificateRequest) GVK

GVK returns the GroupVersionKind associated with the resource type.

type CertificateRequestClient

Client knows how to perform CRUD operations on CertificateRequests.

type CertificateRequestList

// CertificateRequestList contains a list of CertificateRequest, as returned by
// CertificateRequestReader.ListCertificateRequest.
type CertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the listed objects; `items` is always emitted (no omitempty),
	// so an empty list serializes as an empty array rather than being dropped.
	Items           []CertificateRequest `json:"items"`
}

CertificateRequestList contains a list of CertificateRequest

func (*CertificateRequestList) DeepCopy

func (*CertificateRequestList) DeepCopyInto

func (in *CertificateRequestList) DeepCopyInto(out *CertificateRequestList)

func (*CertificateRequestList) DeepCopyObject

func (in *CertificateRequestList) DeepCopyObject() runtime.Object

type CertificateRequestReader

// CertificateRequestReader knows how to read and list CertificateRequests.
type CertificateRequestReader interface {
	// GetCertificateRequest retrieves the CertificateRequest identified by key (namespace/name).
	GetCertificateRequest(ctx context.Context, key client.ObjectKey) (*CertificateRequest, error)

	// ListCertificateRequest retrieves the CertificateRequests matching the given list options.
	// There is no explicit namespace parameter: the namespace is presumably narrowed through
	// opts (e.g. client.InNamespace); without such an option the list would span every
	// namespace the underlying client may read — confirm against the implementation.
	ListCertificateRequest(ctx context.Context, opts ...client.ListOption) (*CertificateRequestList, error)
}

Reader knows how to read and list CertificateRequests.

type CertificateRequestSlice

// CertificateRequestSlice represents a slice of *CertificateRequest.
type CertificateRequestSlice []*CertificateRequest

CertificateRequestSlice represents a slice of *CertificateRequest

type CertificateRequestSpec

// CertificateRequestSpec carries the CSR generated by the Gloo Mesh agent in the managed
// cluster; the issuer signs it and reports the result in CertificateRequestStatus.
//
// NOTE(review): the CSR is input from the managed cluster. The names and key in it are
// chosen by whatever produced the request, so the issuer should presumably validate the
// requested subject/SANs against the corresponding IssuedCertificate (its `hosts`) before
// signing rather than signing the CSR as-is — confirm against the issuer implementation.
type CertificateRequestSpec struct {

	// The PKCS#10 Certificate Signing Request issued by the Gloo Mesh agent deployed in
	// the managed cluster, corresponding to the IssuedCertificate received by the agent.
	// The original comment calls this "Base64-encoded"; for a proto `bytes` field the
	// base64 form is presumably only the JSON/YAML representation, and whether the raw
	// bytes are DER or PEM is not stated here — verify before parsing.
	CertificateSigningRequest []byte `` /* 138-byte string literal not displayed */
	// contains filtered or unexported fields
}

CertificateRequests are generated by the Gloo Mesh agent installed on managed clusters. They are used to request a signed certificate from the certificate issuer (the Gloo Mesh server) based on a private key generated by the agent (which never leaves the managed cluster).

When Gloo Mesh creates an IssuedCertificate on a managed cluster, the local Gloo Mesh Agent will generate a CertificateRequest corresponding to it.

Gloo Mesh will then process the certificate signing request contained in the `CertificateRequestSpec` and write the signed SSL certificate back as a Kubernetes secret in the managed cluster, and update the `CertificateRequestStatus` to point to that secret.

func (*CertificateRequestSpec) DeepCopyInto

func (in *CertificateRequestSpec) DeepCopyInto(out *CertificateRequestSpec)

DeepCopyInto for the CertificateRequest.Spec

func (*CertificateRequestSpec) Descriptor deprecated

func (*CertificateRequestSpec) Descriptor() ([]byte, []int)

Deprecated: Use CertificateRequestSpec.ProtoReflect.Descriptor instead.

func (*CertificateRequestSpec) Equal

func (m *CertificateRequestSpec) Equal(that interface{}) bool

Equal function

func (*CertificateRequestSpec) GetCertificateSigningRequest

func (x *CertificateRequestSpec) GetCertificateSigningRequest() []byte

func (*CertificateRequestSpec) MarshalJSON

func (this *CertificateRequestSpec) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for CertificateRequestSpec

func (*CertificateRequestSpec) ProtoMessage

func (*CertificateRequestSpec) ProtoMessage()

func (*CertificateRequestSpec) ProtoReflect

func (x *CertificateRequestSpec) ProtoReflect() protoreflect.Message

func (*CertificateRequestSpec) Reset

func (x *CertificateRequestSpec) Reset()

func (*CertificateRequestSpec) String

func (x *CertificateRequestSpec) String() string

func (*CertificateRequestSpec) UnmarshalJSON

func (this *CertificateRequestSpec) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for CertificateRequestSpec

type CertificateRequestStatus

// CertificateRequestStatus is written by the certificate issuer (through the status
// subresource; see CertificateRequestStatusWriter) to report progress and to deliver
// the signed material back to the managed cluster.
//
// NOTE(review): everything in this status is supplied by whoever can write the status
// subresource. A consumer should presumably verify that `signedCertificate` actually
// chains to the CA it expects (`signingRootCa` / `certChain`) rather than trusting the
// delivered bytes as-is — confirm against the agent implementation.
type CertificateRequestStatus struct {

	// The most recent generation observed in the CertificateRequest metadata.
	// If the `observedGeneration` does not match `metadata.generation`, the issuer has not processed the most
	// recent version of this request.
	ObservedGeneration int64 `protobuf:"varint,1,opt,name=observed_generation,json=observedGeneration,proto3" json:"observed_generation,omitempty"`
	// Any error observed which prevented the CertificateRequest from being processed.
	// An empty error is also the default for a request that has not been processed yet
	// (State == PENDING), so check `state` as well before treating the request as successful.
	Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
	// The current state of the CertificateRequest workflow reported by the issuer.
	State CertificateRequestStatus_State `` /* 131-byte string literal not displayed */
	// The signed intermediate certificate issued by the CA (populated once State == FINISHED).
	SignedCertificate []byte `protobuf:"bytes,4,opt,name=signed_certificate,json=signedCertificate,proto3" json:"signed_certificate,omitempty"`
	// The root CA used by the issuer to sign the certificate (populated once State == FINISHED).
	SigningRootCa []byte `protobuf:"bytes,5,opt,name=signing_root_ca,json=signingRootCa,proto3" json:"signing_root_ca,omitempty"`
	// The cert chain of the signing CA. Added in v1.1.0; may be empty when written by an
	// older issuer.
	CertChain []byte `protobuf:"bytes,6,opt,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
	// contains filtered or unexported fields
}

func (*CertificateRequestStatus) DeepCopyInto

func (in *CertificateRequestStatus) DeepCopyInto(out *CertificateRequestStatus)

DeepCopyInto for the CertificateRequest.Status

func (*CertificateRequestStatus) Descriptor deprecated

func (*CertificateRequestStatus) Descriptor() ([]byte, []int)

Deprecated: Use CertificateRequestStatus.ProtoReflect.Descriptor instead.

func (*CertificateRequestStatus) Equal

func (m *CertificateRequestStatus) Equal(that interface{}) bool

Equal function

func (*CertificateRequestStatus) GetCertChain added in v1.1.0

func (x *CertificateRequestStatus) GetCertChain() []byte

func (*CertificateRequestStatus) GetError

func (x *CertificateRequestStatus) GetError() string

func (*CertificateRequestStatus) GetObservedGeneration

func (x *CertificateRequestStatus) GetObservedGeneration() int64

func (*CertificateRequestStatus) GetSignedCertificate

func (x *CertificateRequestStatus) GetSignedCertificate() []byte

func (*CertificateRequestStatus) GetSigningRootCa

func (x *CertificateRequestStatus) GetSigningRootCa() []byte

func (*CertificateRequestStatus) GetState

func (*CertificateRequestStatus) MarshalJSON

func (this *CertificateRequestStatus) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for CertificateRequestStatus

func (*CertificateRequestStatus) ProtoMessage

func (*CertificateRequestStatus) ProtoMessage()

func (*CertificateRequestStatus) ProtoReflect

func (x *CertificateRequestStatus) ProtoReflect() protoreflect.Message

func (*CertificateRequestStatus) Reset

func (x *CertificateRequestStatus) Reset()

func (*CertificateRequestStatus) String

func (x *CertificateRequestStatus) String() string

func (*CertificateRequestStatus) UnmarshalJSON

func (this *CertificateRequestStatus) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for CertificateRequestStatus

type CertificateRequestStatusWriter

// CertificateRequestStatusWriter knows how to update the status subresource of a
// CertificateRequest object. Because status is a subresource, write access to it can be
// granted independently of write access to the object itself, which is presumably how the
// issuer is scoped to only filling in status — verify against the deployed RBAC.
type CertificateRequestStatusWriter interface {
	// UpdateCertificateRequestStatus updates the fields corresponding to the status
	// subresource for the given CertificateRequest object.
	UpdateCertificateRequestStatus(ctx context.Context, obj *CertificateRequest, opts ...client.UpdateOption) error

	// PatchCertificateRequestStatus patches the given CertificateRequest object's status subresource.
	PatchCertificateRequestStatus(ctx context.Context, obj *CertificateRequest, patch client.Patch, opts ...client.PatchOption) error
}

StatusWriter knows how to update status subresource of a CertificateRequest object.

type CertificateRequestStatus_State

// CertificateRequestStatus_State enumerates the possible states in which a
// CertificateRequest can exist.
type CertificateRequestStatus_State int32

// The numeric values are the proto wire values of the enum and must not be reordered;
// iota reproduces the generated numbering 0, 1, 2.
const (
	// PENDING: the CertificateRequest has yet to be picked up by the issuer.
	CertificateRequestStatus_PENDING CertificateRequestStatus_State = iota
	// FINISHED: the issuer has replied to the request and the `signedCertificate` and
	// `signingRootCa` status fields will be populated.
	CertificateRequestStatus_FINISHED
	// FAILED: processing the certificate workflow failed.
	CertificateRequestStatus_FAILED
)

func (CertificateRequestStatus_State) Descriptor

func (CertificateRequestStatus_State) Enum

func (CertificateRequestStatus_State) EnumDescriptor deprecated

func (CertificateRequestStatus_State) EnumDescriptor() ([]byte, []int)

Deprecated: Use CertificateRequestStatus_State.Descriptor instead.

func (CertificateRequestStatus_State) Number

func (CertificateRequestStatus_State) String

func (CertificateRequestStatus_State) Type

type CertificateRequestTransitionFunction

// CertificateRequestTransitionFunction instructs the CertificateRequestWriter how to
// transition between an existing CertificateRequest object and a desired one on an Upsert.
// A non-nil error presumably aborts the upsert — confirm against the writer implementation.
type CertificateRequestTransitionFunction func(existing, desired *CertificateRequest) error

CertificateRequestTransitionFunction instructs the CertificateRequestWriter how to transition between an existing CertificateRequest object and a desired one on an Upsert.

type CertificateRequestWriter

// CertificateRequestWriter knows how to create, delete, and update CertificateRequests.
type CertificateRequestWriter interface {
	// CreateCertificateRequest saves the CertificateRequest object.
	CreateCertificateRequest(ctx context.Context, obj *CertificateRequest, opts ...client.CreateOption) error

	// DeleteCertificateRequest deletes the CertificateRequest identified by key.
	DeleteCertificateRequest(ctx context.Context, key client.ObjectKey, opts ...client.DeleteOption) error

	// UpdateCertificateRequest updates the given CertificateRequest object.
	UpdateCertificateRequest(ctx context.Context, obj *CertificateRequest, opts ...client.UpdateOption) error

	// PatchCertificateRequest patches the given CertificateRequest object.
	PatchCertificateRequest(ctx context.Context, obj *CertificateRequest, patch client.Patch, opts ...client.PatchOption) error

	// DeleteAllOfCertificateRequest deletes all CertificateRequest objects matching the given options.
	// This is a bulk-destructive call; callers should scope it with options rather than
	// relying on a default selection.
	DeleteAllOfCertificateRequest(ctx context.Context, opts ...client.DeleteAllOfOption) error

	// UpsertCertificateRequest creates the CertificateRequest object or updates the existing one,
	// applying transitionFuncs to merge the existing object into the desired one.
	UpsertCertificateRequest(ctx context.Context, obj *CertificateRequest, transitionFuncs ...CertificateRequestTransitionFunction) error
}

Writer knows how to create, delete, and update CertificateRequests.

type CertificateRotationCondition added in v1.1.0

// CertificateRotationCondition represents a timestamped snapshot of the certificate
// rotation workflow. It is used to keep track of the steps which have been completed so far.
type CertificateRotationCondition struct {

	// The time at which this condition was recorded. Stored as a free-form string;
	// the format is not specified here (NOTE(review): presumably RFC 3339 — confirm
	// before parsing or comparing conditions by time).
	Timestamp string `protobuf:"bytes,1,opt,name=timestamp,proto3" json:"timestamp,omitempty"`
	// The state of the cert rotation at the time this condition was recorded.
	State CertificateRotationState `protobuf:"varint,2,opt,name=state,proto3,enum=certificates.mesh.gloo.solo.io.CertificateRotationState" json:"state,omitempty"`
	// A human readable message related to the current condition.
	Message string `protobuf:"bytes,3,opt,name=message,proto3" json:"message,omitempty"`
	// Any errors which occurred during the current rotation stage.
	Errors []string `protobuf:"bytes,4,rep,name=errors,proto3" json:"errors,omitempty"`
	// contains filtered or unexported fields
}

CertificateRotationCondition represents a timestamped snapshot of the certificate rotation workflow. This is used to keep track of the steps which have been completed thus far.

func (*CertificateRotationCondition) Descriptor deprecated added in v1.1.0

func (*CertificateRotationCondition) Descriptor() ([]byte, []int)

Deprecated: Use CertificateRotationCondition.ProtoReflect.Descriptor instead.

func (*CertificateRotationCondition) Equal added in v1.1.0

func (m *CertificateRotationCondition) Equal(that interface{}) bool

Equal function

func (*CertificateRotationCondition) GetErrors added in v1.1.0

func (x *CertificateRotationCondition) GetErrors() []string

func (*CertificateRotationCondition) GetMessage added in v1.1.0

func (x *CertificateRotationCondition) GetMessage() string

func (*CertificateRotationCondition) GetState added in v1.1.0

func (*CertificateRotationCondition) GetTimestamp added in v1.1.0

func (x *CertificateRotationCondition) GetTimestamp() string

func (*CertificateRotationCondition) ProtoMessage added in v1.1.0

func (*CertificateRotationCondition) ProtoMessage()

func (*CertificateRotationCondition) ProtoReflect added in v1.1.0

func (*CertificateRotationCondition) Reset added in v1.1.0

func (x *CertificateRotationCondition) Reset()

func (*CertificateRotationCondition) String added in v1.1.0

type CertificateRotationState added in v1.1.0

// CertificateRotationState is the state of a certificate rotation: the possible states
// in which a CertificateRotation can exist.
type CertificateRotationState int32

// The numeric values are the proto wire values of the enum and must not be reordered;
// iota reproduces the generated numbering 0 through 9.
const (
	// NOT_ROTATING: no certificate rotation is currently happening.
	CertificateRotationState_NOT_ROTATING CertificateRotationState = iota
	// PREVIOUS_CA: signing the certificate using the previously applied CA. This step is
	// mostly used when ADDING_NEW_ROOT fails and the rotation has to be rolled back
	// (see ROLLING_BACK).
	CertificateRotationState_PREVIOUS_CA
	// ADDING_NEW_ROOT: the rotation is underway, both roots are set, and the new root is
	// being propagated.
	CertificateRotationState_ADDING_NEW_ROOT
	// PROPAGATING_NEW_INTERMEDIATE: the rotation is underway again. The initial
	// verification is over and traffic continues to work with both roots present. Now the
	// old root is being removed, and the new root is being propagated alone to the
	// data-plane clusters.
	CertificateRotationState_PROPAGATING_NEW_INTERMEDIATE
	// DELETING_OLD_ROOT: the rotation is underway again; removing the old root from all
	// data-plane clusters.
	CertificateRotationState_DELETING_OLD_ROOT
	// VERIFYING: verifying connectivity between workloads. The workflow will not progress
	// until connectivity has been verified; this can either be manual or, in the future,
	// automated.
	CertificateRotationState_VERIFYING
	// VERIFIED: the connectivity has been verified.
	CertificateRotationState_VERIFIED
	// ROLLING_BACK: the connectivity has been deemed to not be functioning properly;
	// rolling back to the last known good state.
	CertificateRotationState_ROLLING_BACK
	// FINISHED: the rotation has finished, the new root has been propagated to all
	// data-plane clusters, and traffic has been verified successfully.
	CertificateRotationState_FINISHED
	// FAILED: processing the certificate rotation workflow failed.
	CertificateRotationState_FAILED
)

func (CertificateRotationState) Descriptor added in v1.1.0

func (CertificateRotationState) Enum added in v1.1.0

func (CertificateRotationState) EnumDescriptor deprecated added in v1.1.0

func (CertificateRotationState) EnumDescriptor() ([]byte, []int)

Deprecated: Use CertificateRotationState.Descriptor instead.

func (CertificateRotationState) Number added in v1.1.0

func (CertificateRotationState) String added in v1.1.0

func (x CertificateRotationState) String() string

func (CertificateRotationState) Type added in v1.1.0

type CertificateRotationStrategy added in v1.1.0

// CertificateRotationStrategy selects how a root-of-trust rotation is carried out.
type CertificateRotationStrategy int32

// The numeric values are the proto wire values of the enum and must not be reordered;
// iota reproduces the generated numbering 0, 1.
const (
	// MULTI_ROOT is the default certificate rotation strategy. It involves three steps
	// which ensure that traffic in the mesh will experience no downtime. For an in-depth
	// explanation of how this strategy works in Istio see the following blog:
	// https://blog.christianposta.com/diving-into-istio-1-6-certificate-rotation/
	//
	// The steps are as follows:
	//  1. ADDING_NEW_ROOT — the new root-cert is appended to the old root-cert and then
	//     distributed. The intermediate continues to be signed by the original root.
	//  2. PROPAGATING_NEW_INTERMEDIATE — both root-certs are still distributed; in
	//     addition the intermediate is now signed by the new root key.
	//  3. DELETING_OLD_ROOT — the old root is no longer included, and the intermediate
	//     continues to be signed by the new root key.
	CertificateRotationStrategy_MULTI_ROOT CertificateRotationStrategy = iota
	// NONE: do not use any rotation strategy.
	// NOTE: this can lead to downtime while workloads transition from one root of trust
	// to another, because there is no window in which both roots are trusted.
	CertificateRotationStrategy_NONE
)

func (CertificateRotationStrategy) Descriptor added in v1.1.0

func (CertificateRotationStrategy) Enum added in v1.1.0

func (CertificateRotationStrategy) EnumDescriptor deprecated added in v1.1.0

func (CertificateRotationStrategy) EnumDescriptor() ([]byte, []int)

Deprecated: Use CertificateRotationStrategy.Descriptor instead.

func (CertificateRotationStrategy) Number added in v1.1.0

func (CertificateRotationStrategy) String added in v1.1.0

func (CertificateRotationStrategy) Type added in v1.1.0

type CertificateRotationVerificationMethod added in v1.1.0

// CertificateRotationVerificationMethod selects how connectivity is verified while a
// rotation is in the VERIFYING state: either not at all (None) or by an operator (Manual).
type CertificateRotationVerificationMethod struct {

	// Method is a proto oneof; exactly one of the wrapper types below is set.
	//
	// Types that are assignable to Method:
	//	*CertificateRotationVerificationMethod_None
	//	*CertificateRotationVerificationMethod_Manual
	Method isCertificateRotationVerificationMethod_Method `protobuf_oneof:"method"`
	// contains filtered or unexported fields
}

func (*CertificateRotationVerificationMethod) Descriptor deprecated added in v1.1.0

func (*CertificateRotationVerificationMethod) Descriptor() ([]byte, []int)

Deprecated: Use CertificateRotationVerificationMethod.ProtoReflect.Descriptor instead.

func (*CertificateRotationVerificationMethod) Equal added in v1.1.0

func (m *CertificateRotationVerificationMethod) Equal(that interface{}) bool

Equal function

func (*CertificateRotationVerificationMethod) GetManual added in v1.1.0

func (*CertificateRotationVerificationMethod) GetMethod added in v1.1.0

func (m *CertificateRotationVerificationMethod) GetMethod() isCertificateRotationVerificationMethod_Method

func (*CertificateRotationVerificationMethod) GetNone added in v1.1.0

func (*CertificateRotationVerificationMethod) ProtoMessage added in v1.1.0

func (*CertificateRotationVerificationMethod) ProtoMessage()

func (*CertificateRotationVerificationMethod) ProtoReflect added in v1.1.0

func (*CertificateRotationVerificationMethod) Reset added in v1.1.0

func (*CertificateRotationVerificationMethod) String added in v1.1.0

type CertificateRotationVerificationMethod_Manual added in v1.1.0

// CertificateRotationVerificationMethod_Manual is the oneof wrapper selecting manual verification.
type CertificateRotationVerificationMethod_Manual struct {
	// Verification must be completed manually. This involves using the certificate
	// verification endpoint while the certificates are in a VERIFYING state; the rotation
	// does not advance past VERIFYING until that happens.
	Manual *empty.Empty `protobuf:"bytes,2,opt,name=manual,proto3,oneof"`
}

type CertificateRotationVerificationMethod_None added in v1.1.0

// CertificateRotationVerificationMethod_None is the oneof wrapper that disables verification.
type CertificateRotationVerificationMethod_None struct {
	// Verification not enabled. NOTE: this setting is only recommended for testing.
	// When set, rotation continues from step to step without any kind of verification,
	// so a rotation that has broken connectivity would presumably still proceed to
	// DELETING_OLD_ROOT instead of rolling back — avoid in production.
	None *empty.Empty `protobuf:"bytes,1,opt,name=none,proto3,oneof"`
}

type Clientset

// Clientset is the clientset for the certificates.mesh.gloo.solo.io/v1 APIs.
type Clientset interface {
	// IssuedCertificates returns the client for the certificates.mesh.gloo.solo.io/v1 IssuedCertificate API.
	IssuedCertificates() IssuedCertificateClient
	// CertificateRequests returns the client for the certificates.mesh.gloo.solo.io/v1 CertificateRequest API.
	CertificateRequests() CertificateRequestClient
	// PodBounceDirectives returns the client for the certificates.mesh.gloo.solo.io/v1 PodBounceDirective API.
	PodBounceDirectives() PodBounceDirectiveClient
}

Clientset for the certificates.mesh.gloo.solo.io/v1 APIs.

func NewClientset

func NewClientset(client client.Client) Clientset

func NewClientsetFromConfig

func NewClientsetFromConfig(cfg *rest.Config) (Clientset, error)

type CommonCertOptions added in v1.1.0

// CommonCertOptions configures generation of a self-signed root certificate (X.509,
// RFC 5280); per IssuedCertificateSpec.CertOptions the same options are also applied to
// the generated intermediate.
type CommonCertOptions struct {

	// Number of days before the root cert expires. Defaults to 365.
	TtlDays uint32 `protobuf:"varint,1,opt,name=ttl_days,json=ttlDays,proto3" json:"ttl_days,omitempty"`
	// Size of the root cert's RSA private key. Defaults to 4096.
	//
	// NOTE(review): despite the field name, the documented default of 4096 is the
	// conventional RSA *bit* length (RSA-4096); 4096 bytes would be a 32768-bit key.
	// Confirm the unit against the key generator before setting this: a caller who reads
	// "bytes" literally and passes 256 or 512 would get a dangerously short key if the
	// value is in fact consumed as bits.
	RsaKeySizeBytes uint32 `protobuf:"varint,2,opt,name=rsa_key_size_bytes,json=rsaKeySizeBytes,proto3" json:"rsa_key_size_bytes,omitempty"`
	// Root cert organization name. Defaults to "gloo-mesh".
	OrgName string `protobuf:"bytes,3,opt,name=org_name,json=orgName,proto3" json:"org_name,omitempty"`
	// The fraction of the cert lifetime remaining at which the cert is refreshed. For
	// example, at 0.10 and a 1 hour TTL, the cert is refreshed 6 minutes before expiration.
	SecretRotationGracePeriodRatio float32 `` /* 159-byte string literal not displayed */
	// contains filtered or unexported fields
}

Configuration for generating a self-signed root certificate. Uses the X.509 format, RFC5280.

func (*CommonCertOptions) Descriptor deprecated added in v1.1.0

func (*CommonCertOptions) Descriptor() ([]byte, []int)

Deprecated: Use CommonCertOptions.ProtoReflect.Descriptor instead.

func (*CommonCertOptions) Equal added in v1.1.0

func (m *CommonCertOptions) Equal(that interface{}) bool

Equal function

func (*CommonCertOptions) GetOrgName added in v1.1.0

func (x *CommonCertOptions) GetOrgName() string

func (*CommonCertOptions) GetRsaKeySizeBytes added in v1.1.0

func (x *CommonCertOptions) GetRsaKeySizeBytes() uint32

func (*CommonCertOptions) GetSecretRotationGracePeriodRatio added in v1.1.0

func (x *CommonCertOptions) GetSecretRotationGracePeriodRatio() float32

func (*CommonCertOptions) GetTtlDays added in v1.1.0

func (x *CommonCertOptions) GetTtlDays() uint32

func (*CommonCertOptions) ProtoMessage added in v1.1.0

func (*CommonCertOptions) ProtoMessage()

func (*CommonCertOptions) ProtoReflect added in v1.1.0

func (x *CommonCertOptions) ProtoReflect() protoreflect.Message

func (*CommonCertOptions) Reset added in v1.1.0

func (x *CommonCertOptions) Reset()

func (*CommonCertOptions) String added in v1.1.0

func (x *CommonCertOptions) String() string

type IntermediateCertificateAuthority added in v1.1.0

// IntermediateCertificateAuthority specifies where the intermediate CA used for a
// VirtualMesh comes from. Only a Vault source is defined on this page.
type IntermediateCertificateAuthority struct {

	// Specify the source of the CA data which Gloo Mesh will use for the VirtualMesh.
	// (The original comment says "Root CA data"; given the type name and the Vault
	// wrapper's own comment this is presumably the intermediate CA — confirm.)
	//
	// Types that are assignable to CaSource:
	//	*IntermediateCertificateAuthority_Vault
	CaSource isIntermediateCertificateAuthority_CaSource `protobuf_oneof:"ca_source"`
	// contains filtered or unexported fields
}

Specify parameters for configuring the intermediate certificate authority for a VirtualMesh (the only source defined here is Vault; see IntermediateCertificateAuthority_Vault).

func (*IntermediateCertificateAuthority) Descriptor deprecated added in v1.1.0

func (*IntermediateCertificateAuthority) Descriptor() ([]byte, []int)

Deprecated: Use IntermediateCertificateAuthority.ProtoReflect.Descriptor instead.

func (*IntermediateCertificateAuthority) Equal added in v1.1.0

func (m *IntermediateCertificateAuthority) Equal(that interface{}) bool

Equal function

func (*IntermediateCertificateAuthority) GetCaSource added in v1.1.0

func (m *IntermediateCertificateAuthority) GetCaSource() isIntermediateCertificateAuthority_CaSource

func (*IntermediateCertificateAuthority) GetVault added in v1.1.0

func (*IntermediateCertificateAuthority) ProtoMessage added in v1.1.0

func (*IntermediateCertificateAuthority) ProtoMessage()

func (*IntermediateCertificateAuthority) ProtoReflect added in v1.1.0

func (*IntermediateCertificateAuthority) Reset added in v1.1.0

func (*IntermediateCertificateAuthority) String added in v1.1.0

type IntermediateCertificateAuthority_Vault added in v1.1.0

// IntermediateCertificateAuthority_Vault is the oneof wrapper selecting Vault as the CA source.
type IntermediateCertificateAuthority_Vault struct {
	// Use Vault as the intermediate CA source; see VaultCA for the connection settings.
	Vault *VaultCA `protobuf:"bytes,1,opt,name=vault,proto3,oneof"`
}

type IssuedCertificate

// IssuedCertificate is the Schema for the issuedCertificate API.
//
// Per the package docs it is created on the managed cluster by the certificate issuer;
// the local agent reacts to it by producing a CSR (see CertificateRequest).
type IssuedCertificate struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec describes the certificate to issue (identities, CA, options).
	Spec   IssuedCertificateSpec   `json:"spec,omitempty"`
	// Status tracks the issuance workflow (see IssuedCertificateStatus_State).
	Status IssuedCertificateStatus `json:"status,omitempty"`
}

IssuedCertificate is the Schema for the issuedCertificate API

func (*IssuedCertificate) DeepCopy

func (in *IssuedCertificate) DeepCopy() *IssuedCertificate

func (*IssuedCertificate) DeepCopyInto

func (in *IssuedCertificate) DeepCopyInto(out *IssuedCertificate)

func (*IssuedCertificate) DeepCopyObject

func (in *IssuedCertificate) DeepCopyObject() runtime.Object

func (IssuedCertificate) GVK

GVK returns the GroupVersionKind associated with the resource type.

type IssuedCertificateClient

Client knows how to perform CRUD operations on IssuedCertificates.

type IssuedCertificateList

// IssuedCertificateList contains a list of IssuedCertificate, as returned by
// IssuedCertificateReader.ListIssuedCertificate.
type IssuedCertificateList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the listed objects; `items` is always emitted (no omitempty).
	Items           []IssuedCertificate `json:"items"`
}

IssuedCertificateList contains a list of IssuedCertificate

func (*IssuedCertificateList) DeepCopy

func (*IssuedCertificateList) DeepCopyInto

func (in *IssuedCertificateList) DeepCopyInto(out *IssuedCertificateList)

func (*IssuedCertificateList) DeepCopyObject

func (in *IssuedCertificateList) DeepCopyObject() runtime.Object

type IssuedCertificateReader

// IssuedCertificateReader knows how to read and list IssuedCertificates.
type IssuedCertificateReader interface {
	// GetIssuedCertificate retrieves the IssuedCertificate identified by key (namespace/name).
	GetIssuedCertificate(ctx context.Context, key client.ObjectKey) (*IssuedCertificate, error)

	// ListIssuedCertificate retrieves the IssuedCertificates matching the given list options.
	// There is no explicit namespace parameter; the namespace is presumably narrowed through
	// opts (e.g. client.InNamespace) — confirm against the implementation.
	ListIssuedCertificate(ctx context.Context, opts ...client.ListOption) (*IssuedCertificateList, error)
}

Reader knows how to read and list IssuedCertificates.

type IssuedCertificateSlice

// IssuedCertificateSlice represents a slice of *IssuedCertificate.
type IssuedCertificateSlice []*IssuedCertificate

IssuedCertificateSlice represents a slice of *IssuedCertificate

type IssuedCertificateSpec

// IssuedCertificateSpec describes a certificate to be issued to a managed cluster by the
// central certificate authority: the identities it asserts, which CA signs it, where the
// result is stored, and which pods must be bounced afterwards.
//
// NOTE(review): the identities in `hosts` are taken from this spec, so anyone who can
// create or update IssuedCertificates in the managed cluster can presumably obtain a
// certificate for whichever SPIFFE IDs / hostnames they list. Treat write access to this
// resource as equivalent to CA access and scope it accordingly — confirm whether the
// issuer applies any additional policy.
type IssuedCertificateSpec struct {

	// A list of hostnames and IPs to generate a certificate for (the certificate's
	// subject alternative names). This can also be set to the identity running the
	// workload, e.g. a Kubernetes service account.
	//
	// Generally for an Istio CA this will take the form
	// `spiffe://cluster.local/ns/istio-system/sa/citadel`, where "cluster.local" may be
	// replaced by the root of trust domain for the mesh.
	Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
	// Deprecated: use `common_cert_options.org_name` instead.
	Org string `protobuf:"bytes,2,opt,name=org,proto3" json:"org,omitempty"`
	// Deprecated: use `gloo_mesh_ca.signing_certificate_secret` instead.
	//
	// The secret containing the root certificate used to sign this IssuedCertificate
	// (located in the certificate issuer's cluster).
	SigningCertificateSecret *v1.ObjectRef `` /* 135-byte string literal not displayed */
	// The secret in the Gloo Mesh agent's cluster that will receive the certificate generated
	// for this IssuedCertificate. If nil, the sidecar agent keeps the signing certificate in
	// memory only (Enterprise only). When set, the material is persisted as a Kubernetes
	// Secret and is therefore only as protected as that cluster's Secret RBAC and etcd
	// encryption.
	IssuedCertificateSecret *v1.ObjectRef `` /* 132-byte string literal not displayed */
	// A reference to a PodBounceDirective specifying a list of Kubernetes pods to bounce
	// (delete and cause a restart) when the certificate is issued. Note that this is a
	// destructive side effect driven by a reference in the spec.
	//
	// Istio-controlled pods require restarting in order for Envoy proxies to pick up the newly issued certificate
	// due to [this issue](https://github.com/istio/istio/issues/22993).
	//
	// This will include the control plane pods as well as any Pods
	// which share a data plane with the target mesh.
	PodBounceDirective *v1.ObjectRef `protobuf:"bytes,5,opt,name=pod_bounce_directive,json=podBounceDirective,proto3" json:"pod_bounce_directive,omitempty"`
	// Set of options (TTL, RSA key size, org, refresh ratio) used when generating the
	// intermediate certificate.
	CertOptions *CommonCertOptions `protobuf:"bytes,6,opt,name=cert_options,json=certOptions,proto3" json:"cert_options,omitempty"`
	// The certificate authority that signs this certificate. This is a proto oneof; exactly
	// one of the wrapper types below is set.
	//
	// Types that are assignable to CertificateAuthority:
	//	*IssuedCertificateSpec_GlooMeshCa
	//	*IssuedCertificateSpec_AgentCa
	CertificateAuthority isIssuedCertificateSpec_CertificateAuthority `protobuf_oneof:"certificate_authority"`
	// The current state of rotation. This value signals to the cert issuer how to construct
	// the intermediate certs which the data-plane clusters receive (see
	// CertificateRotationState and CertificateRotationStrategy for the step semantics).
	RotationState CertificateRotationState `` /* 162-byte string literal not displayed */
	// contains filtered or unexported fields
}

IssuedCertificates are used to issue SSL certificates to remote Kubernetes clusters from a central (out-of-cluster) Certificate Authority.

When an IssuedCertificate is created, a certificate is issued to a remote cluster by a central Certificate Authority via the following workflow:

1. The Certificate Issuer creates the IssuedCertificate resource on the remote cluster.
2. The Certificate Signature Requesting Agent installed on the remote cluster generates a Certificate Signing Request and writes it to the status of the IssuedCertificate (the CSR itself is carried by a CertificateRequest; see CertificateRequestSpec).
3. Finally, the Certificate Issuer signs a certificate for the CSR and writes it back as a Kubernetes Secret in the remote cluster.

Trust can therefore be established across clusters without requiring private keys to ever leave the managed cluster in which they were generated. Note that when `issuedCertificateSecret` is set, the resulting material is persisted as a Kubernetes Secret in that cluster, so it is only as protected as that cluster's Secret RBAC and etcd encryption settings.

func (*IssuedCertificateSpec) DeepCopyInto

func (in *IssuedCertificateSpec) DeepCopyInto(out *IssuedCertificateSpec)

DeepCopyInto for the IssuedCertificate.Spec

func (*IssuedCertificateSpec) Descriptor deprecated

func (*IssuedCertificateSpec) Descriptor() ([]byte, []int)

Deprecated: Use IssuedCertificateSpec.ProtoReflect.Descriptor instead.

func (*IssuedCertificateSpec) Equal

func (m *IssuedCertificateSpec) Equal(that interface{}) bool

Equal function

func (*IssuedCertificateSpec) GetAgentCa added in v1.1.0

func (*IssuedCertificateSpec) GetCertOptions added in v1.1.0

func (x *IssuedCertificateSpec) GetCertOptions() *CommonCertOptions

func (*IssuedCertificateSpec) GetCertificateAuthority added in v1.1.0

func (m *IssuedCertificateSpec) GetCertificateAuthority() isIssuedCertificateSpec_CertificateAuthority

func (*IssuedCertificateSpec) GetGlooMeshCa added in v1.1.0

func (x *IssuedCertificateSpec) GetGlooMeshCa() *RootCertificateAuthority

func (*IssuedCertificateSpec) GetHosts

func (x *IssuedCertificateSpec) GetHosts() []string

func (*IssuedCertificateSpec) GetIssuedCertificateSecret

func (x *IssuedCertificateSpec) GetIssuedCertificateSecret() *v1.ObjectRef

func (*IssuedCertificateSpec) GetOrg

func (x *IssuedCertificateSpec) GetOrg() string

func (*IssuedCertificateSpec) GetPodBounceDirective

func (x *IssuedCertificateSpec) GetPodBounceDirective() *v1.ObjectRef

func (*IssuedCertificateSpec) GetRotationState added in v1.1.0

func (x *IssuedCertificateSpec) GetRotationState() CertificateRotationState

func (*IssuedCertificateSpec) GetSigningCertificateSecret

func (x *IssuedCertificateSpec) GetSigningCertificateSecret() *v1.ObjectRef

func (*IssuedCertificateSpec) MarshalJSON

func (this *IssuedCertificateSpec) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for IssuedCertificateSpec

func (*IssuedCertificateSpec) ProtoMessage

func (*IssuedCertificateSpec) ProtoMessage()

func (*IssuedCertificateSpec) ProtoReflect

func (x *IssuedCertificateSpec) ProtoReflect() protoreflect.Message

func (*IssuedCertificateSpec) Reset

func (x *IssuedCertificateSpec) Reset()

func (*IssuedCertificateSpec) String

func (x *IssuedCertificateSpec) String() string

func (*IssuedCertificateSpec) UnmarshalJSON

func (this *IssuedCertificateSpec) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for IssuedCertificateSpec

type IssuedCertificateSpec_AgentCa added in v1.1.0

// IssuedCertificateSpec_AgentCa is the IssuedCertificateSpec.CertificateAuthority
// oneof alternative that signs the certificate with an agent-side intermediate CA.
type IssuedCertificateSpec_AgentCa struct {
	// Agent CA options: the IntermediateCertificateAuthority used to sign this
	// certificate when this alternative is selected (see also GlooMeshCa).
	AgentCa *IntermediateCertificateAuthority `protobuf:"bytes,8,opt,name=agent_ca,json=agentCa,proto3,oneof"`
}

type IssuedCertificateSpec_GlooMeshCa added in v1.1.0

// IssuedCertificateSpec_GlooMeshCa is the IssuedCertificateSpec.CertificateAuthority
// oneof alternative that signs the certificate with a root CA held by the Gloo Mesh
// management cluster.
type IssuedCertificateSpec_GlooMeshCa struct {
	// Gloo Mesh CA options: the RootCertificateAuthority the management cluster
	// uses to sign the intermediate certificate (see also AgentCa).
	GlooMeshCa *RootCertificateAuthority `protobuf:"bytes,7,opt,name=gloo_mesh_ca,json=glooMeshCa,proto3,oneof"`
}

type IssuedCertificateStatus

// IssuedCertificateStatus is written by the CertificateRequesting agent in the
// remote cluster as it works through the IssuedCertificate workflow.
type IssuedCertificateStatus struct {

	// The most recent generation observed in the IssuedCertificate metadata.
	// If the `observedGeneration` does not match `metadata.generation`, the Gloo Mesh agent has not processed the most
	// recent version of this IssuedCertificate.
	ObservedGeneration int64 `protobuf:"varint,1,opt,name=observed_generation,json=observedGeneration,proto3" json:"observed_generation,omitempty"`
	// Any error observed which prevented the CertificateRequest from being processed.
	// If the error is empty, the request has been processed successfully.
	Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"`
	// The current state of the IssuedCertificate workflow, reported by the agent.
	// See the IssuedCertificateStatus_State constants for the possible values.
	State IssuedCertificateStatus_State `` /* 130-byte string literal not displayed */
	// The certificate authority recorded for this certificate. Mirrors
	// IssuedCertificateSpec.CertificateAuthority; presumably the CA the agent
	// actually applied rather than the one requested — confirm against the agent.
	//
	// Types that are assignable to AppliedCertificateAuthority:
	//	*IssuedCertificateStatus_AppliedGlooMeshCa
	//	*IssuedCertificateStatus_AppliedAgentCa
	AppliedCertificateAuthority isIssuedCertificateStatus_AppliedCertificateAuthority `protobuf_oneof:"applied_certificate_authority"`
	// The rotation state as recorded by the issued cert agent. This is read by the networking
	// reconciler to ensure it is looking at the correct iteration of the object
	// (compare with IssuedCertificateSpec.RotationState).
	ObservedRotationState CertificateRotationState `` /* 188-byte string literal not displayed */
	// contains filtered or unexported fields
}

The IssuedCertificate status is written by the CertificateRequesting agent.

func (*IssuedCertificateStatus) DeepCopyInto

func (in *IssuedCertificateStatus) DeepCopyInto(out *IssuedCertificateStatus)

DeepCopyInto for the IssuedCertificate.Status

func (*IssuedCertificateStatus) Descriptor deprecated

func (*IssuedCertificateStatus) Descriptor() ([]byte, []int)

Deprecated: Use IssuedCertificateStatus.ProtoReflect.Descriptor instead.

func (*IssuedCertificateStatus) Equal

func (m *IssuedCertificateStatus) Equal(that interface{}) bool

Equal function

func (*IssuedCertificateStatus) GetAppliedAgentCa added in v1.1.0

func (*IssuedCertificateStatus) GetAppliedCertificateAuthority added in v1.1.0

func (m *IssuedCertificateStatus) GetAppliedCertificateAuthority() isIssuedCertificateStatus_AppliedCertificateAuthority

func (*IssuedCertificateStatus) GetAppliedGlooMeshCa added in v1.1.0

func (x *IssuedCertificateStatus) GetAppliedGlooMeshCa() *RootCertificateAuthority

func (*IssuedCertificateStatus) GetError

func (x *IssuedCertificateStatus) GetError() string

func (*IssuedCertificateStatus) GetObservedGeneration

func (x *IssuedCertificateStatus) GetObservedGeneration() int64

func (*IssuedCertificateStatus) GetObservedRotationState added in v1.1.0

func (x *IssuedCertificateStatus) GetObservedRotationState() CertificateRotationState

func (*IssuedCertificateStatus) GetState

func (*IssuedCertificateStatus) MarshalJSON

func (this *IssuedCertificateStatus) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for IssuedCertificateStatus

func (*IssuedCertificateStatus) ProtoMessage

func (*IssuedCertificateStatus) ProtoMessage()

func (*IssuedCertificateStatus) ProtoReflect

func (x *IssuedCertificateStatus) ProtoReflect() protoreflect.Message

func (*IssuedCertificateStatus) Reset

func (x *IssuedCertificateStatus) Reset()

func (*IssuedCertificateStatus) String

func (x *IssuedCertificateStatus) String() string

func (*IssuedCertificateStatus) UnmarshalJSON

func (this *IssuedCertificateStatus) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for IssuedCertificateStatus

type IssuedCertificateStatusWriter

// IssuedCertificateStatusWriter knows how to update the status subresource of an
// IssuedCertificate object.
type IssuedCertificateStatusWriter interface {
	// UpdateIssuedCertificateStatus updates the fields corresponding to the status
	// subresource for the given IssuedCertificate object.
	UpdateIssuedCertificateStatus(ctx context.Context, obj *IssuedCertificate, opts ...client.UpdateOption) error

	// PatchIssuedCertificateStatus patches the given IssuedCertificate object's
	// status subresource.
	PatchIssuedCertificateStatus(ctx context.Context, obj *IssuedCertificate, patch client.Patch, opts ...client.PatchOption) error
}

StatusWriter knows how to update the status subresource of an IssuedCertificate object.

type IssuedCertificateStatus_AppliedAgentCa added in v1.1.0

// IssuedCertificateStatus_AppliedAgentCa is the
// IssuedCertificateStatus.AppliedCertificateAuthority oneof alternative recording an
// agent-side intermediate CA.
type IssuedCertificateStatus_AppliedAgentCa struct {
	// Agent CA options as recorded in the status (status counterpart of
	// IssuedCertificateSpec_AgentCa.AgentCa).
	AppliedAgentCa *IntermediateCertificateAuthority `protobuf:"bytes,5,opt,name=applied_agent_ca,json=appliedAgentCa,proto3,oneof"`
}

type IssuedCertificateStatus_AppliedGlooMeshCa added in v1.1.0

// IssuedCertificateStatus_AppliedGlooMeshCa is the
// IssuedCertificateStatus.AppliedCertificateAuthority oneof alternative recording a
// Gloo Mesh management-cluster root CA.
type IssuedCertificateStatus_AppliedGlooMeshCa struct {
	// Gloo Mesh CA options as recorded in the status (status counterpart of
	// IssuedCertificateSpec_GlooMeshCa.GlooMeshCa).
	AppliedGlooMeshCa *RootCertificateAuthority `protobuf:"bytes,4,opt,name=applied_gloo_mesh_ca,json=appliedGlooMeshCa,proto3,oneof"`
}

type IssuedCertificateStatus_State

// IssuedCertificateStatus_State enumerates the states in which an IssuedCertificate
// can exist; the valid values are the IssuedCertificateStatus_* constants.
type IssuedCertificateStatus_State int32

Possible states in which an IssuedCertificate can exist.

// IssuedCertificateStatus_State values, listed in the order the workflow passes
// through them; FAILED is reported when processing fails.
const (
	// The IssuedCertificate has yet to be picked up by the agent.
	IssuedCertificateStatus_PENDING IssuedCertificateStatus_State = 0
	// The agent has created a local private key
	// and a CertificateRequest for the IssuedCertificate.
	// In this state, the agent is waiting for the Issuer
	// to issue certificates for the CertificateRequest before proceeding.
	IssuedCertificateStatus_REQUESTED IssuedCertificateStatus_State = 1
	// The certificate has been issued. Any pods that require restarting
	// (see IssuedCertificateSpec.PodBounceDirective) will be restarted at this point.
	IssuedCertificateStatus_ISSUED IssuedCertificateStatus_State = 2
	// The reply from the Issuer has been processed and
	// the agent has placed the final certificate secret
	// in the target location specified by the IssuedCertificate.
	IssuedCertificateStatus_FINISHED IssuedCertificateStatus_State = 3
	// Processing the certificate workflow failed; see IssuedCertificateStatus.Error.
	IssuedCertificateStatus_FAILED IssuedCertificateStatus_State = 4
)

func (IssuedCertificateStatus_State) Descriptor

func (IssuedCertificateStatus_State) Enum

func (IssuedCertificateStatus_State) EnumDescriptor deprecated

func (IssuedCertificateStatus_State) EnumDescriptor() ([]byte, []int)

Deprecated: Use IssuedCertificateStatus_State.Descriptor instead.

func (IssuedCertificateStatus_State) Number

func (IssuedCertificateStatus_State) String

func (IssuedCertificateStatus_State) Type

type IssuedCertificateTransitionFunction

// IssuedCertificateTransitionFunction is applied by
// IssuedCertificateWriter.UpsertIssuedCertificate to transition the existing
// IssuedCertificate object to the desired one.
type IssuedCertificateTransitionFunction func(existing, desired *IssuedCertificate) error

IssuedCertificateTransitionFunction instructs the IssuedCertificateWriter how to transition between an existing IssuedCertificate object and a desired one on an Upsert.

type IssuedCertificateWriter

// IssuedCertificateWriter knows how to create, delete, and update IssuedCertificates.
type IssuedCertificateWriter interface {
	// CreateIssuedCertificate saves the IssuedCertificate object.
	CreateIssuedCertificate(ctx context.Context, obj *IssuedCertificate, opts ...client.CreateOption) error

	// DeleteIssuedCertificate deletes the IssuedCertificate object identified by key.
	DeleteIssuedCertificate(ctx context.Context, key client.ObjectKey, opts ...client.DeleteOption) error

	// UpdateIssuedCertificate updates the given IssuedCertificate object.
	UpdateIssuedCertificate(ctx context.Context, obj *IssuedCertificate, opts ...client.UpdateOption) error

	// PatchIssuedCertificate patches the given IssuedCertificate object.
	PatchIssuedCertificate(ctx context.Context, obj *IssuedCertificate, patch client.Patch, opts ...client.PatchOption) error

	// DeleteAllOfIssuedCertificate deletes all IssuedCertificate objects matching the given options.
	DeleteAllOfIssuedCertificate(ctx context.Context, opts ...client.DeleteAllOfOption) error

	// UpsertIssuedCertificate creates or updates the IssuedCertificate object, applying
	// each IssuedCertificateTransitionFunction to the existing and desired objects.
	UpsertIssuedCertificate(ctx context.Context, obj *IssuedCertificate, transitionFuncs ...IssuedCertificateTransitionFunction) error
}

Writer knows how to create, delete, and update IssuedCertificates.

type MulticlusterCertificateRequestClient

// MulticlusterCertificateRequestClient provides CertificateRequestClients for
// multiple clusters.
type MulticlusterCertificateRequestClient interface {
	// Cluster returns a CertificateRequestClient for the given cluster.
	Cluster(cluster string) (CertificateRequestClient, error)
}

Provides CertificateRequestClients for multiple clusters.

func NewMulticlusterCertificateRequestClient

func NewMulticlusterCertificateRequestClient(client multicluster.Client) MulticlusterCertificateRequestClient

type MulticlusterClientset

// MulticlusterClientset provides a Clientset for the certificates.mesh.gloo.solo.io/v1
// APIs per cluster.
type MulticlusterClientset interface {
	// Cluster returns a Clientset for the given cluster.
	Cluster(cluster string) (Clientset, error)
}

MulticlusterClientset for the certificates.mesh.gloo.solo.io/v1 APIs

func NewMulticlusterClientset

func NewMulticlusterClientset(client multicluster.Client) MulticlusterClientset

type MulticlusterIssuedCertificateClient

// MulticlusterIssuedCertificateClient provides IssuedCertificateClients for
// multiple clusters.
type MulticlusterIssuedCertificateClient interface {
	// Cluster returns an IssuedCertificateClient for the given cluster.
	Cluster(cluster string) (IssuedCertificateClient, error)
}

Provides IssuedCertificateClients for multiple clusters.

func NewMulticlusterIssuedCertificateClient

func NewMulticlusterIssuedCertificateClient(client multicluster.Client) MulticlusterIssuedCertificateClient

type MulticlusterPodBounceDirectiveClient

// MulticlusterPodBounceDirectiveClient provides PodBounceDirectiveClients for
// multiple clusters.
type MulticlusterPodBounceDirectiveClient interface {
	// Cluster returns a PodBounceDirectiveClient for the given cluster.
	Cluster(cluster string) (PodBounceDirectiveClient, error)
}

Provides PodBounceDirectiveClients for multiple clusters.

func NewMulticlusterPodBounceDirectiveClient

func NewMulticlusterPodBounceDirectiveClient(client multicluster.Client) MulticlusterPodBounceDirectiveClient

type PodBounceDirective

// PodBounceDirective is the Schema for the podBounceDirective API.
type PodBounceDirective struct {
	// Standard Kubernetes type metadata (apiVersion/kind) and object metadata.
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec selects the pods to bounce; Status records the pods that were bounced.
	Spec   PodBounceDirectiveSpec   `json:"spec,omitempty"`
	Status PodBounceDirectiveStatus `json:"status,omitempty"`
}

PodBounceDirective is the Schema for the podBounceDirective API

func (*PodBounceDirective) DeepCopy

func (in *PodBounceDirective) DeepCopy() *PodBounceDirective

func (*PodBounceDirective) DeepCopyInto

func (in *PodBounceDirective) DeepCopyInto(out *PodBounceDirective)

func (*PodBounceDirective) DeepCopyObject

func (in *PodBounceDirective) DeepCopyObject() runtime.Object

func (PodBounceDirective) GVK

GVK returns the GroupVersionKind associated with the resource type.

type PodBounceDirectiveClient

Client knows how to perform CRUD operations on PodBounceDirectives.

type PodBounceDirectiveList

// PodBounceDirectiveList contains a list of PodBounceDirective.
type PodBounceDirectiveList struct {
	// Standard Kubernetes type metadata and list metadata.
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the PodBounceDirective objects in this list.
	Items           []PodBounceDirective `json:"items"`
}

PodBounceDirectiveList contains a list of PodBounceDirective

func (*PodBounceDirectiveList) DeepCopy

func (*PodBounceDirectiveList) DeepCopyInto

func (in *PodBounceDirectiveList) DeepCopyInto(out *PodBounceDirectiveList)

func (*PodBounceDirectiveList) DeepCopyObject

func (in *PodBounceDirectiveList) DeepCopyObject() runtime.Object

type PodBounceDirectiveReader

// PodBounceDirectiveReader knows how to read and list PodBounceDirectives.
type PodBounceDirectiveReader interface {
	// GetPodBounceDirective retrieves a PodBounceDirective for the given object key.
	GetPodBounceDirective(ctx context.Context, key client.ObjectKey) (*PodBounceDirective, error)

	// ListPodBounceDirective retrieves the list of PodBounceDirectives for a given
	// namespace and list options.
	ListPodBounceDirective(ctx context.Context, opts ...client.ListOption) (*PodBounceDirectiveList, error)
}

Reader knows how to read and list PodBounceDirectives.

type PodBounceDirectiveSlice

// PodBounceDirectiveSlice represents a slice of *PodBounceDirective.
type PodBounceDirectiveSlice []*PodBounceDirective

PodBounceDirectiveSlice represents a slice of *PodBounceDirective

type PodBounceDirectiveSpec

// PodBounceDirectiveSpec lists the Istio-controlled pods that must be bounced
// (deleted and restarted) so that they pick up newly issued certificates; it is
// created by the certificate issuer.
type PodBounceDirectiveSpec struct {

	// A list of Kubernetes pods to bounce (delete and cause a restart)
	// when the certificate is issued.
	// This will include the control plane pods as well as any Pods
	// which share a data plane with the target mesh.
	// Each selector identifies pods by namespace and labels; see
	// PodBounceDirectiveSpec_PodSelector.
	PodsToBounce []*PodBounceDirectiveSpec_PodSelector `protobuf:"bytes,6,rep,name=pods_to_bounce,json=podsToBounce,proto3" json:"pods_to_bounce,omitempty"`
	// contains filtered or unexported fields
}

When certificates are issued, Istio-controlled pods need to be bounced (restarted) to ensure they pick up the new certificates due to [this issue](https://github.com/istio/istio/issues/22993). The certificate issuer will create a PodBounceDirective containing the namespaces and labels of the pods that need to be bounced in order to pick up the new certs.

func (*PodBounceDirectiveSpec) DeepCopyInto

func (in *PodBounceDirectiveSpec) DeepCopyInto(out *PodBounceDirectiveSpec)

DeepCopyInto for the PodBounceDirective.Spec

func (*PodBounceDirectiveSpec) Descriptor deprecated

func (*PodBounceDirectiveSpec) Descriptor() ([]byte, []int)

Deprecated: Use PodBounceDirectiveSpec.ProtoReflect.Descriptor instead.

func (*PodBounceDirectiveSpec) Equal

func (m *PodBounceDirectiveSpec) Equal(that interface{}) bool

Equal function

func (*PodBounceDirectiveSpec) GetPodsToBounce

func (*PodBounceDirectiveSpec) MarshalJSON

func (this *PodBounceDirectiveSpec) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for PodBounceDirectiveSpec

func (*PodBounceDirectiveSpec) ProtoMessage

func (*PodBounceDirectiveSpec) ProtoMessage()

func (*PodBounceDirectiveSpec) ProtoReflect

func (x *PodBounceDirectiveSpec) ProtoReflect() protoreflect.Message

func (*PodBounceDirectiveSpec) Reset

func (x *PodBounceDirectiveSpec) Reset()

func (*PodBounceDirectiveSpec) String

func (x *PodBounceDirectiveSpec) String() string

func (*PodBounceDirectiveSpec) UnmarshalJSON

func (this *PodBounceDirectiveSpec) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for PodBounceDirectiveSpec

type PodBounceDirectiveSpec_PodSelector

// PodBounceDirectiveSpec_PodSelector selects, by namespace and labels, a set of
// pods that will be restarted, and controls how the restart is paced.
type PodBounceDirectiveSpec_PodSelector struct {

	// The namespace in which the pods live.
	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
	// Any labels shared by the Pods.
	// NOTE(review): whether an empty Labels map selects every pod in Namespace is
	// not visible here — confirm before relying on it, since a broad selector
	// widens the set of pods that get deleted.
	Labels map[string]string `` /* 153-byte string literal not displayed */
	// Wait for this number of replacement pods to be fully ready before
	// deleting the next set of selected Pods.
	// This is used to ensure the control plane pods are allowed to restart
	// before sidecars and gateways are restarted.
	WaitForReplicas uint32 `protobuf:"varint,3,opt,name=wait_for_replicas,json=waitForReplicas,proto3" json:"wait_for_replicas,omitempty"`
	// Wait for the control plane to have synced all root cert configmaps in data plane namespaces before
	// bouncing these Pods. See PodBounceDirectiveSpec_PodSelector_RootCertSync.
	RootCertSync *PodBounceDirectiveSpec_PodSelector_RootCertSync `protobuf:"bytes,4,opt,name=root_cert_sync,json=rootCertSync,proto3" json:"root_cert_sync,omitempty"`
	// contains filtered or unexported fields
}

Selector for the pods that will be restarted.

func (*PodBounceDirectiveSpec_PodSelector) Descriptor deprecated

func (*PodBounceDirectiveSpec_PodSelector) Descriptor() ([]byte, []int)

Deprecated: Use PodBounceDirectiveSpec_PodSelector.ProtoReflect.Descriptor instead.

func (*PodBounceDirectiveSpec_PodSelector) Equal

func (m *PodBounceDirectiveSpec_PodSelector) Equal(that interface{}) bool

Equal function

func (*PodBounceDirectiveSpec_PodSelector) GetLabels

func (*PodBounceDirectiveSpec_PodSelector) GetNamespace

func (x *PodBounceDirectiveSpec_PodSelector) GetNamespace() string

func (*PodBounceDirectiveSpec_PodSelector) GetRootCertSync

func (*PodBounceDirectiveSpec_PodSelector) GetWaitForReplicas

func (x *PodBounceDirectiveSpec_PodSelector) GetWaitForReplicas() uint32

func (*PodBounceDirectiveSpec_PodSelector) ProtoMessage

func (*PodBounceDirectiveSpec_PodSelector) ProtoMessage()

func (*PodBounceDirectiveSpec_PodSelector) ProtoReflect

func (*PodBounceDirectiveSpec_PodSelector) Reset

func (*PodBounceDirectiveSpec_PodSelector) String

type PodBounceDirectiveSpec_PodSelector_RootCertSync

// PodBounceDirectiveSpec_PodSelector_RootCertSync describes a value in a Secret and
// a value in a ConfigMap which must be equal before the selected Pods are bounced;
// this gates the restart on the root cert having been propagated to the data plane.
type PodBounceDirectiveSpec_PodSelector_RootCertSync struct {
	// The Secret holding the expected root certificate, and the key within it to compare.
	SecretRef    *v1.ObjectRef `protobuf:"bytes,1,opt,name=secret_ref,json=secretRef,proto3" json:"secret_ref,omitempty"`
	SecretKey    string        `protobuf:"bytes,2,opt,name=secret_key,json=secretKey,proto3" json:"secret_key,omitempty"`
	// The ConfigMap synced into the data plane, and the key within it to compare.
	ConfigMapRef *v1.ObjectRef `protobuf:"bytes,3,opt,name=config_map_ref,json=configMapRef,proto3" json:"config_map_ref,omitempty"`
	ConfigMapKey string        `protobuf:"bytes,4,opt,name=config_map_key,json=configMapKey,proto3" json:"config_map_key,omitempty"`
	// contains filtered or unexported fields
}

RootCertSync describes values in a secret and configmap which must be equal in order for a Pod to be bounced.

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) Descriptor deprecated

Deprecated: Use PodBounceDirectiveSpec_PodSelector_RootCertSync.ProtoReflect.Descriptor instead.

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) Equal

func (m *PodBounceDirectiveSpec_PodSelector_RootCertSync) Equal(that interface{}) bool

Equal function

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) GetConfigMapKey

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) GetConfigMapRef

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) GetSecretKey

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) GetSecretRef

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) ProtoMessage

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) ProtoReflect

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) Reset

func (*PodBounceDirectiveSpec_PodSelector_RootCertSync) String

type PodBounceDirectiveStatus

// PodBounceDirectiveStatus reports the status for stateful Pod bounces (when
// bouncing pods requires waiting for readiness).
type PodBounceDirectiveStatus struct {

	// The sets of pods that have already been bounced, one
	// PodBounceDirectiveStatus_BouncedPodSet per selector — presumably index-aligned
	// with PodBounceDirectiveSpec.PodsToBounce; confirm against the agent.
	PodsBounced []*PodBounceDirectiveStatus_BouncedPodSet `protobuf:"bytes,4,rep,name=pods_bounced,json=podsBounced,proto3" json:"pods_bounced,omitempty"`
	// contains filtered or unexported fields
}

PodBounceDirectiveStatus reports the status for stateful Pod bounces (when bouncing pods requires waiting for readiness).

func (*PodBounceDirectiveStatus) DeepCopyInto

func (in *PodBounceDirectiveStatus) DeepCopyInto(out *PodBounceDirectiveStatus)

DeepCopyInto for the PodBounceDirective.Status

func (*PodBounceDirectiveStatus) Descriptor deprecated

func (*PodBounceDirectiveStatus) Descriptor() ([]byte, []int)

Deprecated: Use PodBounceDirectiveStatus.ProtoReflect.Descriptor instead.

func (*PodBounceDirectiveStatus) Equal

func (m *PodBounceDirectiveStatus) Equal(that interface{}) bool

Equal function

func (*PodBounceDirectiveStatus) GetPodsBounced

func (*PodBounceDirectiveStatus) MarshalJSON

func (this *PodBounceDirectiveStatus) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for PodBounceDirectiveStatus

func (*PodBounceDirectiveStatus) ProtoMessage

func (*PodBounceDirectiveStatus) ProtoMessage()

func (*PodBounceDirectiveStatus) ProtoReflect

func (x *PodBounceDirectiveStatus) ProtoReflect() protoreflect.Message

func (*PodBounceDirectiveStatus) Reset

func (x *PodBounceDirectiveStatus) Reset()

func (*PodBounceDirectiveStatus) String

func (x *PodBounceDirectiveStatus) String() string

func (*PodBounceDirectiveStatus) UnmarshalJSON

func (this *PodBounceDirectiveStatus) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for PodBounceDirectiveStatus

type PodBounceDirectiveStatusWriter

// PodBounceDirectiveStatusWriter knows how to update the status subresource of a
// PodBounceDirective object.
type PodBounceDirectiveStatusWriter interface {
	// UpdatePodBounceDirectiveStatus updates the fields corresponding to the status
	// subresource for the given PodBounceDirective object.
	UpdatePodBounceDirectiveStatus(ctx context.Context, obj *PodBounceDirective, opts ...client.UpdateOption) error

	// PatchPodBounceDirectiveStatus patches the given PodBounceDirective object's
	// status subresource.
	PatchPodBounceDirectiveStatus(ctx context.Context, obj *PodBounceDirective, patch client.Patch, opts ...client.PatchOption) error
}

StatusWriter knows how to update the status subresource of a PodBounceDirective object.

type PodBounceDirectiveStatus_BouncedPodSet

// PodBounceDirectiveStatus_BouncedPodSet records a set of pods that were restarted
// for one selector in PodBounceDirectiveSpec.PodsToBounce.
type PodBounceDirectiveStatus_BouncedPodSet struct {

	// The names of the pods that were bounced for the corresponding selector specified in `PodBounceDirectiveSpec.PodSelector.labels`.
	BouncedPods []string `protobuf:"bytes,1,rep,name=bounced_pods,json=bouncedPods,proto3" json:"bounced_pods,omitempty"`
	// contains filtered or unexported fields
}

A set of pods that were restarted.

func (*PodBounceDirectiveStatus_BouncedPodSet) Descriptor deprecated

func (*PodBounceDirectiveStatus_BouncedPodSet) Descriptor() ([]byte, []int)

Deprecated: Use PodBounceDirectiveStatus_BouncedPodSet.ProtoReflect.Descriptor instead.

func (*PodBounceDirectiveStatus_BouncedPodSet) Equal

func (m *PodBounceDirectiveStatus_BouncedPodSet) Equal(that interface{}) bool

Equal function

func (*PodBounceDirectiveStatus_BouncedPodSet) GetBouncedPods

func (x *PodBounceDirectiveStatus_BouncedPodSet) GetBouncedPods() []string

func (*PodBounceDirectiveStatus_BouncedPodSet) ProtoMessage

func (*PodBounceDirectiveStatus_BouncedPodSet) ProtoReflect

func (*PodBounceDirectiveStatus_BouncedPodSet) Reset

func (*PodBounceDirectiveStatus_BouncedPodSet) String

type PodBounceDirectiveTransitionFunction

// PodBounceDirectiveTransitionFunction is applied by
// PodBounceDirectiveWriter.UpsertPodBounceDirective to transition the existing
// PodBounceDirective object to the desired one.
type PodBounceDirectiveTransitionFunction func(existing, desired *PodBounceDirective) error

PodBounceDirectiveTransitionFunction instructs the PodBounceDirectiveWriter how to transition between an existing PodBounceDirective object and a desired one on an Upsert.

type PodBounceDirectiveWriter

// PodBounceDirectiveWriter knows how to create, delete, and update PodBounceDirectives.
type PodBounceDirectiveWriter interface {
	// CreatePodBounceDirective saves the PodBounceDirective object.
	CreatePodBounceDirective(ctx context.Context, obj *PodBounceDirective, opts ...client.CreateOption) error

	// DeletePodBounceDirective deletes the PodBounceDirective object identified by key.
	DeletePodBounceDirective(ctx context.Context, key client.ObjectKey, opts ...client.DeleteOption) error

	// UpdatePodBounceDirective updates the given PodBounceDirective object.
	UpdatePodBounceDirective(ctx context.Context, obj *PodBounceDirective, opts ...client.UpdateOption) error

	// PatchPodBounceDirective patches the given PodBounceDirective object.
	PatchPodBounceDirective(ctx context.Context, obj *PodBounceDirective, patch client.Patch, opts ...client.PatchOption) error

	// DeleteAllOfPodBounceDirective deletes all PodBounceDirective objects matching the given options.
	DeleteAllOfPodBounceDirective(ctx context.Context, opts ...client.DeleteAllOfOption) error

	// UpsertPodBounceDirective creates or updates the PodBounceDirective object, applying
	// each PodBounceDirectiveTransitionFunction to the existing and desired objects.
	UpsertPodBounceDirective(ctx context.Context, obj *PodBounceDirective, transitionFuncs ...PodBounceDirectiveTransitionFunction) error
}

Writer knows how to create, delete, and update PodBounceDirectives.

type RootCertificateAuthority added in v1.1.0

// RootCertificateAuthority is the set of options which represent the certificate
// authorities the management cluster can use to sign the intermediate certs.
type RootCertificateAuthority struct {

	// Certificate authority which gloo-mesh management will use to sign the intermediate cert.
	// Currently the only oneof alternative is a reference to a signing certificate Secret.
	//
	// Types that are assignable to CertificateAuthority:
	//	*RootCertificateAuthority_SigningCertificateSecret
	CertificateAuthority isRootCertificateAuthority_CertificateAuthority `protobuf_oneof:"certificate_authority"`
	// contains filtered or unexported fields
}

Set of options which represent the certificate authorities the management cluster can use to sign the intermediate certs.

func (*RootCertificateAuthority) Descriptor deprecated added in v1.1.0

func (*RootCertificateAuthority) Descriptor() ([]byte, []int)

Deprecated: Use RootCertificateAuthority.ProtoReflect.Descriptor instead.

func (*RootCertificateAuthority) Equal added in v1.1.0

func (m *RootCertificateAuthority) Equal(that interface{}) bool

Equal function

func (*RootCertificateAuthority) GetCertificateAuthority added in v1.1.0

func (m *RootCertificateAuthority) GetCertificateAuthority() isRootCertificateAuthority_CertificateAuthority

func (*RootCertificateAuthority) GetSigningCertificateSecret added in v1.1.0

func (x *RootCertificateAuthority) GetSigningCertificateSecret() *v1.ObjectRef

func (*RootCertificateAuthority) ProtoMessage added in v1.1.0

func (*RootCertificateAuthority) ProtoMessage()

func (*RootCertificateAuthority) ProtoReflect added in v1.1.0

func (x *RootCertificateAuthority) ProtoReflect() protoreflect.Message

func (*RootCertificateAuthority) Reset added in v1.1.0

func (x *RootCertificateAuthority) Reset()

func (*RootCertificateAuthority) String added in v1.1.0

func (x *RootCertificateAuthority) String() string

type RootCertificateAuthority_SigningCertificateSecret added in v1.1.0

// RootCertificateAuthority_SigningCertificateSecret is the
// RootCertificateAuthority.CertificateAuthority oneof alternative that points at a
// Kubernetes Secret holding the signing certificate.
type RootCertificateAuthority_SigningCertificateSecret struct {
	// Reference to the Secret that holds the certificate (and, presumably, the
	// private key — confirm) used by the management cluster to sign the
	// intermediate cert.
	SigningCertificateSecret *v1.ObjectRef `protobuf:"bytes,1,opt,name=signing_certificate_secret,json=signingCertificateSecret,proto3,oneof"`
}

type VaultCA added in v1.1.0

// VaultCA configures a HashiCorp Vault PKI backend as the certificate authority that
// generates and signs the intermediate certificate. AuthType is a protobuf oneof
// selecting how the client authenticates to Vault (token or Kubernetes auth).
type VaultCA struct {

	// `ca_path` is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
	// "my_pki_mount/sign/my-role-name".
	CaPath string `protobuf:"bytes,1,opt,name=ca_path,json=caPath,proto3" json:"ca_path,omitempty"`
	// `csr_path` is the mount path of the Vault PKI backend's `generate` endpoint, e.g:
	// "my_pki_mount/intermediate/generate/exported".
	// "exported" is necessary here as istio needs access to the private key.
	// See vault docs here: https://www.vaultproject.io/api-docs/secret/pki#parameters-4
	CsrPath string `protobuf:"bytes,2,opt,name=csr_path,json=csrPath,proto3" json:"csr_path,omitempty"`
	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
	// NOTE(review): with a plain http:// address the Vault token or ServiceAccount
	// token presented via AuthType, and the returned private key material, travel
	// unencrypted; use https:// and set CaBundle when the server certificate is
	// not issued by a system root.
	Server string `protobuf:"bytes,3,opt,name=server,proto3" json:"server,omitempty"`
	// PEM encoded CA bundle used to validate Vault server certificate. Only used
	// if the Server URL is using HTTPS protocol. This parameter is ignored for
	// plain HTTP protocol connection. If not set the system root certificates
	// are used to validate the TLS connection.
	CaBundle []byte `protobuf:"bytes,4,opt,name=ca_bundle,json=caBundle,proto3" json:"ca_bundle,omitempty"`
	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
	// More about namespaces can be found [here](https://www.vaultproject.io/docs/enterprise/namespaces)
	Namespace string `protobuf:"bytes,5,opt,name=namespace,proto3" json:"namespace,omitempty"`
	// How the client authenticates to Vault.
	//
	// Types that are assignable to AuthType:
	//	*VaultCA_TokenSecretRef
	//	*VaultCA_KubernetesAuth
	AuthType isVaultCA_AuthType `protobuf_oneof:"auth_type"`
	// contains filtered or unexported fields
}

func (*VaultCA) Descriptor deprecated added in v1.1.0

func (*VaultCA) Descriptor() ([]byte, []int)

Deprecated: Use VaultCA.ProtoReflect.Descriptor instead.

func (*VaultCA) Equal added in v1.1.0

func (m *VaultCA) Equal(that interface{}) bool

Equal function

func (*VaultCA) GetAuthType added in v1.1.0

func (m *VaultCA) GetAuthType() isVaultCA_AuthType

func (*VaultCA) GetCaBundle added in v1.1.0

func (x *VaultCA) GetCaBundle() []byte

func (*VaultCA) GetCaPath added in v1.1.0

func (x *VaultCA) GetCaPath() string

func (*VaultCA) GetCsrPath added in v1.1.0

func (x *VaultCA) GetCsrPath() string

func (*VaultCA) GetKubernetesAuth added in v1.1.0

func (x *VaultCA) GetKubernetesAuth() *VaultKubernetesAuth

func (*VaultCA) GetNamespace added in v1.1.0

func (x *VaultCA) GetNamespace() string

func (*VaultCA) GetServer added in v1.1.0

func (x *VaultCA) GetServer() string

func (*VaultCA) GetTokenSecretRef added in v1.1.0

func (x *VaultCA) GetTokenSecretRef() *v1.ObjectRef

func (*VaultCA) ProtoMessage added in v1.1.0

func (*VaultCA) ProtoMessage()

func (*VaultCA) ProtoReflect added in v1.1.0

func (x *VaultCA) ProtoReflect() protoreflect.Message

func (*VaultCA) Reset added in v1.1.0

func (x *VaultCA) Reset()

func (*VaultCA) String added in v1.1.0

func (x *VaultCA) String() string

type VaultCA_KubernetesAuth added in v1.1.0

// VaultCA_KubernetesAuth is the VaultCA.AuthType oneof alternative that uses Vault's
// Kubernetes auth method.
type VaultCA_KubernetesAuth struct {
	// Kubernetes authenticates with Vault by passing the ServiceAccount
	// token stored in the named Secret resource to the Vault server.
	// See VaultKubernetesAuth for the mount path, role and token location.
	KubernetesAuth *VaultKubernetesAuth `protobuf:"bytes,8,opt,name=kubernetes_auth,json=kubernetesAuth,proto3,oneof"`
}

type VaultCA_TokenSecretRef added in v1.1.0

// VaultCA_TokenSecretRef is the VaultCA.AuthType oneof alternative that
// authenticates with a static Vault token.
type VaultCA_TokenSecretRef struct {
	// TokenSecretRef authenticates with Vault by presenting a token; it references
	// the Kubernetes Secret in which that token is stored.
	TokenSecretRef *v1.ObjectRef `protobuf:"bytes,6,opt,name=token_secret_ref,json=tokenSecretRef,proto3,oneof"`
}

type VaultKubernetesAuth added in v1.1.0

// VaultKubernetesAuth holds the settings for authenticating to Vault with a
// Kubernetes ServiceAccount token via Vault's Kubernetes auth method.
type VaultKubernetesAuth struct {

	// The Vault mountPath here is the mount path to use when authenticating with
	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
	// default value "/v1/auth/kubernetes" will be used.
	MountPath string `protobuf:"bytes,1,opt,name=mount_path,json=mountPath,proto3" json:"mount_path,omitempty"`
	// A required field containing the Vault Role to assume. A Role binds a
	// Kubernetes ServiceAccount with a set of Vault policies.
	Role string `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"`
	// Key under which the service account token is stored in the referenced Secret
	// (see VaultKubernetesAuth_ServiceAccountRef).
	// Defaults to "token".
	SecretTokenKey string `protobuf:"bytes,3,opt,name=secret_token_key,json=secretTokenKey,proto3" json:"secret_token_key,omitempty"`
	// The method by which to get the service account token.
	// If unspecified will default to mounted_sa_path.
	//
	// Types that are assignable to ServiceAccountLocation:
	//	*VaultKubernetesAuth_ServiceAccountRef
	//	*VaultKubernetesAuth_MountedSaPath
	ServiceAccountLocation isVaultKubernetesAuth_ServiceAccountLocation `protobuf_oneof:"service_account_location"`
	// contains filtered or unexported fields
}

func (*VaultKubernetesAuth) Descriptor deprecated added in v1.1.0

func (*VaultKubernetesAuth) Descriptor() ([]byte, []int)

Deprecated: Use VaultKubernetesAuth.ProtoReflect.Descriptor instead.

func (*VaultKubernetesAuth) Equal added in v1.1.0

func (m *VaultKubernetesAuth) Equal(that interface{}) bool

Equal reports whether `that` holds a VaultKubernetesAuth message whose field values match those of m.

func (*VaultKubernetesAuth) GetMountPath added in v1.1.0

func (x *VaultKubernetesAuth) GetMountPath() string

func (*VaultKubernetesAuth) GetMountedSaPath added in v1.1.0

func (x *VaultKubernetesAuth) GetMountedSaPath() string

func (*VaultKubernetesAuth) GetRole added in v1.1.0

func (x *VaultKubernetesAuth) GetRole() string

func (*VaultKubernetesAuth) GetSecretTokenKey added in v1.1.0

func (x *VaultKubernetesAuth) GetSecretTokenKey() string

func (*VaultKubernetesAuth) GetServiceAccountLocation added in v1.1.0

func (m *VaultKubernetesAuth) GetServiceAccountLocation() isVaultKubernetesAuth_ServiceAccountLocation

func (*VaultKubernetesAuth) GetServiceAccountRef added in v1.1.0

func (x *VaultKubernetesAuth) GetServiceAccountRef() *v1.ObjectRef

func (*VaultKubernetesAuth) ProtoMessage added in v1.1.0

func (*VaultKubernetesAuth) ProtoMessage()

func (*VaultKubernetesAuth) ProtoReflect added in v1.1.0

func (x *VaultKubernetesAuth) ProtoReflect() protoreflect.Message

func (*VaultKubernetesAuth) Reset added in v1.1.0

func (x *VaultKubernetesAuth) Reset()

func (*VaultKubernetesAuth) String added in v1.1.0

func (x *VaultKubernetesAuth) String() string

type VaultKubernetesAuth_MountedSaPath added in v1.1.0

// VaultKubernetesAuth_MountedSaPath is the oneof wrapper that sources the
// ServiceAccount token from the local filesystem (proto field 5). Using it
// means Vault login is performed with the identity of the ServiceAccount
// mounted into the running pod.
type VaultKubernetesAuth_MountedSaPath struct {
	// File System path to grab the service account token from.
	// Defaults to /var/run/secrets/kubernetes.io/serviceaccount
	// NOTE(review): the default is the directory of the projected
	// ServiceAccount volume; whether the `token` file name is appended
	// automatically (or taken from SecretTokenKey) is not visible here —
	// confirm against the consumer. The Vault role should be bound to the
	// pod's ServiceAccount and namespace so a token from elsewhere cannot
	// assume it.
	MountedSaPath string `protobuf:"bytes,5,opt,name=mounted_sa_path,json=mountedSaPath,proto3,oneof"`
}

type VaultKubernetesAuth_ServiceAccountRef added in v1.1.0

// VaultKubernetesAuth_ServiceAccountRef is the oneof wrapper that sources
// the ServiceAccount token from a referenced object rather than the pod's
// own mounted token (proto field 4).
type VaultKubernetesAuth_ServiceAccountRef struct {
	// Reference to service account, other than the one mounted to the current pod.
	// NOTE(review): given the VaultCA_KubernetesAuth description ("token
	// stored in the named Secret resource"), this ref presumably points at
	// the Secret holding that ServiceAccount's token, read under the
	// SecretTokenKey key — confirm against the consumer. Because it lets
	// the controller authenticate as a different identity, the referenced
	// object (and RBAC to read it) is security-sensitive.
	ServiceAccountRef *v1.ObjectRef `protobuf:"bytes,4,opt,name=service_account_ref,json=serviceAccountRef,proto3,oneof"`
}

Directories

Path Synopsis
Definitions for the Kubernetes Controllers Definitions for the multicluster Kubernetes Controllers Definitions for the Kubernetes Controllers
Definitions for the Kubernetes Controllers Definitions for the multicluster Kubernetes Controllers Definitions for the Kubernetes Controllers
mocks
Package mock_controller is a generated GoMock package.
Package mock_controller is a generated GoMock package.
Package mock_v1 is a generated GoMock package.
Package mock_v1 is a generated GoMock package.
mocks
Package mock_v1sets is a generated GoMock package.
Package mock_v1sets is a generated GoMock package.
