package register

v0.14.1
Published: Dec 7, 2020 License: Apache-2.0 Imports: 26 Imported by: 2

Documentation

Constants

const (
	// Key under which the ServiceAccount token Secret stores the bearer token.
	// visible for testing
	SecretTokenKey = "token"

	DefaultClusterDomain = "cluster.local"
)

Variables

var (
	MalformedSecret = eris.New("service account secret does not contain a bearer token")
	SecretNotReady  = func(err error) error {
		return eris.Wrap(err, "secret for service account not ready yet")
	}
	// exponential backoff retry with an initial period of 0.1s for 7 iterations, which will mean a cumulative retry period of ~6s
	// visible for testing
	SecretLookupOpts = []retry.Option{
		retry.Delay(time.Millisecond * 100),
		retry.Attempts(7),
		retry.DelayType(retry.BackOffDelay),
	}
)
var (
	NewClusterRBACBinderFactory = internal.NewClusterRBACBinderFactory
)

Expose internal providers for Dependency Injection
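The SecretLookupOpts above exist because the token controller fills in a ServiceAccount's token Secret asynchronously, some time after the ServiceAccount itself is created. The following Go program is an added illustration, not code from this package: it uses only the standard library in place of client-go and retry-go, and `LookupFunc`, `WaitForToken` and `flakyLookup` are hypothetical names. It reproduces the same schedule (100ms doubling, 7 attempts, 6.3s worst case) and keeps the two outcomes the package distinguishes apart: a Secret that does not exist yet is retried (`SecretNotReady`), while a Secret that exists without a `token` key fails immediately (`MalformedSecret`). Note that on Kubernetes 1.24 and later, token Secrets are no longer generated automatically for ServiceAccounts, so a lookup like this exhausts its retries unless the Secret is created explicitly.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Key under which the token controller stores the bearer token in a
// ServiceAccount token Secret; mirrors the package's SecretTokenKey.
const SecretTokenKey = "token"

var (
	ErrMalformedSecret = errors.New("service account secret does not contain a bearer token")
	ErrSecretNotReady  = errors.New("secret for service account not ready yet")
)

// LookupFunc fetches the Secret's data map. It returns an error while the
// Secret does not exist yet (hypothetical stand-in for a client-go Get call).
type LookupFunc func(ctx context.Context) (map[string][]byte, error)

// BackoffSchedule reproduces retry.BackOffDelay: the wait after attempt n is
// initial * 2^n, and there are attempts-1 waits between attempts.
func BackoffSchedule(initial time.Duration, attempts uint) []time.Duration {
	waits := make([]time.Duration, 0, attempts)
	for n := uint(0); n+1 < attempts; n++ {
		waits = append(waits, initial<<n)
	}
	return waits
}

// TotalBackoff is the worst-case time spent waiting: 6.3s for the package's
// default of 7 attempts starting at 100ms (the "~6s" in the comment above).
func TotalBackoff(initial time.Duration, attempts uint) time.Duration {
	var total time.Duration
	for _, w := range BackoffSchedule(initial, attempts) {
		total += w
	}
	return total
}

// WaitForToken polls lookup with exponential backoff until the Secret exists
// and carries a non-empty bearer token. A Secret that exists but has no
// "token" key is a hard failure (wrong Secret, or a cluster that no longer
// auto-creates ServiceAccount token Secrets) and is not retried.
func WaitForToken(ctx context.Context, lookup LookupFunc, initial time.Duration, attempts uint) (string, error) {
	if attempts == 0 {
		return "", errors.New("attempts must be at least 1")
	}
	waits := BackoffSchedule(initial, attempts)
	var lastErr error
	for n := uint(0); n < attempts; n++ {
		data, err := lookup(ctx)
		if err == nil {
			tok, ok := data[SecretTokenKey]
			if !ok || len(tok) == 0 {
				return "", ErrMalformedSecret
			}
			return string(tok), nil
		}
		lastErr = fmt.Errorf("%w: %v", ErrSecretNotReady, err)
		if n+1 == attempts {
			break
		}
		select {
		case <-ctx.Done():
			return "", ctx.Err()
		case <-time.After(waits[n]):
		}
	}
	return "", lastErr
}

// flakyLookup is a constructed stand-in for the API server: the Secret is
// "not found" for the first `missing` calls and then returns data.
func flakyLookup(missing int, data map[string][]byte) LookupFunc {
	calls := 0
	return func(ctx context.Context) (map[string][]byte, error) {
		calls++
		if calls <= missing {
			return nil, errors.New("secrets \"remote-sa-token\" not found")
		}
		return data, nil
	}
}

func main() {
	fmt.Println("worst-case wait for 7 attempts at 100ms:", TotalBackoff(100*time.Millisecond, 7))
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	// Constructed scenario: the token controller needs three polls to populate the Secret.
	ready := map[string][]byte{SecretTokenKey: []byte("constructed-token")}
	tok, err := WaitForToken(ctx, flakyLookup(3, ready), time.Millisecond, 7)
	fmt.Println(tok, err)
}
```

The context passed in bounds the whole wait, so a caller with a shorter deadline than the 6.3s schedule gets `context.DeadlineExceeded` instead of a stale `SecretNotReady`.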

Functions

func DeregisterClusterFromConfig added in v0.7.17

func DeregisterClusterFromConfig(
	ctx context.Context,
	masterClusterCfg *rest.Config,
	remoteCfg clientcmd.ClientConfig,
	opts Options,
	registrant ClusterRegistrant,
) error

func RegisterClusterFromConfig

func RegisterClusterFromConfig(
	ctx context.Context,
	masterClusterCfg *rest.Config,
	remoteCfg clientcmd.ClientConfig,
	opts Options,
	registrant ClusterRegistrant,
) error

Types

type ClusterRegistrant

type ClusterRegistrant interface {
	/*
		EnsureRemoteNamespace ensures that the specified remoteNamespace exists on the remote cluster being registered.
	*/
	EnsureRemoteNamespace(
		ctx context.Context,
		remoteClientCfg clientcmd.ClientConfig,
		remoteNamespace string,
	) error

	/*
		EnsureRemoteServiceAccount takes an instance of a remote config and ensures a ServiceAccount exists on the
		remote cluster, in the namespace specified.

		This `ServiceAccount` can then be used and/or referenced by `CreateRemoteAccessToken` below for the remainder
		of the registration workflow.
	*/
	EnsureRemoteServiceAccount(
		ctx context.Context,
		remoteClientCfg clientcmd.ClientConfig,
		opts Options,
	) (*corev1.ServiceAccount, error)

	/*
		DeleteRemoteServiceAccount deletes the ServiceAccount created by EnsureRemoteServiceAccount, if it exists.
	*/
	DeleteRemoteServiceAccount(
		ctx context.Context,
		remoteClientCfg clientcmd.ClientConfig,
		opts Options,
	) error

	/*
		CreateRemoteAccessToken takes an instance of a remote config and a reference to an existing `ServiceAccount`,
		and attempts to bind the given `RBAC` objects to said `ServiceAccount`, in the specified cluster.

		The function then returns the `ServiceAccount` bearer token. That token is a credential for the remote
		cluster carrying whatever is bound to the `ServiceAccount`, so keep the bound `RBAC` objects minimal.
	*/
	CreateRemoteAccessToken(
		ctx context.Context,
		remoteClientCfg clientcmd.ClientConfig,
		sa client.ObjectKey,
		opts Options,
	) (token string, err error)

	/*
		DeleteRemoteAccessResources deletes the Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings created from
		CreateRemoteAccessToken.
	*/
	DeleteRemoteAccessResources(
		ctx context.Context,
		remoteClientCfg clientcmd.ClientConfig,
		opts Options,
	) error

	/*
		RegisterClusterWithToken takes an instance of the remote config, as well as a `BearerToken` and creates a
		kubeconfig secret on the local cluster, in the specified namespace.
	*/
	RegisterClusterWithToken(
		ctx context.Context,
		masterClusterCfg *rest.Config,
		remoteClientCfg clientcmd.ClientConfig,
		token string,
		opts Options,
	) error

	/*
		DeregisterCluster deletes all resources created by RegisterClusterWithToken.
	*/
	DeregisterCluster(
		ctx context.Context,
		masterClusterCfg *rest.Config,
		opts Options,
	) error
}

Standard Cluster Registrant (one who registers) interface.

This component is responsible for registering a "remote" kubernetes cluster with a "management" cluster. As the "management" cluster is not present in the interface itself, it is defined by the config used to build the registrant instance.

func DefaultRegistrant

func DefaultRegistrant(context, apiServerAddress string) (ClusterRegistrant, error)

DefaultRegistrant provider function. This function will create a `ClusterRegistrant` using the current kubeconfig and the specified context. It builds all of the dependencies from the available `ClientConfig`.

The apiServerAddress parameter is optional. When passed in, it overwrites the API server endpoint in the kubeconfig before it is written. This is primarily useful when running multi-cluster KinD environments on a Mac: the API server is published on the host's local IP, which must be rewritten to `host.docker.internal` so that a client running inside Docker reaches the host rather than its own container.

Meant to be used in tandem with RegisterClusterFromConfig above. They are exposed separately so the `Registrant` may be mocked when testing the function above.

func NewClusterRegistrant

NewClusterRegistrant returns an implementation of ClusterRegistrant.

localAPIServerAddress is optional. When passed in, it overwrites the API server endpoint in the kubeconfig before it is written. This is primarily useful when running multi-cluster KinD environments on a Mac: the host's local IP must be rewritten to `host.docker.internal` so that a client running inside Docker reaches the host rather than its own container.

type Options

type Options struct {

	// Name by which the cluster will be identified. Must not contain '.'.
	// If left empty, registration returns an error.
	ClusterName string

	// Namespace to write namespaced resources to in the management cluster.
	// If left empty, registration returns an error.
	Namespace string

	// Name of the remote cluster Kubeconfig Context.
	// We need to explicitly pass this because of this open issue: https://github.com/kubernetes/client-go/issues/735
	RemoteCtx string

	// Namespace to write namespaced resources to in the remote cluster.
	// If left empty, registration returns an error.
	RemoteNamespace string

	// The Cluster Domain used by the Kubernetes DNS Service.
	// Defaults to 'cluster.local'
	// Read more: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/
	ClusterDomain string

	RegistrationMetadata RegistrationMetadata

	RbacOptions RbacOptions

	// Set to true if the remote cluster no longer exists (e.g. was deleted).
	// If true, deregistration will not attempt to delete registration resources on the remote cluster.
	RemoteClusterDeleted bool
}

type RbacOptions

type RbacOptions struct {
	// A list of roles to bind the new kubeconfig token to.
	// Any Roles in this list will be upserted by the registrant, prior to binding.
	Roles []*k8s_rbac_types.Role

	// A list of cluster roles to bind the new kubeconfig token to.
	// Any ClusterRoles in this list will be upserted by the registrant, prior to binding.
	ClusterRoles []*k8s_rbac_types.ClusterRole

	// List of roles which will be bound to by the created role bindings.
	// The Roles upserted from the above list will automatically be appended.
	RoleBindings []client.ObjectKey

	// List of cluster roles which will be bound to by the created cluster role bindings.
	// The ClusterRoles upserted from the above list will automatically be appended to the list.
	ClusterRoleBindings []client.ObjectKey
}
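Everything listed in Roles and ClusterRoles becomes the permission set of the remote ServiceAccount whose token is later stored on the management cluster, so the rules deserve a review before the registrant upserts them. The following Go program is an added example, not part of this package: a pre-flight audit over rules expressed in a local `PolicyRule` mirror (a hypothetical type standing in for `rbacv1.PolicyRule` or this package's `v1alpha1.PolicyRule`) that flags wildcards, the escalation verbs `escalate`, `bind` and `impersonate`, write access to RBAC objects, and unrestricted reads of Secrets. The names `AuditRules`, `classify` and `Finding` are this example's.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a local mirror of the rbac.authorization.k8s.io/v1 PolicyRule
// fields an audit needs (hypothetical type, not the API package's).
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string
	Verbs         []string
}

// Finding points at one rule (by index) that grants more than a cluster
// registration ServiceAccount should normally hold.
type Finding struct {
	Rule   int
	Reason string
}

func has(items []string, want string) bool {
	for _, s := range items {
		if s == want {
			return true
		}
	}
	return false
}

func anyOf(items []string, wants ...string) bool {
	for _, w := range wants {
		if has(items, w) {
			return true
		}
	}
	return false
}

// classify returns the most severe reason a rule is over-broad, if any.
func classify(r PolicyRule, clusterScoped bool) (string, bool) {
	switch {
	case has(r.Verbs, "*") && has(r.Resources, "*"):
		return "wildcard verbs on wildcard resources (cluster-admin equivalent)", true
	case has(r.Verbs, "*"):
		return "wildcard verbs on " + strings.Join(r.Resources, ","), true
	case has(r.Resources, "*"):
		return "wildcard resources for verbs " + strings.Join(r.Verbs, ","), true
	}
	// Verbs that let the holder grant itself more than it already has.
	for _, v := range []string{"escalate", "bind", "impersonate"} {
		if has(r.Verbs, v) {
			return "verb " + v + " permits privilege escalation", true
		}
	}
	// Writing RBAC objects is escalation by another route.
	if (has(r.APIGroups, "rbac.authorization.k8s.io") || has(r.APIGroups, "*")) &&
		anyOf(r.Verbs, "create", "update", "patch") {
		return "write access to RBAC objects", true
	}
	// Reading every Secret hands over every other credential in scope;
	// a rule pinned to named Secrets via resourceNames is accepted.
	if has(r.Resources, "secrets") && len(r.ResourceNames) == 0 &&
		anyOf(r.Verbs, "get", "list", "watch") {
		scope := "namespace"
		if clusterScoped {
			scope = "cluster"
		}
		return "unrestricted read of Secrets across the " + scope, true
	}
	return "", false
}

// AuditRules runs classify over the rules of one Role (clusterScoped=false)
// or ClusterRole (clusterScoped=true). An empty result means nothing obviously
// over-broad was found; it is not a proof of least privilege.
func AuditRules(rules []PolicyRule, clusterScoped bool) []Finding {
	var out []Finding
	for i, r := range rules {
		if reason, bad := classify(r, clusterScoped); bad {
			out = append(out, Finding{Rule: i, Reason: reason})
		}
	}
	return out
}

func main() {
	// Constructed ClusterRole rules: the first is what a read-only registrant
	// might need, the rest are the kind of additions that should fail review.
	rules := []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"pods", "services", "endpoints"}, Verbs: []string{"get", "list", "watch"}},
		{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "list"}},
		{APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterroles"}, Verbs: []string{"bind", "get"}},
		{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}},
	}
	for _, f := range AuditRules(rules, true) {
		fmt.Printf("rule %d: %s\n", f.Rule, f.Reason)
	}
}
```

Run the audit over each entry of Roles with clusterScoped=false and each entry of ClusterRoles with clusterScoped=true, and treat any finding as a reason to tighten the rule rather than to register.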

type RegistrationMetadata added in v0.7.17

type RegistrationMetadata struct {
	// Metadata about the provider for cloud hosted k8s clusters.
	ProviderInfo *v1alpha1.KubernetesClusterSpec_ProviderInfo

	// Labels to add to registration output resources (KubernetesCluster and Secret).
	ResourceLabels map[string]string

	// The set of PolicyRules for Roles created on the remote cluster upon registration.
	RolePolicyRules []*v1alpha1.PolicyRule

	// The set of PolicyRules for the cluster roles created on the remote cluster upon registration.
	ClusterRolePolicyRules []*v1alpha1.PolicyRule
}

Optional additional metadata to persist to registration output resources.

type RegistrationOptions

type RegistrationOptions struct {
	// Management kubeconfig
	KubeCfg clientcmd.ClientConfig

	// Remote kubeconfig
	RemoteKubeCfg clientcmd.ClientConfig

	// Remote context name
	// We need to explicitly pass this because of this open issue: https://github.com/kubernetes/client-go/issues/735
	RemoteCtx string

	// APIServerAddress is optional. When passed in, it overwrites the API server endpoint in
	// the kubeconfig before it is written. This is primarily useful when running multi-cluster KinD
	// environments on a Mac: the host's local IP must be rewritten to `host.docker.internal` so that
	// a client running inside Docker reaches the host rather than its own container.
	APIServerAddress string

	// Name by which the cluster will be identified. Must not contain '.'.
	// If left empty, registration returns an error.
	ClusterName string

	// Namespace to write namespaced resources to in the management ("master") cluster.
	// If left empty, registration returns an error.
	Namespace string

	// Namespace to write namespaced resources to in the remote cluster.
	// If left empty, registration returns an error.
	RemoteNamespace string

	// The Cluster Domain used by the Kubernetes DNS Service in the registered cluster.
	// Defaults to 'cluster.local'
	// Read more: https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/
	ClusterDomain string

	// A list of roles to bind the new kubeconfig token to.
	// Any Roles in this list will be upserted by the registrant, prior to binding.
	Roles []*k8s_rbac_types.Role

	// A list of cluster roles to bind the new kubeconfig token to.
	// Any ClusterRoles in this list will be upserted by the registrant, prior to binding.
	ClusterRoles []*k8s_rbac_types.ClusterRole

	// List of roles which will be bound to by the created role bindings.
	// The Roles upserted from the above list will automatically be appended.
	RoleBindings []client.ObjectKey

	// List of cluster roles which will be bound to by the created cluster role bindings.
	// The ClusterRoles upserted from the above list will automatically be appended to the list.
	ClusterRoleBindings []client.ObjectKey

	// Set of labels to include on the registration output resources, currently consisting of KubernetesCluster and Secret.
	ResourceLabels map[string]string

	// Set to true if the remote cluster no longer exists (e.g. was deleted).
	// If true, deregistration will not attempt to delete registration resources on the remote cluster.
	RemoteClusterDeleted bool
}

Options for registering and deregistering a cluster

func (RegistrationOptions) DeregisterCluster added in v0.7.17

func (opts RegistrationOptions) DeregisterCluster(
	ctx context.Context,
) error

DeregisterCluster deregisters a cluster by cleaning up the resources created when RegisterCluster is invoked. This entails:

  1. Deleting the ServiceAccount on the remote cluster.
  2. Deleting the remote Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings associated with the ServiceAccount.
  3. Deleting the Secret on the management cluster that holds the kubeconfig for the remote cluster.

If the remote cluster no longer exists, set RemoteClusterDeleted so that steps 1 and 2 are skipped.

func (RegistrationOptions) RegisterCluster

func (opts RegistrationOptions) RegisterCluster(
	ctx context.Context,
) error

RegisterCluster is meant to be a helper function to easily "register" a remote cluster. Currently this entails:

  1. Creating a `ServiceAccount` on the remote cluster.
  2. Binding RBAC `Roles/ClusterRoles` to said `ServiceAccount`.
  3. And finally creating a kubeconfig `Secret` on the management cluster with the BearerToken of the remote `ServiceAccount`.

The resulting `Secret` is a credential for the remote cluster: anyone who can read it in `Namespace` holds every permission bound in step 2, so restrict access to that namespace and keep the bound `Roles/ClusterRoles` minimal.

func (RegistrationOptions) RegisterProviderCluster added in v0.7.17

func (opts RegistrationOptions) RegisterProviderCluster(
	ctx context.Context,
	providerInfo *v1alpha1.KubernetesClusterSpec_ProviderInfo,
) error

RegisterProviderCluster augments RegisterCluster functionality with additional metadata to persist to the resulting KubernetesCluster object. ProviderInfo contains cloud provider metadata.

Directories

Path Synopsis
mocks
Package mock_internal is a generated GoMock package.
Package mock_clientcmd is a generated GoMock package.
Package mock_register is a generated GoMock package.
