render

package
v1.35.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 7, 2024 License: Apache-2.0 Imports: 59 Imported by: 0

Documentation

Overview

This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.

Index

Constants

View Source
const (
	APIServerPort       = 5443
	APIServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "cnx-apiserver-access"
)
View Source
const (
	QueryServerPort        = 8080
	QueryserverNamespace   = "tigera-system"
	QueryserverServiceName = "tigera-api"

	// Use the same API server container name for both OSS and Enterprise.
	APIServerContainerName                  = "calico-apiserver"
	APIServerK8sAppName                     = "calico-apiserver"
	TigeraAPIServerQueryServerContainerName = "tigera-queryserver"

	APIServerSecretsRBACName                        = "tigera-extension-apiserver-secrets-access"
	MultiTenantManagedClustersAccessClusterRoleName = "tigera-managed-cluster-access"
)
View Source
const (
	ComplianceNamespace                                       = "tigera-compliance"
	ComplianceServiceName                                     = "compliance"
	ComplianceServerName                                      = "compliance-server"
	ComplianceControllerName                                  = "compliance-controller"
	ComplianceSnapshotterName                                 = "compliance-snapshotter"
	ComplianceReporterName                                    = "compliance-reporter"
	ComplianceBenchmarkerName                                 = "compliance-benchmarker"
	ComplianceAccessPolicyName                                = networkpolicy.TigeraComponentPolicyPrefix + "compliance-access"
	ComplianceServerPolicyName                                = networkpolicy.TigeraComponentPolicyPrefix + ComplianceServerName
	MultiTenantComplianceManagedClustersAccessRoleBindingName = "compliance-server-managed-cluster-access"

	// ServiceAccount names.
	ComplianceServerServiceAccount      = "tigera-compliance-server"
	ComplianceSnapshotterServiceAccount = "tigera-compliance-snapshotter"
	ComplianceBenchmarkerServiceAccount = "tigera-compliance-benchmarker"
	ComplianceReporterServiceAccount    = "tigera-compliance-reporter"
	ComplianceControllerServiceAccount  = "tigera-compliance-controller"
)
View Source
const (
	ElasticsearchCuratorUserSecret = "tigera-ee-curator-elasticsearch-access"

	ComplianceServerCertSecret  = "tigera-compliance-server-tls"
	ComplianceSnapshotterSecret = "tigera-compliance-snapshotter-tls"
	ComplianceBenchmarkerSecret = "tigera-compliance-benchmarker-tls"
	ComplianceControllerSecret  = "tigera-compliance-controller-tls"
	ComplianceReporterSecret    = "tigera-compliance-reporter-tls"
)
View Source
const (
	CSIDriverName             = "csi.tigera.io"
	CSIDaemonSetName          = "csi-node-driver"
	CSIDaemonSetNamespace     = "calico-system"
	CSIContainerName          = "calico-csi"
	CSIRegistrarContainerName = "csi-node-driver-registrar"
)
View Source
const (
	DexNamespace     = "tigera-dex"
	DexObjectName    = "tigera-dex"
	DexPort          = 5556
	DexTLSSecretName = "tigera-dex-tls"
	DexClientId      = "tigera-manager"
	DexPolicyName    = networkpolicy.TigeraComponentPolicyPrefix + "allow-tigera-dex"
)
View Source
const (
	ClientSecretSecretField = "clientSecret"

	RootCASecretField   = "rootCA"
	OIDCSecretName      = "tigera-oidc-credentials"
	OpenshiftSecretName = "tigera-openshift-credentials"
	LDAPSecretName      = "tigera-ldap-credentials"

	ClientIDSecretField = "clientID"
	BindDNSecretField   = "bindDN"
	BindPWSecretField   = "bindPW"

	// Default claims to use to data from a JWT.
	DefaultGroupsClaim = "groups"
)
View Source
const (
	// OperatorCompleteFinalizer is applied by the core controller as part of Installation defaulting to ensure it can
	// clean up resources if the Installation is ever deleted. This Finalizer is only removed after all operator
	// finalization logic has completed.
	OperatorCompleteFinalizer = "tigera.io/operator-cleanup"

	// APIServerFinalizer is added to the Installation by the API server controller when installing the API server so that
	// Calico CNI resources are not removed until the API server controller has had time to properly tear down pods.
	APIServerFinalizer = "operator.tigera.io/apiserver-controller"

	// InstallationControllerFinalizer is added to the Installation by the core Installation controller when installing Calico
	// so that Calico CNI resources are not removed until calico-kube-controllers has had time to properly be torn down.
	InstallationControllerFinalizer = "operator.tigera.io/installation-controller"
)
View Source
const (
	LogCollectorNamespace      = "tigera-fluentd"
	FluentdFilterConfigMapName = "fluentd-filters"
	FluentdFilterFlowName      = "flow"
	FluentdFilterDNSName       = "dns"
	S3FluentdSecretName        = "log-collector-s3-credentials"
	S3KeyIdName                = "key-id"
	S3KeySecretName            = "key-secret"

	// FluentdPrometheusTLSSecretName is the name of the secret containing the key pair fluentd presents to identify itself.
	// Somewhat confusingly, this is named the prometheus TLS key pair because that was the first
	// use-case for this credential. However, it is used on all TLS connections served by fluentd.
	FluentdPrometheusTLSSecretName = "tigera-fluentd-prometheus-tls"
	FluentdMetricsService          = "fluentd-metrics"
	FluentdMetricsServiceWindows   = "fluentd-metrics-windows"
	FluentdMetricsPortName         = "fluentd-metrics-port"
	FluentdMetricsPort             = 9081
	FluentdPolicyName              = networkpolicy.TigeraComponentPolicyPrefix + "allow-fluentd-node"

	ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access"
	EksLogForwarderSecret                  = "tigera-eks-log-forwarder-secret"
	EksLogForwarderAwsId                   = "aws-id"
	EksLogForwarderAwsKey                  = "aws-key"
	SplunkFluentdTokenSecretName           = "logcollector-splunk-credentials"
	SplunkFluentdSecretTokenKey            = "token"
	SplunkFluentdSecretCertificateKey      = "ca.pem"
	SysLogPublicCADir                      = "/etc/pki/tls/certs/"
	SysLogPublicCertKey                    = "ca-bundle.crt"
	SysLogPublicCAPath                     = SysLogPublicCADir + SysLogPublicCertKey
	SyslogCAConfigMapName                  = "syslog-ca"

	// Constants for Linseed token volume mounting in managed clusters.
	LinseedTokenVolumeName = "linseed-token"
	LinseedTokenKey        = "token"
	LinseedTokenSubPath    = "token"
	LinseedTokenSecret     = "%s-tigera-linseed-token"
	LinseedVolumeMountPath = "/var/run/secrets/tigera.io/linseed/"
	LinseedTokenPath       = "/var/run/secrets/tigera.io/linseed/token"

	FluentdNodeName = "fluentd-node"

	EKSLogForwarderName          = "eks-log-forwarder"
	EKSLogForwarderTLSSecretName = "tigera-eks-log-forwarder-tls"

	PacketCaptureAPIRole        = "packetcapture-api-role"
	PacketCaptureAPIRoleBinding = "packetcapture-api-role-binding"
)
View Source
const (
	GuardianName                   = "tigera-guardian"
	GuardianNamespace              = GuardianName
	GuardianServiceAccountName     = GuardianName
	GuardianClusterRoleName        = GuardianName
	GuardianClusterRoleBindingName = GuardianName
	GuardianDeploymentName         = GuardianName
	GuardianServiceName            = "tigera-guardian"
	GuardianVolumeName             = "tigera-guardian-certs"
	GuardianSecretName             = "tigera-managed-cluster-connection"
	GuardianTargetPort             = 8080
	GuardianPolicyName             = networkpolicy.TigeraComponentPolicyPrefix + "guardian-access"
)

The names of the components related to the Guardian related rendered objects.

View Source
const (
	IntrusionDetectionNamespace = "tigera-intrusion-detection"
	IntrusionDetectionName      = "intrusion-detection-controller"

	ElasticsearchIntrusionDetectionUserSecret    = "tigera-ee-intrusion-detection-elasticsearch-access"
	ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access"
	ElasticsearchPerformanceHotspotsUserSecret   = "tigera-ee-performance-hotspots-elasticsearch-access"

	IntrusionDetectionInstallerJobName                     = "intrusion-detection-es-job-installer"
	IntrusionDetectionControllerName                       = "intrusion-detection-controller"
	IntrusionDetectionControllerPolicyName                 = networkpolicy.TigeraComponentPolicyPrefix + IntrusionDetectionControllerName
	IntrusionDetectionInstallerPolicyName                  = networkpolicy.TigeraComponentPolicyPrefix + "intrusion-detection-elastic"
	MultiTenantManagedClustersAccessClusterRoleBindingName = "tigera-intrusion-detection-managed-cluster-access"

	ADAPIObjectName                 = "anomaly-detection-api"
	IntrusionDetectionTLSSecretName = "intrusion-detection-tls"
	DPITLSSecretName                = "deep-packet-inspection-tls"
	ADAPIPolicyName                 = networkpolicy.TigeraComponentPolicyPrefix + ADAPIObjectName

	ADPersistentVolumeClaimName = "tigera-anomaly-detection"
	ADJobPodTemplateBaseName    = "tigera.io.detectors"

	ADDetectorPolicyName = networkpolicy.TigeraComponentPolicyPrefix + adDetectorName
)
View Source
const (
	ElasticsearchObjectName = "tigera-elasticsearch"
	ElasticsearchNamespace  = ElasticsearchObjectName

	// TigeraLinseedSecret is the name of the secret that holds the TLS key pair mounted into Linseed.
	// The secret contains server key and certificate.
	TigeraLinseedSecret = "tigera-secure-linseed-cert"

	// TigeraLinseedSecretsClusterRole is the name of the ClusterRole used to make RoleBindings in namespaces where Linseed
	// needs to be able to manipulate secrets
	TigeraLinseedSecretsClusterRole = "tigera-linseed-secrets"

	// TigeraLinseedTokenSecret is the name of the secret that holds the access token signing key for Linseed.
	TigeraLinseedTokenSecret = "tigera-secure-linseed-token-tls"

	// TigeraElasticsearchGatewaySecret is the TLS key pair that is mounted by Elasticsearch gateway.
	TigeraElasticsearchGatewaySecret = "tigera-secure-elasticsearch-cert"

	// TigeraElasticsearchInternalCertSecret is the TLS key pair that is mounted by the Elasticsearch pods.
	TigeraElasticsearchInternalCertSecret = "tigera-secure-internal-elasticsearch-cert"

	// Linseed vars.
	LinseedServiceName = "tigera-linseed"

	ElasticsearchName               = "tigera-secure"
	ElasticsearchServiceName        = "tigera-secure-es-http"
	ESGatewayServiceName            = "tigera-secure-es-gateway-http"
	ElasticsearchDefaultPort        = 9200
	ElasticsearchInternalPort       = 9300
	ElasticsearchAdminUserSecret    = "tigera-secure-es-elastic-user"
	ElasticsearchLinseedUserSecret  = "tigera-ee-linseed-elasticsearch-user-secret"
	ElasticsearchPolicyName         = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-access"
	ElasticsearchInternalPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-internal"

	KibanaBasePath = "tigera-kibana"

	DefaultElasticsearchClusterName = "cluster"
	DefaultElasticsearchReplicas    = 0
	DefaultElasticStorageGi         = 10

	ESCuratorName           = "elastic-curator"
	EsCuratorServiceAccount = "tigera-elastic-curator"
	EsCuratorPolicyName     = networkpolicy.TigeraComponentPolicyPrefix + "allow-elastic-curator"

	OIDCUsersConfigMapName = "tigera-known-oidc-users"
	OIDCUsersESSecretName  = "tigera-oidc-users-elasticsearch-credentials"

	ElasticsearchLicenseTypeBasic           ElasticsearchLicenseType = "basic"
	ElasticsearchLicenseTypeEnterprise      ElasticsearchLicenseType = "enterprise"
	ElasticsearchLicenseTypeEnterpriseTrial ElasticsearchLicenseType = "enterprise_trial"
	ElasticsearchLicenseTypeUnknown         ElasticsearchLicenseType = ""

	EsManagerRole        = "es-manager"
	EsManagerRoleBinding = "es-manager"

	ElasticsearchTLSHashAnnotation = "hash.operator.tigera.io/es-secrets"
)
View Source
const (
	// ElasticsearchKeystoreSecret Currently only used when FIPS mode is enabled, we need to initialize the keystore with a password.
	ElasticsearchKeystoreSecret         = "tigera-secure-elasticsearch-keystore"
	ElasticsearchKeystoreEnvName        = "KEYSTORE_PASSWORD"
	ElasticsearchKeystoreHashAnnotation = "hash.operator.tigera.io/keystore-password"
)
View Source
const (
	// Volume that is added by ECK and is overridden if certificate management is used.
	CSRVolumeNameHTTP = "elastic-internal-http-certificates"
	// Volume that is added by ECK and is overridden if certificate management is used.
	CSRVolumeNameTransport = "elastic-internal-transport-certificates"
	// Volume name that is added by ECK for the purpose of mounting certs.
	CAVolumeName = "elasticsearch-certs"
)

Certificate management constants.

View Source
const (
	ManagerServiceName           = "tigera-manager"
	ManagerDeploymentName        = "tigera-manager"
	ManagerNamespace             = "tigera-manager"
	ManagerServiceAccount        = "tigera-manager"
	ManagerClusterRole           = "tigera-manager-role"
	ManagerClusterRoleBinding    = "tigera-manager-binding"
	ManagerTLSSecretName         = "manager-tls"
	ManagerInternalTLSSecretName = "internal-manager-tls"
	ManagerPolicyName            = networkpolicy.TigeraComponentPolicyPrefix + "manager-access"

	// The name of the TLS certificate used by Voltron to authenticate connections from managed
	// cluster clients talking to Linseed.
	VoltronLinseedTLS        = "tigera-voltron-linseed-tls"
	VoltronLinseedPublicCert = "tigera-voltron-linseed-certs-public"

	ManagerClusterSettings            = "cluster-settings"
	ManagerUserSettings               = "user-settings"
	ManagerClusterSettingsLayerTigera = "cluster-settings.layer.tigera-infrastructure"
	ManagerClusterSettingsViewDefault = "cluster-settings.view.default"

	ElasticsearchManagerUserSecret                                = "tigera-ee-manager-elasticsearch-access"
	TlsSecretHashAnnotation                                       = "hash.operator.tigera.io/tls-secret"
	KibanaTLSHashAnnotation                                       = "hash.operator.tigera.io/kibana-secrets"
	ElasticsearchUserHashAnnotation                               = "hash.operator.tigera.io/elasticsearch-user"
	ManagerMultiTenantManagedClustersAccessClusterRoleBindingName = "tigera-manager-managed-cluster-access"
)
View Source
const (
	VoltronName             = "tigera-voltron"
	VoltronTunnelSecretName = "tigera-management-cluster-connection"
)

ManagementClusterConnection configuration constants

View Source
const (
	PSSPrivileged = "privileged"
	PSSBaseline   = "baseline"
	PSSRestricted = "restricted"
)
View Source
const (
	BirdTemplatesConfigMapName = "bird-templates"

	BPFOperatorAnnotation = "operator.tigera.io/bpfEnabled"

	BGPLayoutConfigMapName      = "bgp-layout"
	BGPLayoutConfigMapKey       = "earlyNetworkConfiguration"
	BGPLayoutVolumeName         = "bgp-layout"
	BGPLayoutPath               = "/etc/calico/early-networking.yaml"
	K8sSvcEndpointConfigMapName = "kubernetes-services-endpoint"

	CNIFinalizer = "tigera.io/cni-protector"

	CalicoNodeMetricsService      = "calico-node-metrics"
	NodePrometheusTLSServerSecret = "calico-node-prometheus-server-tls"
	CalicoNodeObjectName          = "calico-node"
	CalicoCNIPluginObjectName     = "calico-cni-plugin"
	BPFVolumeName                 = "bpffs"
)
View Source
const (
	PacketCaptureContainerName          = "tigera-packetcapture-server"
	PacketCaptureName                   = "tigera-packetcapture"
	PacketCaptureNamespace              = PacketCaptureName
	PacketCaptureServiceAccountName     = PacketCaptureName
	PacketCaptureClusterRoleName        = PacketCaptureName
	PacketCaptureClusterRoleBindingName = PacketCaptureName
	PacketCaptureDeploymentName         = PacketCaptureName
	PacketCaptureServiceName            = PacketCaptureName
	PacketCapturePolicyName             = networkpolicy.TigeraComponentPolicyPrefix + PacketCaptureName
	PacketCapturePort                   = 8444
	PacketCaptureServerCert             = "tigera-packetcapture-server-tls"
)

The names of the components related to the PacketCapture APIs related rendered objects.

View Source
const (
	ElasticsearchPolicyRecommendationUserSecret = "tigera-ee-policy-recommendation-elasticsearch-access"

	PolicyRecommendationName       = "tigera-policy-recommendation"
	PolicyRecommendationNamespace  = PolicyRecommendationName
	PolicyRecommendationPolicyName = networkpolicy.TigeraComponentPolicyPrefix + PolicyRecommendationName

	PolicyRecommendationTLSSecretName                                   = "policy-recommendation-tls"
	PolicyRecommendationMultiTenantManagedClustersAccessRoleBindingName = "tigera-policy-recommendation-managed-cluster-access"
)

The names of the components related to the PolicyRecommendation APIs related rendered objects.

View Source
const (
	TyphaServiceName              = "calico-typha"
	TyphaPortName                 = "calico-typha"
	TyphaK8sAppName               = "calico-typha"
	TyphaServiceAccountName       = "calico-typha"
	AppLabelName                  = "k8s-app"
	TyphaPort               int32 = 5473
	TyphaMetricsName              = "calico-typha-metrics"

	TyphaContainerName = "calico-typha"
)
View Source
const (
	WindowsNodeObjectName     = "calico-node-windows"
	WindowsNodeMetricsService = "calico-node-metrics-windows"
)
View Source
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"

Variables

View Source
var (
	ElasticsearchSelector   = fmt.Sprintf("elasticsearch.k8s.elastic.co/cluster-name == '%s'", ElasticsearchName)
	ElasticsearchEntityRule = v3.EntityRule{
		NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
		Selector:          ElasticsearchSelector,
		Ports:             []numorstring.Port{{MinPort: ElasticsearchDefaultPort, MaxPort: ElasticsearchDefaultPort}},
	}
)
View Source
var (
	SourceKibanaEntityRule      = networkpolicy.CreateSourceEntityRule("tigera-kibana", "tigera-secure")
	ECKOperatorSourceEntityRule = networkpolicy.CreateSourceEntityRule("tigera-eck-operator", "elastic-operator")
)
View Source
var (
	CommonName               = "common-name"
	URISAN                   = "uri-san"
	TyphaCommonName          = "typha-server"
	FelixCommonName          = "typha-client"
	NodePriorityClassName    = "system-node-critical"
	ClusterPriorityClassName = "system-cluster-critical"
)
View Source
var (
	TyphaTLSSecretName   = "typha-certs"
	TyphaCAConfigMapName = "typha-ca"
	TyphaCABundleName    = "caBundle"
)
View Source
var FluentdSourceEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("name == '%s'", LogCollectorNamespace),
	Selector:          networkpolicy.KubernetesAppSelector(FluentdNodeName, fluentdNodeWindowsName),
}
View Source
var InternalElasticsearchEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
	Selector:          ElasticsearchSelector,
	Ports:             []numorstring.Port{{MinPort: ElasticsearchInternalPort, MaxPort: ElasticsearchInternalPort}},
}
View Source
var IntrusionDetectionInstallerSourceEntityRule = v3.EntityRule{
	NamespaceSelector: intrusionDetectionNamespaceSelector,
	Selector:          fmt.Sprintf("job-name == '%s'", IntrusionDetectionInstallerJobName),
}
View Source
var (
	IntrusionDetectionSourceEntityRule = v3.EntityRule{
		NamespaceSelector: intrusionDetectionNamespaceSelector,
		Selector:          fmt.Sprintf("k8s-app == '%s'", IntrusionDetectionControllerName),
	}
)

Register secret/certs that need Server and Client Key usage

View Source
var (
	NodeTLSSecretName = "node-certs"
)
View Source
var TigeraAPIServerEntityRule = v3.EntityRule{
	Services: &v3.ServiceMatch{
		Namespace: QueryserverNamespace,
		Name:      QueryserverServiceName,
	},
}

Functions

func APIServerServiceAccountName added in v1.30.0

func APIServerServiceAccountName(v operatorv1.ProductVariant) string

func CNIPluginFinalizedObjects added in v1.34.1

func CNIPluginFinalizedObjects() []client.Object

CNIPluginFinalizedObjects returns a list of objects that use the CNIFinalizer that should be removed only after the CNI plugin is removed.

func CreateCertificateConfigMap added in v1.25.1

func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap

CreateCertificateConfigMap is a convenience method for creating a configmap that contains only a ca or cert to trust.

func CreateCertificateSecret added in v1.18.0

func CreateCertificateSecret(caPem []byte, secretName string, namespace string) *corev1.Secret

CreateCertificateSecret is a convenience method for creating a secret that contains only a ca or cert to trust.

func CreateDexClientSecret added in v1.12.0

func CreateDexClientSecret() *corev1.Secret

func CreateElasticsearchKeystoreSecret added in v1.28.2

func CreateElasticsearchKeystoreSecret() *corev1.Secret

CreateElasticsearchKeystoreSecret creates a secret to be used for initializing the keystore on Elasticsearch.

func CreateNamespace added in v1.22.0

func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace

func DefaultWindowsCNIDirectories added in v1.32.0

func DefaultWindowsCNIDirectories(installation operatorv1.InstallationSpec) (string, string, string)

DefaultWindowsCNIDirectories returns the CNI binary, network config and log directories and the CNI conf filename for the configured platform. FIXME: populate with known default for other providers

func GetIPv4Pool added in v1.2.0

func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool

GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.

func GetIPv6Pool added in v1.2.0

func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool

GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.

func GetLinseedTokenPath added in v1.30.0

func GetLinseedTokenPath(managedCluster bool) string

func ImagePullPolicy added in v1.31.0

func ImagePullPolicy() corev1.PullPolicy

ImagePullPolicy returns the image pull policy to use for all components.

func KibanaEnabled added in v1.33.0

func KibanaEnabled(tenant *operatorv1.Tenant, installation *operatorv1.InstallationSpec) bool

func LinseedNamespace added in v1.33.0

func LinseedNamespace(tenant *operatorv1.Tenant) string

LinseedNamespace determine the namespace in which Linseed is running. For management and standalone clusters, this is always the tigera-elasticsearch namespace. For multi-tenant management clusters, this is the tenant namespace

func ManagerService added in v1.33.0

func ManagerService(tenant *operatorv1.Tenant) string

ManagerService determine the name of the tigera manager service. For management and standalone clusters, this is always the tigera-manager.tigera-manager namespace. For multi-tenant management clusters, this is a service that resides within the tenant namespace

func NewDexKeyValidatorConfig added in v1.12.0

func NewDexKeyValidatorConfig(
	authentication *oprv1.Authentication,
	idpSecret *corev1.Secret,
	clusterDomain string) authentication.KeyValidatorConfig

func ProcessPodProxies added in v1.35.3

func ProcessPodProxies(podProxies []*httpproxy.Config) []*httpproxy.Config

func ProjectCalicoAPIServerServiceName added in v1.30.0

func ProjectCalicoAPIServerServiceName(v operatorv1.ProductVariant) string

func ProjectCalicoAPIServerTLSSecretName added in v1.30.0

func ProjectCalicoAPIServerTLSSecretName(v operatorv1.ProductVariant) string

The following functions are helpers for determining resource names based on the configured product variant.

func SetClusterCriticalPod added in v1.22.0

func SetClusterCriticalPod(t *corev1.PodTemplateSpec)

func SetTestLogger

func SetTestLogger(l logr.Logger)

Types

type APIServerConfiguration added in v1.25.0

type APIServerConfiguration struct {
	K8SServiceEndpoint          k8sapi.ServiceEndpoint
	Installation                *operatorv1.InstallationSpec
	APIServer                   *operatorv1.APIServerSpec
	ForceHostNetwork            bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	TLSKeyPair                  certificatemanagement.KeyPairInterface
	PullSecrets                 []*corev1.Secret
	OpenShift                   bool
	TrustedBundle               certificatemanagement.TrustedBundle
	MultiTenant                 bool
}

APIServerConfiguration contains all the config information needed to render the component.

type AWSSGSetupConfiguration added in v1.25.0

type AWSSGSetupConfiguration struct {
	PullSecrets  []corev1.LocalObjectReference
	Installation *operatorv1.InstallationSpec
}

AWSSGSetupConfiguration contains all the config information needed to render the component.

type CSIConfiguration added in v1.28.0

type CSIConfiguration struct {
	Installation *operatorv1.InstallationSpec
	Terminating  bool
	OpenShift    bool
}

type ComplianceConfiguration added in v1.25.0

type ComplianceConfiguration struct {
	Installation                *operatorv1.InstallationSpec
	PullSecrets                 []*corev1.Secret
	OpenShift                   bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	KeyValidatorConfig          authentication.KeyValidatorConfig
	ClusterDomain               string
	HasNoLicense                bool

	// Trusted certificate bundle for all compliance pods.
	TrustedBundle certificatemanagement.TrustedBundleRO

	// Key pairs used for mTLS.
	ServerKeyPair      certificatemanagement.KeyPairInterface
	BenchmarkerKeyPair certificatemanagement.KeyPairInterface
	ReporterKeyPair    certificatemanagement.KeyPairInterface
	SnapshotterKeyPair certificatemanagement.KeyPairInterface
	ControllerKeyPair  certificatemanagement.KeyPairInterface

	Namespace         string
	BindingNamespaces []string

	// Whether to run the rendered components in multi-tenant, single-tenant, or zero-tenant mode
	Tenant          *operatorv1.Tenant
	ExternalElastic bool
	Compliance      *operatorv1.Compliance
}

ComplianceConfiguration contains all the config information needed to render the component.

type Component

type Component interface {
	// ResolveImages should call components.GetReference for all images that the Component
	// needs, passing 'is' to the GetReference call and if there are any errors those
	// are returned. It is valid to pass nil for 'is' as GetReference accepts the value.
	// ResolveImages must be called before Objects is called for the component.
	ResolveImages(is *operatorv1.ImageSet) error

	// Objects returns the lists of objects in this component that should be created and/or deleted during
	// rendering.
	Objects() (objsToCreate, objsToDelete []client.Object)

	// Ready returns true if the component is ready to be created.
	Ready() bool

	// SupportedOSTypes returns operating systems that is supported of the components returned by the Objects() function.
	// The "componentHandler" converts the returned OSTypes to a node selectors for the "kubernetes.io/os" label on client.Objects
	// that create pods. Return OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label.
	SupportedOSType() rmeta.OSType
}

func APIServer

func APIServer(cfg *APIServerConfiguration) (Component, error)

func APIServerPolicy added in v1.28.0

func APIServerPolicy(cfg *APIServerConfiguration) Component

func AWSSecurityGroupSetup added in v1.0.0

func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)

func CSI added in v1.28.0

func CSI(cfg *CSIConfiguration) Component

func Compliance

func Compliance(cfg *ComplianceConfiguration) (Component, error)

func Dex added in v1.12.0

func Fluentd added in v1.0.0

func Fluentd(cfg *FluentdConfiguration) Component

func Guardian added in v1.2.0

func Guardian(cfg *GuardianConfiguration) Component

func GuardianPolicy added in v1.28.0

func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)

func IntrusionDetection

func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component

func IntrusionDetectionNamespaceComponent added in v1.35.0

func IntrusionDetectionNamespaceComponent(cfg *IntrusionDetectionNamespaceConfiguration) Component

func LogStorage added in v1.4.0

func LogStorage(cfg *ElasticsearchConfiguration) Component

LogStorage renders the components necessary for kibana and elasticsearch

func Manager added in v1.0.0

func Manager(cfg *ManagerConfiguration) (Component, error)

Manager returns a component for rendering namespaced manager resources.

func Namespaces

func Namespaces(cfg *NamespaceConfiguration) Component

func NewDeletionPassthrough added in v1.29.1

func NewDeletionPassthrough(objs ...client.Object) Component

func NewManagedClusterLogStorage added in v1.32.0

func NewManagedClusterLogStorage(cfg *ManagedClusterLogStorageConfiguration) Component

NewManagedClusterLogStorage returns a component for managed cluster log storage resources.

func NewPassthrough added in v1.22.0

func NewPassthrough(objs ...client.Object) Component

func NewPassthroughWithLog added in v1.34.0

func NewPassthroughWithLog(l logr.Logger, objs ...client.Object) Component

func Node

func Node(cfg *NodeConfiguration) Component

Node creates the node daemonset and other resources for the daemonset to operate normally.

func PacketCaptureAPI added in v1.21.0

func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component

func PacketCaptureAPIPolicy added in v1.28.0

func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component

func PolicyRecommendation added in v1.30.0

func PolicyRecommendation(cfg *PolicyRecommendationConfiguration) Component

func Typha added in v1.0.0

func Typha(cfg *TyphaConfiguration) Component

Typha creates the typha daemonset and other resources for the daemonset to operate normally.

func Windows added in v1.23.0

func Windows(
	cfg *WindowsConfiguration,
) Component

type DexComponentConfiguration added in v1.25.0

type DexComponentConfiguration struct {
	PullSecrets   []*corev1.Secret
	OpenShift     bool
	Installation  *operatorv1.InstallationSpec
	DexConfig     DexConfig
	ClusterDomain string
	DeleteDex     bool
	TLSKeyPair    certificatemanagement.KeyPairInterface
	TrustedBundle certificatemanagement.TrustedBundle

	Authentication *operatorv1.Authentication
}

DexComponentConfiguration contains all the config information needed to render the component.

type DexConfig added in v1.12.0

type DexConfig interface {
	Connector() map[string]interface{}
	RedirectURIs() []string
	// RequiredVolumeMounts returns volume mounts that the KeyValidatorConfig implementation requires.
	RequiredVolumeMounts() []corev1.VolumeMount
	// RequiredVolumes returns volumes that the KeyValidatorConfig implementation requires.
	RequiredVolumes() []corev1.Volume
	authentication.KeyValidatorConfig
}

DexConfig is a config for DexIdP itself.

func NewDexConfig added in v1.12.0

func NewDexConfig(
	certificateManagement *oprv1.CertificateManagement,
	authentication *oprv1.Authentication,
	dexSecret *corev1.Secret,
	idpSecret *corev1.Secret,
	clusterDomain string) DexConfig

Create a new DexConfig.

type DexKeyValidatorConfig added in v1.12.0

type DexKeyValidatorConfig struct {
	// contains filtered or unexported fields
}

func (DexKeyValidatorConfig) BaseURL added in v1.18.0

func (d DexKeyValidatorConfig) BaseURL() string

func (DexKeyValidatorConfig) ClientID added in v1.18.0

func (d DexKeyValidatorConfig) ClientID() string

func (DexKeyValidatorConfig) ClientSecret added in v1.18.0

func (d DexKeyValidatorConfig) ClientSecret() []byte

func (DexKeyValidatorConfig) Issuer added in v1.18.0

func (d DexKeyValidatorConfig) Issuer() string

func (DexKeyValidatorConfig) RedirectURIs added in v1.18.0

func (d DexKeyValidatorConfig) RedirectURIs() []string

func (DexKeyValidatorConfig) RequestedScopes added in v1.18.0

func (d DexKeyValidatorConfig) RequestedScopes() []string

func (*DexKeyValidatorConfig) RequiredAnnotations added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string

RequiredAnnotations returns the annotations that are relevant for a validator config.

func (DexKeyValidatorConfig) RequiredConfigMaps added in v1.18.0

func (d DexKeyValidatorConfig) RequiredConfigMaps(string) []*corev1.ConfigMap

func (*DexKeyValidatorConfig) RequiredEnv added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar

Append variables that are necessary for using the dex authenticator.

func (DexKeyValidatorConfig) RequiredSecrets added in v1.12.0

func (d DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret

func (*DexKeyValidatorConfig) RequiredVolumeMounts added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount

func (*DexKeyValidatorConfig) RequiredVolumes added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume

func (DexKeyValidatorConfig) UsernameClaim added in v1.18.0

func (d DexKeyValidatorConfig) UsernameClaim() string

type EksCloudwatchLogConfig added in v1.0.0

type EksCloudwatchLogConfig struct {
	AwsId         []byte
	AwsKey        []byte
	AwsRegion     string
	GroupName     string
	StreamPrefix  string
	FetchInterval int32
}

type ElasticsearchConfiguration added in v1.25.0

type ElasticsearchConfiguration struct {
	LogStorage              *operatorv1.LogStorage
	Installation            *operatorv1.InstallationSpec
	ManagementCluster       *operatorv1.ManagementCluster
	Elasticsearch           *esv1.Elasticsearch
	ClusterConfig           *relasticsearch.ClusterConfig
	ElasticsearchUserSecret *corev1.Secret
	ElasticsearchKeyPair    certificatemanagement.KeyPairInterface
	PullSecrets             []*corev1.Secret
	Provider                operatorv1.Provider
	CuratorSecrets          []*corev1.Secret
	ESService               *corev1.Service
	ClusterDomain           string
	ElasticLicenseType      ElasticsearchLicenseType
	TrustedBundle           certificatemanagement.TrustedBundleRO
	UnusedTLSSecret         *corev1.Secret
	ApplyTrial              bool
	KeyStoreSecret          *corev1.Secret
}

ElasticsearchConfiguration contains all the config information needed to render the component.

type ElasticsearchLicenseType added in v1.14.0

type ElasticsearchLicenseType string

type FluentdConfiguration added in v1.25.0

type FluentdConfiguration struct {
	LogCollector   *operatorv1.LogCollector
	S3Credential   *S3Credential
	SplkCredential *SplunkCredential
	Filters        *FluentdFilters
	// ESClusterConfig is only populated for when EKSConfig
	// is also defined
	ESClusterConfig *relasticsearch.ClusterConfig
	EKSConfig       *EksCloudwatchLogConfig
	PullSecrets     []*corev1.Secret
	Installation    *operatorv1.InstallationSpec
	ClusterDomain   string
	OSType          rmeta.OSType
	FluentdKeyPair  certificatemanagement.KeyPairInterface
	TrustedBundle   certificatemanagement.TrustedBundle
	ManagedCluster  bool

	// Set if running as a multi-tenant management cluster. Configures the management cluster's
	// own fluentd daemonset.
	Tenant          *operatorv1.Tenant
	ExternalElastic bool

	// Whether to use User provided certificate or not.
	UseSyslogCertificate bool

	// EKSLogForwarderKeyPair contains the certificate presented by EKS LogForwarder when communicating with Linseed
	EKSLogForwarderKeyPair certificatemanagement.KeyPairInterface

	PacketCapture *operatorv1.PacketCaptureAPI
}

FluentdConfiguration contains all the config information needed to render the component.

type FluentdFilters added in v1.0.0

type FluentdFilters struct {
	Flow string
	DNS  string
}

type GuardianComponent added in v1.2.0

type GuardianComponent struct {
	// contains filtered or unexported fields
}

func (*GuardianComponent) Objects added in v1.2.0

func (c *GuardianComponent) Objects() ([]client.Object, []client.Object)

func (*GuardianComponent) Ready added in v1.2.0

func (c *GuardianComponent) Ready() bool

func (*GuardianComponent) ResolveImages added in v1.14.0

func (c *GuardianComponent) ResolveImages(is *operatorv1.ImageSet) error

func (*GuardianComponent) SupportedOSType added in v1.11.0

func (c *GuardianComponent) SupportedOSType() rmeta.OSType

type GuardianConfiguration added in v1.25.0

type GuardianConfiguration struct {
	URL                         string
	PullSecrets                 []*corev1.Secret
	OpenShift                   bool
	Installation                *operatorv1.InstallationSpec
	TunnelSecret                *corev1.Secret
	TrustedCertBundle           certificatemanagement.TrustedBundle
	TunnelCAType                operatorv1.CAType
	ManagementClusterConnection *operatorv1.ManagementClusterConnection

	// PodProxies represents the resolved proxy configuration for each Guardian pod.
	// If this slice is empty, then resolution has not yet occurred. Pods with no proxy
	// configured are represented with a nil value.
	PodProxies []*httpproxy.Config
}

GuardianConfiguration contains all the config information needed to render the component.

type IntrusionDetectionConfiguration added in v1.25.0

type IntrusionDetectionConfiguration struct {
	IntrusionDetection        *operatorv1.IntrusionDetection
	LogCollector              *operatorv1.LogCollector
	Installation              *operatorv1.InstallationSpec
	PullSecrets               []*corev1.Secret
	OpenShift                 bool
	ClusterDomain             string
	ESLicenseType             ElasticsearchLicenseType
	ManagedCluster            bool
	ManagementCluster         bool
	SyslogForwardingIsEnabled bool

	HasNoLicense                 bool
	TrustedCertBundle            certificatemanagement.TrustedBundleRO
	IntrusionDetectionCertSecret certificatemanagement.KeyPairInterface

	Namespace       string
	BindNamespaces  []string
	Tenant          *operatorv1.Tenant
	ExternalElastic bool
}

IntrusionDetectionConfiguration contains all the config information needed to render the component.

type IntrusionDetectionNamespaceConfiguration added in v1.35.0

type IntrusionDetectionNamespaceConfiguration struct {
	Tenant                    *operatorv1.Tenant
	SyslogForwardingIsEnabled bool
	Namespace                 string
	KubernetesProvider        operatorv1.Provider
	HasNoLicense              bool
}

type ManagedClusterLogStorageConfiguration added in v1.32.0

type ManagedClusterLogStorageConfiguration struct {
	Installation  *operatorv1.InstallationSpec
	ClusterDomain string
	Provider      operatorv1.Provider
}

ManagedClusterLogStorageConfiguration contains configuration for managed cluster log storage.

type ManagerConfiguration added in v1.25.0

type ManagerConfiguration struct {
	VoltronRouteConfig *manager.VoltronRouteConfig

	KeyValidatorConfig authentication.KeyValidatorConfig
	PullSecrets        []*corev1.Secret
	OpenShift          bool
	Installation       *operatorv1.InstallationSpec
	ManagementCluster  *operatorv1.ManagementCluster

	// If provided, the KeyPair to used for external connections terminated by Voltron,
	// and connections from the manager pod to Linseed.
	TLSKeyPair certificatemanagement.KeyPairInterface

	// The key pair to use for TLS between Linseed clients in managed clusters and Voltron
	// in the management cluster.
	VoltronLinseedKeyPair certificatemanagement.KeyPairInterface

	// KeyPair used by Voltron as the server certificate when establishing an mTLS tunnel with Guardian.
	TunnelServerCert certificatemanagement.KeyPairInterface

	// TLS KeyPair used by both Voltron and es-proxy, presented by each as part of the mTLS handshake with
	// other services within the cluster. This is used in both management and standalone clusters.
	InternalTLSKeyPair certificatemanagement.KeyPairInterface

	// Certificate bundle used by the manager pod to verify certificates presented
	// by clients as part of mTLS authentication.
	TrustedCertBundle certificatemanagement.TrustedBundleRO

	ClusterDomain           string
	ESLicenseType           ElasticsearchLicenseType
	Replicas                *int32
	Compliance              *operatorv1.Compliance
	ComplianceLicenseActive bool
	ComplianceNamespace     string

	Namespace         string
	TruthNamespace    string
	BindingNamespaces []string

	// Whether to run the rendered components in multi-tenant, single-tenant, or zero-tenant mode
	Tenant          *operatorv1.Tenant
	ExternalElastic bool

	Manager *operatorv1.Manager
}

ManagerConfiguration contains all the config information needed to render the component.

type NamespaceConfiguration added in v1.25.0

type NamespaceConfiguration struct {
	Installation *operatorv1.InstallationSpec
	PullSecrets  []*corev1.Secret
	Terminating  bool
}

NamespaceConfiguration contains all the config information needed to render the component.

type NodeConfiguration added in v1.22.0

type NodeConfiguration struct {
	K8sServiceEp  k8sapi.ServiceEndpoint
	Installation  *operatorv1.InstallationSpec
	IPPools       []operatorv1.IPPool
	TLS           *TyphaNodeTLS
	ClusterDomain string

	// Optional fields.
	LogCollector            *operatorv1.LogCollector
	MigrateNamespaces       bool
	NodeAppArmorProfile     string
	BirdTemplates           map[string]string
	NodeReporterMetricsPort int

	// CanRemoveCNIFinalizer specifies whether CNI plugin is still needed during uninstall since the CNI plugin and
	// associated RBAC resources are required for pod teardown to succeed. Setting this to true removes
	// the finalizer from the CNI plugin and associated RBAC resources, allowing them to be deleted.
	// For details on why this is needed see 'Node and Installation finalizer' in the core_controller.
	CanRemoveCNIFinalizer bool

	PrometheusServerTLS certificatemanagement.KeyPairInterface

	// BGPLayouts is returned by the rendering code after modifying its namespace
	// so that it can be deployed into the cluster.
	// TODO: The controller should pass the contents, the renderer should build its own
	// configmap, rather than this "copy" semantic.
	BGPLayouts *corev1.ConfigMap

	// The health port that Felix should bind to. The controller reads FelixConfiguration
	// and sets this.
	FelixHealthPort int

	// The bindMode read from the default BGPConfiguration. Used to trigger rolling updates
	// should this value change.
	BindMode string
}

NodeConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/node on a cluster.

type PacketCaptureApiConfiguration added in v1.25.0

type PacketCaptureApiConfiguration struct {
	PullSecrets                 []*corev1.Secret
	OpenShift                   bool
	Installation                *operatorv1.InstallationSpec
	KeyValidatorConfig          authentication.KeyValidatorConfig
	ServerCertSecret            certificatemanagement.KeyPairInterface
	TrustedBundle               certificatemanagement.TrustedBundle
	ClusterDomain               string
	ManagementClusterConnection *operatorv1.ManagementClusterConnection

	PacketCaptureAPI *operatorv1.PacketCaptureAPI
}

PacketCaptureApiConfiguration contains all the config information needed to render the component.

type PodSecurityStandard added in v1.28.0

type PodSecurityStandard string

type PolicyRecommendationConfiguration added in v1.30.0

type PolicyRecommendationConfiguration struct {
	ClusterDomain                  string
	Installation                   *operatorv1.InstallationSpec
	ManagedCluster                 bool
	OpenShift                      bool
	PullSecrets                    []*corev1.Secret
	TrustedBundle                  certificatemanagement.TrustedBundleRO
	PolicyRecommendationCertSecret certificatemanagement.KeyPairInterface

	Namespace         string
	BindingNamespaces []string

	// Whether or not to run the rendered components in multi-tenant mode.
	Tenant          *operatorv1.Tenant
	ExternalElastic bool

	PolicyRecommendation *operatorv1.PolicyRecommendation
}

PolicyRecommendationConfiguration contains all the config information needed to render the component.

type Renderer

type Renderer interface {
	Render() []Component
}

A Renderer is capable of generating components to be installed on the cluster.

type S3Credential added in v1.0.0

type S3Credential struct {
	KeyId     []byte
	KeySecret []byte
}

type SplunkCredential added in v1.4.0

type SplunkCredential struct {
	Token []byte
}

type TyphaConfiguration added in v1.22.0

type TyphaConfiguration struct {
	K8sServiceEp      k8sapi.ServiceEndpoint
	Installation      *operatorv1.InstallationSpec
	TLS               *TyphaNodeTLS
	MigrateNamespaces bool
	ClusterDomain     string

	// The health port that Felix is bound to. We configure Typha to bind to the port
	// that is one less.
	FelixHealthPort int
}

TyphaConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/typha on a cluster.

type TyphaNodeTLS added in v1.0.0

type TyphaNodeTLS struct {
	TrustedBundle   certificatemanagement.TrustedBundle
	TyphaSecret     certificatemanagement.KeyPairInterface
	TyphaCommonName string
	TyphaURISAN     string
	NodeSecret      certificatemanagement.KeyPairInterface
	NodeCommonName  string
	NodeURISAN      string
}

TyphaNodeTLS holds configuration for Node and Typha to establish TLS.

type WindowsConfiguration added in v1.32.0

type WindowsConfiguration struct {
	K8sServiceEp            k8sapi.ServiceEndpoint
	K8sDNSServers           []string
	Installation            *operatorv1.InstallationSpec
	ClusterDomain           string
	TLS                     *TyphaNodeTLS
	PrometheusServerTLS     certificatemanagement.KeyPairInterface
	NodeReporterMetricsPort int
	VXLANVNI                int
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL