Documentation ¶
Overview ¶
The code in this file renders the components a managed cluster needs in order to communicate with the Elasticsearch instance in its management cluster.
This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.
Index ¶
- Constants
- Variables
- func AnnotationHash(i interface{}) string
- func ElasticsearchContainerDecorate(c corev1.Container, cluster, secret string) corev1.Container
- func ElasticsearchContainerDecorateENVVars(c corev1.Container, cluster, esUserSecretName string) corev1.Container
- func ElasticsearchContainerDecorateIndexCreator(c corev1.Container, replicas, shards int) corev1.Container
- func ElasticsearchContainerDecorateVolumeMounts(c corev1.Container) corev1.Container
- func ElasticsearchDefaultVolume() corev1.Volume
- func ElasticsearchDefaultVolumeMount() corev1.VolumeMount
- func ElasticsearchPodSpecDecorate(p corev1.PodSpec) corev1.PodSpec
- func GetIPv4Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
- func GetIPv6Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
- func KubeControllers(cr *operator.Installation) *kubeControllersComponent
- func OperatorNamespace() string
- func ParseEndpoint(endpoint string) (string, string, string, error)
- func ParseHostPort(hostport string) (string, string, error)
- func ReplaceImagePath(image, imagepath string) string
- func SetTestLogger(l logr.Logger)
- type Annotatable
- type Component
- func APIServer(installation *operator.Installation, tlsKeyPair *corev1.Secret, ...) (Component, error)
- func AWSSecurityGroupSetup(ps []corev1.LocalObjectReference, installcr *operator.Installation) (Component, error)
- func Compliance(esSecrets []*corev1.Secret, installation *operatorv1.Installation, ...) (Component, error)
- func ConfigMaps(cms []*corev1.ConfigMap) Component
- func CustomResourceDefinitions(cr *operator.Installation) Component
- func ElasticCurator(logStorage operatorv1.LogStorage, esSecrets, pullSecrets []*corev1.Secret, ...) Component
- func Elasticsearch(logStorage *operatorv1.LogStorage, clusterConfig *ElasticsearchClusterConfig, ...) (Component, error)
- func ElasticsearchManaged(clusterDNS string, provider operatorv1.Provider) Component
- func ElasticsearchSecrets(esPublicCertSecret *corev1.Secret, kibanaPublicCertSecret *corev1.Secret) Component
- func Fluentd(lc *operatorv1.LogCollector, esSecrets []*corev1.Secret, ...) Component
- func Guardian(url string, pullSecrets []*corev1.Secret, openshift bool, ...) Component
- func IntrusionDetection(esSecrets []*corev1.Secret, kibanaCertSecret *corev1.Secret, ...) Component
- func Manager(cr *operator.Manager, esSecrets []*corev1.Secret, ...) (Component, error)
- func Namespaces(cr *operator.Installation, openshift bool, pullSecrets []*corev1.Secret) Component
- func Node(cr *operator.Installation, p operator.Provider, nc NetworkConfig, ...) Component
- func PriorityClassDefinitions(cr *operator.Installation) Component
- func Secrets(secrets []*corev1.Secret) Component
- func Typha(cr *operator.Installation, p operator.Provider, tnTLS *TyphaNodeTLS, ...) Component
- type EksCloudwatchLogConfig
- type ElasticsearchClusterConfig
- type FluentdFilters
- type GuardianComponent
- type NetworkConfig
- type Renderer
- type S3Credential
- type TyphaNodeTLS
Constants ¶
const ( APIServerNamespace = "tigera-system" APIServerTLSSecretName = "tigera-apiserver-certs" APIServerSecretKeyName = "apiserver.key" APIServerSecretCertName = "apiserver.crt" )
const (
	// Optional is the boolean constant true. Its consumers are not shown on
	// this page.
	Optional = true
	// DefaultCertificateDuration is 100 * 365 * 24 hours, i.e. roughly 100 years.
	// NOTE(review): a certificate issued with this lifetime does not expire in
	// practice, so expiry cannot be relied on to retire a leaked or weak key;
	// rotation and revocation would have to be handled explicitly. Confirm which
	// certificates are issued with this default and how they are rotated.
	DefaultCertificateDuration = 100 * 365 * 24 * time.Hour
)
const ( ElasticsearchComplianceBenchmarkerUserSecret = "tigera-ee-compliance-benchmarker-elasticsearch-access" ElasticsearchComplianceControllerUserSecret = "tigera-ee-compliance-controller-elasticsearch-access" ElasticsearchComplianceReporterUserSecret = "tigera-ee-compliance-reporter-elasticsearch-access" ElasticsearchComplianceSnapshotterUserSecret = "tigera-ee-compliance-snapshotter-elasticsearch-access" ElasticsearchComplianceServerUserSecret = "tigera-ee-compliance-server-elasticsearch-access" ElasticsearchCuratorUserSecret = "tigera-ee-curator-elasticsearch-access" ComplianceServerCertSecret = "tigera-compliance-server-tls" ComplianceServerCertName = "tls.crt" ComplianceServerKeyName = "tls.key" )
const ( CNICalico = "calico" CNINone = "none" )
// Names, namespaces, endpoints and certificate locations for the ECK operator,
// Elasticsearch and Kibana.
const (
	ECKOperatorName = "elastic-operator"
	ECKOperatorNamespace = "tigera-eck-operator"
	ECKWebhookSecretName = "webhook-server-secret"

	ElasticsearchStorageClass = "tigera-elasticsearch"
	ElasticsearchNamespace = "tigera-elasticsearch"
	// ElasticsearchHTTPURL holds only a service host name (no scheme, no port),
	// despite the "URL" in its name.
	ElasticsearchHTTPURL = "tigera-secure-es-http.tigera-elasticsearch.svc"
	// ElasticsearchHTTPSEndpoint is the same host as a full https URL on port 9200.
	ElasticsearchHTTPSEndpoint = "https://tigera-secure-es-http.tigera-elasticsearch.svc:9200"
	ElasticsearchName = "tigera-secure"
	ElasticsearchConfigMapName = "tigera-secure-elasticsearch"

	// KibanaHTTPURL holds only a service host name (no scheme, no port).
	KibanaHTTPURL = "tigera-secure-kb-http.tigera-kibana.svc"
	// KibanaHTTPSEndpoint is the same host as a full https URL on port 5601.
	KibanaHTTPSEndpoint = "https://tigera-secure-kb-http.tigera-kibana.svc:5601"
	KibanaName = "tigera-secure"
	KibanaNamespace = "tigera-kibana"
	KibanaPublicCertSecret = "tigera-secure-kb-http-certs-public"
	TigeraKibanaCertSecret = "tigera-secure-kibana-cert"
	// KibanaDefaultCertPath is a file path ending in ca.pem.
	// NOTE(review): presumably the CA bundle clients use to verify Kibana's
	// TLS certificate; confirm against the callers.
	KibanaDefaultCertPath = "/etc/ssl/kibana/ca.pem"
	KibanaBasePath = "tigera-kibana"

	DefaultElasticsearchClusterName = "cluster"
	// DefaultElasticsearchReplicas is 0.
	// NOTE(review): if this is the index replica count, each shard exists only
	// once by default, so losing a single Elasticsearch node could lose stored
	// flow, audit and compliance logs. Confirm how this default is applied.
	DefaultElasticsearchReplicas = 0
)
const ( ElasticsearchDefaultCertDir = "/etc/ssl/elastic/" ElasticsearchDefaultCertPath = ElasticsearchDefaultCertDir + "ca.pem" TigeraElasticsearchCertSecret = "tigera-secure-elasticsearch-cert" ElasticsearchPublicCertSecret = "tigera-secure-es-http-certs-public" )
const ( LogCollectorNamespace = "tigera-fluentd" FluentdFilterConfigMapName = "fluentd-filters" FluentdFilterFlowName = "flow" FluentdFilterDNSName = "dns" S3FluentdSecretName = "log-collector-s3-credentials" S3KeyIdName = "key-id" S3KeySecretName = "key-secret" ElasticsearchLogCollectorUserSecret = "tigera-fluentd-elasticsearch-access" ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access" EksLogForwarderSecret = "tigera-eks-log-forwarder-secret" EksLogForwarderAwsId = "aws-id" EksLogForwarderAwsKey = "aws-key" )
const ( GuardianName = "tigera-guardian" GuardianNamespace = GuardianName GuardianServiceAccountName = GuardianName GuardianClusterRoleName = GuardianName GuardianClusterRoleBindingName = GuardianName GuardianDeploymentName = GuardianName GuardianServiceName = "tigera-guardian" GuardianVolumeName = "tigera-guardian-certs" GuardianSecretName = "tigera-managed-cluster-connection" )
The names of the components for the Guardian-related rendered objects.
const ( CalicoRegistry = "docker.io/" TigeraRegistry = "quay.io/" K8sGcrRegistry = "gcr.io/" ECKRegistry = "docker.elastic.co/" )
Default registries for Calico and Tigera.
// Image references for open-source Calico. Each value is a repository name
// followed by ":" and a version string taken from the components package.
// NOTE(review): these are name:tag references; nothing on this page shows
// them being pinned to an image digest. Tags can be re-pointed in a registry,
// so confirm whether digest pinning or signature verification happens elsewhere.
const (
	NodeImageNameCalico = "calico/node:" + components.VersionCalicoNode
	CNIImageName = "calico/cni:" + components.VersionCalicoCNI
	TyphaImageNameCalico = "calico/typha:" + components.VersionCalicoTypha
	KubeControllersImageNameCalico = "calico/kube-controllers:" + components.VersionCalicoKubeControllers
	FlexVolumeImageName = "calico/pod2daemon-flexvol:" + components.VersionFlexVolume
)
This section contains images used when installing open-source Calico.
// Image references for Tigera Secure. Each value is a repository name followed
// by ":" and a version string taken from the components package.
// NOTE(review): these are name:tag references; nothing on this page shows
// them being pinned to an image digest. Tags can be re-pointed in a registry,
// so confirm whether digest pinning or signature verification happens elsewhere.
const (
	// Overrides for Calico.
	NodeImageNameTigera = "tigera/cnx-node:" + components.VersionTigeraNode
	TyphaImageNameTigera = "tigera/typha:" + components.VersionTigeraTypha
	KubeControllersImageNameTigera = "tigera/kube-controllers:" + components.VersionTigeraKubeControllers

	// API server images.
	APIServerImageName = "tigera/cnx-apiserver:" + components.VersionAPIServer
	QueryServerImageName = "tigera/cnx-queryserver:" + components.VersionQueryServer

	// Logging
	FluentdImageName = "tigera/fluentd:" + components.VersionFluentd

	// Compliance images.
	ComplianceControllerImage = "tigera/compliance-controller:" + components.VersionComplianceController
	ComplianceReporterImage = "tigera/compliance-reporter:" + components.VersionComplianceReporter
	ComplianceServerImage = "tigera/compliance-server:" + components.VersionComplianceServer
	ComplianceSnapshotterImage = "tigera/compliance-snapshotter:" + components.VersionComplianceSnapshotter
	ComplianceBenchmarkerImage = "tigera/compliance-benchmarker:" + components.VersionComplianceBenchmarker

	// Intrusion detection images.
	IntrusionDetectionControllerImageName = "tigera/intrusion-detection-controller:" + components.VersionIntrusionDetectionController
	IntrusionDetectionJobInstallerImageName = "tigera/intrusion-detection-job-installer:" + components.VersionIntrusionDetectionJobInstaller

	// Manager images.
	ManagerImageName = "tigera/cnx-manager:" + components.VersionManager
	ManagerProxyImageName = "tigera/voltron:" + components.VersionManagerProxy
	ManagerEsProxyImageName = "tigera/es-proxy:" + components.VersionManagerEsProxy

	// Kibana, ECK operator, Elasticsearch and curator images. The ECK and
	// Elasticsearch repositories are not under the "tigera/" prefix.
	KibanaImageName = "tigera/kibana:" + components.VersionKibana
	ECKOperatorImageName = "eck/eck-operator:" + components.VersionECKOperator
	ECKElasticsearchImageName = "elasticsearch/elasticsearch:" + components.VersionECKElasticsearch
	EsCuratorImageName = "tigera/es-curator:" + components.VersionEsCurator

	// Multicluster tunnel image.
	GuardianImageName = "tigera/guardian:" + components.VersionGuardian
)
This section contains images used when installing Tigera Secure.
const ( IntrusionDetectionNamespace = "tigera-intrusion-detection" ElasticsearchIntrusionDetectionUserSecret = "tigera-ee-intrusion-detection-elasticsearch-access" ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access" IntrusionDetectionInstallerJobName = "intrusion-detection-es-job-installer" )
const ( ManagerNamespace = "tigera-manager" ManagerTLSSecretName = "manager-tls" ManagerSecretKeyName = "key" ManagerSecretCertName = "cert" ManagerOIDCConfig = "tigera-manager-oidc-config" ManagerOIDCWellknownURI = "/usr/share/nginx/html/.well-known" ManagerOIDCJwksURI = "/usr/share/nginx/html/discovery" ElasticsearchManagerUserSecret = "tigera-ee-manager-elasticsearch-access" )
const ( VoltronName = "tigera-voltron" VoltronTunnelSecretName = "tigera-management-cluster-connection" )
ManagementClusterConnection configuration constants
const ( TyphaServiceName = "calico-typha" TyphaPortName = "calico-typha" TyphaK8sAppName = "calico-typha" TyphaServiceAccountName = "calico-typha" AppLabelName = "k8s-app" TyphaPort int32 = 5473 )
const (
	// VoltronDnsName is the literal name "voltron".
	// NOTE(review): presumably used as a DNS name in the Voltron certificate;
	// confirm in voltron_secret.go.
	VoltronDnsName = "voltron"
	// VoltronKeySizeBits is 2048.
	// NOTE(review): presumably the RSA key size for the generated Voltron key;
	// confirm in voltron_secret.go. 2048 bits is generally treated as the
	// minimum acceptable RSA size; if the key backs a long-lived certificate,
	// a larger size or a shorter lifetime is worth considering.
	VoltronKeySizeBits = 2048
)
Voltron related constants.
const (
BirdTemplatesConfigMapName = "bird-templates"
)
const (
ComplianceNamespace = "tigera-compliance"
)
const ElasticsearchServiceName = "tigera-secure-es-http"
const (
// The version is supplied by the renderer.
OperatorInitImageName = "tigera/operator-init:"
)
This section contains images used for utility operator functions.
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"
const (
TigeraPrometheusNamespace = "tigera-prometheus"
)
Variables ¶
var ( TyphaCAConfigMapName = "typha-ca" TyphaCABundleName = "caBundle" TyphaTLSSecretName = "typha-certs" NodeTLSSecretName = "node-certs" TLSSecretCertName = "cert.crt" TLSSecretKeyName = "key.key" CommonName = "common-name" URISAN = "uri-san" )
var (
EsCuratorName = "elastic-curator"
)
Functions ¶
func AnnotationHash ¶ added in v1.0.0
func AnnotationHash(i interface{}) string
AnnotationHash generates a hash that can be included in a Deployment or DaemonSet to trigger a restart/rolling update when a ConfigMap or Secret is updated.
func ElasticsearchContainerDecorate ¶ added in v1.0.0
func ElasticsearchContainerDecorateENVVars ¶ added in v1.0.0
func ElasticsearchContainerDecorateIndexCreator ¶ added in v1.0.2
func ElasticsearchContainerDecorateVolumeMounts ¶ added in v1.0.0
func ElasticsearchDefaultVolume ¶ added in v1.0.0
func ElasticsearchDefaultVolumeMount ¶ added in v1.0.0
func ElasticsearchDefaultVolumeMount() corev1.VolumeMount
func ElasticsearchPodSpecDecorate ¶ added in v1.0.0
func GetIPv4Pool ¶ added in v1.2.0
func GetIPv4Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.
func GetIPv6Pool ¶ added in v1.2.0
func GetIPv6Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.
func KubeControllers ¶
func KubeControllers(cr *operator.Installation) *kubeControllersComponent
func OperatorNamespace ¶ added in v1.0.0
func OperatorNamespace() string
func ParseEndpoint ¶
ParseEndpoint parses an endpoint of the form scheme://host:port and returns the components.
func ReplaceImagePath ¶ added in v1.0.7
func SetTestLogger ¶
Types ¶
type Annotatable ¶ added in v1.2.0
func ElasticsearchDecorateAnnotations ¶ added in v1.2.0
func ElasticsearchDecorateAnnotations(obj Annotatable, config *ElasticsearchClusterConfig, secrets []*corev1.Secret) Annotatable
type Component ¶
type Component interface { // Objects returns all objects this component contains. Objects() []runtime.Object // Ready returns true if the component is ready to be created. Ready() bool }
func AWSSecurityGroupSetup ¶ added in v1.0.0
func AWSSecurityGroupSetup(ps []corev1.LocalObjectReference, installcr *operator.Installation) (Component, error)
func Compliance ¶
func Compliance( esSecrets []*corev1.Secret, installation *operatorv1.Installation, complianceServerCertSecret *corev1.Secret, esClusterConfig *ElasticsearchClusterConfig, pullSecrets []*corev1.Secret, openshift bool, ) (Component, error)
func ConfigMaps ¶ added in v1.0.0
func CustomResourceDefinitions ¶
func CustomResourceDefinitions(cr *operator.Installation) Component
func ElasticCurator ¶ added in v1.0.0
func ElasticCurator(logStorage operatorv1.LogStorage, esSecrets, pullSecrets []*corev1.Secret, installcr *operatorv1.Installation, clusterName string) Component
func Elasticsearch ¶ added in v1.0.0
func Elasticsearch( logStorage *operatorv1.LogStorage, clusterConfig *ElasticsearchClusterConfig, esCertSecret *corev1.Secret, kibanaCertSecret *corev1.Secret, createWebhookSecret bool, pullSecrets []*corev1.Secret, provider operatorv1.Provider, installcr *operatorv1.Installation) (Component, error)
func ElasticsearchManaged ¶ added in v1.2.0
func ElasticsearchManaged(clusterDNS string, provider operatorv1.Provider) Component
func ElasticsearchSecrets ¶ added in v1.0.0
func Fluentd ¶ added in v1.0.0
func Fluentd( lc *operatorv1.LogCollector, esSecrets []*corev1.Secret, esClusterConfig *ElasticsearchClusterConfig, s3C *S3Credential, f *FluentdFilters, eksConfig *EksCloudwatchLogConfig, pullSecrets []*corev1.Secret, installation *operatorv1.Installation, ) Component
func Guardian ¶ added in v1.2.0
func Guardian( url string, pullSecrets []*corev1.Secret, openshift bool, installation *operatorv1.Installation, tunnelSecret *corev1.Secret, ) Component
func IntrusionDetection ¶
func Manager ¶ added in v1.0.0
func Manager( cr *operator.Manager, esSecrets []*corev1.Secret, kibanaSecrets []*corev1.Secret, complianceServerCertSecret *corev1.Secret, esClusterConfig *ElasticsearchClusterConfig, tlsKeyPair *corev1.Secret, pullSecrets []*corev1.Secret, openshift bool, installation *operator.Installation, oidcConfig *corev1.ConfigMap, management bool, tunnelSecret *corev1.Secret, ) (Component, error)
func Namespaces ¶
func Node ¶
func Node(cr *operator.Installation, p operator.Provider, nc NetworkConfig, bt map[string]string, tnTLS *TyphaNodeTLS, migrate bool) Component
Node creates the node daemonset and other resources for the daemonset to operate normally.
func PriorityClassDefinitions ¶
func PriorityClassDefinitions(cr *operator.Installation) Component
func Typha ¶ added in v1.0.0
func Typha(cr *operator.Installation, p operator.Provider, tnTLS *TyphaNodeTLS, migrationNeeded bool) Component
Typha creates the typha daemonset and other resources for the daemonset to operate normally.
type EksCloudwatchLogConfig ¶ added in v1.0.0
type ElasticsearchClusterConfig ¶ added in v1.2.0
type ElasticsearchClusterConfig struct {
// contains filtered or unexported fields
}
func NewElasticsearchClusterConfig ¶ added in v1.2.0
func NewElasticsearchClusterConfig(clusterName string, replicas int, shards int) *ElasticsearchClusterConfig
func NewElasticsearchClusterConfigFromConfigMap ¶ added in v1.2.0
func NewElasticsearchClusterConfigFromConfigMap(configMap *corev1.ConfigMap) (*ElasticsearchClusterConfig, error)
func (ElasticsearchClusterConfig) Annotation ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) Annotation() string
func (ElasticsearchClusterConfig) ClusterName ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) ClusterName() string
func (ElasticsearchClusterConfig) ConfigMap ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) ConfigMap() *corev1.ConfigMap
func (ElasticsearchClusterConfig) Replicas ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) Replicas() int
func (ElasticsearchClusterConfig) Shards ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) Shards() int
type FluentdFilters ¶ added in v1.0.0
type GuardianComponent ¶ added in v1.2.0
type GuardianComponent struct {
// contains filtered or unexported fields
}
func (*GuardianComponent) Objects ¶ added in v1.2.0
func (c *GuardianComponent) Objects() []runtime.Object
func (*GuardianComponent) Ready ¶ added in v1.2.0
func (c *GuardianComponent) Ready() bool
type NetworkConfig ¶ added in v1.0.0
type NetworkConfig struct { CNI string NodenameFileOptional bool IPPools []operatorv1.IPPool }
type Renderer ¶
type Renderer interface {
Render() []Component
}
A Renderer is capable of generating components to be installed on the cluster.
func Calico ¶
func Calico( cr *operator.Installation, pullSecrets []*corev1.Secret, typhaNodeTLS *TyphaNodeTLS, bt map[string]string, p operator.Provider, nc NetworkConfig, up bool, ) (Renderer, error)
type S3Credential ¶ added in v1.0.0
Source Files ¶
- apiserver.go
- aws-securitygroup-setup.go
- common.go
- compliance.go
- config.go
- configmap.go
- crds.go
- elastic_curator.go
- elasticsearch.go
- elasticsearch_decorator.go
- elasticsearch_managed.go
- elasticsearch_secrets.go
- elasticsearchclusterconfig.go
- fluentd.go
- guardian.go
- images.go
- intrusion_detection.go
- kube-controllers.go
- manager.go
- namespaces.go
- node.go
- priority_class.go
- render.go
- secrets.go
- typha.go
- voltron_secret.go