
Documentation

Overview

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.

Index

Constants

const (
	// Namespace and component name used for the Amazon cloud integration.
	AmazonCloudIntegrationNamespace      = "tigera-amazon-cloud-integration"
	AmazonCloudIntegrationComponentName  = "tigera-amazon-cloud-integration"
	// Name of the Kubernetes Secret holding the AWS credentials, and the keys
	// within it for the access key ID and secret access key (see AmazonCredential).
	// The Secret's contents are credentials; never log them.
	AmazonCloudIntegrationCredentialName = "amazon-cloud-integration-credentials"
	AmazonCloudCredentialKeyIdName       = "key-id"
	AmazonCloudCredentialKeySecretName   = "key-secret"
)
const (
	// Keys within the API server TLS Secret for the private key and the certificate.
	APIServerSecretKeyName  = "apiserver.key"
	APIServerSecretCertName = "apiserver.crt"
)
const (
	// Namespace the compliance components are rendered into.
	ComplianceNamespace       = "tigera-compliance"
	// Service name for compliance, and the names of its server, controller
	// and snapshotter components.
	ComplianceServiceName     = "compliance"
	ComplianceServerName      = "compliance-server"
	ComplianceControllerName  = "compliance-controller"
	ComplianceSnapshotterName = "compliance-snapshotter"
)
const (
	// Names of the Secrets holding the Elasticsearch access credentials for each
	// compliance component and for the curator. These carry credentials; handle
	// their contents as sensitive.
	ElasticsearchComplianceBenchmarkerUserSecret = "tigera-ee-compliance-benchmarker-elasticsearch-access"
	ElasticsearchComplianceControllerUserSecret  = "tigera-ee-compliance-controller-elasticsearch-access"
	ElasticsearchComplianceReporterUserSecret    = "tigera-ee-compliance-reporter-elasticsearch-access"
	ElasticsearchComplianceSnapshotterUserSecret = "tigera-ee-compliance-snapshotter-elasticsearch-access"
	ElasticsearchComplianceServerUserSecret      = "tigera-ee-compliance-server-elasticsearch-access"
	ElasticsearchCuratorUserSecret               = "tigera-ee-curator-elasticsearch-access"

	// Name of the Secret holding the compliance server TLS material.
	ComplianceServerCertSecret = "tigera-compliance-server-tls"
)
const (
	// DNS name used for Voltron.
	VoltronDnsName     = "voltron"
	// Key size, in bits, for the Voltron key pair.
	VoltronKeySizeBits = 2048
)

Voltron related constants.

const (
	// ClusterRole granting the permissions needed to create certificate signing
	// requests (bound by CSRClusterRoleBinding).
	CSRClusterRoleName   = "tigera-csr-creator"
	// Name of the init container that provisions a key and certificate via a CSR
	// (built by CreateCSRInitContainer).
	CSRInitContainerName = "key-cert-provisioner"
	// Mount path through which the provisioned certificates are shared.
	CSRCMountPath        = "/certs-share"
)
const (
	// Manifest object variables: the namespace, object name and listening port for Dex.
	DexNamespace  = "tigera-dex"
	DexObjectName = "tigera-dex"
	DexPort       = 5556
	// This is the secret containing just a cert that a client should mount in order to trust Dex.
	DexCertSecretName = "tigera-dex-tls-crt"
	// This is the secret that Dex mounts, containing a key and a cert.
	// Unlike DexCertSecretName it carries private key material.
	DexTLSSecretName = "tigera-dex-tls"

	// Constants related to Dex configurations.
	// Client ID used with Dex; the value matches ManagerServiceName.
	DexClientId = "tigera-manager"

	// Common name to add to the Dex TLS secret. The %s placeholder is presumably
	// filled with the cluster domain (cf. the clusterDomain argument of NewDexConfig) — confirm.
	DexCNPattern = "tigera-dex.tigera-dex.svc.%s"
)
const (
	// Key within the IdP credential Secrets holding the client secret.
	ClientSecretSecretField = "clientSecret"

	// Key holding a root CA to trust, and the names of the Secrets carrying the
	// credentials for each supported identity provider.
	RootCASecretField   = "rootCA"
	OIDCSecretName      = "tigera-oidc-credentials"
	OpenshiftSecretName = "tigera-openshift-credentials"
	LDAPSecretName      = "tigera-ldap-credentials"

	// Keys holding the client ID and the LDAP bind DN and bind password.
	// bindPW and clientSecret are credentials; never log the Secret's contents.
	ClientIDSecretField = "clientID"
	BindDNSecretField   = "bindDN"
	BindPWSecretField   = "bindPW"

	// Default claim used to read group membership from a JWT.
	DefaultGroupsClaim = "groups"
)
const (
	// Namespace for the log collector (fluentd), and the ConfigMap and keys
	// holding its flow and DNS log filters (see FluentdFilters).
	LogCollectorNamespace                    = "tigera-fluentd"
	FluentdFilterConfigMapName               = "fluentd-filters"
	FluentdFilterFlowName                    = "flow"
	FluentdFilterDNSName                     = "dns"
	// Secret holding the S3 credentials and the keys within it (see S3Credential).
	S3FluentdSecretName                      = "log-collector-s3-credentials"
	S3KeyIdName                              = "key-id"
	S3KeySecretName                          = "key-secret"
	// Fluentd's Prometheus TLS Secret, the annotation carrying its hash, and the
	// metrics Service and port names.
	FluentdPrometheusTLSSecretName           = "tigera-fluentd-prometheus-tls"
	FluentdPrometheusTLSSecretHashAnnotation = "hash.operator.tigera.io/tigera-fluentd-prometheus-tls"
	FluentdMetricsService                    = "fluentd-metrics"
	FluentdMetricsPort                       = "fluentd-metrics-port"

	// Elasticsearch access Secrets for fluentd and the EKS log forwarder, and the
	// EKS forwarder's AWS credential Secret and keys (see EksCloudwatchLogConfig).
	ElasticsearchLogCollectorUserSecret    = "tigera-fluentd-elasticsearch-access"
	ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access"
	EksLogForwarderSecret                  = "tigera-eks-log-forwarder-secret"
	EksLogForwarderAwsId                   = "aws-id"
	EksLogForwarderAwsKey                  = "aws-key"
	// Splunk token and public certificate Secrets and their keys (see SplunkCredential),
	// the volume they are mounted through, and where the certificate lands on disk.
	SplunkFluentdTokenSecretName           = "logcollector-splunk-credentials"
	SplunkFluentdSecretTokenKey            = "token"
	SplunkFluentdCertificateSecretName     = "logcollector-splunk-public-certificate"
	SplunkFluentdSecretCertificateKey      = "ca.pem"
	SplunkFluentdSecretsVolName            = "splunk-certificates"
	SplunkFluentdDefaultCertDir            = "/etc/ssl/splunk/"
	// Full path of the mounted Splunk certificate: the cert dir plus the Secret key name.
	SplunkFluentdDefaultCertPath           = SplunkFluentdDefaultCertDir + SplunkFluentdSecretCertificateKey

	// Role and RoleBinding names for the PacketCapture API.
	PacketCaptureAPIRole        = "packetcapture-api-role"
	PacketCaptureAPIRoleBinding = "packetcapture-api-role-binding"
)
const (
	// GuardianName is reused for the namespace, ServiceAccount, ClusterRole,
	// ClusterRoleBinding and Deployment of Guardian.
	GuardianName                   = "tigera-guardian"
	GuardianNamespace              = GuardianName
	GuardianServiceAccountName     = GuardianName
	GuardianClusterRoleName        = GuardianName
	GuardianClusterRoleBindingName = GuardianName
	GuardianDeploymentName         = GuardianName
	// Service name; same literal value as GuardianName.
	GuardianServiceName            = "tigera-guardian"
	// Volume through which Guardian's certificates are mounted.
	GuardianVolumeName             = "tigera-guardian-certs"
	// Secret holding the managed cluster's connection material — presumably the
	// tunnel credentials passed as GuardianConfiguration.TunnelSecret; confirm.
	GuardianSecretName             = "tigera-managed-cluster-connection"
)

The names of the components and rendered objects related to Guardian.

const (
	// Namespace the intrusion detection components are rendered into.
	IntrusionDetectionNamespace = "tigera-intrusion-detection"

	// Secrets holding the Elasticsearch access credentials for intrusion
	// detection, its installer job, the anomaly detection job and performance hotspots.
	ElasticsearchIntrusionDetectionUserSecret    = "tigera-ee-intrusion-detection-elasticsearch-access"
	ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access"
	ElasticsearchADJobUserSecret                 = "tigera-ee-ad-job-elasticsearch-access"
	ElasticsearchPerformanceHotspotsUserSecret   = "tigera-ee-performance-hotspots-elasticsearch-access"

	// Name of the Job that installs the intrusion detection Elasticsearch resources.
	IntrusionDetectionInstallerJobName = "intrusion-detection-es-job-installer"
)
const (
	// ECK (Elastic Cloud on Kubernetes) operator name, namespace and licensing ConfigMap.
	ECKOperatorName         = "elastic-operator"
	ECKOperatorNamespace    = "tigera-eck-operator"
	ECKLicenseConfigMapName = "elastic-licensing"

	// Namespace the Elasticsearch cluster is rendered into.
	ElasticsearchNamespace = "tigera-elasticsearch"

	// Secrets holding the external and internal Elasticsearch certificates.
	TigeraElasticsearchCertSecret         = "tigera-secure-elasticsearch-cert"
	TigeraElasticsearchInternalCertSecret = "tigera-secure-internal-elasticsearch-cert"

	// Elasticsearch cluster, Service and gateway Service names, plus the Secrets
	// for secure settings, the operator user and the built-in admin (elastic) user.
	// The two user Secrets carry credentials; handle their contents as sensitive.
	ElasticsearchName                     = "tigera-secure"
	ElasticsearchServiceName              = "tigera-secure-es-http"
	ESGatewayServiceName                  = "tigera-secure-es-gateway-http"
	ElasticsearchSecureSettingsSecretName = "tigera-elasticsearch-secure-settings"
	ElasticsearchOperatorUserSecret       = "tigera-ee-operator-elasticsearch-access"
	ElasticsearchAdminUserSecret          = "tigera-secure-es-elastic-user"

	// Kibana object names, certificate Secrets, default CA path inside the
	// container, base path, Service name and default dashboard route.
	// KibanaDefaultRoute has two %s placeholders; TimeFilter and FlowsDashboardName
	// below look like the intended fill-ins — confirm against the rendering code.
	KibanaName               = "tigera-secure"
	KibanaNamespace          = "tigera-kibana"
	KibanaPublicCertSecret   = "tigera-secure-es-gateway-http-certs-public"
	KibanaInternalCertSecret = "tigera-secure-kb-http-certs-public"
	TigeraKibanaCertSecret   = "tigera-secure-kibana-cert"
	KibanaDefaultCertPath    = "/etc/ssl/kibana/ca.pem"
	KibanaBasePath           = "tigera-kibana"
	KibanaServiceName        = "tigera-secure-kb-http"
	KibanaDefaultRoute       = "/app/kibana#/dashboards?%s&title=%s"

	// Defaults for the Elasticsearch cluster name, replica count and storage size (Gi).
	DefaultElasticsearchClusterName = "cluster"
	DefaultElasticsearchReplicas    = 0
	DefaultElasticStorageGi         = 10

	// Curator name and ServiceAccount.
	EsCuratorName           = "elastic-curator"
	EsCuratorServiceAccount = "tigera-elastic-curator"

	// ConfigMap of known OIDC users and the Secret holding their Elasticsearch credentials.
	OIDCUsersConfigMapName = "tigera-known-oidc-users"
	OIDCUsersEsSecreteName = "tigera-oidc-users-elasticsearch-credentials"

	// Known Elasticsearch license types. ElasticsearchLicenseTypeUnknown is the
	// empty string, i.e. the zero value of ElasticsearchLicenseType.
	ElasticsearchLicenseTypeBasic           ElasticsearchLicenseType = "basic"
	ElasticsearchLicenseTypeEnterprise      ElasticsearchLicenseType = "enterprise"
	ElasticsearchLicenseTypeEnterpriseTrial ElasticsearchLicenseType = "enterprise_trial"
	ElasticsearchLicenseTypeUnknown         ElasticsearchLicenseType = ""

	// Role and RoleBinding names for managing Elasticsearch.
	EsManagerRole        = "es-manager"
	EsManagerRoleBinding = "es-manager"

	// Annotation keys carrying a hash of the Kibana and Elasticsearch secrets.
	KibanaTLSAnnotationHash        = "hash.operator.tigera.io/kb-secrets"
	ElasticsearchTLSHashAnnotation = "hash.operator.tigera.io/es-secrets"

	// Kibana query-string time filter (last 24h) and the flow logs dashboard title.
	TimeFilter         = "_g=(time:(from:now-24h,to:now))"
	FlowsDashboardName = "Tigera Secure EE Flow Logs"
)
const (
	// Manager Service, namespace, Service IP, ServiceAccount and RBAC object names.
	ManagerServiceName               = "tigera-manager"
	ManagerNamespace                 = "tigera-manager"
	ManagerServiceIP                 = "localhost"
	ManagerServiceAccount            = "tigera-manager"
	ManagerClusterRole               = "tigera-manager-role"
	ManagerClusterRoleBinding        = "tigera-manager-binding"
	// External and internal Manager TLS Secrets and the key/cert entries within them.
	ManagerTLSSecretName             = "manager-tls"
	ManagerSecretKeyName             = "key"
	ManagerSecretCertName            = "cert"
	ManagerInternalTLSSecretName     = "internal-manager-tls"
	ManagerInternalTLSSecretCertName = "internal-manager-tls-cert"
	ManagerInternalSecretKeyName     = "key"
	ManagerInternalSecretCertName    = "cert"

	// Name of the Manager user settings object.
	ManagerUserSettings = "user-settings"

	// Manager's Elasticsearch access Secret and the annotation keys carrying
	// hashes of the TLS and internal TLS secrets.
	ElasticsearchManagerUserSecret   = "tigera-ee-manager-elasticsearch-access"
	TlsSecretHashAnnotation          = "hash.operator.tigera.io/tls-secret"
	ManagerInternalTLSHashAnnotation = "hash.operator.tigera.io/internal-tls-secret"

	// Annotation keys carrying hashes of the Kibana secrets and the Elasticsearch user.
	KibanaTLSHashAnnotation         = "hash.operator.tigera.io/kibana-secrets"
	ElasticsearchUserHashAnnotation = "hash.operator.tigera.io/elasticsearch-user"

	// Secret holding the calico-node Prometheus TLS material.
	PrometheusTLSSecretName = "calico-node-prometheus-tls"
)
const (
	// Voltron component name, the Secret holding the management cluster tunnel
	// credentials, and the cert/key entries within that Secret.
	VoltronName                 = "tigera-voltron"
	VoltronTunnelSecretName     = "tigera-management-cluster-connection"
	VoltronTunnelSecretCertName = "cert"
	VoltronTunnelSecretKeyName  = "key"
)

ManagementClusterConnection configuration constants.

const (
	// ConfigMap holding BIRD templates (see NodeConfiguration.BirdTemplates).
	BirdTemplatesConfigMapName = "bird-templates"

	// Annotation key carrying a hash of the node certificate.
	NodeCertHashAnnotation = "hash.operator.tigera.io/node-cert"

	// CSR label, the BGP layout ConfigMap/key/volume and the path it is mounted
	// at, and the ConfigMap naming the Kubernetes services endpoint.
	CSRLabelCalicoSystem        = "calico-system"
	BGPLayoutConfigMapName      = "bgp-layout"
	BGPLayoutConfigMapKey       = "earlyNetworkConfiguration"
	BGPLayoutVolumeName         = "bgp-layout"
	BGPLayoutPath               = "/etc/calico/early-networking.yaml"
	K8sSvcEndpointConfigMapName = "kubernetes-services-endpoint"

	// calico-node metrics Service, its Prometheus server TLS Secret, the
	// Prometheus CA bundle ConfigMap, and the annotation keys carrying their hashes.
	CalicoNodeMetricsService          = "calico-node-metrics"
	NodePrometheusTLSServerSecret     = "calico-node-prometheus-server-tls"
	NodePrometheusTLSServerAnnotation = "hash.operator.tigera.io/calico-node-prometheus-server-tls"
	PrometheusCABundle                = "tigera-prometheus-metrics-ca-bundle"
	PrometheusCABundleAnnotation      = "hash.operator.tigera.io/tigera-prometheus-metrics-ca-bundle"
)
const (
	// Container name for the PacketCapture server.
	PacketCaptureContainerName          = "tigera-packetcapture-server"
	// PacketCaptureName is reused for the namespace, ServiceAccount, ClusterRole,
	// ClusterRoleBinding, Deployment and Service of the PacketCapture API.
	PacketCaptureName                   = "tigera-packetcapture"
	PacketCaptureNamespace              = PacketCaptureName
	PacketCaptureServiceAccountName     = PacketCaptureName
	PacketCaptureClusterRoleName        = PacketCaptureName
	PacketCaptureClusterRoleBindingName = PacketCaptureName
	PacketCaptureDeploymentName         = PacketCaptureName
	PacketCaptureServiceName            = PacketCaptureName

	// Secret holding the PacketCapture server TLS material and the annotation
	// key carrying its hash.
	PacketCaptureCertSecret        = "tigera-packetcapture-server-tls"
	PacketCaptureTLSHashAnnotation = "hash.operator.tigera.io/packetcapture-certificate"
)

The names of the components and rendered objects related to the PacketCapture API.

const (
	// Typha Service, port, k8s-app label value and ServiceAccount names.
	TyphaServiceName              = "calico-typha"
	TyphaPortName                 = "calico-typha"
	TyphaK8sAppName               = "calico-typha"
	TyphaServiceAccountName       = "calico-typha"
	// Label key used to identify the application.
	AppLabelName                  = "k8s-app"
	// Typha listening port; typed int32 to match the Kubernetes port fields it feeds.
	TyphaPort               int32 = 5473
	// Annotation keys carrying hashes of the Typha CA and certificate.
	TyphaCAHashAnnotation         = "hash.operator.tigera.io/typha-ca"
	TyphaCertHashAnnotation       = "hash.operator.tigera.io/typha-cert"
)
// TigeraAWSSGSetupName is the name of the AWS security group setup component (see AWSSecurityGroupSetup).
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"

Variables

// Declared as var rather than const, so these can be reassigned at runtime;
// treat them as effectively constant in production code.
var (
	// Secret holding the node TLS material, and the cert/key entries within it.
	NodeTLSSecretName = "node-certs"
	TLSSecretCertName = "cert.crt"
	TLSSecretKeyName  = "key.key"
)
// Declared as var rather than const, so these can be reassigned at runtime;
// treat them as effectively constant in production code.
var (
	// Keys for the common name and URI SAN entries.
	CommonName               = "common-name"
	URISAN                   = "uri-san"
	// Common names used for the Typha server and Felix (Typha client) certificates.
	TyphaCommonName          = "typha-server"
	FelixCommonName          = "typha-client"
	// Kubernetes priority class names for node- and cluster-critical pods
	// (see SetClusterCriticalPod).
	NodePriorityClassName    = "system-node-critical"
	ClusterPriorityClassName = "system-cluster-critical"
)
// Declared as var rather than const, so these can be reassigned at runtime;
// treat them as effectively constant in production code.
var (
	// Secret holding the Typha TLS material, the ConfigMap holding the Typha CA,
	// and the key within that ConfigMap for the CA bundle (see TyphaNodeTLS).
	TyphaTLSSecretName   = "typha-certs"
	TyphaCAConfigMapName = "typha-ca"
	TyphaCABundleName    = "caBundle"
)

Functions

func CSRClusterRoleBinding added in v1.22.0

func CSRClusterRoleBinding(name, namespace string) *rbacv1.ClusterRoleBinding

CSRClusterRoleBinding returns a role binding with the necessary permissions to create certificate signing requests.

func CertificateVolumeSource added in v1.25.1

func CertificateVolumeSource(certificateManagement *operatorv1.CertificateManagement, secretName string) corev1.VolumeSource

func CreateCSRInitContainer added in v1.14.0

func CreateCSRInitContainer(
	certificateManagement *operatorv1.CertificateManagement,
	image string,
	mountName string,
	commonName string,
	keyName string,
	certName string,
	dnsNames []string,
	appNameLabel string) corev1.Container

CreateCSRInitContainer creates an init container that can be added to a pod spec in order to create a CSR for its TLS certificates. It uses the provided params and the Kubernetes downward API to be able to specify certificate subject information.

func CreateCertificateConfigMap added in v1.25.1

func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap

CreateCertificateConfigMap is a convenience method for creating a ConfigMap that contains only a CA or cert to trust.

func CreateCertificateSecret added in v1.18.0

func CreateCertificateSecret(caPem []byte, secretName string, namespace string) *corev1.Secret

CreateCertificateSecret is a convenience method for creating a Secret that contains only a CA or cert to trust.

func CreateDexClientSecret added in v1.12.0

func CreateDexClientSecret() *corev1.Secret

func CreateDexTLSSecret added in v1.12.0

func CreateDexTLSSecret(dexCommonName string) *corev1.Secret

func CreateNamespace added in v1.22.0

func CreateNamespace(name string, provider operatorv1.Provider) *corev1.Namespace

func GetIPv4Pool added in v1.2.0

func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool

GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.

func GetIPv6Pool added in v1.2.0

func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool

GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.

func GetTigeraSecurityGroupEnvVariables added in v1.8.0

func GetTigeraSecurityGroupEnvVariables(aci *operatorv1.AmazonCloudIntegration) []corev1.EnvVar

func NewDexKeyValidatorConfig added in v1.12.0

func NewDexKeyValidatorConfig(
	authentication *oprv1.Authentication,
	idpSecret *corev1.Secret,
	certSecret *corev1.Secret,
	clusterDomain string) authentication.KeyValidatorConfig

func ProjectCalicoApiServerServiceName added in v1.25.0

func ProjectCalicoApiServerServiceName(v operatorv1.ProductVariant) string

func ProjectCalicoApiServerTLSSecretName added in v1.25.0

func ProjectCalicoApiServerTLSSecretName(v operatorv1.ProductVariant) string

The following functions are helpers for determining resource names based on the configured product variant.

func ResolveCSRInitImage added in v1.14.0

func ResolveCSRInitImage(inst *operatorv1.InstallationSpec, is *operatorv1.ImageSet) (string, error)

ResolveCSRInitImage resolves the image needed for the CSR init container, taking into account the specified ImageSet.

func SetClusterCriticalPod added in v1.22.0

func SetClusterCriticalPod(t *corev1.PodTemplateSpec)

func SetTestLogger

func SetTestLogger(l logr.Logger)

Types

type APIServerConfiguration added in v1.25.0

// APIServerConfiguration contains all the config information needed to render the component.
type APIServerConfiguration struct {
	// Endpoint of the Kubernetes API service.
	K8SServiceEndpoint          k8sapi.ServiceEndpoint
	// Installation spec being rendered.
	Installation                *operatorv1.InstallationSpec
	// When true, the API server is forced onto the host network.
	ForceHostNetwork            bool
	// Set when this cluster is a management cluster / a managed cluster respectively.
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	AmazonCloudIntegration      *operatorv1.AmazonCloudIntegration
	// Secret holding the API server's TLS key pair (entries named by
	// APIServerSecretKeyName / APIServerSecretCertName).
	TLSKeyPair                  *corev1.Secret
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets                 []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift                   bool
	// Secret holding the CA for the management cluster tunnel.
	TunnelCASecret              *corev1.Secret
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain               string
}

APIServerConfiguration contains all the config information needed to render the component.

type AWSSGSetupConfiguration added in v1.25.0

// AWSSGSetupConfiguration contains all the config information needed to render the component.
type AWSSGSetupConfiguration struct {
	// Image pull Secret references to attach to the rendered workloads.
	PullSecrets  []corev1.LocalObjectReference
	// Installation spec being rendered.
	Installation *operatorv1.InstallationSpec
}

AWSSGSetupConfiguration contains all the config information needed to render the component.

type AmazonCloudIntegrationConfiguration added in v1.25.0

// AmazonCloudIntegrationConfiguration contains all the config information needed to render the component.
type AmazonCloudIntegrationConfiguration struct {
	AmazonCloudIntegration *operatorv1.AmazonCloudIntegration
	// Installation spec being rendered.
	Installation           *operatorv1.InstallationSpec
	// AWS credentials, typically obtained with ConvertSecretToCredential; sensitive.
	Credentials            *AmazonCredential
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets            []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift              bool
}

AmazonCloudIntegrationConfiguration contains all the config information needed to render the component.

type AmazonCredential added in v1.8.0

// AmazonCredential holds raw AWS credential bytes, as read from the Secret
// keys AmazonCloudCredentialKeyIdName and AmazonCloudCredentialKeySecretName.
// Both values are secrets; never log or embed them in error messages.
type AmazonCredential struct {
	KeyId     []byte
	KeySecret []byte
}

func ConvertSecretToCredential added in v1.8.0

func ConvertSecretToCredential(s *corev1.Secret) (*AmazonCredential, error)

type ComplianceConfiguration added in v1.25.0

// ComplianceConfiguration contains all the config information needed to render the component.
type ComplianceConfiguration struct {
	// Elasticsearch access Secrets for the compliance components.
	ESSecrets                   []*corev1.Secret
	// Secret holding the Manager's internal TLS material.
	ManagerInternalTLSSecret    *corev1.Secret
	// Installation spec being rendered.
	Installation                *operatorv1.InstallationSpec
	// Secret holding the compliance server TLS material (see ComplianceServerCertSecret).
	ComplianceServerCertSecret  *corev1.Secret
	ESClusterConfig             *relasticsearch.ClusterConfig
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets                 []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift                   bool
	// Set when this cluster is a management cluster / a managed cluster respectively.
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	// Token validator configuration used for authenticating requests.
	KeyValidatorConfig          authentication.KeyValidatorConfig
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain               string
	// True when no license is present.
	HasNoLicense                bool
}

ComplianceConfiguration contains all the config information needed to render the component.

type Component

// Component is a renderable unit: it resolves the images it needs, then
// produces the objects to create and delete for a rendering pass.
type Component interface {
	// ResolveImages should call components.GetReference for all images that the Component
	// needs, passing 'is' to the GetReference call and if there are any errors those
	// are returned. It is valid to pass nil for 'is' as GetReference accepts the value.
	// ResolveImages must be called before Objects is called for the component.
	ResolveImages(is *operatorv1.ImageSet) error

	// Objects returns the lists of objects in this component that should be created and/or deleted during
	// rendering.
	Objects() (objsToCreate, objsToDelete []client.Object)

	// Ready returns true if the component is ready to be created.
	Ready() bool

	// SupportedOSType returns the operating system type supported by the components returned by the Objects() function.
	// The "componentHandler" converts the returned OSType to a node selector for the "kubernetes.io/os" label on client.Objects
	// that create pods. Returning OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label.
	SupportedOSType() rmeta.OSType
}

func APIServer

func APIServer(cfg *APIServerConfiguration) (Component, error)

func AWSSecurityGroupSetup added in v1.0.0

func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)

func AmazonCloudIntegration added in v1.8.0

func AmazonCloudIntegration(cfg *AmazonCloudIntegrationConfiguration) (Component, error)

func Compliance

func Compliance(cfg *ComplianceConfiguration) (Component, error)

func Dex added in v1.12.0

func Fluentd added in v1.0.0

func Fluentd(cfg *FluentdConfiguration) Component

func Guardian added in v1.2.0

func Guardian(cfg *GuardianConfiguration) Component

func IntrusionDetection

func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component

func LogStorage added in v1.4.0

func LogStorage(cfg *ElasticsearchConfiguration) Component

LogStorage renders the components necessary for Kibana and Elasticsearch.

func Manager added in v1.0.0

func Manager(cfg *ManagerConfiguration) (Component, error)

func Namespaces

func Namespaces(cfg *NamespaceConfiguration) Component

func NewPassthrough added in v1.22.0

func NewPassthrough(objs ...client.Object) Component

func Node

func Node(cfg *NodeConfiguration) Component

Node creates the node daemonset and other resources for the daemonset to operate normally.

func PacketCaptureAPI added in v1.21.0

func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component

func Typha added in v1.0.0

func Typha(cfg *TyphaConfiguration) Component

Typha creates the typha daemonset and other resources for the daemonset to operate normally.

func Windows added in v1.23.0

func Windows(
	cr *operatorv1.InstallationSpec,
) Component

type DexComponentConfiguration added in v1.25.0

// DexComponentConfiguration contains all the config information needed to render the component.
type DexComponentConfiguration struct {
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets   []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift     bool
	// Installation spec being rendered.
	Installation  *operatorv1.InstallationSpec
	// Configuration for Dex itself (see NewDexConfig).
	DexConfig     DexConfig
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain string
	// When true, the Dex objects are to be removed rather than created.
	DeleteDex     bool
}

DexComponentConfiguration contains all the config information needed to render the component.

type DexConfig added in v1.12.0

// DexConfig is a config for DexIdP itself.
type DexConfig interface {
	// Connector returns the Dex connector configuration as a generic map.
	Connector() map[string]interface{}
	// CreateCertSecret returns the Secret carrying the certificate that clients
	// mount in order to trust Dex (presumably DexCertSecretName — confirm).
	CreateCertSecret() *corev1.Secret
	// RedirectURIs returns the redirect URIs registered for the client.
	RedirectURIs() []string
	authentication.KeyValidatorConfig
}

DexConfig is a config for DexIdP itself.

func NewDexConfig added in v1.12.0

func NewDexConfig(
	certificateManagement *oprv1.CertificateManagement,
	authentication *oprv1.Authentication,
	tlsSecret *corev1.Secret,
	dexSecret *corev1.Secret,
	idpSecret *corev1.Secret,
	clusterDomain string) DexConfig

NewDexConfig creates a new DexConfig.

type DexKeyValidatorConfig added in v1.12.0

type DexKeyValidatorConfig struct {
	// contains filtered or unexported fields
}

func (DexKeyValidatorConfig) BaseURL added in v1.18.0

func (d DexKeyValidatorConfig) BaseURL() string

func (DexKeyValidatorConfig) ClientID added in v1.18.0

func (d DexKeyValidatorConfig) ClientID() string

func (DexKeyValidatorConfig) ClientSecret added in v1.18.0

func (d DexKeyValidatorConfig) ClientSecret() []byte

func (DexKeyValidatorConfig) Issuer added in v1.18.0

func (d DexKeyValidatorConfig) Issuer() string

func (DexKeyValidatorConfig) RedirectURIs added in v1.18.0

func (d DexKeyValidatorConfig) RedirectURIs() []string

func (DexKeyValidatorConfig) RequestedScopes added in v1.18.0

func (d DexKeyValidatorConfig) RequestedScopes() []string

func (*DexKeyValidatorConfig) RequiredAnnotations added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string

RequiredAnnotations returns the annotations that are relevant for a validator config.

func (DexKeyValidatorConfig) RequiredConfigMaps added in v1.18.0

func (d DexKeyValidatorConfig) RequiredConfigMaps(namespace string) []*corev1.ConfigMap

func (*DexKeyValidatorConfig) RequiredEnv added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar

RequiredEnv returns the environment variables that are necessary for using the Dex authenticator.

func (DexKeyValidatorConfig) RequiredSecrets added in v1.12.0

func (d DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret

func (*DexKeyValidatorConfig) RequiredVolumeMounts added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount

RequiredVolumeMounts returns the volume mount for the UBI base image trusted certificate location.

func (*DexKeyValidatorConfig) RequiredVolumes added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume

RequiredVolumes returns the volume for the Dex TLS secret.

func (DexKeyValidatorConfig) UsernameClaim added in v1.18.0

func (d DexKeyValidatorConfig) UsernameClaim() string

type DexRelyingPartyConfig added in v1.12.0

// DexRelyingPartyConfig is a config for relying parties / applications that use Dex as their IdP.
type DexRelyingPartyConfig interface {
	// JWKSURI returns the endpoint for public keys
	JWKSURI() string
	// TokenURI returns the endpoint for exchanging tokens
	TokenURI() string
	// UserInfoURI returns the endpoint for user info.
	UserInfoURI() string
	// ClientSecret returns the secret for Dex's auth endpoint. The value is a
	// credential; never log it.
	ClientSecret() []byte
	// RequestedScopes returns the scopes to request from Dex.
	RequestedScopes() []string
	// UsernameClaim returns the part of the JWT that represents a unique username.
	UsernameClaim() string
	// BaseURL returns the address where the Manager UI can be found. Ex: https://example.org
	BaseURL() string
	authentication.KeyValidatorConfig
}

DexRelyingPartyConfig is a config for relying parties / applications that use Dex as their IdP.

func NewDexRelyingPartyConfig added in v1.12.0

func NewDexRelyingPartyConfig(
	authentication *oprv1.Authentication,
	certSecret *corev1.Secret,
	dexSecret *corev1.Secret,
	clusterDomain string) DexRelyingPartyConfig

type EksCloudwatchLogConfig added in v1.0.0

// EksCloudwatchLogConfig configures the EKS CloudWatch log forwarder.
type EksCloudwatchLogConfig struct {
	// Raw AWS credential bytes (Secret keys EksLogForwarderAwsId / EksLogForwarderAwsKey); sensitive.
	AwsId         []byte
	AwsKey        []byte
	// AWS region, CloudWatch log group and log stream prefix to read from.
	AwsRegion     string
	GroupName     string
	StreamPrefix  string
	// Fetch interval; units are not stated here — confirm against the rendering code.
	FetchInterval int32
}

type ElasticsearchConfiguration added in v1.25.0

// ElasticsearchConfiguration contains all the config information needed to render the component.
type ElasticsearchConfiguration struct {
	// LogStorage resource and installation spec being rendered.
	LogStorage                  *operatorv1.LogStorage
	Installation                *operatorv1.InstallationSpec
	// Set when this cluster is a management cluster / a managed cluster respectively.
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	// Existing Elasticsearch and Kibana resources, if any.
	Elasticsearch               *esv1.Elasticsearch
	Kibana                      *kbv1.Kibana
	ClusterConfig               *relasticsearch.ClusterConfig
	// Elasticsearch Secrets and the Kibana certificate Secrets.
	ElasticsearchSecrets        []*corev1.Secret
	KibanaCertSecret            *corev1.Secret
	KibanaInternalCertSecret    *corev1.Secret
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets                 []*corev1.Secret
	// Cloud/platform provider the cluster runs on.
	Provider                    operatorv1.Provider
	// Secrets used by the curator.
	CuratorSecrets              []*corev1.Secret
	// Existing Elasticsearch and Kibana Services, if any.
	ESService                   *corev1.Service
	KbService                   *corev1.Service
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain               string
	// Dex relying-party configuration for Kibana.
	DexCfg                      DexRelyingPartyConfig
	BaseURL                     string // BaseUrl is where the manager is reachable, for setting Kibana publicBaseUrl
	// Detected Elasticsearch license type (see the ElasticsearchLicenseType* constants).
	ElasticLicenseType          ElasticsearchLicenseType
}

ElasticsearchConfiguration contains all the config information needed to render the component.

type ElasticsearchLicenseType added in v1.14.0

// ElasticsearchLicenseType identifies the Elasticsearch license in use; see the
// ElasticsearchLicenseType* constants. The zero value is ElasticsearchLicenseTypeUnknown.
type ElasticsearchLicenseType string

type FluentdConfiguration added in v1.25.0

// FluentdConfiguration contains all the config information needed to render the component.
type FluentdConfiguration struct {
	// LogCollector resource being rendered.
	LogCollector    *operatorv1.LogCollector
	// Elasticsearch access Secrets for fluentd.
	ESSecrets       []*corev1.Secret
	ESClusterConfig *relasticsearch.ClusterConfig
	// Optional S3, Splunk and EKS CloudWatch output configuration; each holds
	// credentials and must be handled as sensitive.
	S3Credential    *S3Credential
	SplkCredential  *SplunkCredential
	Filters         *FluentdFilters
	EKSConfig       *EksCloudwatchLogConfig
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets     []*corev1.Secret
	// Installation spec being rendered.
	Installation    *operatorv1.InstallationSpec
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain   string
	// Operating system type the rendered objects target (see Component.SupportedOSType).
	OSType          rmeta.OSType
	// Fluentd's TLS Secret and the ConfigMap with the CA bundle it trusts.
	TLS             *corev1.Secret
	TrustedBundle   *corev1.ConfigMap
}

FluentdConfiguration contains all the config information needed to render the component.

type FluentdFilters added in v1.0.0

// FluentdFilters holds the flow and DNS log filter contents, stored under the
// FluentdFilterFlowName and FluentdFilterDNSName keys of FluentdFilterConfigMapName.
type FluentdFilters struct {
	Flow string
	DNS  string
}

type GuardianComponent added in v1.2.0

type GuardianComponent struct {
	// contains filtered or unexported fields
}

func (*GuardianComponent) Objects added in v1.2.0

func (c *GuardianComponent) Objects() ([]client.Object, []client.Object)

func (*GuardianComponent) Ready added in v1.2.0

func (c *GuardianComponent) Ready() bool

func (*GuardianComponent) ResolveImages added in v1.14.0

func (c *GuardianComponent) ResolveImages(is *operatorv1.ImageSet) error

func (*GuardianComponent) SupportedOSType added in v1.11.0

func (c *GuardianComponent) SupportedOSType() rmeta.OSType

type GuardianConfiguration added in v1.25.0

// GuardianConfiguration contains all the config information needed to render the component.
type GuardianConfiguration struct {
	// URL of the management cluster Guardian connects to.
	URL                  string
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets          []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift            bool
	// Installation spec being rendered.
	Installation         *operatorv1.InstallationSpec
	// Secret holding the tunnel credentials for the management cluster connection; sensitive.
	TunnelSecret         *corev1.Secret
	// Certificate Secrets for the PacketCapture server and Prometheus.
	PacketCaptureSecret  *corev1.Secret
	PrometheusCertSecret *corev1.Secret
}

GuardianConfiguration contains all the config information needed to render the component.

type IntrusionDetectionConfiguration added in v1.25.0

// IntrusionDetectionConfiguration contains all the config information needed to render the component.
type IntrusionDetectionConfiguration struct {
	// LogCollector resource, if any.
	LogCollector             *operatorv1.LogCollector
	// Elasticsearch access Secrets for the intrusion detection components.
	ESSecrets                []*corev1.Secret
	// Secret holding the Kibana certificate.
	KibanaCertSecret         *corev1.Secret
	// Installation spec being rendered.
	Installation             *operatorv1.InstallationSpec
	ESClusterConfig          *relasticsearch.ClusterConfig
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets              []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift                bool
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain            string
	// Detected Elasticsearch license type (see the ElasticsearchLicenseType* constants).
	ESLicenseType            ElasticsearchLicenseType
	// True when this cluster is a managed cluster.
	ManagedCluster           bool
	// True when no license is present.
	HasNoLicense             bool
	// Secret holding the Manager's internal TLS material.
	ManagerInternalTLSSecret *corev1.Secret
}

IntrusionDetectionConfiguration contains all the config information needed to render the component.

type ManagerConfiguration added in v1.25.0

// ManagerConfiguration contains all the config information needed to render the component.
type ManagerConfiguration struct {
	// Token validator configuration used for authenticating requests.
	KeyValidatorConfig            authentication.KeyValidatorConfig
	// Elasticsearch and Kibana access Secrets.
	ESSecrets                     []*corev1.Secret
	KibanaSecrets                 []*corev1.Secret
	// Certificate Secrets for the compliance server, PacketCapture server and Prometheus.
	ComplianceServerCertSecret    *corev1.Secret
	PacketCaptureServerCertSecret *corev1.Secret
	PrometheusCertSecret          *corev1.Secret
	ESClusterConfig               *relasticsearch.ClusterConfig
	// Secret holding the Manager's TLS key pair; contains private key material.
	TLSKeyPair                    *corev1.Secret
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets                   []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift                     bool
	// Installation spec being rendered.
	Installation                  *operatorv1.InstallationSpec
	// Set when this cluster is a management cluster.
	ManagementCluster             *operatorv1.ManagementCluster
	// Secrets for the management cluster tunnel and for internal traffic; both
	// carry key material and must be handled as sensitive.
	TunnelSecret                  *corev1.Secret
	InternalTrafficSecret         *corev1.Secret
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain                 string
	// Detected Elasticsearch license type (see the ElasticsearchLicenseType* constants).
	ESLicenseType                 ElasticsearchLicenseType
	// Desired Manager replica count; nil presumably means "use the default" — confirm.
	Replicas                      *int32
}

ManagerConfiguration contains all the config information needed to render the component.

type NamespaceConfiguration added in v1.25.0

// NamespaceConfiguration contains all the config information needed to render the component.
type NamespaceConfiguration struct {
	// Installation spec being rendered.
	Installation *operatorv1.InstallationSpec
	// Image pull Secrets to copy into the rendered namespaces.
	PullSecrets  []*corev1.Secret
}

NamespaceConfiguration contains all the config information needed to render the component.

type NodeConfiguration added in v1.22.0

// NodeConfiguration is the public API used to provide information to the render code
// to generate Kubernetes objects for installing calico/node on a cluster.
type NodeConfiguration struct {
	// Endpoint of the Kubernetes API service.
	K8sServiceEp  k8sapi.ServiceEndpoint
	// Installation spec being rendered.
	Installation  *operatorv1.InstallationSpec
	// TLS material shared between Node and Typha.
	TLS           *TyphaNodeTLS
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain string

	// Optional fields.
	AmazonCloudIntegration  *operatorv1.AmazonCloudIntegration
	LogCollector            *operatorv1.LogCollector
	MigrateNamespaces       bool
	// AppArmor profile to apply to the node pods, if any.
	NodeAppArmorProfile     string
	// BIRD template contents keyed by name (cf. BirdTemplatesConfigMapName).
	BirdTemplates           map[string]string
	// Port the node reporter exposes metrics on.
	NodeReporterMetricsPort int

	// Prometheus server TLS Secret and the CA bundle ConfigMap for metrics scraping.
	PrometheusServerTLS       *corev1.Secret
	PrometheusMetricsCABundle *corev1.ConfigMap

	// BGPLayouts is returned by the rendering code after modifying its namespace
	// so that it can be deployed into the cluster.
	// TODO: The controller should pass the contents, the renderer should build its own
	// configmap, rather than this "copy" semantic.
	BGPLayouts *corev1.ConfigMap
}

NodeConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/node on a cluster.

type PacketCaptureApiConfiguration added in v1.25.0

// PacketCaptureApiConfiguration contains all the config information needed to render the component.
type PacketCaptureApiConfiguration struct {
	// Image pull Secrets to attach to the rendered workloads.
	PullSecrets        []*corev1.Secret
	// True when rendering for OpenShift.
	Openshift          bool
	// Installation spec being rendered.
	Installation       *operatorv1.InstallationSpec
	// Token validator configuration used for authenticating requests.
	KeyValidatorConfig authentication.KeyValidatorConfig
	// Secret holding the PacketCapture server TLS material (see PacketCaptureCertSecret).
	ServerCertSecret   *corev1.Secret
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain      string
}

PacketCaptureApiConfiguration contains all the config information needed to render the component.

type Renderer

// A Renderer is capable of generating components to be installed on the cluster.
type Renderer interface {
	// Render returns the Components to install; callers must call ResolveImages
	// on each before Objects (see Component).
	Render() []Component
}

A Renderer is capable of generating components to be installed on the cluster.

type S3Credential added in v1.0.0

// S3Credential holds raw S3 credential bytes, as read from the Secret keys
// S3KeyIdName and S3KeySecretName. Both values are secrets; never log them.
type S3Credential struct {
	KeyId     []byte
	KeySecret []byte
}

type SplunkCredential added in v1.4.0

// SplunkCredential holds the Splunk token (Secret key SplunkFluentdSecretTokenKey)
// and the public certificate (Secret key SplunkFluentdSecretCertificateKey).
// The token is a credential; never log it.
type SplunkCredential struct {
	Token       []byte
	Certificate []byte
}

type TyphaConfiguration added in v1.22.0

// TyphaConfiguration is the public API used to provide information to the render code
// to generate Kubernetes objects for installing calico/typha on a cluster.
type TyphaConfiguration struct {
	// Endpoint of the Kubernetes API service.
	K8sServiceEp           k8sapi.ServiceEndpoint
	// Installation spec being rendered.
	Installation           *operatorv1.InstallationSpec
	// TLS material shared between Node and Typha.
	TLS                    *TyphaNodeTLS
	AmazonCloudIntegration *operatorv1.AmazonCloudIntegration
	MigrateNamespaces      bool
	// Cluster DNS domain used when building in-cluster hostnames.
	ClusterDomain          string
}

TyphaConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/typha on a cluster.

type TyphaNodeTLS added in v1.0.0

// TyphaNodeTLS holds configuration for Node and Typha to establish TLS.
type TyphaNodeTLS struct {
	// ConfigMap holding the Typha CA (cf. TyphaCAConfigMapName / TyphaCABundleName).
	CAConfigMap *corev1.ConfigMap
	// Secrets holding the Typha and Node TLS material (cf. TyphaTLSSecretName /
	// NodeTLSSecretName); both contain private keys.
	TyphaSecret *corev1.Secret
	NodeSecret  *corev1.Secret
}

TyphaNodeTLS holds configuration for Node and Typha to establish TLS.
