Overview ¶
This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.
Index ¶
- Constants
- Variables
- func ApiServerServiceAccountName(v operatorv1.ProductVariant) string
- func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap
- func CreateCertificateSecret(caPem []byte, secretName string, namespace string) *corev1.Secret
- func CreateDexClientSecret() *corev1.Secret
- func CreateElasticsearchKeystoreSecret() *corev1.Secret
- func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace
- func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
- func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
- func GetTigeraSecurityGroupEnvVariables(aci *operatorv1.AmazonCloudIntegration) []corev1.EnvVar
- func NewDexKeyValidatorConfig(authentication *oprv1.Authentication, idpSecret *corev1.Secret, ...) authentication.KeyValidatorConfig
- func ProjectCalicoApiServerServiceName(v operatorv1.ProductVariant) string
- func ProjectCalicoApiServerTLSSecretName(v operatorv1.ProductVariant) string
- func SetClusterCriticalPod(t *corev1.PodTemplateSpec)
- func SetTestLogger(l logr.Logger)
- type APIServerConfiguration
- type AWSSGSetupConfiguration
- type AmazonCloudIntegrationConfiguration
- type AmazonCredential
- type CSIConfiguration
- type ComplianceConfiguration
- type Component
- func APIServer(cfg *APIServerConfiguration) (Component, error)
- func APIServerPolicy(cfg *APIServerConfiguration) Component
- func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)
- func AmazonCloudIntegration(cfg *AmazonCloudIntegrationConfiguration) (Component, error)
- func CSI(cfg *CSIConfiguration) Component
- func Compliance(cfg *ComplianceConfiguration) (Component, error)
- func Dex(cfg *DexComponentConfiguration) Component
- func Fluentd(cfg *FluentdConfiguration) Component
- func Guardian(cfg *GuardianConfiguration) Component
- func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)
- func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component
- func LogStorage(cfg *ElasticsearchConfiguration) Component
- func Manager(cfg *ManagerConfiguration) (Component, error)
- func Namespaces(cfg *NamespaceConfiguration) Component
- func NewPassthrough(objs ...client.Object) Component
- func Node(cfg *NodeConfiguration) Component
- func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component
- func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component
- func Typha(cfg *TyphaConfiguration) Component
- func Windows(cfg *WindowsConfig) Component
- type DexComponentConfiguration
- type DexConfig
- type DexKeyValidatorConfig
- func (d DexKeyValidatorConfig) BaseURL() string
- func (d DexKeyValidatorConfig) ClientID() string
- func (d DexKeyValidatorConfig) ClientSecret() []byte
- func (d DexKeyValidatorConfig) Issuer() string
- func (d DexKeyValidatorConfig) RedirectURIs() []string
- func (d DexKeyValidatorConfig) RequestedScopes() []string
- func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string
- func (d DexKeyValidatorConfig) RequiredConfigMaps(string) []*corev1.ConfigMap
- func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar
- func (d DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret
- func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount
- func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume
- func (d DexKeyValidatorConfig) UsernameClaim() string
- type EksCloudwatchLogConfig
- type ElasticsearchConfiguration
- type ElasticsearchLicenseType
- type FluentdConfiguration
- type FluentdFilters
- type GuardianComponent
- type GuardianConfiguration
- type IntrusionDetectionConfiguration
- type ManagerConfiguration
- type NamespaceConfiguration
- type NodeConfiguration
- type PacketCaptureApiConfiguration
- type PodSecurityStandard
- type Renderer
- type S3Credential
- type SplunkCredential
- type TyphaConfiguration
- type TyphaNodeTLS
- type WindowsConfig
Constants ¶
// Names used by the Amazon cloud integration component. The namespace and
// the component name deliberately share one value.
const (
	AmazonCloudIntegrationNamespace     = "tigera-amazon-cloud-integration"
	AmazonCloudIntegrationComponentName = "tigera-amazon-cloud-integration"
	// Name of the credentials object and the data keys inside it. Only the
	// names live in this package; presumably the key id / key secret values
	// are read from the referenced object at render time — confirm in the
	// AmazonCloudIntegration renderer.
	AmazonCloudIntegrationCredentialName = "amazon-cloud-integration-credentials"
	AmazonCloudCredentialKeyIdName       = "key-id"
	AmazonCloudCredentialKeySecretName   = "key-secret"
)
// API server port and network policy name. Like every other *PolicyName in
// this package the policy name carries the shared tigera component prefix.
const (
	APIServerPort       = 5443
	APIServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "cnx-apiserver-access"
)
// Query server and API server container naming. Note the mixed
// QueryServer/Queryserver casing: both spellings are exported and callers
// depend on them as written.
const (
	QueryServerPort        = 8080
	QueryserverNamespace   = "tigera-system"
	QueryserverServiceName = "tigera-api"
	// Use the same API server container name for both OSS and Enterprise.
	APIServerContainerName                  = "calico-apiserver"
	TigeraAPIServerQueryServerContainerName = "tigera-queryserver"
)
// Compliance component names. ComplianceServerPolicyName is derived from
// ComplianceServerName, so renaming the server renames its policy as well;
// ComplianceAccessPolicyName uses its own literal suffix.
const (
	ComplianceNamespace        = "tigera-compliance"
	ComplianceServiceName      = "compliance"
	ComplianceServerName       = "compliance-server"
	ComplianceControllerName   = "compliance-controller"
	ComplianceSnapshotterName  = "compliance-snapshotter"
	ComplianceReporterName     = "compliance-reporter"
	ComplianceBenchmarkerName  = "compliance-benchmarker"
	ComplianceServerSAName     = "tigera-compliance-server"
	ComplianceAccessPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "compliance-access"
	ComplianceServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + ComplianceServerName
)
// Names of the per-component Elasticsearch access credential objects for the
// compliance components and the curator, plus the compliance server TLS
// secret name. Each component gets its own credential object rather than a
// shared one, which presumably lets each component's Elasticsearch access be
// scoped and rotated independently — confirm against the ES user rendering.
const (
	ElasticsearchComplianceBenchmarkerUserSecret = "tigera-ee-compliance-benchmarker-elasticsearch-access"
	ElasticsearchComplianceControllerUserSecret  = "tigera-ee-compliance-controller-elasticsearch-access"
	ElasticsearchComplianceReporterUserSecret    = "tigera-ee-compliance-reporter-elasticsearch-access"
	ElasticsearchComplianceSnapshotterUserSecret = "tigera-ee-compliance-snapshotter-elasticsearch-access"
	ElasticsearchComplianceServerUserSecret      = "tigera-ee-compliance-server-elasticsearch-access"
	ElasticsearchCuratorUserSecret               = "tigera-ee-curator-elasticsearch-access"
	ComplianceServerCertSecret                   = "tigera-compliance-server-tls"
)
// CSI driver naming and the control-plane toleration keys. Both the
// control-plane and the legacy master taint keys are listed, presumably so
// the driver daemonset can be scheduled on nodes tainted either way —
// confirm in the CSI renderer.
const (
	CSIDriverName                = "csi.tigera.io"
	CSITolerationControlPlaneKey = "node-role.kubernetes.io/control-plane"
	CSITolerationMasterKey       = "node-role.kubernetes.io/master"
	CSITolerationOperator        = "Exists"
	CSIDaemonSetName             = "csi-node-driver"
	CSIDaemonSetNamespace        = "calico-system"
	CSIContainerName             = "calico-csi"
	CSIRegistrarContainerName    = "csi-node-driver-registrar"
)
// Dex (identity provider) names. The namespace and the object name share one
// value. DexClientId is the client id string handed to Dex; judging by its
// value it identifies the manager — confirm in the Dex config rendering.
const (
	DexNamespace     = "tigera-dex"
	DexObjectName    = "tigera-dex"
	DexPort          = 5556
	DexTLSSecretName = "tigera-dex-tls"
	DexClientId      = "tigera-manager"
	DexPolicyName    = networkpolicy.TigeraComponentPolicyPrefix + "allow-tigera-dex"
)
// Object names and data keys for identity-provider credentials. The *Field
// constants are keys inside the credential objects; which of the OIDC,
// OpenShift or LDAP objects carries which key is not visible here. Only the
// key names are defined in this package, never the values.
const (
	ClientSecretSecretField = "clientSecret"
	RootCASecretField       = "rootCA"
	OIDCSecretName          = "tigera-oidc-credentials"
	OpenshiftSecretName     = "tigera-openshift-credentials"
	LDAPSecretName          = "tigera-ldap-credentials"
	ClientIDSecretField     = "clientID"
	BindDNSecretField       = "bindDN"
	BindPWSecretField       = "bindPW"
	// Default JWT claim to read group membership from.
	DefaultGroupsClaim = "groups"
)
// Log collector (fluentd) names, credential object names and keys, and the
// certificate paths inside the fluentd container. The *Path constants are
// composed from their *Dir and key constants, so changing a key constant also
// changes the file name the container expects. Judging by the names, the
// Splunk certificate and the syslog CA are trust anchors (a public
// certificate and a CA bundle in a ConfigMap), not private key material.
const (
	LogCollectorNamespace                  = "tigera-fluentd"
	FluentdFilterConfigMapName             = "fluentd-filters"
	FluentdFilterFlowName                  = "flow"
	FluentdFilterDNSName                   = "dns"
	S3FluentdSecretName                    = "log-collector-s3-credentials"
	S3KeyIdName                            = "key-id"
	S3KeySecretName                        = "key-secret"
	FluentdPrometheusTLSSecretName         = "tigera-fluentd-prometheus-tls"
	FluentdMetricsService                  = "fluentd-metrics"
	FluentdMetricsPortName                 = "fluentd-metrics-port"
	FluentdMetricsPort                     = 9081
	FluentdPolicyName                      = networkpolicy.TigeraComponentPolicyPrefix + "allow-fluentd-node"
	ElasticsearchLogCollectorUserSecret    = "tigera-fluentd-elasticsearch-access"
	ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access"
	EksLogForwarderSecret                  = "tigera-eks-log-forwarder-secret"
	EksLogForwarderAwsId                   = "aws-id"
	EksLogForwarderAwsKey                  = "aws-key"
	SplunkFluentdTokenSecretName           = "logcollector-splunk-credentials"
	SplunkFluentdSecretTokenKey            = "token"
	SplunkFluentdCertificateSecretName     = "logcollector-splunk-public-certificate"
	SplunkFluentdSecretCertificateKey      = "ca.pem"
	SplunkFluentdSecretsVolName            = "splunk-certificates"
	SplunkFluentdDefaultCertDir            = "/etc/ssl/splunk/"
	SplunkFluentdDefaultCertPath           = SplunkFluentdDefaultCertDir + SplunkFluentdSecretCertificateKey
	SysLogPublicCADir                      = "/etc/pki/tls/certs/"
	SysLogPublicCertKey                    = "ca-bundle.crt"
	SysLogPublicCAPath                     = SysLogPublicCADir + SysLogPublicCertKey
	SyslogCAConfigMapName                  = "syslog-ca"
	FluentdNodeName                        = "fluentd-node"
	// Packet capture RBAC names also live in this block.
	PacketCaptureAPIRole        = "packetcapture-api-role"
	PacketCaptureAPIRoleBinding = "packetcapture-api-role-binding"
)
// The names of the components related to the rendered Guardian objects.
// Most of them are aliases of GuardianName. GuardianSecretName
// ("tigera-managed-cluster-connection") and VoltronTunnelSecretName
// ("tigera-management-cluster-connection", declared below) differ only by
// managed/management; keep the two apart when reading or writing them.
const (
	GuardianName                   = "tigera-guardian"
	GuardianNamespace              = GuardianName
	GuardianServiceAccountName     = GuardianName
	GuardianClusterRoleName        = GuardianName
	GuardianClusterRoleBindingName = GuardianName
	GuardianDeploymentName         = GuardianName
	GuardianPodSecurityPolicyName  = GuardianName
	GuardianServiceName            = "tigera-guardian"
	GuardianVolumeName             = "tigera-guardian-certs"
	GuardianSecretName             = "tigera-managed-cluster-connection"
	GuardianTargetPort             = 8080
	GuardianPolicyName             = networkpolicy.TigeraComponentPolicyPrefix + "guardian-access"
)
The names of the components related to the rendered Guardian objects.
// Intrusion detection and anomaly detection (AD) names. ADDetectorPolicyName
// is built from the unexported adDetectorName, which is not part of this
// listing. ADAPIExpectedServiceName is a fully qualified in-cluster service
// name; presumably it is the name the AD API certificate is expected to
// carry — confirm in the intrusion detection renderer.
const (
	IntrusionDetectionNamespace                  = "tigera-intrusion-detection"
	IntrusionDetectionName                       = "intrusion-detection-controller"
	ElasticsearchIntrusionDetectionUserSecret    = "tigera-ee-intrusion-detection-elasticsearch-access"
	ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access"
	ElasticsearchADJobUserSecret                 = "tigera-ee-ad-job-elasticsearch-access"
	ElasticsearchPerformanceHotspotsUserSecret   = "tigera-ee-performance-hotspots-elasticsearch-access"
	IntrusionDetectionInstallerJobName           = "intrusion-detection-es-job-installer"
	IntrusionDetectionControllerName             = "intrusion-detection-controller"
	IntrusionDetectionControllerPolicyName       = networkpolicy.TigeraComponentPolicyPrefix + IntrusionDetectionControllerName
	IntrusionDetectionInstallerPolicyName        = networkpolicy.TigeraComponentPolicyPrefix + "intrusion-detection-elastic"
	ADAPIObjectName                              = "anomaly-detection-api"
	ADAPIObjectPortName                          = "anomaly-detection-api-https"
	ADAPITLSSecretName                           = "anomaly-detection-api-tls"
	ADAPIExpectedServiceName                     = "anomaly-detection-api.tigera-intrusion-detection.svc"
	ADAPIPolicyName                              = networkpolicy.TigeraComponentPolicyPrefix + ADAPIObjectName
	ADPersistentVolumeClaimName                  = "tigera-anomaly-detection"
	// Default PVC request size, expressed as a Kubernetes quantity string.
	DefaultAnomalyDetectionPVRequestSizeGi = "10Gi"
	ADJobPodTemplateBaseName               = "tigera.io.detectors"
	ADDetectorPolicyName                   = networkpolicy.TigeraComponentPolicyPrefix + adDetectorName
	ADResourceGroup                        = "detectors.tigera.io"
	ADDetectorsModelResourceName           = "models"
	ADLogTypeMetaDataResourceName          = "metadata"
)
// Elasticsearch, ECK operator, Kibana and curator names, plus the
// ElasticsearchLicenseType values. Notes for readers:
//   - ElasticsearchName and KibanaName share the value "tigera-secure".
//   - KibanaDefaultRoute is a format string with two %s verbs; TimeFilter
//     looks like a candidate for the first of them — confirm at the call site.
//   - OIDCUsersEsSecreteName keeps its "Secrete" misspelling because it is
//     part of the exported API.
//   - ElasticsearchLicenseTypeUnknown is the empty string, i.e. the zero value
//     of ElasticsearchLicenseType.
const (
	ECKOperatorName         = "elastic-operator"
	ECKOperatorNamespace    = "tigera-eck-operator"
	ECKLicenseConfigMapName = "elastic-licensing"
	ECKOperatorPolicyName   = networkpolicy.TigeraComponentPolicyPrefix + "elastic-operator-access"
	ECKEnterpriseTrial      = "eck-trial-license"
	ElasticsearchNamespace  = "tigera-elasticsearch"
	// TigeraElasticsearchGatewaySecret is the TLS key pair that is mounted by Elasticsearch gateway.
	TigeraElasticsearchGatewaySecret = "tigera-secure-elasticsearch-cert"
	// TigeraElasticsearchInternalCertSecret is the TLS key pair that is mounted by the Elasticsearch pods.
	TigeraElasticsearchInternalCertSecret = "tigera-secure-internal-elasticsearch-cert"
	// TigeraKibanaCertSecret is the TLS key pair that is mounted by the Kibana pods.
	TigeraKibanaCertSecret          = "tigera-secure-kibana-cert"
	ElasticsearchName               = "tigera-secure"
	ElasticsearchServiceName        = "tigera-secure-es-http"
	ESGatewayServiceName            = "tigera-secure-es-gateway-http"
	ElasticsearchDefaultPort        = 9200
	ElasticsearchInternalPort       = 9300
	ElasticsearchOperatorUserSecret = "tigera-ee-operator-elasticsearch-access"
	ElasticsearchAdminUserSecret    = "tigera-secure-es-elastic-user"
	ElasticsearchPolicyName         = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-access"
	ElasticsearchInternalPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-internal"
	KibanaName                      = "tigera-secure"
	KibanaNamespace                 = "tigera-kibana"
	KibanaBasePath                  = "tigera-kibana"
	KibanaServiceName               = "tigera-secure-kb-http"
	KibanaDefaultRoute              = "/app/kibana#/dashboards?%s&title=%s"
	KibanaPolicyName                = networkpolicy.TigeraComponentPolicyPrefix + "kibana-access"
	KibanaPort                      = 5601
	DefaultElasticsearchClusterName = "cluster"
	DefaultElasticsearchReplicas    = 0
	DefaultElasticStorageGi         = 10
	EsCuratorName                   = "elastic-curator"
	EsCuratorServiceAccount         = "tigera-elastic-curator"
	EsCuratorPolicyName             = networkpolicy.TigeraComponentPolicyPrefix + "allow-elastic-curator"
	OIDCUsersConfigMapName          = "tigera-known-oidc-users"
	OIDCUsersEsSecreteName          = "tigera-oidc-users-elasticsearch-credentials"

	ElasticsearchLicenseTypeBasic           ElasticsearchLicenseType = "basic"
	ElasticsearchLicenseTypeEnterprise      ElasticsearchLicenseType = "enterprise"
	ElasticsearchLicenseTypeEnterpriseTrial ElasticsearchLicenseType = "enterprise_trial"
	ElasticsearchLicenseTypeUnknown         ElasticsearchLicenseType = ""

	EsManagerRole        = "es-manager"
	EsManagerRoleBinding = "es-manager"
	// Annotation keys; presumably they carry a hash of the referenced secrets
	// so pods are rolled when the secrets change — confirm in the renderer.
	KibanaTLSAnnotationHash        = "hash.operator.tigera.io/kb-secrets"
	ElasticsearchTLSHashAnnotation = "hash.operator.tigera.io/es-secrets"
	TimeFilter                     = "_g=(time:(from:now-24h,to:now))"
	FlowsDashboardName             = "Tigera Secure EE Flow Logs"
)
// Elasticsearch keystore secret naming. Judging by the names, the keystore
// password reaches the container through the KEYSTORE_PASSWORD environment
// variable; if it is injected as a literal value rather than a secretKeyRef
// it becomes visible in the pod spec — confirm how the renderer sets it.
const (
	// ElasticsearchKeystoreSecret Currently only used when FIPS mode is enabled, we need to initialize the keystore with a password.
	ElasticsearchKeystoreSecret = "tigera-secure-elasticsearch-keystore"
	// Environment variable name, not a value.
	ElasticsearchKeystoreEnvName = "KEYSTORE_PASSWORD"
	// Annotation key; presumably carries a hash of the keystore password so
	// pods are rolled when it changes — confirm in the renderer.
	ElasticsearchKeystoreHashAnnotation = "hash.operator.tigera.io/keystore-password"
)
// Manager component names. Two TLS secret names exist: ManagerTLSSecretName
// and ManagerInternalTLSSecretName; which endpoint each serves is not visible
// here. The hash.operator.tigera.io/* annotation keys presumably carry a hash
// of the referenced secret so pods are rolled on rotation — confirm in the
// manager renderer.
const (
	ManagerServiceName                = "tigera-manager"
	ManagerDeploymentName             = "tigera-manager"
	ManagerNamespace                  = "tigera-manager"
	ManagerServiceIP                  = "localhost"
	ManagerServiceAccount             = "tigera-manager"
	ManagerClusterRole                = "tigera-manager-role"
	ManagerClusterRoleBinding         = "tigera-manager-binding"
	ManagerTLSSecretName              = "manager-tls"
	ManagerInternalTLSSecretName      = "internal-manager-tls"
	ManagerPolicyName                 = networkpolicy.TigeraComponentPolicyPrefix + "manager-access"
	ManagerClusterSettings            = "cluster-settings"
	ManagerUserSettings               = "user-settings"
	ManagerClusterSettingsLayerTigera = "cluster-settings.layer.tigera-infrastructure"
	ManagerClusterSettingsViewDefault = "cluster-settings.view.default"
	ElasticsearchManagerUserSecret    = "tigera-ee-manager-elasticsearch-access"
	TlsSecretHashAnnotation           = "hash.operator.tigera.io/tls-secret"
	KibanaTLSHashAnnotation           = "hash.operator.tigera.io/kibana-secrets"
	ElasticsearchUserHashAnnotation   = "hash.operator.tigera.io/elasticsearch-user"
)
// ManagementClusterConnection configuration constants. VoltronTunnelSecretName
// is the management-side counterpart of GuardianSecretName
// ("tigera-managed-cluster-connection"); the two values differ only by
// management/managed.
const (
	VoltronName             = "tigera-voltron"
	VoltronTunnelSecretName = "tigera-management-cluster-connection"
)
ManagementClusterConnection configuration constants
// The three Pod Security Standards levels, as accepted by CreateNamespace's
// PodSecurityStandard parameter. Listed from least to most restrictive.
const (
	PSSPrivileged = "privileged"
	PSSBaseline   = "baseline"
	PSSRestricted = "restricted"
)
// calico-node names, BGP layout / early networking config names and the
// in-container path the layout is mounted at. NodeFinalizer is the finalizer
// key placed on objects by the node renderer (inferred from the name —
// confirm in Node()).
const (
	BirdTemplatesConfigMapName    = "bird-templates"
	CSRLabelCalicoSystem          = "calico-system"
	BGPLayoutConfigMapName        = "bgp-layout"
	BGPLayoutConfigMapKey         = "earlyNetworkConfiguration"
	BGPLayoutVolumeName           = "bgp-layout"
	BGPLayoutPath                 = "/etc/calico/early-networking.yaml"
	K8sSvcEndpointConfigMapName   = "kubernetes-services-endpoint"
	NodeFinalizer                 = "tigera.io/cni-protector"
	CalicoNodeMetricsService      = "calico-node-metrics"
	NodePrometheusTLSServerSecret = "calico-node-prometheus-server-tls"
	CalicoNodeObjectName          = "calico-node"
)
// The names of the components related to the rendered PacketCapture API
// objects. Most of them alias PacketCaptureName; the policy name is derived
// from it as well, so renaming PacketCaptureName renames the policy.
const (
	PacketCaptureContainerName          = "tigera-packetcapture-server"
	PacketCaptureName                   = "tigera-packetcapture"
	PacketCaptureNamespace              = PacketCaptureName
	PacketCaptureServiceAccountName     = PacketCaptureName
	PacketCaptureClusterRoleName        = PacketCaptureName
	PacketCaptureClusterRoleBindingName = PacketCaptureName
	PacketCaptureDeploymentName         = PacketCaptureName
	PacketCaptureServiceName            = PacketCaptureName
	PacketCapturePolicyName             = networkpolicy.TigeraComponentPolicyPrefix + PacketCaptureName
	PacketCapturePort                   = 8444
	PacketCaptureCertSecret             = "tigera-packetcapture-server-tls"
)
The names of the components related to the rendered PacketCapture API objects.
// Typha names. Unlike the other port constants in this package, TyphaPort is
// explicitly typed int32, so it can be assigned to int32 fields directly but
// needs a conversion where an int is expected.
const (
	TyphaServiceName        = "calico-typha"
	TyphaPortName           = "calico-typha"
	TyphaK8sAppName         = "calico-typha"
	TyphaServiceAccountName = "calico-typha"
	AppLabelName            = "k8s-app"
	TyphaPort               int32 = 5473
	TyphaContainerName      = "calico-typha"
)
// TigeraAWSSGSetupName is the name used by the AWS security group setup component.
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"
Variables ¶
// Certificate naming inputs and priority class names. These are variables,
// not constants, so they can be reassigned at runtime (e.g. by tests); treat
// them as read-only in production code. Judging by the identifiers,
// TyphaCommonName and FelixCommonName are the common names used for the
// typha server and client certificates — confirm in the TLS rendering.
var (
	CommonName               = "common-name"
	URISAN                   = "uri-san"
	TyphaCommonName          = "typha-server"
	FelixCommonName          = "typha-client"
	NodePriorityClassName    = "system-node-critical"
	ClusterPriorityClassName = "system-cluster-critical"
)
// Typha TLS secret and CA ConfigMap names, and the ConfigMap key holding the
// CA bundle. Declared as variables rather than constants, so they are
// reassignable at runtime.
var (
	TyphaTLSSecretName   = "typha-certs"
	TyphaCAConfigMapName = "typha-ca"
	TyphaCABundleName    = "caBundle"
)
// Network policy entity rules for the components rendered by this package.
// The construction helpers live in the networkpolicy package and are not
// visible here; judging by their names and arguments, CreateEntityRule builds
// a destination rule from (namespace, app, port), CreateSourceEntityRule a
// source rule from (namespace, app) and CreateServiceSelectorEntityRule a
// rule keyed on a Service — confirm against networkpolicy before relying on
// that. These are package-level variables, so they can be reassigned.
var ComplianceBenchmarkerSourceEntityRule = networkpolicy.CreateSourceEntityRule(ComplianceNamespace, ComplianceBenchmarkerName)
var ComplianceControllerSourceEntityRule = networkpolicy.CreateSourceEntityRule(ComplianceNamespace, ComplianceControllerName)
var ComplianceReporterSourceEntityRule = networkpolicy.CreateSourceEntityRule(ComplianceNamespace, ComplianceReporterName)

// ComplianceServerEntityRule uses the unexported complianceServerPort, which is
// not part of this listing.
var ComplianceServerEntityRule = networkpolicy.CreateEntityRule(ComplianceNamespace, ComplianceServerName, complianceServerPort)
var ComplianceServerSourceEntityRule = networkpolicy.CreateSourceEntityRule(ComplianceNamespace, ComplianceServerName)
var ComplianceSnapshotterSourceEntityRule = networkpolicy.CreateSourceEntityRule(ComplianceNamespace, ComplianceSnapshotterName)
var DexEntityRule = networkpolicy.CreateEntityRule(DexNamespace, DexObjectName, DexPort)
var ECKOperatorSourceEntityRule = networkpolicy.CreateSourceEntityRule(ECKOperatorNamespace, ECKOperatorName)

// EKSLogForwarderEntityRule uses the unexported eksLogForwarderName, which is
// not part of this listing.
var EKSLogForwarderEntityRule = networkpolicy.CreateSourceEntityRule(LogCollectorNamespace, eksLogForwarderName)
var ESCuratorSourceEntityRule = networkpolicy.CreateSourceEntityRule(ElasticsearchNamespace, EsCuratorName)

// ElasticsearchEntityRule selects the Elasticsearch namespace by its
// projectcalico.org/name label and the cluster pods by ElasticsearchSelector,
// limited to ElasticsearchDefaultPort. Compare FluentdSourceEntityRule below,
// which keys its namespace selector on the bare "name" label instead; each
// rule only matches if its label is actually present on the namespace.
var ElasticsearchEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
	Selector:          ElasticsearchSelector,
	Ports:             []numorstring.Port{{MinPort: ElasticsearchDefaultPort, MaxPort: ElasticsearchDefaultPort}},
}

// ElasticsearchSelector matches the Elasticsearch cluster pods by the ECK
// cluster-name label. It is referenced by the two Elasticsearch rules above
// and below; package-level initialization order handles the dependency.
var ElasticsearchSelector = fmt.Sprintf("elasticsearch.k8s.elastic.co/cluster-name == '%s'", ElasticsearchName)

// FluentdSourceEntityRule selects both the Linux and Windows fluentd node
// pods (fluentdNodeWindowsName is unexported and not part of this listing).
// Note the namespace selector uses the bare "name" label, unlike the
// projectcalico.org/name label used by the Elasticsearch rules.
var FluentdSourceEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("name == '%s'", LogCollectorNamespace),
	Selector:          networkpolicy.KubernetesAppSelector(FluentdNodeName, fluentdNodeWindowsName),
}
var GuardianEntityRule = networkpolicy.CreateEntityRule(GuardianNamespace, GuardianDeploymentName, GuardianTargetPort)
var GuardianServiceSelectorEntityRule = networkpolicy.CreateServiceSelectorEntityRule(GuardianNamespace, GuardianName)
var GuardianSourceEntityRule = networkpolicy.CreateSourceEntityRule(GuardianNamespace, GuardianDeploymentName)

// InternalElasticsearchEntityRule is identical to ElasticsearchEntityRule
// except that it targets ElasticsearchInternalPort (9300) rather than the
// default HTTP port.
var InternalElasticsearchEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
	Selector:          ElasticsearchSelector,
	Ports:             []numorstring.Port{{MinPort: ElasticsearchInternalPort, MaxPort: ElasticsearchInternalPort}},
}

// The two intrusion detection rules share the unexported
// intrusionDetectionNamespaceSelector (not part of this listing). The
// installer rule selects by job-name, the controller rule by k8s-app.
var IntrusionDetectionInstallerSourceEntityRule = v3.EntityRule{
	NamespaceSelector: intrusionDetectionNamespaceSelector,
	Selector:          fmt.Sprintf("job-name == '%s'", IntrusionDetectionInstallerJobName),
}
var IntrusionDetectionSourceEntityRule = v3.EntityRule{
	NamespaceSelector: intrusionDetectionNamespaceSelector,
	Selector:          fmt.Sprintf("k8s-app == '%s'", IntrusionDetectionControllerName),
}
var KibanaEntityRule = networkpolicy.CreateEntityRule(KibanaNamespace, KibanaName, KibanaPort)
var KibanaSourceEntityRule = networkpolicy.CreateSourceEntityRule(KibanaNamespace, KibanaName)

// ManagerEntityRule uses the unexported managerPort, which is not part of
// this listing.
var ManagerEntityRule = networkpolicy.CreateEntityRule(ManagerNamespace, ManagerDeploymentName, managerPort)
var ManagerSourceEntityRule = networkpolicy.CreateSourceEntityRule(ManagerNamespace, ManagerDeploymentName)

// NodeTLSSecretName is a variable, not a constant, so it is reassignable at
// runtime.
var (
	NodeTLSSecretName = "node-certs"
)
var PacketCaptureEntityRule = networkpolicy.CreateEntityRule(PacketCaptureNamespace, PacketCaptureDeploymentName, PacketCapturePort)
var PacketCaptureSourceEntityRule = networkpolicy.CreateSourceEntityRule(PacketCaptureNamespace, PacketCaptureDeploymentName)

// TigeraAPIServerEntityRule matches by Service rather than by pod selector;
// no port is given here, so presumably the Service's ports apply — confirm
// against the v3.ServiceMatch semantics.
var TigeraAPIServerEntityRule = v3.EntityRule{
	Services: &v3.ServiceMatch{
		Namespace: QueryserverNamespace,
		Name:      QueryserverServiceName,
	},
}
Functions ¶
func ApiServerServiceAccountName ¶ added in v1.26.0
func ApiServerServiceAccountName(v operatorv1.ProductVariant) string
func CreateCertificateConfigMap ¶ added in v1.25.1
func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap
CreateCertificateConfigMap is a convenience method for creating a configmap that contains only a ca or cert to trust.
func CreateCertificateSecret ¶ added in v1.18.0
CreateCertificateSecret is a convenience method for creating a secret that contains only a ca or cert to trust.
func CreateDexClientSecret ¶ added in v1.12.0
func CreateElasticsearchKeystoreSecret ¶ added in v1.28.2
CreateElasticsearchKeystoreSecret creates a secret to be used for initializing the keystore on Elasticsearch.
func CreateNamespace ¶ added in v1.22.0
func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace
func GetIPv4Pool ¶ added in v1.2.0
func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.
func GetIPv6Pool ¶ added in v1.2.0
func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.
func GetTigeraSecurityGroupEnvVariables ¶ added in v1.8.0
func GetTigeraSecurityGroupEnvVariables(aci *operatorv1.AmazonCloudIntegration) []corev1.EnvVar
func NewDexKeyValidatorConfig ¶ added in v1.12.0
func NewDexKeyValidatorConfig( authentication *oprv1.Authentication, idpSecret *corev1.Secret, clusterDomain string) authentication.KeyValidatorConfig
func ProjectCalicoApiServerServiceName ¶ added in v1.25.0
func ProjectCalicoApiServerServiceName(v operatorv1.ProductVariant) string
func ProjectCalicoApiServerTLSSecretName ¶ added in v1.25.0
func ProjectCalicoApiServerTLSSecretName(v operatorv1.ProductVariant) string
The following functions are helpers for determining resource names based on the configured product variant.
func SetClusterCriticalPod ¶ added in v1.22.0
func SetClusterCriticalPod(t *corev1.PodTemplateSpec)
func SetTestLogger ¶
Types ¶
type APIServerConfiguration ¶ added in v1.25.0
// APIServerConfiguration contains all the config information needed to render
// the API server component. The renderer (not shown here) decides how the
// key pairs and pull secrets are mounted; the fields are plain inputs.
type APIServerConfiguration struct {
	K8SServiceEndpoint          k8sapi.ServiceEndpoint
	Installation                *operatorv1.InstallationSpec
	APIServer                   *operatorv1.APIServerSpec
	ForceHostNetwork            bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	AmazonCloudIntegration      *operatorv1.AmazonCloudIntegration
	TLSKeyPair                  certificatemanagement.KeyPairInterface
	PullSecrets                 []*corev1.Secret
	Openshift                   bool
	// TunnelCASecret is typed as a key pair even though the name says CA;
	// presumably the CA side of the tunnel credentials — confirm in APIServer().
	TunnelCASecret certificatemanagement.KeyPairInterface
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
APIServerConfiguration contains all the config information needed to render the component.
type AWSSGSetupConfiguration ¶ added in v1.25.0
// AWSSGSetupConfiguration contains all the config information needed to render
// the AWS security group setup component. Unlike the other *Configuration
// types here, PullSecrets is a slice of LocalObjectReference (names only),
// not of *corev1.Secret.
type AWSSGSetupConfiguration struct {
	PullSecrets  []corev1.LocalObjectReference
	Installation *operatorv1.InstallationSpec
}
AWSSGSetupConfiguration contains all the config information needed to render the component.
type AmazonCloudIntegrationConfiguration ¶ added in v1.25.0
// AmazonCloudIntegrationConfiguration contains all the config information
// needed to render the Amazon cloud integration component. Credentials is the
// parsed form produced by ConvertSecretToCredential.
type AmazonCloudIntegrationConfiguration struct {
	AmazonCloudIntegration *operatorv1.AmazonCloudIntegration
	Installation           *operatorv1.InstallationSpec
	Credentials            *AmazonCredential
	PullSecrets            []*corev1.Secret
	Openshift              bool
}
AmazonCloudIntegrationConfiguration contains all the config information needed to render the component.
type AmazonCredential ¶ added in v1.8.0
func ConvertSecretToCredential ¶ added in v1.8.0
func ConvertSecretToCredential(s *corev1.Secret) (*AmazonCredential, error)
type CSIConfiguration ¶ added in v1.28.0
// CSIConfiguration holds the inputs to the CSI renderer. Terminating
// presumably signals that the component is being torn down so that objects
// are rendered for deletion rather than creation — confirm in CSI().
type CSIConfiguration struct {
	Installation *operatorv1.InstallationSpec
	Terminating  bool
	Openshift    bool
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
type ComplianceConfiguration ¶ added in v1.25.0
// ComplianceConfiguration contains all the config information needed to render
// the compliance component.
type ComplianceConfiguration struct {
	ESSecrets                   []*corev1.Secret
	TrustedBundle               certificatemanagement.TrustedBundle
	Installation                *operatorv1.InstallationSpec
	ComplianceServerCertSecret  certificatemanagement.KeyPairInterface
	ESClusterConfig             *relasticsearch.ClusterConfig
	PullSecrets                 []*corev1.Secret
	Openshift                   bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	KeyValidatorConfig          authentication.KeyValidatorConfig
	ClusterDomain               string
	// HasNoLicense is a negative flag: true means no license is present.
	HasNoLicense bool
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
ComplianceConfiguration contains all the config information needed to render the component.
type Component ¶
// Component is the unit of rendering: something that can resolve its images,
// produce the objects to create and delete, and report readiness and the OS
// type it targets.
type Component interface {
	// ResolveImages should call components.GetReference for all images that the Component
	// needs, passing 'is' to the GetReference call and if there are any errors those
	// are returned. It is valid to pass nil for 'is' as GetReference accepts the value.
	// ResolveImages must be called before Objects is called for the component.
	ResolveImages(is *operatorv1.ImageSet) error

	// Objects returns the lists of objects in this component that should be created and/or deleted during
	// rendering.
	Objects() (objsToCreate, objsToDelete []client.Object)

	// Ready returns true if the component is ready to be created.
	Ready() bool

	// SupportedOSType returns the operating system supported by the components returned by the Objects() function.
	// The "componentHandler" converts the returned OSType to a node selector for the "kubernetes.io/os" label on client.Objects
	// that create pods. Returning OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label.
	SupportedOSType() rmeta.OSType
}
func APIServer ¶
func APIServer(cfg *APIServerConfiguration) (Component, error)
func APIServerPolicy ¶ added in v1.28.0
func APIServerPolicy(cfg *APIServerConfiguration) Component
func AWSSecurityGroupSetup ¶ added in v1.0.0
func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)
func AmazonCloudIntegration ¶ added in v1.8.0
func AmazonCloudIntegration(cfg *AmazonCloudIntegrationConfiguration) (Component, error)
func CSI ¶ added in v1.28.0
func CSI(cfg *CSIConfiguration) Component
func Compliance ¶
func Compliance(cfg *ComplianceConfiguration) (Component, error)
func Dex ¶ added in v1.12.0
func Dex(cfg *DexComponentConfiguration) Component
func Fluentd ¶ added in v1.0.0
func Fluentd(cfg *FluentdConfiguration) Component
func Guardian ¶ added in v1.2.0
func Guardian(cfg *GuardianConfiguration) Component
func GuardianPolicy ¶ added in v1.28.0
func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)
func IntrusionDetection ¶
func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component
func LogStorage ¶ added in v1.4.0
func LogStorage(cfg *ElasticsearchConfiguration) Component
LogStorage renders the components necessary for Kibana and Elasticsearch.
func Manager ¶ added in v1.0.0
func Manager(cfg *ManagerConfiguration) (Component, error)
func Namespaces ¶
func Namespaces(cfg *NamespaceConfiguration) Component
func NewPassthrough ¶ added in v1.22.0
func Node ¶
func Node(cfg *NodeConfiguration) Component
Node creates the node daemonset and other resources for the daemonset to operate normally.
func PacketCaptureAPI ¶ added in v1.21.0
func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component
func PacketCaptureAPIPolicy ¶ added in v1.28.0
func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component
func Typha ¶ added in v1.0.0
func Typha(cfg *TyphaConfiguration) Component
Typha creates the typha daemonset and other resources for the daemonset to operate normally.
func Windows ¶ added in v1.23.0
func Windows( cfg *WindowsConfig, ) Component
type DexComponentConfiguration ¶ added in v1.25.0
// DexComponentConfiguration contains all the config information needed to
// render the Dex component. DeleteDex presumably switches the renderer to
// producing objects for deletion — confirm in Dex().
type DexComponentConfiguration struct {
	PullSecrets   []*corev1.Secret
	Openshift     bool
	Installation  *operatorv1.InstallationSpec
	DexConfig     DexConfig
	ClusterDomain string
	DeleteDex     bool
	TLSKeyPair    certificatemanagement.KeyPairInterface
}
DexComponentConfiguration contains all the config information needed to render the component.
type DexConfig ¶ added in v1.12.0
// DexConfig is a config for DexIdP itself. It embeds
// authentication.KeyValidatorConfig and adds the connector definition, the
// redirect URIs, and the volumes/mounts the Dex deployment needs.
type DexConfig interface {
	// Connector returns the Dex connector definition as a free-form map; its
	// schema is not visible here.
	Connector() map[string]interface{}
	RedirectURIs() []string
	// RequiredVolumeMounts returns volume mounts that the KeyValidatorConfig implementation requires.
	RequiredVolumeMounts() []corev1.VolumeMount
	// RequiredVolumes returns volumes that the KeyValidatorConfig implementation requires.
	RequiredVolumes() []corev1.Volume
	authentication.KeyValidatorConfig
}
DexConfig is a config for DexIdP itself.
func NewDexConfig ¶ added in v1.12.0
func NewDexConfig( certificateManagement *oprv1.CertificateManagement, authentication *oprv1.Authentication, dexSecret *corev1.Secret, idpSecret *corev1.Secret, clusterDomain string) DexConfig
NewDexConfig creates a new DexConfig.
type DexKeyValidatorConfig ¶ added in v1.12.0
// DexKeyValidatorConfig is presumably the concrete value behind the
// authentication.KeyValidatorConfig returned by NewDexKeyValidatorConfig.
// Its methods mix value and pointer receivers (RequiredAnnotations,
// RequiredEnv, RequiredVolumeMounts and RequiredVolumes are on the pointer),
// so only *DexKeyValidatorConfig satisfies an interface that includes those.
type DexKeyValidatorConfig struct {
	// contains filtered or unexported fields
}
func (DexKeyValidatorConfig) BaseURL ¶ added in v1.18.0
func (d DexKeyValidatorConfig) BaseURL() string
func (DexKeyValidatorConfig) ClientID ¶ added in v1.18.0
func (d DexKeyValidatorConfig) ClientID() string
func (DexKeyValidatorConfig) ClientSecret ¶ added in v1.18.0
func (d DexKeyValidatorConfig) ClientSecret() []byte
func (DexKeyValidatorConfig) Issuer ¶ added in v1.18.0
func (d DexKeyValidatorConfig) Issuer() string
func (DexKeyValidatorConfig) RedirectURIs ¶ added in v1.18.0
func (d DexKeyValidatorConfig) RedirectURIs() []string
func (DexKeyValidatorConfig) RequestedScopes ¶ added in v1.18.0
func (d DexKeyValidatorConfig) RequestedScopes() []string
func (*DexKeyValidatorConfig) RequiredAnnotations ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string
RequiredAnnotations returns the annotations that are relevant for a validator config.
func (DexKeyValidatorConfig) RequiredConfigMaps ¶ added in v1.18.0
func (*DexKeyValidatorConfig) RequiredEnv ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar
RequiredEnv appends the environment variables that are necessary for using the Dex authenticator.
func (DexKeyValidatorConfig) RequiredSecrets ¶ added in v1.12.0
func (*DexKeyValidatorConfig) RequiredVolumeMounts ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount
func (*DexKeyValidatorConfig) RequiredVolumes ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume
func (DexKeyValidatorConfig) UsernameClaim ¶ added in v1.18.0
func (d DexKeyValidatorConfig) UsernameClaim() string
type EksCloudwatchLogConfig ¶ added in v1.0.0
type ElasticsearchConfiguration ¶ added in v1.25.0
// ElasticsearchConfiguration contains all the config information needed to
// render the component.
type ElasticsearchConfiguration struct {
	LogStorage                  *operatorv1.LogStorage
	Installation                *operatorv1.InstallationSpec
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	Elasticsearch               *esv1.Elasticsearch
	Kibana                      *kbv1.Kibana
	ClusterConfig               *relasticsearch.ClusterConfig
	ElasticsearchUserSecret     *corev1.Secret
	// ElasticsearchKeyPair and KibanaKeyPair carry the TLS key material for
	// Elasticsearch and Kibana respectively — presumably their serving
	// certificates; confirm against the renderer.
	ElasticsearchKeyPair certificatemanagement.KeyPairInterface
	KibanaKeyPair        certificatemanagement.KeyPairInterface
	PullSecrets          []*corev1.Secret
	Provider             operatorv1.Provider
	CuratorSecrets       []*corev1.Secret
	ESService            *corev1.Service
	KbService            *corev1.Service
	ClusterDomain        string
	// BaseURL is where the manager is reachable, for setting Kibana publicBaseUrl.
	BaseURL            string
	ElasticLicenseType ElasticsearchLicenseType
	// TrustedBundle holds the CA certificates the component should trust.
	TrustedBundle   certificatemanagement.TrustedBundle
	UnusedTLSSecret *corev1.Secret
	ApplyTrial      bool
	KeyStoreSecret  *corev1.Secret
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
ElasticsearchConfiguration contains all the config information needed to render the component.
type ElasticsearchLicenseType ¶ added in v1.14.0
// ElasticsearchLicenseType identifies the Elasticsearch license in use; it is
// carried in the ElasticLicenseType / ESLicenseType fields of the
// configuration structs in this package.
type ElasticsearchLicenseType string
type FluentdConfiguration ¶ added in v1.25.0
// FluentdConfiguration contains all the config information needed to render
// the component.
type FluentdConfiguration struct {
	LogCollector    *operatorv1.LogCollector
	ESSecrets       []*corev1.Secret
	ESClusterConfig *relasticsearch.ClusterConfig
	// S3Credential and SplkCredential hold the credentials for the S3 and
	// Splunk log destinations; how they are materialised in the cluster is
	// decided by the renderer — TODO confirm (presumably as Secrets).
	S3Credential   *S3Credential
	SplkCredential *SplunkCredential
	Filters        *FluentdFilters
	EKSConfig      *EksCloudwatchLogConfig
	PullSecrets    []*corev1.Secret
	Installation   *operatorv1.InstallationSpec
	ClusterDomain  string
	OSType         rmeta.OSType
	// MetricsServerTLS is the key pair for the metrics endpoint; TrustedBundle
	// holds the CA certificates the component should trust.
	MetricsServerTLS certificatemanagement.KeyPairInterface
	TrustedBundle    certificatemanagement.TrustedBundle
	ManagedCluster   bool
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
	// Whether to use a user-provided certificate or not (for the syslog output,
	// judging by the name — confirm).
	UseSyslogCertificate bool
}
FluentdConfiguration contains all the config information needed to render the component.
type FluentdFilters ¶ added in v1.0.0
type GuardianComponent ¶ added in v1.2.0
// GuardianComponent renders the resources for a Guardian Deployment in a
// multicluster setup. It implements Component via Objects, Ready,
// ResolveImages and SupportedOSType; construct it with Guardian(cfg).
type GuardianComponent struct {
	// contains filtered or unexported fields
}
func (*GuardianComponent) Objects ¶ added in v1.2.0
func (c *GuardianComponent) Objects() ([]client.Object, []client.Object)
func (*GuardianComponent) Ready ¶ added in v1.2.0
func (c *GuardianComponent) Ready() bool
func (*GuardianComponent) ResolveImages ¶ added in v1.14.0
func (c *GuardianComponent) ResolveImages(is *operatorv1.ImageSet) error
func (*GuardianComponent) SupportedOSType ¶ added in v1.11.0
func (c *GuardianComponent) SupportedOSType() rmeta.OSType
type GuardianConfiguration ¶ added in v1.25.0
// GuardianConfiguration contains all the config information needed to render
// the component.
type GuardianConfiguration struct {
	// URL is the address Guardian connects to — presumably the management
	// cluster's tunnel endpoint; confirm against the controller that sets it.
	URL          string
	PullSecrets  []*corev1.Secret
	Openshift    bool
	Installation *operatorv1.InstallationSpec
	// TunnelSecret holds the credential Guardian presents on the tunnel and
	// TunnelCAType says which kind of CA issued it; TrustedCertBundle holds
	// the CA certificates Guardian should trust — TODO confirm against the
	// renderer, the types alone do not fix the semantics.
	TunnelSecret      *corev1.Secret
	TrustedCertBundle certificatemanagement.TrustedBundle
	TunnelCAType      operatorv1.CAType
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
GuardianConfiguration contains all the config information needed to render the component.
type IntrusionDetectionConfiguration ¶ added in v1.25.0
// IntrusionDetectionConfiguration contains all the config information needed
// to render the component.
type IntrusionDetectionConfiguration struct {
	IntrusionDetection operatorv1.IntrusionDetection
	LogCollector       *operatorv1.LogCollector
	ESSecrets          []*corev1.Secret
	Installation       *operatorv1.InstallationSpec
	ESClusterConfig    *relasticsearch.ClusterConfig
	PullSecrets        []*corev1.Secret
	Openshift          bool
	ClusterDomain      string
	ESLicenseType      ElasticsearchLicenseType
	ManagedCluster     bool
	// PVC Spec fields are immutable; ShouldRenderADPVC is set to true when an
	// existing AD PVC is not found, so as to avoid update failures.
	ShouldRenderADPVC bool
	HasNoLicense      bool
	// TrustedCertBundle holds the CA certificates the component should trust;
	// ADAPIServerCertSecret is the AD API server's key pair — presumably its
	// serving certificate; confirm against the renderer.
	TrustedCertBundle     certificatemanagement.TrustedBundle
	ADAPIServerCertSecret certificatemanagement.KeyPairInterface
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
IntrusionDetectionConfiguration contains all the config information needed to render the component.
type ManagerConfiguration ¶ added in v1.25.0
// ManagerConfiguration contains all the config information needed to render
// the component.
type ManagerConfiguration struct {
	// KeyValidatorConfig describes how the manager validates user tokens;
	// DexKeyValidatorConfig is one implementation of the interface.
	KeyValidatorConfig authentication.KeyValidatorConfig
	ESSecrets          []*corev1.Secret
	TrustedCertBundle  certificatemanagement.TrustedBundle
	ESClusterConfig    *relasticsearch.ClusterConfig
	// TLSKeyPair, TunnelSecret and InternalTrafficSecret are three distinct
	// key pairs — presumably the manager's serving certificate, the
	// management-cluster tunnel certificate and the in-cluster traffic
	// certificate respectively; confirm against the renderer.
	TLSKeyPair            certificatemanagement.KeyPairInterface
	PullSecrets           []*corev1.Secret
	Openshift             bool
	Installation          *operatorv1.InstallationSpec
	ManagementCluster     *operatorv1.ManagementCluster
	TunnelSecret          certificatemanagement.KeyPairInterface
	InternalTrafficSecret certificatemanagement.KeyPairInterface
	ClusterDomain         string
	ESLicenseType         ElasticsearchLicenseType
	// Replicas is a pointer, so nil can mean "not specified" — how the
	// renderer treats nil is not visible here; confirm.
	Replicas                *int32
	Compliance              *operatorv1.Compliance
	ComplianceLicenseActive bool
	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
ManagerConfiguration contains all the config information needed to render the component.
type NamespaceConfiguration ¶ added in v1.25.0
// NamespaceConfiguration contains all the config information needed to render
// the component.
type NamespaceConfiguration struct {
	Installation *operatorv1.InstallationSpec
	PullSecrets  []*corev1.Secret
	// Terminating indicates the namespace is being torn down — presumably the
	// renderer then reports the objects for deletion; confirm.
	Terminating bool
}
NamespaceConfiguration contains all the config information needed to render the component.
type NodeConfiguration ¶ added in v1.22.0
// NodeConfiguration is the public API used to provide information to the
// render code to generate Kubernetes objects for installing calico/node on a
// cluster.
type NodeConfiguration struct {
	K8sServiceEp  k8sapi.ServiceEndpoint
	Installation  *operatorv1.InstallationSpec
	// TLS carries the key pairs and trusted bundle for the Node/Typha mTLS link.
	TLS           *TyphaNodeTLS
	ClusterDomain string

	// Optional fields.
	AmazonCloudIntegration  *operatorv1.AmazonCloudIntegration
	LogCollector            *operatorv1.LogCollector
	MigrateNamespaces       bool
	NodeAppArmorProfile     string
	BirdTemplates           map[string]string
	NodeReporterMetricsPort int

	// Indicates node is being terminated, so remove most resources but
	// leave RBAC and SA to allow any CNI plugin calls to continue to function.
	// For details on why this is needed see 'Node and Installation finalizer'
	// in the core_controller.
	Terminating bool

	PrometheusServerTLS certificatemanagement.KeyPairInterface

	// BGPLayouts is returned by the rendering code after modifying its namespace
	// so that it can be deployed into the cluster.
	// TODO: The controller should pass the contents, the renderer should build
	// its own configmap, rather than this "copy" semantic.
	BGPLayouts *corev1.ConfigMap

	// The health port that Felix should bind to. The controller reads
	// FelixConfiguration and sets this.
	FelixHealthPort int

	// The bindMode read from the default BGPConfiguration. Used to trigger
	// rolling updates should this value change.
	BindMode string

	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
NodeConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/node on a cluster.
type PacketCaptureApiConfiguration ¶ added in v1.25.0
// PacketCaptureApiConfiguration contains all the config information needed to
// render the component.
type PacketCaptureApiConfiguration struct {
	PullSecrets  []*corev1.Secret
	Openshift    bool
	Installation *operatorv1.InstallationSpec
	// KeyValidatorConfig describes how the API validates user tokens
	// (DexKeyValidatorConfig is one implementation).
	KeyValidatorConfig authentication.KeyValidatorConfig
	// ServerCertSecret is the API's key pair — presumably its serving
	// certificate; TrustedBundle holds the CA certificates it should trust.
	ServerCertSecret            certificatemanagement.KeyPairInterface
	TrustedBundle               certificatemanagement.TrustedBundle
	ClusterDomain               string
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
}
PacketCaptureApiConfiguration contains all the config information needed to render the component.
type PodSecurityStandard ¶ added in v1.28.0
// PodSecurityStandard names a Pod Security Standards level; CreateNamespace
// takes one when rendering a namespace. Which values are valid is not
// visible here — confirm against the constants.
type PodSecurityStandard string
type Renderer ¶
// A Renderer is capable of generating components to be installed on the
// cluster.
type Renderer interface {
	// Render returns the Components to install.
	Render() []Component
}
A Renderer is capable of generating components to be installed on the cluster.
type S3Credential ¶ added in v1.0.0
type SplunkCredential ¶ added in v1.4.0
type TyphaConfiguration ¶ added in v1.22.0
// TyphaConfiguration is the public API used to provide information to the
// render code to generate Kubernetes objects for installing calico/typha on a
// cluster.
type TyphaConfiguration struct {
	K8sServiceEp k8sapi.ServiceEndpoint
	Installation *operatorv1.InstallationSpec
	// TLS carries the key pairs and trusted bundle for the Node/Typha mTLS link.
	TLS                    *TyphaNodeTLS
	AmazonCloudIntegration *operatorv1.AmazonCloudIntegration
	MigrateNamespaces      bool
	ClusterDomain          string

	// The health port that Felix is bound to. We configure Typha to bind to the
	// port that is one less.
	FelixHealthPort int

	// Whether or not the cluster supports pod security policies.
	UsePSP bool
}
TyphaConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/typha on a cluster.
type TyphaNodeTLS ¶ added in v1.0.0
// TyphaNodeTLS holds configuration for Node and Typha to establish TLS.
type TyphaNodeTLS struct {
	// TrustedBundle holds the CA certificates each side uses to verify the other.
	TrustedBundle certificatemanagement.TrustedBundle

	// TyphaSecret is Typha's key pair; TyphaCommonName and TyphaURISAN are the
	// identity values associated with it — presumably what Node expects to
	// see in Typha's certificate; confirm against the renderer.
	TyphaSecret     certificatemanagement.KeyPairInterface
	TyphaCommonName string
	TyphaURISAN     string

	// NodeSecret is Node's key pair; NodeCommonName and NodeURISAN are the
	// identity values associated with it — presumably what Typha expects to
	// see in Node's certificate; confirm against the renderer.
	NodeSecret     certificatemanagement.KeyPairInterface
	NodeCommonName string
	NodeURISAN     string
}
TyphaNodeTLS holds configuration for Node and Typha to establish TLS.
type WindowsConfig ¶ added in v1.26.0
// WindowsConfig holds the inputs for rendering the Windows-specific resources
// (inferred from the name — confirm against the renderer).
type WindowsConfig struct {
	Installation *operatorv1.InstallationSpec
	// Terminating indicates the resources are being torn down; mirrors the
	// field of the same name on NamespaceConfiguration.
	Terminating bool
}