render

package
v1.32.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 25, 2024 License: Apache-2.0 Imports: 59 Imported by: 0

Documentation

Overview

This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.

Index

Constants

View Source
const (
	AmazonCloudIntegrationNamespace      = "tigera-amazon-cloud-integration"
	AmazonCloudIntegrationComponentName  = "tigera-amazon-cloud-integration"
	AmazonCloudIntegrationCredentialName = "amazon-cloud-integration-credentials"
	AmazonCloudCredentialKeyIdName       = "key-id"
	AmazonCloudCredentialKeySecretName   = "key-secret"
)
View Source
const (
	APIServerPort       = 5443
	APIServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "cnx-apiserver-access"
)
View Source
const (
	QueryServerPort        = 8080
	QueryserverNamespace   = "tigera-system"
	QueryserverServiceName = "tigera-api"

	// Use the same API server container name for both OSS and Enterprise.
	APIServerContainerName                  = "calico-apiserver"
	TigeraAPIServerQueryServerContainerName = "tigera-queryserver"

	APIServerSecretsRBACName = "tigera-extension-apiserver-secrets-access"
)
View Source
const (
	ComplianceNamespace        = "tigera-compliance"
	ComplianceServiceName      = "compliance"
	ComplianceServerName       = "compliance-server"
	ComplianceControllerName   = "compliance-controller"
	ComplianceSnapshotterName  = "compliance-snapshotter"
	ComplianceReporterName     = "compliance-reporter"
	ComplianceBenchmarkerName  = "compliance-benchmarker"
	ComplianceAccessPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "compliance-access"
	ComplianceServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + ComplianceServerName

	// ServiceAccount names.
	ComplianceServerServiceAccount      = "tigera-compliance-server"
	ComplianceSnapshotterServiceAccount = "tigera-compliance-snapshotter"
	ComplianceBenchmarkerServiceAccount = "tigera-compliance-benchmarker"
	ComplianceReporterServiceAccount    = "tigera-compliance-reporter"
	ComplianceControllerServiceAccount  = "tigera-compliance-controller"
)
View Source
const (
	ElasticsearchComplianceBenchmarkerUserSecret = "tigera-ee-compliance-benchmarker-elasticsearch-access"
	ElasticsearchComplianceControllerUserSecret  = "tigera-ee-compliance-controller-elasticsearch-access"
	ElasticsearchComplianceReporterUserSecret    = "tigera-ee-compliance-reporter-elasticsearch-access"
	ElasticsearchComplianceSnapshotterUserSecret = "tigera-ee-compliance-snapshotter-elasticsearch-access"
	ElasticsearchComplianceServerUserSecret      = "tigera-ee-compliance-server-elasticsearch-access"
	ElasticsearchCuratorUserSecret               = "tigera-ee-curator-elasticsearch-access"

	ComplianceServerCertSecret  = "tigera-compliance-server-tls"
	ComplianceSnapshotterSecret = "tigera-compliance-snapshotter-tls"
	ComplianceBenchmarkerSecret = "tigera-compliance-benchmarker-tls"
	ComplianceControllerSecret  = "tigera-compliance-controller-tls"
	ComplianceReporterSecret    = "tigera-compliance-reporter-tls"
)
View Source
const (
	CSIDriverName             = "csi.tigera.io"
	CSIDaemonSetName          = "csi-node-driver"
	CSIDaemonSetNamespace     = "calico-system"
	CSIContainerName          = "calico-csi"
	CSIRegistrarContainerName = "csi-node-driver-registrar"
)
View Source
const (
	DexNamespace             = "tigera-dex"
	DexObjectName            = "tigera-dex"
	DexPodSecurityPolicyName = "tigera-dex"
	DexPort                  = 5556
	DexTLSSecretName         = "tigera-dex-tls"
	DexClientId              = "tigera-manager"
	DexPolicyName            = networkpolicy.TigeraComponentPolicyPrefix + "allow-tigera-dex"
)
View Source
const (
	ClientSecretSecretField = "clientSecret"

	RootCASecretField   = "rootCA"
	OIDCSecretName      = "tigera-oidc-credentials"
	OpenshiftSecretName = "tigera-openshift-credentials"
	LDAPSecretName      = "tigera-ldap-credentials"

	ClientIDSecretField = "clientID"
	BindDNSecretField   = "bindDN"
	BindPWSecretField   = "bindPW"

	// Default claims to use to data from a JWT.
	DefaultGroupsClaim = "groups"
)
View Source
const (
	LogCollectorNamespace      = "tigera-fluentd"
	FluentdFilterConfigMapName = "fluentd-filters"
	FluentdFilterFlowName      = "flow"
	FluentdFilterDNSName       = "dns"
	S3FluentdSecretName        = "log-collector-s3-credentials"
	S3KeyIdName                = "key-id"
	S3KeySecretName            = "key-secret"

	// FluentdPrometheusTLSSecretName is the name of the secret containing the key pair fluentd presents to identify itself.
	// Somewhat confusingly, this is named the prometheus TLS key pair because that was the first
	// use-case for this credential. However, it is used on all TLS connections served by fluentd.
	FluentdPrometheusTLSSecretName = "tigera-fluentd-prometheus-tls"
	FluentdMetricsService          = "fluentd-metrics"
	FluentdMetricsServiceWindows   = "fluentd-metrics-windows"
	FluentdMetricsPortName         = "fluentd-metrics-port"
	FluentdMetricsPort             = 9081
	FluentdPolicyName              = networkpolicy.TigeraComponentPolicyPrefix + "allow-fluentd-node"

	ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access"
	EksLogForwarderSecret                  = "tigera-eks-log-forwarder-secret"
	EksLogForwarderAwsId                   = "aws-id"
	EksLogForwarderAwsKey                  = "aws-key"
	SplunkFluentdTokenSecretName           = "logcollector-splunk-credentials"
	SplunkFluentdSecretTokenKey            = "token"
	SplunkFluentdCertificateSecretName     = "logcollector-splunk-public-certificate"
	SplunkFluentdSecretCertificateKey      = "ca.pem"
	SplunkFluentdSecretsVolName            = "splunk-certificates"
	SplunkFluentdDefaultCertDir            = "/etc/pki/splunk/"
	SplunkFluentdDefaultCertPath           = SplunkFluentdDefaultCertDir + SplunkFluentdSecretCertificateKey
	SysLogPublicCADir                      = "/etc/pki/tls/certs/"
	SysLogPublicCertKey                    = "ca-bundle.crt"
	SysLogPublicCAPath                     = SysLogPublicCADir + SysLogPublicCertKey
	SyslogCAConfigMapName                  = "syslog-ca"

	// Constants for Linseed token volume mounting in managed clusters.
	LinseedTokenVolumeName = "linseed-token"
	LinseedTokenKey        = "token"
	LinseedTokenSubPath    = "token"
	LinseedTokenSecret     = "%s-tigera-linseed-token"
	LinseedVolumeMountPath = "/var/run/secrets/tigera.io/linseed/"
	LinseedTokenPath       = "/var/run/secrets/tigera.io/linseed/token"

	FluentdNodeName = "fluentd-node"

	EKSLogForwarderName          = "eks-log-forwarder"
	EKSLogForwarderTLSSecretName = "tigera-eks-log-forwarder-tls"

	PacketCaptureAPIRole        = "packetcapture-api-role"
	PacketCaptureAPIRoleBinding = "packetcapture-api-role-binding"
)
View Source
const (
	GuardianName                   = "tigera-guardian"
	GuardianNamespace              = GuardianName
	GuardianServiceAccountName     = GuardianName
	GuardianClusterRoleName        = GuardianName
	GuardianClusterRoleBindingName = GuardianName
	GuardianDeploymentName         = GuardianName
	GuardianPodSecurityPolicyName  = GuardianName
	GuardianServiceName            = "tigera-guardian"
	GuardianVolumeName             = "tigera-guardian-certs"
	GuardianSecretName             = "tigera-managed-cluster-connection"
	GuardianTargetPort             = 8080
	GuardianPolicyName             = networkpolicy.TigeraComponentPolicyPrefix + "guardian-access"
)

The names of the components related to the Guardian related rendered objects.

View Source
const (
	IntrusionDetectionNamespace = "tigera-intrusion-detection"
	IntrusionDetectionName      = "intrusion-detection-controller"

	ElasticsearchIntrusionDetectionUserSecret    = "tigera-ee-intrusion-detection-elasticsearch-access"
	ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access"
	ElasticsearchPerformanceHotspotsUserSecret   = "tigera-ee-performance-hotspots-elasticsearch-access"

	IntrusionDetectionInstallerJobName     = "intrusion-detection-es-job-installer"
	IntrusionDetectionControllerName       = "intrusion-detection-controller"
	IntrusionDetectionControllerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + IntrusionDetectionControllerName
	IntrusionDetectionInstallerPolicyName  = networkpolicy.TigeraComponentPolicyPrefix + "intrusion-detection-elastic"

	ADAPIObjectName                 = "anomaly-detection-api"
	ADAPIPodSecurityPolicyName      = "anomaly-detection-api"
	IntrusionDetectionTLSSecretName = "intrusion-detection-tls"
	DPITLSSecretName                = "deep-packet-inspection-tls"
	ADAPIPolicyName                 = networkpolicy.TigeraComponentPolicyPrefix + ADAPIObjectName

	ADPersistentVolumeClaimName = "tigera-anomaly-detection"
	ADJobPodTemplateBaseName    = "tigera.io.detectors"

	ADDetectorPolicyName = networkpolicy.TigeraComponentPolicyPrefix + adDetectorName
)
View Source
const (
	ECKOperatorName         = "elastic-operator"
	ECKOperatorNamespace    = "tigera-eck-operator"
	ECKLicenseConfigMapName = "elastic-licensing"
	ECKOperatorPolicyName   = networkpolicy.TigeraComponentPolicyPrefix + "elastic-operator-access"
	ECKEnterpriseTrial      = "eck-trial-license"

	ElasticsearchObjectName = "tigera-elasticsearch"
	ElasticsearchNamespace  = ElasticsearchObjectName

	// TigeraLinseedSecret is the name of the secret that holds the TLS key pair mounted into Linseed.
	// The secret contains server key and certificate.
	TigeraLinseedSecret = "tigera-secure-linseed-cert"

	// TigeraLinseedSecretsClusterRole is the name of the ClusterRole used to make RoleBindings in namespaces where Linseed
	// needs to be able to manipulate secrets
	TigeraLinseedSecretsClusterRole = "tigera-linseed-secrets"

	// TigeraLinseedTokenSecret is the name of the secret that holds the access token signing key for Linseed.
	TigeraLinseedTokenSecret = "tigera-secure-linseed-token-tls"

	// TigeraElasticsearchGatewaySecret is the TLS key pair that is mounted by Elasticsearch gateway.
	TigeraElasticsearchGatewaySecret = "tigera-secure-elasticsearch-cert"

	// TigeraElasticsearchInternalCertSecret is the TLS key pair that is mounted by the Elasticsearch pods.
	TigeraElasticsearchInternalCertSecret = "tigera-secure-internal-elasticsearch-cert"

	// TigeraKibanaCertSecret is the TLS key pair that is mounted by the Kibana pods.
	TigeraKibanaCertSecret = "tigera-secure-kibana-cert"

	// Linseed vars.
	LinseedServiceName = "tigera-linseed"

	ElasticsearchName               = "tigera-secure"
	ElasticsearchServiceName        = "tigera-secure-es-http"
	ESGatewayServiceName            = "tigera-secure-es-gateway-http"
	ElasticsearchDefaultPort        = 9200
	ElasticsearchInternalPort       = 9300
	ElasticsearchAdminUserSecret    = "tigera-secure-es-elastic-user"
	ElasticsearchLinseedUserSecret  = "tigera-ee-linseed-elasticsearch-user-secret"
	ElasticsearchPolicyName         = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-access"
	ElasticsearchInternalPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-internal"

	KibanaName         = "tigera-secure"
	KibanaObjectName   = "tigera-kibana"
	KibanaNamespace    = KibanaObjectName
	KibanaBasePath     = KibanaObjectName
	KibanaServiceName  = "tigera-secure-kb-http"
	KibanaDefaultRoute = "/app/kibana#/dashboards?%s&title=%s"
	KibanaPolicyName   = networkpolicy.TigeraComponentPolicyPrefix + "kibana-access"
	KibanaPort         = 5601

	DefaultElasticsearchClusterName = "cluster"
	DefaultElasticsearchReplicas    = 0
	DefaultElasticStorageGi         = 10

	ESCuratorName           = "elastic-curator"
	EsCuratorServiceAccount = "tigera-elastic-curator"
	EsCuratorPolicyName     = networkpolicy.TigeraComponentPolicyPrefix + "allow-elastic-curator"

	OIDCUsersConfigMapName = "tigera-known-oidc-users"
	OIDCUsersESSecretName  = "tigera-oidc-users-elasticsearch-credentials"

	ElasticsearchLicenseTypeBasic           ElasticsearchLicenseType = "basic"
	ElasticsearchLicenseTypeEnterprise      ElasticsearchLicenseType = "enterprise"
	ElasticsearchLicenseTypeEnterpriseTrial ElasticsearchLicenseType = "enterprise_trial"
	ElasticsearchLicenseTypeUnknown         ElasticsearchLicenseType = ""

	EsManagerRole        = "es-manager"
	EsManagerRoleBinding = "es-manager"

	KibanaTLSAnnotationHash        = "hash.operator.tigera.io/kb-secrets"
	ElasticsearchTLSHashAnnotation = "hash.operator.tigera.io/es-secrets"

	TimeFilter         = "_g=(time:(from:now-24h,to:now))"
	FlowsDashboardName = "Tigera Secure EE Flow Logs"
)
View Source
const (
	// ElasticsearchKeystoreSecret Currently only used when FIPS mode is enabled, we need to initialize the keystore with a password.
	ElasticsearchKeystoreSecret         = "tigera-secure-elasticsearch-keystore"
	ElasticsearchKeystoreEnvName        = "KEYSTORE_PASSWORD"
	ElasticsearchKeystoreHashAnnotation = "hash.operator.tigera.io/keystore-password"
)
View Source
const (
	ManagerServiceName           = "tigera-manager"
	ManagerDeploymentName        = "tigera-manager"
	ManagerNamespace             = "tigera-manager"
	ManagerServiceAccount        = "tigera-manager"
	ManagerClusterRole           = "tigera-manager-role"
	ManagerClusterRoleBinding    = "tigera-manager-binding"
	ManagerTLSSecretName         = "manager-tls"
	ManagerInternalTLSSecretName = "internal-manager-tls"
	ManagerPolicyName            = networkpolicy.TigeraComponentPolicyPrefix + "manager-access"

	// The name of the TLS certificate used by Voltron to authenticate connections from managed
	// cluster clients talking to Linseed.
	VoltronLinseedTLS        = "tigera-voltron-linseed-tls"
	VoltronLinseedPublicCert = "tigera-voltron-linseed-certs-public"

	ManagerClusterSettings            = "cluster-settings"
	ManagerUserSettings               = "user-settings"
	ManagerClusterSettingsLayerTigera = "cluster-settings.layer.tigera-infrastructure"
	ManagerClusterSettingsViewDefault = "cluster-settings.view.default"

	ElasticsearchManagerUserSecret  = "tigera-ee-manager-elasticsearch-access"
	TlsSecretHashAnnotation         = "hash.operator.tigera.io/tls-secret"
	KibanaTLSHashAnnotation         = "hash.operator.tigera.io/kibana-secrets"
	ElasticsearchUserHashAnnotation = "hash.operator.tigera.io/elasticsearch-user"
)
View Source
const (
	VoltronName             = "tigera-voltron"
	VoltronTunnelSecretName = "tigera-management-cluster-connection"
)

ManagementClusterConnection configuration constants

View Source
const (
	PSSPrivileged = "privileged"
	PSSBaseline   = "baseline"
	PSSRestricted = "restricted"
)
View Source
const (
	BirdTemplatesConfigMapName = "bird-templates"

	CSRLabelCalicoSystem        = "calico-system"
	BGPLayoutConfigMapName      = "bgp-layout"
	BGPLayoutConfigMapKey       = "earlyNetworkConfiguration"
	BGPLayoutVolumeName         = "bgp-layout"
	BGPLayoutPath               = "/etc/calico/early-networking.yaml"
	K8sSvcEndpointConfigMapName = "kubernetes-services-endpoint"

	NodeFinalizer = "tigera.io/cni-protector"

	CalicoNodeMetricsService      = "calico-node-metrics"
	NodePrometheusTLSServerSecret = "calico-node-prometheus-server-tls"
	CalicoNodeObjectName          = "calico-node"
	CalicoCNIPluginObjectName     = "calico-cni-plugin"
)
View Source
const (
	PacketCaptureContainerName          = "tigera-packetcapture-server"
	PacketCaptureName                   = "tigera-packetcapture"
	PacketCaptureNamespace              = PacketCaptureName
	PacketCaptureServiceAccountName     = PacketCaptureName
	PacketCaptureClusterRoleName        = PacketCaptureName
	PacketCaptureClusterRoleBindingName = PacketCaptureName
	PacketCaptureDeploymentName         = PacketCaptureName
	PacketCaptureServiceName            = PacketCaptureName
	PacketCapturePodSecurityPolicyName  = PacketCaptureName
	PacketCapturePolicyName             = networkpolicy.TigeraComponentPolicyPrefix + PacketCaptureName
	PacketCapturePort                   = 8444
	PacketCaptureServerCert             = "tigera-packetcapture-server-tls"
)

The names of the components related to the PacketCapture APIs related rendered objects.

View Source
const (
	ElasticsearchPolicyRecommendationUserSecret = "tigera-ee-policy-recommendation-elasticsearch-access"

	PolicyRecommendationName                  = "tigera-policy-recommendation"
	PolicyRecommendationNamespace             = PolicyRecommendationName
	PolicyRecommendationPodSecurityPolicyName = PolicyRecommendationName
	PolicyRecommendationPolicyName            = networkpolicy.TigeraComponentPolicyPrefix + PolicyRecommendationName

	PolicyRecommendationTLSSecretName = "policy-recommendation-tls"
)

The names of the components related to the PolicyRecommendation APIs related rendered objects.

View Source
const (
	TyphaServiceName              = "calico-typha"
	TyphaPortName                 = "calico-typha"
	TyphaK8sAppName               = "calico-typha"
	TyphaServiceAccountName       = "calico-typha"
	AppLabelName                  = "k8s-app"
	TyphaPort               int32 = 5473

	TyphaContainerName = "calico-typha"
)
View Source
const (
	WindowsNodeObjectName     = "calico-node-windows"
	WindowsNodeMetricsService = "calico-node-metrics-windows"
)
View Source
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"

Variables

View Source
var (
	ElasticsearchSelector   = fmt.Sprintf("elasticsearch.k8s.elastic.co/cluster-name == '%s'", ElasticsearchName)
	ElasticsearchEntityRule = v3.EntityRule{
		NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
		Selector:          ElasticsearchSelector,
		Ports:             []numorstring.Port{{MinPort: ElasticsearchDefaultPort, MaxPort: ElasticsearchDefaultPort}},
	}
)
View Source
var (
	CommonName               = "common-name"
	URISAN                   = "uri-san"
	TyphaCommonName          = "typha-server"
	FelixCommonName          = "typha-client"
	NodePriorityClassName    = "system-node-critical"
	ClusterPriorityClassName = "system-cluster-critical"
)
View Source
var (
	TyphaTLSSecretName   = "typha-certs"
	TyphaCAConfigMapName = "typha-ca"
	TyphaCABundleName    = "caBundle"
)
View Source
var FluentdSourceEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("name == '%s'", LogCollectorNamespace),
	Selector:          networkpolicy.KubernetesAppSelector(FluentdNodeName, fluentdNodeWindowsName),
}
View Source
var InternalElasticsearchEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
	Selector:          ElasticsearchSelector,
	Ports:             []numorstring.Port{{MinPort: ElasticsearchInternalPort, MaxPort: ElasticsearchInternalPort}},
}
View Source
var IntrusionDetectionInstallerSourceEntityRule = v3.EntityRule{
	NamespaceSelector: intrusionDetectionNamespaceSelector,
	Selector:          fmt.Sprintf("job-name == '%s'", IntrusionDetectionInstallerJobName),
}
View Source
var (
	IntrusionDetectionSourceEntityRule = v3.EntityRule{
		NamespaceSelector: intrusionDetectionNamespaceSelector,
		Selector:          fmt.Sprintf("k8s-app == '%s'", IntrusionDetectionControllerName),
	}
)

Register secret/certs that need Server and Client Key usage

View Source
var (
	NodeTLSSecretName = "node-certs"
)
View Source
var TigeraAPIServerEntityRule = v3.EntityRule{
	Services: &v3.ServiceMatch{
		Namespace: QueryserverNamespace,
		Name:      QueryserverServiceName,
	},
}

Functions

func APIServerServiceAccountName added in v1.30.0

func APIServerServiceAccountName(v operatorv1.ProductVariant) string

func CreateCertificateConfigMap added in v1.25.1

func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap

CreateCertificateConfigMap is a convenience method for creating a configmap that contains only a ca or cert to trust.

func CreateCertificateSecret added in v1.18.0

func CreateCertificateSecret(caPem []byte, secretName string, namespace string) *corev1.Secret

CreateCertificateSecret is a convenience method for creating a secret that contains only a ca or cert to trust.

func CreateDexClientSecret added in v1.12.0

func CreateDexClientSecret() *corev1.Secret

func CreateElasticsearchKeystoreSecret added in v1.28.2

func CreateElasticsearchKeystoreSecret() *corev1.Secret

CreateElasticsearchKeystoreSecret creates a secret to be used for initializing the keystore on Elasticsearch.

func CreateNamespace added in v1.22.0

func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace

func DefaultWindowsCNIDirectories added in v1.32.0

func DefaultWindowsCNIDirectories(installation operatorv1.InstallationSpec) (string, string, string)

DefaultWindowsCNIDirectories returns the CNI binary, network config and log directories and the CNI conf filename for the configured platform. FIXME: populate with known default for other providers

func GetIPv4Pool added in v1.2.0

func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool

GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.

func GetIPv6Pool added in v1.2.0

func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool

GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.

func GetLinseedTokenPath added in v1.30.0

func GetLinseedTokenPath(managedCluster bool) string

func GetTigeraSecurityGroupEnvVariables added in v1.8.0

func GetTigeraSecurityGroupEnvVariables(aci *operatorv1.AmazonCloudIntegration) []corev1.EnvVar

func ImagePullPolicy added in v1.31.0

func ImagePullPolicy() corev1.PullPolicy

ImagePullPolicy returns the image pull policy to use for all components.

func NewDexKeyValidatorConfig added in v1.12.0

func NewDexKeyValidatorConfig(
	authentication *oprv1.Authentication,
	idpSecret *corev1.Secret,
	clusterDomain string) authentication.KeyValidatorConfig

func ProjectCalicoAPIServerServiceName added in v1.30.0

func ProjectCalicoAPIServerServiceName(v operatorv1.ProductVariant) string

func ProjectCalicoAPIServerTLSSecretName added in v1.30.0

func ProjectCalicoAPIServerTLSSecretName(v operatorv1.ProductVariant) string

The following functions are helpers for determining resource names based on the configured product variant.

func SetClusterCriticalPod added in v1.22.0

func SetClusterCriticalPod(t *corev1.PodTemplateSpec)

func SetTestLogger

func SetTestLogger(l logr.Logger)

Types

type APIServerConfiguration added in v1.25.0

type APIServerConfiguration struct {
	K8SServiceEndpoint          k8sapi.ServiceEndpoint
	Installation                *operatorv1.InstallationSpec
	APIServer                   *operatorv1.APIServerSpec
	ForceHostNetwork            bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	AmazonCloudIntegration      *operatorv1.AmazonCloudIntegration
	TLSKeyPair                  certificatemanagement.KeyPairInterface
	PullSecrets                 []*corev1.Secret
	Openshift                   bool
	TrustedBundle               certificatemanagement.TrustedBundle
	MultiTenant                 bool

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

APIServerConfiguration contains all the config information needed to render the component.

type AWSSGSetupConfiguration added in v1.25.0

type AWSSGSetupConfiguration struct {
	PullSecrets  []corev1.LocalObjectReference
	Installation *operatorv1.InstallationSpec
}

AWSSGSetupConfiguration contains all the config information needed to render the component.

type AmazonCloudIntegrationConfiguration added in v1.25.0

type AmazonCloudIntegrationConfiguration struct {
	AmazonCloudIntegration *operatorv1.AmazonCloudIntegration
	Installation           *operatorv1.InstallationSpec
	Credentials            *AmazonCredential
	PullSecrets            []*corev1.Secret
	TrustedBundle          certificatemanagement.TrustedBundle
}

AmazonCloudIntegrationConfiguration contains all the config information needed to render the component.

type AmazonCredential added in v1.8.0

type AmazonCredential struct {
	KeyId     []byte
	KeySecret []byte
}

func ConvertSecretToCredential added in v1.8.0

func ConvertSecretToCredential(s *corev1.Secret) (*AmazonCredential, error)

type CSIConfiguration added in v1.28.0

type CSIConfiguration struct {
	Installation *operatorv1.InstallationSpec
	Terminating  bool
	UsePSP       bool
	OpenShift    bool
}

type ComplianceConfiguration added in v1.25.0

type ComplianceConfiguration struct {
	ESSecrets                   []*corev1.Secret
	Installation                *operatorv1.InstallationSpec
	ESClusterConfig             *relasticsearch.ClusterConfig
	PullSecrets                 []*corev1.Secret
	Openshift                   bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	KeyValidatorConfig          authentication.KeyValidatorConfig
	ClusterDomain               string
	HasNoLicense                bool

	// Trusted certificate bundle for all compliance pods.
	TrustedBundle certificatemanagement.TrustedBundle

	// Key pairs used for mTLS.
	ServerKeyPair      certificatemanagement.KeyPairInterface
	BenchmarkerKeyPair certificatemanagement.KeyPairInterface
	ReporterKeyPair    certificatemanagement.KeyPairInterface
	SnapshotterKeyPair certificatemanagement.KeyPairInterface
	ControllerKeyPair  certificatemanagement.KeyPairInterface

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

ComplianceConfiguration contains all the config information needed to render the component.

type Component

type Component interface {
	// ResolveImages should call components.GetReference for all images that the Component
	// needs, passing 'is' to the GetReference call and if there are any errors those
	// are returned. It is valid to pass nil for 'is' as GetReference accepts the value.
	// ResolveImages must be called before Objects is called for the component.
	ResolveImages(is *operatorv1.ImageSet) error

	// Objects returns the lists of objects in this component that should be created and/or deleted during
	// rendering.
	Objects() (objsToCreate, objsToDelete []client.Object)

	// Ready returns true if the component is ready to be created.
	Ready() bool

	// SupportedOSTypes returns operating systems that is supported of the components returned by the Objects() function.
	// The "componentHandler" converts the returned OSTypes to a node selectors for the "kubernetes.io/os" label on client.Objects
	// that create pods. Return OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label.
	SupportedOSType() rmeta.OSType
}

func APIServer

func APIServer(cfg *APIServerConfiguration) (Component, error)

func APIServerPolicy added in v1.28.0

func APIServerPolicy(cfg *APIServerConfiguration) Component

func AWSSecurityGroupSetup added in v1.0.0

func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)

func AmazonCloudIntegration added in v1.8.0

func AmazonCloudIntegration(cfg *AmazonCloudIntegrationConfiguration) Component

func CSI added in v1.28.0

func CSI(cfg *CSIConfiguration) Component

func Compliance

func Compliance(cfg *ComplianceConfiguration) (Component, error)

func Dex added in v1.12.0

func Fluentd added in v1.0.0

func Fluentd(cfg *FluentdConfiguration) Component

func Guardian added in v1.2.0

func Guardian(cfg *GuardianConfiguration) Component

func GuardianPolicy added in v1.28.0

func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)

func IntrusionDetection

func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component

func LogStorage added in v1.4.0

func LogStorage(cfg *ElasticsearchConfiguration) Component

LogStorage renders the components necessary for kibana and elasticsearch

func Manager added in v1.0.0

func Manager(cfg *ManagerConfiguration) (Component, error)

Manager returns a component for rendering namespaced manager resources.

func Namespaces

func Namespaces(cfg *NamespaceConfiguration) Component

func NewDeletionPassthrough added in v1.29.1

func NewDeletionPassthrough(objs ...client.Object) Component

func NewManagedClusterLogStorage added in v1.32.0

func NewManagedClusterLogStorage(cfg *ManagedClusterLogStorageConfiguration) Component

NewManagedClusterLogStorage returns a component for managed cluster log storage resources.

func NewPassthrough added in v1.22.0

func NewPassthrough(objs ...client.Object) Component

func Node

func Node(cfg *NodeConfiguration) Component

Node creates the node daemonset and other resources for the daemonset to operate normally.

func PacketCaptureAPI added in v1.21.0

func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component

func PacketCaptureAPIPolicy added in v1.28.0

func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component

func PolicyRecommendation added in v1.30.0

func PolicyRecommendation(cfg *PolicyRecommendationConfiguration) Component

func Typha added in v1.0.0

func Typha(cfg *TyphaConfiguration) Component

Typha creates the typha daemonset and other resources for the daemonset to operate normally.

func Windows added in v1.23.0

func Windows(
	cfg *WindowsConfiguration,
) Component

type DexComponentConfiguration added in v1.25.0

type DexComponentConfiguration struct {
	PullSecrets   []*corev1.Secret
	Openshift     bool
	Installation  *operatorv1.InstallationSpec
	DexConfig     DexConfig
	ClusterDomain string
	DeleteDex     bool
	TLSKeyPair    certificatemanagement.KeyPairInterface
	TrustedBundle certificatemanagement.TrustedBundle

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

DexComponentConfiguration contains all the config information needed to render the component.

type DexConfig added in v1.12.0

type DexConfig interface {
	Connector() map[string]interface{}
	RedirectURIs() []string
	// RequiredVolumeMounts returns volume mounts that the KeyValidatorConfig implementation requires.
	RequiredVolumeMounts() []corev1.VolumeMount
	// RequiredVolumes returns volumes that the KeyValidatorConfig implementation requires.
	RequiredVolumes() []corev1.Volume
	authentication.KeyValidatorConfig
}

DexConfig is a config for DexIdP itself.

func NewDexConfig added in v1.12.0

func NewDexConfig(
	certificateManagement *oprv1.CertificateManagement,
	authentication *oprv1.Authentication,
	dexSecret *corev1.Secret,
	idpSecret *corev1.Secret,
	clusterDomain string) DexConfig

Create a new DexConfig.

type DexKeyValidatorConfig added in v1.12.0

type DexKeyValidatorConfig struct {
	// contains filtered or unexported fields
}

func (DexKeyValidatorConfig) BaseURL added in v1.18.0

func (d DexKeyValidatorConfig) BaseURL() string

func (DexKeyValidatorConfig) ClientID added in v1.18.0

func (d DexKeyValidatorConfig) ClientID() string

func (DexKeyValidatorConfig) ClientSecret added in v1.18.0

func (d DexKeyValidatorConfig) ClientSecret() []byte

func (DexKeyValidatorConfig) Issuer added in v1.18.0

func (d DexKeyValidatorConfig) Issuer() string

func (DexKeyValidatorConfig) RedirectURIs added in v1.18.0

func (d DexKeyValidatorConfig) RedirectURIs() []string

func (DexKeyValidatorConfig) RequestedScopes added in v1.18.0

func (d DexKeyValidatorConfig) RequestedScopes() []string

func (*DexKeyValidatorConfig) RequiredAnnotations added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string

RequiredAnnotations returns the annotations that are relevant for a validator config.

func (DexKeyValidatorConfig) RequiredConfigMaps added in v1.18.0

func (d DexKeyValidatorConfig) RequiredConfigMaps(string) []*corev1.ConfigMap

func (*DexKeyValidatorConfig) RequiredEnv added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar

Append variables that are necessary for using the dex authenticator.

func (DexKeyValidatorConfig) RequiredSecrets added in v1.12.0

func (d DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret

func (*DexKeyValidatorConfig) RequiredVolumeMounts added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount

func (*DexKeyValidatorConfig) RequiredVolumes added in v1.12.0

func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume

func (DexKeyValidatorConfig) UsernameClaim added in v1.18.0

func (d DexKeyValidatorConfig) UsernameClaim() string

type EksCloudwatchLogConfig added in v1.0.0

type EksCloudwatchLogConfig struct {
	AwsId         []byte
	AwsKey        []byte
	AwsRegion     string
	GroupName     string
	StreamPrefix  string
	FetchInterval int32
}

type ElasticsearchConfiguration added in v1.25.0

type ElasticsearchConfiguration struct {
	LogStorage              *operatorv1.LogStorage
	Installation            *operatorv1.InstallationSpec
	ManagementCluster       *operatorv1.ManagementCluster
	Elasticsearch           *esv1.Elasticsearch
	Kibana                  *kbv1.Kibana
	ClusterConfig           *relasticsearch.ClusterConfig
	ElasticsearchUserSecret *corev1.Secret
	ElasticsearchKeyPair    certificatemanagement.KeyPairInterface
	KibanaKeyPair           certificatemanagement.KeyPairInterface
	PullSecrets             []*corev1.Secret
	Provider                operatorv1.Provider
	CuratorSecrets          []*corev1.Secret
	ESService               *corev1.Service
	KbService               *corev1.Service
	ClusterDomain           string
	BaseURL                 string // BaseUrl is where the manager is reachable, for setting Kibana publicBaseUrl
	ElasticLicenseType      ElasticsearchLicenseType
	TrustedBundle           certificatemanagement.TrustedBundleRO
	UnusedTLSSecret         *corev1.Secret
	ApplyTrial              bool
	KeyStoreSecret          *corev1.Secret
	KibanaEnabled           bool

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

ElasticsearchConfiguration contains all the config information needed to render the component.

type ElasticsearchLicenseType added in v1.14.0

type ElasticsearchLicenseType string

type FluentdConfiguration added in v1.25.0

type FluentdConfiguration struct {
	LogCollector   *operatorv1.LogCollector
	S3Credential   *S3Credential
	SplkCredential *SplunkCredential
	Filters        *FluentdFilters
	// ESClusterConfig is only populated for when EKSConfig
	// is also defined
	ESClusterConfig *relasticsearch.ClusterConfig
	EKSConfig       *EksCloudwatchLogConfig
	PullSecrets     []*corev1.Secret
	Installation    *operatorv1.InstallationSpec
	ClusterDomain   string
	OSType          rmeta.OSType
	FluentdKeyPair  certificatemanagement.KeyPairInterface
	TrustedBundle   certificatemanagement.TrustedBundle
	ManagedCluster  bool

	// Set if running as a multi-tenant management cluster. Configures the management cluster's
	// own fluentd daemonset.
	Tenant *operatorv1.Tenant

	// Whether the cluster supports pod security policies.
	UsePSP bool
	// Whether to use User provided certificate or not.
	UseSyslogCertificate bool

	// EKSLogForwarderKeyPair contains the certificate presented by EKS LogForwarder when communicating with Linseed
	EKSLogForwarderKeyPair certificatemanagement.KeyPairInterface
}

FluentdConfiguration contains all the config information needed to render the component.

type FluentdFilters added in v1.0.0

type FluentdFilters struct {
	Flow string
	DNS  string
}

type GuardianComponent added in v1.2.0

type GuardianComponent struct {
	// contains filtered or unexported fields
}

func (*GuardianComponent) Objects added in v1.2.0

func (c *GuardianComponent) Objects() ([]client.Object, []client.Object)

func (*GuardianComponent) Ready added in v1.2.0

func (c *GuardianComponent) Ready() bool

func (*GuardianComponent) ResolveImages added in v1.14.0

func (c *GuardianComponent) ResolveImages(is *operatorv1.ImageSet) error

func (*GuardianComponent) SupportedOSType added in v1.11.0

func (c *GuardianComponent) SupportedOSType() rmeta.OSType

type GuardianConfiguration added in v1.25.0

type GuardianConfiguration struct {
	URL               string
	PullSecrets       []*corev1.Secret
	Openshift         bool
	Installation      *operatorv1.InstallationSpec
	TunnelSecret      *corev1.Secret
	TrustedCertBundle certificatemanagement.TrustedBundle
	TunnelCAType      operatorv1.CAType

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

GuardianConfiguration contains all the config information needed to render the component.

type IntrusionDetectionConfiguration added in v1.25.0

type IntrusionDetectionConfiguration struct {
	IntrusionDetection operatorv1.IntrusionDetection
	LogCollector       *operatorv1.LogCollector
	ESSecrets          []*corev1.Secret
	Installation       *operatorv1.InstallationSpec
	ESClusterConfig    *relasticsearch.ClusterConfig
	PullSecrets        []*corev1.Secret
	Openshift          bool
	ClusterDomain      string
	ESLicenseType      ElasticsearchLicenseType
	ManagedCluster     bool

	HasNoLicense                 bool
	TrustedCertBundle            certificatemanagement.TrustedBundle
	IntrusionDetectionCertSecret certificatemanagement.KeyPairInterface

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

IntrusionDetectionConfiguration contains all the config information needed to render the component.

type ManagedClusterLogStorageConfiguration added in v1.32.0

type ManagedClusterLogStorageConfiguration struct {
	Installation  *operatorv1.InstallationSpec
	ClusterDomain string
	Provider      operatorv1.Provider
}

ManagedClusterLogStorageConfiguration contains configuration for managed cluster log storage.

type ManagerConfiguration added in v1.25.0

type ManagerConfiguration struct {
	KeyValidatorConfig authentication.KeyValidatorConfig
	ESSecrets          []*corev1.Secret
	ClusterConfig      *relasticsearch.ClusterConfig
	PullSecrets        []*corev1.Secret
	Openshift          bool
	Installation       *operatorv1.InstallationSpec
	ManagementCluster  *operatorv1.ManagementCluster

	// If provided, the KeyPair to used for external connections terminated by Voltron,
	// and connections from the manager pod to Linseed.
	TLSKeyPair certificatemanagement.KeyPairInterface

	// The key pair to use for TLS between Linseed clients in managed clusters and Voltron
	// in the management cluster.
	VoltronLinseedKeyPair certificatemanagement.KeyPairInterface

	// KeyPair used by Voltron as the server certificate when establishing an mTLS tunnel with Guardian.
	TunnelServerCert certificatemanagement.KeyPairInterface

	// TLS KeyPair used by both Voltron and es-proxy, presented by each as part of the mTLS handshake with
	// other services within the cluster. This is used in both management and standalone clusters.
	InternalTLSKeyPair certificatemanagement.KeyPairInterface

	// Certificate bundle used by the manager pod to verify certificates presented
	// by clients as part of mTLS authentication.
	TrustedCertBundle certificatemanagement.TrustedBundleRO

	ClusterDomain           string
	ESLicenseType           ElasticsearchLicenseType
	Replicas                *int32
	Compliance              *operatorv1.Compliance
	ComplianceLicenseActive bool

	// Whether the cluster supports pod security policies.
	UsePSP            bool
	Namespace         string
	TruthNamespace    string
	BindingNamespaces []string

	// Whether or not to run the rendered components in multi-tenant mode.
	Tenant *operatorv1.Tenant
}

ManagerConfiguration contains all the config information needed to render the component.

type NamespaceConfiguration added in v1.25.0

type NamespaceConfiguration struct {
	Installation *operatorv1.InstallationSpec
	PullSecrets  []*corev1.Secret
	Terminating  bool
}

NamespaceConfiguration contains all the config information needed to render the component.

type NodeConfiguration added in v1.22.0

type NodeConfiguration struct {
	K8sServiceEp  k8sapi.ServiceEndpoint
	Installation  *operatorv1.InstallationSpec
	TLS           *TyphaNodeTLS
	ClusterDomain string

	// Optional fields.
	AmazonCloudIntegration  *operatorv1.AmazonCloudIntegration
	LogCollector            *operatorv1.LogCollector
	MigrateNamespaces       bool
	NodeAppArmorProfile     string
	BirdTemplates           map[string]string
	NodeReporterMetricsPort int
	// Indicates node is being terminated, so remove most resources but
	// leave RBAC and SA to allow any CNI plugin calls to continue to function
	// For details on why this is needed see 'Node and Installation finalizer' in the core_controller.
	Terminating         bool
	PrometheusServerTLS certificatemanagement.KeyPairInterface

	// BGPLayouts is returned by the rendering code after modifying its namespace
	// so that it can be deployed into the cluster.
	// TODO: The controller should pass the contents, the renderer should build its own
	// configmap, rather than this "copy" semantic.
	BGPLayouts *corev1.ConfigMap

	// The health port that Felix should bind to. The controller reads FelixConfiguration
	// and sets this.
	FelixHealthPort int

	// The bindMode read from the default BGPConfiguration. Used to trigger rolling updates
	// should this value change.
	BindMode string

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

NodeConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/node on a cluster.

type PacketCaptureApiConfiguration added in v1.25.0

type PacketCaptureApiConfiguration struct {
	PullSecrets                 []*corev1.Secret
	Openshift                   bool
	Installation                *operatorv1.InstallationSpec
	KeyValidatorConfig          authentication.KeyValidatorConfig
	ServerCertSecret            certificatemanagement.KeyPairInterface
	TrustedBundle               certificatemanagement.TrustedBundle
	ClusterDomain               string
	ManagementClusterConnection *operatorv1.ManagementClusterConnection

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

PacketCaptureApiConfiguration contains all the config information needed to render the component.

type PodSecurityStandard added in v1.28.0

type PodSecurityStandard string

type PolicyRecommendationConfiguration added in v1.30.0

type PolicyRecommendationConfiguration struct {
	ClusterDomain                  string
	Installation                   *operatorv1.InstallationSpec
	ManagedCluster                 bool
	Openshift                      bool
	PullSecrets                    []*corev1.Secret
	TrustedBundle                  certificatemanagement.TrustedBundle
	PolicyRecommendationCertSecret certificatemanagement.KeyPairInterface

	// Whether the cluster supports pod security policies.
	UsePSP    bool
	Namespace string

	// Whether or not to run the rendered components in multi-tenant mode.
	Tenant *operatorv1.Tenant
}

PolicyRecommendationConfiguration contains all the config information needed to render the component.

type Renderer

type Renderer interface {
	Render() []Component
}

A Renderer is capable of generating components to be installed on the cluster.

type S3Credential added in v1.0.0

type S3Credential struct {
	KeyId     []byte
	KeySecret []byte
}

type SplunkCredential added in v1.4.0

type SplunkCredential struct {
	Token       []byte
	Certificate []byte
}

type TyphaConfiguration added in v1.22.0

type TyphaConfiguration struct {
	K8sServiceEp           k8sapi.ServiceEndpoint
	Installation           *operatorv1.InstallationSpec
	TLS                    *TyphaNodeTLS
	AmazonCloudIntegration *operatorv1.AmazonCloudIntegration
	MigrateNamespaces      bool
	ClusterDomain          string

	// The health port that Felix is bound to. We configure Typha to bind to the port
	// that is one less.
	FelixHealthPort int

	// Whether the cluster supports pod security policies.
	UsePSP bool
}

TyphaConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/typha on a cluster.

type TyphaNodeTLS added in v1.0.0

type TyphaNodeTLS struct {
	TrustedBundle   certificatemanagement.TrustedBundle
	TyphaSecret     certificatemanagement.KeyPairInterface
	TyphaCommonName string
	TyphaURISAN     string
	NodeSecret      certificatemanagement.KeyPairInterface
	NodeCommonName  string
	NodeURISAN      string
}

TyphaNodeTLS holds configuration for Node and Typha to establish TLS.

type WindowsConfiguration added in v1.32.0

type WindowsConfiguration struct {
	K8sServiceEp            k8sapi.ServiceEndpoint
	K8sDNSServers           []string
	Installation            *operatorv1.InstallationSpec
	ClusterDomain           string
	TLS                     *TyphaNodeTLS
	PrometheusServerTLS     certificatemanagement.KeyPairInterface
	NodeReporterMetricsPort int
	AmazonCloudIntegration  *operatorv1.AmazonCloudIntegration
	VXLANVNI                int
}

Directories

Path Synopsis
THIS IS A GENERATED FILE, PLEASE DO NOT EDIT.
THIS IS A GENERATED FILE, PLEASE DO NOT EDIT.
common
intrusiondetection
dpi
logstorage

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL