render

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 27, 2020 License: Apache-2.0 Imports: 44 Imported by: 0

Documentation

Overview

This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.

Index

Constants

// Identifiers for the API server's namespace and TLS Secret. The values are
// object and data-key names only; no key material appears here.
// NOTE(review): the role of each name is read from its identifier; confirm
// against the code that consumes these constants.
const (
	APIServerNamespace      = "tigera-system"
	APIServerTLSSecretName  = "tigera-apiserver-certs"
	APIServerSecretKeyName  = "apiserver.key"
	APIServerSecretCertName = "apiserver.crt"
)
const (
	// NOTE(review): the listing does not show what Optional qualifies; confirm
	// at the call sites.
	Optional                   = true
	// DefaultCertificateDuration evaluates to 100 years of 365 days
	// (876,000 hours).
	// NOTE(review): if this is the validity passed as dur to
	// CreateOperatorTLSSecret, the issued certificates are effectively
	// non-expiring, so expiry cannot be relied on to limit the impact of a
	// leaked key; rotation has to be handled some other way. Confirm where
	// this value is used.
	DefaultCertificateDuration = 100 * 365 * 24 * time.Hour
)
// Namespace and component names for the compliance feature.
// NOTE(review): which Kubernetes objects carry these names is not visible in
// this listing.
const (
	ComplianceNamespace       = "tigera-compliance"
	ComplianceServerName      = "compliance-server"
	ComplianceControllerName  = "compliance-controller"
	ComplianceSnapshotterName = "compliance-snapshotter"
)
// Secret names and data keys used by the compliance components. These are
// names only; no credential values appear here.
const (
	// One Secret name per component. Judging by the "-elasticsearch-access"
	// suffix, each presumably holds that component's Elasticsearch user
	// credentials.
	// NOTE(review): separate Secrets suggest separate Elasticsearch users;
	// confirm each user is scoped to what its component needs.
	ElasticsearchComplianceBenchmarkerUserSecret = "tigera-ee-compliance-benchmarker-elasticsearch-access"
	ElasticsearchComplianceControllerUserSecret  = "tigera-ee-compliance-controller-elasticsearch-access"
	ElasticsearchComplianceReporterUserSecret    = "tigera-ee-compliance-reporter-elasticsearch-access"
	ElasticsearchComplianceSnapshotterUserSecret = "tigera-ee-compliance-snapshotter-elasticsearch-access"
	ElasticsearchComplianceServerUserSecret      = "tigera-ee-compliance-server-elasticsearch-access"
	ElasticsearchCuratorUserSecret               = "tigera-ee-curator-elasticsearch-access"

	// TLS Secret name for the compliance server and the data keys inside it
	// (presumably certificate and private key, going by "tls.crt"/"tls.key").
	ComplianceServerCertSecret = "tigera-compliance-server-tls"
	ComplianceServerCertName   = "tls.crt"
	ComplianceServerKeyName    = "tls.key"
)
// CNI plugin identifiers.
// NOTE(review): presumably the values accepted by NetworkConfig.CNI, which is
// a plain string field; confirm where that field is validated.
const (
	CNICalico = "calico"
	CNINone   = "none"
)
// Filesystem locations and Secret names for Elasticsearch certificates.
const (
	// ElasticsearchDefaultCertPath is built from the directory constant and
	// resolves to "/etc/ssl/elastic/ca.pem".
	// NOTE(review): presumably where the CA certificate is mounted inside
	// client containers; confirm against ElasticsearchDefaultVolumeMount.
	ElasticsearchDefaultCertDir   = "/etc/ssl/elastic/"
	ElasticsearchDefaultCertPath  = ElasticsearchDefaultCertDir + "ca.pem"
	// NOTE(review): the "-public" suffix suggests the second Secret holds only
	// public certificate data; verify no private key is copied alongside it.
	TigeraElasticsearchCertSecret = "tigera-secure-elasticsearch-cert"
	ElasticsearchPublicCertSecret = "tigera-secure-es-http-certs-public"
)
// Names used by the log collector (fluentd). Every value is an object name,
// data key or path; none is a credential value.
const (
	// Namespace, filter ConfigMap name and its keys, then the S3 credentials
	// Secret name and its data keys.
	// NOTE(review): "key-id"/"key-secret" presumably map onto
	// S3Credential.KeyId and S3Credential.KeySecret; confirm.
	LogCollectorNamespace      = "tigera-fluentd"
	FluentdFilterConfigMapName = "fluentd-filters"
	FluentdFilterFlowName      = "flow"
	FluentdFilterDNSName       = "dns"
	S3FluentdSecretName        = "log-collector-s3-credentials"
	S3KeyIdName                = "key-id"
	S3KeySecretName            = "key-secret"

	// Elasticsearch access Secret names for fluentd and the EKS log forwarder,
	// plus the EKS forwarder's own Secret and its data keys.
	// NOTE(review): "aws-id"/"aws-key" presumably map onto
	// EksCloudwatchLogConfig.AwsId and AwsKey; confirm.
	ElasticsearchLogCollectorUserSecret    = "tigera-fluentd-elasticsearch-access"
	ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access"
	EksLogForwarderSecret                  = "tigera-eks-log-forwarder-secret"
	EksLogForwarderAwsId                   = "aws-id"
	EksLogForwarderAwsKey                  = "aws-key"

	// Splunk token Secret, Splunk certificate Secret, volume name and paths.
	// SplunkFluentdDefaultCertPath resolves to "/etc/ssl/splunk/ca.pem"
	// because it joins the directory with SplunkFluentdSecretCertificateKey.
	SplunkFluentdTokenSecretName       = "logcollector-splunk-credentials"
	SplunkFluentdSecretTokenKey        = "token"
	SplunkFluentdCertificateSecretName = "logcollector-splunk-public-certificate"
	SplunkFluentdSecretCertificateKey  = "ca.pem"
	SplunkFluentdSecretsVolName        = "splunk-certificates"
	SplunkFluentdDefaultCertDir        = "/etc/ssl/splunk/"
	SplunkFluentdDefaultCertPath       = SplunkFluentdDefaultCertDir + SplunkFluentdSecretCertificateKey
)
// Names of the rendered objects that belong to Guardian.
const (
	// The namespace, service account, cluster role, cluster role binding and
	// deployment names all alias GuardianName, so changing it renames them
	// together.
	GuardianName                   = "tigera-guardian"
	GuardianNamespace              = GuardianName
	GuardianServiceAccountName     = GuardianName
	GuardianClusterRoleName        = GuardianName
	GuardianClusterRoleBindingName = GuardianName
	GuardianDeploymentName         = GuardianName
	// GuardianServiceName repeats the literal instead of referencing
	// GuardianName, so it does not follow a rename of GuardianName.
	GuardianServiceName            = "tigera-guardian"
	GuardianVolumeName             = "tigera-guardian-certs"
	// NOTE(review): presumably the Secret passed to Guardian as tunnelSecret,
	// holding the managed cluster's connection credentials; confirm.
	GuardianSecretName             = "tigera-managed-cluster-connection"
)

The names of the rendered objects related to Guardian.

// Names used by the intrusion detection feature.
const (
	IntrusionDetectionNamespace = "tigera-intrusion-detection"

	// Elasticsearch access Secret names. Note that the Job's Secret value is
	// "tigera-ee-installer-elasticsearch-access"; it does not contain
	// "intrusion-detection" like its sibling.
	// NOTE(review): confirm the installer user is not shared with unrelated
	// components and is scoped to what the installer Job needs.
	ElasticsearchIntrusionDetectionUserSecret    = "tigera-ee-intrusion-detection-elasticsearch-access"
	ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access"

	IntrusionDetectionInstallerJobName = "intrusion-detection-es-job-installer"
)
// Names, endpoints and defaults for log storage: the ECK operator,
// Elasticsearch, Kibana and the curator.
const (
	// ECK operator and admission webhook identifiers.
	// NOTE(review): ECKEnterpriseTrial is presumably the object name used when
	// LogStorage is called with applyTrial set; confirm.
	ECKOperatorName         = "elastic-operator"
	ECKOperatorNamespace    = "tigera-eck-operator"
	ECKWebhookSecretName    = "elastic-webhook-server-cert"
	ECKWebhookName          = "elastic-webhook-server"
	ECKEnterpriseTrial      = "eck-trial-license"
	ECKWebhookConfiguration = "elastic-webhook.k8s.elastic.co"

	// Elasticsearch identifiers. ElasticsearchHTTPURL is a bare host name with
	// no scheme or port despite its name. ElasticsearchHTTPSEndpoint is the
	// same host over https on port 9200.
	ElasticsearchStorageClass  = "tigera-elasticsearch"
	ElasticsearchNamespace     = "tigera-elasticsearch"
	ElasticsearchHTTPURL       = "tigera-secure-es-http.tigera-elasticsearch.svc"
	ElasticsearchHTTPSEndpoint = "https://tigera-secure-es-http.tigera-elasticsearch.svc:9200"
	ElasticsearchName          = "tigera-secure"
	ElasticsearchConfigMapName = "tigera-secure-elasticsearch"
	ElasticsearchServiceName   = "tigera-secure-es-http"

	// Kibana identifiers. KibanaHTTPURL is likewise a bare host name.
	// KibanaHTTPSEndpoint is that host over https on port 5601.
	// KibanaDefaultCertPath is a filesystem path.
	KibanaHTTPURL          = "tigera-secure-kb-http.tigera-kibana.svc"
	KibanaHTTPSEndpoint    = "https://tigera-secure-kb-http.tigera-kibana.svc:5601"
	KibanaName             = "tigera-secure"
	KibanaNamespace        = "tigera-kibana"
	KibanaPublicCertSecret = "tigera-secure-kb-http-certs-public"
	TigeraKibanaCertSecret = "tigera-secure-kibana-cert"
	KibanaDefaultCertPath  = "/etc/ssl/kibana/ca.pem"
	KibanaBasePath         = "tigera-kibana"
	KibanaServiceName      = "tigera-secure-kb-http"

	// NOTE(review): a default of 0 replicas presumably means index data is not
	// replicated unless configured otherwise; confirm, since this affects
	// whether logs survive the loss of a node.
	DefaultElasticsearchClusterName = "cluster"
	DefaultElasticsearchReplicas    = 0

	LogStorageFinalizer = "tigera.io/eck-cleanup"

	EsCuratorName = "elastic-curator"
)
// Names and paths used by the manager component.
const (
	// Namespace, TLS Secret name and the data keys inside that Secret.
	ManagerNamespace        = "tigera-manager"
	ManagerTLSSecretName    = "manager-tls"
	ManagerSecretKeyName    = "key"
	ManagerSecretCertName   = "cert"
	// OIDC configuration name, followed by two values that are filesystem
	// paths under /usr/share/nginx/html even though the identifiers say "URI".
	// NOTE(review): presumably where OIDC discovery documents are placed for
	// an nginx server; confirm only public metadata ends up under these paths.
	ManagerOIDCConfig       = "tigera-manager-oidc-config"
	ManagerOIDCWellknownURI = "/usr/share/nginx/html/.well-known"
	ManagerOIDCJwksURI      = "/usr/share/nginx/html/discovery"

	ElasticsearchManagerUserSecret = "tigera-ee-manager-elasticsearch-access"
)
// ManagementClusterConnection configuration constants.
const (
	VoltronName             = "tigera-voltron"
	// NOTE(review): presumably the Secret passed to Manager as tunnelSecret,
	// holding the management side's tunnel credentials; confirm.
	VoltronTunnelSecretName = "tigera-management-cluster-connection"
)

ManagementClusterConnection configuration constants

// Typha identifiers. The service, port, k8s-app and service-account names all
// share the literal "calico-typha", but each is written out separately rather
// than aliased.
const (
	TyphaServiceName              = "calico-typha"
	TyphaPortName                 = "calico-typha"
	TyphaK8sAppName               = "calico-typha"
	TyphaServiceAccountName       = "calico-typha"
	// AppLabelName is the label key "k8s-app".
	AppLabelName                  = "k8s-app"
	// TyphaPort is the only typed constant in this group (int32).
	TyphaPort               int32 = 5473
)
// Voltron related constants.
const (
	VoltronDnsName     = "voltron"
	// NOTE(review): presumably the modulus size of an RSA key generated for
	// Voltron; the algorithm is not visible here. If it is RSA, 2048 bits is
	// the commonly cited minimum. Confirm the algorithm and whether a larger
	// size is warranted for long-lived keys.
	VoltronKeySizeBits = 2048
)

Voltron related constants.

const (
	// NOTE(review): presumably the ConfigMap behind the bt map[string]string
	// argument of Node and Calico; confirm.
	BirdTemplatesConfigMapName = "bird-templates"
)
// NOTE(review): presumably the name given to the objects rendered by
// AWSSecurityGroupSetup; confirm.
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"
const (
	// TigeraPrometheusNamespace is the namespace name "tigera-prometheus".
	TigeraPrometheusNamespace = "tigera-prometheus"
)

Variables

// Names of the ConfigMap, Secrets and data keys used for Typha/Node TLS.
//
// NOTE(review): unlike the other name groups in this package, these are
// declared with var, not const. They are exported, so any importing package
// can reassign them at run time, which would change which Secret and ConfigMap
// names and keys are used. Confirm whether mutability is intended; if not,
// const would prevent accidental or hostile reassignment.
var (
	TyphaCAConfigMapName = "typha-ca"
	TyphaCABundleName    = "caBundle"
	TyphaTLSSecretName   = "typha-certs"
	NodeTLSSecretName    = "node-certs"
	TLSSecretCertName    = "cert.crt"
	TLSSecretKeyName     = "key.key"
	// NOTE(review): CommonName and URISAN are presumably data keys that record
	// the identity a peer certificate is expected to present; confirm how they
	// are used in verification.
	CommonName           = "common-name"
	URISAN               = "uri-san"
)

Functions

func AnnotationHash added in v1.0.0

func AnnotationHash(i interface{}) string

AnnotationHash generates a hash that can be included in a Deployment or DaemonSet so that a restart/rolling update is triggered when a ConfigMap or Secret is updated.

func CopySecrets added in v1.4.0

func CopySecrets(ns string, oSecrets ...*v1.Secret) []*v1.Secret

func CreateOperatorTLSSecret added in v1.4.0

func CreateOperatorTLSSecret(
	ca *crypto.CA,
	secretName string,
	secretKeyName string,
	secretCertName string,
	dur time.Duration,
	cef []crypto.CertificateExtensionFunc,
	hostnames ...string,
) (*v1.Secret, error)

CreateOperatorTLSSecret creates a new TLS secret from the information passed.

ca: The CA to use for creating the cert/key pair. If nil, a
    self-signed CA will be created.
secretName: The name of the secret.
secretKeyName: The name of the data field that will contain the key.
secretCertName: The name of the data field that will contain the cert.
dur: How long the certificate will be valid.
cef: Certificate extension functions ([]crypto.CertificateExtensionFunc);
    not described in this comment.
hostnames: The first will be used as the CN, and the rest as SANs. If
    no hostnames are provided then "localhost" will be used.

func ElasticsearchContainerDecorate added in v1.0.0

func ElasticsearchContainerDecorate(c corev1.Container, cluster, secret string) corev1.Container

func ElasticsearchContainerDecorateENVVars added in v1.0.0

func ElasticsearchContainerDecorateENVVars(c corev1.Container, cluster, esUserSecretName string) corev1.Container

func ElasticsearchContainerDecorateIndexCreator added in v1.0.2

func ElasticsearchContainerDecorateIndexCreator(c corev1.Container, replicas, shards int) corev1.Container

func ElasticsearchContainerDecorateVolumeMounts added in v1.0.0

func ElasticsearchContainerDecorateVolumeMounts(c corev1.Container) corev1.Container

func ElasticsearchDefaultVolume added in v1.0.0

func ElasticsearchDefaultVolume() corev1.Volume

func ElasticsearchDefaultVolumeMount added in v1.0.0

func ElasticsearchDefaultVolumeMount() corev1.VolumeMount

func ElasticsearchPodSpecDecorate added in v1.0.0

func ElasticsearchPodSpecDecorate(p corev1.PodSpec) corev1.PodSpec

func GetIPv4Pool added in v1.2.0

func GetIPv4Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool

GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.

func GetIPv6Pool added in v1.2.0

func GetIPv6Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool

GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.

func KubeControllers

func KubeControllers(cr *operator.Installation) *kubeControllersComponent

func OperatorNamespace added in v1.0.0

func OperatorNamespace() string

func ParseEndpoint

func ParseEndpoint(endpoint string) (string, string, string, error)

ParseEndpoint parses an endpoint of the form scheme://host:port and returns the components.

func ParseHostPort added in v1.0.0

func ParseHostPort(hostport string) (string, string, error)

func SetTestLogger

func SetTestLogger(l logr.Logger)

Types

type Annotatable added in v1.2.0

// Annotatable is any object whose annotation map can be read and replaced.
// ElasticsearchDecorateAnnotations takes and returns this interface.
type Annotatable interface {
	// SetAnnotations takes the annotation map to store on the object.
	SetAnnotations(map[string]string)
	// GetAnnotations returns the object's annotation map.
	GetAnnotations() map[string]string
}

func ElasticsearchDecorateAnnotations added in v1.2.0

func ElasticsearchDecorateAnnotations(obj Annotatable, config *ElasticsearchClusterConfig, secrets []*corev1.Secret) Annotatable

type Component

// Component is one unit of rendered output: it reports the objects to create
// and delete, and whether it is ready to be created.
type Component interface {
	// Objects returns the lists of objects in this component that should be created and/or deleted during
	// rendering.
	Objects() (objsToCreate, objsToDelete []runtime.Object)

	// Ready returns true if the component is ready to be created.
	Ready() bool
}

func APIServer

func APIServer(installation *operator.Installation, tlsKeyPair *corev1.Secret, pullSecrets []*corev1.Secret, openshift bool, enableAdmissionControllerSupport bool) (Component, error)

func AWSSecurityGroupSetup added in v1.0.0

func AWSSecurityGroupSetup(ps []corev1.LocalObjectReference, installcr *operator.Installation) (Component, error)

func Compliance

func Compliance(
	esSecrets []*corev1.Secret,
	installation *operatorv1.Installation,
	complianceServerCertSecret *corev1.Secret,
	esClusterConfig *ElasticsearchClusterConfig,
	pullSecrets []*corev1.Secret,
	openshift bool,
) (Component, error)

func ConfigMaps added in v1.0.0

func ConfigMaps(cms []*corev1.ConfigMap) Component

func Fluentd added in v1.0.0

func Fluentd(
	lc *operatorv1.LogCollector,
	esSecrets []*corev1.Secret,
	esClusterConfig *ElasticsearchClusterConfig,
	s3C *S3Credential,
	spC *SplunkCredential,
	f *FluentdFilters,
	eksConfig *EksCloudwatchLogConfig,

	pullSecrets []*corev1.Secret,
	installation *operatorv1.Installation,
) Component

func Guardian added in v1.2.0

func Guardian(
	url string,
	pullSecrets []*corev1.Secret,
	openshift bool,
	installation *operatorv1.Installation,
	tunnelSecret *corev1.Secret,
) Component

func IntrusionDetection

func IntrusionDetection(
	esSecrets []*corev1.Secret,
	kibanaCertSecret *corev1.Secret,
	installation *operator.Installation,
	esClusterConfig *ElasticsearchClusterConfig,
	pullSecrets []*corev1.Secret,
	openshift bool,
) Component

func LogStorage added in v1.4.0

func LogStorage(
	logStorage *operatorv1.LogStorage,
	installation *operatorv1.Installation,
	elasticsearch *esv1.Elasticsearch,
	kibana *kbv1.Kibana,
	clusterConfig *ElasticsearchClusterConfig,
	elasticsearchSecrets []*corev1.Secret,
	kibanaSecrets []*corev1.Secret,
	createWebhookSecret bool,
	pullSecrets []*corev1.Secret,
	provider operatorv1.Provider,
	curatorSecrets []*corev1.Secret,
	esService *corev1.Service,
	kbService *corev1.Service,
	clusterDNS string,
	applyTrial bool) Component

Elasticsearch renders the

func Manager added in v1.0.0

func Manager(
	cr *operator.Manager,
	esSecrets []*corev1.Secret,
	kibanaSecrets []*corev1.Secret,
	complianceServerCertSecret *corev1.Secret,
	esClusterConfig *ElasticsearchClusterConfig,
	tlsKeyPair *corev1.Secret,
	pullSecrets []*corev1.Secret,
	openshift bool,
	installation *operator.Installation,
	oidcConfig *corev1.ConfigMap,
	management bool,
	tunnelSecret *corev1.Secret,
) (Component, error)

func Namespaces

func Namespaces(cr *operator.Installation, openshift bool, pullSecrets []*corev1.Secret) Component

func Node

func Node(cr *operator.Installation, p operator.Provider, nc NetworkConfig, bt map[string]string, tnTLS *TyphaNodeTLS, migrate bool) Component

Node creates the node daemonset and other resources for the daemonset to operate normally.

func PriorityClassDefinitions

func PriorityClassDefinitions(cr *operator.Installation) Component

func Secrets added in v1.0.0

func Secrets(secrets []*corev1.Secret) Component

func Typha added in v1.0.0

func Typha(cr *operator.Installation, p operator.Provider, tnTLS *TyphaNodeTLS, migrationNeeded bool) Component

Typha creates the typha daemonset and other resources for the daemonset to operate normally.

type EksCloudwatchLogConfig added in v1.0.0

// EksCloudwatchLogConfig carries the settings passed to Fluentd as eksConfig.
//
// NOTE(review): AwsId and AwsKey are presumably an AWS access key ID and
// secret access key (compare EksLogForwarderAwsId and EksLogForwarderAwsKey).
// They are plain byte slices, so formatting the struct with %v or %+v prints
// their contents; keep values of this type out of logs and error messages.
type EksCloudwatchLogConfig struct {
	AwsId         []byte
	AwsKey        []byte
	AwsRegion     string
	GroupName     string
	StreamPrefix  string
	FetchInterval int32 // NOTE(review): unit is not shown in this listing; confirm
}

type ElasticsearchClusterConfig added in v1.2.0

// ElasticsearchClusterConfig holds Elasticsearch cluster settings. Its fields
// are unexported; values are read through the ClusterName, Replicas, Shards
// and Annotation methods and set through NewElasticsearchClusterConfig or
// NewElasticsearchClusterConfigFromConfigMap.
type ElasticsearchClusterConfig struct {
	// contains filtered or unexported fields
}

func NewElasticsearchClusterConfig added in v1.2.0

func NewElasticsearchClusterConfig(clusterName string, replicas int, shards int) *ElasticsearchClusterConfig

func NewElasticsearchClusterConfigFromConfigMap added in v1.2.0

func NewElasticsearchClusterConfigFromConfigMap(configMap *corev1.ConfigMap) (*ElasticsearchClusterConfig, error)

func (ElasticsearchClusterConfig) Annotation added in v1.2.0

func (c ElasticsearchClusterConfig) Annotation() string

func (ElasticsearchClusterConfig) ClusterName added in v1.2.0

func (c ElasticsearchClusterConfig) ClusterName() string

func (ElasticsearchClusterConfig) ConfigMap added in v1.2.0

func (ElasticsearchClusterConfig) Replicas added in v1.2.0

func (c ElasticsearchClusterConfig) Replicas() int

func (ElasticsearchClusterConfig) Shards added in v1.2.0

func (c ElasticsearchClusterConfig) Shards() int

type FluentdFilters added in v1.0.0

// FluentdFilters carries the two filter strings passed to Fluentd.
// NOTE(review): Flow and DNS presumably correspond to the "flow" and "dns"
// keys of the fluentd-filters ConfigMap (FluentdFilterFlowName and
// FluentdFilterDNSName). Whether their content is validated before it reaches
// fluentd's configuration is not visible here; confirm.
type FluentdFilters struct {
	Flow string
	DNS  string
}

type GuardianComponent added in v1.2.0

// GuardianComponent has only unexported fields. Its pointer type provides
// Objects and Ready, the two methods that make up the Component interface.
type GuardianComponent struct {
	// contains filtered or unexported fields
}

func (*GuardianComponent) Objects added in v1.2.0

func (c *GuardianComponent) Objects() ([]runtime.Object, []runtime.Object)

func (*GuardianComponent) Ready added in v1.2.0

func (c *GuardianComponent) Ready() bool

type NetworkConfig added in v1.0.0

// NetworkConfig is the network configuration passed to Node and Calico.
type NetworkConfig struct {
	// CNI is a free-form string.
	// NOTE(review): presumably CNICalico or CNINone; confirm where it is
	// validated.
	CNI                  string
	// NOTE(review): the effect of NodenameFileOptional is not shown in this
	// listing.
	NodenameFileOptional bool
	IPPools              []operatorv1.IPPool
}

type Renderer

// A Renderer is capable of generating components to be installed on the
// cluster.
type Renderer interface {
	// Render returns the components as a slice of Component values.
	Render() []Component
}

A Renderer is capable of generating components to be installed on the cluster.

func Calico

func Calico(
	cr *operator.Installation,
	pullSecrets []*corev1.Secret,
	typhaNodeTLS *TyphaNodeTLS,
	bt map[string]string,
	p operator.Provider,
	nc NetworkConfig,
	up bool,
) (Renderer, error)

type S3Credential added in v1.0.0

// S3Credential is the credential pair passed to Fluentd as s3C.
//
// NOTE(review): KeyId and KeySecret presumably hold an S3 access key ID and
// secret (compare S3KeyIdName and S3KeySecretName). They are plain byte
// slices, so formatting the struct with %v or %+v prints their contents; keep
// values of this type out of logs and error messages.
type S3Credential struct {
	KeyId     []byte
	KeySecret []byte
}

type SplunkCredential added in v1.4.0

// SplunkCredential is the Splunk material passed to Fluentd as spC.
//
// NOTE(review): Token is presumably the Splunk token stored under
// SplunkFluentdSecretTokenKey, and Certificate the CA certificate stored under
// SplunkFluentdSecretCertificateKey. Token is a plain byte slice, so
// formatting the struct with %v or %+v prints it; keep values of this type out
// of logs and error messages.
type SplunkCredential struct {
	Token       []byte
	Certificate []byte
}

type TyphaNodeTLS added in v1.0.0

// TyphaNodeTLS bundles the TLS objects passed to Node, Typha and Calico: one
// ConfigMap and two Secrets.
// NOTE(review): presumably the CA bundle plus separate key pairs for Typha and
// for Node (compare TyphaCAConfigMapName, TyphaTLSSecretName and
// NodeTLSSecretName). Both Secrets travel together in one value, so confirm
// each rendered workload mounts only its own Secret.
type TyphaNodeTLS struct {
	CAConfigMap *corev1.ConfigMap
	TyphaSecret *corev1.Secret
	NodeSecret  *corev1.Secret
}
