Documentation ¶
Overview ¶
This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.
Index ¶
- Constants
- Variables
- func AnnotationHash(i interface{}) string
- func CopySecrets(ns string, oSecrets ...*v1.Secret) []*v1.Secret
- func CreateOperatorTLSSecret(ca *crypto.CA, secretName string, secretKeyName string, secretCertName string, ...) (*v1.Secret, error)
- func ElasticsearchContainerDecorate(c corev1.Container, cluster, secret string) corev1.Container
- func ElasticsearchContainerDecorateENVVars(c corev1.Container, cluster, esUserSecretName string) corev1.Container
- func ElasticsearchContainerDecorateIndexCreator(c corev1.Container, replicas, shards int) corev1.Container
- func ElasticsearchContainerDecorateVolumeMounts(c corev1.Container) corev1.Container
- func ElasticsearchDefaultVolume() corev1.Volume
- func ElasticsearchDefaultVolumeMount() corev1.VolumeMount
- func ElasticsearchPodSpecDecorate(p corev1.PodSpec) corev1.PodSpec
- func GetIPv4Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
- func GetIPv6Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
- func KubeControllers(cr *operator.Installation) *kubeControllersComponent
- func OperatorNamespace() string
- func ParseEndpoint(endpoint string) (string, string, string, error)
- func ParseHostPort(hostport string) (string, string, error)
- func SetTestLogger(l logr.Logger)
- type Annotatable
- type Component
- func APIServer(installation *operator.Installation, tlsKeyPair *corev1.Secret, ...) (Component, error)
- func AWSSecurityGroupSetup(ps []corev1.LocalObjectReference, installcr *operator.Installation) (Component, error)
- func Compliance(esSecrets []*corev1.Secret, installation *operatorv1.Installation, ...) (Component, error)
- func ConfigMaps(cms []*corev1.ConfigMap) Component
- func Fluentd(lc *operatorv1.LogCollector, esSecrets []*corev1.Secret, ...) Component
- func Guardian(url string, pullSecrets []*corev1.Secret, openshift bool, ...) Component
- func IntrusionDetection(esSecrets []*corev1.Secret, kibanaCertSecret *corev1.Secret, ...) Component
- func LogStorage(logStorage *operatorv1.LogStorage, installation *operatorv1.Installation, ...) Component
- func Manager(cr *operator.Manager, esSecrets []*corev1.Secret, ...) (Component, error)
- func Namespaces(cr *operator.Installation, openshift bool, pullSecrets []*corev1.Secret) Component
- func Node(cr *operator.Installation, p operator.Provider, nc NetworkConfig, ...) Component
- func PriorityClassDefinitions(cr *operator.Installation) Component
- func Secrets(secrets []*corev1.Secret) Component
- func Typha(cr *operator.Installation, p operator.Provider, tnTLS *TyphaNodeTLS, ...) Component
- type EksCloudwatchLogConfig
- type ElasticsearchClusterConfig
- type FluentdFilters
- type GuardianComponent
- type NetworkConfig
- type Renderer
- type S3Credential
- type SplunkCredential
- type TyphaNodeTLS
Constants ¶
const ( APIServerNamespace = "tigera-system" APIServerTLSSecretName = "tigera-apiserver-certs" APIServerSecretKeyName = "apiserver.key" APIServerSecretCertName = "apiserver.crt" )
const ( Optional = true DefaultCertificateDuration = 100 * 365 * 24 * time.Hour )
const ( ComplianceNamespace = "tigera-compliance" ComplianceServerName = "compliance-server" ComplianceControllerName = "compliance-controller" ComplianceSnapshotterName = "compliance-snapshotter" )
const ( ElasticsearchComplianceBenchmarkerUserSecret = "tigera-ee-compliance-benchmarker-elasticsearch-access" ElasticsearchComplianceControllerUserSecret = "tigera-ee-compliance-controller-elasticsearch-access" ElasticsearchComplianceReporterUserSecret = "tigera-ee-compliance-reporter-elasticsearch-access" ElasticsearchComplianceSnapshotterUserSecret = "tigera-ee-compliance-snapshotter-elasticsearch-access" ElasticsearchComplianceServerUserSecret = "tigera-ee-compliance-server-elasticsearch-access" ElasticsearchCuratorUserSecret = "tigera-ee-curator-elasticsearch-access" ComplianceServerCertSecret = "tigera-compliance-server-tls" ComplianceServerCertName = "tls.crt" ComplianceServerKeyName = "tls.key" )
const ( CNICalico = "calico" CNINone = "none" )
const ( ElasticsearchDefaultCertDir = "/etc/ssl/elastic/" ElasticsearchDefaultCertPath = ElasticsearchDefaultCertDir + "ca.pem" TigeraElasticsearchCertSecret = "tigera-secure-elasticsearch-cert" ElasticsearchPublicCertSecret = "tigera-secure-es-http-certs-public" )
const ( LogCollectorNamespace = "tigera-fluentd" FluentdFilterConfigMapName = "fluentd-filters" FluentdFilterFlowName = "flow" FluentdFilterDNSName = "dns" S3FluentdSecretName = "log-collector-s3-credentials" S3KeyIdName = "key-id" S3KeySecretName = "key-secret" ElasticsearchLogCollectorUserSecret = "tigera-fluentd-elasticsearch-access" ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access" EksLogForwarderSecret = "tigera-eks-log-forwarder-secret" EksLogForwarderAwsId = "aws-id" EksLogForwarderAwsKey = "aws-key" SplunkFluentdTokenSecretName = "logcollector-splunk-credentials" SplunkFluentdSecretTokenKey = "token" SplunkFluentdCertificateSecretName = "logcollector-splunk-public-certificate" SplunkFluentdSecretCertificateKey = "ca.pem" SplunkFluentdSecretsVolName = "splunk-certificates" SplunkFluentdDefaultCertDir = "/etc/ssl/splunk/" SplunkFluentdDefaultCertPath = SplunkFluentdDefaultCertDir + SplunkFluentdSecretCertificateKey )
const ( GuardianName = "tigera-guardian" GuardianNamespace = GuardianName GuardianServiceAccountName = GuardianName GuardianClusterRoleName = GuardianName GuardianClusterRoleBindingName = GuardianName GuardianDeploymentName = GuardianName GuardianServiceName = "tigera-guardian" GuardianVolumeName = "tigera-guardian-certs" GuardianSecretName = "tigera-managed-cluster-connection" )
The names of the components related to the Guardian related rendered objects.
const ( IntrusionDetectionNamespace = "tigera-intrusion-detection" ElasticsearchIntrusionDetectionUserSecret = "tigera-ee-intrusion-detection-elasticsearch-access" ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access" IntrusionDetectionInstallerJobName = "intrusion-detection-es-job-installer" )
const ( ECKOperatorName = "elastic-operator" ECKOperatorNamespace = "tigera-eck-operator" ECKWebhookSecretName = "elastic-webhook-server-cert" ECKWebhookName = "elastic-webhook-server" ECKEnterpriseTrial = "eck-trial-license" ECKWebhookConfiguration = "elastic-webhook.k8s.elastic.co" ElasticsearchStorageClass = "tigera-elasticsearch" ElasticsearchNamespace = "tigera-elasticsearch" ElasticsearchHTTPURL = "tigera-secure-es-http.tigera-elasticsearch.svc" ElasticsearchHTTPSEndpoint = "https://tigera-secure-es-http.tigera-elasticsearch.svc:9200" ElasticsearchName = "tigera-secure" ElasticsearchConfigMapName = "tigera-secure-elasticsearch" ElasticsearchServiceName = "tigera-secure-es-http" KibanaHTTPURL = "tigera-secure-kb-http.tigera-kibana.svc" KibanaHTTPSEndpoint = "https://tigera-secure-kb-http.tigera-kibana.svc:5601" KibanaName = "tigera-secure" KibanaNamespace = "tigera-kibana" KibanaPublicCertSecret = "tigera-secure-kb-http-certs-public" TigeraKibanaCertSecret = "tigera-secure-kibana-cert" KibanaDefaultCertPath = "/etc/ssl/kibana/ca.pem" KibanaBasePath = "tigera-kibana" KibanaServiceName = "tigera-secure-kb-http" DefaultElasticsearchClusterName = "cluster" DefaultElasticsearchReplicas = 0 LogStorageFinalizer = "tigera.io/eck-cleanup" EsCuratorName = "elastic-curator" )
const ( ManagerNamespace = "tigera-manager" ManagerTLSSecretName = "manager-tls" ManagerSecretKeyName = "key" ManagerSecretCertName = "cert" ManagerOIDCConfig = "tigera-manager-oidc-config" ManagerOIDCWellknownURI = "/usr/share/nginx/html/.well-known" ManagerOIDCJwksURI = "/usr/share/nginx/html/discovery" ElasticsearchManagerUserSecret = "tigera-ee-manager-elasticsearch-access" )
const ( VoltronName = "tigera-voltron" VoltronTunnelSecretName = "tigera-management-cluster-connection" )
ManagementClusterConnection configuration constants
const ( TyphaServiceName = "calico-typha" TyphaPortName = "calico-typha" TyphaK8sAppName = "calico-typha" TyphaServiceAccountName = "calico-typha" AppLabelName = "k8s-app" TyphaPort int32 = 5473 )
const ( VoltronDnsName = "voltron" VoltronKeySizeBits = 2048 )
Voltron related constants.
const (
BirdTemplatesConfigMapName = "bird-templates"
)
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"
const (
TigeraPrometheusNamespace = "tigera-prometheus"
)
Variables ¶
var ( TyphaCAConfigMapName = "typha-ca" TyphaCABundleName = "caBundle" TyphaTLSSecretName = "typha-certs" NodeTLSSecretName = "node-certs" TLSSecretCertName = "cert.crt" TLSSecretKeyName = "key.key" CommonName = "common-name" URISAN = "uri-san" )
Functions ¶
func AnnotationHash ¶ added in v1.0.0
func AnnotationHash(i interface{}) string
AnnotationHash is to generate a hash that can be included in a Deployment or DaemonSet to trigger a restart/rolling update when a ConfigMap or Secret is updated.
func CreateOperatorTLSSecret ¶ added in v1.4.0
func CreateOperatorTLSSecret( ca *crypto.CA, secretName string, secretKeyName string, secretCertName string, dur time.Duration, cef []crypto.CertificateExtensionFunc, hostnames ...string, ) (*v1.Secret, error)
CreateOperatorTLSSecret Creates a new TLS secret with the information passed
ca: The ca to use for creating the Cert/Key pair. If nil then a self-signed CA will be created secretName: The name of the secret. secretKeyName: The name of the data field that will contain the key. secretCertName: The name of the data field that will contain the cert. dur: How long the certificate will be valid. hostnames: The first will be used as the CN, and the rest as SANs. If no hostnames are provided then "localhost" will be used.
func ElasticsearchContainerDecorate ¶ added in v1.0.0
func ElasticsearchContainerDecorateENVVars ¶ added in v1.0.0
func ElasticsearchContainerDecorateIndexCreator ¶ added in v1.0.2
func ElasticsearchContainerDecorateVolumeMounts ¶ added in v1.0.0
func ElasticsearchDefaultVolume ¶ added in v1.0.0
func ElasticsearchDefaultVolumeMount ¶ added in v1.0.0
func ElasticsearchDefaultVolumeMount() corev1.VolumeMount
func ElasticsearchPodSpecDecorate ¶ added in v1.0.0
func GetIPv4Pool ¶ added in v1.2.0
func GetIPv4Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
GetIPv4Pool returns the IPv4 IPPool in an instalation, or nil if one can't be found.
func GetIPv6Pool ¶ added in v1.2.0
func GetIPv6Pool(cn *operator.CalicoNetworkSpec) *operator.IPPool
GetIPv6Pool returns the IPv6 IPPool in an instalation, or nil if one can't be found.
func KubeControllers ¶
func KubeControllers(cr *operator.Installation) *kubeControllersComponent
func OperatorNamespace ¶ added in v1.0.0
func OperatorNamespace() string
func ParseEndpoint ¶
ParseEndpoint parses an endpoint of the form scheme://host:port and returns the components.
func SetTestLogger ¶
Types ¶
type Annotatable ¶ added in v1.2.0
func ElasticsearchDecorateAnnotations ¶ added in v1.2.0
func ElasticsearchDecorateAnnotations(obj Annotatable, config *ElasticsearchClusterConfig, secrets []*corev1.Secret) Annotatable
type Component ¶
type Component interface { // Objects returns the lists of objects in this component that should be created and/or deleted during // rendering. Objects() (objsToCreate, objsToDelete []runtime.Object) // Ready returns true if the component is ready to be created. Ready() bool }
func AWSSecurityGroupSetup ¶ added in v1.0.0
func AWSSecurityGroupSetup(ps []corev1.LocalObjectReference, installcr *operator.Installation) (Component, error)
func Compliance ¶
func Compliance( esSecrets []*corev1.Secret, installation *operatorv1.Installation, complianceServerCertSecret *corev1.Secret, esClusterConfig *ElasticsearchClusterConfig, pullSecrets []*corev1.Secret, openshift bool, ) (Component, error)
func ConfigMaps ¶ added in v1.0.0
func Fluentd ¶ added in v1.0.0
func Fluentd( lc *operatorv1.LogCollector, esSecrets []*corev1.Secret, esClusterConfig *ElasticsearchClusterConfig, s3C *S3Credential, spC *SplunkCredential, f *FluentdFilters, eksConfig *EksCloudwatchLogConfig, pullSecrets []*corev1.Secret, installation *operatorv1.Installation, ) Component
func Guardian ¶ added in v1.2.0
func Guardian( url string, pullSecrets []*corev1.Secret, openshift bool, installation *operatorv1.Installation, tunnelSecret *corev1.Secret, ) Component
func IntrusionDetection ¶
func LogStorage ¶ added in v1.4.0
func LogStorage( logStorage *operatorv1.LogStorage, installation *operatorv1.Installation, elasticsearch *esv1.Elasticsearch, kibana *kbv1.Kibana, clusterConfig *ElasticsearchClusterConfig, elasticsearchSecrets []*corev1.Secret, kibanaSecrets []*corev1.Secret, createWebhookSecret bool, pullSecrets []*corev1.Secret, provider operatorv1.Provider, curatorSecrets []*corev1.Secret, esService *corev1.Service, kbService *corev1.Service, clusterDNS string, applyTrial bool) Component
Elasticsearch renders the
func Manager ¶ added in v1.0.0
func Manager( cr *operator.Manager, esSecrets []*corev1.Secret, kibanaSecrets []*corev1.Secret, complianceServerCertSecret *corev1.Secret, esClusterConfig *ElasticsearchClusterConfig, tlsKeyPair *corev1.Secret, pullSecrets []*corev1.Secret, openshift bool, installation *operator.Installation, oidcConfig *corev1.ConfigMap, management bool, tunnelSecret *corev1.Secret, ) (Component, error)
func Namespaces ¶
func Node ¶
func Node(cr *operator.Installation, p operator.Provider, nc NetworkConfig, bt map[string]string, tnTLS *TyphaNodeTLS, migrate bool) Component
Node creates the node daemonset and other resources for the daemonset to operate normally.
func PriorityClassDefinitions ¶
func PriorityClassDefinitions(cr *operator.Installation) Component
func Typha ¶ added in v1.0.0
func Typha(cr *operator.Installation, p operator.Provider, tnTLS *TyphaNodeTLS, migrationNeeded bool) Component
Typha creates the typha daemonset and other resources for the daemonset to operate normally.
type EksCloudwatchLogConfig ¶ added in v1.0.0
type ElasticsearchClusterConfig ¶ added in v1.2.0
type ElasticsearchClusterConfig struct {
// contains filtered or unexported fields
}
func NewElasticsearchClusterConfig ¶ added in v1.2.0
func NewElasticsearchClusterConfig(clusterName string, replicas int, shards int) *ElasticsearchClusterConfig
func NewElasticsearchClusterConfigFromConfigMap ¶ added in v1.2.0
func NewElasticsearchClusterConfigFromConfigMap(configMap *corev1.ConfigMap) (*ElasticsearchClusterConfig, error)
func (ElasticsearchClusterConfig) Annotation ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) Annotation() string
func (ElasticsearchClusterConfig) ClusterName ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) ClusterName() string
func (ElasticsearchClusterConfig) ConfigMap ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) ConfigMap() *corev1.ConfigMap
func (ElasticsearchClusterConfig) Replicas ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) Replicas() int
func (ElasticsearchClusterConfig) Shards ¶ added in v1.2.0
func (c ElasticsearchClusterConfig) Shards() int
type FluentdFilters ¶ added in v1.0.0
type GuardianComponent ¶ added in v1.2.0
type GuardianComponent struct {
// contains filtered or unexported fields
}
func (*GuardianComponent) Objects ¶ added in v1.2.0
func (c *GuardianComponent) Objects() ([]runtime.Object, []runtime.Object)
func (*GuardianComponent) Ready ¶ added in v1.2.0
func (c *GuardianComponent) Ready() bool
type NetworkConfig ¶ added in v1.0.0
type NetworkConfig struct { CNI string NodenameFileOptional bool IPPools []operatorv1.IPPool }
type Renderer ¶
type Renderer interface {
Render() []Component
}
A Renderer is capable of generating components to be installed on the cluster.
func Calico ¶
func Calico( cr *operator.Installation, pullSecrets []*corev1.Secret, typhaNodeTLS *TyphaNodeTLS, bt map[string]string, p operator.Provider, nc NetworkConfig, up bool, ) (Renderer, error)
type S3Credential ¶ added in v1.0.0
type SplunkCredential ¶ added in v1.4.0
Source Files ¶
- apiserver.go
- aws-securitygroup-setup.go
- common.go
- compliance.go
- config.go
- configmap.go
- elasticsearch_decorator.go
- elasticsearchclusterconfig.go
- fluentd.go
- guardian.go
- intrusion_detection.go
- kube-controllers.go
- logstorage.go
- manager.go
- namespaces.go
- node.go
- priority_class.go
- render.go
- secrets.go
- typha.go
- voltron_secret.go