- Constants
- Variables
- func Authn(perm string, w http.ResponseWriter, r *http.Request) (string, error)
- func BasicAuthCheck(username, password string) bool
- func BasicAuthzCheck(username, perm string) bool
- func CreateRMDataTask(clusterName, replicaName, taskName string, ...) error
- func FindStandbyClusters(clusterList crv1.PgclusterList) (standbyClusters []string)
- func GetBackrestStorageTypes() []string
- func GetNamespace(clientset kubernetes.Interface, username, requestedNS string) (string, error)
- func GetPasswordType(passwordTypeStr string) (pgpassword.PasswordType, error)
- func Initialize()
- func IsValidPVC(pvcName, ns string) bool
- func IsValidStorageName(name string) bool
- func NamespaceOperatingMode() ns.NamespaceOperatingMode
- func NewCertEnforcer(reqRoutes []string) (*certEnforcer, error)
- func PGClusterListHasStandby(clusterList crv1.PgclusterList) (bool, []string)
- func UserIsPermittedInNamespace(username, requestedNS string) (bool, bool, error)
- func ValidateLabel(labelStr string) (map[string]string, error)
- func ValidateNodeLabel(nodeLabel string) error
- func ValidateQuantity(quantity string) error
- func ValidateResourceRequestLimit(request, limit string, defaultQuantity resource.Quantity) error
- func WriteTLSCert(certPath, keyPath string) error
- type CredentialDetail
Constants ¶
// Format strings for the standard validation error messages produced by the
// apiserver. Each one is intended to be passed to a fmt-style function with
// the arguments named in its comment.
const (
	// ErrMessageLimitInvalid indicates that a limit is lower than the request.
	// Arguments: the limit, then the request (both quoted with %q).
	ErrMessageLimitInvalid = `limit %q is lower than the request %q`
	// ErrMessagePVCSize provides a standard error message when a PVCSize is not
	// specified to the Kubernetes standard.
	// Arguments: the offending size string, then the parse error text.
	ErrMessagePVCSize = `could not parse PVC size "%s": %s (hint: try a value like "1Gi")`
	// ErrMessageReplicas provides a standard error message when the count of
	// replicas is incorrect.
	// Argument: the minimum number of replicas required.
	ErrMessageReplicas = `must have at least %d replica(s)`
)
// The constants below contain the "apiserver RBAC permissions": the permission
// names that an Operator user must hold to invoke the corresponding API
// routes. They are split into one group per verb family to make the
// organization easier to follow as the system evolves.
//
// NOTE(review): the value strings are not uniformly cased (for example
// "CreatePgbouncer" vs. "ShowPgBouncer" / "UpdatePgBouncer"). If these names
// are compared exactly against role definitions, that inconsistency is easy to
// trip over when writing roles by hand — verify how the comparison is done.

// Miscellaneous permissions that do not fit a single verb family.
const (
	APPLY_POLICY_PERM = "ApplyPolicy"
	CAT_PERM          = "Cat"
	CLONE_PERM        = "Clone"
	DF_CLUSTER_PERM   = "DfCluster"
	LABEL_PERM        = "Label"
	RELOAD_PERM       = "Reload"
	RESTART_PERM      = "Restart"
	RESTORE_PERM      = "Restore"
	STATUS_PERM       = "Status"
	TEST_CLUSTER_PERM = "TestCluster"
	VERSION_PERM      = "Version"
)

// CREATE permissions.
const (
	CREATE_BACKUP_PERM    = "CreateBackup"
	CREATE_CLUSTER_PERM   = "CreateCluster"
	CREATE_DUMP_PERM      = "CreateDump"
	CREATE_FAILOVER_PERM  = "CreateFailover"
	CREATE_NAMESPACE_PERM = "CreateNamespace"
	CREATE_PGADMIN_PERM   = "CreatePgAdmin"
	CREATE_PGBOUNCER_PERM = "CreatePgbouncer"
	CREATE_PGOUSER_PERM   = "CreatePgouser"
	CREATE_PGOROLE_PERM   = "CreatePgorole"
	CREATE_POLICY_PERM    = "CreatePolicy"
	CREATE_SCHEDULE_PERM  = "CreateSchedule"
	CREATE_UPGRADE_PERM   = "CreateUpgrade"
	CREATE_USER_PERM      = "CreateUser"
)

// RESTORE permissions.
const (
	RESTORE_DUMP_PERM = "RestoreDump"
)

// DELETE permissions.
const (
	DELETE_BACKUP_PERM    = "DeleteBackup"
	DELETE_CLUSTER_PERM   = "DeleteCluster"
	DELETE_NAMESPACE_PERM = "DeleteNamespace"
	DELETE_PGADMIN_PERM   = "DeletePgAdmin"
	DELETE_PGBOUNCER_PERM = "DeletePgbouncer"
	DELETE_PGOROLE_PERM   = "DeletePgorole"
	DELETE_PGOUSER_PERM   = "DeletePgouser"
	DELETE_POLICY_PERM    = "DeletePolicy"
	DELETE_SCHEDULE_PERM  = "DeleteSchedule"
	DELETE_USER_PERM      = "DeleteUser"
)

// SHOW permissions. These are read-only in intent, but note that
// SHOW_SECRETS_PERM and SHOW_SYSTEM_ACCOUNTS_PERM expose credential material
// and should be granted as sparingly as the mutating permissions.
const (
	SHOW_BACKUP_PERM          = "ShowBackup"
	SHOW_CLUSTER_PERM         = "ShowCluster"
	SHOW_CONFIG_PERM          = "ShowConfig"
	SHOW_NAMESPACE_PERM       = "ShowNamespace"
	SHOW_PGADMIN_PERM         = "ShowPgAdmin"
	SHOW_PGBOUNCER_PERM       = "ShowPgBouncer"
	SHOW_PGOROLE_PERM         = "ShowPgorole"
	SHOW_PGOUSER_PERM         = "ShowPgouser"
	SHOW_POLICY_PERM          = "ShowPolicy"
	SHOW_PVC_PERM             = "ShowPVC"
	SHOW_SCHEDULE_PERM        = "ShowSchedule"
	SHOW_SECRETS_PERM         = "ShowSecrets"
	SHOW_SYSTEM_ACCOUNTS_PERM = "ShowSystemAccounts"
	SHOW_USER_PERM            = "ShowUser"
	SHOW_WORKFLOW_PERM        = "ShowWorkflow"
)

// SCALE permissions.
const (
	SCALE_CLUSTER_PERM = "ScaleCluster"
)

// UPDATE permissions.
const (
	UPDATE_CLUSTER_PERM   = "UpdateCluster"
	UPDATE_NAMESPACE_PERM = "UpdateNamespace"
	UPDATE_PGBOUNCER_PERM = "UpdatePgBouncer"
	UPDATE_PGOROLE_PERM   = "UpdatePgorole"
	UPDATE_PGOUSER_PERM   = "UpdatePgouser"
	UPDATE_USER_PERM      = "UpdateUser"
)
The constants below contain the "apiserver RBAC permissions" -- this was reorganized to make it slightly more organized as we continue to evolve the system.
// PGOSecretName is the name of the Secret that holds the apiserver's TLS
// certificate and key; WriteTLSCert reads from (or populates) this Secret.
const PGOSecretName = "pgo.tls"

// TreeBranch is for debugging only in this context: the box-drawing prefix
// used for a non-final entry when printing a tree.
const TreeBranch = "├── "
TreeBranch is for debugging only in this context
// TreeTrunk is for debugging only in this context: the box-drawing prefix
// used for the final entry when printing a tree.
const TreeTrunk = "└── "
TreeTrunk is for debugging only in this context
// VERSION_MISMATCH_ERROR is the message reported when the pgo client and the
// apiserver are not running the same version.
const VERSION_MISMATCH_ERROR = "pgo client and server version mismatch"
Variables ¶
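// Sentinel errors shared by the apiserver handlers.
var (
	// ErrDBContainerNotFound is an error that indicates that a "database" container
	// could not be found in a specific pod.
	ErrDBContainerNotFound = errors.New("\"database\" container not found in pod")
	// ErrLabelInvalid indicates that a label is invalid.
	ErrLabelInvalid = errors.New("invalid label")
	// ErrPasswordTypeInvalid is used when a string that's not included in
	// PasswordTypeStrings is used.
	ErrPasswordTypeInvalid = errors.New("invalid password type. choices are (md5, scram-sha-256)")
	// ErrStandbyNotAllowed contains the error message returned when an API call is not
	// permitted because it involves a cluster that is in standby mode.
	ErrStandbyNotAllowed = errors.New("Action not permitted because standby mode is enabled")
	// ErrMethodNotAllowed represents the error that is thrown when a feature is disabled within the
	// current Operator install. The message is user-facing (it is what the pgo
	// client shows), so the stray "has is" in the original text was corrected.
	ErrMethodNotAllowed = errors.New("This method is not allowed in the current PostgreSQL " +
		"Operator installation")
)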
// Package-level Kubernetes client state, populated at startup (presumably by
// Initialize — confirm) and shared by the handlers.
var (
	// Clientset is a client for Kubernetes resources.
	Clientset kubeapi.Interface
	// RESTConfig holds the REST configuration for a Kube client.
	RESTConfig *rest.Config
)
// AuditFlag if set to true will cause auditing to occur in the logs.
var AuditFlag bool
AuditFlag if set to true will cause auditing to occur in the logs
// BasicAuth comes from the apiserver config. When true, Authn performs HTTP
// Basic Authentication against the caller (see Authn).
var BasicAuth bool
BasicAuth comes from the apiserver config
// CRUNCHY_DEBUG is a package-level debug toggle. NOTE(review): its exact
// effect and how it differs from DebugFlag are not documented here — confirm.
var CRUNCHY_DEBUG bool

// DebugFlag is the debug flag value.
var DebugFlag bool
DebugFlag is the debug flag value
// InstallationName identifies this Operator installation. NOTE(review):
// presumably the value used to decide whether a namespace "belongs to this
// Operator installation" (see UserIsPermittedInNamespace) — confirm.
var InstallationName string

// MetricsFlag if set to true will cause crunchy-postgres-exporter to be added
// into new clusters. BadgerFlag is not documented here; presumably it toggles
// the pgbadger sidecar in the same way — confirm.
var MetricsFlag, BadgerFlag bool
MetricsFlag if set to true will cause crunchy-postgres-exporter to be added into new clusters
// PermMap holds permission names. NOTE(review): presumably keyed by the
// *_PERM constant values and consulted by BasicAuthzCheck — confirm against
// the loader.
var PermMap map[string]string

// Pgo holds the apiserver configuration.
var Pgo config.PgoConfig

// PgoNamespace comes from the apiserver config in this version.
var PgoNamespace string
Namespace comes from the apiserver config in this version
// RoleMap maps a role name to its permission set. NOTE(review): the inner map's
// key/value meaning is not documented here — confirm against the role loader
// before relying on it.
var RoleMap map[string]map[string]string
Functions ¶
func Authn ¶
Authn performs HTTP Basic Authentication against a user if "BasicAuth" is set to "true" (which it is by default).
It also performs Authorization (Authz) against the user that is attempting to authenticate; as such, to truly "authenticate/authorize," one needs at least a valid Operator User account.
func BasicAuthCheck ¶
func BasicAuthzCheck ¶
func CreateRMDataTask ¶
func FindStandbyClusters ¶
func FindStandbyClusters(clusterList crv1.PgclusterList) (standbyClusters []string)
FindStandbyClusters takes a list of pgcluster structs and returns a slice containing the names of those clusters that are in standby mode, as indicated by the standby parameter in the pgcluster spec being true.
func GetBackrestStorageTypes ¶
func GetBackrestStorageTypes() []string
func GetNamespace ¶
func GetNamespace(clientset kubernetes.Interface, username, requestedNS string) (string, error)
GetNamespace determines if a user has permission for the namespace they are requesting. A valid requested namespace is required.
func GetPasswordType ¶
func GetPasswordType(passwordTypeStr string) (pgpassword.PasswordType, error)
GetPasswordType returns the enumerated password type based on the string, and an error if it cannot match one
func Initialize ¶
func Initialize()
func IsValidPVC ¶
IsValidPVC determines if a PVC with the name provided exists.
func IsValidStorageName ¶
func NamespaceOperatingMode ¶
func NamespaceOperatingMode() ns.NamespaceOperatingMode
NamespaceOperatingMode returns the namespace operating mode for the current Operator installation, which is stored in the "namespaceOperatingMode" variable
func NewCertEnforcer ¶
NewCertEnforcer ensures a certEnforcer is created with skipped routes and validates that the configured routes are allowed
func PGClusterListHasStandby ¶
func PGClusterListHasStandby(clusterList crv1.PgclusterList) (bool, []string)
PGClusterListHasStandby determines if a PgclusterList has any standby clusters, specifically returning "true" if one or more standby clusters exist, along with a slice of strings containing the names of the clusters in standby mode
func UserIsPermittedInNamespace ¶
UserIsPermittedInNamespace returns installation access and user access. Installation access means a namespace belongs to this Operator installation. User access means this user has access to a namespace.
func ValidateLabel ¶
ValidateLabel is derived from a legacy method and validates if the input is a valid Kubernetes label.
A label is composed of a key and value.
The key can either be a name or have an optional prefix that is terminated by a "/", e.g. "prefix/name".
The name must be a valid DNS 1123 value. The prefix must be a valid DNS 1123 subdomain.
The value can be validated by machinery provided by Kubernetes.
Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
func ValidateNodeLabel ¶
ValidateNodeLabel returns error if node label is invalid based on format
func ValidateQuantity ¶
ValidateQuantity runs the Kubernetes "ParseQuantity" function on a string and determines whether or not it is a valid quantity object. Returns an error if it is invalid, along with the error message.
If it is empty, it returns no error.
See: https://github.com/kubernetes/apimachinery/blob/master/pkg/api/resource/quantity.go
func ValidateResourceRequestLimit ¶
ValidateResourceRequestLimit validates that a Kubernetes Requests/Limit pair is valid, both by validating that the values are valid quantity values, and then by checking that the limit >= request. This also needs to check against the configured values for a request, which must be provided as a value.
func WriteTLSCert ¶
WriteTLSCert is a legacy method that writes the server certificate and key to files from the PGOSecretName secret, or generates a new key (writing to both the secret and the expected files).