Documentation
Index
- Constants
- Variables
- func ConfigFiles(cloudHome, kubeDir string, excludeMatches []string, match string, remove bool) ([]string, error)
- func ProcessResourceFile(ctx context.Context, tools Tools, config string, skipSecrets bool) ([]k8scfg.Resource, error)
- func RewriteConfigFile(ctx context.Context, tools Tools, data string, ...) ([]k8scfg.Resource, error)
- func RewriteCronJobAuth(ctx context.Context, tools Tools, rin k8scfg.Resource, opt *RewriteOptions) ([]k8scfg.ProcessedResource, error)
- func RewriteDeploymentAuth(ctx context.Context, tools Tools, rin k8scfg.Resource, opt *RewriteOptions) ([]k8scfg.ProcessedResource, error)
- func SaveResourceFile(ctx context.Context, tools Tools, saveDir string, sr *k8s.SerializedResource, ...) error
- func SerializeResource(un *unstructured.Unstructured) (*k8s.SerializedResource, error)
- type RewriteOptions
- type RewriteRoutine
- type Tools
Constants

    const (
        AnnotationRotationEnabled   = "qubling.cloud/key-rotation"
        AnnotationIAMUser           = "iam.amazonaws.com/user"
        AnnotationManagedSecretName = "qubling.cloud/managed-secret-name" //nolint:gosec // this is not a secret
        AnnotationValueRotationEnabled = "perform"
    )

    const TrashDir = "TRASH"
Variables

    var AccessKeyLifetime = 30 * 24 * time.Hour

    var ErrSecret = errors.New("SKIP SECRET")

    var PhasePrefixes = []string{"storageclass", "namespace", "addon"} // phases that need to run first, in this order

    var Rewriters = []RewriteRoutine{
        RewriteDeploymentAuth,
        RewriteCronJobAuth,
    }
Functions

func ConfigFiles

    func ConfigFiles(
        cloudHome, kubeDir string,
        excludeMatches []string,
        match string,
        remove bool,
    ) ([]string, error)

ConfigFiles returns the names of all the Kubernetes configuration files that match the given glob pattern.
func ProcessResourceFile

    func ProcessResourceFile(
        ctx context.Context,
        tools Tools,
        config string,
        skipSecrets bool,
    ) ([]k8scfg.Resource, error)

ProcessResourceFile reads the contents of the named resource file and breaks it into individual resources. Each resource is templated and rewritten, and the result is returned as a slice of Resource objects, each containing the parsed resource and any other options.

Returns an error if any of these steps fails.
func RewriteConfigFile

    func RewriteConfigFile(
        ctx context.Context,
        tools Tools,
        data string,
        resourceOpt k8scfg.ResourceOptions,
        rewriters []RewriteRoutine,
        rewriteOpt *RewriteOptions,
    ) ([]k8scfg.Resource, error)

RewriteConfigFile applies rewrite routines to the configuration file. The configuration file is parsed into the generic unstructured.Unstructured format and passed to each handler in turn. Each routine returns at least one object (possibly more, if the object needs to generate additional objects along the way), and every returned object is passed on to the next rewrite routine until all rewrite routines have run. This means later routines may run against more than one object per original object.
If any rewrite routine returns an error, the process is immediately halted and only an error is returned.
If all rewrite routines succeed, the results are serialized back into YAML for further processing.
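The fan-out and halt-on-error semantics described above, as an added example that is not part of this package: ApplyRewriters, the Resource shape, the routine signature without the Tools and options parameters, and the EmitManagedSecret routine are all assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
)

// Resource stands in for k8scfg.Resource (assumed shape): kind, name and annotations.
type Resource struct {
	Kind, Name  string
	Annotations map[string]string
}

// RewriteRoutine mirrors the package's type minus the Tools and options parameters.
type RewriteRoutine func(ctx context.Context, r Resource) ([]Resource, error)

// ApplyRewriters feeds one parsed object through every routine in turn. Each routine runs
// over every object produced so far, so a fan-out by one routine reaches all later routines.
func ApplyRewriters(ctx context.Context, in Resource, routines []RewriteRoutine) ([]Resource, error) {
	objs := []Resource{in}
	for i, routine := range routines {
		var next []Resource
		for _, obj := range objs {
			out, err := routine(ctx, obj)
			if err != nil { // first error halts the chain; nothing partial is returned
				return nil, fmt.Errorf("rewriter %d on %s/%s: %w", i, obj.Kind, obj.Name, err)
			}
			if len(out) == 0 { // every routine must hand back at least one object
				return nil, fmt.Errorf("rewriter %d dropped %s/%s", i, obj.Kind, obj.Name)
			}
			next = append(next, out...)
		}
		objs = next
	}
	return objs, nil
}

// EmitManagedSecret (constructed): a Deployment annotated with an IAM user yields
// itself plus a managed Secret named after that user, so later routines see both.
func EmitManagedSecret(_ context.Context, r Resource) ([]Resource, error) {
	user := r.Annotations["iam.amazonaws.com/user"]
	if r.Kind != "Deployment" || user == "" {
		return []Resource{r}, nil
	}
	return []Resource{r, {Kind: "Secret", Name: user, Annotations: map[string]string{}}}, nil
}

func main() {
	dep := Resource{Kind: "Deployment", Name: "api", Annotations: map[string]string{"iam.amazonaws.com/user": "api-bot"}}
	out, err := ApplyRewriters(context.Background(), dep, []RewriteRoutine{EmitManagedSecret})
	fmt.Println(len(out), err) // 2 <nil>
}
```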
func RewriteCronJobAuth

    func RewriteCronJobAuth(
        ctx context.Context,
        tools Tools,
        rin k8scfg.Resource,
        opt *RewriteOptions,
    ) ([]k8scfg.ProcessedResource, error)

RewriteCronJobAuth is a RewriteRoutine which looks for the iam.amazonaws.com/user annotation in cronjobs. When found, it looks up that user, checks the status of the managed secret that tracks the user's access key information, and refreshes that status if needed.

The managed secret is named by the qubling.cloud/managed-secret-name annotation if that annotation is present on the cronjob; otherwise the name of the user is used as the secret name.
If the associated secret does not exist, an access key is generated, the secret is deployed, and the cronjob is marked for restart.
If the associated secret has an access key that differs from the most recent access key for the IAM user, the access key is rotated, the secret is updated, and the cronjob is marked for restart.
If the key associated with the user is older than AccessKeyLifetime, then the access key for the IAM user is rotated, the secret is updated, and the cronjob is marked for restart.
In all cases where the iam.amazonaws.com/user annotation is set, the environment for each container in the cronjob's pod template is updated to include an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY that refer to those values in the managed secret.
func RewriteDeploymentAuth

    func RewriteDeploymentAuth(
        ctx context.Context,
        tools Tools,
        rin k8scfg.Resource,
        opt *RewriteOptions,
    ) ([]k8scfg.ProcessedResource, error)

RewriteDeploymentAuth is a RewriteRoutine which looks for the iam.amazonaws.com/user annotation in deployments. When found, it looks up that user, checks the status of the managed secret that tracks the user's access key information, and refreshes that status if needed.

The managed secret is named by the qubling.cloud/managed-secret-name annotation if that annotation is present on the deployment; otherwise the name of the user is used as the secret name.
If the associated secret does not exist, an access key is generated, the secret is deployed, and the deployment is marked for restart.
If the associated secret has an access key that differs from the most recent access key for the IAM user, the access key is rotated, the secret is updated, and the deployment is marked for restart.
If the key associated with the user is older than AccessKeyLifetime, then the access key for the IAM user is rotated, the secret is updated, and the deployment is marked for restart.
In all cases where the iam.amazonaws.com/user annotation is set, the environment for each container in the deployment's pod template is updated to include an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY that refer to those values in the managed secret.
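The secret-naming rule and the three rotation conditions shared by RewriteCronJobAuth and RewriteDeploymentAuth, as an added example rather than this package's code: the Action type, ManagedSecretName, IAMKey and DecideRotation are illustrative assumptions, and only the annotation names and AccessKeyLifetime come from the package.

```go
package main

import (
	"fmt"
	"time"
)

const (
	AnnotationIAMUser           = "iam.amazonaws.com/user"
	AnnotationManagedSecretName = "qubling.cloud/managed-secret-name"
	AccessKeyLifetime           = 30 * 24 * time.Hour
)

// Action is the routine's decision; anything but NoChange also marks the workload for restart.
type Action int

const (
	NoChange  Action = iota
	CreateKey        // no managed secret yet: mint a key and deploy the secret
	RotateKey        // secret stale or key past its lifetime: rotate and update it
)

// ManagedSecretName: the override annotation wins, else the IAM user name;
// ok is false when the workload carries no IAM user annotation at all.
func ManagedSecretName(annotations map[string]string) (name string, ok bool) {
	user := annotations[AnnotationIAMUser]
	if name = annotations[AnnotationManagedSecretName]; name == "" {
		name = user
	}
	return name, user != ""
}

// IAMKey is the most recent access key IAM reports for the user.
type IAMKey struct {
	ID      string
	Created time.Time
}

// DecideRotation checks the three documented conditions in order against the managed secret as found.
func DecideRotation(secretExists bool, secretKeyID string, latest IAMKey, now time.Time) Action {
	switch {
	case !secretExists:
		return CreateKey
	case secretKeyID != latest.ID, now.Sub(latest.Created) > AccessKeyLifetime:
		return RotateKey
	}
	return NoChange
}

func main() {
	fmt.Println(DecideRotation(false, "", IAMKey{}, time.Now())) // 1, i.e. CreateKey
}
```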
func SaveResourceFile

    func SaveResourceFile(
        ctx context.Context,
        tools Tools,
        saveDir string,
        sr *k8s.SerializedResource,
        skipSecrets bool,
    ) error

SaveResourceFile writes a serialized resource out as a resource file in the given save directory.
func SerializeResource

    func SerializeResource(
        un *unstructured.Unstructured,
    ) (*k8s.SerializedResource, error)

SerializeResource turns a resource into JSON bytes ready for application. It works similarly to the SerializeResource method of the k8s client, but does not need to talk to the cluster. It returns a SerializedResource, but the dynamic resource interface will not be set.
Types

type RewriteOptions

    type RewriteOptions struct {
        SkipSecrets bool
    }
type RewriteRoutine

    type RewriteRoutine func(context.Context, Tools, k8scfg.Resource, *RewriteOptions) ([]k8scfg.ProcessedResource, error)