Documentation
Overview
Package kubecertagent provides controllers that ensure a pod (the kube-cert-agent) is co-located with the Kubernetes controller manager so that Pinniped can access its signing keys.
Constants
const (
	// ControllerManagerNamespace is the assumed namespace of the kube-controller-manager pod(s).
	ControllerManagerNamespace = "kube-system"
	ClusterInfoNamespace       = "kube-public"
)
Functions
func NewAgentController (added in v0.8.0)
func NewAgentController(
	cfg AgentConfig,
	client *kubeclient.Client,
	kubeSystemPods corev1informers.PodInformer,
	agentDeployments appsv1informers.DeploymentInformer,
	agentPods corev1informers.PodInformer,
	kubePublicConfigMaps corev1informers.ConfigMapInformer,
	credentialIssuers configv1alpha1informers.CredentialIssuerInformer,
	dynamicCertProvider dynamiccert.Private,
) controllerlib.Controller
NewAgentController returns a controller that manages the kube-cert-agent Deployment. It is also tasked with updating the CredentialIssuer with any errors that it encounters.
func NewLegacyPodCleanerController (added in v0.8.0)
func NewLegacyPodCleanerController(
	cfg AgentConfig,
	client *kubeclient.Client,
	agentPods corev1informers.PodInformer,
	log plog.Logger,
) controllerlib.Controller
NewLegacyPodCleanerController returns a controller that cleans up legacy kube-cert-agent Pods created by Pinniped v0.7.0 and below.
Types
type AgentConfig (added in v0.8.0)
type AgentConfig struct {
	// Namespace in which agent pods will be created.
	Namespace string

	// ContainerImage specifies the container image used for the agent pods.
	ContainerImage string

	// NamePrefix will be prefixed to all agent pod names.
	NamePrefix string

	// ServiceAccountName is the service account under which to run the agent pods.
	ServiceAccountName string

	// ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
	// ImagePullSecrets on the kube-cert-agent pods.
	ContainerImagePullSecrets []string

	// CredentialIssuerName specifies the CredentialIssuer to be created/updated.
	CredentialIssuerName string

	// Labels to be applied to the CredentialIssuer and agent pods.
	Labels map[string]string

	// DiscoveryURLOverride is the Kubernetes server endpoint to report in the CredentialIssuer, overriding any
	// value discovered in the kube-public/cluster-info ConfigMap.
	DiscoveryURLOverride *string
}
AgentConfig is the configuration for the kube-cert-agent controller.
type PodCommandExecutor
type PodCommandExecutor interface {
	Exec(ctx context.Context, podNamespace string, podName string, containerName string, commandAndArgs ...string) (stdoutResult string, err error)
}
PodCommandExecutor can exec a command in a pod located via namespace and name.
func NewPodCommandExecutor
func NewPodCommandExecutor(kubeConfig *restclient.Config, kubeClient kubernetes.Interface) PodCommandExecutor
NewPodCommandExecutor returns a PodCommandExecutor that will interact with a pod via the provided kubeConfig and corresponding kubeClient.