Documentation
Overview
Package kubecertagent provides controllers that ensure that a set of pods (the kube-cert-agent) is colocated with the Kubernetes controller manager so that Pinniped can access its signing keys.
Note: the controllers use a filter that accepts all pods that look like the controller manager or an agent pod, across any add/update/delete event. Each of the controllers only cares about a subset of these events in reality, but the liberal filter implementation serves as an MVP.
Index
- Constants
- func NewAnnotaterController(agentPodConfig *AgentPodConfig, ...) controllerlib.Controller
- func NewCreaterController(agentPodConfig *AgentPodConfig, ...) controllerlib.Controller
- func NewDeleterController(agentPodConfig *AgentPodConfig, k8sClient kubernetes.Interface, ...) controllerlib.Controller
- func NewExecerController(credentialIssuerLocationConfig *CredentialIssuerLocationConfig, ...) controllerlib.Controller
- type AgentPodConfig
- type CredentialIssuerLocationConfig
- type PodCommandExecutor
Constants
const (
// ControllerManagerNamespace is the assumed namespace of the kube-controller-manager pod(s).
ControllerManagerNamespace = "kube-system"
)
Variables
This section is empty.
Functions
func NewAnnotaterController
func NewAnnotaterController(
	agentPodConfig *AgentPodConfig,
	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
	clock clock.Clock,
	k8sClient kubernetes.Interface,
	pinnipedAPIClient pinnipedclientset.Interface,
	kubeSystemPodInformer corev1informers.PodInformer,
	agentPodInformer corev1informers.PodInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
) controllerlib.Controller
NewAnnotaterController returns a controller that updates agent pods with the path to the kube API's certificate and key.
This controller will add annotations to agent pods with the best-guess paths to the kube API's certificate and key.
It is also tasked with updating the CredentialIssuer, located via the provided credentialIssuerLocationConfig, with any errors that it encounters.
func NewCreaterController
func NewCreaterController(
	agentPodConfig *AgentPodConfig,
	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
	credentialIssuerLabels map[string]string,
	clock clock.Clock,
	k8sClient kubernetes.Interface,
	pinnipedAPIClient pinnipedclientset.Interface,
	kubeSystemPodInformer corev1informers.PodInformer,
	agentPodInformer corev1informers.PodInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
	withInitialEvent pinnipedcontroller.WithInitialEventOptionFunc,
) controllerlib.Controller
NewCreaterController returns a controller that creates new kube-cert-agent pods for every known kube-controller-manager pod.
It is also tasked with updating the CredentialIssuer, located via the provided credentialIssuerLocationConfig, with any errors that it encounters.
func NewDeleterController
func NewDeleterController(
	agentPodConfig *AgentPodConfig,
	k8sClient kubernetes.Interface,
	kubeSystemPodInformer corev1informers.PodInformer,
	agentPodInformer corev1informers.PodInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
) controllerlib.Controller
NewDeleterController returns a controller that deletes any kube-cert-agent pods that are out of sync with the known kube-controller-manager pods.
func NewExecerController
func NewExecerController(
	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
	dynamicCertProvider dynamiccert.Provider,
	podCommandExecutor PodCommandExecutor,
	pinnipedAPIClient pinnipedclientset.Interface,
	clock clock.Clock,
	agentPodInformer corev1informers.PodInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
) controllerlib.Controller
NewExecerController returns a controllerlib.Controller that listens for agent pods with proper cert/key path annotations and execs into them to get the cert/key material. It sets the retrieved key material in the provided dynamicCertProvider.
It is also tasked with updating the CredentialIssuer, located via the provided credentialIssuerLocationConfig, with any errors that it encounters.
Types
type AgentPodConfig
type AgentPodConfig struct {
	// The namespace in which agent pods will be created.
	Namespace string
	// The container image used for the agent pods.
	ContainerImage string
	// The name prefix for each of the agent pods.
	PodNamePrefix string
	// ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
	// ImagePullSecrets on the kube-cert-agent pods.
	ContainerImagePullSecrets []string
	// Additional labels that should be added to every agent pod during creation.
	AdditionalLabels map[string]string
}
func (*AgentPodConfig) AgentSelector (added in v0.2.0)
func (c *AgentPodConfig) AgentSelector() labels.Selector
func (*AgentPodConfig) Labels
func (c *AgentPodConfig) Labels() map[string]string
type CredentialIssuerLocationConfig (added in v0.2.0)
type PodCommandExecutor
type PodCommandExecutor interface {
Exec(podNamespace string, podName string, commandAndArgs ...string) (stdoutResult string, err error)
}
PodCommandExecutor can exec a command in a pod located via namespace and name.
func NewPodCommandExecutor
func NewPodCommandExecutor(kubeConfig *restclient.Config, kubeClient kubernetes.Interface) PodCommandExecutor
NewPodCommandExecutor returns a PodCommandExecutor that will interact with a pod via the provided kubeConfig and corresponding kubeClient.
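The execer flow described under NewExecerController and the PodCommandExecutor contract above, as an added example that is not Pinniped's code: a fake executor serving a constructed in-memory filesystem, a fetch function that reads the annotated cert/key paths through Exec and refuses anything that is not a matching PEM certificate/key pair, and a self-signed CA generated in memory standing in for the controller manager's signing material. The annotation keys, file paths and function names are assumptions, not the package's real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// PodCommandExecutor is the interface documented on this page.
type PodCommandExecutor interface {
	Exec(podNamespace string, podName string, commandAndArgs ...string) (stdoutResult string, err error)
}
// Hypothetical annotation keys: this page does not state the real ones the annotater writes.
const certPathAnnotation, keyPathAnnotation = "example.invalid/cert-path", "example.invalid/key-path"
// fakeExecutor serves a constructed in-memory filesystem; it only understands "cat <path>".
type fakeExecutor map[string]string
func (f fakeExecutor) Exec(ns, name string, cmd ...string) (string, error) {
	if len(cmd) == 2 && cmd[0] == "cat" && f[cmd[1]] != "" {
		return f[cmd[1]], nil
	}
	return "", fmt.Errorf("%s/%s: exec %v failed", ns, name, cmd)
}
// fetchSigningKeyPair follows the execer in outline: read the annotated paths, exec into the
// agent pod for each file, and reject anything that is not a matching PEM cert/key pair.
func fetchSigningKeyPair(ex PodCommandExecutor, ns, name string, ann map[string]string) (tls.Certificate, error) {
	var pems [2][]byte
	for i, path := range []string{ann[certPathAnnotation], ann[keyPathAnnotation]} {
		if path == "" {
			return tls.Certificate{}, fmt.Errorf("%s/%s: cert/key path annotation missing", ns, name)
		}
		out, err := ex.Exec(ns, name, "cat", path)
		if err != nil {
			return tls.Certificate{}, err
		}
		pems[i] = []byte(out)
	}
	return tls.X509KeyPair(pems[0], pems[1])
}
// constructedKeyPair generates a throwaway self-signed CA as PEM, standing in for real signing material.
func constructedKeyPair() (certPEM, keyPEM string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
}
```

A pod whose annotations point at a key that does not belong to the certificate, or at a path the exec cannot read, yields an error instead of material, which is what the controller would then record on the CredentialIssuer.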