Documentation
Index
- Constants
- Variables
- func GenerateEncryptionKey() ([]byte, error)
- func GetToken(ctx context.Context, wg *sync.WaitGroup, client client.Client, ...) (string, error)
- func HandlerForBinding(c client.Client) handler.EventHandler
- func HandlerForDecision(c client.Client) handler.EventHandler
- func HandlerForRule(c client.Client) handler.EventHandler
- type Propagator
- type ReplicatedPolicyReconciler
- type RootPolicyReconciler
- type TemplateResolvers
- func (t *TemplateResolvers) GetResolver(replicatedPolicy k8sdepwatches.ObjectIdentifier, ...) (*templates.TemplateResolver, error)
- func (t *TemplateResolvers) GetWatchCount() uint
- func (t *TemplateResolvers) RemoveReplicatedPolicy(replicatedPolicy k8sdepwatches.ObjectIdentifier) error
- func (t *TemplateResolvers) WaitForShutdown()
- type TokenRefreshConfig
Constants
const (
	// #nosec G101
	EncryptionKeySecret   = "policy-encryption-key"
	IVAnnotation          = "policy.open-cluster-management.io/encryption-iv"
	LastRotatedAnnotation = "policy.open-cluster-management.io/last-rotated"
)
const (
	TemplateStartDelim      = "{{hub"
	TemplateStopDelim       = "hub}}"
	TriggerUpdateAnnotation = "policy.open-cluster-management.io/trigger-update"
)
const (
	ParentPolicyIDAnnotation = "policy.open-cluster-management.io/parent-policy-compliance-db-id"
	PolicyIDAnnotation       = "policy.open-cluster-management.io/policy-compliance-db-id"
)
const ControllerName string = "policy-propagator"
Variables
var (
	ErrRetryable = errors.New("")
	ErrSAMissing = errors.New("the hubTemplatesOptions.serviceAccountName does not exist")
)
Functions
func GenerateEncryptionKey added in v0.7.0
func GenerateEncryptionKey() ([]byte, error)
func GetToken added in v0.15.0
func GetToken(
	ctx context.Context,
	wg *sync.WaitGroup,
	client client.Client,
	serviceAccount types.NamespacedName,
	refreshConfig TokenRefreshConfig,
) (string, error)
GetToken will use the TokenRequest API to get a token for the service account and return a file path to where the token is stored. A new token will be requested and stored in the file before the token expires. If an unrecoverable error occurs during a token refresh, refreshConfig.OnFailedRefresh is called if it's defined.
func HandlerForBinding added in v0.13.0
func HandlerForBinding(c client.Client) handler.EventHandler
HandlerForBinding maps a PlacementBinding to the targeted replicated policies that are either directly in its subjects list or are in a PolicySet which is a subject of this PlacementBinding.
func HandlerForDecision added in v0.13.0
func HandlerForDecision(c client.Client) handler.EventHandler
HandlerForDecision maps a PlacementDecision to all replicated policies whose namespace is one of the decision's cluster names. The replicated policy name is the root policy name + namespace, which is taken from the PlacementBinding subject.
func HandlerForRule added in v0.13.0
func HandlerForRule(c client.Client) handler.EventHandler
HandlerForRule maps a PlacementRule to all replicated policies whose namespace is one of the clusters in the PlacementRule's status.decisions. It finds the PlacementBindings whose placementRef is the PlacementRule, then collects all root policies in those PlacementBindings. Replicated policies are determined from the decisions in the PlacementRule and a root policy name.
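The three handlers above all reduce to the same mapping: expand a PlacementBinding's subjects (following PolicySet subjects into their members) into root policies, then pair each root policy with every decision cluster of the referenced placement to name the replicated policies. The following is an added, self-contained illustration of that mapping, not code from the governance-policy-propagator project. It uses constructed stand-in structs rather than the real Kubernetes API types, and it assumes the replicated policy name has the form `<root namespace>.<root name>`; the page only states that the name combines the root policy name and namespace, so the separator and order are assumptions.

```go
package main

import "fmt"

// Constructed stand-ins for the hub objects the handlers read; they carry only
// the fields the mapping needs and are not the real API types.
type Subject struct{ Kind, Name string } // Kind is "Policy" or "PolicySet"

type PlacementBinding struct {
	Namespace    string
	PlacementRef string // PlacementRule or Placement name in the same namespace
	Subjects     []Subject
}

type PolicySet struct {
	Namespace string
	Name      string
	Policies  []string // root policy names in the same namespace
}

type Placement struct {
	Namespace string
	Name      string
	Decisions []string // cluster names from status.decisions
}

// ReplicatedPolicyRef identifies a replicated policy: it lives in the managed
// cluster's namespace under a name derived from the root policy.
type ReplicatedPolicyRef struct{ Namespace, Name string }

// replicatedName joins root namespace and name. Assumption: a "." separator in
// this order; the page only says the name is the root policy name plus namespace.
func replicatedName(rootNamespace, rootName string) string {
	return rootNamespace + "." + rootName
}

// rootPoliciesForBinding expands a binding's subjects into root policy names,
// following PolicySet subjects into their members as HandlerForBinding does.
// Unknown kinds are ignored and duplicates collapsed.
func rootPoliciesForBinding(pb PlacementBinding, sets []PolicySet) []string {
	seen := map[string]bool{}
	var out []string
	add := func(name string) {
		if !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	for _, s := range pb.Subjects {
		switch s.Kind {
		case "Policy":
			add(s.Name)
		case "PolicySet":
			for _, ps := range sets {
				if ps.Namespace == pb.Namespace && ps.Name == s.Name {
					for _, p := range ps.Policies {
						add(p)
					}
				}
			}
		}
	}
	return out
}

// replicatedPoliciesForPlacement does what HandlerForRule and HandlerForDecision
// describe: find bindings whose placementRef is this placement, collect their
// root policies, and pair each one with every decision cluster.
func replicatedPoliciesForPlacement(pl Placement, bindings []PlacementBinding, sets []PolicySet) []ReplicatedPolicyRef {
	seen := map[ReplicatedPolicyRef]bool{}
	var out []ReplicatedPolicyRef
	for _, pb := range bindings {
		if pb.Namespace != pl.Namespace || pb.PlacementRef != pl.Name {
			continue
		}
		for _, root := range rootPoliciesForBinding(pb, sets) {
			for _, cluster := range pl.Decisions {
				ref := ReplicatedPolicyRef{Namespace: cluster, Name: replicatedName(pb.Namespace, root)}
				if !seen[ref] {
					seen[ref] = true
					out = append(out, ref)
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: one binding with a direct Policy subject and a PolicySet subject.
	sets := []PolicySet{{Namespace: "policies", Name: "baseline", Policies: []string{"pod-security", "etcd-encryption"}}}
	bindings := []PlacementBinding{{
		Namespace: "policies", PlacementRef: "prod-clusters",
		Subjects:  []Subject{{"Policy", "cert-policy"}, {"PolicySet", "baseline"}},
	}}
	pl := Placement{Namespace: "policies", Name: "prod-clusters", Decisions: []string{"cluster1", "cluster2"}}
	for _, r := range replicatedPoliciesForPlacement(pl, bindings, sets) {
		fmt.Printf("%s/%s\n", r.Namespace, r.Name) // e.g. cluster1/policies.cert-policy
	}
}
```

Deduplication matters here because one root policy can reach the same placement through both a direct subject and a PolicySet, and an event handler that enqueues the same replicated policy twice only wastes reconciles.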
Types
type Propagator added in v0.12.0
type Propagator struct {
	client.Client
	Scheme                  *runtime.Scheme
	Recorder                record.EventRecorder
	RootPolicyLocks         *sync.Map
	ReplicatedPolicyUpdates chan event.GenericEvent
}
type ReplicatedPolicyReconciler added in v0.12.0
type ReplicatedPolicyReconciler struct {
	Propagator
	ResourceVersions    *sync.Map
	DynamicWatcher      k8sdepwatches.DynamicWatcher
	ComplianceServerCtx *complianceeventsapi.ComplianceServerCtx
	TemplateResolvers   *TemplateResolvers
}
func (*ReplicatedPolicyReconciler) SetupWithManager added in v0.12.0
type RootPolicyReconciler added in v0.12.0
type RootPolicyReconciler struct {
Propagator
}
func (*RootPolicyReconciler) Reconcile added in v0.12.0
func (r *RootPolicyReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error)
Reconcile handles root policies, sending events to the replicated policy reconciler to ensure that the desired policies are on the correct clusters. It also populates the status of the root policy with placement information.
func (*RootPolicyReconciler) SetupWithManager added in v0.12.0
func (r *RootPolicyReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint16) error
SetupWithManager sets up the controller with the Manager.
type TemplateResolvers added in v0.15.0
type TemplateResolvers struct {
	// A map of service accounts to templateResolverWithCancel. Access to this must leverage globalLock.
	TemplateResolvers map[types.NamespacedName]*templateResolverWithCancel
	// contains filtered or unexported fields
}
TemplateResolvers handles managing the template resolvers that policies leverage, including the default template resolver. It also handles garbage collection of unused template resolvers, except for the default template resolver. Garbage collection is based on a reference count, so it is important to call RemoveReplicatedPolicy when a replicated policy is deleted; GetResolver handles all other reference count updates. All methods are concurrency safe; however, write lock contention could occur if many replicated policies reference service accounts in spec.hubTemplateOptions.serviceAccountName that don't exist, since errors encountered instantiating the template resolver are not cached so that instantiation can be retried.
func NewTemplateResolvers added in v0.15.0
func NewTemplateResolvers(
	ctx context.Context,
	kubeconfig *rest.Config,
	mgrClient client.Client,
	defaultTemplateResolver *templates.TemplateResolver,
	replicatedPolicyUpdates chan event.GenericEvent,
) (*TemplateResolvers, source.TypedSource[reconcile.Request])
NewTemplateResolvers instantiates a TemplateResolvers instance and returns a controller-runtime source to trigger reconciles when an object referenced in a template updates. Note that GetResolver should not be called until the controller-runtime manager has started since mgrClient may be used.
func (*TemplateResolvers) GetResolver added in v0.15.0
func (t *TemplateResolvers) GetResolver(
	replicatedPolicy k8sdepwatches.ObjectIdentifier,
	serviceAccount types.NamespacedName,
) (*templates.TemplateResolver, error)
GetResolver will get the template resolver based on the input service account. If defaultSANamespacedName is provided, the default template resolver is returned. All references are updated and if the service account changed for the replicated policy, the watches on the previous template resolver are cleaned up.
func (*TemplateResolvers) GetWatchCount added in v0.15.0
func (t *TemplateResolvers) GetWatchCount() uint
GetWatchCount returns the total number of watches from all template resolvers.
func (*TemplateResolvers) RemoveReplicatedPolicy added in v0.15.0
func (t *TemplateResolvers) RemoveReplicatedPolicy(replicatedPolicy k8sdepwatches.ObjectIdentifier) error
RemoveReplicatedPolicy will clean up watches on the current template resolver (service account used in the last call to GetResolver) and if this was the last replicated policy using this template resolver, the template resolver will be cleaned up.
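The reference-counting contract spelled out for TemplateResolvers, GetResolver and RemoveReplicatedPolicy (one resolver per service account, a reference per replicated policy, the previous resolver released when a policy switches service accounts, non-default resolvers collected at zero, and missing-service-account errors deliberately not cached) is easier to see in a reduced model. The block below is an added example written for this page, not the project's implementation: it uses constructed stand-ins for types.NamespacedName and *templates.TemplateResolver, replaces the hub lookup of the service account with an injected saExists function, and omits the per-resolver watches and goroutines the real type manages.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

type NamespacedName struct{ Namespace, Name string } // stands in for types.NamespacedName
type Resolver struct{ ServiceAccount NamespacedName }  // stands in for *templates.TemplateResolver

// resolverEntry pairs a resolver with the number of replicated policies using it.
type resolverEntry struct {
	resolver *Resolver
	refs     int
}

// ErrSAMissing mirrors the page's error for a service account that does not exist.
var ErrSAMissing = errors.New("the hubTemplatesOptions.serviceAccountName does not exist")

// Resolvers is a reduced model of TemplateResolvers: one resolver per service
// account, reference counted per replicated policy; the default is never collected.
type Resolvers struct {
	mu        sync.Mutex
	defaultSA NamespacedName
	entries   map[NamespacedName]*resolverEntry
	policySA  map[string]NamespacedName // SA each policy used in its last GetResolver call
	saExists  func(NamespacedName) bool  // constructed stand-in for looking the SA up on the hub
}

func NewResolvers(defaultSA NamespacedName, saExists func(NamespacedName) bool) *Resolvers {
	r := &Resolvers{defaultSA: defaultSA, entries: map[NamespacedName]*resolverEntry{}, policySA: map[string]NamespacedName{}, saExists: saExists}
	r.entries[defaultSA] = &resolverEntry{resolver: &Resolver{ServiceAccount: defaultSA}}
	return r
}

// GetResolver returns the resolver for sa (the default when sa is empty), creating it
// on first use. A missing SA is an error that is deliberately not cached, so every call
// re-checks it under the write lock, which is the contention the page warns about.
// If the policy switched SAs, its reference on the previous resolver is released.
func (r *Resolvers) GetResolver(policy string, sa NamespacedName) (*Resolver, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if sa == (NamespacedName{}) {
		sa = r.defaultSA
	}
	entry, ok := r.entries[sa]
	if !ok {
		if !r.saExists(sa) {
			return nil, fmt.Errorf("%w: %s/%s", ErrSAMissing, sa.Namespace, sa.Name)
		}
		entry = &resolverEntry{resolver: &Resolver{ServiceAccount: sa}}
		r.entries[sa] = entry
	}
	if prev, had := r.policySA[policy]; had {
		if prev == sa {
			return entry.resolver, nil // reference already held, count unchanged
		}
		r.releaseLocked(prev) // SA changed: drop the reference on the previous resolver
	}
	r.policySA[policy] = sa
	entry.refs++
	return entry.resolver, nil
}

// RemoveReplicatedPolicy releases the policy's reference. Nothing else decrements
// the count, so skipping this on deletion leaks the resolver.
func (r *Resolvers) RemoveReplicatedPolicy(policy string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if sa, ok := r.policySA[policy]; ok {
		r.releaseLocked(sa)
		delete(r.policySA, policy)
	}
	return nil
}

// releaseLocked decrements the count and collects a non-default resolver at zero. Caller holds r.mu.
func (r *Resolvers) releaseLocked(sa NamespacedName) {
	entry := r.entries[sa]
	entry.refs--
	if entry.refs == 0 && sa != r.defaultSA {
		delete(r.entries, sa)
	}
}

// Refs reports the reference count for sa, or -1 when no resolver exists for it.
func (r *Resolvers) Refs(sa NamespacedName) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	if e, ok := r.entries[sa]; ok {
		return e.refs
	}
	return -1
}

func main() {
	def, custom := NamespacedName{"ocm", "default-sa"}, NamespacedName{"policies", "hub-reader"}
	r := NewResolvers(def, func(n NamespacedName) bool { return n == custom })
	r.GetResolver("cluster1/policies.p1", custom)
	r.GetResolver("cluster1/policies.p1", def) // switch: the custom resolver is collected
	fmt.Println(r.Refs(custom), r.Refs(def))   // -1 1
}
```

The single mutex is the simplification to watch: the real type distinguishes read and write locking (the "globalLock" named in the struct comment), and the page's warning about contention only applies because a missing service account takes the error path, which in this model and in the description is re-evaluated on every call instead of being remembered.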
func (*TemplateResolvers) WaitForShutdown added in v0.15.0
func (t *TemplateResolvers) WaitForShutdown()
WaitForShutdown waits for the context passed to NewTemplateResolvers to complete and then for all goroutines started from TemplateResolvers to end.
type TokenRefreshConfig added in v0.15.0
type TokenRefreshConfig struct {
	// The token lifetime in seconds.
	ExpirationSeconds int64
	// The minimum refresh minutes before expiration. This must be <= MaxRefreshMins.
	MinRefreshMins float64
	// The maximum refresh minutes before expiration. This must be >= MinRefreshMins.
	MaxRefreshMins float64
	// If a token refresh encountered an unrecoverable error, then this is called.
	OnFailedRefresh func(error)
}
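GetToken (above) and TokenRefreshConfig together describe a background refresh loop: request a token with the configured lifetime, write it to a file, and request a replacement somewhere between MaxRefreshMins and MinRefreshMins before it expires, handing unrecoverable errors to OnFailedRefresh. The following is an added example of that loop written for this page, not the project's GetToken: it copies the TokenRefreshConfig struct so it is self-contained, replaces the TokenRequest API with an injected issuer function (constructed), adds a Validate method and a fixed 10-second pause between retryable failures that the page does not specify, and picks the refresh point uniformly at random inside the window, which is one reasonable reading of a min/max pair.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"os"
	"path/filepath"
	"time"
)

// TokenRefreshConfig copies the page's struct so the example is self-contained.
type TokenRefreshConfig struct {
	ExpirationSeconds int64       // requested token lifetime
	MinRefreshMins    float64     // refresh no later than this many minutes before expiry
	MaxRefreshMins    float64     // refresh no earlier than this many minutes before expiry
	OnFailedRefresh   func(error) // called once when a refresh fails unrecoverably
}

// ErrRetryable mirrors the page's sentinel for an issuer error worth retrying.
var ErrRetryable = errors.New("")

// Validate rejects a window that is inverted or does not fit inside the token
// lifetime; a refresh scheduled after expiry would leave a dead token on disk.
func (c TokenRefreshConfig) Validate() error {
	if c.MinRefreshMins < 0 || c.MinRefreshMins > c.MaxRefreshMins {
		return fmt.Errorf("need 0 <= MinRefreshMins (%v) <= MaxRefreshMins (%v)", c.MinRefreshMins, c.MaxRefreshMins)
	}
	if time.Duration(c.MaxRefreshMins*float64(time.Minute)) >= time.Duration(c.ExpirationSeconds)*time.Second {
		return fmt.Errorf("MaxRefreshMins (%v) must be less than the %ds token lifetime", c.MaxRefreshMins, c.ExpirationSeconds)
	}
	return nil
}

// RefreshDelay is how long to wait from now before requesting a new token. frac in [0,1]
// picks the point inside the [Min,Max] window (0 = latest, 1 = earliest) so callers can
// add jitter; a token already inside the window is refreshed at once.
func (c TokenRefreshConfig) RefreshDelay(now, expiry time.Time, frac float64) time.Duration {
	mins := c.MinRefreshMins + frac*(c.MaxRefreshMins-c.MinRefreshMins)
	if d := expiry.Add(-time.Duration(mins * float64(time.Minute))).Sub(now); d > 0 {
		return d
	}
	return 0
}

// Issuer stands in for the TokenRequest API call (constructed for this example).
type Issuer func(expirationSeconds int64) (token string, expiry time.Time, err error)

// RunRefresh writes the first token to dir/token, returns that path, and keeps the file
// fresh until ctx is done. Retryable errors are retried; anything else is handed to
// OnFailedRefresh (if set) and stops the loop, as the page describes for GetToken.
func RunRefresh(ctx context.Context, cfg TokenRefreshConfig, issue Issuer, dir string) (string, error) {
	if err := cfg.Validate(); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "token")
	token, expiry, err := issue(cfg.ExpirationSeconds)
	if err != nil {
		return "", err
	}
	if err := os.WriteFile(path, []byte(token), 0o600); err != nil { // owner-only: it is a credential
		return "", err
	}
	go func() {
		for {
			select {
			case <-ctx.Done():
				return
			case <-time.After(cfg.RefreshDelay(time.Now(), expiry, rand.Float64())):
			}
			newToken, newExpiry, err := issue(cfg.ExpirationSeconds)
			if errors.Is(err, ErrRetryable) {
				select { // assumed fixed pause before retrying a transient failure
				case <-ctx.Done():
					return
				case <-time.After(10 * time.Second):
				}
				continue
			}
			if err == nil {
				err = os.WriteFile(path, []byte(newToken), 0o600)
			}
			if err != nil {
				if cfg.OnFailedRefresh != nil {
					cfg.OnFailedRefresh(err)
				}
				return
			}
			expiry = newExpiry
		}
	}()
	return path, nil
}

func main() {
	n := 0 // constructed issuer: mints a new token per call instead of calling the API
	issue := func(exp int64) (string, time.Time, error) {
		n++
		return fmt.Sprintf("constructed-token-%d", n), time.Now().Add(time.Duration(exp) * time.Second), nil
	}
	cfg := TokenRefreshConfig{ExpirationSeconds: 3600, MinRefreshMins: 5, MaxRefreshMins: 15}
	path, err := RunRefresh(context.Background(), cfg, issue, os.TempDir())
	fmt.Println(path, err)
}
```

Two details carry the security weight: the file is created with mode 0600 because it holds a bearer credential, and a token that is already inside its refresh window (for example after the process was suspended) is refreshed immediately rather than on the next scheduled tick, so the file never knowingly holds an expired token while the loop is alive.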