Index ¶
- Constants
- func BuildFWICredsContent(workloadIdentityPool, identityProvider, gsaEmail string, ...) (string, error)
- func CreateOrUpdate(ctx context.Context, c client.Client, obj client.Object, ...) (controllerutil.OperationResult, error)
- func EnableAskpassSidecar(sourceType configsync.SourceType, auth configsync.AuthType) bool
- func GetSecretKeys(ctx context.Context, c client.Client, sRef types.NamespacedName) map[string]bool
- func ManagedByLabel() map[string]string
- func ManagedObjectLabelMap(syncKind string, rsRef types.NamespacedName) map[string]string
- func PollingPeriod(envName string, defaultValue time.Duration) time.Duration
- func ReconcilerContainerLogLevelDefaults() map[string]v1beta1.ContainerLogLevelOverride
- func ReconcilerContainerResourceDefaults() map[string]v1beta1.ContainerResourcesSpec
- func ReconcilerContainerResourceDefaultsForAutopilot() map[string]v1beta1.ContainerResourcesSpec
- func ReconcilerResourceName(reconcilerName, resourceName string) string
- func SkipForAuth(auth configsync.AuthType) bool
- type CRDController
- type CRDMetaController
- type CRDReconcileFunc
- type Controller
- type LoggingController
- type NoRetryError
- type ObjectOperationError
- func NewObjectOperationError(err error, obj client.Object, op Operation) *ObjectOperationError
- func NewObjectOperationErrorForList(err error, objList client.ObjectList, op Operation) *ObjectOperationError
- func NewObjectOperationErrorForListWithNamespace(err error, objList client.ObjectList, op Operation, namespace string) *ObjectOperationError
- func NewObjectOperationErrorWithID(err error, id core.ID, op Operation) *ObjectOperationError
- func NewObjectOperationErrorWithKey(err error, obj client.Object, op Operation, objKey client.ObjectKey) *ObjectOperationError
- type ObjectReconcileError
- type Operation
- type OtelReconciler
- type OtelSAReconciler
- type ReconcilerType
- type RepoSyncReconciler
- type RootSyncReconciler
Constants ¶
const (
	// RepoSyncClusterScopeClusterRoleName is the name of the ClusterRole with
	// cluster-scoped read permissions for the namespace reconciler.
	// e.g. configsync.gke.io:ns-reconciler:cluster-scope
	RepoSyncClusterScopeClusterRoleName = configsync.GroupName + ":" + core.NsReconcilerPrefix + ":cluster-scope"
	// RepoSyncBaseClusterRoleName is the namespace reconciler permissions name.
	// e.g. configsync.gke.io:ns-reconciler
	RepoSyncBaseClusterRoleName = configsync.GroupName + ":" + core.NsReconcilerPrefix
	// RootSyncBaseClusterRoleName is the root reconciler base ClusterRole name.
	// e.g. configsync.gke.io:root-reconciler
	RootSyncBaseClusterRoleName = configsync.GroupName + ":" + core.RootReconcilerPrefix
	// RepoSyncClusterScopeClusterRoleBindingName is the name of the default
	// ClusterRoleBinding created for RepoSync objects. This contains basic
	// cluster-scoped permissions for RepoSync reconcilers
	// (e.g. CustomResourceDefinition watch).
	RepoSyncClusterScopeClusterRoleBindingName = RepoSyncClusterScopeClusterRoleName
	// RepoSyncBaseRoleBindingName is the name of the default RoleBinding created
	// for RepoSync objects. This contains basic namespace-scoped permissions
	// for RepoSync reconcilers
	// (e.g. RepoSync status update).
	RepoSyncBaseRoleBindingName = RepoSyncBaseClusterRoleName
	// RootSyncLegacyClusterRoleBindingName is the name of the legacy ClusterRoleBinding created
	// for RootSync objects. It is always bound to cluster-admin, so it should be
	// treated as a privileged binding when auditing RBAC on the cluster.
	RootSyncLegacyClusterRoleBindingName = RootSyncBaseClusterRoleName
	// RootSyncBaseClusterRoleBindingName is the name of the default ClusterRoleBinding created
	// for RootSync objects. This contains basic permissions for RootSync reconcilers
	// (e.g. RootSync status update).
	RootSyncBaseClusterRoleBindingName = RootSyncBaseClusterRoleName + "-base"
)
const (
	// GitSecretConfigKeySSH is the key at which an ssh cert is stored
	GitSecretConfigKeySSH = "ssh"
	// GitSecretConfigKeyCookieFile is the key at which the git cookiefile is stored
	GitSecretConfigKeyCookieFile = "cookie_file"
	// GitSecretConfigKeyToken is the key at which a token's value is stored
	GitSecretConfigKeyToken = "token"
	// GitSecretConfigKeyTokenUsername is the key at which a token's username is stored
	GitSecretConfigKeyTokenUsername = "username"
	// GitSecretGithubAppPrivateKey is the key at which the githubapp private key is stored
	GitSecretGithubAppPrivateKey = "github-app-private-key"
	// GitSecretGithubAppInstallationID is the key at which the githubapp installation id is stored
	GitSecretGithubAppInstallationID = "github-app-installation-id"
	// GitSecretGithubAppApplicationID is the key at which the githubapp app id is stored
	GitSecretGithubAppApplicationID = reconcilermanager.GitSecretGithubAppApplicationID
	// GitSecretGithubAppClientID is the key at which the githubapp client id is stored
	GitSecretGithubAppClientID = reconcilermanager.GitSecretGithubAppClientID
	// GitSecretGithubAppBaseURL is the key at which the optional githubapp base url is stored
	GitSecretGithubAppBaseURL = "github-app-base-url"
)
Git secret configmap key names
const (
	// HelmSecretKeyPassword is the key at which a token's value is stored
	HelmSecretKeyPassword = "password"
	// HelmSecretKeyUsername is the key at which a token's username is stored
	HelmSecretKeyUsername = "username"
)
Helm secret data key names
const (
	// OperationCreate is the create operation
	OperationCreate = Operation("create")
	// OperationUpdate is the update operation
	OperationUpdate = Operation("update")
	// OperationPatch is the patch operation
	OperationPatch = Operation("patch")
	// OperationDelete is the delete operation
	OperationDelete = Operation("delete")
	// OperationGet is the get operation
	OperationGet = Operation("get")
	// OperationList is the list operation
	OperationList = Operation("list")
	// OperationWatch is the watch operation
	OperationWatch = Operation("watch")
)
const (
	// GitSyncRepo represents the environment variable key for specifying the Git repository to sync.
	GitSyncRepo = "GITSYNC_REPO"
	// GitSyncDepth represents the environment variable key for setting the depth of the Git clone, truncating history to a specific number of commits.
	GitSyncDepth = "GITSYNC_DEPTH"
	// GitSSLCAInfo represents the environment variable key for SSL certificates.
	GitSSLCAInfo = "GIT_SSL_CAINFO"
	// GitSyncKnownHosts represents the environment variable key for the SSH known_hosts data (GITSYNC_SSH_KNOWN_HOSTS).
	GitSyncKnownHosts = "GITSYNC_SSH_KNOWN_HOSTS"
	// GitSSLNoVerify represents the environment variable key for GIT_SSL_NO_VERIFY.
	// NOTE(review): git honors this as an opt-out of TLS certificate verification for
	// HTTPS remotes; GIT_SSL_CAINFO with a trusted CA is the preferred way to handle
	// private certificate authorities.
	GitSSLNoVerify = "GIT_SSL_NO_VERIFY"
	// GithubAppBaseURL is an optional parameter to override the GitHub api endpoint
	GithubAppBaseURL = "GITSYNC_GITHUB_BASE_URL"
	// GithubAppPrivateKey is the private key used for GitHub App authentication
	GithubAppPrivateKey = "GITSYNC_GITHUB_APP_PRIVATE_KEY"
	// GithubAppClientID is the client id used for GitHub App authentication
	GithubAppClientID = "GITSYNC_GITHUB_APP_CLIENT_ID"
	// GithubAppApplicationID is the app id used for GitHub App authentication
	GithubAppApplicationID = "GITSYNC_GITHUB_APP_APPLICATION_ID"
	// GithubAppInstallationID is the installation id used for GitHub App authentication
	GithubAppInstallationID = "GITSYNC_GITHUB_APP_INSTALLATION_ID"
	// DefaultSyncRev is the default git revision.
	DefaultSyncRev = "HEAD"
	// DefaultSyncBranch is the default git branch.
	DefaultSyncBranch = "master"
	// DefaultSyncDir is the default sync directory.
	DefaultSyncDir = "."
	// DefaultSyncWaitSecs is the default wait seconds.
	DefaultSyncWaitSecs = 15
	// SyncDepthNoRev is the default git depth if syncing with default sync revision (`HEAD`).
	SyncDepthNoRev = "1"
	// SyncDepthRev is the default git depth if syncing with a specific sync revision (tag or hash).
	SyncDepthRev = "500"
	// KnownHostsKey is the key for known_hosts information
	KnownHostsKey = "known_hosts"
)
const (
	// ReconcilerTemplateConfigMapKey is the key used to specify the reconciler
	// deployment template in the "reconciler-manager-cm" ConfigMap.
	// Defined in configmap manifests/templates/reconciler-manager-configmap.yaml
	ReconcilerTemplateConfigMapKey = "deployment.yaml"
	// ReconcilerTemplateConfigMapName is the name of the ConfigMap used to
	// specify the reconciler deployment template.
	// Defined in configmap manifests/templates/reconciler-manager-configmap.yaml
	ReconcilerTemplateConfigMapName = "reconciler-manager-cm"
)
const (
	// RootReconcilerType defines the type for a root reconciler
	RootReconcilerType = ReconcilerType("root")
	// NamespaceReconcilerType defines the type for a namespace reconciler
	NamespaceReconcilerType = ReconcilerType("namespace")
)
const CACertPath = "/etc/ca-cert"
CACertPath is the path where the certificate is mounted.
const CACertSecretKey = "cert"
CACertSecretKey is the name of the key in the Secret's data map whose value holds the CA cert
const CACertVolume = "ca-cert"
CACertVolume is the volume name of the CA certificate.
const (
	// GCPSAAnnotationKey is used to annotate the following service accounts:
	// 1) the RepoSync/RootSync controller SA when
	// spec.git.auth: gcpserviceaccount is used with Workload Identity enabled on a
	// GKE cluster.
	// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
	// 2) the `default` SA in the `config-management-monitoring` namespace, which
	// is used by the `otel-collector` Deployment. Adding this annotation allows
	// the `otel-collector` Deployment to impersonate GCP service accounts to
	// export metrics to Cloud Monitoring and Cloud Monarch on a GKE cluster with
	// Workload Identity enabled.
	GCPSAAnnotationKey = "iam.gke.io/gcp-service-account"
)
const GitCredentialVolume = "git-creds"
GitCredentialVolume is the volume name of the git credentials.
const HelmCredentialVolume = "helm-creds"
HelmCredentialVolume is the volume name of the helm credentials.
const (
// OtelSALoggerName defines the logger name for OtelSAReconciler
OtelSALoggerName = "OtelSA"
)
Variables ¶
This section is empty.
Functions ¶
func BuildFWICredsContent ¶
func BuildFWICredsContent(workloadIdentityPool, identityProvider, gsaEmail string, authType configsync.AuthType) (string, error)
BuildFWICredsContent generates the Fleet WI credentials content in a JSON string.
func CreateOrUpdate ¶
func CreateOrUpdate(ctx context.Context, c client.Client, obj client.Object, f controllerutil.MutateFn) (controllerutil.OperationResult, error)
CreateOrUpdate creates or updates the given object in the Kubernetes cluster. The object's desired state must be reconciled with the existing state inside the passed-in callback MutateFn.
The MutateFn is called regardless of creating or updating an object.
Returns the executed operation and an error.
Similar to controllerutil.CreateOrUpdate, except it returns ObjectOperationError when possible, with added context for error handling.
func EnableAskpassSidecar ¶
func EnableAskpassSidecar(sourceType configsync.SourceType, auth configsync.AuthType) bool
EnableAskpassSidecar indicates whether the gcenode-askpass-sidecar container is enabled.
func GetSecretKeys ¶
GetSecretKeys returns the keys that are contained in the Secret.
func ManagedByLabel ¶
ManagedByLabel is a uniform label that is applied to all resources which are managed by reconciler-manager.
func ManagedObjectLabelMap ¶
func ManagedObjectLabelMap(syncKind string, rsRef types.NamespacedName) map[string]string
ManagedObjectLabelMap returns the standard labels applied to objects related to a RootSync/RepoSync that are created by reconciler-manager.
func PollingPeriod ¶
PollingPeriod parses the polling duration from the environment variable. If the variable is not present, it returns the default value.
func ReconcilerContainerLogLevelDefaults ¶
func ReconcilerContainerLogLevelDefaults() map[string]v1beta1.ContainerLogLevelOverride
ReconcilerContainerLogLevelDefaults are the default log levels to use for the reconciler deployment containers. All containers default to 0, except git-sync and otel-agent, which default to 5.
func ReconcilerContainerResourceDefaults ¶
func ReconcilerContainerResourceDefaults() map[string]v1beta1.ContainerResourcesSpec
ReconcilerContainerResourceDefaults are the default resources to use for the reconciler deployment containers. These defaults should be high enough to work for most users out of the box, with a moderately high number of resource objects (e.g. 1k).
func ReconcilerContainerResourceDefaultsForAutopilot ¶
func ReconcilerContainerResourceDefaultsForAutopilot() map[string]v1beta1.ContainerResourcesSpec
ReconcilerContainerResourceDefaultsForAutopilot are the default resources to use on GKE Autopilot clusters for the reconciler deployment. On Autopilot, limits are set to requests and bursting is not allowed, so requests need to be high enough to work for most users out of the box, with a moderately high number of resource objects (e.g. 1k).
func ReconcilerResourceName ¶
ReconcilerResourceName returns resource name in the format <reconciler-name>-<resource-name>.
func SkipForAuth ¶
func SkipForAuth(auth configsync.AuthType) bool
SkipForAuth returns true if the passed auth is one of 'none', 'gcenode', 'gcpserviceaccount', or 'k8sserviceaccount'.
Types ¶
type CRDController ¶
type CRDController struct {
// contains filtered or unexported fields
}
CRDController keeps track of CRDReconcileFuncs and calls them when the CRD changes. Only one reconciler is allowed per GroupKind.
func (*CRDController) DeleteReconciler ¶
func (s *CRDController) DeleteReconciler(gk schema.GroupKind)
DeleteReconciler removes the reconciler for the specified CRD.
func (*CRDController) Reconcile ¶
func (s *CRDController) Reconcile(ctx context.Context, gk schema.GroupKind, crd *apiextensionsv1.CustomResourceDefinition) error
Reconcile calls the CRDReconcileFunc registered for this CRD by GroupKind.
func (*CRDController) SetReconciler ¶
func (s *CRDController) SetReconciler(gk schema.GroupKind, crdHandler CRDReconcileFunc)
SetReconciler sets the reconciler for the specified CRD. The reconciler will be called when the CRD becomes established. If the reconciler errors, it will be retried with backoff until success. A new reconciler will replace any old reconciler set with the same GroupKind.
type CRDMetaController ¶
type CRDMetaController struct {
*LoggingController
// contains filtered or unexported fields
}
CRDMetaController watches CRDs and delegates reconciliation to a CRDControllerManager.
func NewCRDMetaController ¶
func NewCRDMetaController( delegate *CRDController, cache cache.Cache, mapper utilwatch.ResettableRESTMapper, log logr.Logger, ) *CRDMetaController
NewCRDMetaController constructs a new CRDMetaController.
func (*CRDMetaController) Reconcile ¶
func (r *CRDMetaController) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)
Reconcile checks if the CRD exists and delegates to the CRDController to reconcile the update.
Reconcile also handles auto-discovery and auto-invalidation of custom resources by calling Reset on the RESTMapper, as needed.
func (*CRDMetaController) Register ¶
func (r *CRDMetaController) Register(mgr controllerruntime.Manager) error
Register the CRDMetaController with the ReconcilerManager.
type CRDReconcileFunc ¶
type CRDReconcileFunc func(context.Context, *apiextensionsv1.CustomResourceDefinition) error
CRDReconcileFunc is called by the CRDMetaController to handle CRD updates.
type Controller ¶
type Controller interface {
reconcile.Reconciler
// Register the controller with the controller-manager.
// Register may be called before or after the controller-manager is started.
Register(mgr controllerruntime.Manager, watchFleetMembership bool) error
}
Controller implements Reconciler, but can also self-register with SetupWithManager
type LoggingController ¶
type LoggingController struct {
// contains filtered or unexported fields
}
LoggingController is a parent class for a controller that logs. The logger can be stored in the context with contextual values.
Use lc.logger(ctx) to retrieve the logger. Use ctx = lc.setLoggerValues(ctx, key, value) to add key/value pairs.
func NewLoggingController ¶
func NewLoggingController(log logr.Logger) *LoggingController
NewLoggingController constructs a new LoggingController
func (*LoggingController) Logger ¶
func (lc *LoggingController) Logger(ctx context.Context) logr.Logger
Logger returns a logr.Logger, either from the context or from reconcilerBase.log.
func (*LoggingController) SetLoggerValues ¶
func (lc *LoggingController) SetLoggerValues(ctx context.Context, keysAndValues ...interface{}) context.Context
SetLoggerValues sets key/value pairs on the logger stored in the context. If not initially present, the default logger is added to the context. See logr.Logger.WithValues for more details about how values work.
type NoRetryError ¶
type NoRetryError struct {
Cause error
}
NoRetryError is an error that should not immediately trigger a reconcile retry.
func NewNoRetryError ¶
func NewNoRetryError(cause error) *NoRetryError
NewNoRetryError constructs a new NoRetryError
func (*NoRetryError) Unwrap ¶
func (n *NoRetryError) Unwrap() error
Unwrap returns the cause of this NoRetryError
type ObjectOperationError ¶
type ObjectOperationError struct {
// ID of the managed object
ID core.ID
// Operation attempted on the managed object
Operation Operation
// Cause of the operation failure
Cause error
}
ObjectOperationError is an error from the reconciler-manager regarding failure to perform an operation on a managed Kubernetes resource or resource object.
func NewObjectOperationError ¶
func NewObjectOperationError(err error, obj client.Object, op Operation) *ObjectOperationError
NewObjectOperationError constructs a new ObjectOperationError
func NewObjectOperationErrorForList ¶
func NewObjectOperationErrorForList(err error, objList client.ObjectList, op Operation) *ObjectOperationError
NewObjectOperationErrorForList constructs a new ObjectOperationError for a list of objects with the same resource.
func NewObjectOperationErrorForListWithNamespace ¶
func NewObjectOperationErrorForListWithNamespace(err error, objList client.ObjectList, op Operation, namespace string) *ObjectOperationError
NewObjectOperationErrorForListWithNamespace constructs a new ObjectOperationError for a list of objects with the same resource and namespace.
func NewObjectOperationErrorWithID ¶
func NewObjectOperationErrorWithID(err error, id core.ID, op Operation) *ObjectOperationError
NewObjectOperationErrorWithID constructs a new ObjectOperationError with a specific ID.
func NewObjectOperationErrorWithKey ¶
func NewObjectOperationErrorWithKey(err error, obj client.Object, op Operation, objKey client.ObjectKey) *ObjectOperationError
NewObjectOperationErrorWithKey constructs a new ObjectOperationError and overrides the Object's key with the specified ObjectKey. This is useful if you don't know whether the Object's key will be populated.
func (*ObjectOperationError) Error ¶
func (ooe *ObjectOperationError) Error() string
Error returns the error string
func (*ObjectOperationError) Unwrap ¶
func (ooe *ObjectOperationError) Unwrap() error
Unwrap returns the cause of the error, to allow type checking with errors.Is and errors.As.
type ObjectReconcileError ¶
type ObjectReconcileError struct {
// ID of the managed object
ID core.ID
// Status of the managed object
Status kstatus.Status
// Cause of the operation failure
Cause error
}
ObjectReconcileError is an error from the status of a managed resource object
func NewObjectReconcileError ¶
func NewObjectReconcileError(err error, obj client.Object, status kstatus.Status) *ObjectReconcileError
NewObjectReconcileError constructs a new ObjectReconcileError
func NewObjectReconcileErrorWithID ¶
func NewObjectReconcileErrorWithID(err error, id core.ID, status kstatus.Status) *ObjectReconcileError
NewObjectReconcileErrorWithID constructs a new ObjectReconcileError with the specified ID.
func (*ObjectReconcileError) Error ¶
func (oripe *ObjectReconcileError) Error() string
Error returns the error string
func (*ObjectReconcileError) Unwrap ¶
func (oripe *ObjectReconcileError) Unwrap() error
Unwrap returns the cause of the error, to allow type checking with errors.Is and errors.As.
type OtelReconciler ¶
type OtelReconciler struct {
// contains filtered or unexported fields
}
OtelReconciler reconciles OpenTelemetry ConfigMaps.
func NewOtelReconciler ¶
func NewOtelReconciler(client client.Client, log logr.Logger, credentialProvider auth.CredentialProvider) *OtelReconciler
NewOtelReconciler returns a new OtelReconciler.
func (*OtelReconciler) Reconcile ¶
func (r *OtelReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)
Reconcile the otel ConfigMap and update the Deployment annotation.
func (*OtelReconciler) Register ¶
func (r *OtelReconciler) Register(mgr controllerruntime.Manager) error
Register otel controller with reconciler-manager.
type OtelSAReconciler ¶
type OtelSAReconciler struct {
// contains filtered or unexported fields
}
OtelSAReconciler reconciles the default service account under the config-management-monitoring namespace.
func NewOtelSAReconciler ¶
func NewOtelSAReconciler(clusterName string, client client.Client, log logr.Logger) *OtelSAReconciler
NewOtelSAReconciler returns a new OtelSAReconciler.
func (*OtelSAReconciler) Reconcile ¶
func (r *OtelSAReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)
Reconcile reconciles the default service account under the config-management-monitoring namespace and updates the Deployment annotation. This triggers the `otel-collector` Deployment to restart in the event of an annotation update.
func (*OtelSAReconciler) Register ¶
func (r *OtelSAReconciler) Register(mgr controllerruntime.Manager) error
Register otel Service Account controller with reconciler-manager.
type RepoSyncReconciler ¶
type RepoSyncReconciler struct {
// contains filtered or unexported fields
}
RepoSyncReconciler reconciles a RepoSync object.
func NewRepoSyncReconciler ¶
func NewRepoSyncReconciler(clusterName string, reconcilerPollingPeriod, hydrationPollingPeriod time.Duration, client client.Client, watcher client.WithWatch, dynamicClient dynamic.Interface, log logr.Logger, scheme *runtime.Scheme) *RepoSyncReconciler
NewRepoSyncReconciler returns a new RepoSyncReconciler.
func (*RepoSyncReconciler) Reconcile ¶
func (r *RepoSyncReconciler) Reconcile(ctx context.Context, req controllerruntime.Request) (controllerruntime.Result, error)
Reconcile the RepoSync resource.
func (*RepoSyncReconciler) Register ¶
func (r *RepoSyncReconciler) Register(mgr controllerruntime.Manager, watchFleetMembership bool) error
Register RepoSync controller with reconciler-manager.
type RootSyncReconciler ¶
type RootSyncReconciler struct {
// contains filtered or unexported fields
}
RootSyncReconciler reconciles a RootSync object
func NewRootSyncReconciler ¶
func NewRootSyncReconciler(clusterName string, reconcilerPollingPeriod, hydrationPollingPeriod time.Duration, client client.Client, watcher client.WithWatch, dynamicClient dynamic.Interface, log logr.Logger, scheme *runtime.Scheme) *RootSyncReconciler
NewRootSyncReconciler returns a new RootSyncReconciler.
func (*RootSyncReconciler) Reconcile ¶
func (r *RootSyncReconciler) Reconcile(ctx context.Context, req controllerruntime.Request) (controllerruntime.Result, error)
Reconcile the RootSync resource.
func (*RootSyncReconciler) Register ¶
func (r *RootSyncReconciler) Register(mgr controllerruntime.Manager, watchFleetMembership bool) error
Register RootSync controller with reconciler-manager.
Source Files
- build_names.go
- constants.go
- controller.go
- crd_controller.go
- create_or_update.go
- errors.go
- garbage_collector.go
- gcenode_askpass_sidecar.go
- gitsync_env.go
- hash.go
- helm_value_files.go
- jsonpath.go
- logging_controller.go
- otel_base_controller.go
- otel_controller.go
- otel_sa_controller.go
- parse.go
- permissions.go
- reconciler_base.go
- reconciler_container_log_level.go
- reconciler_container_resources.go
- reconciler_finalizer_handler.go
- reposync_controller.go
- rootsync_controller.go
- secret.go
- util.go
- validate_secret.go
- volumes.go