constants

package v0.23.0

This package is not in the latest version of its module.

Published: May 18, 2026 License: AGPL-3.0 Imports: 2 Imported by: 0

Constants

const (
	EnvNameSSHAuthSock   = "SSH_AUTH_SOCK"
	EnvNameSSHKnownHosts = "SSH_KNOWN_HOSTS"

	EnvNameAWSAccessKey            = "AWS_ACCESS_KEY_ID"
	EnvNameAWSSecretKey            = "AWS_SECRET_ACCESS_KEY"
	EnvNameAWSSessionToken         = "AWS_SESSION_TOKEN"
	EnvNameAWSRegion               = "AWS_REGION"
	EnvNameAWSB64EcodedCredentials = "AWS_B64ENCODED_CREDENTIALS"

	EnvNameHCloudToken   = "HCLOUD_TOKEN"
	EnvNameRobotUser     = "ROBOT_USER"
	EnvNameRobotPassword = "ROBOT_PASSWORD"

	EnvNameKubeconfig = "KUBECONFIG"
)

Environment variable names.

const (
	FlagNameDebug = "debug"

	FlagNameKubeAidVersion = "kubeaid-version"

	FlagNameManagementClusterName             = "management-cluster-name"
	FlagNameManagementClusterNameDefaultValue = "kubeaid-bootstrapper"

	FlagNameConfigsDirectory             = "configs-directory"
	FlagNameConfigsDirectoryDefaultValue = "outputs/configs"

	FlagNameSkipMonitoringSetup = "skip-monitoring-setup"
	FlagNameSkipPRWorkflow      = "skip-pr-workflow"
	FlagNameSkipClusterctlMove  = "skip-clusterctl-move"

	FlagNameAWSAccessKeyID     = "aws-access-key-id"
	FlagNameAWSSecretAccessKey = "aws-secret-access-key"
	FlagNameAWSSessionToken    = "aws-session-token"
	FlagNameAWSRegion          = "aws-region"
	FlagNameAMIID              = "ami-id"

	FlagNameAzureClientSecret = "azure-client-secret"
	FlagNameNewImageOffer     = "new-image-offer"

	FlagNameHetznerAPIToken      = "hetzner-cloud-api-token"
	FlagNameHetznerRobotUsername = "hetzner-robot-username"
	FlagNameHetznerRobotPassword = "hetzner-robot-password"
	FlagNameNewImageName         = "new-image-name"
	FlagNameNewImagePath         = "new-image-path"

	FlagNameNewK8sVersion = "new-k8s-version"

	FlagNameOSSize      = "os-size"
	FlagNameZFSPoolSize = "zfs-pool-size"
)

CLI flags.

const (
	KubeAPIServerFlagAuditPolicyFile = "audit-policy-file"
	KubeAPIServerFlagAuditLogPath    = "audit-log-path"

	// AuthenticationConfiguration delivery (k8s 1.30+). The OIDC
	// block in cluster.apiServer.oidc is rendered into this YAML
	// file and kube-apiserver is pointed at it via the
	// --authentication-config flag. The legacy --oidc-* flags are
	// no longer emitted.
	KubeAPIServerFlagAuthenticationConfig = "authentication-config"
	KubeAPIServerAuthenticationConfigPath = "/etc/kubernetes/auth-config.yaml"

	// Obmondo's central Keycloak for SRE access. Trust is added
	// to customer kube-apiservers as a SECOND jwt: entry in the
	// AuthenticationConfiguration when obmondo.monitoring is on,
	// so Obmondo SRE users can kubectl into a customer cluster
	// without the customer issuing them an account in their own
	// Keycloak. One-way: customer's Keycloak is unaware of
	// Obmondo's, no IdP federation.
	ObmondoKeycloakIssuerURL = "https://keycloak.obmondo.com/realms/obmondo"
)

Kube API server CLI flags.
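
A worked example, added here and not part of kubeaid-cli, of what the AuthenticationConfiguration described in the comments above looks like once both the customer's Keycloak and Obmondo's are trusted. It copies the three constants it needs so it runs stand-alone, mirrors only the apiserver.config.k8s.io/v1 fields it sets, and writes JSON (valid YAML, and the standard library has no YAML encoder). The customer issuer URL, the audiences, the claim names and the "obmondo:" prefix are assumptions made for the demonstration. The check it adds is the caveat a second jwt: entry brings with it: every issuer must map usernames and groups under a prefix no other issuer uses, otherwise an identity at Obmondo's Keycloak whose email claim equals a customer user's email becomes the same Kubernetes subject.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Constants from this package, copied so the example runs stand-alone.
const (
	KubeAPIServerFlagAuthenticationConfig = "authentication-config"
	KubeAPIServerAuthenticationConfigPath = "/etc/kubernetes/auth-config.yaml"
	ObmondoKeycloakIssuerURL              = "https://keycloak.obmondo.com/realms/obmondo"
)

// Minimal mirror of apiserver.config.k8s.io/v1 AuthenticationConfiguration:
// only the fields this example sets.
type AuthenticationConfiguration struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	JWT        []JWTAuthenticator `json:"jwt"`
}

type JWTAuthenticator struct {
	Issuer        Issuer        `json:"issuer"`
	ClaimMappings ClaimMappings `json:"claimMappings"`
}

type Issuer struct {
	URL       string   `json:"url"`
	Audiences []string `json:"audiences"`
}

type ClaimMappings struct {
	Username PrefixedClaim `json:"username"`
	Groups   PrefixedClaim `json:"groups"`
}

// Prefix is a pointer because the API distinguishes "unset" (rejected when
// claim is set) from an explicit empty prefix.
type PrefixedClaim struct {
	Claim  string  `json:"claim"`
	Prefix *string `json:"prefix,omitempty"`
}

func strPtr(s string) *string { return &s }

// NewAuthConfig renders the customer's Keycloak as the first jwt: entry and,
// when obmondoMonitoring is true, Obmondo's Keycloak as the second one.
// Claim names, audiences and the "obmondo:" prefix are assumptions.
func NewAuthConfig(customerIssuer, customerAudience string, obmondoMonitoring bool) AuthenticationConfiguration {
	cfg := AuthenticationConfiguration{
		APIVersion: "apiserver.config.k8s.io/v1",
		Kind:       "AuthenticationConfiguration",
		JWT: []JWTAuthenticator{{
			Issuer: Issuer{URL: customerIssuer, Audiences: []string{customerAudience}},
			ClaimMappings: ClaimMappings{
				Username: PrefixedClaim{Claim: "email", Prefix: strPtr("")},
				Groups:   PrefixedClaim{Claim: "groups", Prefix: strPtr("")},
			},
		}},
	}
	if obmondoMonitoring {
		cfg.JWT = append(cfg.JWT, JWTAuthenticator{
			Issuer: Issuer{URL: ObmondoKeycloakIssuerURL, Audiences: []string{"kubeaid-sre"}},
			ClaimMappings: ClaimMappings{
				Username: PrefixedClaim{Claim: "email", Prefix: strPtr("obmondo:")},
				Groups:   PrefixedClaim{Claim: "groups", Prefix: strPtr("obmondo:")},
			},
		})
	}
	return cfg
}

// Validate enforces what kube-apiserver does not: every issuer must set its
// prefixes explicitly, and no two issuers may map usernames or groups under
// the same prefix, so subjects from the two Keycloaks can never collide.
func Validate(cfg AuthenticationConfiguration) error {
	userPrefix := map[string]string{}
	groupPrefix := map[string]string{}
	for _, j := range cfg.JWT {
		u, g := j.ClaimMappings.Username.Prefix, j.ClaimMappings.Groups.Prefix
		if u == nil || g == nil {
			return fmt.Errorf("issuer %s: username/groups prefix must be set explicitly", j.Issuer.URL)
		}
		if other, dup := userPrefix[*u]; dup {
			return fmt.Errorf("issuers %s and %s share username prefix %q", other, j.Issuer.URL, *u)
		}
		if other, dup := groupPrefix[*g]; dup {
			return fmt.Errorf("issuers %s and %s share groups prefix %q", other, j.Issuer.URL, *g)
		}
		userPrefix[*u], groupPrefix[*g] = j.Issuer.URL, j.Issuer.URL
	}
	return nil
}

// Render returns the file body and the kube-apiserver flag that points at it.
func Render(cfg AuthenticationConfiguration) (string, string, error) {
	if err := Validate(cfg); err != nil {
		return "", "", err
	}
	body, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return "", "", err
	}
	flag := fmt.Sprintf("--%s=%s", KubeAPIServerFlagAuthenticationConfig, KubeAPIServerAuthenticationConfigPath)
	return string(body), flag, nil
}

func main() {
	// Constructed customer issuer for the demo.
	cfg := NewAuthConfig("https://keycloak.customer.example/realms/k8s", "kubernetes", true)
	body, flag, err := Render(cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(flag)
	fmt.Println(body)
}
```

The prefix rule is the part worth keeping even if the rest is thrown away: with two issuers and an empty prefix on both, the apiserver accepts the file and the two identity spaces silently merge.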

const (
	CloudProviderAWS       = "aws"
	CloudProviderHetzner   = "hetzner"
	CloudProviderAzure     = "azure"
	CloudProviderBareMetal = "bare-metal"
	CloudProviderLocal     = "local"
)

Cloud providers.

const (
	DiskTypeHDD  = "HDD"
	DiskTypeSSD  = "SSD"
	DiskTypeNVMe = "NVMe"

	DiskTypeUnknown = "Unknown"
)

Disk types.

const (
	ZFSPoolDefaultSize = (ZFSVolumeSizeContainerImages + ZFSVolumeSizePodLogs + ZFSVolumeSizePodEphemeralVolumes) + 20 // = 220 GB.

	ZFSVolumeSizeContainerImages     = 100
	ZFSVolumeSizePodLogs             = 50
	ZFSVolumeSizePodEphemeralVolumes = 50
)

ZFS.

const (
	ReleaseNameArgoCD = "argocd"

	ArgoCDProjectKubeAid   = "kubeaid"
	ArgoCDRoleKubeAidAgent = "kubeaid-agent"

	// Apps.
	ArgoCDAppArgoCD             = "argocd"
	ArgoCDAppRoot               = "root"
	ArgoCDAppSealedSecrets      = "sealed-secrets"
	ArgoCDAppCapiCluster        = "capi-cluster"
	ArgoCDAppHetznerRobot       = "hetzner-robot"
	ArgoCDAppClusterAutoscaler  = "cluster-autoscaler"
	ArgoCDAppVelero             = "velero"
	ArgoCDAppKubePrometheus     = "kube-prometheus"
	ArgoCDExternalSnapshotter   = "external-snapshotter"
	ArgoCDAppCilium             = "cilium"
	ArgoCDAppAzureDiskCSIDriver = "azuredisk-csi-driver"
	ArgoCDAppHCloudCSIDriver    = "hcloud-csi-driver"
	ArgoCDAppRookCeph           = "rook-ceph"
	ArgoCDAppLocalPVProvisioner = "localpv-provisioner"
	ArgoCDAppCCMHCloud          = "ccm-hcloud"
	ArgoCDAppCCMHetzner         = "ccm-hetzner"
	ArgoCDAppTraefik            = "traefik"

	ArgoCDProjectRolePolicyFmt = "p, proj:%s:%s, %s, %s, %s/*, %s" // Inputs: project-name, role-name, resource, action, project-name, effect
	ArgoCDLabelKeyManagedBy    = "kubeaid.io/managed-by"

	ArgoCDRBACEffectAllow = "allow"
	ArgoCDRBACEffectDeny  = "deny"

	ArgoCDProjectRoleSecretName = "argocd-project-role-kubeaid-agent"
)

ArgoCD.
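
An added example (mine, not kubeaid-cli code) of how ArgoCDProjectRolePolicyFmt is filled in and, more usefully, of how ArgoCD evaluates the lines it produces: a matching deny wins over any allow, and with no matching line a project role gets nothing. The constants are copied in so the block runs stand-alone. The set of actions granted to the kubeaid-agent role, and the glob matcher (path.Match, which is narrower than the glob library ArgoCD uses), are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constants from this package, copied so the example runs stand-alone.
const (
	ArgoCDProjectKubeAid       = "kubeaid"
	ArgoCDRoleKubeAidAgent     = "kubeaid-agent"
	ArgoCDProjectRolePolicyFmt = "p, proj:%s:%s, %s, %s, %s/*, %s" // Inputs: project-name, role-name, resource, action, project-name, effect
	ArgoCDRBACEffectAllow      = "allow"
	ArgoCDRBACEffectDeny       = "deny"
)

// PolicyLine renders one project-role policy line, scoped to the project's own apps.
func PolicyLine(project, role, resource, action, effect string) string {
	return fmt.Sprintf(ArgoCDProjectRolePolicyFmt, project, role, resource, action, project, effect)
}

// Rule is a parsed policy line.
type Rule struct {
	Subject, Resource, Action, Object, Effect string
}

// ParsePolicy parses lines in the format above and rejects anything malformed,
// including unknown effects, so a typo cannot silently become "no rule".
func ParsePolicy(lines []string) ([]Rule, error) {
	var rules []Rule
	for _, line := range lines {
		f := strings.Split(line, ",")
		if len(f) != 6 {
			return nil, fmt.Errorf("malformed policy line %q", line)
		}
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		if f[0] != "p" {
			return nil, fmt.Errorf("not a policy line %q", line)
		}
		if f[5] != ArgoCDRBACEffectAllow && f[5] != ArgoCDRBACEffectDeny {
			return nil, fmt.Errorf("unknown effect %q in %q", f[5], line)
		}
		rules = append(rules, Rule{f[1], f[2], f[3], f[4], f[5]})
	}
	return rules, nil
}

// Allowed mirrors ArgoCD's casbin model: any matching deny overrides allows,
// and without a matching allow the answer is no. object is "<project>/<app>".
func Allowed(rules []Rule, subject, resource, action, object string) bool {
	allowed := false
	for _, r := range rules {
		if r.Subject != subject || !match(r.Resource, resource) || !match(r.Action, action) || !match(r.Object, object) {
			continue
		}
		if r.Effect == ArgoCDRBACEffectDeny {
			return false
		}
		allowed = true
	}
	return allowed
}

// match is a simplified glob: "*" matches everything, otherwise path.Match
// semantics (ArgoCD's own matcher is more permissive; assumption for the demo).
func match(pattern, s string) bool {
	if pattern == "*" {
		return true
	}
	ok, err := path.Match(pattern, s)
	return err == nil && ok
}

// KubeAidAgentPolicy is an assumed least-privilege policy for the agent role:
// read and sync applications in the kubeaid project, never delete or override them.
func KubeAidAgentPolicy() []string {
	return []string{
		PolicyLine(ArgoCDProjectKubeAid, ArgoCDRoleKubeAidAgent, "applications", "get", ArgoCDRBACEffectAllow),
		PolicyLine(ArgoCDProjectKubeAid, ArgoCDRoleKubeAidAgent, "applications", "sync", ArgoCDRBACEffectAllow),
		PolicyLine(ArgoCDProjectKubeAid, ArgoCDRoleKubeAidAgent, "applications", "delete", ArgoCDRBACEffectDeny),
		PolicyLine(ArgoCDProjectKubeAid, ArgoCDRoleKubeAidAgent, "applications", "override", ArgoCDRBACEffectDeny),
	}
}

func main() {
	rules, err := ParsePolicy(KubeAidAgentPolicy())
	if err != nil {
		panic(err)
	}
	subject := fmt.Sprintf("proj:%s:%s", ArgoCDProjectKubeAid, ArgoCDRoleKubeAidAgent)
	for _, c := range []struct{ action, object string }{
		{"sync", "kubeaid/root"}, {"delete", "kubeaid/root"}, {"get", "other/root"},
	} {
		fmt.Printf("%s %s -> %v\n", c.action, c.object, Allowed(rules, subject, "applications", c.action, c.object))
	}
}
```

The explicit deny lines matter when a later edit adds a wildcard allow: the deny still wins, which is the property you want for a token that lives in a customer cluster.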

const (
	ReleaseNameSealedSecrets    = "sealed-secrets"
	SealedSecretsControllerName = ReleaseNameSealedSecrets + "-controller"

	CRONJobNameBackupSealedSecrets = "backup-sealed-secrets"
)

Sealed Secrets.

const (
	BlobContainerNameOIDCProvider = "oidc-provider"

	AzureBlobNameOpenIDConfiguration = ".well-known/openid-configuration"
	AzureBlobNameJWKSDocument        = "openid/v1/jwks"

	// Grants full access to manage all resources, but does not allow you to assign roles in Azure
	// RBAC, manage assignments in Azure Blueprints, or share image galleries.
	AzureRoleIDContributor = "b24988ac-6180-42a0-ab88-20f7382dd24c"
	// Provides full access to Azure Storage blob containers and data, including assigning POSIX
	// access control.
	AzureRoleIDStorageBlobDataOwner = "b7e6dc6d-f1e8-4753-8033-0f276bb0955b"

	AzureResponseStatusCodeResourceAlreadyExists = 409
)

Azure

const (
	HetznerModeBareMetal = "bare-metal"
	HetznerModeHCloud    = "hcloud"
	HetznerModeHybrid    = "hybrid"

	HetznerRobotWebServiceAPI = "https://robot-ws.your-server.de"

	HetznerNetworkCIDR       = "10.0.0.0/16"
	HCloudServersSubnetCIDR  = "10.0.0.0/24"
	HetznerVSwitchSubnetCIDR = "10.0.1.0/24"
	HetznerVSwitchGatewayIP  = "10.0.1.0"

	HCloudServerTypeCAX11 = "cax11"

	HCloudServerImageUbuntu2404 = "ubuntu-24.04"

	HCloudLocationHel1 = "hel1"
	HCloudLocationFsn1 = "fsn1"
	HCloudLocationNbg1 = "nbg1"
	HCloudLocationAsh  = "ash"

	HCloudLBTypeLB11 = "lb11"

	// Hetzner Bare Metal Server (HBMS) OS installation via Hetzner Robot (HRobot).
	HRobotResetTypeHardware = "hw"
	// Pinned to the latest Ubuntu LTS so that every new HBMS receives current security patches.
	// Bump this constant when a newer LTS becomes available in the HRobot catalogue.
	HBMSInstallDistributionLatestUbuntu = "Ubuntu 24.04 LTS base"
	HBMSOSInstallationPollInterval      = 20 * time.Second
	HBMSOSInstallationMaxWaitTime       = 12 * time.Minute
)

Hetzner

const (
	// Namespaces.
	NamespaceArgoCD        = "argocd"
	NamespaceObmondo       = "obmondo"
	NamespaceVelero        = "velero"
	NamespaceSealedSecrets = "sealed-secrets"
	NamespaceCrossPlane    = "crossplane"
	NamespaceCilium        = "cilium"
	NamespaceCiliumTest    = "cilium-test"
	NamespaceKeycloak      = "keycloakx"
	NamespaceCloudNativePG = "cnpg-operator"
	NamespaceNetBird       = "netbird"
	NamespaceTraefik       = "traefik"
	NamespaceKubeSystem    = "kube-system"

	// SecretNameCloudCredentials is the Secret the HCloud Cloud
	// Controller Manager, HCloud CSI driver, and Cluster Autoscaler
	// all read for their Hetzner API token. kubeaid-cli pre-creates it
	// directly on the main cluster during bootstrap so the CCM can
	// start before sealed-secrets-controller is up — see
	// pkg/core/hcloud_credentials.go for the chicken-and-egg this
	// breaks. The same SealedSecret is also rendered into
	// kubeaid-config so the cluster state remains declaratively
	// captured for DR.
	SecretNameCloudCredentials = "cloud-credentials"

	// keycloakx Service inside NamespaceKeycloak. kubeaid-cli
	// port-forwards to this Service during bootstrap to call the
	// admin API, mirroring the existing argocd-server pattern.
	ServiceNameKeycloakx = "keycloakx-http"
	ServicePortKeycloakx = 80

	// ArgoCDAppKeycloakx is the name of the keycloakx ArgoCD App
	// kubeaid-cli waits for Healthy before calling the admin API.
	ArgoCDAppKeycloakx = "keycloakx"

	// ArgoCDAppNetbird is the name of the netbird ArgoCD App.
	ArgoCDAppNetbird = "netbird"

	// ArgoCDAppCertManager is the name of the cert-manager ArgoCD App.
	ArgoCDAppCertManager = "cert-manager"

	// ArgoCDAppCloudNativePG is the name of the cloudnative-pg
	// (CNPG) ArgoCD App. It installs the operator + the
	// postgresql.cnpg.io/v1 Cluster/Pooler CRDs that keycloakx
	// (in managed mode, for keycloak-pgsql) and netbird (for
	// netbird-pgsql) both instantiate during their own sync, so
	// the bootstrap syncs it ahead of those apps.
	ArgoCDAppCloudNativePG = "cloudnative-pg"

	// Keycloak admin Secret keys. Names match what the keycloakx
	// chart's pre-install hook reads.
	SecretNameKeycloakAdmin   = "keycloak-admin"
	SecretKeyKeycloakUsername = "username"
	SecretKeyKeycloakPassword = "KEYCLOAK_PASSWORD"
	KeycloakAdminUsername     = "admin"

	// netbird Secret. Holds every plaintext credential the NetBird
	// Helm chart envFroms: the OIDC client ID/secret pair pointing
	// at the netbird-backend Keycloak client, the symmetric AES key
	// the Mgmt server uses to encrypt its datastore, the Relay
	// shared secret, and the static turn user/password Coturn and
	// Mgmt agree on. kubeaid-cli read-or-generates each random key
	// against the cluster-side Secret so re-runs don't drift.
	SecretNameNetBird             = "netbird"
	SecretKeyNetBirdIDPClientID   = "idpClientID"
	SecretKeyNetBirdIDPMgmtID     = "idpClientMgmtID"
	SecretKeyNetBirdIDPMgmtSecret = "idpClientMgmtSecret"
	SecretKeyNetBirdIDPSAUser     = "idpServiceAccountUser"
	SecretKeyNetBirdDatastoreKey  = "datastoreEncryptionKey"
	SecretKeyNetBirdRelayPassword = "relayPassword"
	SecretKeyNetBirdStunServer    = "stunServer"
	SecretKeyNetBirdTurnServer    = "turnServer"
	SecretKeyNetBirdTurnUser      = "turnServerUser"
	SecretKeyNetBirdTurnPassword  = "turnServerPassword"
	SecretKeyNetBirdPostgresDSN   = "postgresDSN"
	NetBirdClientID               = "netbird-client"
	NetBirdBackendClientID        = "netbird-backend"

	// netbird-turn-credentials Secret. Coturn server reads this for
	// its own TURN auth via existingSecret in the chart values; the
	// password must match SecretKeyNetBirdTurnPassword above so
	// Mgmt's hand-back to clients lines up with what Coturn actually
	// authenticates against.
	SecretNameNetBirdTurnCredentials = "netbird-turn-credentials"
	SecretKeyNetBirdTurnCredsUser    = "username"
	SecretKeyNetBirdTurnCredsPwd     = "password"

	// 32 bytes -> 256-bit AES key after base64 decode. Matches the
	// length of NetBird Mgmt's datastoreEncryptionKey field.
	NetBirdDatastoreKeyByteLen = 32

	// Service Accounts.
	ServiceAccountCAPZ          = "capz-manager"
	ServiceAccountASO           = "azureserviceoperator-default"
	ServiceAccountVelero        = "velero"
	ServiceAccountSealedSecrets = "sealed-secrets"
)
const (
	ClusterTypeManagement = "management"
	ClusterTypeMain       = "main"

	ClusterTypeVPN      = "vpn"
	ClusterTypeWorkload = "workload"

	// Keycloak modes for cluster.type=vpn clusters.
	//   managed:  kubeaid-cli installs Keycloak via the keycloakx
	//             chart on this cluster, generates the admin
	//             password, and runs the gocloak realm reconciler.
	//   external: operator's existing Keycloak; kubeaid-cli only
	//             configures kube-apiserver / NetBird Mgmt to trust
	//             it. The realm + clients must be set up by hand
	//             (see argocd-helm-charts/netbird/README.md, "Keycloak
	//             realm prerequisites") before bootstrap.
	KeycloakModeManaged  = "managed"
	KeycloakModeExternal = "external"
)

Cluster types.

const (
	RepoURLObmondoKubeAid = "https://github.com/Obmondo/KubeAid"

	// Public HTTPS URL for KubeAid — used by ArgoCD (read-only, no deploy key needed).
	KubeAidPublicHTTPSURL = "https://github.com/Obmondo/KubeAid.git"

	// GitHub API URL for listing KubeAid releases (used to pick latest-1).
	KubeAidReleasesAPIURL = "https://api.github.com/repos/Obmondo/KubeAid/releases"

	// Local docker image tag kubeaid-cli builds on first
	// buildKubePrometheus invocation. Holds the small jsonnet
	// toolchain (jsonnet, jb, gojsontoyaml) that runs build.sh
	// without requiring those binaries on the host. Tag is
	// stable; the image is built from the embedded Dockerfile in
	// pkg/core, so docker layer caching makes repeat builds free.
	KubePromBuilderImage = "kubeaid-cli/kube-prom-builder:latest"

	GzippedFilenameSuffix = ".gz"
)

Miscellaneous.

const (
	OneDay   = 24 * time.Hour
	OneMonth = 30 * OneDay
)

Time durations

const (
	CommitAuthorName  = "KubeAid CLI"
	CommitAuthorEmail = "info@obmondo.com"
)

Git related.

const (
	DockerSocketPath         = "/var/run/docker.sock"
	DockerDefaultNetworkName = "default"
)

Docker related.

const (
	K3sReleasesAPIURL = "https://api.github.com/repos/k3s-io/k3s/releases/latest"

	// CGroup v1 support has been dropped from K8s version v1.35.
	// REFER : https://www.sysdig.com/blog/kubernetes-1-35-whats-new#changes-in-kubernetes-135-that-may-break-things.
	MaxCGroupV1CompatibleK3sVersion = "v1.34.5-k3s1"
)

K3s related.

const (
	MinSupportedK8sVersion = "v1.30"
	//
	// Whatever is the latest K8s version, that becomes the max supported K8s version.
	// We get the latest K8s version from the K8s release API.
	K8sReleaseAPIURL = "https://dl.k8s.io/release/stable.txt"

	// URL pattern for fetching the latest patch of a specific minor version.
	// Use fmt.Sprintf with the minor version number, e.g. fmt.Sprintf(K8sStableMinorURLFmt, 34)
	// yields "https://dl.k8s.io/release/stable-1.34.txt".
	K8sStableMinorURLFmt = "https://dl.k8s.io/release/stable-1.%d.txt"

	// CGroup v1 support has been dropped from K8s version v1.35.
	// REFER : https://www.sysdig.com/blog/kubernetes-1-35-whats-new#changes-in-kubernetes-135-that-may-break-things.
	MaxCGroupV1CompatibleK8sVersion = "v1.34"

	// For the Bare Metal provider though, the story is a bit different.
	// We're using KubeOne v1.12. And you can see the K8s versions officially supported by KubeOne
	// here : https://docs.kubermatic.com/kubeone/v1.12/architecture/compatibility/supported-versions.
	// That range becomes the range of K8s version supported by KubeAid CLI.
	// NOTE : We need to update this range manually when upgrading KubeOne.
	MinKubeOneSupportedK8sVersion = "v1.32"
	MaxKubeOneSupportedK8sVersion = "v1.34"
)

K8s version related
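
An added example (not kubeaid-cli code) of the version gate these constants describe: the requested K8s version is checked against MinSupportedK8sVersion and the latest stable version that K8sReleaseAPIURL returns (a constructed string stands in for the fetch here), the KubeOne window replaces both bounds for the bare-metal provider, and a cgroup v1 host caps every provider at MaxCGroupV1CompatibleK8sVersion. Comparison is on major.minor only, matching how the constants are written. The constants and the provider name are copied from this page; the function names are mine.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constants from this package, copied so the example runs stand-alone.
const (
	CloudProviderBareMetal          = "bare-metal"
	MinSupportedK8sVersion          = "v1.30"
	MaxCGroupV1CompatibleK8sVersion = "v1.34"
	MinKubeOneSupportedK8sVersion   = "v1.32"
	MaxKubeOneSupportedK8sVersion   = "v1.34"
)

// parseMajorMinor accepts "v1.34", "v1.34.5" or "1.34" and returns (1, 34).
func parseMajorMinor(v string) (int, int, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("malformed Kubernetes version %q", v)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil || major < 0 {
		return 0, 0, fmt.Errorf("malformed Kubernetes version %q", v)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil || minor < 0 {
		return 0, 0, fmt.Errorf("malformed Kubernetes version %q", v)
	}
	return major, minor, nil
}

// compareMinor returns -1, 0 or 1 comparing a to b on major.minor only;
// the patch level is deliberately ignored.
func compareMinor(a, b string) (int, error) {
	am, an, err := parseMajorMinor(a)
	if err != nil {
		return 0, err
	}
	bm, bn, err := parseMajorMinor(b)
	if err != nil {
		return 0, err
	}
	switch {
	case am < bm || (am == bm && an < bn):
		return -1, nil
	case am > bm || (am == bm && an > bn):
		return 1, nil
	}
	return 0, nil
}

// SupportedRange returns the inclusive [lo, hi] window for a provider.
// latestStable is the body of https://dl.k8s.io/release/stable.txt (e.g.
// "v1.35.1"); bare-metal is bounded by the KubeOne window, and cgroupV1
// lowers the ceiling to the last cgroup v1 capable release.
func SupportedRange(provider, latestStable string, cgroupV1 bool) (string, string, error) {
	lo, hi := MinSupportedK8sVersion, latestStable
	if provider == CloudProviderBareMetal {
		lo = MinKubeOneSupportedK8sVersion
		c, err := compareMinor(MaxKubeOneSupportedK8sVersion, hi)
		if err != nil {
			return "", "", err
		}
		if c < 0 {
			hi = MaxKubeOneSupportedK8sVersion
		}
	}
	if cgroupV1 {
		c, err := compareMinor(MaxCGroupV1CompatibleK8sVersion, hi)
		if err != nil {
			return "", "", err
		}
		if c < 0 {
			hi = MaxCGroupV1CompatibleK8sVersion
		}
	}
	return lo, hi, nil
}

// CheckK8sVersion reports an error when requested falls outside the window.
func CheckK8sVersion(provider, requested, latestStable string, cgroupV1 bool) error {
	lo, hi, err := SupportedRange(provider, latestStable, cgroupV1)
	if err != nil {
		return err
	}
	if c, err := compareMinor(requested, lo); err != nil {
		return err
	} else if c < 0 {
		return fmt.Errorf("K8s %s is older than the minimum %s supported for %s", requested, lo, provider)
	}
	if c, err := compareMinor(requested, hi); err != nil {
		return err
	} else if c > 0 {
		return fmt.Errorf("K8s %s is newer than the maximum %s supported for %s", requested, hi, provider)
	}
	return nil
}

func main() {
	const stable = "v1.35.1" // constructed stand-in for the stable.txt fetch
	for _, c := range []struct {
		provider, version string
		cgroupV1          bool
	}{
		{"aws", "v1.33.2", false}, {"aws", "v1.35.0", true}, {"bare-metal", "v1.35.0", false},
	} {
		fmt.Printf("%s %s cgroupv1=%v -> %v\n", c.provider, c.version, c.cgroupV1, CheckK8sVersion(c.provider, c.version, stable, c.cgroupV1))
	}
}
```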

const (
	TemplateNameKubePrometheusArgoCDApp = "argocd-apps/templates/kube-prometheus.yaml.tmpl"
	TemplateNameKubePrometheusVars      = "cluster-vars.jsonnet.tmpl"
)

For KubePrometheus.

const CEPHNodeMinSize = 50 // GB.
const HighSpeedNICThreshold = 5000 // GBPS.
const KubeOneConfigTemlateName = "kubeone/kubeone-cluster.yaml.tmpl"
const OSDefaultSize = 50 // GB.
const PEMBlockTypeOpenSSHPrivateKey = "OPENSSH PRIVATE KEY"
const TempDirectory = "/tmp/kubeaid-core"
const TemplateNameK3DConfig = "templates/k3d.config.yaml.tmpl"
const TemplateNameStoragePlanExecutor = "templates/storage-plan-executor.sh.tmpl"

Variables

var (
	OutputsDirectory = "outputs"

	OutputLogsDirectory = path.Join(OutputsDirectory, "logs")

	OutputPathKnownHostsFile = path.Join(TempDirectory, "known_hosts")

	OutputPathManagementClusterK3DConfig = path.Join(OutputsDirectory, "k3d.config.yaml")

	OutputPathManagementClusterHostKubeconfig = path.Join(
		OutputsDirectory,
		"kubeconfigs/clusters/management/host.yaml",
	)
	OutputPathManagementClusterContainerKubeconfig = path.Join(
		OutputsDirectory,
		"kubeconfigs/clusters/management/container.yaml",
	)

	OutputPathMainClusterKubeconfig = path.Join(OutputsDirectory, "kubeconfigs/clusters/main.yaml")

	OutputPathJWKSDocument = path.Join(
		OutputsDirectory,
		"workload-identity/openid-provider/jwks.json",
	)
)

Output paths.

var (
	CommonNonSecretTemplateNames = []string{

		"kubeaid-bootstrap-script.general.yaml.tmpl",

		"argocd-apps/templates/argocd.yaml.tmpl",
		"argocd-apps/values-argocd.yaml.tmpl",

		"argocd-apps/Chart.yaml",
		"argocd-apps/templates/root.yaml.tmpl",

		"argocd-apps/templates/cert-manager.yaml.tmpl",
		"argocd-apps/values-cert-manager.yaml.tmpl",

		"argocd-apps/templates/sealed-secrets.yaml.tmpl",
		"argocd-apps/values-sealed-secrets.yaml.tmpl",
		"argocd-apps/templates/secrets.yaml.tmpl",
	}

	CommonSecretTemplateNames = []string{

		"sealed-secrets/argocd/repo-kubeaid-config.yaml.tmpl",
	}

	KubeaidDeployKeySecretTemplateName = "sealed-secrets/argocd/repo-kubeaid.yaml.tmpl"
)

Common template names.

var (
	AWSSpecificNonSecretTemplateNames = []string{

		"argocd-apps/templates/ccm-aws.yaml.tmpl",
		"argocd-apps/values-ccm-aws.yaml.tmpl",

		"argocd-apps/templates/cluster-autoscaler.yaml.tmpl",
		"argocd-apps/values-cluster-autoscaler.yaml.tmpl",

		"argocd-apps/templates/external-snapshotter.yaml.tmpl",
	}

	AWSSpecificSecretTemplateNames = []string{

		"sealed-secrets/capi-cluster/cloud-credentials.yaml.tmpl",
	}

	AWSDisasterRecoverySpecificNonSecretTemplateNames = []string{

		"argocd-apps/templates/kube2iam.yaml.tmpl",
		"argocd-apps/values-kube2iam.yaml.tmpl",

		"argocd-apps/templates/velero.yaml.tmpl",
		"argocd-apps/values-velero.yaml.tmpl",

		"argocd-apps/templates/k8s-configs.yaml.tmpl",
		"k8s-configs/sealed-secrets.namespace.yaml.tmpl",
		"k8s-configs/velero.namespace.yaml.tmpl",
	}
)

AWS specific template names.

var (
	TemplateNameOpenIDConfig = "templates/openid-configuration.json.tmpl"

	AzureSpecificNonSecretTemplateNames = []string{

		"argocd-apps/templates/crossplane.yaml.tmpl",
		"argocd-apps/values-crossplane.yaml.tmpl",
		"argocd-apps/templates/crossplane-providers-and-functions.yaml.tmpl",
		"argocd-apps/values-crossplane-providers-and-functions.yaml.tmpl",
		"argocd-apps/templates/crossplane-compositions.yaml.tmpl",
		"argocd-apps/values-crossplane-compositions.yaml.tmpl",
		"argocd-apps/templates/infrastructure.yaml.tmpl",
		"infrastructure/azure/workload-identity-infrastructure.yaml.tmpl",

		"argocd-apps/templates/ccm-azure.yaml.tmpl",
		"argocd-apps/values-ccm-azure.yaml.tmpl",

		"argocd-apps/templates/azuredisk-csi-driver.yaml.tmpl",
		"argocd-apps/values-azuredisk-csi-driver.yaml.tmpl",

		"argocd-apps/templates/azure-workload-identity-webhook.yaml.tmpl",
		"argocd-apps/values-azure-workload-identity-webhook.yaml.tmpl",

		"argocd-apps/templates/cluster-autoscaler.yaml.tmpl",
		"argocd-apps/values-cluster-autoscaler.yaml.tmpl",

		"argocd-apps/templates/external-snapshotter.yaml.tmpl",
	}

	AzureSpecificSecretTemplateNames = []string{

		"sealed-secrets/crossplane/azure-credentials.yaml.tmpl",

		"sealed-secrets/capi-cluster/service-account-issuer-keys.yaml.tmpl",
	}

	AzureDisasterRecoverySpecificNonSecretTemplateNames = []string{

		"infrastructure/azure/disaster-recovery-infrastructure.yaml.tmpl",

		"argocd-apps/templates/velero.yaml.tmpl",
		"argocd-apps/values-velero.yaml.tmpl",
	}

	AzureDisasterRecoverySpecificSecretTemplateNames = []string{

		"sealed-secrets/sealed-secrets/backup-sealed-secrets-pod-env.yaml.tmpl",
	}
)

Azure specific template names.

var (
	CommonHetznerSpecificSecretTemplateNames = []string{

		"sealed-secrets/kube-system/cloud-credentials.yaml.tmpl",

		"sealed-secrets/capi-cluster/cloud-credentials.yaml.tmpl",
	}

	HCloudSpecificNonSecretTemplateNames = []string{

		"argocd-apps/templates/ccm-hcloud.yaml.tmpl",
		"argocd-apps/values-ccm-hcloud.yaml.tmpl",

		"argocd-apps/templates/hcloud-csi-driver.yaml.tmpl",
		"argocd-apps/values-hcloud-csi-driver.yaml.tmpl",

		"argocd-apps/templates/cluster-autoscaler.yaml.tmpl",
		"argocd-apps/values-cluster-autoscaler.yaml.tmpl",
	}

	HetznerBareMetalSpecificNonSecretTemplateNames = []string{

		"argocd-apps/templates/ccm-hetzner.yaml.tmpl",
		"argocd-apps/values-ccm-hetzner.yaml.tmpl",

		"argocd-apps/templates/rook-ceph.yaml.tmpl",
		"argocd-apps/values-rook-ceph.yaml.tmpl",
	}

	HetznerBareMetalSpecificSecretTemplateNames = []string{

		"sealed-secrets/capi-cluster/hetzner-ssh-keypair.yaml.tmpl",
	}
)

Hetzner specific template names.

var (
	// For Teleport Kube Agent component.
	// NOTE : When we'll have support for provisioning gateway cluster running Netbird,
	//        Teleport will be removed. Kept in its own slice so it's gated
	//        independently of kubeaid-agent.
	TeleportKubeAgentNonSecretTemplateNames = []string{
		"argocd-apps/templates/teleport-kube-agent.yaml.tmpl",
		"argocd-apps/values-teleport-kube-agent.yaml.tmpl",
	}

	TeleportKubeAgentSecretTemplateNames = []string{
		"sealed-secrets/obmondo/teleport-kube-agent-join-token.yaml.tmpl",
	}

	// For KubeAid Agent. Included whenever obmondo.monitoring is true.
	KubeAidAgentNonSecretTemplateNames = []string{
		"argocd-apps/templates/kubeaid-agent.yaml.tmpl",
		"argocd-apps/values-kubeaid-agent.yaml.tmpl",
	}

	// mTLS client cert issued by Obmondo. The same cert+key pair is rendered
	// into two namespaces — obmondo for kubeaid-agent (Obmondo API auth) and
	// monitoring for kube-prometheus Alertmanager (pushing alerts to
	// Obmondo's alert-receiver). Included whenever obmondo.monitoring is true.
	ObmondoClientCertSecretTemplateNames = []string{
		"sealed-secrets/obmondo/obmondo-clientcert.yaml.tmpl",
		"sealed-secrets/monitoring/obmondo-clientcert.yaml.tmpl",
	}

	// Alertmanager's main config Secret, with the runtime alertmanager.yaml
	// routing alerts to Obmondo's alert receiver. Included whenever
	// obmondo.monitoring is true.
	AlertmanagerMainSecretTemplateName = "sealed-secrets/monitoring/alertmanager-main.yaml.tmpl"
)

Obmondo customer specific template names.

var (
	TemplateNameAWSGeneralConfig = "templates/aws/general.config.yaml.tmpl"
	TemplateNameAWSSecretsConfig = "templates/aws/secrets.config.yaml.tmpl"

	TemplateNameAzureGeneralConfig = "templates/azure/general.config.yaml.tmpl"
	TemplateNameAzureSecretsConfig = "templates/azure/secrets.config.yaml.tmpl"

	TemplateNameHetznerHCloudGeneralConfig = "templates/hetzner/hcloud/general.config.yaml.tmpl"
	TemplateNameHetznerHCloudSecretsConfig = "templates/hetzner/hcloud/secrets.config.yaml.tmpl"

	TemplateNameHetznerBareMetalGeneralConfig = "templates/hetzner/bare-metal/general.config.yaml.tmpl"
	TemplateNameHetznerBareMetalSecretsConfig = "templates/hetzner/bare-metal/secrets.config.yaml.tmpl"

	TemplateNameHetznerHybridGeneralConfig = "templates/hetzner/hybrid/general.config.yaml.tmpl"
	TemplateNameHetznerHybridSecretsConfig = "templates/hetzner/hybrid/secrets.config.yaml.tmpl"

	TemplateNameBareMetalGeneralConfig = "templates/bare-metal/general.config.yaml.tmpl"
	TemplateNameBareMetalSecretsConfig = "templates/bare-metal/secrets.config.yaml.tmpl"

	TemplateNameLocalGeneralConfig = "templates/local/general.config.yaml.tmpl"
	TemplateNameLocalSecretsConfig = "templates/local/secrets.config.yaml.tmpl"
)

Config template names.

var BareMetalSpecificNonSecretTemplateNames = []string{

	KubeOneConfigTemlateName,

	"argocd-apps/templates/cilium.yaml.tmpl",
	"argocd-apps/values-cilium.yaml.tmpl",

	"argocd-apps/templates/localpv-provisioner.yaml.tmpl",
	"argocd-apps/values-localpv-provisioner.yaml.tmpl",
}
var CloudNativePGTemplateNames = []string{
	"argocd-apps/templates/cloudnative-pg.yaml.tmpl",
	"argocd-apps/values-cloudnative-pg.yaml.tmpl",
}

CloudNativePG operator. Provides the Cluster CRD that the keycloakx chart (when managed Keycloak is enabled) and the netbird chart both instantiate — for keycloak-pgsql and netbird-pgsql respectively.

var (
	CommonCloudSpecificNonSecretTemplateNames = []string{

		"argocd-apps/templates/cilium.yaml.tmpl",
		"argocd-apps/values-cilium.yaml.tmpl",

		"argocd-apps/templates/cluster-api-operator.yaml.tmpl",
		"argocd-apps/values-cluster-api-operator.yaml.tmpl",
		"argocd-apps/templates/capi-cluster.yaml.tmpl",
		"argocd-apps/values-capi-cluster.yaml.tmpl",
	}
)

Common template names (for clusters being provisioned in any of the supported cloud providers).

HCloudARMLocations lists HCloud datacenters that stock ARM (cax-series) servers, in the order kubeaid-cli should try when placing the NAT gateway. Hetzner's ARM stock fluctuates per datacenter; placement returns resource_unavailable when the chosen DC is briefly out — fall through to the next.

var KeycloakManagedNonSecretTemplateNames = []string{
	"argocd-apps/templates/keycloakx.yaml.tmpl",
	"argocd-apps/values-keycloakx.yaml.tmpl",
}

Managed-Keycloak template names. Included only when cluster.type=vpn AND cluster.keycloak.mode=managed — kubeaid-cli installs Keycloak via the keycloakx Helm chart on this cluster. Backed by CNPG Postgres; ingress exposes cluster.keycloak.dns publicly so kubelogin and end-users can reach the realm endpoints. Sync-order 20.

var KeycloakManagedSecretTemplateNames = []string{
	"sealed-secrets/keycloakx/keycloak-admin.yaml.tmpl",
}

Managed-Keycloak SealedSecrets — only when kubeaid-cli installs Keycloak itself. Seeds Keycloak's initial admin password (consumed by the keycloakx chart's pre-install hook).

var KubernetesKubePrometheusVersionCompatibilityMatrix = map[string][]string{
	"v1.32": {"v0.16.0"},
	"v1.33": {"v0.16.0", "v0.17.0"},
	"v1.34": {"v0.16.0", "v0.17.0"},
	"v1.35": {"v0.17.0"},
}

Kubernetes -> KubePrometheus compatibility matrix. This makes it easy to select a default KubePrometheus version for a given K8s version. REFER : https://github.com/prometheus-operator/kube-prometheus?tab=readme-ov-file#compatibility.

var NetBirdNonSecretTemplateNames = []string{
	"argocd-apps/templates/netbird.yaml.tmpl",
	"argocd-apps/values-netbird.yaml.tmpl",
}

NetBird Mgmt + Signal + Relay + Dashboard + Coturn — the full VPN mesh stack. Sync-order 25 keeps it after cnpg (so the netbird-pgsql Cluster CR the chart's kubeaid-addons subdep instantiates can land), traefik (so its ingressClassName resolves), and keycloakx when managed (so the realm + OIDC clients the post-sync gocloak reconcile creates exist before NetBird Mgmt does its first OIDC handshake).

var NetBirdOperatorTemplateNames = []string{
	"argocd-apps/templates/netbird-operator.yaml.tmpl",
	"argocd-apps/values-netbird-operator.yaml.tmpl",
}

NetBird Kubernetes Operator. Rendered on workload clusters that opted into Keycloak login (cluster.type=workload AND cluster.keycloak set) so the cluster has the operator + CRDs available for operator-applied NBSetupKey / NBPolicy resources. Values overlay is intentionally empty — wiring (managementURL, API key) is the operator's responsibility post-bootstrap. Sync-order 10 — early, so the CRDs land before any operator-applied NB* resource.

var NetBirdSecretTemplateNames = []string{
	"sealed-secrets/netbird/netbird.yaml.tmpl",
	"sealed-secrets/netbird/netbird-turn-credentials.yaml.tmpl",
}

VPN-cluster NetBird SealedSecrets — both modes.

  • netbird: holds every credential the NetBird Helm chart's envFromSecret block references — OIDC client IDs/secret, datastoreEncryptionKey, relayPassword, stun/turn server URLs, turn user/password. kubeaid-cli pre-generates the random keys and read-or-generates them on re-runs so the same value stays put across bootstraps. The OIDC client secret is the same plaintext ReconcileNetBird passes to Keycloak when managed, or read from secrets.yaml when external (operator supplies the value out-of-band).
  • netbird-turn-credentials: Coturn server reads this for its own TURN auth. Password matches the netbird Secret's turnServerPassword so Mgmt's hand-back to clients lines up.
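
The read-or-generate behaviour described for the netbird Secret just above, and earlier in the SecretNameNetBird comment, as an added example that is not kubeaid-cli's implementation: the existing Secret data decides whether a value is reused, fresh values come from crypto/rand, and a present-but-malformed datastore key is an error rather than being regenerated, because a silently rotated datastoreEncryptionKey leaves NetBird Mgmt unable to read its own store. The second function checks the cross-Secret invariant from the netbird-turn-credentials comment. The Secret data is a constructed map in the shape client-go returns (values already decoded from the object's base64 .data); the relay and TURN password lengths are assumptions, the page fixes only the datastore key length.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constants from this package, copied so the example runs stand-alone.
const (
	SecretKeyNetBirdDatastoreKey  = "datastoreEncryptionKey"
	SecretKeyNetBirdRelayPassword = "relayPassword"
	SecretKeyNetBirdTurnPassword  = "turnServerPassword"
	SecretKeyNetBirdTurnCredsPwd  = "password"
	NetBirdDatastoreKeyByteLen    = 32
	passwordByteLen               = 24 // assumption for the demo
)

// SecretData is a Secret's data as client-go exposes it: values already decoded
// from the object's base64 .data field. The datastore key stored here is itself
// base64 text that NetBird decodes into 32 raw AES-256 key bytes.
type SecretData map[string][]byte

// ReadOrGenerate returns the value under key, generating byteLen random bytes
// (std base64) only when the key is absent; generated reports which path ran.
// An existing value that is not base64 of exactly byteLen bytes is an error:
// replacing it would rotate a key something may already depend on.
func ReadOrGenerate(data SecretData, key string, byteLen int) (string, bool, error) {
	if v, ok := data[key]; ok {
		raw, err := base64.StdEncoding.DecodeString(string(v))
		if err != nil {
			return "", false, fmt.Errorf("%s: existing value is not base64: %w", key, err)
		}
		if len(raw) != byteLen {
			return "", false, fmt.Errorf("%s: existing value decodes to %d bytes, want %d", key, len(raw), byteLen)
		}
		return string(v), false, nil
	}
	raw := make([]byte, byteLen)
	if _, err := rand.Read(raw); err != nil { // crypto/rand, never math/rand, for key material
		return "", false, err
	}
	value := base64.StdEncoding.EncodeToString(raw)
	data[key] = []byte(value)
	return value, true, nil
}

// ReconcileNetBirdSecret fills in every random key the netbird Secret needs and
// reports which ones were newly generated; a second run returns an empty list.
func ReconcileNetBirdSecret(data SecretData) ([]string, error) {
	var fresh []string
	for _, k := range []struct {
		key string
		n   int
	}{
		{SecretKeyNetBirdDatastoreKey, NetBirdDatastoreKeyByteLen},
		{SecretKeyNetBirdRelayPassword, passwordByteLen},
		{SecretKeyNetBirdTurnPassword, passwordByteLen},
	} {
		_, generated, err := ReadOrGenerate(data, k.key, k.n)
		if err != nil {
			return nil, err
		}
		if generated {
			fresh = append(fresh, k.key)
		}
	}
	return fresh, nil
}

// CheckTurnPasswordsMatch verifies the invariant between the two Secrets:
// Coturn authenticates against netbird-turn-credentials/password, Mgmt hands
// clients netbird/turnServerPassword, and the two must be byte-identical.
func CheckTurnPasswordsMatch(netbird, turn SecretData) error {
	a, ok := netbird[SecretKeyNetBirdTurnPassword]
	if !ok {
		return fmt.Errorf("netbird Secret is missing %s", SecretKeyNetBirdTurnPassword)
	}
	b, ok := turn[SecretKeyNetBirdTurnCredsPwd]
	if !ok {
		return fmt.Errorf("netbird-turn-credentials Secret is missing %s", SecretKeyNetBirdTurnCredsPwd)
	}
	if !bytes.Equal(a, b) {
		return fmt.Errorf("TURN password drift: Mgmt hands out a password Coturn will not accept")
	}
	return nil
}

func main() {
	netbird := SecretData{} // constructed: first bootstrap, the Secret does not exist yet
	fresh, err := ReconcileNetBirdSecret(netbird)
	fmt.Println("first run generated:", fresh, err)
	fresh, err = ReconcileNetBirdSecret(netbird)
	fmt.Println("re-run generated:", fresh, err)
	turn := SecretData{SecretKeyNetBirdTurnCredsPwd: netbird[SecretKeyNetBirdTurnPassword]}
	fmt.Println("turn passwords match:", CheckTurnPasswordsMatch(netbird, turn) == nil)
}
```

Failing closed on a malformed existing key is the deliberate choice here: a bootstrap that "fixes" the key by regenerating it looks successful and loses the datastore.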
var TraefikTemplateNames = []string{
	"argocd-apps/templates/traefik.yaml.tmpl",
	"argocd-apps/values-traefik.yaml.tmpl",
}

Traefik. The ingress controller in front of NetBird Mgmt (and Keycloak when managed); cert-manager's http01 solver also targets its ingressClassName (see values-cert-manager.yaml.tmpl). Sync-order 15 keeps it ahead of any chart that creates Ingress objects.

Functions

This section is empty.

Types

This section is empty.
