metadata

package
v1.25.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 8, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

// Index names, credential-role identifiers, label and annotation keys, and
// label values shared across the package. Every literal below is an
// identifier string; none of them is credential material.
const (
	// Names of the owning-cluster indexes. IndexNameForCredentialType is
	// documented as falling back to OwningClusterIndex for the legacy
	// empty-string credential type; the other three names share the
	// "owning-cluster-" prefix followed by a CredentialType* value.
	OwningClusterIndex                 = "owning-cluster"
	OwningClusterDatastoreURIIndex     = "owning-cluster-datastore-uri"
	OwningClusterPresharedKeyIndex     = "owning-cluster-preshared-key"
	OwningClusterMigrationSecretsIndex = "owning-cluster-migration-secrets"

	// CredentialType* are the internal credential-role identifiers. They are
	// used to derive per-role label keys and index names; they are not stored
	// directly on Kubernetes objects.
	//
	// The gosec suppressions on these lines silence the linter's
	// hardcoded-credential heuristic (presumably G101), which reacts to words
	// such as "key" and "secret" in the identifier. The values are role names,
	// so nothing sensitive is embedded in the binary.
	CredentialTypeDatastoreURI     = "datastore-uri"     // nolint: gosec
	CredentialTypePresharedKey     = "preshared-key"     // nolint: gosec
	CredentialTypeMigrationSecrets = "migration-secrets" // nolint: gosec

	// Per-role label keys. A secret carries exactly the keys for the roles it
	// serves. Key presence (not value) is what the index functions check, so a
	// shared secret can carry all applicable keys simultaneously.
	//
	// Because the value is ignored, setting a key to a value such as "false"
	// does not take a secret out of that role's index; only removing the key
	// does.
	// NOTE(review): index membership therefore follows whoever may set labels
	// on a Secret, together with the owning-cluster key. Confirm that RBAC on
	// Secret metadata matches that trust assumption.
	CredentialTypeDatastoreURILabelKey     = "authzed.com/credential-type-datastore-uri"     // nolint: gosec
	CredentialTypePresharedKeyLabelKey     = "authzed.com/credential-type-preshared-key"     // nolint: gosec
	CredentialTypeMigrationSecretsLabelKey = "authzed.com/credential-type-migration-secrets" // nolint: gosec

	// Operator ownership and component labels. OperatorManagedLabelKey and
	// OperatorManagedLabelValue form the "authzed.com/managed-by=operator"
	// selector used by ManagedDependentSelector. FieldManager is the field
	// manager name placed in ApplyForceOwned and PatchForceOwned.
	// NOTE(review): the remaining keys and values are presumably applied to
	// the objects the operator creates; their call sites are not shown here.
	OperatorManagedLabelKey         = "authzed.com/managed-by"
	OperatorManagedLabelValue       = "operator"
	OwnerLabelKey                   = "authzed.com/cluster"
	OwnerAnnotationKeyPrefix        = "authzed.com.cluster-owner/"
	ComponentLabelKey               = "authzed.com/cluster-component"
	ComponentSpiceDBLabelValue      = "spicedb"
	ComponentMigrationJobLabelValue = "migration-job"
	ComponentServiceAccountLabel    = "spicedb-serviceaccount"
	ComponentRoleLabel              = "spicedb-role"
	ComponentServiceLabel           = "spicedb-service"
	ComponentRoleBindingLabel       = "spicedb-rolebinding"
	ComponentPDBLabel               = "spicedb-pdb"
	SpiceDBMigrationRequirementsKey = "authzed.com/spicedb-migration"
	SpiceDBTargetMigrationKey       = "authzed.com/spicedb-target-migration"
	// The suppression below is for the word "secret" in the name and value;
	// the literal is a metadata key, not a secret.
	SpiceDBSecretRequirementsKey    = "authzed.com/spicedb-secret" // nolint: gosec
	SpiceDBConfigKey                = "authzed.com/spicedb-configuration"
	FieldManager                    = "spicedb-operator"

	// Kubernetes recommended common label keys (app.kubernetes.io/*).
	KubernetesNameLabelKey      = "app.kubernetes.io/name"
	KubernetesInstanceLabelKey  = "app.kubernetes.io/instance"
	KubernetesComponentLabelKey = "app.kubernetes.io/component"
	KubernetesVersionLabelKey   = "app.kubernetes.io/version"
)
// PausedControllerSelectorKey is the "authzed.com/controller-paused" key.
// NOTE(review): presumably a label key used to select objects whose
// reconciliation is paused; its use is not shown here, so confirm against the
// callers. If so, permission to set this key on an object is permission to
// stop the operator from reconciling it.
const PausedControllerSelectorKey = "authzed.com/controller-paused"

Variables

// Shared request options and selectors built once at package initialisation.
var (
	// ApplyForceOwned are server-side apply options that name FieldManager
	// ("spicedb-operator") as the field manager and set Force. With Force set,
	// an apply that conflicts with fields owned by another manager takes those
	// fields over instead of failing with a conflict, so use it only on
	// objects the operator is meant to own outright.
	ApplyForceOwned          = metav1.ApplyOptions{FieldManager: FieldManager, Force: true}
	// PatchForceOwned is the PatchOptions counterpart of ApplyForceOwned.
	// Force is a *bool in PatchOptions, hence ptr.To(true). The same ownership
	// takeover applies when it is used with an apply patch.
	PatchForceOwned          = metav1.PatchOptions{FieldManager: FieldManager, Force: ptr.To(true)}
	// ManagedDependentSelector matches objects labelled
	// "authzed.com/managed-by=operator", built from OperatorManagedLabelKey
	// and OperatorManagedLabelValue.
	// NOTE(review): MustParseSelector presumably panics on a malformed
	// selector, per the Must naming convention; its body is not shown here.
	// The label is ordinary object metadata, so matching it shows only that
	// the label is present, not that the operator created the object.
	ManagedDependentSelector = MustParseSelector(fmt.Sprintf("%s=%s", OperatorManagedLabelKey, OperatorManagedLabelValue))
)

Functions

func GVRMetaNamespaceKeyFunc

func GVRMetaNamespaceKeyFunc(gvr schema.GroupVersionResource, obj interface{}) (string, error)

func GVRMetaNamespaceKeyer

func GVRMetaNamespaceKeyer(gvr schema.GroupVersionResource, key string) string

func GetClusterKeyFromMeta added in v0.3.0

func GetClusterKeyFromMeta(in any) ([]string, error)

func GetClusterKeyFromMetaForType added in v1.25.0

func GetClusterKeyFromMetaForType(credentialType string) cache.IndexFunc

GetClusterKeyFromMetaForType returns a cache.IndexFunc that indexes objects by owning cluster, but only for objects that carry the per-role label key for the given credential type. Key presence (not value) is checked, so a single secret can carry multiple role labels and appear in multiple indexes without any handler treating another role's secret as stale. Because the value is ignored, setting the label to a value such as "false" does not remove an object from the index; only deleting the label key does.

func IndexNameForCredentialType added in v1.25.0

func IndexNameForCredentialType(credType string) string

IndexNameForCredentialType maps a credential type to its dedicated index name. The empty string (legacy SecretRef) falls back to OwningClusterIndex.

func LabelKeyForCredentialType added in v1.25.0

func LabelKeyForCredentialType(credType string) string

LabelKeyForCredentialType returns the per-role label key for the given credential type, or "" for unknown types (including the legacy empty-string SecretRef type).

func LabelsForComponent

func LabelsForComponent(owner, component string) map[string]string

func MustParseSelector

func MustParseSelector(selector string) labels.Selector

func SelectorForComponent

func SelectorForComponent(owner, component string) labels.Selector

func SplitGVRMetaNamespaceKey

func SplitGVRMetaNamespaceKey(key string) (gvr *schema.GroupVersionResource, namespace, name string, err error)

Types

This section is empty.
