kubernetes

package
v0.1.27 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 7, 2026 License: MIT Imports: 46 Imported by: 0

README

Kubernetes Resource Type Metadata

This package contains per-resource-type metadata used by ConfigHub's Kubernetes functions. When adding support for new CRDs or custom resource types, update the relevant files described below.

Files to update

public/configkit/k8skit/immutable_fields.go

Maps resource types to field paths that cannot be changed after creation (require delete + recreate). Sources of truth for immutability:

  • Built-in K8s types: pkg/apis/*/validation/validation.go in the Kubernetes source
  • ACK CRDs: is_immutable: true in generator.yaml, or x-kubernetes-validations rules with self == oldSelf
  • Other CRDs: look for "immutable", "cannot be updated", or "cannot be changed" in CRD field descriptions, and for immutability checks in controller reconciliation code

public/configkit/k8skit/merge_keys.go

Maps resource types to strategic merge patch keys for array fields. These determine how list items are matched during merges (e.g., containers matched by name). Sources:

  • Built-in K8s types: x-kubernetes-patch-merge-key in the Kubernetes OpenAPI/Swagger spec, or patchMergeKey struct tags in Go types
  • CRDs: x-kubernetes-list-map-keys and x-kubernetes-list-type: map in the CRD schema

Pod-spec merge keys shared across workloads are in PodSpecMergeKeyFields; per-type prefixes are in WorkloadMergeKeyFields.

reference_fields.go

Maps resource types to fields that reference other Kubernetes resources. This enables cross-resource dependency tracking. The Target field uses group/version/Kind format.

  • ACK CRDs: references follow the spec.<field>Ref.from.name pattern (single) or spec.<field>Refs.*.from.name (list)
  • Other CRDs: look for fields named *Ref, *SecretName, *ServiceAccountName, *ConfigMapRef, etc.

public/configkit/k8skit/cluster_resource_types.go

Lists cluster-scoped (non-namespaced) resource types. Check the scope field in a CRD's spec. Most CRDs are Namespaced; only add types here if scope: Cluster.

Resource type format

All resource types use group/version/Kind format throughout:

v1/Pod                                    # core API (no group)
apps/v1/Deployment                        # grouped API
eks.services.k8s.aws/v1alpha1/Cluster     # CRD

Adding a new controller's types

  1. Read the CRD YAML files and controller source code
  2. Check the scope field for cluster-scoped types (scope: Cluster) and add them to cluster_resource_types.go
  3. Search for immutability markers and add to public/configkit/k8skit/immutable_fields.go
  4. Check for strategic merge keys and add to public/configkit/k8skit/merge_keys.go
  5. Identify cross-resource reference fields and add to reference_fields.go
  6. Run make build-funcexec && make test-public to verify

Documentation

Constants

const (
	// AnnotationGenerateKubecontext must be set to "allow" on the ServiceAccount
	// for the function to issue a token.
	AnnotationGenerateKubecontext = "confighub.com/generate-kubecontext"

	// AnnotationAccessTTL controls the token lifetime.
	AnnotationAccessTTL = "confighub.com/access-ttl"

	// AnnotationAccessMaxTTL caps user-requested TTL overrides.
	AnnotationAccessMaxTTL = "confighub.com/access-max-ttl"

	// AnnotationKubernetesAPIEndpoint is the external API server endpoint to use in the
	// generated kubeconfig. Required, since the function will not be able to determine it
	// itself from inside the cluster.
	AnnotationKubernetesAPIEndpoint = "confighub.com/kubernetes-api-endpoint"
)
const AttributeNameAnnotationValue = api.AttributeName("annotation-value")
const AttributeNameLabelValue = api.AttributeName("label-value")
const AttributeNameNamespaceNameReference = api.AttributeName("namespace-name-reference")

Variables

var CRDReferenceFields = map[api.ResourceType][]PathReference{

	api.ResourceType("argoproj.io/v1alpha1/Application"): {
		{Path: "spec.project", Target: "argoproj.io/v1alpha1/AppProject"},
	},

	api.ResourceType("argoproj.io/v1alpha1/Rollout"): {
		{Path: "spec.strategy.blueGreen.activeService", Target: "v1/Service"},
		{Path: "spec.strategy.blueGreen.previewService", Target: "v1/Service"},
		{Path: "spec.strategy.canary.canaryService", Target: "v1/Service"},
		{Path: "spec.strategy.canary.stableService", Target: "v1/Service"},
		{Path: "spec.strategy.canary.pingPongService", Target: "v1/Service"},
		{Path: "spec.strategy.canary.trafficRouting.istio.virtualService.name", Target: "networking.istio.io/v1/VirtualService"},
		{Path: "spec.strategy.canary.trafficRouting.istio.destinationRule.name", Target: "networking.istio.io/v1/DestinationRule"},
	},

	api.ResourceType("cert-manager.io/v1/Certificate"): {

		{Path: "spec.issuerRef.name", Target: "cert-manager.io/v1/Issuer"},
		{Path: "spec.secretName", Target: "v1/Secret"},
	},
	api.ResourceType("cert-manager.io/v1/Issuer"): {
		{Path: "spec.ca.secretName", Target: "v1/Secret"},
		{Path: "spec.acme.solvers.*.http01.ingress.podTemplate.spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.vault.auth.kubernetes.serviceAccountRef.name", Target: "v1/ServiceAccount"},
		{Path: "spec.vault.auth.clientCertificate.secretName", Target: "v1/Secret"},
	},
	api.ResourceType("cert-manager.io/v1/ClusterIssuer"): {
		{Path: "spec.ca.secretName", Target: "v1/Secret"},
		{Path: "spec.acme.solvers.*.http01.ingress.podTemplate.spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.vault.auth.kubernetes.serviceAccountRef.name", Target: "v1/ServiceAccount"},
		{Path: "spec.vault.auth.clientCertificate.secretName", Target: "v1/Secret"},
	},

	api.ResourceType("kustomize.toolkit.fluxcd.io/v1/Kustomization"): {
		{Path: "spec.sourceRef.name", Target: "source.toolkit.fluxcd.io/v1/GitRepository"},
		{Path: "spec.decryption.secretRef.name", Target: "v1/Secret"},
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.kubeConfig.secretRef.name", Target: "v1/Secret"},
	},

	api.ResourceType("helm.toolkit.fluxcd.io/v2/HelmRelease"): {

		{Path: "spec.chart.spec.sourceRef.name", Target: "source.toolkit.fluxcd.io/v1/HelmRepository"},

		{Path: "spec.chartRef.name", Target: "source.toolkit.fluxcd.io/v1/HelmChart"},
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.kubeConfig.secretRef.name", Target: "v1/Secret"},
		{Path: "spec.valuesFrom.*.name", Target: "v1/ConfigMap"},
	},

	api.ResourceType("source.toolkit.fluxcd.io/v1/GitRepository"): {
		{Path: "spec.secretRef.name", Target: "v1/Secret"},
	},
	api.ResourceType("source.toolkit.fluxcd.io/v1/HelmRepository"): {
		{Path: "spec.secretRef.name", Target: "v1/Secret"},
	},
	api.ResourceType("source.toolkit.fluxcd.io/v1/HelmChart"): {
		{Path: "spec.sourceRef.name", Target: "source.toolkit.fluxcd.io/v1/HelmRepository"},
		{Path: "spec.valuesFiles.*.name", Target: "v1/ConfigMap"},
	},
	api.ResourceType("source.toolkit.fluxcd.io/v1beta2/OCIRepository"): {
		{Path: "spec.secretRef.name", Target: "v1/Secret"},
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.certSecretRef.name", Target: "v1/Secret"},
	},
	api.ResourceType("source.toolkit.fluxcd.io/v1beta2/Bucket"): {
		{Path: "spec.secretRef.name", Target: "v1/Secret"},
	},

	api.ResourceType("notification.toolkit.fluxcd.io/v1beta3/Provider"): {
		{Path: "spec.secretRef.name", Target: "v1/Secret"},
		{Path: "spec.certSecretRef.name", Target: "v1/Secret"},
	},
	api.ResourceType("notification.toolkit.fluxcd.io/v1beta3/Alert"): {
		{Path: "spec.providerRef.name", Target: "notification.toolkit.fluxcd.io/v1beta3/Provider"},
	},

	api.ResourceType("image.toolkit.fluxcd.io/v1beta2/ImageRepository"): {
		{Path: "spec.secretRef.name", Target: "v1/Secret"},
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.certSecretRef.name", Target: "v1/Secret"},
	},
	api.ResourceType("image.toolkit.fluxcd.io/v1beta2/ImagePolicy"): {
		{Path: "spec.imageRepositoryRef.name", Target: "image.toolkit.fluxcd.io/v1beta2/ImageRepository"},
	},
	api.ResourceType("image.toolkit.fluxcd.io/v1beta2/ImageUpdateAutomation"): {
		{Path: "spec.sourceRef.name", Target: "source.toolkit.fluxcd.io/v1/GitRepository"},
	},

	api.ResourceType("external-secrets.io/v1beta1/ExternalSecret"): {

		{Path: "spec.secretStoreRef.name", Target: "external-secrets.io/v1beta1/SecretStore"},
		{Path: "spec.target.name", Target: "v1/Secret"},
		{Path: "spec.data.*.sourceRef.storeRef.name", Target: "external-secrets.io/v1beta1/SecretStore"},
		{Path: "spec.dataFrom.*.sourceRef.storeRef.name", Target: "external-secrets.io/v1beta1/SecretStore"},
		{Path: "spec.target.template.templateFrom.*.configMap.name", Target: "v1/ConfigMap"},
		{Path: "spec.target.template.templateFrom.*.secret.name", Target: "v1/Secret"},
	},
	api.ResourceType("external-secrets.io/v1beta1/SecretStore"): {
		{Path: "spec.provider.kubernetes.auth.serviceAccount.name", Target: "v1/ServiceAccount"},
	},
	api.ResourceType("external-secrets.io/v1beta1/ClusterSecretStore"): {
		{Path: "spec.provider.kubernetes.auth.serviceAccount.name", Target: "v1/ServiceAccount"},
	},

	api.ResourceType("networking.istio.io/v1/VirtualService"): {
		{Path: "spec.http.*.route.*.destination.host", Target: "v1/Service"},
		{Path: "spec.http.*.mirror.host", Target: "v1/Service"},
		{Path: "spec.http.*.mirrors.*.destination.host", Target: "v1/Service"},
		{Path: "spec.tcp.*.route.*.destination.host", Target: "v1/Service"},
		{Path: "spec.tls.*.route.*.destination.host", Target: "v1/Service"},
	},
	api.ResourceType("networking.istio.io/v1/DestinationRule"): {
		{Path: "spec.host", Target: "v1/Service"},
	},
	api.ResourceType("networking.istio.io/v1/Gateway"): {
		{Path: "spec.servers.*.tls.credentialName", Target: "v1/Secret"},
	},

	api.ResourceType("gateway.networking.k8s.io/v1/Gateway"): {
		{Path: "spec.gatewayClassName", Target: "gateway.networking.k8s.io/v1/GatewayClass"},
		{Path: "spec.listeners.*.tls.certificateRefs.*.name", Target: "v1/Secret"},
	},
	api.ResourceType("gateway.networking.k8s.io/v1/HTTPRoute"): {
		{Path: "spec.rules.*.backendRefs.*.name", Target: "v1/Service"},
		{Path: "spec.rules.*.filters.*.requestMirror.backendRef.name", Target: "v1/Service"},
	},
	api.ResourceType("gateway.networking.k8s.io/v1/GRPCRoute"): {
		{Path: "spec.rules.*.backendRefs.*.name", Target: "v1/Service"},
	},
	api.ResourceType("gateway.networking.k8s.io/v1alpha2/TCPRoute"): {
		{Path: "spec.rules.*.backendRefs.*.name", Target: "v1/Service"},
	},
	api.ResourceType("gateway.networking.k8s.io/v1alpha2/UDPRoute"): {
		{Path: "spec.rules.*.backendRefs.*.name", Target: "v1/Service"},
	},

	api.ResourceType("traefik.io/v1alpha1/IngressRoute"): {
		{Path: "spec.tls.secretName", Target: "v1/Secret"},
		{Path: "spec.routes.*.services.*.name", Target: "v1/Service"},
		{Path: "spec.routes.*.middlewares.*.name", Target: "traefik.io/v1alpha1/Middleware"},
	},
	api.ResourceType("traefik.io/v1alpha1/IngressRouteTCP"): {
		{Path: "spec.tls.secretName", Target: "v1/Secret"},
		{Path: "spec.routes.*.services.*.name", Target: "v1/Service"},
	},
	api.ResourceType("traefik.io/v1alpha1/IngressRouteUDP"): {
		{Path: "spec.routes.*.services.*.name", Target: "v1/Service"},
	},

	api.ResourceType("projectcontour.io/v1/HTTPProxy"): {
		{Path: "spec.virtualhost.tls.secretName", Target: "v1/Secret"},
		{Path: "spec.routes.*.services.*.name", Target: "v1/Service"},
		{Path: "spec.includes.*.name", Target: "projectcontour.io/v1/HTTPProxy"},
	},
	api.ResourceType("projectcontour.io/v1/TLSCertificateDelegation"): {
		{Path: "spec.delegations.*.secretName", Target: "v1/Secret"},
	},

	api.ResourceType("monitoring.coreos.com/v1/Prometheus"): {
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.serviceName", Target: "v1/Service"},
		{Path: "spec.alerting.alertmanagers.*.name", Target: "v1/Service"},
	},
	api.ResourceType("monitoring.coreos.com/v1/Alertmanager"): {
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
		{Path: "spec.configSecret", Target: "v1/Secret"},
	},

	api.ResourceType("apiextensions.crossplane.io/v1/Composition"): {
		{Path: "spec.compositeTypeRef.kind", Target: "apiextensions.crossplane.io/v1/CompositeResourceDefinition"},
	},
	api.ResourceType("pkg.crossplane.io/v1/Provider"): {
		{Path: "spec.runtimeConfigRef.name", Target: "pkg.crossplane.io/v1beta1/DeploymentRuntimeConfig"},
	},

	api.ResourceType("argoproj.io/v1alpha1/CronWorkflow"): {
		{Path: "spec.workflowSpec.serviceAccountName", Target: "v1/ServiceAccount"},
	},
	api.ResourceType("argoproj.io/v1alpha1/Workflow"): {
		{Path: "spec.serviceAccountName", Target: "v1/ServiceAccount"},
	},

	api.ResourceType("argoproj.io/v1alpha1/ApplicationSet"): {
		{Path: "spec.generators.*.plugin.configMapRef.name", Target: "v1/ConfigMap"},
		{Path: "spec.generators.*.matrix.generators.*.plugin.configMapRef.name", Target: "v1/ConfigMap"},
		{Path: "spec.generators.*.merge.generators.*.plugin.configMapRef.name", Target: "v1/ConfigMap"},
	},

	api.ResourceType("ec2.services.k8s.aws/v1alpha1/DHCPOptions"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.vpcRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/InternetGateway"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.routeTableRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/RouteTable"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/NATGateway"): {
		{Path: "spec.subnetRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
		{Path: "spec.allocationRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/ElasticIPAddress"},
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/NetworkACL"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.subnetRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/RouteTable"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.routes.*.gatewayRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/InternetGateway"},
		{Path: "spec.routes.*.natGatewayRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/NATGateway"},
		{Path: "spec.routes.*.transitGatewayRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/TransitGateway"},
		{Path: "spec.routes.*.vpcEndpointRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPCEndpoint"},
		{Path: "spec.routes.*.vpcPeeringConnectionRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPCPeeringConnection"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/SecurityGroup"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.ingressRules.*.groupRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
		{Path: "spec.egressRules.*.groupRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/Subnet"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.routeTableRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/RouteTable"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/TransitGatewayVPCAttachment"): {
		{Path: "spec.transitGatewayRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/TransitGateway"},
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/VPCEndpoint"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
		{Path: "spec.securityGroupRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
		{Path: "spec.routeTableRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/RouteTable"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/VPCPeeringConnection"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
		{Path: "spec.peerVPCRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
	},
	api.ResourceType("ec2.services.k8s.aws/v1alpha1/Instance"): {
		{Path: "spec.subnetRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
		{Path: "spec.launchTemplate.launchTemplateRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/LaunchTemplate"},
	},

	api.ResourceType("eks.services.k8s.aws/v1alpha1/AccessEntry"): {
		{Path: "spec.clusterRef.from.name", Target: "eks.services.k8s.aws/v1alpha1/Cluster"},
	},
	api.ResourceType("eks.services.k8s.aws/v1alpha1/Addon"): {
		{Path: "spec.clusterRef.from.name", Target: "eks.services.k8s.aws/v1alpha1/Cluster"},
		{Path: "spec.serviceAccountRoleRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Role"},
	},
	api.ResourceType("eks.services.k8s.aws/v1alpha1/Cluster"): {
		{Path: "spec.roleRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Role"},
		{Path: "spec.resourcesVPCConfig.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
		{Path: "spec.resourcesVPCConfig.securityGroupRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
	},
	api.ResourceType("eks.services.k8s.aws/v1alpha1/FargateProfile"): {
		{Path: "spec.clusterRef.from.name", Target: "eks.services.k8s.aws/v1alpha1/Cluster"},
		{Path: "spec.podExecutionRoleRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Role"},
		{Path: "spec.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
	},
	api.ResourceType("eks.services.k8s.aws/v1alpha1/IdentityProviderConfig"): {
		{Path: "spec.clusterRef.from.name", Target: "eks.services.k8s.aws/v1alpha1/Cluster"},
	},
	api.ResourceType("eks.services.k8s.aws/v1alpha1/Nodegroup"): {
		{Path: "spec.clusterRef.from.name", Target: "eks.services.k8s.aws/v1alpha1/Cluster"},
		{Path: "spec.nodeRoleRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Role"},
		{Path: "spec.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
		{Path: "spec.remoteAccess.sourceSecurityGroupRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
	},
	api.ResourceType("eks.services.k8s.aws/v1alpha1/PodIdentityAssociation"): {
		{Path: "spec.clusterRef.from.name", Target: "eks.services.k8s.aws/v1alpha1/Cluster"},
		{Path: "spec.roleRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Role"},
	},

	api.ResourceType("elbv2.services.k8s.aws/v1alpha1/Listener"): {
		{Path: "spec.loadBalancerRef.from.name", Target: "elbv2.services.k8s.aws/v1alpha1/LoadBalancer"},
		{Path: "spec.defaultActions.*.targetGroupRef.from.name", Target: "elbv2.services.k8s.aws/v1alpha1/TargetGroup"},
		{Path: "spec.defaultActions.*.forwardConfig.targetGroups.*.targetGroupRef.from.name", Target: "elbv2.services.k8s.aws/v1alpha1/TargetGroup"},
	},
	api.ResourceType("elbv2.services.k8s.aws/v1alpha1/LoadBalancer"): {
		{Path: "spec.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
		{Path: "spec.securityGroupRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
	},
	api.ResourceType("elbv2.services.k8s.aws/v1alpha1/Rule"): {
		{Path: "spec.listenerRef.from.name", Target: "elbv2.services.k8s.aws/v1alpha1/Listener"},
		{Path: "spec.actions.*.targetGroupRef.from.name", Target: "elbv2.services.k8s.aws/v1alpha1/TargetGroup"},
		{Path: "spec.actions.*.forwardConfig.targetGroups.*.targetGroupRef.from.name", Target: "elbv2.services.k8s.aws/v1alpha1/TargetGroup"},
	},
	api.ResourceType("elbv2.services.k8s.aws/v1alpha1/TargetGroup"): {
		{Path: "spec.vpcRef.from.name", Target: "ec2.services.k8s.aws/v1alpha1/VPC"},
	},

	api.ResourceType("iam.services.k8s.aws/v1alpha1/InstanceProfile"): {
		{Path: "spec.roleRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Role"},
	},
	api.ResourceType("iam.services.k8s.aws/v1alpha1/Group"): {
		{Path: "spec.policyRefs.*.from.name", Target: "iam.services.k8s.aws/v1alpha1/Policy"},
	},
	api.ResourceType("iam.services.k8s.aws/v1alpha1/Role"): {
		{Path: "spec.policyRefs.*.from.name", Target: "iam.services.k8s.aws/v1alpha1/Policy"},
		{Path: "spec.permissionsBoundaryRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Policy"},
	},
	api.ResourceType("iam.services.k8s.aws/v1alpha1/User"): {
		{Path: "spec.policyRefs.*.from.name", Target: "iam.services.k8s.aws/v1alpha1/Policy"},
		{Path: "spec.permissionsBoundaryRef.from.name", Target: "iam.services.k8s.aws/v1alpha1/Policy"},
	},

	api.ResourceType("rds.services.k8s.aws/v1alpha1/DBCluster"): {
		{Path: "spec.dbClusterParameterGroupRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBClusterParameterGroup"},
		{Path: "spec.dbSubnetGroupRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBSubnetGroup"},
		{Path: "spec.vpcSecurityGroupRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
	},
	api.ResourceType("rds.services.k8s.aws/v1alpha1/DBClusterEndpoint"): {
		{Path: "spec.dbClusterIdentifierRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBCluster"},
	},
	api.ResourceType("rds.services.k8s.aws/v1alpha1/DBClusterSnapshot"): {
		{Path: "spec.dbClusterIdentifierRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBCluster"},
	},
	api.ResourceType("rds.services.k8s.aws/v1alpha1/DBInstance"): {
		{Path: "spec.dbParameterGroupRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBParameterGroup"},
		{Path: "spec.dbSubnetGroupRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBSubnetGroup"},
		{Path: "spec.vpcSecurityGroupRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/SecurityGroup"},
	},
	api.ResourceType("rds.services.k8s.aws/v1alpha1/DBSnapshot"): {
		{Path: "spec.dbInstanceIdentifierRef.from.name", Target: "rds.services.k8s.aws/v1alpha1/DBInstance"},
	},
	api.ResourceType("rds.services.k8s.aws/v1alpha1/DBSubnetGroup"): {
		{Path: "spec.subnetRefs.*.from.name", Target: "ec2.services.k8s.aws/v1alpha1/Subnet"},
	},
}

CRDReferenceFields maps resource types to their cross-resource reference fields. These extend the kustomize NameReferenceFieldSpecs with CRD-specific references.

Paths use gaby dot syntax: dot-separated, with * as the array wildcard. ResourceTypes use group/version/Kind format.

Only spec fields are included (not status). Deeply nested pod-spec references (env, envFrom, volumes, etc.) that follow the same pattern as built-in workloads are omitted since they are handled by the workload pod-spec traversal.
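How a table entry turns into concrete dependencies, as an added example that is not this package's code: it resolves the dot-and-wildcard paths of the `gateway.networking.k8s.io/v1/Gateway` entries against a constructed manifest and splits each target into group, version and Kind. The names `ref`, `splitType`, `resolve`, `references` and `sampleGateway` are hypothetical, and the resolver stands in for gaby, whose API is not shown on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// ref is one resolved reference: target type parts plus the object name.
type ref struct{ Group, Version, Kind, Name string }

// gatewayRefs copies the Gateway entries of CRDReferenceFields (path, target).
var gatewayRefs = [][2]string{
	{"spec.gatewayClassName", "gateway.networking.k8s.io/v1/GatewayClass"},
	{"spec.listeners.*.tls.certificateRefs.*.name", "v1/Secret"},
}

// splitType parses group/version/Kind; core types (v1/Secret) have no group.
func splitType(rt string) (group, version, kind string, err error) {
	parts := strings.Split(rt, "/")
	switch len(parts) {
	case 2:
		return "", parts[0], parts[1], nil
	case 3:
		return parts[0], parts[1], parts[2], nil
	}
	return "", "", "", fmt.Errorf("malformed resource type %q", rt)
}

// resolve follows dot-separated segments through a decoded manifest; "*" fans
// out over every list element. Absent keys and wrong types yield no values.
func resolve(node any, segs []string) []string {
	if len(segs) == 0 {
		if s, ok := node.(string); ok && s != "" {
			return []string{s}
		}
		return nil
	}
	if segs[0] == "*" {
		var out []string
		list, _ := node.([]any) // nil slice when node is not a list
		for _, item := range list {
			out = append(out, resolve(item, segs[1:])...)
		}
		return out
	}
	m, _ := node.(map[string]any) // reading from a nil map is safe in Go
	return resolve(m[segs[0]], segs[1:])
}

// references lists every object the manifest points at, in table order.
func references(obj map[string]any, table [][2]string) ([]ref, error) {
	var out []ref
	for _, e := range table {
		g, v, k, err := splitType(e[1])
		if err != nil {
			return nil, err
		}
		for _, name := range resolve(obj, strings.Split(e[0], ".")) {
			out = append(out, ref{g, v, k, name})
		}
	}
	return out, nil
}

// sampleGateway is a constructed manifest: a plain HTTP listener (no tls
// block) and an HTTPS listener that names two certificate Secrets.
func sampleGateway() map[string]any {
	certs := []any{map[string]any{"name": "web-tls"}, map[string]any{"name": "web-tls-ecdsa"}}
	return map[string]any{"spec": map[string]any{
		"gatewayClassName": "istio",
		"listeners": []any{
			map[string]any{"name": "http", "port": 80},
			map[string]any{"name": "https", "tls": map[string]any{"certificateRefs": certs}},
		},
	}}
}

func main() {
	fmt.Println(references(sampleGateway(), gatewayRefs))
}
```

Filtering the result for Kind `Secret` or `ServiceAccount` gives a quick inventory of the credentials a custom resource depends on.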

Functions

func DecryptResponse added in v0.1.26

func DecryptResponse(privateKey *ecdh.PrivateKey, encryptedJSON []byte) ([]byte, error)

DecryptResponse decrypts an EncryptedResponse using the caller's private key. This is used by the CLI plugin.

func GenerateKubecontextFunction added in v0.1.26

func GenerateKubecontextFunction(fArgs handler.FunctionImplementationArguments) (gaby.Container, any, error)

GenerateKubecontextFunction is the function implementation.

func GetGenerateKubecontextSignature added in v0.1.26

func GetGenerateKubecontextSignature() api.FunctionSignature

GetGenerateKubecontextSignature returns the function signature.

func InitAccess added in v0.1.26

func InitAccess() error

InitAccess initializes the Kubernetes client for token requests. It tries in-cluster config first, then falls back to kubeconfig.

func InitSchemaFinder

func InitSchemaFinder() error

func RegisterFunctions

func RegisterFunctions(rp *k8skit.K8sResourceProviderType, fh handler.FunctionRegistry)

RegisterFunctions registers all Kubernetes functions onto the provided FunctionHandler using the given registrar's resource provider.

Types

type EncryptedResponse added in v0.1.26

type EncryptedResponse struct {
	PublicKey  string `json:"publicKey"`  // Worker's ephemeral public key (base64)
	Nonce      string `json:"nonce"`      // AES-GCM nonce (base64)
	Ciphertext string `json:"ciphertext"` // Encrypted kubeconfig (base64)
}

EncryptedResponse is the JSON structure returned in function output.
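An ephemeral-ECDH plus AES-GCM envelope with the three fields of EncryptedResponse, as an added example rather than this package's code. Assumptions: X25519 as the curve, SHA-256 of the shared secret as the key derivation, and standard padded base64; the page documents none of these, and `envelope`, `aeadFor`, `seal` and `open` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// envelope mirrors EncryptedResponse; encoding/json base64-encodes []byte.
type envelope struct {
	PublicKey  []byte `json:"publicKey"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// aeadFor: ECDH, then SHA-256 as the KDF (assumed; the page names none).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is the worker side: a fresh ephemeral key and nonce per response.
func seal(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := recipient.Curve().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(eph, recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return json.Marshal(envelope{
		PublicKey:  eph.PublicKey().Bytes(),
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil),
	})
}

// open is the caller side, with the argument order of DecryptResponse.
func open(priv *ecdh.PrivateKey, encryptedJSON []byte) ([]byte, error) {
	var env envelope
	if err := json.Unmarshal(encryptedJSON, &env); err != nil {
		return nil, err
	}
	peer, err := priv.Curve().NewPublicKey(env.PublicKey)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(priv, peer)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() { // Open panics on a wrong-size nonce
		return nil, fmt.Errorf("unexpected nonce length %d", len(env.Nonce))
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader) // caller's key pair
	out, _ := seal(priv.PublicKey(), []byte("constructed kubeconfig bytes"))
	plain, err := open(priv, out)
	fmt.Println(string(plain), err)
}
```

Because the ephemeral key, and therefore the AES key, is new for every response, a random 96-bit nonce cannot repeat under the same key.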

type PathReference

type PathReference struct {
	Path   string
	Target api.ResourceType
}

PathReference describes a field path that references another resource, and the ResourceType of the resource it refers to.

type ResourceQuantityComparison

type ResourceQuantityComparison struct {
	// contains filtered or unexported fields
}

ResourceQuantityComparison implements CustomStringComparator for Kubernetes resource quantities.

func NewResourceQuantityComparison

func NewResourceQuantityComparison() *ResourceQuantityComparison

NewResourceQuantityComparison creates a new ResourceQuantityComparison instance.

func (*ResourceQuantityComparison) Evaluate

func (r *ResourceQuantityComparison) Evaluate(expr *api.RelationalExpression, value string) (bool, error)

Evaluate implements CustomStringComparator.Evaluate

func (*ResourceQuantityComparison) MatchesPath

func (r *ResourceQuantityComparison) MatchesPath(path string) bool

MatchesPath implements CustomStringComparator.MatchesPath

type SchemaFinder

type SchemaFinder struct {
	// contains filtered or unexported fields
}

func NewSchemaFinder

func NewSchemaFinder() (*SchemaFinder, error)

func (*SchemaFinder) LookupPath

func (e *SchemaFinder) LookupPath(gvkString, fieldPath string) (*SchemaInfo, error)

type SchemaInfo

type SchemaInfo struct {
	Description string
}

func LookupPath

func LookupPath(gvkString, fieldPath string) (*SchemaInfo, error)
