Documentation
Index ¶
- Constants
- func BuildCloudflaredDeployment(gw *gwapiv1.Gateway, secretName string) *appsv1.Deployment
- func CheckReferenceGrant(ctx context.Context, c client.Client, ...) (bool, error)
- func CheckRouteAttachment(ctx context.Context, c client.Client, gw *gwapiv1.Gateway, ...) (bool, error)
- func DeploymentName(gwName string) string
- func EnsureTunnelSecret(ctx context.Context, c client.Client, gw *gwapiv1.Gateway) ([]byte, bool, error)
- func GetBackendTLSConfig(ctx context.Context, c client.Client, serviceNS, serviceName string) (*cf.OriginRequestConfig, error)
- func IsPermanent(err error) bool
- func PatchAccessPolicyStatus(ctx context.Context, c client.Client, ...) error
- func PatchGRPCRouteStatus(ctx context.Context, c client.Client, route *gwapiv1.GRPCRoute, ...) error
- func PatchGatewayClassStatus(ctx context.Context, c client.Client, gc *gwapiv1.GatewayClass, accepted bool) error
- func PatchGatewayStatus(ctx context.Context, c client.Client, gw *gwapiv1.Gateway, tunnelID string, ...) error
- func PatchHTTPRouteStatus(ctx context.Context, c client.Client, route *gwapiv1.HTTPRoute, ...) error
- func PatchTCPRouteStatus(ctx context.Context, c client.Client, route *gwapiv1alpha2.TCPRoute, ...) error
- func PatchTLSRouteStatus(ctx context.Context, c client.Client, route *gwapiv1alpha2.TLSRoute, ...) error
- func StoreTunnelToken(ctx context.Context, c client.Client, namespace, secretName, token string) error
- func TunnelSecretName(gwName string) string
- type ControllerError
- type GatewayReconciler
- type ListenerRouteCount
Constants ¶
const ContainerImage = "cloudflare/cloudflared:2024.12.2"
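ContainerImage is the cloudflared container image used in the tunnel deployment. The reference pins a tag (2024.12.2), not an image digest, so the image content that is pulled depends on what the registry serves for that tag.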
const (
ControllerName = "jan0ski.net/cloudflared-gateway"
)
Variables ¶
This section is empty.
Functions ¶
func BuildCloudflaredDeployment ¶
func BuildCloudflaredDeployment(gw *gwapiv1.Gateway, secretName string) *appsv1.Deployment
BuildCloudflaredDeployment creates the cloudflared Deployment spec for a Gateway. The tunnel token is read from the referenced Secret.
func CheckReferenceGrant ¶
func CheckReferenceGrant(ctx context.Context, c client.Client, fromNS, fromKind, toNS, toKind, toName string) (bool, error)
CheckReferenceGrant checks if a cross-namespace reference is permitted by a ReferenceGrant in the target namespace.
Returns true if a ReferenceGrant exists in toNS that allows references from fromNS/fromKind to toKind/toName.
func CheckRouteAttachment ¶
func CheckRouteAttachment(ctx context.Context, c client.Client, gw *gwapiv1.Gateway, routeNS, routeKind string) (bool, error)
CheckRouteAttachment checks whether a route in the given namespace with the given kind is allowed to attach to the Gateway based on its listener configuration.
func DeploymentName ¶
DeploymentName returns the cloudflared Deployment name for a Gateway.
func EnsureTunnelSecret ¶
func EnsureTunnelSecret(ctx context.Context, c client.Client, gw *gwapiv1.Gateway) ([]byte, bool, error)
EnsureTunnelSecret ensures a K8s Secret exists with a valid 32-byte tunnel secret. Returns the secret bytes, whether the secret was regenerated, and any error.
func GetBackendTLSConfig ¶
func GetBackendTLSConfig(ctx context.Context, c client.Client, serviceNS, serviceName string) (*cf.OriginRequestConfig, error)
GetBackendTLSConfig looks up a BackendTLSPolicy targeting the given service and returns the corresponding Cloudflare OriginRequestConfig.
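If no matching policy is found, it returns an OriginRequestConfig with noTLSVerify: true, for backward compatibility with the previous hardcoded behavior. With noTLSVerify set, cloudflared does not verify the TLS certificate presented by the origin, so a Service without a matching BackendTLSPolicy is reached without origin certificate validation. Only a matching BackendTLSPolicy replaces this default.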
func IsPermanent ¶
IsPermanent returns true if the error should not be retried. Only configuration errors are permanent.
func PatchAccessPolicyStatus ¶
func PatchAccessPolicyStatus(ctx context.Context, c client.Client, policy *cfv1alpha1.CloudflareAccessPolicy, accepted bool) error
PatchAccessPolicyStatus sets Accepted and Programmed conditions on a CloudflareAccessPolicy.
func PatchGRPCRouteStatus ¶
func PatchGRPCRouteStatus(ctx context.Context, c client.Client, route *gwapiv1.GRPCRoute, gwName, gwNS string, accepted bool) error
PatchGRPCRouteStatus sets the Accepted condition for a specific parentRef on a GRPCRoute.
func PatchGatewayClassStatus ¶
func PatchGatewayClassStatus(ctx context.Context, c client.Client, gc *gwapiv1.GatewayClass, accepted bool) error
PatchGatewayClassStatus sets the Accepted condition on a GatewayClass.
func PatchGatewayStatus ¶
func PatchGatewayStatus(ctx context.Context, c client.Client, gw *gwapiv1.Gateway, tunnelID string, listenerCounts []ListenerRouteCount) error
PatchGatewayStatus sets Accepted+Programmed conditions and listener statuses.
func PatchHTTPRouteStatus ¶
func PatchHTTPRouteStatus(ctx context.Context, c client.Client, route *gwapiv1.HTTPRoute, gwName, gwNS string, accepted bool) error
PatchHTTPRouteStatus sets the Accepted condition for a specific parentRef on an HTTPRoute.
func PatchTCPRouteStatus ¶
func PatchTCPRouteStatus(ctx context.Context, c client.Client, route *gwapiv1alpha2.TCPRoute, gwName, gwNS string, accepted bool) error
PatchTCPRouteStatus sets the Accepted condition for a specific parentRef on a TCPRoute.
func PatchTLSRouteStatus ¶
func PatchTLSRouteStatus(ctx context.Context, c client.Client, route *gwapiv1alpha2.TLSRoute, gwName, gwNS string, accepted bool) error
PatchTLSRouteStatus sets the Accepted condition for a specific parentRef on a TLSRoute.
func StoreTunnelToken ¶
func StoreTunnelToken(ctx context.Context, c client.Client, namespace, secretName, token string) error
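StoreTunnelToken stores the assembled tunnel token in the Secret's stringData. It uses stringData rather than data so that the API server performs the base64 encoding and the token is not encoded twice. The token is the credential cloudflared uses to run the tunnel, so read access to this Secret should be scoped accordingly.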
func TunnelSecretName ¶
TunnelSecretName returns the K8s Secret name for a Gateway's tunnel secret.
Types ¶
type ControllerError ¶
type ControllerError struct {
// contains filtered or unexported fields
}
ControllerError is a categorized error for reconciliation.
func CloudflareError ¶
func CloudflareError(err error) *ControllerError
func ConfigError ¶
func ConfigError(msg string) *ControllerError
func FinalizerError ¶
func FinalizerError(err error) *ControllerError
func KubeError ¶
func KubeError(err error) *ControllerError
func (*ControllerError) Error ¶
func (e *ControllerError) Error() string
func (*ControllerError) Unwrap ¶
func (e *ControllerError) Unwrap() error
type GatewayReconciler ¶
type GatewayReconciler struct {
Client client.Client
CloudflareClient cloudflare.APIClient
ControllerName gwapiv1.GatewayController
}
GatewayReconciler reconciles Gateway resources to create and manage Cloudflare Tunnels.
func (*GatewayReconciler) Reconcile ¶
func (r *GatewayReconciler) Reconcile(ctx context.Context, req reconcile.Request) (reconcile.Result, error)
Reconcile is the error-policy wrapper around reconciliation: permanent errors are logged and not retried, while retriable errors are returned so that controller-runtime requeues with exponential backoff.
func (*GatewayReconciler) SetupWithManager ¶
func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error
SetupWithManager registers the controller with the manager and configures watches. CloudflareClient and ControllerName must be set before calling this method.
type ListenerRouteCount ¶
type ListenerRouteCount struct {
Name gwapiv1.SectionName
Protocol gwapiv1.ProtocolType
Count int32
}
ListenerRouteCount tracks the number of attached routes per listener.