Index ¶
- Constants
- func GenerateServiceAccountMappings(scopeMap map[Scope]map[string]WSAResource) (map[Scope]ServiceAccountName, map[ServiceAccountName]map[string]WSAResource, ...)
- func IsOctopusManaged(labels map[string]string) bool
- type AgentName
- type DimensionIndex
- type Engine
- type GlobalVocabulary
- type GroupedDimensions
- type InMemoryEngine
- func (i *InMemoryEngine) CleanupServiceAccounts(ctx context.Context, deletingResource WSAResource) (ctrl.Result, error)
- func (i *InMemoryEngine) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
- func (i *InMemoryEngine) GetTargetNamespaces() []string
- func (i *InMemoryEngine) Reconcile(ctx context.Context) error
- func (i *InMemoryEngine) ReconcileResource(ctx context.Context, resource WSAResource) error
- type Namespace
- type NamespaceDiscovery
- type NamespaceDiscoveryService
- type ResourceManagement
- type ResourceManagementService
- func (r ResourceManagementService) EnsureRoleBindings(ctx context.Context, resources []WSAResource, ...) error
- func (r ResourceManagementService) EnsureRoles(ctx context.Context, resources []WSAResource) (map[string]rbacv1.Role, error)
- func (r ResourceManagementService) EnsureServiceAccounts(ctx context.Context, serviceAccounts []*corev1.ServiceAccount, ...) error
- func (r ResourceManagementService) GarbageCollectServiceAccounts(ctx context.Context, expectedServiceAccounts *set.Set[string], ...) (ctrl.Result, error)
- func (r ResourceManagementService) GetClusterRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.ClusterRoleBinding], error)
- func (r ResourceManagementService) GetClusterRoles(ctx context.Context) (iter.Seq[*rbacv1.ClusterRole], error)
- func (r ResourceManagementService) GetClusterWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.ClusterWorkloadServiceAccount], error)
- func (r ResourceManagementService) GetRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.RoleBinding], error)
- func (r ResourceManagementService) GetRoles(ctx context.Context) (iter.Seq[*rbacv1.Role], error)
- func (r ResourceManagementService) GetServiceAccounts(ctx context.Context) (iter.Seq[*corev1.ServiceAccount], error)
- func (r ResourceManagementService) GetWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.WorkloadServiceAccount], error)
- func (r ResourceManagementService) IsServiceAccountInUse(ctx context.Context, saName string, targetNamespaces *set.Set[string]) (bool, []string, error)
- type Scope
- type ScopeComputation
- type ScopeComputationService
- func (s ScopeComputationService) ComputeScopesForWSAs(wsaList []WSAResource) (map[Scope]map[string]WSAResource, GlobalVocabulary)
- func (s ScopeComputationService) GenerateServiceAccountMappings(scopeMap map[Scope]map[string]WSAResource) (map[Scope]ServiceAccountName, map[ServiceAccountName]map[string]WSAResource, ...)
- func (s ScopeComputationService) GetScopeToSA() map[Scope]ServiceAccountName
- func (s ScopeComputationService) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
- type ServiceAccountName
- type WSAResource
Constants ¶
// Constants for metadata keys (used in both labels and annotations).
const (
	// MetadataNamespace is the prefix shared by every Octopus metadata key below.
	MetadataNamespace = "agent.octopus.com"
	PermissionsKey    = MetadataNamespace + "/permissions"
	// Scope dimension keys; presumably one per DimensionIndex value — confirm.
	ProjectKey     = MetadataNamespace + "/project"
	EnvironmentKey = MetadataNamespace + "/environment"
	TenantKey      = MetadataNamespace + "/tenant"
	StepKey        = MetadataNamespace + "/step"
	SpaceKey       = MetadataNamespace + "/space"
	// ManagedByLabel is the standard Kubernetes label for tracking resource ownership
	ManagedByLabel = "app.kubernetes.io/managed-by"
	// ManagedByValue is the value set on the managed-by label for resources created by this controller
	ManagedByValue = "octopus-permissions-controller"
)
Constants for metadata keys (used in both labels and annotations)
// WildcardValue is the "*" marker; presumably it matches any value of a scope
// dimension when used in a scope configuration — confirm against the scope logic.
const WildcardValue = "*"
Variables ¶
This section is empty.
Functions ¶
func GenerateServiceAccountMappings ¶
func GenerateServiceAccountMappings( scopeMap map[Scope]map[string]WSAResource, ) ( map[Scope]ServiceAccountName, map[ServiceAccountName]map[string]WSAResource, map[string][]string, []*v1.ServiceAccount, )
GenerateServiceAccountMappings processes the scope map and generates the required mappings for service account creation and management.
func IsOctopusManaged ¶
IsOctopusManaged reports whether the supplied labels mark a resource as managed by the Octopus controller.
Types ¶
type DimensionIndex ¶
// DimensionIndex identifies one scope dimension (project, environment, tenant,
// step, space). It is used as the array index into GlobalVocabulary.
type DimensionIndex int

const (
	ProjectIndex DimensionIndex = iota
	EnvironmentIndex
	TenantIndex
	StepIndex
	SpaceIndex
	MaxDimensionIndex // Must be last - used for various looping through dimensions
)
type Engine ¶
// Engine is the top-level contract of the permissions controller. It composes
// resource management, namespace discovery and scope computation, and adds the
// reconcile and cleanup entry points that drive them.
type Engine interface {
	ResourceManagement
	NamespaceDiscovery
	ScopeComputation
	// Reconcile runs a reconciliation over all resources.
	//   NOTE(review): "all resources" is inferred from ReconcileResource being
	//   documented as the incremental, single-resource variant — confirm.
	Reconcile(ctx context.Context) error
	// ReconcileResource performs an incremental reconciliation for a single
	// WorkloadServiceAccount or ClusterWorkloadServiceAccount; it is meant to be
	// called from the normal reconcile loop when that specific resource changes.
	ReconcileResource(ctx context.Context, resource WSAResource) error
	// CleanupServiceAccounts recomputes which ServiceAccounts the remaining
	// resources still need once deletingResource is gone (deletingResource is
	// excluded from the calculation) and deletes only those no longer needed.
	// The ctrl.Result may carry a requeue when an account is still in use —
	// presumed from GarbageCollectServiceAccounts; confirm.
	CleanupServiceAccounts(ctx context.Context, deletingResource WSAResource) (ctrl.Result, error)
}
type GlobalVocabulary ¶
// GlobalVocabulary holds the set of known values for each scope dimension.
// Indexes correspond to the DimensionIndex constants, e.g. ProjectIndex holds
// the set of known projects across all WSAs. Create it with NewGlobalVocabulary.
type GlobalVocabulary [MaxDimensionIndex]*set.Set[string]
GlobalVocabulary holds the set of known values for each dimension. Indexes correspond to the DimensionIndex constants; e.g. ProjectIndex holds the set of known projects from all WSAs.
func NewGlobalVocabulary ¶
func NewGlobalVocabulary() GlobalVocabulary
func (*GlobalVocabulary) GetKnownScopeCombination ¶
func (v *GlobalVocabulary) GetKnownScopeCombination(scope Scope) Scope
type GroupedDimensions ¶
// GroupedDimensions holds the collected dimension values for a group of scopes,
// one slice per scope dimension (mirroring the DimensionIndex constants).
type GroupedDimensions struct {
	Projects     []string
	Environments []string
	Tenants      []string
	Steps        []string
	Spaces       []string
}
GroupedDimensions holds collected dimension values for a group of scopes
type InMemoryEngine ¶
// InMemoryEngine implements Engine and keeps the computed scope → service
// account state in memory. It embeds the three service interfaces and shadows
// ScopeComputation.GetServiceAccountForScope so that reads of the in-memory
// maps go through its own locking. Construct it with NewInMemoryEngine.
type InMemoryEngine struct {
	ScopeComputation
	ResourceManagement
	NamespaceDiscovery
	// contains filtered or unexported fields
	//   (per GetServiceAccountForScope's doc these include the in-memory maps
	//   and the lock guarding them — confirm in the source)
}
func NewInMemoryEngine ¶
func (*InMemoryEngine) CleanupServiceAccounts ¶
func (i *InMemoryEngine) CleanupServiceAccounts( ctx context.Context, deletingResource WSAResource, ) (ctrl.Result, error)
CleanupServiceAccounts performs smart cleanup of ServiceAccounts when a WSA/cWSA is deleted. It recomputes what ServiceAccounts are needed by all remaining resources and deletes only those that are no longer needed by any resource. The deletingResource parameter should be the resource being deleted (so it can be excluded from the calculation).
func (*InMemoryEngine) GetServiceAccountForScope ¶
func (i *InMemoryEngine) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
GetServiceAccountForScope retrieves the service account for a given scope with proper locking. This method shadows the embedded ScopeComputation.GetServiceAccountForScope to ensure thread-safe access to the in-memory maps.
func (*InMemoryEngine) GetTargetNamespaces ¶
func (i *InMemoryEngine) GetTargetNamespaces() []string
func (*InMemoryEngine) ReconcileResource ¶
func (i *InMemoryEngine) ReconcileResource(ctx context.Context, resource WSAResource) error
ReconcileResource performs an incremental reconciliation for a single WorkloadServiceAccount or ClusterWorkloadServiceAccount. This should be called during normal reconcile loops when a specific resource changes.
type NamespaceDiscovery ¶
type NamespaceDiscoveryService ¶
func (NamespaceDiscoveryService) DiscoverTargetNamespaces ¶
func (NamespaceDiscoveryService) GetTargetNamespaces ¶
func (nds NamespaceDiscoveryService) GetTargetNamespaces() []string
type ResourceManagement ¶
// ResourceManagement defines the interface for creating and managing the
// Kubernetes resources (ServiceAccounts, Roles, RoleBindings and their
// cluster-scoped counterparts) that back WorkloadServiceAccounts.
type ResourceManagement interface {
	// GetWorkloadServiceAccounts returns an iterator over WorkloadServiceAccounts.
	GetWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.WorkloadServiceAccount], error)
	// GetClusterWorkloadServiceAccounts returns an iterator over ClusterWorkloadServiceAccounts.
	GetClusterWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.ClusterWorkloadServiceAccount], error)
	// GetServiceAccounts returns an iterator over ServiceAccounts.
	//   NOTE(review): whether the listing is limited to controller-managed
	//   accounts or spans the whole cluster is not documented here — confirm.
	GetServiceAccounts(ctx context.Context) (iter.Seq[*corev1.ServiceAccount], error)
	// GetRoles returns an iterator over Roles.
	GetRoles(ctx context.Context) (iter.Seq[*rbacv1.Role], error)
	// GetClusterRoles returns an iterator over ClusterRoles.
	GetClusterRoles(ctx context.Context) (iter.Seq[*rbacv1.ClusterRole], error)
	// GetRoleBindings returns an iterator over RoleBindings.
	GetRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.RoleBinding], error)
	// GetClusterRoleBindings returns an iterator over ClusterRoleBindings.
	GetClusterRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.ClusterRoleBinding], error)
	// EnsureRoles materialises Roles for the given WSA resources and returns
	// them keyed by string. The key and the create-vs-update semantics are not
	// documented here — confirm against the implementation.
	EnsureRoles(ctx context.Context, resources []WSAResource) (map[string]rbacv1.Role, error)
	// EnsureServiceAccounts creates service accounts for all scopes in all
	// target namespaces.
	EnsureServiceAccounts(
		ctx context.Context, serviceAccounts []*corev1.ServiceAccount, targetNamespaces []string,
	) error
	// EnsureRoleBindings creates role bindings to connect service accounts
	// with roles for all WSAs; this is the step at which the computed
	// permissions actually take effect. createdRoles is presumably the map
	// returned by EnsureRoles and wsaToServiceAccounts the WSA-name → SA-names
	// mapping from GenerateServiceAccountMappings — confirm against the callers.
	EnsureRoleBindings(
		ctx context.Context, resources []WSAResource, createdRoles map[string]rbacv1.Role,
		wsaToServiceAccounts map[string][]string, targetNamespaces []string,
	) error
	// GarbageCollectServiceAccounts deletes ServiceAccounts that are managed
	// by this controller but no longer needed: those not in
	// expectedServiceAccounts, or living in a namespace outside
	// targetNamespaces. Per its doc only controller-managed accounts are
	// candidates, so unrelated ServiceAccounts are not touched. The returned
	// ctrl.Result has RequeueAfter set while an account is still in use by
	// pods (see IsServiceAccountInUse).
	GarbageCollectServiceAccounts(
		ctx context.Context, expectedServiceAccounts *set.Set[string], targetNamespaces *set.Set[string],
	) (ctrl.Result, error)
}
ResourceManagement defines the interface for creating and managing Kubernetes resources
type ResourceManagementService ¶
// ResourceManagementService is the ResourceManagement implementation backed
// by a controller-runtime client.Client (see NewResourceManagementService and
// NewResourceManagementServiceWithScheme).
type ResourceManagementService struct {
	// contains filtered or unexported fields
}
func NewResourceManagementService ¶
func NewResourceManagementService(newClient client.Client) ResourceManagementService
func NewResourceManagementServiceWithScheme ¶
func NewResourceManagementServiceWithScheme(newClient client.Client, scheme *runtime.Scheme) ResourceManagementService
func (ResourceManagementService) EnsureRoleBindings ¶
func (r ResourceManagementService) EnsureRoleBindings( ctx context.Context, resources []WSAResource, createdRoles map[string]rbacv1.Role, wsaToServiceAccounts map[string][]string, targetNamespaces []string, ) error
EnsureRoleBindings creates role bindings to connect service accounts with roles for all WSAs
func (ResourceManagementService) EnsureRoles ¶
func (r ResourceManagementService) EnsureRoles( ctx context.Context, resources []WSAResource, ) (map[string]rbacv1.Role, error)
func (ResourceManagementService) EnsureServiceAccounts ¶
func (r ResourceManagementService) EnsureServiceAccounts( ctx context.Context, serviceAccounts []*corev1.ServiceAccount, targetNamespaces []string, ) error
EnsureServiceAccounts creates service accounts for all scopes in all target namespaces
func (ResourceManagementService) GarbageCollectServiceAccounts ¶
func (r ResourceManagementService) GarbageCollectServiceAccounts( ctx context.Context, expectedServiceAccounts *set.Set[string], targetNamespaces *set.Set[string], ) (ctrl.Result, error)
GarbageCollectServiceAccounts deletes ServiceAccounts that are managed by this controller but are no longer needed (not in the expectedServiceAccounts set or in out-of-scope namespaces). Returns ctrl.Result with RequeueAfter set when ServiceAccounts are still in use by pods.
func (ResourceManagementService) GetClusterRoleBindings ¶
func (r ResourceManagementService) GetClusterRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.ClusterRoleBinding], error)
func (ResourceManagementService) GetClusterRoles ¶
func (r ResourceManagementService) GetClusterRoles(ctx context.Context) (iter.Seq[*rbacv1.ClusterRole], error)
func (ResourceManagementService) GetClusterWorkloadServiceAccounts ¶
func (r ResourceManagementService) GetClusterWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.ClusterWorkloadServiceAccount], error)
func (ResourceManagementService) GetRoleBindings ¶
func (r ResourceManagementService) GetRoleBindings(ctx context.Context) (iter.Seq[*rbacv1.RoleBinding], error)
func (ResourceManagementService) GetServiceAccounts ¶
func (r ResourceManagementService) GetServiceAccounts(ctx context.Context) (iter.Seq[*corev1.ServiceAccount], error)
func (ResourceManagementService) GetWorkloadServiceAccounts ¶
func (r ResourceManagementService) GetWorkloadServiceAccounts(ctx context.Context) (iter.Seq[*v1beta1.WorkloadServiceAccount], error)
func (ResourceManagementService) IsServiceAccountInUse ¶
func (r ResourceManagementService) IsServiceAccountInUse( ctx context.Context, saName string, targetNamespaces *set.Set[string], ) (bool, []string, error)
IsServiceAccountInUse reports whether any pods in the target namespaces are currently using the specified ServiceAccount. It returns true if any pods in Running, Pending, or Terminating state are using the SA, along with the names of those pods for logging purposes.
type ScopeComputation ¶
// ScopeComputation defines the interface for computing scopes and the
// scope → service account mappings derived from WSA resources.
type ScopeComputation interface {
	// GetServiceAccountForScope returns the service account name mapped to
	// scope. The error condition (presumably no mapping for the scope) is not
	// documented here — confirm.
	GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
	// ComputeScopesForWSAs groups the given WSA resources by Scope (keyed by a
	// string within each scope, presumably the resource name — confirm) and
	// collects the GlobalVocabulary of dimension values seen across them.
	ComputeScopesForWSAs(wsaList []WSAResource) (map[Scope]map[string]WSAResource, GlobalVocabulary)
	// GenerateServiceAccountMappings processes the scope map and generates the
	// mappings required for service account creation and management. The four
	// results appear to be: scope → SA name, SA name → the WSAs sharing it,
	// WSA name → SA names (the wsaToServiceAccounts argument of
	// EnsureRoleBindings), and the ServiceAccount objects to create — confirm
	// against the implementation.
	GenerateServiceAccountMappings(scopeMap map[Scope]map[string]WSAResource) (
		map[Scope]ServiceAccountName,
		map[ServiceAccountName]map[string]WSAResource,
		map[string][]string,
		[]*corev1.ServiceAccount,
	)
	// GetScopeToSA returns the current scope to service account mapping.
	GetScopeToSA() map[Scope]ServiceAccountName
}
ScopeComputation defines the interface for computing scopes and service account mappings
type ScopeComputationService ¶
// ScopeComputationService is the ScopeComputation implementation. It is built
// from a GlobalVocabulary and an initial scope → service account mapping (see
// NewScopeComputationService).
type ScopeComputationService struct {
	// contains filtered or unexported fields
}
func NewScopeComputationService ¶
func NewScopeComputationService( vocabulary *GlobalVocabulary, scopeToSA map[Scope]ServiceAccountName, ) ScopeComputationService
func (ScopeComputationService) ComputeScopesForWSAs ¶
func (s ScopeComputationService) ComputeScopesForWSAs(wsaList []WSAResource) (map[Scope]map[string]WSAResource, GlobalVocabulary)
func (ScopeComputationService) GenerateServiceAccountMappings ¶
func (s ScopeComputationService) GenerateServiceAccountMappings(scopeMap map[Scope]map[string]WSAResource) (map[Scope]ServiceAccountName, map[ServiceAccountName]map[string]WSAResource, map[string][]string, []*corev1.ServiceAccount)
func (ScopeComputationService) GetScopeToSA ¶
func (s ScopeComputationService) GetScopeToSA() map[Scope]ServiceAccountName
GetScopeToSA returns the current scope to service account mapping
func (ScopeComputationService) GetServiceAccountForScope ¶
func (s ScopeComputationService) GetServiceAccountForScope(scope Scope) (ServiceAccountName, error)
type ServiceAccountName ¶
// ServiceAccountName is the name of a ServiceAccount computed for a Scope; it
// is the value type of the scope → service account mappings in this package.
type ServiceAccountName string
type WSAResource ¶
// WSAResource is an internal interface that abstracts over both
// WorkloadServiceAccount and ClusterWorkloadServiceAccount so that both can be
// processed uniformly. Obtain one via NewWSAResource or NewClusterWSAResource.
type WSAResource interface {
	// GetName returns the resource name
	GetName() string
	// GetNamespace returns the namespace (empty string for cluster-scoped resources)
	GetNamespace() string
	// GetScope returns the scope configuration
	GetScope() v1beta1.WorkloadServiceAccountScope
	// GetPermissionRules returns inline permission rules — the PolicyRules the
	// controller grants to the resource's service accounts (presumably via
	// EnsureRoles and EnsureRoleBindings — confirm).
	GetPermissionRules() []rbacv1.PolicyRule
	// GetRoles returns role references (only for namespace-scoped WSA)
	GetRoles() []rbacv1.RoleRef
	// GetClusterRoles returns cluster role references
	GetClusterRoles() []rbacv1.RoleRef
	// IsClusterScoped returns true if this is a cluster-scoped resource
	IsClusterScoped() bool
	// GetOwnerObject returns the underlying WSA or CWSA object for owner references
	GetOwnerObject() interface{}
}
WSAResource is an internal interface that abstracts over both WorkloadServiceAccount and ClusterWorkloadServiceAccount so that both can be processed uniformly.
func NewClusterWSAResource ¶
func NewClusterWSAResource(cwsa *v1beta1.ClusterWorkloadServiceAccount) WSAResource
NewClusterWSAResource creates a WSAResource from a ClusterWorkloadServiceAccount
func NewWSAResource ¶
func NewWSAResource(wsa *v1beta1.WorkloadServiceAccount) WSAResource
NewWSAResource creates a WSAResource from a WorkloadServiceAccount