Index ¶
- Constants
- Variables
- func CipherSuites(securityProfile *configv1.TLSSecurityProfile) []string
- func ControllerOwnerRef(obj client.Object) *metav1.OwnerReference
- func CopyStringMap(source map[string]string) map[string]string
- func FeatureGateConfigMap(ctx context.Context, c client.Reader, ns string) (*corev1.ConfigMap, error)
- func FeatureGatesFromConfigMap(ctx context.Context, c client.Reader, ns string) ([]string, error)
- func KMSEncryptedObjects() []string
- func MinTLSVersion(securityProfile *configv1.TLSSecurityProfile) string
- func OpenSSLToIANACipherSuites(ciphers []string) []string
- func ParseFeatureGates(cm *corev1.ConfigMap) (*configv1.FeatureGate, error)
- func SerializeAuditPolicy(policy *auditv1.Policy) ([]byte, error)
- type AdditionalAnnotations
- type AdditionalLabels
- type LivenessProbes
- type OwnerRef
- type ReadinessProbes
- type ResourceOverrides
- type ResourcesSpec
- type Scheduling
- type SecurityContextSpec
- type StartupProbes
Constants ¶
// Labels consumed by the management-cluster network policies. Access is
// label-gated: a pod without the label is cut off from the corresponding
// management-cluster endpoint, so a missing label fails closed.
const (
	// NeedManagementKASAccessLabel must be present on a pod for the network
	// policies to let it reach the management cluster kube-apiserver; any pod
	// without it is denied.
	NeedManagementKASAccessLabel = "hypershift.openshift.io/need-management-kas-access"
	// NeedMetricsServerAccessLabel must be present on a pod for the network
	// policies to allow egress to the management cluster metrics server.
	NeedMetricsServerAccessLabel = "hypershift.openshift.io/need-metrics-server-access"
)

// PriorityClass names for hosted control-plane pods.
// NOTE(review): the ordering below is inferred from the names and comments;
// the numeric priorities live in the PriorityClass objects, not here.
const (
	// EtcdPriorityClass is for etcd pods.
	EtcdPriorityClass = "hypershift-etcd"
	// APICriticalPriorityClass is for pods that must be up for API calls and
	// resource admission to succeed: kube-apiserver, aggregated API servers
	// and webhooks.
	APICriticalPriorityClass = "hypershift-api-critical"
	// DefaultPriorityClass is for control-plane pods that are not API critical
	// but still need elevated priority.
	DefaultPriorityClass = "hypershift-control-plane"
)

// Defaults for hosted control-plane endpoints and addressing.
const (
	// DefaultServiceAccountIssuer is the default issuer URL for service-account
	// tokens. Presumably it becomes the kube-apiserver's
	// --service-account-issuer (TODO confirm against the KAS config); tokens
	// embed this value, so changing it invalidates outstanding tokens and must
	// be coordinated with every OIDC relying party that validates them.
	DefaultServiceAccountIssuer = "https://kubernetes.default.svc"
	// DefaultImageRegistryHostname is the in-cluster image registry host:port.
	DefaultImageRegistryHostname = "image-registry.openshift-image-registry.svc:5000"
	// DefaultAdvertiseIPv4Address and DefaultAdvertiseIPv6Address are the
	// default advertise addresses (presumably the kube-apiserver's).
	DefaultAdvertiseIPv4Address = "172.20.0.1"
	DefaultAdvertiseIPv6Address = "fd00::1"
	// DefaultEtcdURL is the etcd client endpoint. The scheme is https: any
	// client built from this is expected to present etcd client certificates,
	// never to fall back to plaintext.
	DefaultEtcdURL = "https://etcd-client:2379"
	// DefaultMachineNetwork is the default network CIDR for the machine network.
	DefaultMachineNetwork = "10.0.0.0/16"
	// DefaultServiceNodePortRange is the default NodePort range.
	DefaultServiceNodePortRange = "30000-32767"
)

// kube-apiserver ports.
const (
	// KASSVCPort is the port of the kube-apiserver Service.
	KASSVCPort = 6443
	// KASPodDefaultPort is the default port of the kube-apiserver pod.
	KASPodDefaultPort = 6443
	// KASSVCLBAzurePort is the Service LB port on Azure. 7443 is hardcoded
	// because 6443 collides with the public LB rule of the management cluster.
	// https://bugzilla.redhat.com/show_bug.cgi?id=2060650
	// TODO(alberto): explore exposing multiple Azure frontend IPs on the load balancer.
	KASSVCLBAzurePort = 7443
	// KASSVCIBMCloudPort is the kube-apiserver Service port on IBM Cloud.
	KASSVCIBMCloudPort = 2040
)

// DefaultSecurityContextUser is the non-root UID control-plane containers
// default to. Keep it non-zero: a 0 here would silently make them run as root.
const DefaultSecurityContextUser = 1001

// Leader-election timings, as Go duration strings (presumably passed through
// as flags). 137s > 107s > 26s keeps lease > renew deadline > retry period, the
// ordering leader election expects; the KCM pair has no lease duration here.
const (
	RecommendedLeaseDuration = "137s"
	RecommendedRenewDeadline = "107s"
	RecommendedRetryPeriod   = "26s"

	KCMRecommendedRenewDeadline = "12s"
	KCMRecommendedRetryPeriod   = "3s"
)

// Names of environment variables read by the operator (names only, no values).
const (
	DefaultIngressDomainEnvVar                    = "DEFAULT_INGRESS_DOMAIN"
	EnableCVOManagementClusterMetricsAccessEnvVar = "ENABLE_CVO_MANAGEMENT_CLUSTER_METRICS_ACCESS"
	EnableEtcdRecoveryEnvVar                      = "ENABLE_ETCD_RECOVERY"
)

// AuditWebhookService is the name of the audit webhook Service.
const AuditWebhookService = "audit-webhook"

// Keys and labels describing the OCP versions an operator supports.
const (
	ConfigMapVersionsKey      = "supported-versions"
	ConfigMapServerVersionKey = "server-version"
	SupportedVersionsLabel    = "hypershift.openshift.io/supported-versions"
	DefaultReleaseStream      = "4-stable-multi"
)

// HyperShift operator image reference.
const (
	HypershiftImageBase = "quay.io/hypershift/hypershift-operator"
	// HypershiftImageTag is a mutable tag, not a digest: what it resolves to can
	// change under you and cannot be verified against this source. Anything that
	// needs to be reproducible or attestable should pin the image by digest.
	HypershiftImageTag = "latest"
)
// Environment variable names through which managed Azure (ARO HCP) settings
// reach the control-plane components. These are variable names only; no
// credential value lives in this file.
const (
	// AROHCPKeyVaultManagedIdentityClientID names the variable holding the
	// client ID of the managed identity created on an ARO HCP management
	// cluster. That identity pulls secrets and certificates out of the Azure
	// Key Vaults in the management cluster's resource group, so it is the
	// principal to audit when reviewing who can read hosted-cluster credentials.
	AROHCPKeyVaultManagedIdentityClientID = "ARO_HCP_KEY_VAULT_USER_CLIENT_ID"
	// ManagedAzureCredentialsFilePath is, despite its name, an environment
	// variable name rather than a filesystem path.
	ManagedAzureCredentialsFilePath = "MANAGED_AZURE_HCP_CREDENTIALS_FILE_PATH"
	// ManagedAzureSecretProviderClassEnvVarKey names the variable selecting the
	// SecretProviderClass to use.
	ManagedAzureSecretProviderClassEnvVarKey = "ARO_HCP_SECRET_PROVIDER_CLASS"
)

// Mount points for Key Vault material projected into pods. Each directory is
// defined twice, with and without a trailing slash; prefer the MountPath form
// with filepath.Join over concatenating onto the slashed variant.
const (
	ManagedAzureCertificateMountPath       = "/mnt/certs"
	ManagedAzureCredentialsMountPathForKMS = "/mnt/kms"
	ManagedAzureCertificatePath            = "/mnt/certs/"
	ManagedAzureCredentialsPathForKMS      = "/mnt/kms/"
)

// Secrets Store CSI driver plumbing.
const (
	// ManagedAzureSecretsStoreCSIDriver is the CSI driver name referenced from
	// volume specs (the Kubernetes Secrets Store CSI driver).
	ManagedAzureSecretsStoreCSIDriver = "secrets-store.csi.k8s.io"
	// ManagedAzureSecretProviderClass is the volume attribute key that names
	// the SecretProviderClass to mount.
	ManagedAzureSecretProviderClass = "secretProviderClass"
)

// SecretProviderClass names, one per component that needs Key Vault material.
const (
	ManagedAzureCPOSecretProviderClassName                = "managed-azure-cpo"
	ManagedAzureCloudProviderSecretProviderClassName      = "managed-azure-cloud-provider"
	ManagedAzureDiskCSISecretStoreProviderClassName       = "managed-azure-disk-csi"
	ManagedAzureFileCSISecretStoreProviderClassName       = "managed-azure-file-csi"
	ManagedAzureImageRegistrySecretStoreProviderClassName = "managed-azure-image-registry"
	ManagedAzureIngressSecretStoreProviderClassName       = "managed-azure-ingress"
	ManagedAzureKMSSecretProviderClassName                = "managed-azure-kms"
	ManagedAzureNetworkSecretStoreProviderClassName       = "managed-azure-network"
	ManagedAzureNodePoolMgmtSecretProviderClassName       = "managed-azure-nodepool-management"
)

// Volume names under which the projected certificates are mounted.
const (
	ManagedAzureCPOSecretStoreVolumeName           = "cpo-cert"
	ManagedAzureCloudProviderSecretStoreVolumeName = "cloud-provider-cert"
	ManagedAzureImageRegistrySecretStoreVolumeName = "image-registry-cert"
	ManagedAzureIngressSecretStoreVolumeName       = "ingress-cert"
	ManagedAzureKMSSecretStoreVolumeName           = "kms-cert"
	ManagedAzureNodePoolMgmtSecretStoreVolumeName  = "nodepool-management-cert"
)

// Azure role definition IDs assigned to the component identities.
// NOTE(review): ContributorRoleDefinitionID matches the ID of Azure's built-in
// Contributor role, which grants broad write access at whatever scope it is
// assigned; the other GUIDs are presumably narrower custom roles. Unlike its
// siblings, CAPZCustomRoleDefinitionID is a display name rather than a GUID --
// confirm that its consumer resolves roles by name before relying on it.
const (
	ContributorRoleDefinitionID   = "b24988ac-6180-42a0-ab88-20f7382dd24c"
	CloudProviderRoleDefinitionID = "a1f96423-95ce-4224-ab27-4e3dc72facd4"
	IngressRoleDefinitionID       = "0336e1d3-7a87-462b-b6db-342b63f7802c"
	CPOCustomRoleDefinitionID     = "7d8bb4e4-6fa7-4545-96cf-20fce11b705d"
	AzureFileRoleDefinitionID     = "0d7aedc0-15fd-4a67-a412-efad370c947e"
	AzureDiskRoleDefinitionID     = "5b7237c5-45e1-49d6-bc18-a1f62f400748"
	NetworkRoleDefinitionID       = "be7a6435-15ae-4171-8f30-4a343eff9e8f"
	ImageRegistryRoleDefinitionID = "8b32b316-c2f5-4ddf-b05b-83dacd2d08b5"
	CAPZCustomRoleDefinitionID    = "Azure Red Hat OpenShift NodePool Management Role"
)

// Short names of the Azure components that get control-plane managed identities.
const (
	AzureDisk     = "azure-disk"
	AzureFile     = "azure-file"
	CIRO          = "ciro"
	CloudProvider = "cloud-provider"
	CNCC          = "cncc"
	CPO           = "cpo"
	Ingress       = "ingress"
	NodePoolMgmt  = "capz"
)
Constants for managed Azure (ARO HCP) deployments: environment variable names, Key Vault mount points, Secrets Store CSI provider classes and volumes, Azure role definition IDs, and component names.
// FeatureGateConfigMapName is the name of the ConfigMap the feature-gate
// configuration is read from (see FeatureGateConfigMap and ParseFeatureGates).
// Anyone who can write this ConfigMap in the namespace can toggle feature
// gates, so its RBAC deserves the same scrutiny as the operator's own config.
const FeatureGateConfigMapName = "feature-gate"

// FeatureGateConfigKey is the key inside that ConfigMap holding the serialized
// FeatureGate document (presumably YAML, going by the key name).
const FeatureGateConfigKey = "feature-gate.yaml"
// PodSafeToEvictLocalVolumesKey is the cluster-autoscaler annotation that
// lists which of a pod's local volumes are safe to evict, so that annotated
// pods can be drained properly.
const PodSafeToEvictLocalVolumesKey = "cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes"

// HCCOUser is the user name used by the HostedClusterConfigOperator. It is the
// identity to look for when attributing that operator's actions in audit logs.
const HCCOUser = "hosted-cluster-config"

// HCCOUserAgent is the user agent used by the HostedClusterConfigOperator.
const HCCOUserAgent = "hosted-cluster-config-operator-manager"
Variables ¶
var (
	// Version419 is the parsed OCP 4.19.0 version, presumably used as a
	// threshold for version-gated behaviour (callers are not visible here).
	// semver.MustParse panics on a malformed string; that is acceptable only
	// because the input is a compile-time literal evaluated at package init.
	Version419 = semver.MustParse("4.19.0")
)
Functions ¶
func CipherSuites ¶
func CipherSuites(securityProfile *configv1.TLSSecurityProfile) []string
func ControllerOwnerRef ¶
func ControllerOwnerRef(obj client.Object) *metav1.OwnerReference
func CopyStringMap ¶ added in v0.1.10
func FeatureGateConfigMap ¶ added in v0.1.58
func FeatureGatesFromConfigMap ¶ added in v0.1.58
func KMSEncryptedObjects ¶ added in v0.1.18
func KMSEncryptedObjects() []string
func MinTLSVersion ¶
func MinTLSVersion(securityProfile *configv1.TLSSecurityProfile) string
func OpenSSLToIANACipherSuites ¶
OpenSSLToIANACipherSuites maps OpenSSL cipher suite names to their IANA counterparts. Names it does not recognise are silently dropped rather than reported as an error, so a misspelled or unsupported name in a TLS profile shrinks the effective cipher list; callers that need to detect this should compare the lengths of input and output.
func ParseFeatureGates ¶ added in v0.1.58
func ParseFeatureGates(cm *corev1.ConfigMap) (*configv1.FeatureGate, error)
Types ¶
type AdditionalAnnotations ¶
func (AdditionalAnnotations) ApplyTo ¶
func (l AdditionalAnnotations) ApplyTo(podMeta *metav1.ObjectMeta)
type AdditionalLabels ¶
func (AdditionalLabels) ApplyTo ¶
func (l AdditionalLabels) ApplyTo(podMeta *metav1.ObjectMeta)
type LivenessProbes ¶
func (LivenessProbes) ApplyTo ¶
func (p LivenessProbes) ApplyTo(podSpec *corev1.PodSpec)
func (LivenessProbes) ApplyToContainer ¶
func (p LivenessProbes) ApplyToContainer(container string, c *corev1.Container)
type ReadinessProbes ¶
func (ReadinessProbes) ApplyTo ¶
func (p ReadinessProbes) ApplyTo(podSpec *corev1.PodSpec)
func (ReadinessProbes) ApplyToContainer ¶
func (p ReadinessProbes) ApplyToContainer(container string, c *corev1.Container)
type ResourceOverrides ¶
// ResourceOverrides maps a name (going by ApplyRequestsTo's signature,
// presumably a workload name -- confirm with callers) to the ResourcesSpec
// whose requests should be applied to that workload's pods.
type ResourceOverrides map[string]ResourcesSpec
func (ResourceOverrides) ApplyRequestsTo ¶
func (o ResourceOverrides) ApplyRequestsTo(name string, podSpec *corev1.PodSpec)
type ResourcesSpec ¶
// ResourcesSpec maps a name (presumably a container name, since its ApplyTo
// methods take a PodSpec -- confirm with callers) to the ResourceRequirements
// to apply.
type ResourcesSpec map[string]corev1.ResourceRequirements
func (ResourcesSpec) ApplyRequestsOverrideTo ¶
func (s ResourcesSpec) ApplyRequestsOverrideTo(podSpec *corev1.PodSpec)
func (ResourcesSpec) ApplyTo ¶
func (s ResourcesSpec) ApplyTo(podSpec *corev1.PodSpec)
type Scheduling ¶
// Scheduling carries the scheduling settings that ApplyTo presumably copies
// onto a PodSpec (the method body is not visible here).
type Scheduling struct {
	// Affinity is the pod affinity/anti-affinity; omitted from JSON when nil.
	Affinity *corev1.Affinity `json:"affinity,omitempty"`
	// Tolerations are the pod tolerations; omitted from JSON when empty.
	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
	// PriorityClass is the PriorityClass name. No omitempty: an empty string is
	// serialized as-is, so a zero-value Scheduling round-trips as an explicit ""
	// rather than "unset".
	PriorityClass string `json:"priorityClass"`
	// NodeSelector is the node selector. No omitempty, so a nil map serializes
	// as null; how ApplyTo treats an empty value is not visible here.
	NodeSelector map[string]string `json:"nodeSelector"`
}
func (*Scheduling) ApplyTo ¶
func (s *Scheduling) ApplyTo(podSpec *corev1.PodSpec)
type SecurityContextSpec ¶
// SecurityContextSpec maps a container name to the SecurityContext to apply
// to it (ApplyToContainer takes the name explicitly; ApplyTo presumably matches
// containers in the PodSpec by name). Depending on how the apply merges -- not
// visible here -- an entry can relax as well as tighten settings such as
// runAsUser, privilege escalation or capabilities, so review these values like
// any other privileged configuration.
type SecurityContextSpec map[string]corev1.SecurityContext
func (SecurityContextSpec) ApplyTo ¶
func (s SecurityContextSpec) ApplyTo(podSpec *corev1.PodSpec)
func (SecurityContextSpec) ApplyToContainer ¶
func (s SecurityContextSpec) ApplyToContainer(name string, c *corev1.Container)
type StartupProbes ¶ added in v0.1.55
func (StartupProbes) ApplyTo ¶ added in v0.1.55
func (p StartupProbes) ApplyTo(podSpec *corev1.PodSpec)
func (StartupProbes) ApplyToContainer ¶ added in v0.1.55
func (p StartupProbes) ApplyToContainer(container string, c *corev1.Container)