Documentation
Index ¶
Constants ¶
// Names shared by the application-layer (L7) renderer: the component itself,
// the log-collector DaemonSet and its containers, the volumes mounted into
// them, the Envoy ConfigMap, and the WAF ruleset ConfigMaps. Values are
// Kubernetes object and volume names; the *Path constants are container-side
// mount paths.
const (
	// Component identity.
	APLName  = "application-layer"
	RoleName = "application-layer" // same value as APLName; presumably a role label value — confirm against callers

	// The L7 log-collector DaemonSet and the containers it runs.
	ApplicationLayerDaemonsetName = "l7-log-collector"
	L7CollectorContainerName      = "l7-collector"
	ProxyContainerName            = "envoy-proxy"
	DikastesContainerName         = "dikastes"

	// Volumes shared between the containers above.
	L7CollectorSocksVolumeName = "l7-collector-socks"
	EnvoyLogsVolumeName        = "envoy-logs"
	FelixSync                  = "felix-sync"
	DikastesSyncVolumeName     = "dikastes-sync"

	// Envoy configuration ConfigMap and the key that holds the rendered config.
	EnvoyConfigMapName = "envoy-config"
	EnvoyConfigMapKey  = "envoy-config.yaml"

	// WAF configuration: the ruleset ConfigMap and the default core ruleset are
	// mounted side by side under /etc/waf.
	WAFConfigVolumeName          = "tigera-waf-config"
	WAFConfigVolumePath          = "/etc/waf"
	WAFRulesetConfigMapName      = "tigera-waf-config" // same value as WAFConfigVolumeName
	DefaultCoreRulesetVolumeName = "coreruleset-default"
	DefaultCoreRulesetVolumePath = "/etc/waf/coreruleset"
	DefaultCoreRuleset           = "coreruleset-default" // same value as DefaultCoreRulesetVolumeName
	// WAFConfigHashAnnotation presumably carries a hash of the WAF ConfigMap
	// contents so that a ruleset change rolls the DaemonSet Pods — confirm in
	// the renderer.
	WAFConfigHashAnnotation = "hash.operator.tigera.io/tigera-waf-config"

	// Calico log directory: volume name and container-side path.
	CalicoLogsVolumeName = "var-log-calico"
	// NOTE(review): casing ("Calicologs") is inconsistent with
	// CalicoLogsVolumeName; the exported name is kept because renaming would
	// break callers.
	CalicologsVolumePath = "/var/log/calico"
)
// Names and port for the WAF SecLang validating admission webhook. The webhook
// is served in-process by calico-kube-controllers rather than by a dedicated
// Deployment, so these values must stay in sync with pkg/render/kubecontrollers.
const (
	// WAFWebhookServerTLSSecretName is the serving-cert Secret for the in-process
	// WAF admission webhook, issued for the WAFWebhookServiceName DNS name and
	// mounted into calico-kube-controllers.
	WAFWebhookServerTLSSecretName = "calico-kube-controllers-waf-webhook-tls"

	// WAFWebhookServiceName fronts the WAF SecLang validating admission webhook.
	// The webhook is served in-process by the calico-kube-controllers Pod (see
	// tigera/calico-private kube-controllers applicationlayer manager), so this
	// Service selects the kube-controllers Pod rather than a dedicated
	// Deployment. The webhook serving certificate is issued for this Service's
	// DNS name and mounted into kube-controllers (see pkg/render/kubecontrollers).
	WAFWebhookServiceName = "tigera-waf-webhook"

	// WAFWebhookContainerPort is the in-process webhook server port on the
	// calico-kube-controllers Pod (controller-runtime webhook server). Must match
	// the port the kube-controllers applicationlayer manager listens on. Shared
	// with pkg/render/kubecontrollers (container port + NetworkPolicy ingress).
	WAFWebhookContainerPort = int32(9443)
)
Variables ¶
This section is empty.
Functions ¶
func ApplicationLayer ¶
func WAFAdmissionWebhookComponents ¶
WAFAdmissionWebhookComponents returns the objects required to expose the WAF SecLang validating admission webhook: a Service fronting the calico-kube-controllers Pod and the ValidatingWebhookConfiguration that points at it. The webhook itself runs in-process inside calico-kube-controllers — no separate Deployment, ServiceAccount, or ClusterRole; it reuses the kube-controllers ServiceAccount and ClusterRole (RBAC is rendered in pkg/render/kubecontrollers). The caller passes caBundle — the PEM of the CA that issued the webhook serving certificate (the operator CA) — so the API server can verify the certificate presented by the in-process webhook endpoint.
The caller is responsible for invoking this only when the gateway-addons license feature is present and the GatewayAPI WAF extension is enabled.
Types ¶
type Config ¶
// Config contains all the config information ApplicationLayer needs to render
// the component. The fields under "Required config" must be set; each optional
// group below enables one feature of the rendered L7 DaemonSet.
type Config struct {
	// Required config.
	PullSecrets  []*corev1.Secret
	Installation *operatorv1.InstallationSpec
	OsType       rmeta.OSType

	// Optional config for WAF. WAFRulesetConfigMap holds the ruleset and
	// DefaultCoreRulesetConfigMap the default core ruleset; presumably these are
	// mounted under the WAF volume paths declared in this package — confirm
	// against the renderer.
	PerHostWAFEnabled           bool
	WAFRulesetConfigMap         *corev1.ConfigMap
	DefaultCoreRulesetConfigMap *corev1.ConfigMap

	// Optional config for L7 logs. LogRequestsPerInterval and LogIntervalSeconds
	// are pointers, presumably nil when the caller does not override the
	// collector's defaults — confirm in the renderer.
	PerHostLogsEnabled     bool
	LogRequestsPerInterval *int64
	LogIntervalSeconds     *int64

	// Optional config for ALP (application-layer policy).
	PerHostALPEnabled bool

	// Optional config for SidecarInjection.
	SidecarInjectionEnabled bool

	// Envoy user-configurable overrides for X-Forwarded-For handling.
	// NOTE(review): the client address Envoy attributes a request to depends on
	// how many XFF hops are trusted; a hop count larger than the number of
	// proxies actually in front of Envoy lets a client influence the observed
	// source address. These presumably map to Envoy's use_remote_address /
	// xff_num_trusted_hops — confirm in the Envoy config template.
	UseRemoteAddressXFF bool
	NumTrustedHopsXFF   int32

	// ApplicationLayer is the ApplicationLayer custom resource being rendered.
	ApplicationLayer *operatorv1.ApplicationLayer

	// contains filtered or unexported fields
}
Config contains all the config information ApplicationLayer needs to render the component.