- func GatewayAPICRDs(provider operatorv1.Provider, scheme *runtime.Scheme) (essentialCRDs, optionalCRDs []client.Object, err error)
- func GatewayAPIImplementationComponent(cfg *GatewayAPIImplementationConfig) (render.Component, error)
- func GatewayNamespaceRoleBinding(namespace string) *rbacv1.RoleBinding
- func GatewayNamespaceServiceAccount(namespace string) *corev1.ServiceAccount
- func K8SGatewayAPICRDs(provider operatorv1.Provider, scheme *runtime.Scheme) (essentialCRDs, optionalCRDs []client.Object, err error)
- type GatewayAPIImplementationConfig
- type GatewayAPIImplementationConfigInterface
Constants ¶
// Names and selectors for the envoy-gateway installation that runs in the Calico system
// namespace (DeploymentNamespace); the proxies themselves run in each Gateway's own namespace.
const (
	// ReleaseName is the name of the gateway API release.
	ReleaseName = "tigera-gateway-api"
	// ControllerName is the controller identifier "gateway.envoyproxy.io/gatewayclass-controller";
	// presumably the controllerName that GatewayClasses reference — confirm against the renderer.
	ControllerName = "gateway.envoyproxy.io/gatewayclass-controller"
	// GatewayClassName is the name of the GatewayClass associated with this installation.
	GatewayClassName = "tigera-gateway-class"
	// DeploymentNamespace is the namespace the envoy-gateway controller is deployed into
	// (common.CalicoNamespace).
	DeploymentNamespace = common.CalicoNamespace
	// ControllerPolicyName is the name of the Calico component policy for the envoy-gateway controller.
	ControllerPolicyName = networkpolicy.CalicoComponentPolicyPrefix + "envoy-gateway"
	// EnvoyGatewayPolicySelector is a Calico selector matching pods whose k8s-app label is either
	// the controller label or the certgen label; presumably the endpoint selector of the policy
	// named ControllerPolicyName — confirm against the renderer.
	EnvoyGatewayPolicySelector = "k8s-app == '" + GatewayControllerLabel + "' || k8s-app == '" + GatewayCertgenLabel + "'"
)
A single envoy-gateway install runs in calico-system with deploy.type=GatewayNamespace, so the proxies run in each Gateway's own namespace.
// Names used for the Gateway API workloads, their k8s-app labels, and the envoy-gateway
// configuration object.
const (
	// GatewayAPIName is the base name from which the controller and certgen labels are derived.
	GatewayAPIName = "calico-gateway-api"
	// GatewayControllerLabel is the k8s-app label value of the envoy-gateway controller pods.
	GatewayControllerLabel = GatewayAPIName + "-controller"
	// GatewayCertgenLabel is the k8s-app label value of the envoy-gateway certgen pods.
	GatewayCertgenLabel = GatewayAPIName + "-certgen"
	// EnvoyGatewayConfigName is the name of the object holding the envoy-gateway configuration
	// (presumably a ConfigMap — confirm against the renderer).
	EnvoyGatewayConfigName = "envoy-gateway-config"
	// EnvoyGatewayConfigKey is the key within that object under which the configuration is stored.
	EnvoyGatewayConfigKey = "envoy-gateway.yaml"
	// EnvoyGatewayDeploymentContainerName is the container name used in the envoy-gateway Deployment.
	EnvoyGatewayDeploymentContainerName = "envoy-gateway"
	// EnvoyGatewayJobContainerName is the container name used in the envoy-gateway certgen Job.
	EnvoyGatewayJobContainerName = "envoy-gateway-certgen"
)
// GatewayNamespacesCRBName is the name of the shared ClusterRoleBinding that binds the
// waf-http-filter ClusterRole to ServiceAccounts in all Gateway namespaces. Its subjects are
// kept in sync from GatewayAPIImplementationConfig.GatewayNamespaces. Because it is a
// ClusterRoleBinding, every listed ServiceAccount receives the ClusterRole's rules
// cluster-wide; the namespace-scoped Gateway API read access is granted separately by
// GatewayNamespaceRoleBinding.
const GatewayNamespacesCRBName = wafFilterName + "-gateway-namespaces"
GatewayNamespacesCRBName is the name of the shared ClusterRoleBinding that binds the waf-http-filter ClusterRole to ServiceAccounts in all Gateway namespaces.
Variables ¶
// Environment variables whose values are taken from the pod's own metadata through the
// Kubernetes downward API (FieldRef), so a container can identify itself and the Gateway it
// belongs to without querying the API server.
var (
	// Logger gateway name and namespace are set from the k8s downward API pod metadata.
	GatewayNameEnvVar = corev1.EnvVar{
		Name: "LOGGER_GATEWAY_NAME",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{
				FieldPath: "metadata.name",
			},
		},
	}
	GatewayNamespaceEnvVar = corev1.EnvVar{
		Name: "LOGGER_GATEWAY_NAMESPACE",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{
				FieldPath: "metadata.namespace",
			},
		},
	}
	// Owning Gateway name and namespace are exposed via pod labels set by EnvoyProxy.
	// These allow the l7-log-collector to know which Gateway it is collecting logs for
	// without needing to query the Kubernetes API. The values come from the pod's own
	// labels, so they are only as trustworthy as whatever wrote those labels.
	OwningGatewayNameEnvVar = corev1.EnvVar{
		Name: "OWNING_GATEWAY_NAME",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{
				FieldPath: "metadata.labels['gateway.envoyproxy.io/owning-gateway-name']",
			},
		},
	}
	OwningGatewayNamespaceEnvVar = corev1.EnvVar{
		Name: "OWNING_GATEWAY_NAMESPACE",
		ValueFrom: &corev1.EnvVarSource{
			FieldRef: &corev1.ObjectFieldSelector{
				FieldPath: "metadata.labels['gateway.envoyproxy.io/owning-gateway-namespace']",
			},
		},
	}
)
var (
	// AccessLogType is the Envoy proxy access log type ("Route") used by this package.
	// It is a package-level var rather than a const, presumably so it can be overridden
	// (e.g. in tests) — confirm against callers.
	AccessLogType envoyapi.ProxyAccessLogType = "Route"
)
Functions ¶
func GatewayAPICRDs ¶
func GatewayAPICRDs(provider operatorv1.Provider, scheme *runtime.Scheme) (essentialCRDs, optionalCRDs []client.Object, err error)
GatewayAPICRDs returns the Kubernetes Gateway API CRDs and the Envoy CRDs together; both sets are needed to deploy Calico Gateway API.
func GatewayAPIImplementationComponent ¶
func GatewayAPIImplementationComponent(cfg *GatewayAPIImplementationConfig) (render.Component, error)
func GatewayNamespaceRoleBinding ¶
func GatewayNamespaceRoleBinding(namespace string) *rbacv1.RoleBinding
GatewayNamespaceRoleBinding returns the waf-http-filter-gateway-resources RoleBinding for a Gateway namespace. It scopes the WAF ServiceAccount's Gateway API read access to that namespace alone (least privilege for proxies running in user namespaces).
func GatewayNamespaceServiceAccount ¶
func GatewayNamespaceServiceAccount(namespace string) *corev1.ServiceAccount
GatewayNamespaceServiceAccount returns the waf-http-filter ServiceAccount for a Gateway namespace.
func K8SGatewayAPICRDs ¶ added in v1.40.3
Types ¶
type GatewayAPIImplementationConfig ¶
// GatewayAPIImplementationConfig carries the inputs that GatewayAPIImplementationComponent
// uses to render the Gateway API implementation.
type GatewayAPIImplementationConfig struct {
	// Scheme is the runtime scheme; presumably used for object type registration when
	// rendering — confirm against the component.
	Scheme *runtime.Scheme
	// Installation is the Calico installation spec the component is rendered for.
	Installation *operatorv1.InstallationSpec
	// GatewayAPI is the operator's GatewayAPI resource that drives this component.
	GatewayAPI *operatorv1.GatewayAPI
	// PullSecrets are image pull secrets; presumably attached to the rendered workloads.
	PullSecrets []*corev1.Secret
	// CustomEnvoyGateway, when non-nil, is a user-supplied EnvoyGateway configuration.
	CustomEnvoyGateway *envoyapi.EnvoyGateway
	// CustomEnvoyProxies holds user-supplied EnvoyProxy resources keyed by name
	// (presumably the GatewayClass name — confirm against the caller).
	CustomEnvoyProxies map[string]*envoyapi.EnvoyProxy
	// CurrentGatewayClasses is a set of GatewayClass names; presumably those currently
	// present in the cluster — confirm against the caller.
	CurrentGatewayClasses set.Set[string]
	// IncludeV3NetworkPolicy selects whether the v3 network policy is included in the
	// rendered output (inferred from the name — confirm against the component).
	IncludeV3NetworkPolicy bool
	// GatewayNamespaces is the list of namespaces containing a Gateway managed by
	// this operator, used to keep the shared WAF CRB's subjects in sync (Enterprise only).
	GatewayNamespaces []string
	// TrustedBundle carries the public CA bundle (extracted from the operator's UBI
	// base image) plus Calico's internal CA. Mounted on the envoy-gateway controller
	// and on every provisioned envoy-proxy pod so outbound TLS (OCI wasm fetch,
	// JWT/OIDC providers, public upstreams, tracing exporters) can validate peers.
	TrustedBundle certificatemanagement.TrustedBundle
}
type GatewayAPIImplementationConfigInterface ¶
// GatewayAPIImplementationConfigInterface is implemented by values that expose a
// GatewayAPIImplementationConfig.
type GatewayAPIImplementationConfigInterface interface {
	// GetConfig returns the configuration used to render the Gateway API implementation.
	GetConfig() *GatewayAPIImplementationConfig
}