Documentation
Index
- Constants
- func MergeWAFPullSecret(pullSecrets []*corev1.Secret) (*corev1.Secret, []string)
- func MigrationRBACComponent(migrationActive bool) render.Component
- func NewCalicoKubeControllers(cfg *KubeControllersConfiguration) *kubeControllersComponent
- func NewCalicoKubeControllersPolicy(cfg *KubeControllersConfiguration, defaultDeny *v3.NetworkPolicy) render.Component
- func NewElasticsearchKubeControllers(cfg *KubeControllersConfiguration) *kubeControllersComponent
- type KubeControllersConfiguration
Constants
const (
	KubeController                  = "calico-kube-controllers"
	KubeControllerServiceAccount    = "calico-kube-controllers"
	KubeControllerRole              = "calico-kube-controllers"
	KubeControllerRoleBinding       = "calico-kube-controllers"
	KubeControllerMetrics           = "calico-kube-controllers-metrics"
	KubeControllerNetworkPolicyName = networkpolicy.CalicoComponentPolicyPrefix + "kube-controller-access"

	// WASMPullSecretName is the dedicated image-pull Secret (a renamed copy of
	// the install pull secret) that the WAF reconciler replicates into tenant
	// namespaces for the Coraza wasm OCI pull. A dedicated name avoids clashing
	// with the operator-managed tigera-pull-secret the GatewayAPI render also
	// copies into those namespaces (EV-6386).
	WASMPullSecretName = "tigera-waf-pull-secret"

	// WASMCACertName is the dedicated CA-bundle ConfigMap (in the controller
	// namespace) the WAF reconciler replicates into tenant namespaces for the
	// Coraza wasm OCI registry TLS check — a dedicated name avoids clashing with
	// the operator-managed tigera-ca-bundle ConfigMap the GatewayAPI render also
	// copies there (EV-6386). The source copy is a renamed copy of the trusted
	// bundle, provisioned by the core controller and passed in as WASMCACert.
	WASMCACertName = "tigera-waf-ca-bundle"

	EsKubeController                                   = "es-calico-kube-controllers"
	EsKubeControllerRole                               = "es-calico-kube-controllers"
	EsKubeControllerRoleBinding                        = "es-calico-kube-controllers"
	EsKubeControllerMetrics                            = "es-calico-kube-controllers-metrics"
	EsKubeControllerNetworkPolicyName                  = networkpolicy.CalicoComponentPolicyPrefix + "es-kube-controller-access"
	ManagedClustersWatchRoleBindingName                = "es-calico-kube-controllers-managed-cluster-watch"
	ElasticsearchKubeControllersUserSecret             = "tigera-ee-kube-controllers-elasticsearch-access"
	ElasticsearchKubeControllersUserName               = "tigera-ee-kube-controllers"
	ElasticsearchKubeControllersSecureUserSecret       = "tigera-ee-kube-controllers-elasticsearch-access-gateway"
	ElasticsearchKubeControllersVerificationUserSecret = "tigera-ee-kube-controllers-gateway-verification-credentials"
	KubeControllerPrometheusTLSSecret                  = "calico-kube-controllers-metrics-tls"

	// KubeControllersHealthPort is the port the kube-controllers HealthAggregator listens on when run from the
	// combined calico binary. The legacy per-component image uses file-based health checks instead.
	KubeControllersHealthPort = 9440
)
const (
	MigrationClusterRoleName = "calico-kube-controllers-migration"
)
Variables
This section is empty.
Functions
func MergeWAFPullSecret
func MergeWAFPullSecret(pullSecrets []*corev1.Secret) (*corev1.Secret, []string)
MergeWAFPullSecret synthesizes the dedicated WAF wasm pull secret (tigera-waf-pull-secret) by merging the registry auths of every Installation pull secret. The EnvoyExtensionPolicy image source takes a single pullSecretRef, so a merged secret is the only way to honor multiple Installation pull secrets for the Coraza wasm OCI pull (e.g. the Tigera pull secret plus credentials for a private registry mirror).
If the same registry appears in more than one secret, the first secret in Installation order wins. Secrets that cannot be parsed are skipped and their names returned, so the caller can log them without failing the reconcile. Returns a nil Secret when no registry auths could be collected.
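The merge strategy described above (per registry, the first secret in Installation order wins; secrets that cannot be parsed are skipped and their names returned; a nil Secret when nothing was collected), as an added illustration that is not the operator's own MergeWAFPullSecret. It uses a minimal local Secret struct in place of corev1.Secret and assumes the standard kubernetes.io/dockerconfigjson layout, {"auths": {"<registry>": {...}}} stored under the .dockerconfigjson key; the secret names, registries and auth strings in sampleSecrets are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Secret is a minimal stand-in for corev1.Secret (assumption: only the fields
// the merge needs are modelled).
type Secret struct {
	Name string
	Type string
	Data map[string][]byte
}

// dockerConfigJSON mirrors the kubernetes.io/dockerconfigjson payload:
// {"auths": {"<registry>": {"auth": "...", ...}}}. Entries stay raw so they
// are copied through unchanged.
type dockerConfigJSON struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

const (
	dockerConfigJSONKey  = ".dockerconfigjson"
	dockerConfigJSONType = "kubernetes.io/dockerconfigjson"
)

// mergePullSecrets merges the registry auths of pullSecrets, in the order
// given, into one secret named mergedName. The first secret that carries a
// registry wins; secrets that cannot be parsed (or lack an auths section) are
// skipped and their names returned so the caller can log them without failing.
// Returns a nil Secret when no auth was collected.
func mergePullSecrets(mergedName string, pullSecrets []*Secret) (*Secret, []string) {
	merged := dockerConfigJSON{Auths: map[string]json.RawMessage{}}
	var skipped []string
	for _, s := range pullSecrets {
		if s == nil {
			continue
		}
		var cfg dockerConfigJSON
		raw, ok := s.Data[dockerConfigJSONKey]
		if !ok || json.Unmarshal(raw, &cfg) != nil || cfg.Auths == nil {
			skipped = append(skipped, s.Name)
			continue
		}
		for registry, auth := range cfg.Auths {
			if _, taken := merged.Auths[registry]; taken {
				continue // an earlier secret already supplied this registry
			}
			merged.Auths[registry] = auth
		}
	}
	if len(merged.Auths) == 0 {
		return nil, skipped
	}
	out, err := json.Marshal(merged) // map keys are emitted sorted, so the output is stable
	if err != nil {
		return nil, skipped
	}
	return &Secret{
		Name: mergedName,
		Type: dockerConfigJSONType,
		Data: map[string][]byte{dockerConfigJSONKey: out},
	}, skipped
}

// registries lists, sorted, the registry hosts a merged secret can authenticate to.
func registries(s *Secret) []string {
	var cfg dockerConfigJSON
	if s == nil || json.Unmarshal(s.Data[dockerConfigJSONKey], &cfg) != nil {
		return nil
	}
	regs := make([]string, 0, len(cfg.Auths))
	for r := range cfg.Auths {
		regs = append(regs, r)
	}
	sort.Strings(regs)
	return regs
}

// authEntry returns the auth entry recorded for one registry, to check which source won.
func authEntry(s *Secret, registry string) (map[string]string, bool) {
	var cfg dockerConfigJSON
	if s == nil || json.Unmarshal(s.Data[dockerConfigJSONKey], &cfg) != nil {
		return nil, false
	}
	raw, ok := cfg.Auths[registry]
	if !ok {
		return nil, false
	}
	var entry map[string]string
	if err := json.Unmarshal(raw, &entry); err != nil {
		return nil, false
	}
	return entry, true
}

// sampleSecrets is constructed input: two valid pull secrets that both carry
// quay.io, one with truncated JSON and one that is not a docker config at all.
func sampleSecrets() []*Secret {
	dcj := func(name, body string) *Secret {
		return &Secret{Name: name, Type: dockerConfigJSONType, Data: map[string][]byte{dockerConfigJSONKey: []byte(body)}}
	}
	return []*Secret{
		dcj("tigera-pull-secret", `{"auths":{"quay.io":{"auth":"dGlnZXJhOnRva2VuLTE="}}}`),
		dcj("mirror-pull-secret", `{"auths":{"quay.io":{"auth":"bWlycm9yOnRva2VuLTI="},"mirror.example.internal":{"auth":"bWlycm9yOnRva2VuLTI="}}}`),
		dcj("broken-pull-secret", `{"auths":`),
		{Name: "opaque-secret", Type: "Opaque", Data: map[string][]byte{"token": []byte("x")}},
	}
}

func main() {
	merged, skipped := mergePullSecrets("tigera-waf-pull-secret", sampleSecrets())
	fmt.Println("registries:", registries(merged))
	fmt.Println("skipped (log, do not fail the reconcile):", skipped)
}
```

The merged secret keeps the quay.io entry from the first secret and gains the mirror registry from the second, while the two unusable secrets are reported by name rather than aborting the merge.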
func MigrationRBACComponent (added in v1.42.0)
func MigrationRBACComponent(migrationActive bool) render.Component
MigrationRBACComponent returns a render component that creates or deletes the migration RBAC. When migrationActive is true, kube-controllers needs broad access to both API groups to read v1 resources and write v3 resources. When false, the extra permissions are cleaned up.
func NewCalicoKubeControllers
func NewCalicoKubeControllers(cfg *KubeControllersConfiguration) *kubeControllersComponent
func NewCalicoKubeControllersPolicy (added in v1.28.0)
func NewCalicoKubeControllersPolicy(cfg *KubeControllersConfiguration, defaultDeny *v3.NetworkPolicy) render.Component
func NewElasticsearchKubeControllers
func NewElasticsearchKubeControllers(cfg *KubeControllersConfiguration) *kubeControllersComponent
Types
type KubeControllersConfiguration
type KubeControllersConfiguration struct {
	K8sServiceEp                k8sapi.ServiceEndpoint
	K8sServiceEpPodNetwork      k8sapi.ServiceEndpoint
	Installation                *operatorv1.InstallationSpec
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	Authentication              *operatorv1.Authentication
	// Whether or not the LogStorage CRD is present in the cluster.
	LogStorageExists bool
	ClusterDomain    string
	MetricsPort      int
	// For details on why this is needed see 'Node and Installation finalizer' in the core_controller.
	Terminating bool
	// Secrets - provided by the caller. Used to generate secrets in the destination
	// namespace to be returned by the renderer. The calling code is expected to
	// take care to pass the same secret on each reconcile where possible.
	KubeControllersGatewaySecret *corev1.Secret
	WASMPullSecret               *corev1.Secret
	WASMCACert                   *corev1.ConfigMap
	TrustedBundle                certificatemanagement.TrustedBundleRO
	MetricsServerTLS             certificatemanagement.KeyPairInterface
	// Namespace to be installed into.
	Namespace string
	// List of namespaces that are running a kube-controllers instance that need a cluster role binding.
	BindingNamespaces []string
	// Tenant object provides tenant configuration for both single and multi-tenant modes.
	// If this is nil, then we should run in zero-tenant mode.
	Tenant *operatorv1.Tenant
	// WAFGatewayExtensionEnabled gates the WAF v3 (Gateway API add-on) surface
	// on calico-kube-controllers: the applicationlayer controller enablement,
	// the WAF / Gateway-API / EnvoyExtensionPolicy / event / secret-replication
	// RBAC, the WASM_IMAGE / WASM_PULL_SECRET / WASM_CA_CERT env vars, and the
	// gateway envoy-proxy wasm image resolution. Sourced from
	// `GatewayAPI.spec.extensions.waf.state == Enabled` (default off).
	// See design `tigera/designs#25` (PMREQ-384).
	WAFGatewayExtensionEnabled bool
	// WAFWebhookServerTLS is the serving certificate for the in-process WAF
	// SecLang validating admission webhook hosted by calico-kube-controllers.
	// When set (WAF enabled), it is mounted into the Pod and the webhook server
	// reads it from WAF_WEBHOOK_CERT_DIR. Issued for the tigera-waf-webhook
	// Service DNS name. Nil leaves the Deployment untouched (and the in-process
	// server self-disables when the cert is absent).
	WAFWebhookServerTLS certificatemanagement.KeyPairInterface
	// WAFWebhookCABundle is the PEM of the CA that issued WAFWebhookServerTLS
	// (the operator CA), stamped into the ValidatingWebhookConfiguration's
	// caBundle so the apiserver can verify the in-process webhook endpoint.
	// Only consulted when WAFGatewayExtensionEnabled is true.
	WAFWebhookCABundle []byte
}