controller

package
v0.0.0-...-78c2b3f Latest

This package is not in the latest version of its module.

Published: May 28, 2026 License: Apache-2.0 Imports: 53 Imported by: 0

Documentation

Constants

const (

	// ControllerAgentName distinguishes this controller from other things writing to API objects
	ControllerAgentName = "sessiongate-controller"

	// LabelManagedBy identifies resources managed by the sessiongate controller
	LabelManagedBy = "app.kubernetes.io/managed-by"

	// AnnotationSessiongate identifies the namespace/session pair that the resource belongs to
	// this is used on resources where owner references are not possible (e.g. cross cluster resources)
	AnnotationSessiongate = "sessiongate.aro-hcp.azure.com/session"

	// RSAKeySize is the size in bits for RSA private keys generated for session credentials
	RSAKeySize = 2048

	// MCProviderCacheSyncTimeout is the maximum time to wait for management cluster
	// informer caches to sync during provider registration
	MCProviderCacheSyncTimeout = 30 * time.Second

	// MinCSRExpirationSeconds is the minimum CSR expiration allowed by Kubernetes (10 minutes).
	// See https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
	MinCSRExpirationSeconds = 600
)
const (
	// CSRSignerNameTemplate must match the hypershift CSR approver.
	// See: https://github.com/openshift/hypershift/blob/main/control-plane-operator/controllers/hostedcontrolplane/csr/reconcile.go
	CSRSignerNameTemplate = "hypershift.openshift.io/%s.sre-break-glass"
)

Variables

This section is empty.

Functions

func CSRCommonName

func CSRCommonName(user string) string

func CSRSignerName

func CSRSignerName(hcpNamespace string) string

CSRSignerName returns the signer name for break-glass CSRs in the given HCP namespace.

func CompareWithFixture

func CompareWithFixture(t *testing.T, output interface{}, opts ...cmp.Option)

CompareWithFixture compares output with a test fixture and allows the fixtures to be updated automatically by setting the UPDATE env var. The output is serialized as YAML prior to the comparison. The fixtures are stored in testdata/zz_fixture_${testName}.yaml

func CredentialsNotAvailableCondition

func CredentialsNotAvailableCondition(reason, message string, generation int64, now time.Time) *applyv1.ConditionApplyConfiguration

func HostedControlPlaneAvailableCondition

func HostedControlPlaneAvailableCondition(generation int64, now time.Time) *applyv1.ConditionApplyConfiguration

func HostedControlPlaneNotAvailableCondition

func HostedControlPlaneNotAvailableCondition(reason, message string, generation int64, now time.Time) *applyv1.ConditionApplyConfiguration

func ManagedByLabelSelector

func ManagedByLabelSelector() string

ManagedByLabelSelector returns a label selector string for resources managed by this controller. It is used to filter informers so that they only watch resources created and managed by sessiongate-controller.

func NotReadyCondition

func NotReadyCondition(generation int64, now time.Time) *applyv1.ConditionApplyConfiguration

func RunWithLeaderElection

func RunWithLeaderElection(ctx context.Context, controllerName string, config *LeaderElectionConfig, run func() error) error

RunWithLeaderElection wraps a controller with leader election using a Kubernetes Lease. Only the pod that acquires the lease will execute the provided run function, preventing duplicate work across replicas. When leadership is lost, the controller stops gracefully.

Types

type CredentialSecret

type CredentialSecret struct {
	// contains filtered or unexported fields
}

func NewCredentialSecret

func NewCredentialSecret(secret *corev1.Secret) *CredentialSecret

func (*CredentialSecret) ApplyConfigurationForCertificate

func (c *CredentialSecret) ApplyConfigurationForCertificate(session *sessiongatev1alpha1.Session, certificate []byte) *corev1apply.SecretApplyConfiguration

func (*CredentialSecret) ApplyConfigurationForPrivateKey

func (c *CredentialSecret) ApplyConfigurationForPrivateKey(session *sessiongatev1alpha1.Session, privateKey *rsa.PrivateKey) *corev1apply.SecretApplyConfiguration

func (*CredentialSecret) GetCertificate

func (c *CredentialSecret) GetCertificate() ([]byte, bool)

func (*CredentialSecret) GetPrivateKey

func (c *CredentialSecret) GetPrivateKey() (*rsa.PrivateKey, bool)

func (*CredentialSecret) GetPrivateKeyBytes

func (c *CredentialSecret) GetPrivateKeyBytes() ([]byte, bool)

type DataplaneController

type DataplaneController struct {
	// contains filtered or unexported fields
}

This is the data plane controller. It reacts to sessions becoming ready by registering them with the proxy registry, and to sessions being deleted by unregistering them from the proxy registry.

func NewDataplaneController

func NewDataplaneController(
	ctx context.Context,
	logger klog.Logger,
	sessiongateInformers sessiongateinformers.SharedInformerFactory,
	kubeInformers kubeinformers.SharedInformerFactory,
	registry registry.SessionRegistry,
	eventRecorder record.EventRecorder,
) (*DataplaneController, error)

func (*DataplaneController) Run

func (c *DataplaneController) Run(ctx context.Context, workers int) error

type LeaderElectionConfig

type LeaderElectionConfig struct {
	LockName      string
	LeaseDuration time.Duration
	RenewDeadline time.Duration
	RetryPeriod   time.Duration
	Namespace     string
	KubeConfig    *rest.Config
}

LeaderElectionConfig holds configuration for leader election

type ManagementClusterProvider

type ManagementClusterProvider struct {
	DynamicClient    dynamic.Interface
	DynamicInformers dynamicinformer.DynamicSharedInformerFactory
	KubeClient       kubernetes.Interface
	KubeInformers    kubeinformers.SharedInformerFactory
	// contains filtered or unexported fields
}

ManagementClusterProvider implements the ManagementClusterQuerier interface.

func (*ManagementClusterProvider) GetCSR

func (d *ManagementClusterProvider) GetCSR(name string) (*certificatesv1.CertificateSigningRequest, error)

func (*ManagementClusterProvider) GetCSRApproval

func (d *ManagementClusterProvider) GetCSRApproval(hostedControlPlaneNamespace, name string) (*certificatesv1alpha1.CertificateSigningRequestApproval, error)

func (*ManagementClusterProvider) GetHostedControlPlane

func (d *ManagementClusterProvider) GetHostedControlPlane(namespace string) (*hypershiftv1beta1.HostedControlPlane, error)

type ManagementClusterProviderFactory

type ManagementClusterProviderFactory struct {
	// contains filtered or unexported fields
}

func NewManagementClusterProviderFactory

func NewManagementClusterProviderFactory(azureCredentials azcore.TokenCredential) *ManagementClusterProviderFactory

func (*ManagementClusterProviderFactory) BuildManagementClusterProvider

func (f *ManagementClusterProviderFactory) BuildManagementClusterProvider(ctx context.Context, resourceId string) (*ManagementClusterProvider, error)

type ManagementClusterQuerier

type ManagementClusterQuerier interface {
	GetHostedControlPlane(namespace string) (*hypershiftv1beta1.HostedControlPlane, error)
	GetCSR(name string) (*certificatesv1.CertificateSigningRequest, error)
	GetCSRApproval(namespace, name string) (*certificatesv1alpha1.CertificateSigningRequestApproval, error)
}

ManagementClusterQuerier provides read access to management cluster resources via informer listers.

type SessionController

type SessionController struct {
	// contains filtered or unexported fields
}

func NewSessionController

func NewSessionController(
	kubeClient kubernetes.Interface,
	sessiongateClient sessiongateclient.Interface,
	sessiongateInformers sessiongateinformers.SharedInformerFactory,
	kubeinformers kubeinformers.SharedInformerFactory,
	eventRecorder record.EventRecorder,
	namespace string,
	managementClusterProviderFactory *ManagementClusterProviderFactory,
	endpointProvider SessionEndpointProvider,
) (*SessionController, error)

func (*SessionController) Run

func (c *SessionController) Run(ctx context.Context, workers int) error

type SessionEndpointProvider

type SessionEndpointProvider interface {
	GetSessionEndpoint(sessionID string) string
}

SessionEndpointProvider provides session endpoint URLs

type Status

type Status struct {
	// contains filtered or unexported fields
}

func NewStatus

func NewStatus(status sessiongatev1alpha1.SessionStatus) *Status

func (*Status) AsApplyConfiguration

AsApplyConfiguration returns the apply configuration for the status and a boolean indicating if the status needs to be updated. The needsUpdate check is required because the controller uses an action-based reconciliation pattern where each sync loop performs at most one mutating action. The controller must know whether a status update is necessary before deciding to emit it as the action for the current loop iteration, rather than falling through to the next step.
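As an added illustration of the needsUpdate contract described above (hypothetical code written for this page, not the project's own; Condition, StatusBuilder and SyncOnce are constructed stand-ins for the page's types), this shows why a builder must report "no update" when the desired status equals the observed one:

```go
package main
// Condition is a constructed stand-in for the page's ConditionApplyConfiguration.
type Condition struct {
	Type, Status, Reason string
}

// StatusBuilder is a hypothetical, simplified model of the page's Status type.
type StatusBuilder struct {
	observed map[string]Condition // conditions last seen on the Session object
	desired  map[string]Condition // observed plus whatever the With* calls changed
}

func NewStatusBuilder(observed []Condition) *StatusBuilder {
	s := &StatusBuilder{observed: map[string]Condition{}, desired: map[string]Condition{}}
	for _, c := range observed {
		s.observed[c.Type] = c
		s.desired[c.Type] = c
	}
	return s
}

// WithConditions merges the given conditions into the desired state, keyed by type.
func (s *StatusBuilder) WithConditions(updated ...Condition) *StatusBuilder {
	for _, c := range updated {
		s.desired[c.Type] = c
	}
	return s
}

// AsApplyConfiguration returns the desired conditions and whether they differ from the
// observed ones; an identical re-apply must not count, or the loop would spend its action on a no-op.
func (s *StatusBuilder) AsApplyConfiguration() (map[string]Condition, bool) {
	needsUpdate := len(s.desired) != len(s.observed)
	for typ, c := range s.desired {
		if prev, ok := s.observed[typ]; !ok || prev != c {
			needsUpdate = true
		}
	}
	return s.desired, needsUpdate
}

// SyncOnce models one iteration of the action-based loop: a pending status update is the only
// mutation performed; otherwise control falls through to nextStep (hypothetical, e.g. ensuring a Secret).
func SyncOnce(s *StatusBuilder, nextStep func() error) (string, error) {
	if _, needsUpdate := s.AsApplyConfiguration(); needsUpdate {
		return "status-update", nil // the server-side apply of the status would go here
	}
	return "next-step", nextStep()
}
```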

func (*Status) WithBackendKASURL

func (s *Status) WithBackendKASURL(url string) *Status

func (*Status) WithConditions

func (s *Status) WithConditions(updated ...*applyv1.ConditionApplyConfiguration) *Status

func (*Status) WithCredentialsSecretRef

func (s *Status) WithCredentialsSecretRef(ref string) *Status

func (*Status) WithEndpoint

func (s *Status) WithEndpoint(endpoint string) *Status

func (*Status) WithExpiresAt

func (s *Status) WithExpiresAt(expiresAt metav1.Time) *Status
