Documentation
Index
- Constants
- func AddObjectsToInventory(inv *kustomizev1.ResourceInventory, set *ssa.ChangeSet) error
- func DiffInventory(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInventory) ([]*unstructured.Unstructured, error)
- func IsEncryptedSecret(object *unstructured.Unstructured) bool
- func ListMetaInInventory(inv *kustomizev1.ResourceInventory) (object.ObjMetadataSet, error)
- func ListObjectsInInventory(inv *kustomizev1.ResourceInventory) ([]*unstructured.Unstructured, error)
- func MkdirTempAbs(dir, pattern string) (string, error)
- func NewInventory() *kustomizev1.ResourceInventory
- type KustomizationReconciler
- type KustomizationReconcilerOptions
- type KustomizeDecryptor
- func (d *KustomizeDecryptor) DecryptEnvSources(path string) error
- func (d *KustomizeDecryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error)
- func (d *KustomizeDecryptor) ImportKeys(ctx context.Context) error
- func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) ([]byte, error)
- type KustomizeGenerator
- type KustomizeImpersonation
- type SourceRevisionChangePredicate
Constants
const (
	// DecryptionProviderSOPS is the SOPS provider name.
	DecryptionProviderSOPS = "sops"

	// DecryptionPGPExt is the extension of the file containing an armored PGP
	// key.
	DecryptionPGPExt = ".asc"

	// DecryptionAgeExt is the extension of the file containing an age key
	// file.
	DecryptionAgeExt = ".agekey"

	// DecryptionVaultTokenFileName is the name of the file containing the
	// Hashicorp Vault token.
	DecryptionVaultTokenFileName = "sops.vault-token"

	// DecryptionAWSKmsFile is the name of the file containing the AWS KMS
	// credentials.
	DecryptionAWSKmsFile = "sops.aws-kms"

	// DecryptionAzureAuthFile is the name of the file containing the Azure
	// credentials.
	DecryptionAzureAuthFile = "sops.azure-kv"

	// DecryptionGCPCredsFile is the name of the file containing the GCP
	// credentials.
	DecryptionGCPCredsFile = "sops.gcp-kms"
)
Variables
This section is empty.
Functions
func AddObjectsToInventory (added in v0.15.0)
func AddObjectsToInventory(inv *kustomizev1.ResourceInventory, set *ssa.ChangeSet) error
AddObjectsToInventory extracts the metadata from the given objects and adds it to the inventory.
func DiffInventory (added in v0.15.0)
func DiffInventory(inv *kustomizev1.ResourceInventory, target *kustomizev1.ResourceInventory) ([]*unstructured.Unstructured, error)
DiffInventory returns the slice of objects that do not exist in the target inventory.
func IsEncryptedSecret (added in v0.17.0)
func IsEncryptedSecret(object *unstructured.Unstructured) bool
IsEncryptedSecret checks if the given object is a Kubernetes Secret encrypted with Mozilla SOPS.
func ListMetaInInventory (added in v0.15.0)
func ListMetaInInventory(inv *kustomizev1.ResourceInventory) (object.ObjMetadataSet, error)
ListMetaInInventory returns the inventory entries as object.ObjMetadata objects.
func ListObjectsInInventory (added in v0.15.0)
func ListObjectsInInventory(inv *kustomizev1.ResourceInventory) ([]*unstructured.Unstructured, error)
ListObjectsInInventory returns the inventory entries as unstructured.Unstructured objects.
func MkdirTempAbs (added in v0.24.3)
func MkdirTempAbs(dir, pattern string) (string, error)
MkdirTempAbs creates a temporary directory and returns the absolute path to it. This is required because certain operating systems, macOS for example, create temporary files in e.g. `/private/var`, to which `/var` is a symlink.
func NewInventory (added in v0.15.0)
func NewInventory() *kustomizev1.ResourceInventory
Types
type KustomizationReconciler
type KustomizationReconciler struct {
	client.Client
	Scheme                *runtime.Scheme
	EventRecorder         kuberecorder.EventRecorder
	MetricsRecorder       *metrics.Recorder
	StatusPoller          *polling.StatusPoller
	ControllerName        string
	NoCrossNamespaceRefs  bool
	NoRemoteBases         bool
	DefaultServiceAccount string
	KubeConfigOpts        runtimeClient.KubeConfigOptions
	// contains filtered or unexported fields
}
KustomizationReconciler reconciles a Kustomization object
func (*KustomizationReconciler) SetupWithManager
func (r *KustomizationReconciler) SetupWithManager(mgr ctrl.Manager, opts KustomizationReconcilerOptions) error
type KustomizationReconcilerOptions
type KustomizationReconcilerOptions struct {
	MaxConcurrentReconciles   int
	HTTPRetry                 int
	DependencyRequeueInterval time.Duration
	RateLimiter               ratelimiter.RateLimiter
}
KustomizationReconcilerOptions contains options for the KustomizationReconciler.
type KustomizeDecryptor (added in v0.0.9)
type KustomizeDecryptor struct {
// contains filtered or unexported fields
}
KustomizeDecryptor performs decryption operations for a v1beta2.Kustomization. The only supported decryption provider at present is DecryptionProviderSOPS.
func NewDecryptor (added in v0.0.9)
func NewDecryptor(root string, client client.Client, kustomization kustomizev1.Kustomization, maxFileSize int64, gnuPGHome string) *KustomizeDecryptor
NewDecryptor creates a new KustomizeDecryptor for the given kustomization. gnuPGHome can be empty, in which case the system's keyring is used.
func NewTempDecryptor (added in v0.0.9)
func NewTempDecryptor(root string, client client.Client, kustomization kustomizev1.Kustomization) (*KustomizeDecryptor, func(), error)
NewTempDecryptor creates a new KustomizeDecryptor, with a temporary GnuPG home directory to KustomizeDecryptor.ImportKeys() into.
func (*KustomizeDecryptor) DecryptEnvSources (added in v0.24.0)
func (d *KustomizeDecryptor) DecryptEnvSources(path string) error
DecryptEnvSources attempts to decrypt all types.SecretArgs FileSources and EnvSources a Kustomization file in the directory at the provided path refers to, before walking recursively over all other resources it refers to. It ignores resource references which refer to absolute or relative paths outside the working directory of the decryptor, but returns any decryption error.
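The symlink rationale behind MkdirTempAbs and the rule that DecryptEnvSources ignores references outside the decryptor's working directory are two halves of one containment check: the check only works if the root it compares against is already absolute and symlink-free. The following is an added example, not code from kustomize-controller; MkdirTempAbs and InsideRoot are reconstructions assumed from the documented behaviour, and the sample references are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// MkdirTempAbs creates a temp dir and returns its absolute, symlink-resolved
// path (assumed reconstruction, not the controller's code): on macOS the dir
// lands under /var, a symlink to /private/var, so an unresolved root never matches resolved paths.
func MkdirTempAbs(dir, pattern string) (string, error) {
	tmp, err := os.MkdirTemp(dir, pattern)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(tmp)
	if err != nil {
		return "", fmt.Errorf("resolving symlinks of %q: %w", tmp, err)
	}
	return filepath.Abs(resolved)
}

// InsideRoot reports whether ref (absolute, or relative to root) stays within
// root after cleaning, modelling the documented rule that outside references
// are ignored. root must be absolute and symlink-free; symlinks inside root are not resolved here.
func InsideRoot(root, ref string) bool {
	target := ref
	if !filepath.IsAbs(target) {
		target = filepath.Join(root, target) // Join also collapses ".." segments
	}
	rel, err := filepath.Rel(root, filepath.Clean(target))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root, err := MkdirTempAbs("", "kustomization-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, ref := range []string{"secrets/db.enc.yaml", "../other-tenant/db.enc.yaml", "/etc/passwd"} {
		fmt.Printf("%-30s inside=%v\n", ref, InsideRoot(root, ref))
	}
}
```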
func (*KustomizeDecryptor) DecryptResource (added in v0.24.0)
func (d *KustomizeDecryptor) DecryptResource(res *resource.Resource) (*resource.Resource, error)
DecryptResource attempts to decrypt the provided resource with the decryption provider specified on the Kustomization, overwriting the resource with the decrypted data. It has special support for Kubernetes Secrets with encrypted data entries while decrypting with DecryptionProviderSOPS, to allow individual data entries injected by e.g. a Kustomize secret generator to be decrypted.
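IsEncryptedSecret and the per-entry support described above both rest on the shape SOPS gives a Secret: a top-level sops metadata block and individual data values in ENC[...] form. The following is an added example, not the controller's own code: a standalone checker over a constructed Secret manifest that applies the documented kind-plus-sops test and, as an extra check the page does not describe, lists data entries that are still plaintext. The ENC[...] pattern, the sample values and the helper names are assumptions.

```go
package main

import (
	"encoding/json"
	"regexp"
	"sort"
)

// encValue: the leaf form SOPS writes, ENC[AES256_GCM,data:..,iv:..,tag:..,type:..] (assumed pattern).
var encValue = regexp.MustCompile(`^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:[a-z]+\]$`)

// Constructed sample: "password" is encrypted, "username" was left as plain base64,
// as happens when a key added after encryption is not covered by encrypted_regex.
const sampleSecret = `{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db-creds"},
 "data":{"password":"ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]","username":"YWRtaW4="},
 "sops":{"version":"3.7.3","mac":"ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]"}}`

// ParseObject decodes a JSON manifest into the generic map shape that
// unstructured.Unstructured exposes as its Object field.
func ParseObject(raw string) (map[string]interface{}, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &obj); err != nil {
		return nil, err
	}
	return obj, nil
}

// IsEncryptedSecret applies the documented contract: kind Secret plus a
// top-level sops block (assumed reimplementation, not the controller's code).
func IsEncryptedSecret(obj map[string]interface{}) bool {
	kind, _ := obj["kind"].(string)
	_, hasSops := obj["sops"]
	return kind == "Secret" && hasSops
}

// PlaintextEntries lists data/stringData entries whose value is not in
// ENC[...] form: on an encrypted Secret these would be applied as-is.
func PlaintextEntries(obj map[string]interface{}) []string {
	var leaks []string
	for _, section := range []string{"data", "stringData"} {
		entries, _ := obj[section].(map[string]interface{})
		for k, v := range entries {
			if s, ok := v.(string); !ok || !encValue.MatchString(s) {
				leaks = append(leaks, section+"."+k)
			}
		}
	}
	sort.Strings(leaks)
	return leaks
}
```

Running PlaintextEntries over a Secret that IsEncryptedSecret reports as encrypted is a cheap pre-apply check for values that a partial encryption left readable in Git.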
func (*KustomizeDecryptor) ImportKeys (added in v0.0.9)
func (d *KustomizeDecryptor) ImportKeys(ctx context.Context) error
ImportKeys imports the DecryptionProviderSOPS keys from the data values of the Secret referenced in the Kustomization's v1beta2.Decryption spec. It returns an error if the Secret cannot be retrieved, or if one of the imports fails. Imports do not have an effect after the first call to SopsDecryptWithFormat(), which initializes and caches SOPS' (local) key service server. For the import of PGP keys, the KustomizeDecryptor must be configured with an absolute GnuPG home directory path.
func (*KustomizeDecryptor) SopsDecryptWithFormat (added in v0.24.0)
func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) ([]byte, error)
SopsDecryptWithFormat attempts to load a SOPS encrypted file using the store for the input format, gathers the data key for it from the key service, and then decrypts the file data with the retrieved data key. It returns the decrypted bytes in the provided output format, or an error.
type KustomizeGenerator (added in v0.0.9)
type KustomizeGenerator struct {
// contains filtered or unexported fields
}
func NewGenerator (added in v0.0.9)
func NewGenerator(root string, kustomization kustomizev1.Kustomization) *KustomizeGenerator
func (*KustomizeGenerator) WriteFile (added in v0.0.9)
func (kg *KustomizeGenerator) WriteFile(dirPath string) error
type KustomizeImpersonation (added in v0.6.0)
KustomizeImpersonation holds the state for impersonating a service account.
func NewKustomizeImpersonation (added in v0.6.0)
func NewKustomizeImpersonation(
	kustomization kustomizev1.Kustomization,
	kubeClient client.Client,
	statusPoller *polling.StatusPoller,
	defaultServiceAccount string,
	kubeConfigOpts runtimeClient.KubeConfigOptions) *KustomizeImpersonation
NewKustomizeImpersonation creates a new KustomizeImpersonation.
func (*KustomizeImpersonation) CanFinalize (added in v0.20.0)
func (ki *KustomizeImpersonation) CanFinalize(ctx context.Context) bool
CanFinalize reports whether the given Kustomization can be finalized using impersonation.
func (*KustomizeImpersonation) GetClient (added in v0.6.0)
func (ki *KustomizeImpersonation) GetClient(ctx context.Context) (client.Client, *polling.StatusPoller, error)
GetClient creates a controller-runtime client for talking to a Kubernetes API server. If spec.KubeConfig is set, it uses the kubeconfig bytes from the referenced Kubernetes Secret. Otherwise it assumes it is running in-cluster and uses the cluster-provided kubeconfig. If --default-service-account is set and spec.ServiceAccountName is not, it uses the provided kubeconfig and impersonates the default service account. If spec.ServiceAccountName is set, it uses the provided kubeconfig and impersonates the specified service account.
type SourceRevisionChangePredicate (added in v0.2.0)
func (SourceRevisionChangePredicate) Update (added in v0.2.0)
func (SourceRevisionChangePredicate) Update(e event.UpdateEvent) bool