openshift

package
Published: Mar 21, 2024 License: AGPL-3.0 Imports: 24 Imported by: 0


Constants

This section is empty.

Variables

// Ports of the OpenPolicyAgent (opa-openshift) sidecar that is merged into the
// gateway deployment. The gateway hands authorization requests to this sidecar,
// and the gateway Service/ServiceMonitor expose its metrics port.
var (
	// GatewayOPAHTTPPort is the HTTP port the OpenPolicyAgent sidecar serves on.
	GatewayOPAHTTPPort int32 = 8082
	// GatewayOPAInternalPort is the HTTP port the OpenPolicyAgent sidecar
	// exposes its metrics on.
	GatewayOPAInternalPort int32 = 8083

	// GatewayOPAHTTPPortName is the container port name for GatewayOPAHTTPPort.
	GatewayOPAHTTPPortName = "public"
	// GatewayOPAInternalPortName is the container port name for
	// GatewayOPAInternalPort.
	GatewayOPAInternalPortName = "opa-metrics"
)

// Annotation keys consumed by the OpenShift service-ca (cert-signing) operator.
// They drive the certificate material the gateway and components use to
// verify each other over TLS.
var (
	// ServingCertKey, set on a Service, asks the cert-signing service to create
	// a key/cert pair signed by the service CA and to store it in a Secret
	// named by the annotation value (conventionally the service's own name).
	ServingCertKey = "service.beta.openshift.io/serving-cert-secret-name"
	// InjectCABundleKey, set on a ConfigMap, asks the cert-signing service to
	// inject the service CA bundle into that ConfigMap.
	InjectCABundleKey = "service.beta.openshift.io/inject-cabundle"
)

// Namespaces and Service names of the cluster-monitoring and user-workload
// alertmanagers the ruler is wired to.
var (
	// MonitoringNS is the namespace holding cluster-monitoring objects such as
	// alertmanager.
	MonitoringNS = "openshift-monitoring"
	// MonitoringSVCMain is the name of the main alertmanager Service that
	// receives alerts.
	MonitoringSVCMain = "alertmanager-main"
	// MonitoringSVCOperated is the name of the operator-managed alertmanager
	// Service that receives alerts.
	MonitoringSVCOperated = "alertmanager-operated"

	// MonitoringSVCUserWorkload is the name of the user-workload alertmanager
	// Service.
	MonitoringSVCUserWorkload = "alertmanager-user-workload"
	// MonitoringUserWorkloadNS is the namespace holding the user-workload
	// monitoring stack.
	MonitoringUserWorkloadNS = "openshift-user-workload-monitoring"
)

Functions

func AlertingRuleTenantLabels

func AlertingRuleTenantLabels(ar *lokiv1.AlertingRule)

func BuildAlertManagerCAConfigMap

func BuildAlertManagerCAConfigMap(opts Options) *corev1.ConfigMap

BuildAlertManagerCAConfigMap returns a k8s configmap for the LokiStack alertmanager serviceCA configmap. This configmap is used to configure the ruler to verify AlertManager TLS certificates.

func BuildCredentialsRequest added in v0.6.0

func BuildCredentialsRequest(opts Options) (*cloudcredentialv1.CredentialsRequest, error)

func BuildDashboards added in v0.5.0

func BuildDashboards(operatorNs string) ([]client.Object, error)

func BuildGatewayCAConfigMap

func BuildGatewayCAConfigMap(opts Options) *corev1.ConfigMap

BuildGatewayCAConfigMap returns a k8s configmap for the LokiStack serviceCA configmap. This configmap is used to configure the gateway and components to verify TLS certificates.

func BuildGatewayClusterRole

func BuildGatewayClusterRole(opts Options) *rbacv1.ClusterRole

BuildGatewayClusterRole returns a k8s ClusterRole object for the lokistack gateway serviceaccount that allows it to create:

  • TokenReviews, to authenticate the calling user from its bearer token.
  • SubjectAccessReviews, to authorize the authenticated user, i.e. to check whether it may read or create logs.

func BuildGatewayClusterRoleBinding

func BuildGatewayClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding

BuildGatewayClusterRoleBinding returns a k8s ClusterRoleBinding object for the lokistack gateway serviceaccount that grants it access to create: - authentication.k8s.io/TokenReviews - authorization.k8s.io/SubjectAccessReviews

func BuildGatewayObjects

func BuildGatewayObjects(opts Options) []client.Object

BuildGatewayObjects returns a list of auxiliary openshift/k8s objects for lokistack gateway deployments on OpenShift.

func BuildGatewayTenantModeObjects

func BuildGatewayTenantModeObjects(opts Options) []client.Object

BuildGatewayTenantModeObjects returns a list of auxiliary openshift/k8s objects for lokistack gateway deployments on OpenShift for tenant modes: - openshift-logging - openshift-network

func BuildMonitoringRole

func BuildMonitoringRole(opts Options) *rbacv1.Role

BuildMonitoringRole returns a Role resource that defines list and watch access on pods, services and endpoints.

func BuildMonitoringRoleBinding

func BuildMonitoringRoleBinding(opts Options) *rbacv1.RoleBinding

BuildMonitoringRoleBinding returns a RoleBinding resource that binds the OpenShift Cluster Monitoring Prometheus service account `prometheus-k8s` to the LokiStack namespace to allow discovering LokiStack owned pods, services and endpoints.

func BuildRoute

func BuildRoute(opts Options) client.Object

BuildRoute builds an OpenShift route object for the LokiStack Gateway

func BuildRulerClusterRole

func BuildRulerClusterRole(opts Options) *rbacv1.ClusterRole

BuildRulerClusterRole returns a k8s ClusterRole object for the lokistack ruler serviceaccount that grants the permissions needed to send alerts to alertmanagers.

func BuildRulerClusterRoleBinding

func BuildRulerClusterRoleBinding(opts Options) *rbacv1.ClusterRoleBinding

BuildRulerClusterRoleBinding returns a k8s ClusterRoleBinding object for the lokistack ruler serviceaccount to grant access to alertmanagers.

func BuildRulerObjects

func BuildRulerObjects(opts Options) []client.Object

BuildRulerObjects returns a list of auxiliary openshift/k8s objects for lokistack ruler deployments on OpenShift.

func BuildRulerServiceAccount

func BuildRulerServiceAccount(opts Options) client.Object

BuildRulerServiceAccount returns a k8s object for the LokiStack Ruler serviceaccount. This ServiceAccount is used to authenticate to, and access, the alertmanager host.

func ConfigureGatewayDeployment

func ConfigureGatewayDeployment(
	d *appsv1.Deployment,
	mode lokiv1.ModeType,
	secretVolumeName, tlsDir string,
	minTLSVersion, ciphers string,
	withTLS bool, adminGroups []string,
) error

ConfigureGatewayDeployment merges an OpenPolicyAgent sidecar into the deployment spec. With this, the deployment routes authorization requests to the OpenShift apiserver through the sidecar. This function also forces the gateway to serve over TLS, using the given minimum TLS version and cipher list.

func ConfigureGatewayDeploymentRulesAPI

func ConfigureGatewayDeploymentRulesAPI(d *appsv1.Deployment, containerName string) error

ConfigureGatewayDeploymentRulesAPI merges CLI arguments into the gateway container so that Rules API access is allowed only for requests that carry a valid namespace for the tenant application.

func ConfigureGatewayService

func ConfigureGatewayService(s *corev1.ServiceSpec) error

ConfigureGatewayService merges the OpenPolicyAgent sidecar metrics port into the service spec. With this the metrics are exposed through the same service.

func ConfigureGatewayServiceMonitor

func ConfigureGatewayServiceMonitor(sm *monitoringv1.ServiceMonitor, withTLS bool) error

ConfigureGatewayServiceMonitor merges the OpenPolicyAgent sidecar endpoint into the service monitor. With this cluster-monitoring prometheus can scrape the sidecar metrics.

func ConfigureOptions

func ConfigureOptions(configOpt *config.Options, am, uwam bool, token, caPath, monitorServerName string) error

ConfigureOptions applies default configuration for the use of the cluster monitoring alertmanager.

func ConfigureRulerStatefulSet

func ConfigureRulerStatefulSet(
	ss *appsv1.StatefulSet,
	alertmanagerCABundleName string,
	token, caDir, caPath string,
	monitorServerName, rulerContainerName string,
) error

ConfigureRulerStatefulSet configures the ruler to use the cluster monitoring alertmanager.

func GetTenants

func GetTenants(mode lokiv1.ModeType) []string

GetTenants returns the slice of all supported tenants for the specified mode.

func RecordingRuleTenantLabels

func RecordingRuleTenantLabels(r *lokiv1.RecordingRule)

func ServiceAccountAnnotations

func ServiceAccountAnnotations(opts Options) map[string]string

ServiceAccountAnnotations returns a map of OpenShift-specific annotations for the gateway ServiceAccount. Specifically, the serviceaccount is annotated, for each tenant, with an OAuthRedirectReference so that the serviceaccount is a valid OAuth client.

Types

type AuthenticationSpec

type AuthenticationSpec struct {
	// TenantName is the tenant's name as used in the gateway tenants configuration.
	TenantName     string
	// TenantID is the tenant's identifier.
	TenantID       string
	// ServiceAccount is the serviceaccount that acts as the tenant's OAuth client
	// (it is annotated with an OAuthRedirectReference; see ServiceAccountAnnotations).
	ServiceAccount string
	// RedirectURL is the OAuth redirect URL registered for the tenant.
	RedirectURL    string
	// CookieSecret is secret material for the tenant's auth cookie. It is rendered
	// into the gateway tenants configuration file, so treat it as sensitive and keep
	// it out of logs, events and status. NOTE(review): whether it is used for
	// signing or encryption is not visible here — confirm against the gateway.
	CookieSecret   string
}

AuthenticationSpec describes the authentication specification for a single tenant, used to authenticate its subjects through OpenShift Auth.

type AuthorizationSpec

type AuthorizationSpec struct {
	// OPAUrl is the URL of the opa-openshift sidecar that the gateway forwards
	// authorization requests to (see ConfigureGatewayDeployment).
	OPAUrl string
}

AuthorizationSpec describes the authorization specification shared by all tenants, used to authorize access for their subjects through the opa-openshift sidecar.

type BuildOptions

type BuildOptions struct {
	// LokiStackName and LokiStackNamespace identify the LokiStack the objects belong to.
	LokiStackName                   string
	LokiStackNamespace              string
	// GatewayName is the name of the gateway deployment.
	GatewayName                     string
	// GatewaySvcName and GatewaySvcTargetPort identify the gateway Service and the
	// port the Route targets.
	GatewaySvcName                  string
	GatewaySvcTargetPort            string
	// GatewayRouteTimeout is the timeout applied to the gateway Route
	// (passed as gwWriteTimeout in NewOptions).
	GatewayRouteTimeout             time.Duration
	// RulerName is the name of the ruler statefulset.
	RulerName                       string
	// Labels are applied to every built object.
	Labels                          map[string]string
	// AlertManagerEnabled and UserWorkloadAlertManagerEnabled select whether the
	// ruler is wired to the cluster-monitoring and/or user-workload alertmanager
	// (the am/uwam flags of ConfigureOptions).
	AlertManagerEnabled             bool
	UserWorkloadAlertManagerEnabled bool
}

BuildOptions represents the set of options required to build extra lokistack gateway k8s objects (e.g. ServiceAccount, Route, RBAC) on openshift.

type Options

type Options struct {
	// BuildOpts carries the names, labels and flags needed to build the
	// auxiliary k8s objects.
	BuildOpts      BuildOptions
	// Authentication holds one entry per tenant (populated by WithTenantsForMode).
	Authentication []AuthenticationSpec
	// Authorization is the OPA sidecar configuration shared by all tenants.
	Authorization  AuthorizationSpec
	// TokenCCOAuth is the token-based Cloud Credential Operator configuration
	// consumed by BuildCredentialsRequest. NOTE(review): presumably nil when
	// token CCO auth is not in use — confirm against the callers.
	TokenCCOAuth   *config.TokenCCOAuthConfig
}

Options is the set of internal template options for rendering the lokistack-gateway tenants configuration file when the tenancy mode is openshift-logging or openshift-network.

func NewOptions

func NewOptions(
	stackName, stackNamespace string,
	gwName, gwSvcName, gwPortName string,
	gwWriteTimeout time.Duration,
	gwLabels map[string]string,
	rulerName string,
) *Options

NewOptions returns an openshift options struct.

func (*Options) WithTenantsForMode

func (o *Options) WithTenantsForMode(mode lokiv1.ModeType, gwBaseDomain string, tenantConfigMap map[string]TenantData) *Options

type TenantData

type TenantData struct {
	// CookieSecret is the cookie secret that already exists for the tenant and is
	// carried through reconcile (see WithTenantsForMode). It is sensitive: keep it
	// out of logs and status.
	CookieSecret string
}

TenantData carries the cookie secret that already exists for a tenant, for use during LokiStack reconcile.

Directories

Path Synopsis
internal
