Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type MeshWebhook ¶
type MeshWebhook struct {
Clientset kubernetes.Interface
// ConsulClientConfig is the config to create a Consul API client.
ConsulConfig *consul.Config
// ConsulServerConnMgr is the watcher for the Consul server addresses.
ConsulServerConnMgr consul.ServerConnectionManager
// ImageConsul is the container image for Consul to use.
// ImageConsulDataplane is the container image for Envoy to use.
//
// Both of these MUST be set.
ImageConsul string
ImageConsulDataplane string
// ImageConsulK8S is the container image for consul-k8s to use.
// This image is used for the consul-sidecar container.
ImageConsulK8S string
// Optional: set when you need extra options to be set when running envoy
// See a list of args here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli
EnvoyExtraArgs string
// RequireAnnotation means that the annotation must be given to inject.
// If this is false, injection is default.
RequireAnnotation bool
// AuthMethod is the name of the Kubernetes Auth Method to
// use for identity with connectInjection if ACLs are enabled.
AuthMethod string
// The PEM-encoded CA certificate string
// to use when communicating with Consul clients over HTTPS.
// If not set, will use HTTP.
ConsulCACert string
// TLSEnabled indicates whether we should use TLS for communicating to Consul.
TLSEnabled bool
// ConsulAddress is the address of the Consul server. This should be only the
// host (i.e. not including port or protocol).
ConsulAddress string
// ConsulTLSServerName is the SNI header to use to connect to the Consul servers
// over TLS.
ConsulTLSServerName string
// ConsulPartition is the name of the Admin Partition that the controller
// is deployed in. It is an enterprise feature requiring Consul Enterprise 1.11+.
// Its value is an empty string if partitions aren't enabled.
ConsulPartition string
// EnableNamespaces indicates that a user is running Consul Enterprise
// with version 1.7+ which is namespace aware. It enables Consul namespaces,
// with injection into either a single Consul namespace or mirrored from
// k8s namespaces.
EnableNamespaces bool
// AllowK8sNamespacesSet is a set of k8s namespaces to explicitly allow for
// injection. It supports the special character `*` which indicates that
// all k8s namespaces are eligible unless explicitly denied. This filter
// is applied before checking pod annotations.
AllowK8sNamespacesSet mapset.Set
// DenyK8sNamespacesSet is a set of k8s namespaces to explicitly deny
// injection and thus service registration with Consul. An empty set
// means that no namespaces are removed from consideration. This filter
// takes precedence over AllowK8sNamespacesSet.
DenyK8sNamespacesSet mapset.Set
// ConsulDestinationNamespace is the name of the Consul namespace to register all
// injected services into if Consul namespaces are enabled and mirroring
// is disabled. This may be set, but will not be used if mirroring is enabled.
ConsulDestinationNamespace string
// EnableK8SNSMirroring causes Consul namespaces to be created to match the
// k8s namespace of any service being registered into Consul. Services are
// registered into the Consul namespace that mirrors their k8s namespace.
EnableK8SNSMirroring bool
// K8SNSMirroringPrefix is an optional prefix that can be added to the Consul
// namespaces created while mirroring. For example, if it is set to "k8s-",
// then the k8s `default` namespace will be mirrored in Consul's
// `k8s-default` namespace.
K8SNSMirroringPrefix string
// CrossNamespaceACLPolicy is the name of the ACL policy to attach to
// any created Consul namespaces to allow cross namespace service discovery.
// Only necessary if ACLs are enabled.
CrossNamespaceACLPolicy string
// Default resource settings for sidecar proxies. Some of these
// fields may be empty.
DefaultProxyCPURequest resource.Quantity
DefaultProxyCPULimit resource.Quantity
DefaultProxyMemoryRequest resource.Quantity
DefaultProxyMemoryLimit resource.Quantity
// LifecycleConfig contains proxy lifecycle management configuration from the inject-connect command and has methods to determine whether
// configuration should come from the default flags or annotations. The meshWebhook uses this to configure container sidecar proxy args.
LifecycleConfig lifecycle.Config
// Default Envoy concurrency flag, this is the number of worker threads to be used by the proxy.
DefaultEnvoyProxyConcurrency int
// MetricsConfig contains metrics configuration from the inject-connect command and has methods to determine whether
// configuration should come from the default flags or annotations. The meshWebhook uses this to configure prometheus
// annotations and the merged metrics server.
MetricsConfig metrics.Config
// Resource settings for init container. All of these fields
// will be populated by the defaults provided in the initial flags.
InitContainerResources corev1.ResourceRequirements
// Resource settings for Consul sidecar. All of these fields
// will be populated by the defaults provided in the initial flags.
DefaultConsulSidecarResources corev1.ResourceRequirements
// EnableTransparentProxy enables transparent proxy mode.
// This means that the injected init container will apply traffic redirection rules
// so that all traffic will go through the Envoy proxy.
EnableTransparentProxy bool
// EnableCNI enables the CNI plugin and prevents the connect-inject init container
// from running the consul redirect-traffic command as the CNI plugin handles traffic
// redirection
EnableCNI bool
// TProxyOverwriteProbes controls whether the webhook should mutate pod's HTTP probes
// to point them to the Envoy proxy.
TProxyOverwriteProbes bool
// EnableConsulDNS enables traffic redirection so that DNS requests are directed to Consul
// from mesh services.
EnableConsulDNS bool
// EnableOpenShift indicates that when tproxy is enabled, the security context for the Envoy and init
// containers should not be added because OpenShift sets a random user for those and will not allow
// those containers to be created otherwise.
EnableOpenShift bool
// SkipServerWatch prevents consul-dataplane from consuming the server update stream. This is useful
// for situations where Consul servers are behind a load balancer.
SkipServerWatch bool
// ReleaseNamespace is the Kubernetes namespace where this webhook is running.
ReleaseNamespace string
// Log
Log logr.Logger
// Log settings for consul-dataplane and connect-init containers.
LogLevel string
LogJSON bool
// contains filtered or unexported fields
}
MeshWebhook is the HTTP meshWebhook for admission webhooks.
func (*MeshWebhook) Handle ¶
Handle is the admission.Webhook implementation that actually handles the webhook request for admission control. This should be registered or served via the controller runtime manager.
func (*MeshWebhook) InjectDecoder ¶
func (w *MeshWebhook) InjectDecoder(d *admission.Decoder) error
type ReadinessCheck ¶
type ReadinessCheck struct {
CertDir string
}
Source Files
Click to show internal directories.
Click to hide internal directories.