Documentation


Constants

const (
	// KubeController is the base name of the calico-kube-controllers component;
	// the ServiceAccount, Role and RoleBinding constants below reuse the same value.
	KubeController = "calico-kube-controllers"
	// KubeControllerServiceAccount names the kube-controllers ServiceAccount.
	KubeControllerServiceAccount = "calico-kube-controllers"
	// KubeControllerRole names the kube-controllers Role.
	KubeControllerRole = "calico-kube-controllers"
	// KubeControllerRoleBinding names the kube-controllers RoleBinding.
	KubeControllerRoleBinding = "calico-kube-controllers"
	// KubeControllerMetrics names the kube-controllers metrics object
	// (presumably the metrics Service; the rendering lives outside this listing).
	KubeControllerMetrics = "calico-kube-controllers-metrics"
	// KubeControllerNetworkPolicyName names the policy that admits traffic to
	// kube-controllers, built from the shared Calico component policy prefix.
	KubeControllerNetworkPolicyName = networkpolicy.CalicoComponentPolicyPrefix + "kube-controller-access"

	// WASMPullSecretName is the dedicated image-pull Secret (a renamed copy of
	// the install pull secret) that the WAF reconciler replicates into tenant
	// namespaces for the Coraza wasm OCI pull. A dedicated name avoids clashing
	// with the operator-managed tigera-pull-secret the GatewayAPI render also
	// copies into those namespaces (EV-6386).
	//
	// NOTE(review): because this Secret is copied into every tenant namespace,
	// the registry credentials it carries become readable to any principal with
	// Secret read access in those namespaces. Prefer sourcing it from a
	// credential scoped to the wasm registry rather than a broader pull secret
	// where the deployment allows it — confirm against the reconciler.
	WASMPullSecretName = "tigera-waf-pull-secret"

	// WASMCACertName is the dedicated CA-bundle ConfigMap (in the controller
	// namespace) the WAF reconciler replicates into tenant namespaces for the
	// Coraza wasm OCI registry TLS check — a dedicated name avoids clashing with
	// the operator-managed tigera-ca-bundle ConfigMap the GatewayAPI render also
	// copies there (EV-6386). The source copy is a renamed copy of the trusted
	// bundle, provisioned by the core controller and passed in as WASMCACert.
	WASMCACertName = "tigera-waf-ca-bundle"

	// EsKubeController is the es-calico-kube-controllers counterpart of
	// KubeController (the variant built by NewElasticsearchKubeControllers).
	EsKubeController = "es-calico-kube-controllers"
	// EsKubeControllerRole names the es-calico-kube-controllers Role.
	EsKubeControllerRole = "es-calico-kube-controllers"
	// EsKubeControllerRoleBinding names the es-calico-kube-controllers RoleBinding.
	EsKubeControllerRoleBinding = "es-calico-kube-controllers"
	// EsKubeControllerMetrics is the metrics counterpart of KubeControllerMetrics
	// for the Elasticsearch variant.
	EsKubeControllerMetrics = "es-calico-kube-controllers-metrics"
	// EsKubeControllerNetworkPolicyName is the access-policy name for the
	// Elasticsearch variant, built from the shared Calico component policy prefix.
	EsKubeControllerNetworkPolicyName = networkpolicy.CalicoComponentPolicyPrefix + "es-kube-controller-access"
	// ManagedClustersWatchRoleBindingName names the RoleBinding used for the
	// es-calico-kube-controllers managed-cluster watch (its rules are rendered elsewhere).
	ManagedClustersWatchRoleBindingName = "es-calico-kube-controllers-managed-cluster-watch"

	// ElasticsearchKubeControllersUserSecret names the Secret holding the
	// Elasticsearch access credentials used by kube-controllers.
	ElasticsearchKubeControllersUserSecret = "tigera-ee-kube-controllers-elasticsearch-access"
	// ElasticsearchKubeControllersUserName is the Elasticsearch user name
	// associated with that credential.
	ElasticsearchKubeControllersUserName = "tigera-ee-kube-controllers"
	// ElasticsearchKubeControllersSecureUserSecret names the gateway-facing
	// variant of the Elasticsearch access Secret (see the "-gateway" suffix).
	ElasticsearchKubeControllersSecureUserSecret = "tigera-ee-kube-controllers-elasticsearch-access-gateway"
	// ElasticsearchKubeControllersVerificationUserSecret names the Secret of
	// verification credentials presented to the gateway.
	ElasticsearchKubeControllersVerificationUserSecret = "tigera-ee-kube-controllers-gateway-verification-credentials"
	// KubeControllerPrometheusTLSSecret names the TLS Secret for the
	// kube-controllers metrics endpoint (the rendered form of
	// KubeControllersConfiguration.MetricsServerTLS — confirm in the renderer).
	KubeControllerPrometheusTLSSecret = "calico-kube-controllers-metrics-tls"

	// KubeControllersHealthPort is the port the kube-controllers HealthAggregator listens on when run from the
	// combined calico binary. The legacy per-component image uses file-based health checks instead.
	KubeControllersHealthPort = 9440
)
const (
	// MigrationClusterRoleName names the ClusterRole carrying the extra
	// permissions kube-controllers needs while a v1 -> v3 migration is active;
	// MigrationRBACComponent creates it when migrationActive is true and removes
	// it when false.
	//
	// NOTE(review): this grants broad, cluster-wide access to both API groups.
	// Ensure the component is rendered with migrationActive=false once the
	// migration completes so the widened privilege does not persist.
	MigrationClusterRoleName = "calico-kube-controllers-migration"
)

Variables

This section is empty.

Functions

func MergeWAFPullSecret

func MergeWAFPullSecret(pullSecrets []*corev1.Secret) (*corev1.Secret, []string)

MergeWAFPullSecret synthesizes the dedicated WAF wasm pull secret (tigera-waf-pull-secret) by merging the registry auths of every Installation pull secret. The EnvoyExtensionPolicy image source takes a single pullSecretRef, so a merged secret is the only way to honor multiple Installation pull secrets for the Coraza wasm OCI pull (e.g. the Tigera pull secret plus credentials for a private registry mirror).

If the same registry appears in more than one secret, the first secret in Installation order wins. Secrets that cannot be parsed are skipped and their names returned, so the caller can log them without failing the reconcile. Returns a nil Secret when no registry auths could be collected.

func MigrationRBACComponent added in v1.42.0

func MigrationRBACComponent(migrationActive bool) render.Component

MigrationRBACComponent returns a render component that creates or deletes the migration RBAC. When migrationActive is true, kube-controllers needs broad access to both API groups to read v1 resources and write v3 resources. When false, the extra permissions are cleaned up.

func NewCalicoKubeControllers

func NewCalicoKubeControllers(cfg *KubeControllersConfiguration) *kubeControllersComponent

func NewCalicoKubeControllersPolicy added in v1.28.0

func NewCalicoKubeControllersPolicy(cfg *KubeControllersConfiguration, defaultDeny *v3.NetworkPolicy) render.Component

func NewElasticsearchKubeControllers

func NewElasticsearchKubeControllers(cfg *KubeControllersConfiguration) *kubeControllersComponent

Types

type KubeControllersConfiguration

type KubeControllersConfiguration struct {
	// K8sServiceEp is the Kubernetes API service endpoint handed to
	// kube-controllers; K8sServiceEpPodNetwork is presumably the variant
	// reachable from the pod network. Which one each rendered container uses
	// is decided in the renderer — confirm there.
	K8sServiceEp           k8sapi.ServiceEndpoint
	K8sServiceEpPodNetwork k8sapi.ServiceEndpoint

	// Installation is the InstallationSpec the component is rendered for.
	// ManagementCluster, ManagementClusterConnection and Authentication are
	// optional cluster-level inputs (presumably nil when the corresponding
	// resource is absent — TODO confirm with callers).
	Installation                *operatorv1.InstallationSpec
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	Authentication              *operatorv1.Authentication

	// Whether or not the LogStorage CRD is present in the cluster.
	LogStorageExists bool

	// ClusterDomain is the cluster DNS domain used when building service names.
	// MetricsPort is the port kube-controllers serves metrics on.
	ClusterDomain string
	MetricsPort   int

	// For details on why this is needed see 'Node and Installation finalizer' in the core_controller.
	Terminating bool

	// Secrets - provided by the caller. Used to generate secrets in the destination
	// namespace to be returned by the renderer. The calling code is expected to
	// take care to pass the same secret on each reconcile where possible.
	//
	// WASMPullSecret and WASMCACert are the source copies rendered under
	// WASMPullSecretName / WASMCACertName and replicated into tenant namespaces.
	// NOTE(review): WASMPullSecret carries registry credentials, so once
	// replicated they are readable by any principal with Secret read access in
	// those namespaces; pass a credential scoped to the wasm registry rather
	// than a broader pull secret where the deployment allows it.
	// TrustedBundle is a read-only view of the trusted CA bundle.
	KubeControllersGatewaySecret *corev1.Secret
	WASMPullSecret               *corev1.Secret
	WASMCACert                   *corev1.ConfigMap
	TrustedBundle                certificatemanagement.TrustedBundleRO

	// MetricsServerTLS is the serving key pair for the metrics endpoint
	// (presumably materialised as KubeControllerPrometheusTLSSecret — confirm).
	MetricsServerTLS certificatemanagement.KeyPairInterface

	// Namespace to be installed into.
	Namespace string

	// List of namespaces that are running a kube-controllers instance that need a cluster role binding.
	BindingNamespaces []string

	// Tenant object provides tenant configuration for both single and multi-tenant modes.
	// If this is nil, then we should run in zero-tenant mode.
	Tenant *operatorv1.Tenant

	// WAFGatewayExtensionEnabled gates the WAF v3 (Gateway API add-on) surface
	// on calico-kube-controllers: the applicationlayer controller enablement,
	// the WAF / Gateway-API / EnvoyExtensionPolicy / event / secret-replication
	// RBAC, the WASM_IMAGE / WASM_PULL_SECRET / WASM_CA_CERT env vars, and the
	// gateway envoy-proxy wasm image resolution. Sourced from
	// `GatewayAPI.spec.extensions.waf.state == Enabled` (default off).
	// See design `tigera/designs#25` (PMREQ-384).
	WAFGatewayExtensionEnabled bool

	// WAFWebhookServerTLS is the serving certificate for the in-process WAF
	// SecLang validating admission webhook hosted by calico-kube-controllers.
	// When set (WAF enabled), it is mounted into the Pod and the webhook server
	// reads it from WAF_WEBHOOK_CERT_DIR. Issued for the tigera-waf-webhook
	// Service DNS name. Nil leaves the Deployment untouched (and the in-process
	// server self-disables when the cert is absent).
	//
	// NOTE(review): while the server is self-disabled, SecLang validation is
	// not enforced through this webhook. Confirm the ValidatingWebhookConfiguration
	// is not rendered while this is nil, so the apiserver is not left calling
	// an endpoint that is not serving.
	WAFWebhookServerTLS certificatemanagement.KeyPairInterface

	// WAFWebhookCABundle is the PEM of the CA that issued WAFWebhookServerTLS
	// (the operator CA), stamped into the ValidatingWebhookConfiguration's
	// caBundle so the apiserver can verify the in-process webhook endpoint.
	// Only consulted when WAFGatewayExtensionEnabled is true.
	WAFWebhookCABundle []byte
}
