Documentation

Overview

    Package kubecertagent provides controllers that ensure a set of pods (the kube-cert-agent) is colocated with the Kubernetes controller manager so that Pinniped can access its signing keys.

    Note: the controllers use a filter that accepts all pods that look like the controller manager or an agent pod, across any add/update/delete event. Each controller only cares about a subset of these events in reality, but the liberal filter implementation serves as an MVP.

Constants

    const (
    	// ControllerManagerNamespace is the assumed namespace of the kube-controller-manager pod(s).
    	ControllerManagerNamespace = "kube-system"
    )

Variables

    This section is empty.

Functions

    func NewAnnotaterController

    func NewAnnotaterController(
    	agentPodConfig *AgentPodConfig,
    	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
    	clock clock.Clock,
    	k8sClient kubernetes.Interface,
    	pinnipedAPIClient pinnipedclientset.Interface,
    	kubeSystemPodInformer corev1informers.PodInformer,
    	agentPodInformer corev1informers.PodInformer,
    	withInformer pinnipedcontroller.WithInformerOptionFunc,
    ) controllerlib.Controller

    NewAnnotaterController returns a controller that updates agent pods with the path to the kube API's certificate and key.

    This controller will add annotations to agent pods with the best-guess paths to the kube API's certificate and key.

    It is also tasked with updating the CredentialIssuer, located via the provided credentialIssuerLocationConfig, with any errors that it encounters.

    func NewCreaterController

    func NewCreaterController(
    	agentPodConfig *AgentPodConfig,
    	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
    	credentialIssuerLabels map[string]string,
    	clock clock.Clock,
    	k8sClient kubernetes.Interface,
    	pinnipedAPIClient pinnipedclientset.Interface,
    	kubeSystemPodInformer corev1informers.PodInformer,
    	agentPodInformer corev1informers.PodInformer,
    	withInformer pinnipedcontroller.WithInformerOptionFunc,
    	withInitialEvent pinnipedcontroller.WithInitialEventOptionFunc,
    ) controllerlib.Controller

    NewCreaterController returns a controller that creates new kube-cert-agent pods for every known kube-controller-manager pod.

    It is also tasked with updating the CredentialIssuer, located via the provided credentialIssuerLocationConfig, with any errors that it encounters.

    func NewDeleterController

    func NewDeleterController(
    	agentPodConfig *AgentPodConfig,
    	k8sClient kubernetes.Interface,
    	kubeSystemPodInformer corev1informers.PodInformer,
    	agentPodInformer corev1informers.PodInformer,
    	withInformer pinnipedcontroller.WithInformerOptionFunc,
    ) controllerlib.Controller

    NewDeleterController returns a controller that deletes any kube-cert-agent pods that are out of sync with the known kube-controller-manager pods.

    func NewExecerController

    func NewExecerController(
    	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
    	dynamicCertProvider dynamiccert.Provider,
    	podCommandExecutor PodCommandExecutor,
    	pinnipedAPIClient pinnipedclientset.Interface,
    	clock clock.Clock,
    	agentPodInformer corev1informers.PodInformer,
    	withInformer pinnipedcontroller.WithInformerOptionFunc,
    ) controllerlib.Controller

    NewExecerController returns a controllerlib.Controller that listens for agent pods with proper cert/key path annotations and execs into them to get the cert/key material. It sets the retrieved key material in the provided dynamicCertProvider.

    It is also tasked with updating the CredentialIssuer, located via the provided credentialIssuerLocationConfig, with any errors that it encounters.

Types

    type AgentPodConfig

    type AgentPodConfig struct {
    	// The namespace in which agent pods will be created.
    	Namespace string

    	// The container image used for the agent pods.
    	ContainerImage string

    	// The name prefix for each of the agent pods.
    	PodNamePrefix string

    	// ContainerImagePullSecrets is a list of names of Kubernetes Secret objects that will be used as
    	// ImagePullSecrets on the kube-cert-agent pods.
    	ContainerImagePullSecrets []string

    	// Additional labels that should be added to every agent pod during creation.
    	AdditionalLabels map[string]string
    }

    func (*AgentPodConfig) AgentSelector

    func (c *AgentPodConfig) AgentSelector() labels.Selector

    func (*AgentPodConfig) Labels

    func (c *AgentPodConfig) Labels() map[string]string

    type CredentialIssuerLocationConfig

    type CredentialIssuerLocationConfig struct {
    	// The resource name for the CredentialIssuer to be created/updated.
    	Name string
    }

    type PodCommandExecutor

    type PodCommandExecutor interface {
    	Exec(podNamespace string, podName string, commandAndArgs ...string) (stdoutResult string, err error)
    }

    PodCommandExecutor can exec a command in a pod located via namespace and name.

    func NewPodCommandExecutor

    func NewPodCommandExecutor(kubeConfig *restclient.Config, kubeClient kubernetes.Interface) PodCommandExecutor

    NewPodCommandExecutor returns a PodCommandExecutor that will interact with a pod via the provided kubeConfig and corresponding kubeClient.