Documentation
Overview ¶
This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.
Index ¶
- Constants
- Variables
- func CNIPluginFinalizedObjects() []client.Object
- func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap
- func CreateCertificateSecret(caPem []byte, secretName string, namespace string) *corev1.Secret
- func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard, ...) *corev1.Namespace
- func CreateOperatorSecretsRoleBinding(namespace string) *rbacv1.RoleBinding
- func DefaultCNIDirectories(provider v1.Provider) (string, string)
- func DefaultWindowsCNIDirectories(installation operatorv1.InstallationSpec) (string, string, string)
- func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
- func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
- func GetLinseedTokenPath(managedCluster bool) string
- func GuardianService(clusterDomain string) string
- func ImagePullPolicy() corev1.PullPolicy
- func JoinServiceEndpoints(endpoints []k8sapi.ServiceEndpoint) string
- func LinseedNamespace(tenant *operatorv1.Tenant) string
- func ManagerService(tenant *operatorv1.Tenant) string
- func NewDexKeyValidatorConfig(authentication *oprv1.Authentication, clusterDomain string) authentication.KeyValidatorConfig
- func ProcessPodProxies(podProxies []*httpproxy.Config) []*httpproxy.Config
- func SetClusterCriticalPod(t *corev1.PodTemplateSpec)
- func SetTestLogger(l logr.Logger)
- type APIServerConfiguration
- type AWSSGSetupConfiguration
- type CSIConfiguration
- type ComplianceConfiguration
- type Component
- func APIServer(cfg *APIServerConfiguration) (Component, error)
- func APIServerPolicy(cfg *APIServerConfiguration) Component
- func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)
- func CSI(cfg *CSIConfiguration) Component
- func Compliance(cfg *ComplianceConfiguration) (Component, error)
- func Dex(cfg *DexComponentConfiguration) Component
- func Fluentd(cfg *FluentdConfiguration) Component
- func Guardian(cfg *GuardianConfiguration) Component
- func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)
- func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component
- func LogStorage(cfg *ElasticsearchConfiguration) Component
- func Manager(cfg *ManagerConfiguration) (Component, error)
- func Namespaces(cfg *NamespaceConfiguration) Component
- func NewDeletionPassthrough(objs ...client.Object) Component
- func NewManagedClusterLogStorage(cfg *ManagedClusterLogStorageConfiguration) Component
- func NewPassthrough(objs ...client.Object) Component
- func NewPassthroughWithLog(l logr.Logger, objs ...client.Object) Component
- func NewSetup(cfg *SetUpConfiguration) Component
- func NewTyphaNonClusterHostPolicy(cfg *TyphaConfiguration) Component
- func Node(cfg *NodeConfiguration) Component
- func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component
- func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component
- func PolicyRecommendation(cfg *PolicyRecommendationConfiguration) Component
- func Typha(cfg *TyphaConfiguration) Component
- func Windows(cfg *WindowsConfiguration) Component
- type ContainerName
- type DexComponentConfiguration
- type DexConfig
- type DexKeyValidatorConfig
- func (d *DexKeyValidatorConfig) BaseURL() string
- func (d *DexKeyValidatorConfig) ClientID() string
- func (d *DexKeyValidatorConfig) Issuer() string
- func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string
- func (d *DexKeyValidatorConfig) RequiredConfigMaps(string) []*corev1.ConfigMap
- func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar
- func (d *DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret
- func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount
- func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume
- func (d *DexKeyValidatorConfig) UsernameClaim() string
- type EksCloudwatchLogConfig
- type ElasticsearchConfiguration
- type ElasticsearchLicenseType
- type FluentdConfiguration
- type FluentdFilters
- type ForwardingDestination
- type GuardianComponent
- type GuardianConfiguration
- type IntrusionDetectionConfiguration
- type ManagedClusterLogStorageConfiguration
- type ManagerConfiguration
- type NamespaceConfiguration
- type NodeConfiguration
- type PacketCaptureApiConfiguration
- type PodSecurityStandard
- type PolicyRecommendationConfiguration
- type Renderer
- type S3Credential
- type SetUpComponent
- type SetUpConfiguration
- type SplunkCredential
- type TyphaConfiguration
- type TyphaNodeTLS
- type WindowsConfiguration
Constants ¶
const (
	APIServerPort     = 5443
	APIServerPortName = "apiserver"
	// APIServerPolicyName is built on the shared Tigera component policy prefix.
	APIServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "apiserver-access"
)
const (
	APIServerResourceName = "apiserver"
	APIServerNamespace    = common.CalicoNamespace
	QueryServerPort       = 8080
	QueryServerPortName   = "queryserver"
	// NOTE(review): QueryserverNamespace is a literal while APIServerNamespace derives from
	// common.CalicoNamespace; if the two are meant to stay in sync, consider deriving this one too.
	QueryserverNamespace   = "calico-system"
	QueryserverServiceName = "calico-api"

	// Use the same API server container name for both OSS and Enterprise.
	APIServerName                                         = "calico-apiserver"
	APIServerContainerName                  ContainerName = "calico-apiserver"
	TigeraAPIServerQueryServerContainerName ContainerName = "tigera-queryserver"

	// Name of the Secret that carries the API server TLS certs.
	CalicoAPIServerTLSSecretName = "calico-apiserver-certs"
	// APIServerServiceName has the same value as QueryserverServiceName above.
	APIServerServiceName        = "calico-api"
	APIServerServiceAccountName = "calico-apiserver"

	// RBAC object names for secrets access and managed-cluster access/watch.
	APIServerSecretsRBACName                        = "calico-extension-apiserver-secrets-access"
	MultiTenantManagedClustersAccessClusterRoleName = "calico-managed-cluster-access"
	ManagedClustersWatchClusterRoleName             = "calico-managed-cluster-watch"

	L7AdmissionControllerContainerName ContainerName = "calico-l7-admission-controller"
	L7AdmissionControllerPort                        = 6443
	L7AdmissionControllerPortName                    = "l7admctrl"
)
const (
	ComplianceNamespace       = "tigera-compliance"
	ComplianceServiceName     = "compliance"
	ComplianceServerName      = "compliance-server"
	ComplianceControllerName  = "compliance-controller"
	ComplianceSnapshotterName = "compliance-snapshotter"
	ComplianceReporterName    = "compliance-reporter"
	ComplianceBenchmarkerName = "compliance-benchmarker"

	// Network policy names, built on the shared Tigera component prefix.
	ComplianceAccessPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "compliance-access"
	ComplianceServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + ComplianceServerName

	MultiTenantComplianceManagedClustersAccessRoleBindingName = "compliance-server-managed-cluster-access"

	// ServiceAccount names.
	ComplianceServerServiceAccount      = "tigera-compliance-server"
	ComplianceSnapshotterServiceAccount = "tigera-compliance-snapshotter"
	ComplianceBenchmarkerServiceAccount = "tigera-compliance-benchmarker"
	ComplianceReporterServiceAccount    = "tigera-compliance-reporter"
	ComplianceControllerServiceAccount  = "tigera-compliance-controller"
)
const (
	// ElasticsearchCuratorUserSecret names the Secret holding the curator's Elasticsearch access credentials.
	ElasticsearchCuratorUserSecret = "tigera-ee-curator-elasticsearch-access"

	// Per-component TLS Secret names for the compliance pods.
	ComplianceServerCertSecret  = "tigera-compliance-server-tls"
	ComplianceSnapshotterSecret = "tigera-compliance-snapshotter-tls"
	ComplianceBenchmarkerSecret = "tigera-compliance-benchmarker-tls"
	ComplianceControllerSecret  = "tigera-compliance-controller-tls"
	ComplianceReporterSecret    = "tigera-compliance-reporter-tls"
)
const (
	// CSI driver and node DaemonSet names; the DaemonSet lives in calico-system.
	CSIDriverName             = "csi.tigera.io"
	CSIDaemonSetName          = "csi-node-driver"
	CSIDaemonSetNamespace     = "calico-system"
	CSIContainerName          = "calico-csi"
	CSIRegistrarContainerName = "csi-node-driver-registrar"
)
const (
	DexNamespace  = "tigera-dex"
	DexObjectName = "tigera-dex"
	DexPort       = 5556
	// DexTLSSecretName names the Secret holding Dex's TLS material.
	DexTLSSecretName = "tigera-dex-tls"
	// DexClientId is the OIDC client identifier Dex is configured with (exported name kept for compatibility).
	DexClientId   = "tigera-manager"
	DexPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "allow-tigera-dex"
)
const (
	// Field (key) names inside the identity-provider credential Secrets; these are key names, not values.
	ClientSecretSecretField = "clientSecret"
	RootCASecretField       = "rootCA"

	// OIDCSecretName and OIDCSecretProviderClassName share the same value.
	OIDCSecretName              = "tigera-oidc-credentials"
	OIDCSecretProviderClassName = "tigera-oidc-credentials"
	OpenshiftSecretName         = "tigera-openshift-credentials"
	LDAPSecretName              = "tigera-ldap-credentials"

	ClientIDSecretField = "clientID"
	BindDNSecretField   = "bindDN"
	BindPWSecretField   = "bindPW"

	// Default claims to use to data from a JWT.
	DefaultGroupsClaim = "groups"
)
const (
	// OperatorCompleteFinalizer is applied by the core controller as part of Installation defaulting to ensure it can
	// clean up resources if the Installation is ever deleted. This Finalizer is only removed after all operator
	// finalization logic has completed.
	// NOTE(review): this one uses the "tigera.io/" prefix while the controller finalizers below use "operator.tigera.io/".
	OperatorCompleteFinalizer = "tigera.io/operator-cleanup"

	// APIServerFinalizer is added to the Installation by the API server controller when installing the API server so that
	// Calico CNI resources are not removed until the API server controller has had time to properly tear down pods.
	APIServerFinalizer = "operator.tigera.io/apiserver-controller"

	// InstallationControllerFinalizer is added to the Installation by the core Installation controller when installing Calico
	// so that Calico CNI resources are not removed until calico-kube-controllers has had time to properly be torn down.
	InstallationControllerFinalizer = "operator.tigera.io/installation-controller"

	// WhiskerFinalizer is added to the Installation by the whisker controller when the whisker CR is created so that
	// Calico CNI resources are not removed until the whisker controller has had time to properly delete the whisker deployment.
	WhiskerFinalizer = "operator.tigera.io/whisker-controller"

	// GuardianFinalizer is added to the Installation by the cluster connection controller when the management cluster connection CR
	// is created so that Calico CNI resources are not removed until the controller has had time to properly delete the guardian deployment.
	GuardianFinalizer = "operator.tigera.io/guardian-controller"

	// GoldmaneFinalizer is added to the Installation by the goldmane controller when the goldmane CR is created so that
	// Calico CNI resources are not removed until the goldmane controller has had time to properly delete the goldmane deployment.
	GoldmaneFinalizer = "operator.tigera.io/goldmane-controller"

	// GatewayAPIFinalizer is added to the Installation by the GatewayAPI controller when installing the Gateway API so that
	// Calico CNI resources are not removed until the GatewayAPI Deployment has had time to properly tear down pods.
	GatewayAPIFinalizer = "operator.tigera.io/gatewayapi-controller"
)
const (
	LogCollectorNamespace      = "tigera-fluentd"
	FluentdFilterConfigMapName = "fluentd-filters"
	FluentdFilterFlowName      = "flow"
	FluentdFilterDNSName       = "dns"

	// S3 credential Secret name and the key names inside it (key names, not values).
	S3FluentdSecretName = "log-collector-s3-credentials"
	S3KeyIdName         = "key-id"
	S3KeySecretName     = "key-secret"

	// FluentdPrometheusTLSSecretName is the name of the secret containing the key pair fluentd presents to identify itself.
	// Somewhat confusingly, this is named the prometheus TLS key pair because that was the first
	// use-case for this credential. However, it is used on all TLS connections served by fluentd.
	FluentdPrometheusTLSSecretName = "tigera-fluentd-prometheus-tls"

	FluentdMetricsService        = "fluentd-metrics"
	FluentdMetricsServiceWindows = "fluentd-metrics-windows"
	FluentdInputService          = "fluentd-http-input"
	FluentdMetricsPortName       = "fluentd-metrics-port"
	FluentdMetricsPort           = 9081
	FluentdInputPortName         = "fluentd-http-input-port"
	FluentdInputPort             = 9880
	FluentdPolicyName            = networkpolicy.TigeraComponentPolicyPrefix + "allow-fluentd-node"

	// EKS log forwarder credentials: Secret names and the key names inside them.
	ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access"
	EksLogForwarderSecret                  = "tigera-eks-log-forwarder-secret"
	EksLogForwarderAwsId                   = "aws-id"
	EksLogForwarderAwsKey                  = "aws-key"

	// Splunk credentials: Secret name and the key names inside it.
	SplunkFluentdTokenSecretName      = "logcollector-splunk-credentials"
	SplunkFluentdSecretTokenKey       = "token"
	SplunkFluentdSecretCertificateKey = "ca.pem"

	// Syslog CA trust location; SysLogPublicCAPath is the concatenation of the two constants above it.
	SysLogPublicCADir   = "/etc/pki/tls/certs/"
	SysLogPublicCertKey = "ca-bundle.crt"
	SysLogPublicCAPath  = SysLogPublicCADir + SysLogPublicCertKey
	SyslogCAConfigMapName = "syslog-ca"

	// Constants for Linseed token volume mounting in managed clusters.
	LinseedTokenVolumeName = "linseed-token"
	LinseedTokenKey        = "token"
	LinseedTokenSubPath    = "token"
	// LinseedTokenSecret is a format string expecting one %s argument.
	LinseedTokenSecret     = "%s-tigera-linseed-token"
	LinseedVolumeMountPath = "/var/run/secrets/tigera.io/linseed/"
	// LinseedTokenPath is textually LinseedVolumeMountPath + LinseedTokenSubPath; keep the three in sync.
	LinseedTokenPath = "/var/run/secrets/tigera.io/linseed/token"

	FluentdNodeName              = "fluentd-node"
	EKSLogForwarderName          = "eks-log-forwarder"
	EKSLogForwarderTLSSecretName = "tigera-eks-log-forwarder-tls"
	PacketCaptureAPIRole         = "packetcapture-api-role"
	PacketCaptureAPIRoleBinding  = "packetcapture-api-role-binding"

	// Supported log forwarding destinations.
	ForwardingDestinationS3     ForwardingDestination = "S3"
	ForwardingDestinationSyslog ForwardingDestination = "Syslog"
	ForwardingDestinationSplunk ForwardingDestination = "Splunk"
)
const (
	GuardianName                   = "guardian"
	GuardianNamespace              = common.CalicoNamespace
	GuardianServiceAccountName     = GuardianName
	GuardianClusterRoleName        = "calico-guardian"
	GuardianClusterRoleBindingName = "calico-guardian"
	GuardianDeploymentName         = GuardianName

	// GuardianContainerName name is the name of the container running guardian. It's named `tigera-guardian`, instead
	// of `guardian` so that the API for the container overrides don't have to change (`tigera-guardian` is a legacy name).
	GuardianContainerName = "tigera-guardian"

	GuardianServiceName = "guardian"
	GuardianVolumeName  = "guardian-certs"
	// GuardianSecretName names the Secret holding the managed cluster connection material.
	GuardianSecretName = "tigera-managed-cluster-connection"
	GuardianTargetPort = 8080
	GuardianPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "guardian-access"
	// GuardianKeyPairSecret names the Secret holding guardian's own key pair.
	GuardianKeyPairSecret = "guardian-key-pair"

	// GoldmaneDeploymentName is declared alongside the guardian constants.
	GoldmaneDeploymentName = "goldmane"

	// Role and RoleBinding granting guardian access to secrets.
	GuardianSecretsRole            = "calico-guardian-secrets"
	GuardianSecretsRoleBindingName = "calico-guardian-secrets"
)
The names of the components related to the Guardian rendered objects.
const (
	IntrusionDetectionNamespace = "tigera-intrusion-detection"
	IntrusionDetectionName      = "intrusion-detection-controller"

	// Elasticsearch access credential Secret names for the intrusion detection components.
	ElasticsearchIntrusionDetectionUserSecret    = "tigera-ee-intrusion-detection-elasticsearch-access"
	ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access"
	ElasticsearchPerformanceHotspotsUserSecret   = "tigera-ee-performance-hotspots-elasticsearch-access"

	IntrusionDetectionInstallerJobName = "intrusion-detection-es-job-installer"
	// IntrusionDetectionControllerName has the same value as IntrusionDetectionName.
	IntrusionDetectionControllerName       = "intrusion-detection-controller"
	IntrusionDetectionControllerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + IntrusionDetectionControllerName
	IntrusionDetectionInstallerPolicyName  = networkpolicy.TigeraComponentPolicyPrefix + "intrusion-detection-elastic"

	// RoleBinding names for managed-cluster access/watch.
	MultiTenantManagedClustersAccessClusterRoleBindingName = "tigera-intrusion-detection-managed-cluster-access"
	IntrusionDetectionManagedClustersWatchRoleBindingName  = "tigera-intrusion-detection-managed-cluster-watch"

	ADAPIObjectName = "anomaly-detection-api"

	// TLS Secret names for the intrusion detection and DPI components.
	IntrusionDetectionTLSSecretName = "intrusion-detection-tls"
	DPITLSSecretName                = "deep-packet-inspection-tls"

	ADAPIPolicyName             = networkpolicy.TigeraComponentPolicyPrefix + ADAPIObjectName
	ADPersistentVolumeClaimName = "tigera-anomaly-detection"
	ADJobPodTemplateBaseName    = "tigera.io.detectors"
	// adDetectorName is an unexported constant declared elsewhere in the package.
	ADDetectorPolicyName = networkpolicy.TigeraComponentPolicyPrefix + adDetectorName
)
const (
	ElasticsearchObjectName = "tigera-elasticsearch"
	ElasticsearchNamespace  = ElasticsearchObjectName

	// TigeraLinseedSecret is the name of the secret that holds the TLS key pair mounted into Linseed.
	// The secret contains server key and certificate.
	TigeraLinseedSecret = "tigera-secure-linseed-cert"

	// TigeraLinseedSecretsClusterRole is the name of the ClusterRole used to make RoleBindings in namespaces where Linseed
	// needs to be able to manipulate secrets
	TigeraLinseedSecretsClusterRole = "tigera-linseed-secrets"

	// TigeraLinseedTokenSecret is the name of the secret that holds the access token signing key for Linseed.
	TigeraLinseedTokenSecret = "tigera-secure-linseed-token-tls"

	// TigeraElasticsearchGatewaySecret is the TLS key pair that is mounted by Elasticsearch gateway.
	TigeraElasticsearchGatewaySecret = "tigera-secure-elasticsearch-cert"

	// TigeraElasticsearchInternalCertSecret is the TLS key pair that is mounted by the Elasticsearch pods.
	TigeraElasticsearchInternalCertSecret = "tigera-secure-internal-elasticsearch-cert"

	// Linseed vars.
	LinseedServiceName = "tigera-linseed"

	ElasticsearchName        = "tigera-secure"
	ElasticsearchServiceName = "tigera-secure-es-http"
	ESGatewayServiceName     = "tigera-secure-es-gateway-http"

	// Client (9200) and inter-node (9300) Elasticsearch ports.
	ElasticsearchDefaultPort  = 9200
	ElasticsearchInternalPort = 9300

	// Elasticsearch user credential Secret names.
	ElasticsearchAdminUserSecret   = "tigera-secure-es-elastic-user"
	ElasticsearchLinseedUserSecret = "tigera-ee-linseed-elasticsearch-user-secret"

	ElasticsearchPolicyName         = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-access"
	ElasticsearchInternalPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-internal"

	KibanaBasePath                 = "tigera-kibana"
	DefaultElasticsearchClusterName = "cluster"
	DefaultElasticsearchReplicas    = 0
	DefaultElasticStorageGi         = 10

	ESCuratorName           = "elastic-curator"
	EsCuratorServiceAccount = "tigera-elastic-curator"
	EsCuratorPolicyName     = networkpolicy.TigeraComponentPolicyPrefix + "allow-elastic-curator"

	OIDCUsersConfigMapName = "tigera-known-oidc-users"
	OIDCUsersESSecretName  = "tigera-oidc-users-elasticsearch-credentials"

	// Known Elasticsearch license types; the empty string stands for "unknown".
	ElasticsearchLicenseTypeBasic           ElasticsearchLicenseType = "basic"
	ElasticsearchLicenseTypeEnterprise      ElasticsearchLicenseType = "enterprise"
	ElasticsearchLicenseTypeEnterpriseTrial ElasticsearchLicenseType = "enterprise_trial"
	ElasticsearchLicenseTypeUnknown         ElasticsearchLicenseType = ""

	EsManagerRole        = "es-manager"
	EsManagerRoleBinding = "es-manager"

	CalicoKubeControllerSecret = "calico-kube-controller-secrets"

	// ElasticsearchTLSHashAnnotation is the annotation key under which a hash of the ES secrets is recorded.
	ElasticsearchTLSHashAnnotation = "hash.operator.tigera.io/es-secrets"
)
const (
	// Volume that is added by ECK and is overridden if certificate management is used.
	CSRVolumeNameHTTP = "elastic-internal-http-certificates"
	// Volume that is added by ECK and is overridden if certificate management is used.
	CSRVolumeNameTransport = "elastic-internal-transport-certificates"
	// Volume name that is added by ECK for the purpose of mounting certs.
	CAVolumeName = "elasticsearch-certs"
)
Certificate management constants.
const (
	ManagerServiceName    = "tigera-manager"
	ManagerDeploymentName = "tigera-manager"
	ManagerNamespace      = "tigera-manager"
	ManagerServiceAccount = "tigera-manager"

	// Default manager RBAC resources.
	ManagerClusterRole        = "tigera-manager-role"
	ManagerClusterRoleBinding = "tigera-manager-binding"

	// Manager RBAC resources for Calico managed clusters.
	ManagerManagedCalicoClusterRole        = "tigera-manager-managed-calico"
	ManagerManagedCalicoClusterRoleBinding = "tigera-manager-managed-calico"

	// Manager TLS Secret names (external and internal).
	ManagerTLSSecretName         = "manager-tls"
	ManagerInternalTLSSecretName = "internal-manager-tls"
	ManagerPolicyName            = networkpolicy.TigeraComponentPolicyPrefix + "manager-access"

	// The name of the TLS certificate used by Voltron to authenticate connections from managed
	// cluster clients talking to Linseed.
	VoltronLinseedTLS        = "tigera-voltron-linseed-tls"
	VoltronLinseedPublicCert = "tigera-voltron-linseed-certs-public"

	ManagerClusterSettings            = "cluster-settings"
	ManagerUserSettings               = "user-settings"
	ManagerClusterSettingsLayerTigera = "cluster-settings.layer.tigera-infrastructure"
	ManagerClusterSettingsViewDefault = "cluster-settings.view.default"

	ElasticsearchManagerUserSecret = "tigera-ee-manager-elasticsearch-access"

	// Annotation keys under which hashes of the referenced secrets are recorded.
	TlsSecretHashAnnotation         = "hash.operator.tigera.io/tls-secret"
	KibanaTLSHashAnnotation         = "hash.operator.tigera.io/kibana-secrets"
	ElasticsearchUserHashAnnotation = "hash.operator.tigera.io/elasticsearch-user"

	// RBAC names for managed-cluster access, watch and write access.
	ManagerMultiTenantManagedClustersAccessClusterRoleBindingName = "tigera-manager-managed-cluster-access"
	ManagerManagedClustersWatchRoleBindingName                    = "tigera-manager-managed-cluster-watch"
	ManagerManagedClustersUpdateRBACName                          = "tigera-manager-managed-cluster-write-access"
)
const (
	ManagerName = "tigera-manager"
	UIAPIsName  = "tigera-ui-apis"
	VoltronName = "tigera-voltron"
	// VoltronTunnelSecretName names the Secret holding the management cluster connection material.
	VoltronTunnelSecretName = "tigera-management-cluster-connection"
	// Ports are kept as strings here. NOTE(review): DashboardAPIPort has the same number as the untyped
	// int PacketCapturePort (8444) declared in another block; confirm whether that overlap is intentional.
	DashboardAPIPort       = "8444"
	DashboardAPIHealthPort = "8090"
	DashboardAPIName       = "tigera-dashboard-api"
)
ManagementClusterConnection configuration constants
const (
	// Pod Security Standard levels, from least to most restrictive.
	PSSPrivileged = "privileged"
	PSSBaseline   = "baseline"
	PSSRestricted = "restricted"
)
const (
	BirdTemplatesConfigMapName = "bird-templates"

	// Annotation keys read for BPF and kube-proxy handling.
	BPFOperatorAnnotation = "operator.tigera.io/bpfEnabled"
	DisableKubeProxyKey   = "operator.tigera.io/disable-kube-proxy"

	// Early networking (BGP layout) ConfigMap, key, volume and mount path.
	BGPLayoutConfigMapName = "bgp-layout"
	BGPLayoutConfigMapKey  = "earlyNetworkConfiguration"
	BGPLayoutVolumeName    = "bgp-layout"
	BGPLayoutPath          = "/etc/calico/early-networking.yaml"

	K8sSvcEndpointConfigMapName = "kubernetes-services-endpoint"

	// CNIFinalizer protects CNI resources; see CNIPluginFinalizedObjects.
	CNIFinalizer = "tigera.io/cni-protector"

	CalicoNodeMetricsService      = "calico-node-metrics"
	NodePrometheusTLSServerSecret = "calico-node-prometheus-server-tls"
	CalicoNodeObjectName          = "calico-node"
	CalicoCNIPluginObjectName     = "calico-cni-plugin"
	BPFVolumeName                 = "bpffs"
)
const (
	PacketCaptureContainerName = "tigera-packetcapture-server"
	PacketCaptureName          = "tigera-packetcapture"

	// Most PacketCapture object names reuse PacketCaptureName.
	PacketCaptureNamespace              = PacketCaptureName
	PacketCaptureServiceAccountName     = PacketCaptureName
	PacketCaptureClusterRoleName        = PacketCaptureName
	PacketCaptureClusterRoleBindingName = PacketCaptureName
	PacketCaptureDeploymentName         = PacketCaptureName
	PacketCaptureServiceName            = PacketCaptureName
	PacketCapturePolicyName             = networkpolicy.TigeraComponentPolicyPrefix + PacketCaptureName

	PacketCapturePort = 8444
	// PacketCaptureServerCert names the Secret holding the server TLS material.
	PacketCaptureServerCert = "tigera-packetcapture-server-tls"
)
The names of the components related to the PacketCapture API rendered objects.
const (
	// ElasticsearchPolicyRecommendationUserSecret names the Elasticsearch access credential Secret.
	ElasticsearchPolicyRecommendationUserSecret = "tigera-ee-policy-recommendation-elasticsearch-access"

	PolicyRecommendationName       = "tigera-policy-recommendation"
	PolicyRecommendationNamespace  = common.CalicoNamespace
	PolicyRecommendationPolicyName = networkpolicy.TigeraComponentPolicyPrefix + PolicyRecommendationName
	// PolicyRecommendationTLSSecretName names the Secret holding the component's TLS material.
	PolicyRecommendationTLSSecretName = "policy-recommendation-tls"

	// RoleBinding names for managed-cluster access/watch.
	PolicyRecommendationMultiTenantManagedClustersAccessRoleBindingName = "tigera-policy-recommendation-managed-cluster-access"
	PolicyRecommendationManagedClustersWatchRoleBindingName             = "tigera-policy-recommendation-managed-cluster-watch"
)
The names of the components related to the PolicyRecommendation API rendered objects.
const (
	TyphaServiceName        = "calico-typha"
	TyphaPortName           = "calico-typha"
	TyphaK8sAppName         = "calico-typha"
	TyphaServiceAccountName = "calico-typha"
	AppLabelName            = "k8s-app"
	// TyphaPort is explicitly typed int32 (the other port constants in this package are untyped).
	TyphaPort          int32 = 5473
	TyphaMetricsName         = "calico-typha-metrics"
	TyphaContainerName       = "calico-typha"
	// TyphaNonClusterHostSuffix is appended to the Typha/node TLS Secret names for non-cluster hosts.
	TyphaNonClusterHostSuffix            = "-noncluster-host"
	TyphaNonClusterHostNetworkPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "typha-noncluster-host-access"
)
const (
	// Windows counterparts of CalicoNodeObjectName and CalicoNodeMetricsService.
	WindowsNodeObjectName     = "calico-node-windows"
	WindowsNodeMetricsService = "calico-node-metrics-windows"
)
// TigeraAWSSGSetupName is the object name used by the AWS security group setup component.
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"
const (
	// TigeraOperatorSecrets is the ClusterRole name bound by CreateOperatorSecretsRoleBinding.
	TigeraOperatorSecrets = "tigera-operator-secrets"
)
Variables ¶
var (
	// GuardianEntityRule matches the guardian deployment in GuardianNamespace on GuardianTargetPort.
	GuardianEntityRule = networkpolicy.CreateEntityRule(GuardianNamespace, GuardianDeploymentName, GuardianTargetPort)
	// GuardianSourceEntityRule is the port-less source form of the rule above.
	GuardianSourceEntityRule = networkpolicy.CreateSourceEntityRule(GuardianNamespace, GuardianDeploymentName)
	// GuardianServiceSelectorEntityRule matches by the guardian Service rather than by pod.
	GuardianServiceSelectorEntityRule = networkpolicy.CreateServiceSelectorEntityRule(GuardianNamespace, GuardianName)
)
var (
	// ElasticsearchSelector matches pods carrying the ECK cluster-name label for ElasticsearchName.
	ElasticsearchSelector = fmt.Sprintf("elasticsearch.k8s.elastic.co/cluster-name == '%s'", ElasticsearchName)
	// ElasticsearchEntityRule scopes the selector to the Elasticsearch namespace and the client port (9200).
	ElasticsearchEntityRule = v3.EntityRule{
		NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
		Selector:          ElasticsearchSelector,
		Ports:             []numorstring.Port{{MinPort: ElasticsearchDefaultPort, MaxPort: ElasticsearchDefaultPort}},
	}
)
var (
	// Source rules for Kibana and the ECK operator; namespace and deployment names are literals here.
	SourceKibanaEntityRule      = networkpolicy.CreateSourceEntityRule("tigera-kibana", "tigera-secure")
	ECKOperatorSourceEntityRule = networkpolicy.CreateSourceEntityRule("tigera-eck-operator", "elastic-operator")
)
var (
	// NodeTLSSecretName names the calico-node TLS Secret; the non-cluster-host variant appends TyphaNonClusterHostSuffix.
	NodeTLSSecretName               = "node-certs"
	NodeTLSSecretNameNonClusterHost = NodeTLSSecretName + TyphaNonClusterHostSuffix
)
var (
	// PacketCaptureEntityRule matches the PacketCapture deployment on PacketCapturePort.
	PacketCaptureEntityRule = networkpolicy.CreateEntityRule(PacketCaptureNamespace, PacketCaptureDeploymentName, PacketCapturePort)
	// PacketCaptureSourceEntityRule is the port-less source form of the rule above.
	PacketCaptureSourceEntityRule = networkpolicy.CreateSourceEntityRule(PacketCaptureNamespace, PacketCaptureDeploymentName)
)
var (
	// Keys/identifiers used when describing TLS subjects (by name; CommonName/URISAN, and the
	// Typha server and Felix client common names).
	CommonName      = "common-name"
	URISAN          = "uri-san"
	TyphaCommonName = "typha-server"
	FelixCommonName = "typha-client"

	// Kubernetes built-in priority class names for node- and cluster-critical pods.
	NodePriorityClassName    = "system-node-critical"
	ClusterPriorityClassName = "system-cluster-critical"
)
var (
	// TyphaTLSSecretName names the Typha TLS Secret; the non-cluster-host variant appends TyphaNonClusterHostSuffix.
	TyphaTLSSecretName               = "typha-certs"
	TyphaTLSSecretNameNonClusterHost = TyphaTLSSecretName + TyphaNonClusterHostSuffix
	// ConfigMap name and key holding the Typha CA bundle.
	TyphaCAConfigMapName = "typha-ca"
	TyphaCABundleName    = "caBundle"
)
// DexEntityRule matches the Dex object in DexNamespace on DexPort.
var DexEntityRule = networkpolicy.CreateEntityRule(DexNamespace, DexObjectName, DexPort)
// EKSLogForwarderEntityRule matches the EKS log forwarder in LogCollectorNamespace.
// NOTE(review): despite the name it is built with CreateSourceEntityRule (no port), like the *SourceEntityRule vars.
var EKSLogForwarderEntityRule = networkpolicy.CreateSourceEntityRule(LogCollectorNamespace, EKSLogForwarderName)
// FluentdSourceEntityRule matches the fluentd-node (Linux and Windows) pods in LogCollectorNamespace.
// NOTE(review): the namespace selector uses the bare `name` label, whereas the Elasticsearch rules in this
// package use `projectcalico.org/name`; confirm the difference is intentional.
// fluentdNodeWindowsName is an unexported name declared elsewhere in the package.
var FluentdSourceEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("name == '%s'", LogCollectorNamespace),
	Selector:          networkpolicy.KubernetesAppSelector(FluentdNodeName, fluentdNodeWindowsName),
}
// InternalElasticsearchEntityRule is ElasticsearchEntityRule restricted to the inter-node port (9300) instead of 9200.
var InternalElasticsearchEntityRule = v3.EntityRule{
	NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace),
	Selector:          ElasticsearchSelector,
	Ports:             []numorstring.Port{{MinPort: ElasticsearchInternalPort, MaxPort: ElasticsearchInternalPort}},
}
// IntrusionDetectionInstallerSourceEntityRule matches pods of the installer Job by the job-name label.
// intrusionDetectionNamespaceSelector is an unexported name declared elsewhere in the package.
var IntrusionDetectionInstallerSourceEntityRule = v3.EntityRule{
	NamespaceSelector: intrusionDetectionNamespaceSelector,
	Selector:          fmt.Sprintf("job-name == '%s'", IntrusionDetectionInstallerJobName),
}
var (
	// IntrusionDetectionSourceEntityRule matches the intrusion detection controller pods by the k8s-app label.
	// intrusionDetectionNamespaceSelector is an unexported name declared elsewhere in the package.
	IntrusionDetectionSourceEntityRule = v3.EntityRule{
		NamespaceSelector: intrusionDetectionNamespaceSelector,
		Selector:          fmt.Sprintf("k8s-app == '%s'", IntrusionDetectionControllerName),
	}
)
Register secret/certs that need Server and Client Key usage
var (
	// TigeraAPIServerEntityRule matches by Service (QueryserverServiceName in QueryserverNamespace) rather than by pod selector.
	TigeraAPIServerEntityRule = v3.EntityRule{
		Services: &v3.ServiceMatch{
			Namespace: QueryserverNamespace,
			Name:      QueryserverServiceName,
		},
	}
)
Functions ¶
func CNIPluginFinalizedObjects ¶ added in v1.34.1
CNIPluginFinalizedObjects returns a list of objects that use the CNIFinalizer that should be removed only after the CNI plugin is removed.
func CreateCertificateConfigMap ¶ added in v1.25.1
func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap
CreateCertificateConfigMap is a convenience method for creating a ConfigMap that contains only a CA or certificate to trust.
func CreateCertificateSecret ¶ added in v1.18.0
CreateCertificateSecret is a convenience method for creating a Secret that contains only a CA or certificate to trust.
func CreateNamespace ¶ added in v1.22.0
func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard, azure *operatorv1.Azure) *corev1.Namespace
func CreateOperatorSecretsRoleBinding ¶ added in v1.37.0
func CreateOperatorSecretsRoleBinding(namespace string) *rbacv1.RoleBinding
CreateOperatorSecretsRoleBinding binds the tigera-operator-secrets ClusterRole to the operator's ServiceAccount in the given namespace, granting permission to manipulate secrets.
func DefaultCNIDirectories ¶ added in v1.39.0
DefaultCNIDirectories returns the binary and network config directories for the configured platform.
func DefaultWindowsCNIDirectories ¶ added in v1.32.0
func DefaultWindowsCNIDirectories(installation operatorv1.InstallationSpec) (string, string, string)
DefaultWindowsCNIDirectories returns the CNI binary, network config and log directories and the CNI conf filename for the configured platform. FIXME: populate with known default for other providers
func GetIPv4Pool ¶ added in v1.2.0
func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.
func GetIPv6Pool ¶ added in v1.2.0
func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.
func GetLinseedTokenPath ¶ added in v1.30.0
func GuardianService ¶ added in v1.38.0
func ImagePullPolicy ¶ added in v1.31.0
func ImagePullPolicy() corev1.PullPolicy
ImagePullPolicy returns the image pull policy to use for all components.
func JoinServiceEndpoints ¶ added in v1.40.0
func JoinServiceEndpoints(endpoints []k8sapi.ServiceEndpoint) string
JoinServiceEndpoints joins a list of ServiceEndpoint into a comma-separated string of ip:port.
func LinseedNamespace ¶ added in v1.33.0
func LinseedNamespace(tenant *operatorv1.Tenant) string
LinseedNamespace determines the namespace in which Linseed is running. For management and standalone clusters, this is always the tigera-elasticsearch namespace. For multi-tenant management clusters, this is the tenant namespace.
func ManagerService ¶ added in v1.33.0
func ManagerService(tenant *operatorv1.Tenant) string
ManagerService determines the name of the tigera manager service. For management and standalone clusters, this is always the tigera-manager.tigera-manager namespace. For multi-tenant management clusters, this is a service that resides within the tenant namespace.
func NewDexKeyValidatorConfig ¶ added in v1.12.0
func NewDexKeyValidatorConfig( authentication *oprv1.Authentication, clusterDomain string) authentication.KeyValidatorConfig
func ProcessPodProxies ¶ added in v1.35.3
func SetClusterCriticalPod ¶ added in v1.22.0
func SetClusterCriticalPod(t *corev1.PodTemplateSpec)
func SetTestLogger ¶
Types ¶
type APIServerConfiguration ¶ added in v1.25.0
// APIServerConfiguration contains all the config information needed to render the component.
type APIServerConfiguration struct {
	K8SServiceEndpoint k8sapi.ServiceEndpoint
	Installation       *operatorv1.InstallationSpec
	APIServer          *operatorv1.APIServerSpec
	// NOTE(review): presumably forces the API server pod onto the host network — confirm against the renderer.
	ForceHostNetwork            bool
	ApplicationLayer            *operatorv1.ApplicationLayer
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	// TLSKeyPair is the API server's own key pair; TrustedBundle below is the CA set it trusts.
	TLSKeyPair  certificatemanagement.KeyPairInterface
	PullSecrets []*corev1.Secret
	OpenShift   bool
	TrustedBundle      certificatemanagement.TrustedBundle
	MultiTenant        bool
	KeyValidatorConfig authentication.KeyValidatorConfig
	KubernetesVersion  *common.VersionInfo
	// When certificate management is enabled, we need a separate init container to create a cert, running
	// with the same permissions as query server.
	QueryServerTLSKeyPairCertificateManagementOnly certificatemanagement.KeyPairInterface
}
APIServerConfiguration contains all the config information needed to render the component.
func (*APIServerConfiguration) IsSidecarInjectionEnabled ¶ added in v1.36.0
func (cfg *APIServerConfiguration) IsSidecarInjectionEnabled() bool
type AWSSGSetupConfiguration ¶ added in v1.25.0
// AWSSGSetupConfiguration contains all the config information needed to render the component.
type AWSSGSetupConfiguration struct {
	// PullSecrets are references only here, unlike the []*corev1.Secret used by the other configurations.
	PullSecrets     []corev1.LocalObjectReference
	Installation    *operatorv1.InstallationSpec
	HostedOpenShift bool
}
AWSSGSetupConfiguration contains all the config information needed to render the component.
type CSIConfiguration ¶ added in v1.28.0
// CSIConfiguration holds the inputs for rendering the CSI component (see CSI).
type CSIConfiguration struct {
	Installation *operatorv1.InstallationSpec
	// Terminating presumably flags that the component is being torn down — confirm against the renderer.
	Terminating bool
	OpenShift   bool
}
type ComplianceConfiguration ¶ added in v1.25.0
// ComplianceConfiguration contains all the config information needed to render the component.
type ComplianceConfiguration struct {
	Installation                *operatorv1.InstallationSpec
	PullSecrets                 []*corev1.Secret
	OpenShift                   bool
	ManagementCluster           *operatorv1.ManagementCluster
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	KeyValidatorConfig          authentication.KeyValidatorConfig
	ClusterDomain               string
	HasNoLicense                bool

	// Trusted certificate bundle for all compliance pods.
	TrustedBundle certificatemanagement.TrustedBundleRO

	// Key pairs used for mTLS.
	ServerKeyPair      certificatemanagement.KeyPairInterface
	BenchmarkerKeyPair certificatemanagement.KeyPairInterface
	ReporterKeyPair    certificatemanagement.KeyPairInterface
	SnapshotterKeyPair certificatemanagement.KeyPairInterface
	ControllerKeyPair  certificatemanagement.KeyPairInterface

	Namespace         string
	BindingNamespaces []string

	// Whether to run the rendered components in multi-tenant, single-tenant, or zero-tenant mode
	Tenant         *operatorv1.Tenant
	ExternalElastic bool
	Compliance      *operatorv1.Compliance
}
ComplianceConfiguration contains all the config information needed to render the component.
type Component ¶
// Component is a unit of rendering: it resolves the images it needs, produces the
// Kubernetes objects to create and/or delete, reports whether it is ready, and declares
// which operating system its pods run on.
type Component interface {
	// ResolveImages should call components.GetReference for all images that the Component
	// needs, passing 'is' to the GetReference call, and if there are any errors those
	// are returned. It is valid to pass nil for 'is', as GetReference accepts that value.
	// ResolveImages must be called before Objects is called for the component.
	ResolveImages(is *operatorv1.ImageSet) error
	// Objects returns the lists of objects in this component that should be created and/or
	// deleted during rendering.
	Objects() (objsToCreate, objsToDelete []client.Object)
	// Ready returns true if the component is ready to be created.
	Ready() bool
	// SupportedOSType returns the operating system supported by the components returned by
	// the Objects() function. The "componentHandler" converts the returned OSType into a node
	// selector for the "kubernetes.io/os" label on client.Objects that create pods. Returning
	// OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label.
	SupportedOSType() rmeta.OSType
}
func APIServer ¶
func APIServer(cfg *APIServerConfiguration) (Component, error)
func APIServerPolicy ¶ added in v1.28.0
func APIServerPolicy(cfg *APIServerConfiguration) Component
func AWSSecurityGroupSetup ¶ added in v1.0.0
func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)
func CSI ¶ added in v1.28.0
func CSI(cfg *CSIConfiguration) Component
func Compliance ¶
func Compliance(cfg *ComplianceConfiguration) (Component, error)
func Dex ¶ added in v1.12.0
func Dex(cfg *DexComponentConfiguration) Component
func Fluentd ¶ added in v1.0.0
func Fluentd(cfg *FluentdConfiguration) Component
func Guardian ¶ added in v1.2.0
func Guardian(cfg *GuardianConfiguration) Component
func GuardianPolicy ¶ added in v1.28.0
func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)
func IntrusionDetection ¶
func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component
func LogStorage ¶ added in v1.4.0
func LogStorage(cfg *ElasticsearchConfiguration) Component
LogStorage renders the components necessary for Kibana and Elasticsearch.
func Manager ¶ added in v1.0.0
func Manager(cfg *ManagerConfiguration) (Component, error)
Manager returns a component for rendering namespaced manager resources.
func Namespaces ¶
func Namespaces(cfg *NamespaceConfiguration) Component
func NewDeletionPassthrough ¶ added in v1.29.1
func NewManagedClusterLogStorage ¶ added in v1.32.0
func NewManagedClusterLogStorage(cfg *ManagedClusterLogStorageConfiguration) Component
NewManagedClusterLogStorage returns a component for managed cluster log storage resources.
func NewPassthrough ¶ added in v1.22.0
func NewPassthroughWithLog ¶ added in v1.34.0
func NewSetup ¶ added in v1.40.0
func NewSetup(cfg *SetUpConfiguration) Component
func NewTyphaNonClusterHostPolicy ¶ added in v1.38.0
func NewTyphaNonClusterHostPolicy(cfg *TyphaConfiguration) Component
func Node ¶
func Node(cfg *NodeConfiguration) Component
Node creates the node daemonset and other resources for the daemonset to operate normally.
func PacketCaptureAPI ¶ added in v1.21.0
func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component
func PacketCaptureAPIPolicy ¶ added in v1.28.0
func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component
func PolicyRecommendation ¶ added in v1.30.0
func PolicyRecommendation(cfg *PolicyRecommendationConfiguration) Component
func Typha ¶ added in v1.0.0
func Typha(cfg *TyphaConfiguration) Component
Typha creates the typha daemonset and other resources for the daemonset to operate normally.
func Windows ¶ added in v1.23.0
func Windows( cfg *WindowsConfiguration, ) Component
type ContainerName ¶ added in v1.38.0
// ContainerName is a distinct string type for container names, so that they are not
// mixed up with arbitrary strings in the rendering code.
type ContainerName string
type DexComponentConfiguration ¶ added in v1.25.0
// DexComponentConfiguration contains all the config information needed to render the
// Dex component (consumed by Dex).
type DexComponentConfiguration struct {
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// DexConfig supplies the Dex-specific connector, issuer, env, secrets and volumes
	// (see the DexConfig interface).
	DexConfig DexConfig
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// DeleteDex is set when the Dex resources should be removed instead of created —
	// presumably; confirm in dex.go.
	DeleteDex bool
	// TLSKeyPair is the key pair presented by Dex — presumably its serving certificate;
	// confirm in dex.go.
	TLSKeyPair certificatemanagement.KeyPairInterface
	// TrustedBundle is the CA bundle mounted into the Dex pod. NOTE(review): this is the
	// writable TrustedBundle, not the TrustedBundleRO used by most other configurations here.
	TrustedBundle certificatemanagement.TrustedBundle
	// Authentication is the Authentication CR that Dex is rendered from.
	Authentication *operatorv1.Authentication
	// PodProxies represents the resolved proxy configuration for each Dex pod.
	// If this slice is empty, then resolution has not yet occurred. Pods with no proxy
	// configured are represented with a nil value.
	PodProxies []*httpproxy.Config
}
DexComponentConfiguration contains all the config information needed to render the component.
type DexConfig ¶ added in v1.12.0
// DexConfig is a config for DexIdP itself: everything the Dex deployment needs beyond the
// generic component settings. Create one with NewDexConfig.
type DexConfig interface {
	// Connector returns the dex connector configuration block.
	Connector() map[string]interface{}
	// RedirectURIs returns the list of redirect URIs for the dex static client.
	RedirectURIs() []string
	// Issuer returns the issuer URL for dex.
	Issuer() string
	// RequiredEnv returns env variables required by the dex deployment.
	RequiredEnv(prefix string) []corev1.EnvVar
	// RequiredAnnotations returns pod annotations required by the dex deployment.
	RequiredAnnotations() map[string]string
	// RequiredSecrets returns secrets required by the dex deployment in the given namespace.
	// These carry IdP credentials, so callers should treat the returned objects as sensitive.
	RequiredSecrets(namespace string) []*corev1.Secret
	// RequiredVolumeMounts returns volume mounts required by the dex deployment.
	RequiredVolumeMounts() []corev1.VolumeMount
	// RequiredVolumes returns volumes required by the dex deployment.
	RequiredVolumes() []corev1.Volume
	// RequiredSecretProviderClass returns SecretProviderClass objects required by the dex deployment.
	RequiredSecretProviderClass(namespace string) []*csisecret.SecretProviderClass
}
DexConfig is a config for DexIdP itself.
func NewDexConfig ¶ added in v1.12.0
func NewDexConfig( certificateManagement *oprv1.CertificateManagement, authentication *oprv1.Authentication, idpSecret *corev1.Secret, secretProviderClass *csisecret.SecretProviderClass, clusterDomain string) DexConfig
NewDexConfig creates a new DexConfig.
type DexKeyValidatorConfig ¶ added in v1.12.0
// DexKeyValidatorConfig describes how a component validates tokens issued by Dex
// (issuer, client ID, username claim, plus the env, secrets and volumes it needs).
// It is returned by NewDexKeyValidatorConfig as an authentication.KeyValidatorConfig.
type DexKeyValidatorConfig struct {
	// contains filtered or unexported fields
}
func (*DexKeyValidatorConfig) BaseURL ¶ added in v1.18.0
func (d *DexKeyValidatorConfig) BaseURL() string
func (*DexKeyValidatorConfig) ClientID ¶ added in v1.18.0
func (d *DexKeyValidatorConfig) ClientID() string
func (*DexKeyValidatorConfig) Issuer ¶ added in v1.18.0
func (d *DexKeyValidatorConfig) Issuer() string
func (*DexKeyValidatorConfig) RequiredAnnotations ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string
RequiredAnnotations returns the annotations that are relevant for a validator config.
func (*DexKeyValidatorConfig) RequiredConfigMaps ¶ added in v1.18.0
func (d *DexKeyValidatorConfig) RequiredConfigMaps(string) []*corev1.ConfigMap
func (*DexKeyValidatorConfig) RequiredEnv ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar
RequiredEnv returns the environment variables that are necessary for using the dex authenticator.
func (*DexKeyValidatorConfig) RequiredSecrets ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret
func (*DexKeyValidatorConfig) RequiredVolumeMounts ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount
func (*DexKeyValidatorConfig) RequiredVolumes ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume
func (*DexKeyValidatorConfig) UsernameClaim ¶ added in v1.18.0
func (d *DexKeyValidatorConfig) UsernameClaim() string
type EksCloudwatchLogConfig ¶ added in v1.0.0
type ElasticsearchConfiguration ¶ added in v1.25.0
// ElasticsearchConfiguration contains all the config information needed to render the
// log storage component (consumed by LogStorage).
type ElasticsearchConfiguration struct {
	// LogStorage is the LogStorage CR being rendered.
	LogStorage *operatorv1.LogStorage
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// ManagementCluster is set when rendering on a management cluster.
	ManagementCluster *operatorv1.ManagementCluster
	// Elasticsearch is the ECK Elasticsearch resource — presumably the currently deployed
	// one, if any; confirm in logstorage.go.
	Elasticsearch *esv1.Elasticsearch
	// ClusterConfig describes the Elasticsearch cluster (shards, replicas, ...).
	ClusterConfig *relasticsearch.ClusterConfig
	// ElasticsearchUserSecret holds Elasticsearch user credentials; treat as sensitive.
	ElasticsearchUserSecret *corev1.Secret
	// ElasticsearchKeyPair is the key pair presented by Elasticsearch.
	ElasticsearchKeyPair certificatemanagement.KeyPairInterface
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// Provider is the Kubernetes provider the cluster runs on.
	Provider operatorv1.Provider
	// CuratorSecrets are secrets for the curator — presumably; confirm in logstorage.go.
	CuratorSecrets []*corev1.Secret
	// ESService is the Elasticsearch Service object.
	ESService *corev1.Service
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// ElasticLicenseType is the detected Elasticsearch license type.
	ElasticLicenseType ElasticsearchLicenseType
	// TrustedBundle is the CA bundle mounted into the rendered pods.
	TrustedBundle certificatemanagement.TrustedBundleRO
	// UnusedTLSSecret — NOTE(review): the name suggests a secret kept only for deletion
	// or compatibility; its purpose is not visible here, confirm in logstorage.go.
	UnusedTLSSecret *corev1.Secret
}
ElasticsearchConfiguration contains all the config information needed to render the component.
type ElasticsearchLicenseType ¶ added in v1.14.0
// ElasticsearchLicenseType is a distinct string type for the Elasticsearch license type
// carried in ElasticsearchConfiguration and IntrusionDetectionConfiguration.
type ElasticsearchLicenseType string
type FluentdConfiguration ¶ added in v1.25.0
// FluentdConfiguration contains all the config information needed to render the
// fluentd log collection component (consumed by Fluentd).
type FluentdConfiguration struct {
	// LogCollector is the LogCollector CR being rendered.
	LogCollector *operatorv1.LogCollector
	// S3Credential and SplkCredential are credentials for optional forwarding destinations;
	// nil presumably means the destination is not configured. Both hold secret material.
	S3Credential *S3Credential
	SplkCredential *SplunkCredential
	// Filters are user-supplied fluentd filter definitions.
	Filters *FluentdFilters
	// ESClusterConfig is only populated for when EKSConfig
	// is also defined
	ESClusterConfig *relasticsearch.ClusterConfig
	// EKSConfig configures EKS CloudWatch log collection.
	EKSConfig *EksCloudwatchLogConfig
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// OSType selects the node OS (Linux or Windows) the daemonset is rendered for.
	OSType rmeta.OSType
	// FluentdKeyPair is the key pair fluentd presents when communicating with Linseed.
	FluentdKeyPair certificatemanagement.KeyPairInterface
	// TrustedBundle is the CA bundle mounted into the fluentd pods.
	TrustedBundle certificatemanagement.TrustedBundle
	// ManagedCluster is set when rendering on a managed cluster.
	ManagedCluster bool
	// Set if running as a multi-tenant management cluster. Configures the management cluster's
	// own fluentd daemonset.
	Tenant *operatorv1.Tenant
	// ExternalElastic is set when Elasticsearch is hosted outside the cluster — TODO confirm.
	ExternalElastic bool
	// Whether to use User provided certificate or not.
	UseSyslogCertificate bool
	// EKSLogForwarderKeyPair contains the certificate presented by EKS LogForwarder when communicating with Linseed
	EKSLogForwarderKeyPair certificatemanagement.KeyPairInterface
	// PacketCapture and NonClusterHost are optional CRs whose presence enables the
	// corresponding log inputs — presumably; confirm in fluentd.go.
	PacketCapture *operatorv1.PacketCaptureAPI
	NonClusterHost *operatorv1.NonClusterHost
}
FluentdConfiguration contains all the config information needed to render the component.
type FluentdFilters ¶ added in v1.0.0
type ForwardingDestination ¶ added in v1.39.0
// ForwardingDestination is a distinct string type naming a log forwarding destination.
type ForwardingDestination string
type GuardianComponent ¶ added in v1.2.0
// GuardianComponent renders the Guardian deployment and its related resources; it
// implements Component (see Objects, Ready, ResolveImages and SupportedOSType).
// Construct it with Guardian.
type GuardianComponent struct {
	// contains filtered or unexported fields
}
func (*GuardianComponent) Objects ¶ added in v1.2.0
func (c *GuardianComponent) Objects() ([]client.Object, []client.Object)
func (*GuardianComponent) Ready ¶ added in v1.2.0
func (c *GuardianComponent) Ready() bool
func (*GuardianComponent) ResolveImages ¶ added in v1.14.0
func (c *GuardianComponent) ResolveImages(is *operatorv1.ImageSet) error
func (*GuardianComponent) SupportedOSType ¶ added in v1.11.0
func (c *GuardianComponent) SupportedOSType() rmeta.OSType
type GuardianConfiguration ¶ added in v1.25.0
// GuardianConfiguration contains all the config information needed to render the
// Guardian component (consumed by Guardian and GuardianPolicy).
type GuardianConfiguration struct {
	// URL is the address Guardian connects to — presumably the management cluster
	// tunnel endpoint; confirm in guardian.go.
	URL string
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// TunnelSecret holds the credential Guardian uses for the tunnel to the management
	// cluster; treat as sensitive (do not log its contents).
	TunnelSecret *corev1.Secret
	// TrustedCertBundle is the CA bundle Guardian uses to verify peers.
	TrustedCertBundle certificatemanagement.TrustedBundleRO
	// TunnelCAType selects which CA type signs the tunnel certificates.
	TunnelCAType operatorv1.CAType
	// ManagementClusterConnection is the CR this configuration is derived from.
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	// PodProxies represents the resolved proxy configuration for each Guardian pod.
	// If this slice is empty, then resolution has not yet occurred. Pods with no proxy
	// configured are represented with a nil value.
	PodProxies []*httpproxy.Config
	// GuardianClientKeyPair is the client certificate Guardian presents to the management
	// cluster (mTLS) — presumably; confirm in guardian.go.
	GuardianClientKeyPair certificatemanagement.KeyPairInterface
	// Version stores the version of the cluster, as reported by the ClusterInformation object. It is used to restart
	// guardian when the version changes, which triggers the management cluster to re-check for version skew.
	Version string
}
GuardianConfiguration contains all the config information needed to render the component.
type IntrusionDetectionConfiguration ¶ added in v1.25.0
// IntrusionDetectionConfiguration contains all the config information needed to render
// the intrusion detection component (consumed by IntrusionDetection).
type IntrusionDetectionConfiguration struct {
	// IntrusionDetection is the IntrusionDetection CR being rendered.
	IntrusionDetection *operatorv1.IntrusionDetection
	// LogCollector is the LogCollector CR, if any.
	LogCollector *operatorv1.LogCollector
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// ESLicenseType is the detected Elasticsearch license type.
	ESLicenseType ElasticsearchLicenseType
	// ManagedCluster / ManagementCluster describe the cluster's role in a multicluster setup.
	ManagedCluster bool
	ManagementCluster bool
	// SyslogForwardingIsEnabled is set when logs are also forwarded to syslog.
	SyslogForwardingIsEnabled bool
	// HasNoLicense is set when no valid license is present — presumably rendering is
	// reduced or skipped in that case; confirm in intrusion_detection.go.
	HasNoLicense bool
	// TrustedCertBundle is the CA bundle mounted into the rendered pods.
	TrustedCertBundle certificatemanagement.TrustedBundleRO
	// IntrusionDetectionCertSecret is the key pair the intrusion detection pods present.
	IntrusionDetectionCertSecret certificatemanagement.KeyPairInterface
	// Namespace is the namespace the resources are rendered into.
	Namespace string
	// BindNamespaces lists the namespaces RBAC should be bound to — presumably the same
	// semantics as ManagerConfiguration.BindingNamespaces; confirm in intrusion_detection.go.
	BindNamespaces []string
	// Tenant is set when running in multi-tenant mode.
	Tenant *operatorv1.Tenant
	// ExternalElastic is set when Elasticsearch is hosted outside the cluster — TODO confirm.
	ExternalElastic bool
}
IntrusionDetectionConfiguration contains all the config information needed to render the component.
type ManagedClusterLogStorageConfiguration ¶ added in v1.32.0
// ManagedClusterLogStorageConfiguration contains configuration for managed cluster log
// storage (consumed by NewManagedClusterLogStorage).
type ManagedClusterLogStorageConfiguration struct {
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// Provider is the Kubernetes provider the cluster runs on.
	Provider operatorv1.Provider
}
ManagedClusterLogStorageConfiguration contains configuration for managed cluster log storage.
type ManagerConfiguration ¶ added in v1.25.0
// ManagerConfiguration contains all the config information needed to render the
// namespaced manager resources (consumed by Manager).
type ManagerConfiguration struct {
	// VoltronRouteConfig describes the routes Voltron serves.
	VoltronRouteConfig *manager.VoltronRouteConfig
	// KeyValidatorConfig configures how the manager validates caller tokens
	// (for example the value returned by NewDexKeyValidatorConfig).
	KeyValidatorConfig authentication.KeyValidatorConfig
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// ManagementCluster is set when rendering on a management cluster.
	ManagementCluster *operatorv1.ManagementCluster
	// NonClusterHost is the NonClusterHost CR, if any.
	NonClusterHost *operatorv1.NonClusterHost
	// If provided, the KeyPair to used for external connections terminated by Voltron,
	// and connections from the manager pod to Linseed.
	TLSKeyPair certificatemanagement.KeyPairInterface
	// The key pair to use for TLS between Linseed clients in managed clusters and Voltron
	// in the management cluster.
	VoltronLinseedKeyPair certificatemanagement.KeyPairInterface
	// KeyPair used by Voltron as the server certificate when establishing an mTLS tunnel with Guardian.
	TunnelServerCert certificatemanagement.KeyPairInterface
	// TLS KeyPair used by both Voltron and ui-apis, presented by each as part of the mTLS handshake with
	// other services within the cluster. This is used in both management and standalone clusters.
	InternalTLSKeyPair certificatemanagement.KeyPairInterface
	// Certificate bundle used by the manager pod to verify certificates presented
	// by clients as part of mTLS authentication.
	TrustedCertBundle certificatemanagement.TrustedBundleRO
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// ESLicenseType is the detected Elasticsearch license type.
	ESLicenseType ElasticsearchLicenseType
	// Replicas is the desired manager replica count; nil presumably means "use the default".
	Replicas *int32
	// Compliance-related inputs: the Compliance CR, whether its license is active, and the
	// namespace it runs in.
	Compliance *operatorv1.Compliance
	ComplianceLicenseActive bool
	ComplianceNamespace string
	// Namespace is the namespace the manager resources are rendered into.
	Namespace string
	// TruthNamespace — NOTE(review): purpose not visible on this page; confirm in manager.go.
	TruthNamespace string
	// Single namespace to which RBAC should be bound, in single-tenant systems.
	// List of all tenant namespaces, in a multi-tenant system.
	BindingNamespaces []string
	// List of namespaces for Tenants who manage Calico OSS clusters, in a multi-tenant system.
	OSSTenantNamespaces []string
	// Whether to run the rendered components in multi-tenant, single-tenant, or zero-tenant mode
	Tenant *operatorv1.Tenant
	// ExternalElastic is set when Elasticsearch is hosted outside the cluster — TODO confirm.
	ExternalElastic bool
	// Manager is the Manager CR being rendered.
	Manager *operatorv1.Manager
}
ManagerConfiguration contains all the config information needed to render the component.
type NamespaceConfiguration ¶ added in v1.25.0
// NamespaceConfiguration contains all the config information needed to render the
// namespaces component (consumed by Namespaces).
type NamespaceConfiguration struct {
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// PullSecrets are the image pull secrets copied into the rendered namespaces — presumably;
	// confirm in namespaces.go.
	PullSecrets []*corev1.Secret
	// Terminating is set while the installation is being torn down.
	Terminating bool
}
NamespaceConfiguration contains all the config information needed to render the component.
type NodeConfiguration ¶ added in v1.22.0
// NodeConfiguration is the public API used to provide information to the render code to
// generate Kubernetes objects for installing calico/node on a cluster (consumed by Node).
type NodeConfiguration struct {
	// GoldmaneRunning is set when Goldmane is deployed in the cluster.
	GoldmaneRunning bool
	// K8sServiceEp, K8sServiceAddrs and K8sEndpointSlice describe how calico/node reaches the
	// Kubernetes API server (see JoinServiceEndpoints).
	K8sServiceEp k8sapi.ServiceEndpoint
	K8sServiceAddrs []k8sapi.ServiceEndpoint
	K8sEndpointSlice []k8sapi.ServiceEndpoint
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// IPPools are the IP pools to configure (see GetIPv4Pool / GetIPv6Pool).
	IPPools []operatorv1.IPPool
	// TLS holds the certificates and expected identities for the Node <-> Typha connection.
	TLS *TyphaNodeTLS
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// Defaults for DNS.
	DefaultDNSPolicy corev1.DNSPolicy
	DefaultDNSConfig *corev1.PodDNSConfig
	// Goldmane IP, to avoid DNS resolution using kube-dns.
	GoldmaneIP string
	// Optional fields.
	LogCollector *operatorv1.LogCollector
	MigrateNamespaces bool
	// NodeAppArmorProfile is the AppArmor profile to apply to the node pods; an empty value
	// presumably leaves the profile unset.
	NodeAppArmorProfile string
	// BirdTemplates are user-supplied BIRD config templates, keyed by file name — presumably;
	// confirm in node.go.
	BirdTemplates map[string]string
	// NodeReporterMetricsPort is the port the node reporter exposes metrics on.
	NodeReporterMetricsPort int
	// CanRemoveCNIFinalizer specifies whether CNI plugin is still needed during uninstall since the CNI plugin and
	// associated RBAC resources are required for pod teardown to succeed. Setting this to true removes
	// the finalizer from the CNI plugin and associated RBAC resources, allowing them to be deleted.
	// For details on why this is needed see 'Node and Installation finalizer' in the core_controller.
	CanRemoveCNIFinalizer bool
	// PrometheusServerTLS is the key pair presented on the Prometheus metrics endpoint.
	PrometheusServerTLS certificatemanagement.KeyPairInterface
	// BGPLayouts is returned by the rendering code after modifying its namespace
	// so that it can be deployed into the cluster.
	// TODO: The controller should pass the contents, the renderer should build its own
	// configmap, rather than this "copy" semantic.
	BGPLayouts *corev1.ConfigMap
	// The health port that Felix should bind to. The controller reads FelixConfiguration
	// and sets this.
	FelixHealthPort int
	// Node's CgroupV2Path override. The controller reads FelixConfiguration and sets this.
	NodeCgroupV2Path string
	// The bindMode read from the default BGPConfiguration. Used to trigger rolling updates
	// should this value change.
	BindMode string
	// FelixPrometheusMetricsEnabled / FelixPrometheusMetricsPort control Felix's Prometheus
	// metrics endpoint.
	FelixPrometheusMetricsEnabled bool
	FelixPrometheusMetricsPort int
}
NodeConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/node on a cluster.
type PacketCaptureApiConfiguration ¶ added in v1.25.0
// PacketCaptureApiConfiguration contains all the config information needed to render the
// packet capture API component (consumed by PacketCaptureAPI and PacketCaptureAPIPolicy).
type PacketCaptureApiConfiguration struct {
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// KeyValidatorConfig configures how the API validates caller tokens
	// (for example the value returned by NewDexKeyValidatorConfig).
	KeyValidatorConfig authentication.KeyValidatorConfig
	// ServerCertSecret is the key pair the API server presents.
	ServerCertSecret certificatemanagement.KeyPairInterface
	// TrustedBundle is the CA bundle mounted into the rendered pods.
	TrustedBundle certificatemanagement.TrustedBundle
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// ManagementClusterConnection is set when rendering on a managed cluster.
	ManagementClusterConnection *operatorv1.ManagementClusterConnection
	// PacketCaptureAPI is the PacketCaptureAPI CR being rendered.
	PacketCaptureAPI *operatorv1.PacketCaptureAPI
}
PacketCaptureApiConfiguration contains all the config information needed to render the component.
type PodSecurityStandard ¶ added in v1.28.0
// PodSecurityStandard is a distinct string type for the Pod Security Standard level
// applied to a namespace (see CreateNamespace and SetUpConfiguration.PSS).
type PodSecurityStandard string
type PolicyRecommendationConfiguration ¶ added in v1.30.0
// PolicyRecommendationConfiguration contains all the config information needed to render
// the policy recommendation component (consumed by PolicyRecommendation).
type PolicyRecommendationConfiguration struct {
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// ManagedCluster / ManagementCluster describe the cluster's role in a multicluster setup.
	ManagedCluster bool
	ManagementCluster bool
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// PullSecrets are the image pull secrets to attach to the rendered pods.
	PullSecrets []*corev1.Secret
	// TrustedBundle is the CA bundle mounted into the rendered pods.
	TrustedBundle certificatemanagement.TrustedBundleRO
	// PolicyRecommendationCertSecret is the key pair the policy recommendation pods present.
	PolicyRecommendationCertSecret certificatemanagement.KeyPairInterface
	// Namespace is the namespace the resources are rendered into.
	Namespace string
	// BindingNamespaces lists the namespaces RBAC should be bound to — presumably the same
	// semantics as ManagerConfiguration.BindingNamespaces; confirm in policyrecommendation.go.
	BindingNamespaces []string
	// Whether or not to run the rendered components in multi-tenant mode.
	Tenant *operatorv1.Tenant
	// ExternalElastic is set when Elasticsearch is hosted outside the cluster — TODO confirm.
	ExternalElastic bool
	// PolicyRecommendation is the PolicyRecommendation CR being rendered.
	PolicyRecommendation *operatorv1.PolicyRecommendation
}
PolicyRecommendationConfiguration contains all the config information needed to render the component.
type Renderer ¶
// A Renderer is capable of generating components to be installed on the cluster.
type Renderer interface {
	// Render returns the Components to install, in the order they should be handled.
	Render() []Component
}
A Renderer is capable of generating components to be installed on the cluster.
type S3Credential ¶ added in v1.0.0
type SetUpComponent ¶ added in v1.40.0
// SetUpComponent is an implementation of Component that sets up the common resources
// shared between controllers (namespace, pull secrets, role bindings). Construct it with NewSetup.
type SetUpComponent struct {
	// contains filtered or unexported fields
}
SetUpComponent is an implementation of Component that sets up the common resources shared between controllers.
func (*SetUpComponent) Objects ¶ added in v1.40.0
func (p *SetUpComponent) Objects() (objsToCreate []client.Object, objsToDelete []client.Object)
Objects returns the lists of objects in this component that should be created and/or deleted during rendering.
func (*SetUpComponent) Ready ¶ added in v1.40.0
func (p *SetUpComponent) Ready() bool
Ready returns true if the component is ready to be created.
func (*SetUpComponent) ResolveImages ¶ added in v1.40.0
func (p *SetUpComponent) ResolveImages(is *operatorv1.ImageSet) error
ResolveImages should call components.GetReference for every image that the Component needs, passing 'is' to the GetReference call; any errors are returned. It is valid to pass nil for 'is', as GetReference accepts that value. ResolveImages must be called before Objects is called for the component.
func (*SetUpComponent) SupportedOSType ¶ added in v1.40.0
func (p *SetUpComponent) SupportedOSType() rmeta.OSType
SupportedOSType returns the operating system supported by the components returned by the Objects() function. The "componentHandler" converts the returned OSType into a node selector for the "kubernetes.io/os" label on client.Objects that create pods. Returning OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label.
type SetUpConfiguration ¶ added in v1.40.0
// SetUpConfiguration contains the config information needed to render the common
// setup resources (consumed by NewSetup).
type SetUpConfiguration struct {
	// OpenShift is set when rendering for an OpenShift cluster.
	OpenShift bool
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// PullSecrets are the image pull secrets to copy into Namespace — presumably; confirm in setup.go.
	PullSecrets []*corev1.Secret
	// Namespace is the namespace the setup resources are rendered into.
	Namespace string
	// PSS is the Pod Security Standard level applied to Namespace when it is created
	// (see CreateNamespace).
	PSS PodSecurityStandard
	// CreateNamespace controls whether the Namespace object itself is rendered.
	CreateNamespace bool
}
type SplunkCredential ¶ added in v1.4.0
// SplunkCredential holds the credential fluentd uses to forward logs to Splunk
// (see FluentdConfiguration.SplkCredential).
type SplunkCredential struct {
	// Token is the raw Splunk token. It is secret material: do not log it, and avoid
	// copying it into non-Secret objects.
	Token []byte
}
type TyphaConfiguration ¶ added in v1.22.0
// TyphaConfiguration is the public API used to provide information to the render code to
// generate Kubernetes objects for installing calico/typha on a cluster (consumed by Typha
// and NewTyphaNonClusterHostPolicy).
type TyphaConfiguration struct {
	// K8sServiceEp describes how Typha reaches the Kubernetes API server.
	K8sServiceEp k8sapi.ServiceEndpoint
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// TLS holds the certificates and expected identities for the Node <-> Typha connection.
	TLS *TyphaNodeTLS
	// MigrateNamespaces is set while migrating from the legacy namespace layout — presumably;
	// confirm in typha.go.
	MigrateNamespaces bool
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// NonClusterHost is the NonClusterHost CR, if any.
	NonClusterHost *operatorv1.NonClusterHost
	// The health port that Felix is bound to. We configure Typha to bind to the port
	// that is one less.
	FelixHealthPort int
}
TyphaConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/typha on a cluster.
type TyphaNodeTLS ¶ added in v1.0.0
// TyphaNodeTLS holds configuration for Node and Typha to establish TLS: the trusted CA
// bundle, the key pair each side presents, and the identity (CN or URI SAN) each side
// expects from its peer.
type TyphaNodeTLS struct {
	// TrustedBundle is the CA bundle used to verify the peer's certificate.
	TrustedBundle certificatemanagement.TrustedBundle
	// TyphaSecret is the key pair Typha presents to in-cluster nodes;
	// TyphaSecretNonClusterHost the one it presents to non-cluster hosts.
	TyphaSecret certificatemanagement.KeyPairInterface
	TyphaSecretNonClusterHost certificatemanagement.KeyPairInterface
	// TyphaCommonName / TyphaURISAN are the identities nodes expect in Typha's certificate —
	// presumably only one of the pair is set; confirm in typha.go / node.go. Pinning the peer
	// identity (not just the CA) is what stops any other CA-signed cert from impersonating Typha.
	TyphaCommonName string
	TyphaURISAN string
	// NodeSecret is the key pair calico/node presents to Typha.
	NodeSecret certificatemanagement.KeyPairInterface
	// NodeCommonName / NodeURISAN are the identities Typha expects in a node's certificate.
	NodeCommonName string
	NodeURISAN string
	// NodeNonClusterHostCommonName / NodeNonClusterHostURISAN are the identities Typha expects
	// in a non-cluster host's certificate.
	NodeNonClusterHostCommonName string
	NodeNonClusterHostURISAN string
}
TyphaNodeTLS holds configuration for Node and Typha to establish TLS.
type WindowsConfiguration ¶ added in v1.32.0
// WindowsConfiguration contains the config information needed to render the Windows
// node component (consumed by Windows).
type WindowsConfiguration struct {
	// K8sServiceEp describes how the Windows node reaches the Kubernetes API server.
	K8sServiceEp k8sapi.ServiceEndpoint
	// K8sDNSServers are the cluster DNS server addresses handed to the Windows node.
	K8sDNSServers []string
	// Installation is the resolved Installation spec the rendering is based on.
	Installation *operatorv1.InstallationSpec
	// ClusterDomain is the cluster's DNS domain, used when building in-cluster service names.
	ClusterDomain string
	// TLS holds the certificates and expected identities for the Node <-> Typha connection.
	TLS *TyphaNodeTLS
	// PrometheusServerTLS is the key pair presented on the Prometheus metrics endpoint.
	PrometheusServerTLS certificatemanagement.KeyPairInterface
	// NodeReporterMetricsPort is the port the node reporter exposes metrics on.
	NodeReporterMetricsPort int
	// VXLANVNI is the VXLAN network identifier used by the Windows dataplane.
	VXLANVNI int
}
Source Files
- apiserver.go
- aws-securitygroup-setup.go
- compliance.go
- component.go
- crypto_utils.go
- csi.go
- dex.go
- dex_config.go
- finalizers.go
- fluentd.go
- guardian.go
- intrusion_detection.go
- logstorage.go
- manager.go
- namespaces.go
- node.go
- packet_capture_api.go
- passthru.go
- policyrecommendation.go
- render.go
- setup.go
- typha.go
- utils.go
- windows.go