injector

package
v0.7.6
Published: May 23, 2020 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

const (
	// AnnotationAgentProvider sets a provider for the agent used to retrieve secrets
	AnnotationAgentProvider = "kubers.jacops.pl/agent-provider"

	// AnnotationAgentProviderAzureCredentialsSecret enables authentication via Azure service principal
	AnnotationAgentProviderAzureCredentialsSecret = "kubers.jacops.pl/agent-provider-azure-credentials-secret"

	// AnnotationAgentProviderAWSCredentialsSecret enables authentication via AWS keys
	AnnotationAgentProviderAWSCredentialsSecret = "kubers.jacops.pl/agent-provider-aws-credentials-secret"

	// AnnotationAgentProviderAWSRegion overrides aws region passed to the operator
	AnnotationAgentProviderAWSRegion = "kubers.jacops.pl/agent-provider-aws-region"

	// AnnotationAgentLogLevel sets a log level for the agent
	AnnotationAgentLogLevel = "kubers.jacops.pl/agent-log-level"

	// AnnotationAgentLogFormat sets a log format for the agent
	AnnotationAgentLogFormat = "kubers.jacops.pl/agent-log-format"

	// AnnotationAgentStatus is the key of the annotation that is added to
	// a pod after an injection is done.
	// There's only one valid status we care about: "injected".
	AnnotationAgentStatus = "kubers.jacops.pl/agent-inject-status"

	// AnnotationAgentInject is the key of the annotation that controls whether
	// injection is explicitly enabled or disabled for a pod. This should
	// be set to a true or false value, as parseable by strconv.ParseBool
	AnnotationAgentInject = "kubers.jacops.pl/agent-inject"

	// AnnotationAgentInjectSecret is the key annotation that configures Vault
	// Agent to retrieve the secrets from Vault required by the app. The name
	// of the secret is any unique string after "kubers.jacops.pl/agent-inject-secret-",
	// such as "kubers.jacops.pl/agent-inject-secret-foobar". The value is the
	// path in Vault where the secret is located.
	AnnotationAgentInjectSecret = "kubers.jacops.pl/agent-inject-secret"

	// AnnotationAgentImage is the name of the Vault docker image to use.
	AnnotationAgentImage = "kubers.jacops.pl/agent-image"

	// AnnotationVaultSecretVolumePath specifies where the secrets are to be
	// mounted after fetching.
	AnnotationVaultSecretVolumePath = "kubers.jacops.pl/secret-volume-path"

	// AnnotationPreserveSecretCase, if enabled, preserves the case of the secret name;
	// by default the name is converted to lower case.
	AnnotationPreserveSecretCase = "kubers.jacops.pl/preserve-secret-case"
)
const (
	DefaultVaultImage = "jacops/kubers-agent"
)

Variables

This section is empty.

Functions

func EscapeJSONPointer

func EscapeJSONPointer(s string) string

EscapeJSONPointer escapes a JSON string to be compliant with the JavaScript Object Notation (JSON) Pointer syntax RFC: https://tools.ietf.org/html/rfc6901.

func Init

func Init(pod *corev1.Pod, cfg *AgentInjectorConfig) error

Init configures the expected annotations required to create a new instance of Agent. This should be run before calling New to ensure all annotations are present.

func ShouldInject

func ShouldInject(pod *corev1.Pod) (bool, error)

ShouldInject checks whether the pod in question should be injected with Vault Agent containers.
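The injection decision and the RFC 6901 escaping described above, as an added example that is not the package's own code: it works on a plain annotation map instead of a corev1.Pod, the helper names (shouldInject, secretsFromAnnotations, statusPatchPath) are hypothetical, and the annotation keys are the constants listed on this page.

```go
package main

import (
	"strconv"
	"strings"
)

// Annotation keys taken from the constants on this page.
const (
	annInject       = "kubers.jacops.pl/agent-inject"
	annStatus       = "kubers.jacops.pl/agent-inject-status"
	annSecretPrefix = "kubers.jacops.pl/agent-inject-secret-"
)

// escapeJSONPointer applies RFC 6901 escaping: "~" -> "~0" first, then
// "/" -> "~1" (in that order, or the "~" of "~1" would be escaped again).
func escapeJSONPointer(s string) string {
	return strings.ReplaceAll(strings.ReplaceAll(s, "~", "~0"), "/", "~1")
}

// shouldInject mirrors the documented rules: an "injected" status blocks
// further mutation; otherwise agent-inject decides (strconv.ParseBool), and
// when it is absent the handler's RequireAnnotation setting decides.
func shouldInject(ann map[string]string, requireAnnotation bool) (bool, error) {
	if ann[annStatus] == "injected" {
		return false, nil
	}
	raw, ok := ann[annInject]
	if !ok {
		return !requireAnnotation, nil
	}
	return strconv.ParseBool(raw) // a malformed value is an error, not "false"
}

// secretsFromAnnotations maps each agent-inject-secret-<name> annotation to
// its Vault path, lower-casing <name> as the page says happens by default.
func secretsFromAnnotations(ann map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range ann {
		if name := strings.TrimPrefix(k, annSecretPrefix); name != k && name != "" {
			out[strings.ToLower(name)] = v
		}
	}
	return out
}

// statusPatchPath builds the status annotation's JSON Pointer; the "/" in the key must be escaped.
func statusPatchPath() string {
	return "/metadata/annotations/" + escapeJSONPointer(annStatus)
}
```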

Types

type AgentInjector

type AgentInjector struct {

	// Annotations are the current pod annotations used to
	// configure the Vault Agent container.
	Annotations map[string]string

	// ImageName is the name of the Vault image to use for the
	// sidecar container.
	ImageName string

	// Inject is the flag used to determine if a container should be requested
	// in a pod request.
	Inject bool

	// Patches are all the mutations we will make to the pod request.
	Patches []*jsonpatch.JsonPatchOperation

	// Pod is the original Kubernetes pod spec.
	Pod *corev1.Pod

	// Secrets are all the templates, the path in Vault where the secret can be
	// found, and the unique name of the secret which will be used for the filename.
	Secrets []*agent.Secret

	// Status is the current injection status.  The only status considered is "injected",
	// which prevents further mutations.  A user can patch this annotation to force a new
	// mutation.
	Status string
}

AgentInjector is the top level structure holding all the configurations for the Vault Agent container.

func New

func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*AgentInjector, error)

New creates a new instance of Agent by parsing all the Kubernetes annotations.

func (*AgentInjector) ContainerEnvVars

func (a *AgentInjector) ContainerEnvVars(init bool) ([]corev1.EnvVar, error)

ContainerEnvVars adds the applicable environment vars for the Vault Agent sidecar.

func (*AgentInjector) ContainerInitSidecar

func (a *AgentInjector) ContainerInitSidecar() (corev1.Container, error)

ContainerInitSidecar creates a new init container to be added to the pod being mutated. After Vault 1.4 is released, this can be removed because an exit_after_auth environment variable is available for the agent. This means we won't need to generate two config files.

func (*AgentInjector) ContainerVolumeMounts

func (a *AgentInjector) ContainerVolumeMounts() []corev1.VolumeMount

ContainerVolumeMounts mounts the shared memory volume where secrets will be rendered.

func (*AgentInjector) ContainerVolumes

func (a *AgentInjector) ContainerVolumes() []corev1.Volume

ContainerVolumes returns the volume data to add to the pod. These volumes are used for shared data between containers.

func (*AgentInjector) Patch

func (a *AgentInjector) Patch() ([]byte, error)

Patch creates the necessary pod patches to inject the Vault Agent containers.

func (*AgentInjector) Validate

func (a *AgentInjector) Validate() error

Validate checks the instance of Agent to ensure it has everything needed for basic functionality.

type AgentInjectorConfig

type AgentInjectorConfig struct {
	Image                  string
	AgentProviderName      string
	AgentProviderAWSRegion string
	LogLevel               string
	LogFormat              string
}

AgentInjectorConfig holds the injector settings (agent image, provider name, AWS region, log level and log format) that Init uses to configure a pod's annotations.

type Handler

type Handler struct {
	// RequireAnnotation means that the annotation must be given to inject.
	// If this is false, injection is default.
	RequireAnnotation bool
	Clientset         *kubernetes.Clientset
	Log               hclog.Logger
	InjectorConfig    *AgentInjectorConfig
}

Handler is the HTTP handler for admission webhooks.

func (*Handler) Handle

func (h *Handler) Handle(w http.ResponseWriter, r *http.Request)

Handle is the http.HandlerFunc implementation that actually handles the webhook request for admission control. This should be registered or served via an HTTP server.

func (*Handler) Mutate

Mutate takes an admission request and performs mutation if necessary, returning the final API response.
