Documentation ¶
Overview ¶
Package v1 contains API Schema definitions for the App v1 API group +groupName=app.kvdi.io
Package v1 contains API Schema definitions for the app v1 API group +kubebuilder:object:generate=true +groupName=app.kvdi.io
Index ¶
- Constants
- Variables
- type AppConfig
- type AuthConfig
- type DesktopsConfig
- type GrafanaConfig
- type K8SSecretConfig
- type LDAPConfig
- type LocalAuthConfig
- type MetricsConfig
- type OIDCConfig
- type PrometheusConfig
- type SecretsConfig
- type ServiceMonitorConfig
- type TLSConfig
- type UserdataSelector
- type UserdataSpec
- type VDICluster
- func (c *VDICluster) AllowNonGroupedReadOnly() bool
- func (c *VDICluster) AnonymousAllowed() bool
- func (c *VDICluster) AppIsUsingExternalServerTLS() bool
- func (c *VDICluster) AuditLogEnabled() bool
- func (c *VDICluster) AuthIsUsingSecretEngine() bool
- func (c *VDICluster) CreateAppServiceMonitor() bool
- func (c *VDICluster) CreatePrometheusCR() bool
- func (in *VDICluster) DeepCopy() *VDICluster
- func (in *VDICluster) DeepCopyInto(out *VDICluster)
- func (in *VDICluster) DeepCopyObject() runtime.Object
- func (c *VDICluster) EnableCORS() bool
- func (c *VDICluster) GetAdminRole() *rbacv1.VDIRole
- func (c *VDICluster) GetAdminSecret() string
- func (c *VDICluster) GetAppClientTLSNamespacedName() types.NamespacedName
- func (c *VDICluster) GetAppClientTLSSecretName() string
- func (c *VDICluster) GetAppImage() string
- func (c *VDICluster) GetAppName() string
- func (c *VDICluster) GetAppPullPolicy() corev1.PullPolicy
- func (c *VDICluster) GetAppReplicas() *int32
- func (c *VDICluster) GetAppResources() corev1.ResourceRequirements
- func (c *VDICluster) GetAppSecretsName() string
- func (c *VDICluster) GetAppSecurityContext() *corev1.PodSecurityContext
- func (c *VDICluster) GetAppServerTLSNamespacedName() types.NamespacedName
- func (c *VDICluster) GetAppServerTLSSecretName() string
- func (c *VDICluster) GetAppServiceType() corev1.ServiceType
- func (c *VDICluster) GetAuthK8sSecret() string
- func (c *VDICluster) GetCAName() string
- func (c *VDICluster) GetClusterDesktopsSelector() client.MatchingLabels
- func (c *VDICluster) GetComponentLabels(component string) map[string]string
- func (c *VDICluster) GetCoreNamespace() string
- func (c *VDICluster) GetLDAPAdminGroups() []string
- func (c *VDICluster) GetLDAPCA() ([]byte, error)
- func (c *VDICluster) GetLDAPDoUserStatusCheck() bool
- func (c *VDICluster) GetLDAPInsecureSkipVerify() bool
- func (c *VDICluster) GetLDAPPasswordKey() string
- func (c *VDICluster) GetLDAPSearchBase() string
- func (c *VDICluster) GetLDAPURL() string
- func (c *VDICluster) GetLDAPUserDNKey() string
- func (c *VDICluster) GetLDAPUserGroupsAttribute() string
- func (c *VDICluster) GetLDAPUserIDAttribute() string
- func (c *VDICluster) GetLDAPUserStatusAttribute() string
- func (c *VDICluster) GetLDAPUserStatusDisabledValue() string
- func (c *VDICluster) GetLaunchTemplatesRole() *rbacv1.VDIRole
- func (c *VDICluster) GetMaxSessionLength() time.Duration
- func (c *VDICluster) GetMaxSessionsPerUser() int
- func (c *VDICluster) GetOIDCAdminGroups() []string
- func (c *VDICluster) GetOIDCCA() ([]byte, error)
- func (c *VDICluster) GetOIDCClientIDKey() string
- func (c *VDICluster) GetOIDCClientSecretKey() string
- func (c *VDICluster) GetOIDCGroupScope() string
- func (c *VDICluster) GetOIDCInsecureSkipVerify() bool
- func (c *VDICluster) GetOIDCIssuerURL() string
- func (c *VDICluster) GetOIDCRedirectURL() string
- func (c *VDICluster) GetOIDCScopes() []string
- func (c *VDICluster) GetPrometheusName() string
- func (c *VDICluster) GetPrometheusResources() corev1.ResourceRequirements
- func (c *VDICluster) GetPullSecrets() []corev1.LocalObjectReference
- func (c *VDICluster) GetRoles(cl client.Client) ([]*rbacv1.VDIRole, error)
- func (c *VDICluster) GetSecretsBackend() string
- func (c *VDICluster) GetServiceAnnotations() map[string]string
- func (c *VDICluster) GetServiceMonitorLabels() map[string]string
- func (c *VDICluster) GetSignerName() string
- func (c *VDICluster) GetTokenDuration() time.Duration
- func (c *VDICluster) GetUserDesktopSelector(username string) map[string]string
- func (c *VDICluster) GetUserDesktopsSelector(username string) client.MatchingLabels
- func (c *VDICluster) GetUserdataSelector() *UserdataSelector
- func (c *VDICluster) GetUserdataVolumeMapName() types.NamespacedName
- func (c *VDICluster) GetUserdataVolumeName(username string) string
- func (c *VDICluster) GetUserdataVolumeSpec() *corev1.PersistentVolumeClaimSpec
- func (c *VDICluster) IsUsingLDAPAuth() bool
- func (c *VDICluster) IsUsingLDAPOverTLS() bool
- func (c *VDICluster) IsUsingLocalAuth() bool
- func (c *VDICluster) IsUsingOIDCAuth() bool
- func (c *VDICluster) NamespacedName() types.NamespacedName
- func (c *VDICluster) OwnerReferences() []metav1.OwnerReference
- func (c *VDICluster) PreserveOIDCTokens() bool
- func (c *VDICluster) RetainPVCs() bool
- func (c *VDICluster) RunAppGrafanaSidecar() bool
- type VDIClusterList
- type VDIClusterSpec
- type VDIClusterStatus
- type VaultConfig
Constants ¶
const (
	// SecretsBackendK8s represents using a kubernetes secret for secret storage.
	SecretsBackendK8s = "k8s"
	// SecretsBackendVault represents using vault for secret storage.
	SecretsBackendVault = "vault"
)
Variables ¶
var (
	// GroupVersion is the group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "app.kvdi.io", Version: "v1"}
	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type AppConfig ¶
// AppConfig represents app configurations for the VDI cluster.
type AppConfig struct {
	// The image to use for the app instances. Defaults to the public image
	// matching the version of the currently running manager.
	Image string `json:"image,omitempty"`
	// Whether to add CORS headers to API requests.
	CORSEnabled bool `json:"corsEnabled,omitempty"`
	// Whether to log auditing events to stdout. Keep this enabled wherever an
	// audit trail of API actions is required.
	AuditLog bool `json:"auditLog,omitempty"`
	// The number of app replicas to run.
	Replicas int32 `json:"replicas,omitempty"`
	// The type of service to create in front of the app instance.
	// Defaults to `LoadBalancer`, which on most providers exposes the
	// listener outside the cluster.
	ServiceType corev1.ServiceType `json:"serviceType,omitempty"`
	// Extra annotations to apply to the app service.
	ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
	// TLS configurations for the app instance.
	TLS *TLSConfig `json:"tls,omitempty"`
	// Resource requirements to place on the app pods.
	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
}
AppConfig represents app configurations for the VDI cluster
func (*AppConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppConfig.
func (*AppConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AuthConfig ¶
// AuthConfig holds authentication driver configurations. The goal is to
// support multiple backends, e.g. local, oauth, ldap.
type AuthConfig struct {
	// Allow anonymous users to create desktop instances. Anonymous users are
	// bound to the default role described by `defaultRoleRules`.
	AllowAnonymous bool `json:"allowAnonymous,omitempty"`
	// A secret where a generated admin password will be stored.
	AdminSecret string `json:"adminSecret,omitempty"`
	// How long issued access tokens should be valid for. When using OIDC auth
	// you may want to set this to a higher value (e.g. 8-10h) since the refresh token
	// flow will not be able to lookup a user's grants from the provider. Defaults to `15m`.
	TokenDuration string `json:"tokenDuration,omitempty"`
	// The rules to apply to the default role created for this cluster. These are the rules applied to
	// anonymous users (if allowed) and non-grouped OIDC users. They can also be used for convenience
	// when getting started. The defaults only allow for launching templates in the `appNamespace`.
	DefaultRoleRules []v1.Rule `json:"defaultRoleRules,omitempty"`
	// Use local auth (secret-backed) authentication.
	LocalAuth *LocalAuthConfig `json:"localAuth,omitempty"`
	// Use LDAP for authentication.
	LDAPAuth *LDAPConfig `json:"ldapAuth,omitempty"`
	// Use OIDC for authentication.
	OIDCAuth *OIDCConfig `json:"oidcAuth,omitempty"`
}
AuthConfig holds authentication driver configurations. The goal is to support multiple backends, e.g. local, oauth, ldap.
func (*AuthConfig) DeepCopy ¶
func (in *AuthConfig) DeepCopy() *AuthConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig.
func (*AuthConfig) DeepCopyInto ¶
func (in *AuthConfig) DeepCopyInto(out *AuthConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DesktopsConfig ¶
// DesktopsConfig represents global configurations for desktop sessions.
type DesktopsConfig struct {
	// When configured, desktop sessions will be forcefully terminated when
	// the time limit is reached.
	MaxSessionLength string `json:"maxSessionLength,omitempty"`
	// The maximum number of sessions a user can run at a time. A zero value (or undefined)
	// means no limit. When using a `userdataSpec`, you might want to set this value to 1 if
	// you aren't using ReadWriteMany volumes. The storage controller would inevitably enforce
	// this behavior anyway, but you would save the `kvdi-manager` some extra work.
	SessionsPerUser int `json:"sessionsPerUser,omitempty"`
}
DesktopsConfig represents global configurations for desktop sessions.
func (*DesktopsConfig) DeepCopy ¶
func (in *DesktopsConfig) DeepCopy() *DesktopsConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DesktopsConfig.
func (*DesktopsConfig) DeepCopyInto ¶
func (in *DesktopsConfig) DeepCopyInto(out *DesktopsConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GrafanaConfig ¶
// GrafanaConfig contains configuration options for the grafana sidecar.
type GrafanaConfig struct {
	// Set to true to run a grafana sidecar with the app pods. This can be used to visualize
	// data in the prometheus deployment.
	Enabled bool `json:"enabled,omitempty"`
}
GrafanaConfig contains configuration options for the grafana sidecar.
func (*GrafanaConfig) DeepCopy ¶
func (in *GrafanaConfig) DeepCopy() *GrafanaConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrafanaConfig.
func (*GrafanaConfig) DeepCopyInto ¶
func (in *GrafanaConfig) DeepCopyInto(out *GrafanaConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type K8SSecretConfig ¶
// K8SSecretConfig uses a Kubernetes secret to store and retrieve sensitive values.
type K8SSecretConfig struct {
	// The name of the secret backing the values. Default is `<cluster-name>-app-secrets`.
	SecretName string `json:"secretName,omitempty"`
}
K8SSecretConfig uses a Kubernetes secret to store and retrieve sensitive values.
func (*K8SSecretConfig) DeepCopy ¶
func (in *K8SSecretConfig) DeepCopy() *K8SSecretConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8SSecretConfig.
func (*K8SSecretConfig) DeepCopyInto ¶
func (in *K8SSecretConfig) DeepCopyInto(out *K8SSecretConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPConfig ¶
// LDAPConfig represents the configurations for using LDAP as the authentication backend.
type LDAPConfig struct {
	// The URL to the LDAP server.
	URL string `json:"url,omitempty"`
	// Set to true to skip TLS verification of an `ldaps` connection. This disables
	// server certificate checking for the connection that carries the bind
	// credentials; for servers signed by a private CA prefer setting `tlsCACert`.
	TLSInsecureSkipVerify bool `json:"tlsInsecureSkipVerify,omitempty"`
	// The base64 encoded CA certificate to use when verifying the TLS certificate of
	// the LDAP server.
	TLSCACert string `json:"tlsCACert,omitempty"`
	// If you want to use the built-in secrets backend (vault or k8s currently),
	// set this to either the name of the secret in the vault path (the key must be "data" for now), or the key of
	// the secret used in `secrets.k8sSecret.secretName`. In default configurations this is
	// `kvdi-app-secrets`. Defaults to `ldap-userdn`.
	BindUserDNSecretKey string `json:"bindUserDNSecretKey,omitempty"`
	// Similar to the `bindUserDNSecretKey`, but for the location of the password
	// secret. Defaults to `ldap-password`.
	BindPasswordSecretKey string `json:"bindPasswordSecretKey,omitempty"`
	// If you'd rather create a separate k8s secret (instead of the configured backend)
	// for the LDAP credentials, set its name here. The keys in the secret need to
	// be defined in the other fields still. Default is to use the secret backend.
	BindCredentialsSecret string `json:"bindCredentialsSecret,omitempty"`
	// Group DNs that are allowed administrator access to the cluster. Kubernetes
	// admins will still have the ability to change configurations via the CRDs.
	AdminGroups []string `json:"adminGroups,omitempty"`
	// The base scope to search for users in. Default is to search the entire
	// directory.
	UserSearchBase string `json:"userSearchBase,omitempty"`
	// The user ID attribute to use when looking up a provided username. Defaults to `uid`.
	// This value may be different depending on the LDAP provider. For example, in an Active Directory
	// environment you may want to set this value to `sAMAccountName`.
	UserIDAttribute string `json:"userIDAttribute,omitempty"`
	// The user attribute used to look up group membership in LDAP.
	// Defaults to `memberOf`.
	UserGroupsAttribute string `json:"userGroupsAttribute,omitempty"`
	// The user attribute to use when querying if an account is active. Defaults to `accountStatus`.
	// Only takes effect if `doStatusCheck` is `true`. A user is considered disabled when the attribute is
	// both present and matches the value in `userStatusDisabledValue`.
	UserStatusAttribute string `json:"userStatusAttribute,omitempty"`
	// The value for the `userStatusAttribute` that signifies that the user is disabled. Defaults to `inactive`.
	UserStatusDisabledValue string `json:"userStatusDisabledValue,omitempty"`
	// When set to true, the authentication provider will query the user's attributes for the `userStatusAttribute`
	// and make sure it does not match the value in `userStatusDisabledValue` before attempting to bind.
	DoStatusCheck bool `json:"doStatusCheck,omitempty"`
}
LDAPConfig represents the configurations for using LDAP as the authentication backend.
func (*LDAPConfig) DeepCopy ¶
func (in *LDAPConfig) DeepCopy() *LDAPConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPConfig.
func (*LDAPConfig) DeepCopyInto ¶
func (in *LDAPConfig) DeepCopyInto(out *LDAPConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*LDAPConfig) IsUndefined ¶
func (l *LDAPConfig) IsUndefined() bool
IsUndefined returns true if the given LDAPConfig object is not actually configured. It checks that required values are present.
type LocalAuthConfig ¶
// LocalAuthConfig represents a local, 'passwd'-like authentication driver.
// It currently carries no options; its presence selects the driver.
type LocalAuthConfig struct{}
LocalAuthConfig represents a local, 'passwd'-like authentication driver.
func (*LocalAuthConfig) DeepCopy ¶
func (in *LocalAuthConfig) DeepCopy() *LocalAuthConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalAuthConfig.
func (*LocalAuthConfig) DeepCopyInto ¶
func (in *LocalAuthConfig) DeepCopyInto(out *LocalAuthConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MetricsConfig ¶
// MetricsConfig contains configuration options for gathering metrics.
type MetricsConfig struct {
	// Configurations for creating a ServiceMonitor CR for a pre-existing
	// prometheus-operator installation.
	ServiceMonitor *ServiceMonitorConfig `json:"serviceMonitor,omitempty"`
	// Prometheus deployment configurations.
	Prometheus *PrometheusConfig `json:"prometheus,omitempty"`
	// Grafana sidecar configurations.
	Grafana *GrafanaConfig `json:"grafana,omitempty"`
}
MetricsConfig contains configuration options for gathering metrics.
func (*MetricsConfig) DeepCopy ¶
func (in *MetricsConfig) DeepCopy() *MetricsConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricsConfig.
func (*MetricsConfig) DeepCopyInto ¶
func (in *MetricsConfig) DeepCopyInto(out *MetricsConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCConfig ¶
// OIDCConfig represents configurations for using an OIDC/OAuth provider for authentication.
type OIDCConfig struct {
	// The OIDC issuer URL used for discovery.
	IssuerURL string `json:"issuerURL,omitempty"`
	// When using the built-in secrets backend, the key to where the client-id is
	// stored. Set this to either the name of the secret in the vault path (the key must be "data" for now),
	// or the key of the secret used in `secrets.k8sSecret.secretName`. When configuring `clientCredentialsSecret`,
	// set this to the key in that secret. Defaults to `oidc-clientid`.
	ClientIDKey string `json:"clientIDKey,omitempty"`
	// Similar to `clientIDKey`, but for the location of the client secret. Defaults
	// to `oidc-clientsecret`.
	ClientSecretKey string `json:"clientSecretKey,omitempty"`
	// When creating your own kubernetes secret with the `clientIDKey` and `clientSecretKey`,
	// set this to the name of the created secret. It must be in the same namespace
	// as the manager and app instances. Defaults to `oidc-clientsecret`.
	ClientCredentialsSecret string `json:"clientCredentialsSecret,omitempty"`
	// The redirect URL path configured in the OIDC provider. This should be the full
	// path where kvdi is hosted followed by `/api/login`. For example, if `kvdi` is
	// hosted at https://kvdi.local, then this value should be set `https://kvdi.local/api/login`.
	RedirectURL string `json:"redirectURL,omitempty"`
	// The scopes to request with the authentication request. Defaults to
	// `["openid", "email", "profile", "groups"]`.
	Scopes []string `json:"scopes,omitempty"`
	// If your OIDC provider does not return a `groups` object, set this to the user
	// attribute to use for binding authenticated users to VDIRoles. Defaults to `groups`.
	GroupScope string `json:"groupScope,omitempty"`
	// Groups that are allowed administrator access to the cluster. Kubernetes
	// admins will still have the ability to change rbac configurations via the CRDs.
	AdminGroups []string `json:"adminGroups,omitempty"`
	// Set to true to skip TLS verification of an OIDC provider. This disables
	// server certificate checking for the discovery and token exchanges; for
	// providers signed by a private CA prefer setting `tlsCACert`.
	TLSInsecureSkipVerify bool `json:"tlsInsecureSkipVerify,omitempty"`
	// The base64 encoded CA certificate to use when verifying the TLS certificate of
	// the OIDC provider.
	TLSCACert string `json:"tlsCACert,omitempty"`
	// Set to true if the OIDC provider does not support the "groups" claim (or any
	// valid alternative) and/or you would like to allow any authenticated user
	// read-only access.
	AllowNonGroupedReadOnly bool `json:"allowNonGroupedReadOnly,omitempty"`
	// The access tokens returned by the OIDC provider are usually discarded after identity information
	// is retrieved from them. If you set this to true, these fields will be available for mapping in
	// desktops at the following paths:
	//
	//   - `{{ .Session.Data.access_token }}`
	//   - `{{ .Session.Data.token_type }}`
	//   - `{{ .Session.Data.refresh_token }}`
	//   - `{{ .Session.Data.expiry }}`
	//
	// **NOTE:** This should be considered an insecure option and only turned on taking into account
	// the inherent risks. If the access token used for authorizing actions against the kvdi API gets compromised,
	// it would be relatively easy for the attacker to extract this information from the token and use it for
	// authenticating against third-party resources. Additionally, when mapping these values to desktops, they will
	// be stored temporarily in Kubernetes Secrets. The security of those secrets depends highly on your Kubernetes
	// RBAC setup and who has access to secrets in the namespace where the Desktop is. So in short, it would be wise to
	// only use this setting in trusted environments where access to the necessary kubernetes APIs is only available to
	// a select group of administrators, and the risk of the user using a compromised browser is minimal.
	PreserveTokens bool `json:"preserveTokens,omitempty"`
}
OIDCConfig represents configurations for using an OIDC/OAuth provider for authentication.
func (*OIDCConfig) DeepCopy ¶
func (in *OIDCConfig) DeepCopy() *OIDCConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCConfig.
func (*OIDCConfig) DeepCopyInto ¶
func (in *OIDCConfig) DeepCopyInto(out *OIDCConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCConfig) IsUndefined ¶
func (o *OIDCConfig) IsUndefined() bool
IsUndefined returns true if the given OIDCConfig object is not actually configured. It checks that required values are present.
type PrometheusConfig ¶
// PrometheusConfig contains configuration options for a prometheus deployment.
type PrometheusConfig struct {
	// Set to true to create a prometheus instance.
	Create bool `json:"create,omitempty"`
	// Resource requirements to place on the Prometheus deployment.
	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
}
PrometheusConfig contains configuration options for a prometheus deployment.
func (*PrometheusConfig) DeepCopy ¶
func (in *PrometheusConfig) DeepCopy() *PrometheusConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusConfig.
func (*PrometheusConfig) DeepCopyInto ¶
func (in *PrometheusConfig) DeepCopyInto(out *PrometheusConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecretsConfig ¶
// SecretsConfig configures the backend for secrets management.
type SecretsConfig struct {
	// Use a kubernetes secret for storing sensitive values. If no other configuration is provided
	// then this is the fallback.
	K8SSecret *K8SSecretConfig `json:"k8sSecret,omitempty"`
	// Use vault for storing sensitive values. Requires kubernetes service account
	// authentication.
	Vault *VaultConfig `json:"vault,omitempty"`
}
SecretsConfig configures the backend for secrets management.
func (*SecretsConfig) DeepCopy ¶
func (in *SecretsConfig) DeepCopy() *SecretsConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsConfig.
func (*SecretsConfig) DeepCopyInto ¶
func (in *SecretsConfig) DeepCopyInto(out *SecretsConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ServiceMonitorConfig ¶
// ServiceMonitorConfig contains configuration options for creating a ServiceMonitor.
type ServiceMonitorConfig struct {
	// Set to true to create a ServiceMonitor object for the kvdi metrics.
	Create bool `json:"create,omitempty"`
	// Extra labels to apply to the ServiceMonitor object. Set these to the selector
	// in your prometheus-operator configuration (usually `{"release": "<helm_release_name>"}`).
	// Defaults to `{"release": "prometheus"}`.
	Labels map[string]string `json:"labels,omitempty"`
}
ServiceMonitorConfig contains configuration options for creating a ServiceMonitor.
func (*ServiceMonitorConfig) DeepCopy ¶
func (in *ServiceMonitorConfig) DeepCopy() *ServiceMonitorConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceMonitorConfig.
func (*ServiceMonitorConfig) DeepCopyInto ¶
func (in *ServiceMonitorConfig) DeepCopyInto(out *ServiceMonitorConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLSConfig ¶
// TLSConfig contains TLS configurations for kVDI.
type TLSConfig struct {
	// A pre-existing TLS secret to use for the HTTPS listener. If not defined,
	// a certificate is generated.
	ServerSecret string `json:"serverSecret,omitempty"`
}
TLSConfig contains TLS configurations for kVDI.
func (*TLSConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
func (*TLSConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UserdataSelector ¶
// UserdataSelector represents a means for selecting pre-existing userdata PVCs
// based off a label or name match. Note that you will need to restrict templates
// to launching in namespaces that contain the PVCs yourself.
type UserdataSelector struct {
	// MatchName is a pattern to match for the name of the PVC. The string ${USERNAME} will be
	// replaced in the pattern with the actual username when searching for the volume. Note, this
	// will only work if usernames are DNS compliant.
	MatchName string `json:"matchName,omitempty"`
	// MatchLabel is a label **key** to use to select a PVC for the user. The value in the
	// selector will be the name of the user launching the session. Use this if your usernames
	// may not always be DNS compliant.
	MatchLabel string `json:"matchLabel,omitempty"`
}
UserdataSelector represents a means for selecting pre-existing userdata PVCs based off a label or name match. Note that you will need to restrict templates to launching in namespaces that contain the PVCs yourself.
func (*UserdataSelector) DeepCopy ¶
func (in *UserdataSelector) DeepCopy() *UserdataSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserdataSelector.
func (*UserdataSelector) DeepCopyInto ¶
func (in *UserdataSelector) DeepCopyInto(out *UserdataSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*UserdataSelector) IsValid ¶
func (u *UserdataSelector) IsValid() bool
IsValid returns true if this is a usable selector.
type UserdataSpec ¶ added in v0.3.6
// UserdataSpec is an inline of the corev1 PersistentVolumeClaimSpec. It contains
// additional fields for controlling how kvdi works with volumes.
type UserdataSpec struct {
	// The embedded claim spec is serialized inline, so its fields appear at the
	// same level as the ones declared here.
	*corev1.PersistentVolumeClaimSpec `json:",inline"`
	// RetainPVCs tells the desktop controller to leave PVCs intact after they
	// are allocated for a user. The default behavior is to free the volume from
	// the PVC after each desktop session so it can be used across other namespaces.
	// Note that if you set this value to `true` users will only be able to launch
	// sessions in a single namespace (unless the PVC is manually removed).
	RetainPVCs bool `json:"retainPVCs,omitempty"`
}
UserdataSpec is an inline of the corev1 PersistentVolumeClaimSpec. It contains additional fields for controlling how kvdi works with volumes.
func (*UserdataSpec) DeepCopy ¶ added in v0.3.6
func (in *UserdataSpec) DeepCopy() *UserdataSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserdataSpec.
func (*UserdataSpec) DeepCopyInto ¶ added in v0.3.6
func (in *UserdataSpec) DeepCopyInto(out *UserdataSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VDICluster ¶
// VDICluster is the Schema for the vdiclusters API.
type VDICluster struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired configuration of the cluster.
	Spec VDIClusterSpec `json:"spec,omitempty"`
	// Status is the observed state of the cluster.
	Status VDIClusterStatus `json:"status,omitempty"`
}
VDICluster is the Schema for the vdiclusters API
func (*VDICluster) AllowNonGroupedReadOnly ¶
func (c *VDICluster) AllowNonGroupedReadOnly() bool
AllowNonGroupedReadOnly returns true if non-grouped users from the OpenID provider should be allowed read-only access to kVDI.
func (*VDICluster) AnonymousAllowed ¶
func (c *VDICluster) AnonymousAllowed() bool
AnonymousAllowed returns true if anonymous users are allowed to interact with this cluster.
func (*VDICluster) AppIsUsingExternalServerTLS ¶
func (c *VDICluster) AppIsUsingExternalServerTLS() bool
AppIsUsingExternalServerTLS returns true if the app server certificate is user-supplied.
func (*VDICluster) AuditLogEnabled ¶
func (c *VDICluster) AuditLogEnabled() bool
AuditLogEnabled returns true if auditing events should be logged to stdout.
func (*VDICluster) AuthIsUsingSecretEngine ¶
func (c *VDICluster) AuthIsUsingSecretEngine() bool
AuthIsUsingSecretEngine returns true if the secrets for the configured auth backend are using the built-in secrets engine and not a separate kubernetes secret.
func (*VDICluster) CreateAppServiceMonitor ¶
func (c *VDICluster) CreateAppServiceMonitor() bool
CreateAppServiceMonitor returns true if the cluster specifies to create a ServiceMonitor.
func (*VDICluster) CreatePrometheusCR ¶
func (c *VDICluster) CreatePrometheusCR() bool
CreatePrometheusCR returns true if the cluster specifies to create a Prometheus CR.
func (*VDICluster) DeepCopy ¶
func (in *VDICluster) DeepCopy() *VDICluster
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDICluster.
func (*VDICluster) DeepCopyInto ¶
func (in *VDICluster) DeepCopyInto(out *VDICluster)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VDICluster) DeepCopyObject ¶
func (in *VDICluster) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*VDICluster) EnableCORS ¶
func (c *VDICluster) EnableCORS() bool
EnableCORS returns true if CORS headers should be included in responses from the app server.
func (*VDICluster) GetAdminRole ¶
func (c *VDICluster) GetAdminRole() *rbacv1.VDIRole
GetAdminRole returns an admin role for this VDICluster.
func (*VDICluster) GetAdminSecret ¶
func (c *VDICluster) GetAdminSecret() string
GetAdminSecret returns the name of the secret for storing the admin password.
func (*VDICluster) GetAppClientTLSNamespacedName ¶
func (c *VDICluster) GetAppClientTLSNamespacedName() types.NamespacedName
GetAppClientTLSNamespacedName returns the namespaced name for the client TLS certificate.
func (*VDICluster) GetAppClientTLSSecretName ¶
func (c *VDICluster) GetAppClientTLSSecretName() string
GetAppClientTLSSecretName returns the name of the client TLS secret for the app.
func (*VDICluster) GetAppImage ¶
func (c *VDICluster) GetAppImage() string
GetAppImage returns the image to use for the app deployment.
func (*VDICluster) GetAppName ¶
func (c *VDICluster) GetAppName() string
GetAppName returns the name of the kVDI app deployment for this VDICluster.
func (*VDICluster) GetAppPullPolicy ¶
func (c *VDICluster) GetAppPullPolicy() corev1.PullPolicy
GetAppPullPolicy returns the ImagePullPolicy to use for the app deployment.
func (*VDICluster) GetAppReplicas ¶
func (c *VDICluster) GetAppReplicas() *int32
GetAppReplicas returns the number of app replicas to run in this VDICluster. TODO: auto-scaling?
func (*VDICluster) GetAppResources ¶
func (c *VDICluster) GetAppResources() corev1.ResourceRequirements
GetAppResources returns the resource requirements for the app deployments.
func (*VDICluster) GetAppSecretsName ¶
func (c *VDICluster) GetAppSecretsName() string
GetAppSecretsName returns the name of the secret to use for app secrets.
func (*VDICluster) GetAppSecurityContext ¶
func (c *VDICluster) GetAppSecurityContext() *corev1.PodSecurityContext
GetAppSecurityContext returns the pod security context for the app deployment.
func (*VDICluster) GetAppServerTLSNamespacedName ¶
func (c *VDICluster) GetAppServerTLSNamespacedName() types.NamespacedName
GetAppServerTLSNamespacedName returns the namespaced name for the server TLS certificate.
func (*VDICluster) GetAppServerTLSSecretName ¶
func (c *VDICluster) GetAppServerTLSSecretName() string
GetAppServerTLSSecretName returns the name of the server TLS secret for the app.
func (*VDICluster) GetAppServiceType ¶
func (c *VDICluster) GetAppServiceType() corev1.ServiceType
GetAppServiceType returns the type of service to create in front of the app pods.
func (*VDICluster) GetAuthK8sSecret ¶
func (c *VDICluster) GetAuthK8sSecret() string
GetAuthK8sSecret returns the name of the k8s auth secret. For safety it falls back to the name of the app secret; however, the caller should only be using this function when they know the built-in secrets backend is not in use.
func (*VDICluster) GetCAName ¶
func (c *VDICluster) GetCAName() string
GetCAName returns the name of the CA certificate for the VDICluster.
func (*VDICluster) GetClusterDesktopsSelector ¶
func (c *VDICluster) GetClusterDesktopsSelector() client.MatchingLabels
GetClusterDesktopsSelector gets the label selector for looking up all desktops owned by this VDICluster.
func (*VDICluster) GetComponentLabels ¶
func (c *VDICluster) GetComponentLabels(component string) map[string]string
GetComponentLabels returns the labels to apply to a given kVDI component.
func (*VDICluster) GetCoreNamespace ¶
func (c *VDICluster) GetCoreNamespace() string
GetCoreNamespace returns the namespace where kVDI components should be created.
func (*VDICluster) GetLDAPAdminGroups ¶
func (c *VDICluster) GetLDAPAdminGroups() []string
GetLDAPAdminGroups returns the list of groups in LDAP that should be bound to the kvdi-admin role.
func (*VDICluster) GetLDAPCA ¶
func (c *VDICluster) GetLDAPCA() ([]byte, error)
GetLDAPCA returns the CA certificate to use when verifying the LDAPS server certificate. The configured result is base64 decoded and sent back to the caller.
func (*VDICluster) GetLDAPDoUserStatusCheck ¶
func (c *VDICluster) GetLDAPDoUserStatusCheck() bool
GetLDAPDoUserStatusCheck returns whether the account status check should be performed during user authentication.
func (*VDICluster) GetLDAPInsecureSkipVerify ¶
func (c *VDICluster) GetLDAPInsecureSkipVerify() bool
GetLDAPInsecureSkipVerify returns whether TLS certificate verification should be skipped for the LDAPS connection.
func (*VDICluster) GetLDAPPasswordKey ¶
func (c *VDICluster) GetLDAPPasswordKey() string
GetLDAPPasswordKey returns the key in the secret where the bind password can be retrieved.
func (*VDICluster) GetLDAPSearchBase ¶
func (c *VDICluster) GetLDAPSearchBase() string
GetLDAPSearchBase returns the base DN to use when querying users from LDAP.
func (*VDICluster) GetLDAPURL ¶
func (c *VDICluster) GetLDAPURL() string
GetLDAPURL returns the full URL to the configured LDAP server.
func (*VDICluster) GetLDAPUserDNKey ¶
func (c *VDICluster) GetLDAPUserDNKey() string
GetLDAPUserDNKey returns the key in the secret where the bind DN can be retrieved.
func (*VDICluster) GetLDAPUserGroupsAttribute ¶
func (c *VDICluster) GetLDAPUserGroupsAttribute() string
GetLDAPUserGroupsAttribute returns the user attribute to use when querying user groups.
func (*VDICluster) GetLDAPUserIDAttribute ¶
func (c *VDICluster) GetLDAPUserIDAttribute() string
GetLDAPUserIDAttribute returns the user attribute to use when querying user IDs.
func (*VDICluster) GetLDAPUserStatusAttribute ¶
func (c *VDICluster) GetLDAPUserStatusAttribute() string
GetLDAPUserStatusAttribute returns the user attribute to use when querying account status.
func (*VDICluster) GetLDAPUserStatusDisabledValue ¶
func (c *VDICluster) GetLDAPUserStatusDisabledValue() string
GetLDAPUserStatusDisabledValue returns the value to match that means the user is disabled.
func (*VDICluster) GetLaunchTemplatesRole ¶
func (c *VDICluster) GetLaunchTemplatesRole() *rbacv1.VDIRole
GetLaunchTemplatesRole returns a launch-templates role for a cluster. A role like this is created for every cluster for convenience. It is the default role applied to anonymous users, and for non-grouped OIDC users.
func (*VDICluster) GetMaxSessionLength ¶
func (c *VDICluster) GetMaxSessionLength() time.Duration
GetMaxSessionLength returns the duration to wait to kill a desktop pod. If the duration is not parseable or unconfigured, 0 is returned.
func (*VDICluster) GetMaxSessionsPerUser ¶
func (c *VDICluster) GetMaxSessionsPerUser() int
GetMaxSessionsPerUser returns the maximum number of sessions a user can run for this VDICluster.
func (*VDICluster) GetOIDCAdminGroups ¶
func (c *VDICluster) GetOIDCAdminGroups() []string
GetOIDCAdminGroups returns the values in the groups claim that will map to administrator access.
func (*VDICluster) GetOIDCCA ¶
func (c *VDICluster) GetOIDCCA() ([]byte, error)
GetOIDCCA returns the CA certificate to use when verifying the OIDC provider certificate. The value is base64 decoded and returned to the caller.
func (*VDICluster) GetOIDCClientIDKey ¶
func (c *VDICluster) GetOIDCClientIDKey() string
GetOIDCClientIDKey returns the key in the secret where the client ID can be retrieved.
func (*VDICluster) GetOIDCClientSecretKey ¶
func (c *VDICluster) GetOIDCClientSecretKey() string
GetOIDCClientSecretKey returns the key in the secret where client secret can be retrieved.
func (*VDICluster) GetOIDCGroupScope ¶
func (c *VDICluster) GetOIDCGroupScope() string
GetOIDCGroupScope returns the scope to use for matching a user's groups to VDI roles.
func (*VDICluster) GetOIDCInsecureSkipVerify ¶
func (c *VDICluster) GetOIDCInsecureSkipVerify() bool
GetOIDCInsecureSkipVerify returns whether verification of the OIDC provider's TLS certificate should be skipped.
func (*VDICluster) GetOIDCIssuerURL ¶
func (c *VDICluster) GetOIDCIssuerURL() string
GetOIDCIssuerURL returns the OIDC issuer URL, or an empty string (which will cause an error when used).
func (*VDICluster) GetOIDCRedirectURL ¶
func (c *VDICluster) GetOIDCRedirectURL() string
GetOIDCRedirectURL returns the URL that the OIDC provider should redirect to after a successful authentication.
func (*VDICluster) GetOIDCScopes ¶
func (c *VDICluster) GetOIDCScopes() []string
GetOIDCScopes returns the list of scopes to request from the OpenID provider.
func (*VDICluster) GetPrometheusName ¶
func (c *VDICluster) GetPrometheusName() string
GetPrometheusName returns the name of the kVDI prometheus deployment for this VDICluster.
func (*VDICluster) GetPrometheusResources ¶
func (c *VDICluster) GetPrometheusResources() corev1.ResourceRequirements
GetPrometheusResources returns the resource requirements to place on the Prometheus deployment.
func (*VDICluster) GetPullSecrets ¶
func (c *VDICluster) GetPullSecrets() []corev1.LocalObjectReference
GetPullSecrets returns any pull secrets required for pulling images.
func (*VDICluster) GetRoles ¶
GetRoles returns a list of all the VDIRoles that apply to this cluster instance. Note that the roles are trimmed of extra metadata before returning.
func (*VDICluster) GetSecretsBackend ¶
func (c *VDICluster) GetSecretsBackend() string
GetSecretsBackend returns the type of secrets backend this VDICluster is using.
func (*VDICluster) GetServiceAnnotations ¶
func (c *VDICluster) GetServiceAnnotations() map[string]string
GetServiceAnnotations returns the annotations to apply to the kvdi app service.
func (*VDICluster) GetServiceMonitorLabels ¶
func (c *VDICluster) GetServiceMonitorLabels() map[string]string
GetServiceMonitorLabels returns the labels to apply to the ServiceMonitor object.
func (*VDICluster) GetSignerName ¶
func (c *VDICluster) GetSignerName() string
GetSignerName returns the name of the signing certificate for the VDICluster.
func (*VDICluster) GetTokenDuration ¶
func (c *VDICluster) GetTokenDuration() time.Duration
GetTokenDuration returns the duration for which a new token should live. If the configured duration cannot be parsed, the default is returned.
func (*VDICluster) GetUserDesktopSelector ¶
func (c *VDICluster) GetUserDesktopSelector(username string) map[string]string
GetUserDesktopSelector returns a selector that can be used to find desktops for a given user.
func (*VDICluster) GetUserDesktopsSelector ¶
func (c *VDICluster) GetUserDesktopsSelector(username string) client.MatchingLabels
GetUserDesktopsSelector gets the label selector to use for looking up a user's desktop sessions.
func (*VDICluster) GetUserdataSelector ¶
func (c *VDICluster) GetUserdataSelector() *UserdataSelector
GetUserdataSelector returns the selector to use for locating PVCs for a user's $HOME.
func (*VDICluster) GetUserdataVolumeMapName ¶
func (c *VDICluster) GetUserdataVolumeMapName() types.NamespacedName
GetUserdataVolumeMapName returns the name of the configmap where users are mapped to PVs.
func (*VDICluster) GetUserdataVolumeName ¶
func (c *VDICluster) GetUserdataVolumeName(username string) string
GetUserdataVolumeName returns the name of the userdata volume for the given user.
func (*VDICluster) GetUserdataVolumeSpec ¶
func (c *VDICluster) GetUserdataVolumeSpec() *corev1.PersistentVolumeClaimSpec
GetUserdataVolumeSpec returns the spec for creating PVCs for user persistence.
func (*VDICluster) IsUsingLDAPAuth ¶
func (c *VDICluster) IsUsingLDAPAuth() bool
IsUsingLDAPAuth returns true if the cluster is using the ldap authentication driver.
func (*VDICluster) IsUsingLDAPOverTLS ¶
func (c *VDICluster) IsUsingLDAPOverTLS() bool
IsUsingLDAPOverTLS returns true if the configured LDAP server is using TLS.
func (*VDICluster) IsUsingLocalAuth ¶
func (c *VDICluster) IsUsingLocalAuth() bool
IsUsingLocalAuth returns true if the cluster is using the local authentication driver. This function and the API should be refactored to just return true if no other options are defined.
func (*VDICluster) IsUsingOIDCAuth ¶
func (c *VDICluster) IsUsingOIDCAuth() bool
IsUsingOIDCAuth returns true if the cluster is using the oidc authentication driver.
func (*VDICluster) NamespacedName ¶
func (c *VDICluster) NamespacedName() types.NamespacedName
NamespacedName returns the NamespacedName of this VDICluster.
func (*VDICluster) OwnerReferences ¶
func (c *VDICluster) OwnerReferences() []metav1.OwnerReference
OwnerReferences returns an owner reference slice with this VDICluster instance as the owner.
func (*VDICluster) PreserveOIDCTokens ¶
func (c *VDICluster) PreserveOIDCTokens() bool
PreserveOIDCTokens returns whether OIDC tokens should be preserved and stored in the kvdi claims for the user.
func (*VDICluster) RetainPVCs ¶ added in v0.3.6
func (c *VDICluster) RetainPVCs() bool
RetainPVCs returns whether userdata PVCs should be retained across sessions.
func (*VDICluster) RunAppGrafanaSidecar ¶
func (c *VDICluster) RunAppGrafanaSidecar() bool
RunAppGrafanaSidecar returns true if a Grafana sidecar should be run alongside the app containers for displaying metrics in the UI.
type VDIClusterList ¶
// VDIClusterList contains a list of VDICluster objects, as returned by a
// list request against the app.kvdi.io API group.
type VDIClusterList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the VDICluster objects in this list.
	Items []VDICluster `json:"items"`
}
VDIClusterList contains a list of VDICluster objects.
func (*VDIClusterList) DeepCopy ¶
func (in *VDIClusterList) DeepCopy() *VDIClusterList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIClusterList.
func (*VDIClusterList) DeepCopyInto ¶
func (in *VDIClusterList) DeepCopyInto(out *VDIClusterList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VDIClusterList) DeepCopyObject ¶
func (in *VDIClusterList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type VDIClusterSpec ¶
// VDIClusterSpec defines the desired state of a VDICluster.
type VDIClusterSpec struct {
	// The namespace to provision application resources in. Defaults to the `default`
	// namespace.
	AppNamespace string `json:"appNamespace,omitempty"`
	// Pull secrets to use when pulling container images.
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
	// The configuration for user $HOME volumes to be managed by kVDI.
	//
	// **NOTE:** Even though the controller will try to force the reclaim policy on
	// created volumes to `Retain`, you may want to set it explicitly on your storage-class
	// controller as an extra safeguard.
	UserdataSpec *UserdataSpec `json:"userdataSpec,omitempty"`
	// A configuration for selecting pre-existing PVCs to use as the $HOME directory for
	// sessions. This configuration takes precedence over `userdataSpec` when both are set.
	UserdataSelector *UserdataSelector `json:"userdataSelector,omitempty"`
	// App configurations.
	App *AppConfig `json:"app,omitempty"`
	// Authentication configurations.
	Auth *AuthConfig `json:"auth,omitempty"`
	// Global desktop configurations.
	Desktops *DesktopsConfig `json:"desktops,omitempty"`
	// Secrets backend configurations.
	Secrets *SecretsConfig `json:"secrets,omitempty"`
	// Metrics configurations.
	Metrics *MetricsConfig `json:"metrics,omitempty"`
}
VDIClusterSpec defines the desired state of VDICluster
func (*VDIClusterSpec) DeepCopy ¶
func (in *VDIClusterSpec) DeepCopy() *VDIClusterSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIClusterSpec.
func (*VDIClusterSpec) DeepCopyInto ¶
func (in *VDIClusterSpec) DeepCopyInto(out *VDIClusterSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VDIClusterStatus ¶
// VDIClusterStatus defines the observed state of a VDICluster. It currently
// carries no fields.
type VDIClusterStatus struct{}
VDIClusterStatus defines the observed state of VDICluster
func (*VDIClusterStatus) DeepCopy ¶
func (in *VDIClusterStatus) DeepCopy() *VDIClusterStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VDIClusterStatus.
func (*VDIClusterStatus) DeepCopyInto ¶
func (in *VDIClusterStatus) DeepCopyInto(out *VDIClusterStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type VaultConfig ¶
// VaultConfig represents the configurations for connecting to a vault server.
type VaultConfig struct {
	// The full URL to the vault server. Same as the `VAULT_ADDR` variable.
	Address string `json:"address,omitempty"`
	// The base64 encoded CA certificate for verifying the vault server certificate.
	// Use this, rather than `insecure`, when the vault server uses a private CA.
	CACertBase64 string `json:"caCertBase64,omitempty"`
	// Set to true to disable TLS verification. Disabling verification leaves the
	// vault token and any secrets exchanged on the connection open to interception;
	// prefer supplying `caCertBase64` instead.
	Insecure bool `json:"insecure,omitempty"`
	// Optionally set the SNI when connecting using HTTPS.
	TLSServerName string `json:"tlsServerName,omitempty"`
	// The auth role to assume when authenticating against vault. Defaults to `kvdi`.
	AuthRole string `json:"authRole,omitempty"`
	// The base path to store secrets in vault. "Keys" for other configurations in the
	// context of the vault backend can be put at `<secretsPath>/<secretKey>.data`. This
	// will change in the future to support keys inside the secret itself, instead of assuming
	// `data`.
	SecretsPath string `json:"secretsPath,omitempty"`
}
VaultConfig represents the configurations for connecting to a vault server.
func (*VaultConfig) DeepCopy ¶
func (in *VaultConfig) DeepCopy() *VaultConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultConfig.
func (*VaultConfig) DeepCopyInto ¶
func (in *VaultConfig) DeepCopyInto(out *VaultConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*VaultConfig) GetAuthRole ¶
func (v *VaultConfig) GetAuthRole() string
GetAuthRole returns the auth role to use when connecting to a vault server.
func (*VaultConfig) GetSecretsPath ¶
func (v *VaultConfig) GetSecretsPath() string
GetSecretsPath returns the path in vault to use for storing and retrieving secrets.
func (*VaultConfig) IsUndefined ¶
func (v *VaultConfig) IsUndefined() bool
IsUndefined returns true if the given VaultConfig object is not actually configured, i.e. one or more of the required values are missing.
Source Files ¶
- auth_ldap_util.go
- auth_oidc_util.go
- doc.go
- groupversion_info.go
- vdicluster_app_util.go
- vdicluster_auth_util.go
- vdicluster_common_util.go
- vdicluster_desktop_util.go
- vdicluster_metrics_util.go
- vdicluster_pki_util.go
- vdicluster_roles_util.go
- vdicluster_secrets_util.go
- vdicluster_types.go
- zz_generated.deepcopy.go