k8scfg

package
v0.0.0-...-ee44553
Published: Dec 27, 2023 License: MIT Imports: 20 Imported by: 0

Documentation

Constants

const (
	AnnotationRotationEnabled   = "qubling.cloud/key-rotation"
	AnnotationIAMUser           = "iam.amazonaws.com/user"
	AnnotationManagedSecretName = "qubling.cloud/managed-secret-name"

	AnnotationValueRotationEnabled = "perform"
)
const TrashDir = "TRASH"

Variables

var AccessKeyLifetime = 30 * 24 * time.Hour
var ErrSecret = errors.New("SKIP SECRET")
var PhasePrefixes = []string{"storageclass", "namespace", "addon"} // phases that need to run first in this order

Functions

func ConfigFiles

func ConfigFiles(
	cloudHome,
	kubeDir string,
	excludeMatches []string,
	match string,
	remove bool,
) ([]string, error)

ConfigFiles returns the names of all the Kubernetes configuration files that match the given glob pattern.

func ProcessResourceFile

func ProcessResourceFile(
	ctx context.Context,
	tools Tools,
	config string,
	skipSecrets bool,
) ([]k8scfg.Resource, error)

ProcessResourceFile reads the contents of the named resource file and breaks it into individual resources. Each is templated and rewritten, and the result is returned as a slice of Resource objects, each of which contains the parsed resource and any other options.

Returns an error if any of this fails.

func RewriteConfigFile

func RewriteConfigFile(
	ctx context.Context,
	tools Tools,
	data string,
	resourceOpt k8scfg.ResourceOptions,
	rewriters []RewriteRoutine,
	rewriteOpt *RewriteOptions,
) ([]k8scfg.Resource, error)

RewriteConfigFile applies rewrite routines to the configuration file. The configuration file is parsed into the generic unstructured.Unstructured format and passed to each handler in turn to be processed. Each processor returns at least one object (possibly more, if the object needs to generate additional objects in the process), and those objects are passed on to the next rewrite routine until every rewrite routine has processed them. This means later routines may run against more than one object per original object.

If any rewrite routine returns an error, the process is immediately halted and only an error is returned.

If all rewrite routines succeed, the results are serialized back into YAML for further processing.
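The fan-out and halt-on-error behaviour described above, as an added example that is not the package's own code: a minimal Resource stands in for unstructured.Unstructured, and the two routines and their names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"strings"
)

// Resource stands in for unstructured.Unstructured (assumption): just a kind and a name.
type Resource struct{ Kind, Name string }

// RewriteRoutine has the shape the docs describe: one object in, one or more out, or an error.
type RewriteRoutine func(Resource) ([]Resource, error)

// RewriteAll runs every routine in turn over the whole working set. Whatever routine i
// returns (possibly several objects per input) is the input set of routine i+1, which is
// why a later routine may run against more than one object per original object.
func RewriteAll(in []Resource, routines []RewriteRoutine) ([]Resource, error) {
	current := in
	for _, routine := range routines {
		var next []Resource
		for _, r := range current {
			out, err := routine(r)
			if err != nil {
				return nil, err // halt immediately; only the error is returned
			}
			next = append(next, out...)
		}
		current = next
	}
	return current, nil
}

// addManagedSecret (constructed) emits a companion Secret for every Deployment and
// refuses a nameless object, which exercises the halt-on-error path.
func addManagedSecret(r Resource) ([]Resource, error) {
	if r.Name == "" {
		return nil, errors.New("resource without a name")
	}
	if r.Kind != "Deployment" {
		return []Resource{r}, nil
	}
	return []Resource{r, {Kind: "Secret", Name: r.Name + "-creds"}}, nil
}

// lowercaseNames (constructed) runs once per object, including any generated Secret.
func lowercaseNames(r Resource) ([]Resource, error) {
	r.Name = strings.ToLower(r.Name)
	return []Resource{r}, nil
}
```

With the two routines in that order, one Deployment yields two objects and the second routine runs against both of them.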

func RewriteCronJobAuth

func RewriteCronJobAuth(
	ctx context.Context,
	tools Tools,
	rin k8scfg.Resource,
	opt *RewriteOptions,
) ([]k8scfg.ProcessedResource, error)

RewriteCronJobAuth is a RewriteRoutine which looks for the iam.amazonaws.com/user annotation in cronjobs. When found, it looks up that user, checks the status of the managed secret that tracks the user's access key information, and refreshes that status if needed.

The managed secret either has the name qubling.cloud/managed-secret-name (if present as an annotation on the cronjob) or the name of the user is used as the secret name.

If the associated secret does not exist, an access key is generated, the secret is deployed, and the cronjob is marked for restart.

If the associated secret has an access key that differs from the most recent access key for the IAM user, the access key is rotated, the secret is updated, and the cronjob is marked for restart.

If the key associated with the user is older than AccessKeyLifetime, then the access key for the IAM user is rotated, the secret is updated, and the cronjob is marked for restart.

In all cases where the iam.amazonaws.com/user annotation is set, the environment for each container in the cronjob's pod template is updated to include an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY that refer to those values in the managed secret.

func RewriteDeploymentAuth

func RewriteDeploymentAuth(
	ctx context.Context,
	tools Tools,
	rin k8scfg.Resource,
	opt *RewriteOptions,
) ([]k8scfg.ProcessedResource, error)

RewriteDeploymentAuth is a RewriteRoutine which looks for the iam.amazonaws.com/user annotation in deployments. When found, it looks up that user, checks the status of the managed secret that tracks the user's access key information, and refreshes that status if needed.

The managed secret either has the name qubling.cloud/managed-secret-name (if present as an annotation on the deployment) or the name of the user is used as the secret name.

If the associated secret does not exist, an access key is generated, the secret is deployed, and the deployment is marked for restart.

If the associated secret has an access key that differs from the most recent access key for the IAM user, the access key is rotated, the secret is updated, and the deployment is marked for restart.

If the key associated with the user is older than AccessKeyLifetime, then the access key for the IAM user is rotated, the secret is updated, and the deployment is marked for restart.

In all cases where the iam.amazonaws.com/user annotation is set, the environment for each container in the deployment's pod template is updated to include an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY that refer to those values in the managed secret.
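The decision logic documented for both RewriteCronJobAuth and RewriteDeploymentAuth, as an added example that is not the package's own code: it resolves the managed secret name and picks create, rotate or nothing from the three rules above. The annotation names and AccessKeyLifetime are copied from the package; the Action type, the function signatures and the sample key ids are assumptions made for the demonstration.

```go
package main

import "time"

// Names copied from the package's exported constants and variable.
const (
	AnnotationIAMUser           = "iam.amazonaws.com/user"
	AnnotationManagedSecretName = "qubling.cloud/managed-secret-name"
	AccessKeyLifetime           = 30 * 24 * time.Hour
)

// Action is the outcome the rewrite routine decides for one workload (names are assumptions).
type Action string

const (
	ActionCreate  Action = "create"  // no managed secret: generate key, deploy secret, restart
	ActionRotate  Action = "rotate"  // secret stale or key too old: rotate, update secret, restart
	ActionNothing Action = "nothing" // secret current and key within its lifetime
)

// SecretName resolves the managed secret name as documented: the
// qubling.cloud/managed-secret-name annotation if set, else the IAM user name.
// ok is false when the workload carries no iam.amazonaws.com/user annotation.
func SecretName(annotations map[string]string) (name string, ok bool) {
	user := annotations[AnnotationIAMUser]
	if user == "" {
		return "", false
	}
	if n := annotations[AnnotationManagedSecretName]; n != "" {
		return n, true
	}
	return user, true
}

// Decide applies the three documented rules in order. secretKeyID is the access key id
// held in the managed secret (ignored when secretExists is false); latestKeyID and
// latestCreated describe the IAM user's most recent access key.
func Decide(secretExists bool, secretKeyID, latestKeyID string, latestCreated, now time.Time) Action {
	switch {
	case !secretExists:
		return ActionCreate
	case secretKeyID != latestKeyID:
		return ActionRotate
	case now.Sub(latestCreated) > AccessKeyLifetime:
		return ActionRotate
	default:
		return ActionNothing
	}
}
```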

func SaveResourceFile

func SaveResourceFile(
	ctx context.Context,
	tools Tools,
	saveDir string,
	sr *k8s.SerializedResource,
) error

SaveResourceFile turns a serialized resource into a resource file written into the given save directory.

Types

type RewriteOptions

type RewriteOptions struct {
	SkipSecrets bool
}

type Tools

type Tools interface {
	Kube() (*k8s.Client, error)

	ResMgr(context.Context) (*k8scfg.Client, error)

	IAM() (*iam.Client, error)
}
