package constants
import "time"
// Policy server identity, environment variable names, ports and probe path.
const (
	// DefaultPolicyServer is the policy server name used for a policy that
	// does not define a policy server name itself.
	DefaultPolicyServer = "default"

	// Environment variable names. Only the names are defined here.
	PolicyServerEnableMetricsEnvVar = "KUBEWARDEN_ENABLE_METRICS"
	PolicyServerMetricsPortEnvVar   = "KUBEWARDEN_POLICY_SERVER_SERVICES_METRICS_PORT"
	PolicyServerLogFmtEnvVar        = "KUBEWARDEN_LOG_FMT"

	// Port numbers. The listen port (8443) differs from the service port (443).
	PolicyServerListenPort         = 8443
	PolicyServerServicePort        = 443
	PolicyServerMetricsPort        = 8080
	PolicyServerReadinessProbePort = 8081
	PolicyServerReadinessProbe     = "/readiness"
)

// Policy server configuration entries and container paths.
//
// NOTE(review): the verification and Sigstore trust entries presumably feed
// policy signature verification, so write access to the objects backing them
// would decide what the policy server trusts. Confirm at the use sites how
// they are mounted and who can modify them.
const (
	PolicyServerConfigPoliciesEntry = "policies.yml"

	PolicyServerConfigSourcesEntry         = "sources.yml"
	PolicyServerSourcesConfigContainerPath = "/sources"

	PolicyServerVerificationConfigEntry         = "verification-config"
	PolicyServerVerificationConfigContainerPath = "/verification"

	// The entry name and the volume name below are the same string.
	PolicyServerSigstoreTrustConfigEntry         = "sigstore-trust-config"
	PolicyServerSigstoreTrustConfigVolumeName    = "sigstore-trust-config"
	PolicyServerSigstoreTrustConfigContainerPath = "/sigstore-trust"
	PolicyServerSigstoreTrustConfigFilename      = "sigstore-trust-config.json"
	PolicyServerSigstoreTrustConfigEnvVar        = "KUBEWARDEN_SIGSTORE_TRUST_CONFIG_PATH"
)

// Annotation keys used on the policy server Deployment and its pod template.
const (
	// The annotation key and the pod spec label key below share one string,
	// "kubewarden/config-version".
	PolicyServerDeploymentConfigVersionAnnotation   = "kubewarden/config-version"
	PolicyServerDeploymentPodSpecConfigVersionLabel = "kubewarden/config-version"

	// Keys in the kubectl, Deployment controller and OpenTelemetry namespaces.
	PolicyServerDeploymentRestartAnnotation = "kubectl.kubernetes.io/restartedAt"
	KubernetesRevisionAnnotation            = "deployment.kubernetes.io/revision"
	OptelInjectAnnotation                   = "sidecar.opentelemetry.io/inject"

	// PolicyServerDeploymentManagedAnnotationKeysAnnotation is the annotation
	// that records which annotation keys on a Deployment/Pod template the
	// controller manages, i.e. the keys that came from spec.annotations. On
	// each reconcile the controller removes keys that it managed before and
	// that are gone from the spec; annotations set by Kubernetes itself or by
	// other tooling are left alone.
	PolicyServerDeploymentManagedAnnotationKeysAnnotation = "kubewarden.io/managed-annotation-keys"

	// PolicyServerDeploymentManagedLabelKeysAnnotation is the annotation that
	// records which label keys on a Deployment/Pod template the controller
	// manages, i.e. the keys that came from spec.labels. On each reconcile
	// the controller removes keys that it managed before and that are gone
	// from the spec; labels set by Kubernetes itself or by other tooling are
	// left alone.
	PolicyServerDeploymentManagedLabelKeysAnnotation = "kubewarden.io/managed-label-keys"
)

// Policy server labels, the field index key and finalizers.
const (
	// AppLabelKey is the label used to identify the pod template in the
	// deployment.
	//
	// Deprecated: use the other standard labels.
	AppLabelKey = "app"

	PolicyServerLabelKey            = "kubewarden/policy-server"
	ComponentPolicyServerLabelValue = "policy-server"
	InstanceLabelKey                = "app.kubernetes.io/instance"
	ComponentLabelKey               = "app.kubernetes.io/component"
	PartOfLabelKey                  = "app.kubernetes.io/part-of"
	PartOfLabelValue                = "kubewarden"
	ManagedByKey                    = "app.kubernetes.io/managed-by"

	PolicyServerIndexKey = ".spec.policyServer"

	// NOTE(review): the Pre114 suffix suggests this is the finalizer string
	// used before a 1.14 release; confirm against the migration code.
	KubewardenFinalizerPre114 = "kubewarden"
	KubewardenFinalizer       = "kubewarden.io/finalizer"
)

// Webhook configuration annotation keys and policy scope values.
const (
	WebhookConfigurationPolicyNameAnnotationKey      = "kubewardenPolicyName"
	WebhookConfigurationPolicyNamespaceAnnotationKey = "kubewardenPolicyNamespace"

	NamespacePolicyScope = "namespace"
	ClusterPolicyScope   = "cluster"
)

// Controller timings.
const (
	// TimeToRequeuePolicyReconciliation is the duration to use when a policy
	// reconciliation should be requeued.
	TimeToRequeuePolicyReconciliation = 2 * time.Second

	MetricsShutdownTimeout = 5 * time.Second
)

// Certificate Secret names, Secret data keys and validity periods.
//
// Every string here is an object name or a data key, never key material,
// which is why the gosec findings are suppressed.
//
// NOTE(review): the Secret named by CARootSecretName presumably stores the CA
// private key under CARootPrivateKey; confirm that read access to it is
// limited to the controller.
const (
	WebhookServerCertSecretName      = "kubewarden-webhook-server-cert" //nolint:gosec // This is not a credential
	ServerCert                       = "tls.crt"
	ServerPrivateKey                 = "tls.key"
	ServerCertSecretFormatVersion    = "1"
	ServerCertSecretFormatAnnotation = "kubewarden.io/cert-format-version" //nolint:gosec // This is not a credential

	CARootSecretName = "kubewarden-ca"
	CARootCert       = "ca.crt"
	CARootPrivateKey = "ca.key"
	// NOTE(review): OldCARootCert and ClientCACert look like data keys for a
	// previous CA certificate and a client CA certificate; confirm their use.
	OldCARootCert = "old-ca.crt"
	ClientCACert  = "client-ca.crt"

	// Validity periods count a year as 365 days, so leap days are ignored.
	// CertExpirationYears repeats the factor 10 used in CACertExpiration and
	// is not derived from it.
	CertExpirationYears  = 10
	CACertExpiration     = 10 * 365 * 24 * time.Hour
	ServerCertExpiration = 1 * 365 * 24 * time.Hour
	// CertLookahead is 60 days.
	// NOTE(review): presumably the window before expiry in which a
	// certificate is renewed; confirm at the use site.
	CertLookahead = 60 * 24 * time.Hour
)