Module bootstrap

Source

Expand description

Bootstrap logic for bindy bootstrap.

§`bindy bootstrap operator`

Applies all operator prerequisites to a Kubernetes cluster in order:

Namespace (bindy-system by default, or --namespace)
CRDs — generated from Rust types, always in sync with the operator
ServiceAccount (bindy)
ClusterRole (bindy-role) — operator permissions
ClusterRole (bindy-admin-role) — admin/destructive permissions
ClusterRoleBinding (bindy-rolebinding) — binds SA to operator role
Deployment (bindy) — the operator itself

§`bindy bootstrap scout`

Applies all scout prerequisites to a Kubernetes cluster in order:

Namespace (bindy-system by default, or --namespace)
CRDs — same 12 CRDs as the operator (shared types)
ServiceAccount (bindy-scout)
ClusterRole (bindy-scout) — scout cluster-scoped permissions
ClusterRoleBinding (bindy-scout) — binds scout SA to scout ClusterRole
Role (bindy-scout-writer) — namespaced ARecord write permissions
RoleBinding (bindy-scout-writer) — binds scout SA to writer Role
Deployment (bindy-scout) — the scout controller itself

§`bindy bootstrap mc`

Sets up remote access so a scout running on a child (workload) cluster can write ARecords to the queen-ship (bindy) cluster. Run this command against the queen-ship cluster (KUBECONFIG must point at it):

ServiceAccount (bindy-scout-remote by default, or --service-account) — one SA per child cluster so access can be revoked independently
Role (bindy-scout-remote) — namespaced ARecord CRUD + DNSZone read permissions on the queen-ship. A namespaced Role is sufficient because the scout watches DNSZones via Api::namespaced (not Api::all) in the same target namespace.
RoleBinding (bindy-scout-remote) — binds the SA to the namespaced Role
SA token Secret — a long-lived token for the SA
Kubeconfig Secret (bindy-scout-remote-remote-kubeconfig) — a ready-to-use kubeconfig for the SA, printed to stdout as YAML

The stdout output is applied to the child cluster where scout runs:

bindy bootstrap mc | kubectl --context=<child-cluster> apply -f -

Then set BINDY_SCOUT_REMOTE_SECRET=bindy-scout-remote-kubeconfig on the scout Deployment so it picks up the remote kubeconfig at startup.

Structs§

ScoutDeploymentOptions: Configuration options for the Scout Deployment and bootstrap process.

Constants§

BINDY_ADMIN_ROLE_YAML
BINDY_ROLE_YAML: Embedded RBAC YAML files — compiled into the binary so bootstrap is self-contained.
CLUSTER_ROLE_BINDING_NAME: ClusterRoleBinding name.
DEFAULT_IMAGE_TAG: Default image tag for operator and scout Deployments.
DEFAULT_NAMESPACE: Default namespace for the bindy operator deployment.
DEFAULT_SCOUT_CLUSTER_NAME: Default logical cluster name stamped on ARecord labels by the scout controller.
MC_DEFAULT_SERVICE_ACCOUNT_NAME: Default ServiceAccount name created by bootstrap mc on the queen-ship cluster.
OPERATOR_DEPLOYMENT_NAME: Operator Deployment name.
OPERATOR_IMAGE_BASE: Container image registry and repository (without tag).
OPERATOR_ROLE_NAME: Operator ClusterRole name.
REMOTE_KUBECONFIG_SECRET_SUFFIX: Suffix appended to the service account name when naming the remote kubeconfig Secret.
REMOTE_KUBECONFIG_SECRET_TYPE: Secret type for the kubeconfig Secret placed on a child (workload) cluster.
SA_TOKEN_SECRET_SUFFIX: Suffix appended to the service account name when naming the SA token Secret.
SCOUT_CLUSTER_ROLE_BINDING_NAME: Scout ClusterRoleBinding name.
SCOUT_CLUSTER_ROLE_NAME: Scout ClusterRole name.
SCOUT_DEPLOYMENT_NAME: Scout Deployment name.
SCOUT_SERVICE_ACCOUNT_NAME: Scout ServiceAccount name.
SCOUT_WRITER_ROLE_BINDING_NAME: Scout namespaced RoleBinding name.
SCOUT_WRITER_ROLE_NAME: Scout namespaced Role name (ARecord write permissions).
SERVICE_ACCOUNT_NAME: ServiceAccount name created for the operator.

Functions§

build_all_crds: Build all 12 CRDs in the same order as crdgen.
build_cluster_role_binding: Build the ClusterRoleBinding that binds the bindy ServiceAccount to bindy-role.
build_crd: Build a single CRD from a Rust type, ensuring storage: true and served: true.
build_deployment: Build the operator Deployment manifest.
build_kubeconfig_yaml: Build a kubeconfig YAML string for the given service account token.
build_mc_kubeconfig_secret: Build the bindy.firestoned.io/remote-kubeconfig Secret containing the kubeconfig YAML.
build_mc_sa_token_secret: Build the kubernetes.io/service-account-token Secret that triggers token generation.
build_mc_service_account: Build the multi-cluster ServiceAccount on the queen-ship cluster.
build_mc_writer_role: Build the namespaced Role for the multi-cluster service account on the queen-ship.
build_mc_writer_role_binding: Build the RoleBinding that binds the multi-cluster SA to its Role on the queen-ship.
build_namespace: Build the operator namespace object.
build_scout_cluster_role: Build the scout ClusterRole with cluster-scoped permissions.
build_scout_cluster_role_binding: Build the ClusterRoleBinding that binds the scout ServiceAccount to the scout ClusterRole.
build_scout_deployment: Build the scout Deployment manifest.
build_scout_service_account: Build the scout ServiceAccount in the given namespace.
build_scout_writer_role: Build the scout writer Role (namespaced ARecord write permissions).
build_scout_writer_role_binding: Build the scout writer RoleBinding (binds scout SA to writer Role).
build_service_account: Build the bindy ServiceAccount in the given namespace.
parse_cluster_role: Parse a ClusterRole from embedded YAML.
resolve_image: Resolve the full container image reference for the bindy image.
run_bootstrap_multi_cluster: Run the multi-cluster bootstrap process (bindy bootstrap multi-cluster).
run_bootstrap_operator: Run the operator bootstrap process (bindy bootstrap operator).
run_bootstrap_scout: Run the scout bootstrap process (bindy bootstrap scout).
run_revoke_multi_cluster: Revoke all resources that bootstrap mc created for a given service account.