* feat: pausing reconciliation of controlled objects
Objects such as TenantControlPlane and Secret can be annotated with
kamaji.clastix.io/paused to prevent controllers from processing them.
This will stop reconciling objects for debugging or other purposes.
Annotation value is irrelevant, just the key presence is evaluated.
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* docs: pausing reconciliation of controlled objects
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* chore(logs): typo for deleted resources
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
---------
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
This patch switches default kubelet-preferred-address-types to
"InternalIP,ExternalIP,Hostname" to avoid failures in kube-apiserver
connection to kubelet when node hostnames are not resolvable by the
external DNS server. This improves out-of-the-box reliability across
most environments by choosing node `InternalIP` as the preferred mode
to reach Kubelet.
Signed-off-by: Parth Yadav <parthyadav3105@gmail.com>
* feat(api): introducing sleeping status
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* chore(helm)!: introducing sleeping status
Marking this commit as breaking since a CustomResourceDefinition update
is required for users dealing with scale to zero since the introduction
of the new enum for the status field.
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* docs: introducing sleeping status
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
---------
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* feat: Validate DataStores with CEL using the following rules
- certificateAuthority privateKey must have secretReference or content when driver is etcd
- clientCertificate must have secretReference or content when driver is etcd
- clientCertificate privateKey must have secretReference or content when driver is etcd
- When driver is not etcd and tlsConfig exists, certificateAuthority must be null or contain valid content
- When driver is not etcd and tlsConfig exists, clientCertificate must be null or contain valid content
- When driver is not etcd and basicAuth exists, username must have secretReference or content
- When driver is not etcd and basicAuth exists, password must have secretReference or content
- When driver is not etcd, either tlsConfig or basicAuth must be provided
Signed-off-by: aerosouund <aerosound161@gmail.com>
* fix: Add extra rule
Signed-off-by: aerosouund <aerosound161@gmail.com>
* fix: ginkgo flag ordering
Signed-off-by: aerosouund <aerosound161@gmail.com>
* fix: Fix syntax of tls or basic auth rule and remove the certificate authority rule
Signed-off-by: aerosouund <aerosound161@gmail.com>
* test: Add ginkgo tests for validations
Signed-off-by: aerosouund <aerosound161@gmail.com>
* fix(test): missing default values
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* chore(ci): running integration tests as gh job
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
---------
Signed-off-by: aerosouund <aerosound161@gmail.com>
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
* fix: cel for load balancer class
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* fix(helm): cel for load balancer class
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
---------
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* feat: automatically set dns service address
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* feat(helm): automatically set dns service address
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* docs: automatically set dns service address
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
---------
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* feat(crd): add LoadBalancerSourceRanges field and integrate with service resource
* test(crd): add tests for CEL validation logic
* feat(webhook): implement LoadBalancerSourceRanges validation logic for CIDRs
* test(webhook): add tests for webhook validation logic
* test: modify Makefile for envtest setup
* docs: add LoadBalancerSourceRanges field to API reference
* feat: Add DataStoreSchema field to TCP spec
* feat: Read DB_SCHEMA from TCP spec field
* feat: Default DataStoreSchema in webhook
* fix: Catch unsetting the dataStore via CEL
* fix: Apply all patches, not only the first
This also includes converting OnUpdate() to a no-op, as the
existence and immutability of the fields are already checked
by the API server, thanks to kubebuilder markers.
The webhook ensures that fields like dataStore, dataStoreSchema
are defaulted during creation (if unset), and the CEL expressions
prohibit unsetting them during update.
* test: Add tests for defaulting webhook
* fix: typo
* fix: Linter issues
* fix: make apidoc
* Update TCP CRD in charts folder
* fix: Don't run E2E tests during `make test`
* fix: Use proper `metav1` import name
* feat: Handle updates of TCPs without dataStoreSchema (+ tests)
* fix: Prioritize Status over Spec
Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
* Update goDoc on DataStore field
* make apidoc
---------
Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
* chore(makefile): installing cert-manager via helm
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* chore: removing need of kustomize in favor of yq
By removing kustomize generation files we can simply release, despite
the bundles must be removed since based on kustomize despite never being
used.
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* chore(ci): aligning to latest manifest generation strategy
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
---------
Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
* chore: improve error handling and logging for certificate operations
- Enhance error reporting in GenerateCertificatePrivateKeyPair function
- Add detailed error checks for CA certificate and private key parsing
- Implement check for expected number of certificate files
- Improve error logging in APIServerCertificate resource
This commit preserves more details about certificate-related issues,
aiding in debugging and troubleshooting.
* feat: support loadbalancer hostname resolution
Add functionality to resolve loadbalancer hostname to IP address in DeclaredControlPlaneAddress method.
This enhances the existing IP address handling by allowing the use of hostnames for loadbalancers.
- Add hostname check in addition to IP check
- Implement hostname resolution using net.LookupIP
- Return the first resolved IP address if available
* fix: Remove hostname support for LoadBalancer ingress
- Extract LoadBalancer address logic to separate function
- Remove hostname resolution for LoadBalancer ingress
- Add explanatory comments on reasons for not supporting hostnames
* fix: replace fmt and vet with golint
- Remove fmt and vet targets
- Update build target to use golint instead of fmt and vet
- Remove fmt and vet dependencies from run target
* fix: lint errors
During reconciliation, the bootstrap provider copies the content from the secret provided by Kamaji, named `<cluster>-admin-kubeconfig` into a `cluster-info` configmap of tenant cluster, which then used by kubeadm to join nodes.
This change introduces a new annotation, `kamaji.clastix.io/kubeconfig-secret-key`, for the TenantControlPlane resource. This annotation instructs kamaji to read the kubeconfig from a specific key (the default one is super-admin.conf).
Example:
```
kamaji.clastix.io/kubeconfig-secret-key: super-admin.svc
```
This will instruct the system to use `super-admin.svc` a kubeconfig with a local service FQDN (introduced by https://github.com/clastix/kamaji/pull/403).
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
