From 7caccec11df57933f75837172b1ee033b69e687c Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 16 May 2024 14:04:00 +0200 Subject: [PATCH 01/67] upd kubernetes (#134) * Allow root login without password * add ephemeral volumes for containerd and kubelet * update kubernetes application --- packages/apps/kubernetes/Chart.yaml | 4 +- .../apps/kubernetes/templates/cluster.yaml | 38 +++++++++++++++++-- packages/apps/versions_map | 3 +- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 49dbcc63..2028768d 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -16,10 +16,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.19.0" +appVersion: "1.19.4" diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index 31382c74..19aebd00 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -74,6 +74,21 @@ metadata:
 spec:
 template:
 spec:
+ diskSetup:
+ filesystems:
+ - device: /dev/vdb
+ filesystem: xfs
+ label: containerd
+ partition: "none"
+ - device: /dev/vdc
+ filesystem: xfs
+ label: kubelet
+ partition: "none"
+ mounts:
+ - ["LABEL=containerd", "/var/lib/containerd"]
+ - ["LABEL=kubelet", "/var/lib/kubelet"]
+ preKubeadmCommands:
+ - sed -i 's|root:x:|root::|' /etc/passwd
 joinConfiguration:
 nodeRegistration:
 kubeletExtraArgs: {}
@@ -108,17 +123,32 @@ spec:
 sockets: 1
 devices:
 disks:
- - disk:
+ - name: system
+ disk:
 bus: virtio
- name: containervolume
+ pciAddress: 0000:07:00.0
+ - name: containerd
+ disk:
+ bus: virtio
+ pciAddress: 0000:08:00.0
+ - name: kubelet
+ disk:
+ bus: virtio
+ pciAddress: 0000:09:00.0
 networkInterfaceMultiqueue: true
 memory:
 guest: {{ $group.resources.memory }}
 evictionStrategy: External
 volumes:
- - containerDisk:
+ - name: system
+ containerDisk:
 image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}"
- name: containervolume
+ - name: containerd
+ emptyDisk:
+ capacity: 20Gi
+ - name: kubelet
+ emptyDisk:
+ capacity: 20Gi
 ---
 apiVersion: cluster.x-k8s.io/v1beta1
 kind: MachineDeployment
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index c7288590..e0b4f8b4 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -5,7 +5,8 @@ http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 HEAD
 kubernetes 0.1.0 f642698
-kubernetes 0.2.0 HEAD
+kubernetes 0.2.0 7cd7de73
+kubernetes 0.3.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
From 6fc1cc7d5dae72f9dfb5d05362c563956625b127 Mon Sep 17 00:00:00 2001
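Review bot: The added `preKubeadmCommands` entry `sed -i 's|root:x:|root::|' /etc/passwd` blanks root's password field on every node unconditionally, so any login path that still consults /etc/passwd (serial console, `su`, PAM stacks configured with nullok) grants root with no credential; the commit message says this is intended, but nothing in the template records why or limits where it applies. Gate it behind a chart value that defaults to off, or keep it for console access only while SSH stays on key authentication, and put a comment above the line such as `# Passwordless root console login for debugging; must stay off on untrusted networks`. The `diskSetup` entries also tie `/dev/vdb` and `/dev/vdc` to the `pciAddress` ordering in the disks hunk below, so a comment noting that the two lists must stay in sync would help the next editor. The enclosing resource (a KubeadmConfigTemplate, judging by `joinConfiguration`) starts and ends outside the hunk.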
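Review bot: The two new `emptyDisk` volumes hard-code `capacity: 20Gi` while the other sizing in this template comes from `$group.resources` (see the context line `guest: {{ $group.resources.memory }}`), so 20Gi becomes the ceiling for image pulls and ephemeral storage on every node regardless of its size. Sourcing them from values, e.g. `capacity: {{ $group.resources.containerdDisk | default "20Gi" }}` and likewise for kubelet (constructed names, pick whatever fits the values schema), keeps larger node groups provisionable without editing the chart. Because they are `emptyDisk` volumes their contents vanish on VM restart, which is what the commit intends; a one-line comment above `volumes:` saying so would stop a future reader from "fixing" that. The VM template holding `devices` and `volumes` starts outside the hunk.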
From: Andrei Kvapil
Date: Thu, 16 May 2024 14:04:10 +0200
Subject: [PATCH 02/67] etcd: Add quota-backend-bytes calculations (#133)
---
 packages/extra/etcd/Chart.yaml | 2 +-
 packages/extra/etcd/templates/etcd-cluster.yaml | 11 +++++++++++
 packages/extra/versions_map | 3 ++-
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml
index 54c171e1..3403ec0c 100644
--- a/packages/extra/etcd/Chart.yaml
+++ b/packages/extra/etcd/Chart.yaml
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.0.0
+version: 2.0.1
diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml
index a1f05c89..78bc5f00 100644
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -1,9 +1,20 @@
+{{- define "calculateQuotaBackendBytes" -}}
+{{- $units := dict "Ki" 1024 "Mi" 1048576 "Gi" 1073741824 -}}
+{{- $value := regexFind "[0-9.]+" . -}}
+{{- $unit := regexFind "[a-zA-Z]+" . -}}
+{{- $numericValue := float64 $value -}}
+{{- $bytes := mulf $numericValue (index $units $unit) -}}
+{{- $result := mulf $bytes 0.95 -}}
+{{- printf "%.0f" $result -}}
+{{- end -}}
 ---
 apiVersion: etcd.aenix.io/v1alpha1
 kind: EtcdCluster
 metadata:
 name: etcd
 spec:
+ options:
+ quota-backend-bytes: {{ include "calculateQuotaBackendBytes" .Values.size | quote }}
 replicas: {{ .Values.replicas }}
 storage:
 volumeClaimTemplate:
diff --git a/packages/extra/versions_map b/packages/extra/versions_map
index 551c0a11..82611637 100644
--- a/packages/extra/versions_map
+++ b/packages/extra/versions_map
@@ -1,4 +1,5 @@
 etcd 1.0.0 f7eaab0
-etcd 2.0.0 HEAD
+etcd 2.0.0 a6d0f7cf
+etcd 2.0.1 HEAD
 ingress 1.0.0 HEAD
 monitoring 1.0.0 HEAD
From 007d414f0e0767a1a38dd37864ce887317475ceb Mon Sep 17 00:00:00 2001
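Review bot: `calculateQuotaBackendBytes` silently produces a wrong quota whenever `.Values.size` does not use `Ki`, `Mi` or `Gi`: `index $units $unit` returns nil for `Ti`, `G`, `M` or a bare byte count, `mulf` treats nil as 0, and etcd receives `quota-backend-bytes: "0"`, which it reads as "use the default quota" instead of failing. Add a guard right after `$unit` is extracted, e.g. `{{- if not (hasKey $units $unit) }}{{ fail (printf "unsupported size unit in %q" .) }}{{ end -}}`, and consider adding `Ti` to the dict. A comment above the define stating that the result is 95% of the PVC size so the backend quota stays below the volume would explain the otherwise unexplained `0.95`. Note also that `regexFind "[0-9.]+"` takes only the first match, so `1.5Gi` works but a value with a thousands separator would not.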
From: Andrei Kvapil Date: Thu, 16 May 2024 16:11:37 +0200 Subject: [PATCH 03/67] Prepare release v0.6.0 (#135) --- manifests/cozystack-installer.yaml | 4 ++-- packages/apps/http-cache/images/nginx-cache.json | 4 ++-- packages/apps/kubernetes/images/ubuntu-container-disk.json | 4 ++-- packages/core/installer/images/cozystack.json | 4 ++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 4 ++-- packages/system/dashboard/images/dashboard.json | 4 ++-- packages/system/dashboard/images/dashboard.tag | 2 +- packages/system/dashboard/images/kubeapps-apis.json | 4 ++-- packages/system/dashboard/images/kubeapps-apis.tag | 2 +- 10 files changed, 17 insertions(+), 17 deletions(-) diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index c3186105..742c7723 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.5.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.5.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index 4314d5f3..e0e737b3 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json 
@@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:fbf82620e58e1502946ab32b5b11ada483f06c0c903d6a532a46ab842f913555", - "containerimage.digest": "sha256:f51a4f2f3d9452ead2c77e3a85a29167d08d86e924196b250c5f7d3b8ebf990c" + "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf", + "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb" } \ No newline at end of file diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json index 70490771..e7685393 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.json +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:77f663f46e86e66579e9025bb96511b9f547470bbd78716c11f9ccc25587c597", - "containerimage.digest": "sha256:e3e5e5ec8732c5d585ccba38fd457dc9bf0b0d9bc394131c19934c2c11b66ec9" + "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e", + "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index ebbb5138..68f3bc54 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:dac122af1e85d9d668e0a0260d08bb80892f1087b09fb4a4ace2e568257889d2", - "containerimage.digest": "sha256:bc9029117d985748290b88839082b65b28aaa718b694ff686d6cf49971be424f" + "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188", + "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2" } \ No newline at end of file 
diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index ac4f6a03..27f181d5 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.5.0 +ghcr.io/aenix-io/cozystack/cozystack:v0.6.0 diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json index bae7399c..2ff00e73 100644 --- a/packages/core/installer/images/matchbox.json +++ b/packages/core/installer/images/matchbox.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:f731c71f65f96700528d89de985fb0adea867dbe9952b11c146c89eea809986c", - "containerimage.digest": "sha256:701b57ae218d71616432ef9f02f53ba5fcca98057f201b8f5db37d24281f1fae" + "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64", + "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json index bd6daef8..fa70d533 100644 --- a/packages/system/dashboard/images/dashboard.json +++ b/packages/system/dashboard/images/dashboard.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:ff8fcec27b1ef0a815cb94bc71e616392e096c0b554e4c1e1c149fec7bbc85d0", - "containerimage.digest": "sha256:ad0ecbe1e5b63f4a9842918014f644e2667327c946a5308dbab530bbcb543b92" + "containerimage.config.digest": "sha256:8126f86f18708a9157206884c63dc9df7f3090a33e05f4a1b94f2a7da7610c74", + "containerimage.digest": "sha256:e1a285812d1ce34bcf5c37db2a5c12ec99887c930b46ac261895dc98f674c066" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index 3d28767b..7f20ff19 100644 --- a/packages/system/dashboard/images/dashboard.tag 
+++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.5.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.6.0 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index 7a39f578..f54437aa 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:582aef7b5b407698dd98c0491cfd0150303c489a42869ccd92ea08f7e0155a7f", - "containerimage.digest": "sha256:7587d68b7797ccf70c9775a543f28301c71553c2fef6e80d510a181c08021ce8" + "containerimage.config.digest": "sha256:79ac02f0fe54d2007b222efe05596a1bf35b8557e406d018f825a2334bd73249", + "containerimage.digest": "sha256:1c1dbee8e5c4be14e5df36a69be75a6a2907445564379e23b7f8fbea1afc7093" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index 8d97f7de..6cd70ddb 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.5.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.6.0 From 2b00fcf8f986387ddd4209b63ae0802a11d88fea Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 20 May 2024 20:53:19 +0200 Subject: [PATCH 04/67] etcd: enable autocompact and defrag (#137) Signed-off-by: Andrei Kvapil --- packages/extra/etcd/Chart.yaml | 2 +- .../extra/etcd/templates/etcd-cluster.yaml | 3 ++ .../extra/etcd/templates/etcd-defrag.yaml | 31 +++++++++++++++++++ packages/extra/versions_map | 3 +- 4 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 packages/extra/etcd/templates/etcd-defrag.yaml diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index 3403ec0c..76d426a9 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml 
@@ -3,4 +3,4 @@ name: etcd
 description: Storage for Kubernetes clusters
 icon: https://www.svgrepo.com/show/353714/etcd.svg
 type: application
-version: 2.0.1
+version: 2.1.0
diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml
index 78bc5f00..6edf5616 100644
--- a/packages/extra/etcd/templates/etcd-cluster.yaml
+++ b/packages/extra/etcd/templates/etcd-cluster.yaml
@@ -15,6 +15,9 @@ metadata:
 spec:
 options:
 quota-backend-bytes: {{ include "calculateQuotaBackendBytes" .Values.size | quote }}
+ auto-compaction-mode: "periodic"
+ auto-compaction-retention: "5m"
+ snapshot-count: "10000"
 replicas: {{ .Values.replicas }}
 storage:
 volumeClaimTemplate:
diff --git a/packages/extra/etcd/templates/etcd-defrag.yaml b/packages/extra/etcd/templates/etcd-defrag.yaml
new file mode 100644
index 00000000..21a8e514
--- /dev/null
+++ b/packages/extra/etcd/templates/etcd-defrag.yaml
@@ -0,0 +1,31 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ .Release.Name }}-defrag
+spec:
+ schedule: "0 * * * *"
+ successfulJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: etcd-defrag
+ image: ghcr.io/ahrtr/etcd-defrag:v0.13.0
+ args:
+ - --endpoints={{ range $i, $e := until (int .Values.replicas) }}{{ if $i }},{{ end }}https://{{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc:2379{{ end }}
+ - --cacert=/etc/etcd/pki/client/cert/ca.crt
+ - --cert=/etc/etcd/pki/client/cert/tls.crt
+ - --key=/etc/etcd/pki/client/cert/tls.key
+ - --cluster
+ - --defrag-rule
+ - "dbQuotaUsage > 0.8 || dbSize - dbSizeInUse > 200*1024*1024"
+ volumeMounts:
+ - mountPath: /etc/etcd/pki/client/cert
+ name: client-certificate
+ readOnly: true
+ volumes:
+ - name: client-certificate
+ secret:
+ secretName: {{ .Release.Name }}-client-tls
+ restartPolicy: OnFailure
diff --git a/packages/extra/versions_map b/packages/extra/versions_map
index 82611637..6bc2b2f9 100644
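Review bot: The new CronJob in etcd-defrag.yaml sets no `concurrencyPolicy`, so the default `Allow` lets the hourly run start while a previous defrag is still holding a member; `concurrencyPolicy: Forbid` next to `schedule` prevents that, and `failedJobsHistoryLimit` alongside the existing `successfulJobsHistoryLimit: 3` keeps failed runs around for inspection. The image `ghcr.io/ahrtr/etcd-defrag:v0.13.0` is referenced by mutable tag while the rest of this series pins images by digest (the `images/*.json` files), and the container has the etcd client key mounted but no `securityContext`; pinning the digest and running non-root with a read-only root filesystem (if the image ships a non-root user, which is not visible here) narrows what a compromised defrag pod can do with that key. A comment above `--defrag-rule` explaining the 80%-of-quota / 200 MiB-fragmentation thresholds would also help, since they are the only tunables in the file.
```yaml
spec:
  schedule: "0 * * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    # … unchanged: spec/template/spec …
          containers:
          - name: etcd-defrag
            image: ghcr.io/ahrtr/etcd-defrag:v0.13.0@sha256:IMAGE_DIGEST_PLACEHOLDER
            securityContext:
              runAsNonRoot: true
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            # … unchanged: args, volumeMounts …
```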
--- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -1,5 +1,6 @@ etcd 1.0.0 f7eaab0 etcd 2.0.0 a6d0f7cf -etcd 2.0.1 HEAD +etcd 2.0.1 6fc1cc7d +etcd 2.1.0 HEAD ingress 1.0.0 HEAD monitoring 1.0.0 HEAD From 6abaf7c0fa73db892271e9f5e9cfeb71b4171f15 Mon Sep 17 00:00:00 2001 From: Marian Koreniuk Date: Tue, 21 May 2024 02:29:34 +0200 Subject: [PATCH 05/67] switched place -maxdepth im Makefiles (#140) --- packages/apps/Makefile | 2 +- packages/extra/Makefile | 2 +- packages/system/Makefile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/apps/Makefile b/packages/apps/Makefile index 22937eff..506c8750 100644 --- a/packages/apps/Makefile +++ b/packages/apps/Makefile @@ -11,7 +11,7 @@ repo: rm -rf "$(TMP)" fix-chartnames: - find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done + find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done gen-versions-map: fix-chartnames ../../hack/gen_versions_map.sh diff --git a/packages/extra/Makefile b/packages/extra/Makefile index 6b3ff995..5586c59e 100644 --- a/packages/extra/Makefile +++ b/packages/extra/Makefile @@ -11,7 +11,7 @@ repo: rm -rf "$(TMP)" fix-chartnames: - find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done + find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: $$i/" "$$i/Chart.yaml"; done gen-versions-map: fix-chartnames ../../hack/gen_versions_map.sh diff --git a/packages/system/Makefile b/packages/system/Makefile index 9162b1a4..e40b0bf1 100644 --- a/packages/system/Makefile +++ b/packages/system/Makefile 
@@ -9,4 +9,4 @@ repo: cd "$(OUT)" && helm repo index . fix-chartnames: - find . -name Chart.yaml -maxdepth 2 | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done + find . -maxdepth 2 -name Chart.yaml | awk -F/ '{print $$2}' | while read i; do sed -i "s/^name: .*/name: cozy-$$i/" "$$i/Chart.yaml"; done From 4a97e297d43d6c8fbdf85ffe99e3748a0779bffe Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 21 May 2024 02:29:49 +0200 Subject: [PATCH 06/67] postgres: fix users and roles (#138) Signed-off-by: Andrei Kvapil --- packages/apps/postgres/Chart.yaml | 2 +- packages/apps/postgres/templates/init-script.yaml | 6 +++--- packages/apps/versions_map | 3 ++- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index c9e8d9f5..89dee73f 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.2.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/postgres/templates/init-script.yaml b/packages/apps/postgres/templates/init-script.yaml index e402fce3..f5f6431c 100644 --- a/packages/apps/postgres/templates/init-script.yaml +++ b/packages/apps/postgres/templates/init-script.yaml 
@@ -100,13 +100,13 @@ stringData:
 echo "== assign roles to users"
 psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
 {{- range $database, $d := .Values.databases }}
- {{- range $user, $u := $.Values.roles }}
- {{- if has $user $d.users.admin }}
+ {{- range $user, $u := $.Values.users }}
+ {{- if has $user $d.roles.admin }}
 GRANT {{ $database }}_admin TO {{ $user }};
 {{- else }}
 REVOKE {{ $database }}_admin FROM {{ $user }};
 {{- end }}
- {{- if has $user $d.users.readonly }}
+ {{- if has $user $d.roles.readonly }}
 GRANT {{ $database }}_readonly TO {{ $user }};
 {{- else }}
 REVOKE {{ $database }}_readonly FROM {{ $user }};
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index e0b4f8b4..41965a09 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -11,7 +11,8 @@ mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
 postgres 0.1.0 f642698
-postgres 0.2.0 HEAD
+postgres 0.2.0 7cd7de73
+postgres 0.2.1 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
From 6cae6ce8ce3cfe455b01c13d33770a13711808a5 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Tue, 21 May 2024 11:22:37 +0200
Subject: [PATCH 07/67] kubernetes: enable bpf masqurade and tunnel routing (#144)
---
 packages/apps/kubernetes/Chart.yaml | 2 +-
 packages/apps/kubernetes/templates/cluster.yaml | 4 ++--
 .../apps/kubernetes/templates/helmreleases/cilium.yaml | 8 +++++---
 packages/apps/versions_map | 3 ++-
 4 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml
index 2028768d..39e8cc22 100644
--- a/packages/apps/kubernetes/Chart.yaml
+++ b/packages/apps/kubernetes/Chart.yaml
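Review bot: After this change `$user` comes from the `.Values.users` keys and `$database` from `.Values.databases`, i.e. from release values a tenant types in, yet both are still spliced into the `GRANT`/`REVOKE` statements of the `psql ... <<\EOT` heredoc as bare identifiers; a key containing `;`, whitespace or a quote breaks out of the statement, and a reserved word simply aborts the script under `ON_ERROR_STOP`. Validate the keys at render time, e.g. `{{- if not (regexMatch "^[a-z_][a-z0-9_]*$" $user) }}{{ fail (printf "invalid user name %q" $user) }}{{ end }}` at the top of the inner range and the same for `$database`, so a bad name fails the Helm render instead of reaching the database. Separately, `$d.roles.admin` and `$d.roles.readonly` raise a nil-pointer error when a database entry has no `roles` key; `has $user (($d.roles).admin | default list)` keeps the template rendering for databases that declare no grants. The heredoc and the surrounding shell script extend past both edges of the hunk.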
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 0.4.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml
index 19aebd00..345265fd 100644
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -55,7 +55,7 @@ spec:
 className: "{{ $ingress }}"
 deployment:
 replicas: 2
- version: 1.29.0
+ version: 1.29.4
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
 kind: KubevirtCluster
@@ -176,5 +176,5 @@ spec:
 kind: KubevirtMachineTemplate
 name: {{ $.Release.Name }}-{{ $groupName }}
 namespace: default
- version: v1.29.0
+ version: v1.29.4
 {{- end }}
diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
index 96c759fd..14577407 100644
--- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
@@ -26,7 +26,9 @@ spec:
 values:
 cilium:
 tunnel: disabled
- autoDirectNodeRoutes: true
+ autoDirectNodeRoutes: false
+ bpf:
+ masquerade: true
 cgroup:
 autoMount:
 enabled: true
@@ -38,9 +40,9 @@ spec:
 chainingMode: ~
 customConf: false
 configMap: ""
- routingMode: native
+ routingMode: tunnel
 enableIPv4Masquerade: true
- ipv4NativeRoutingCIDR: "10.244.0.0/16"
+ ipv4NativeRoutingCIDR: ""
 dependsOn:
 - name: {{ .Release.Name }}
 namespace: {{ .Release.Namespace }}
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 41965a09..bd195c9a 100644
--- a/packages/apps/versions_map
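Review bot: `routingMode: tunnel` is added in the second cilium.yaml hunk while the context line `tunnel: disabled` in the first hunk is left in place; as far as I recall from the upstream chart, `tunnel` is the deprecated predecessor of `routingMode`, so the two keys now state opposite intents and the rendered routing mode depends on which one the Cilium chart version in use honours first. Drop `tunnel: disabled` (or set it to the tunnel protocol you mean) so the values express a single mode. `ipv4NativeRoutingCIDR: ""` is consistent with tunnel mode but reads like a leftover; a comment such as `# not used in tunnel mode; set when switching back to native routing` would make it deliberate. The `values.cilium` mapping starts and ends outside both hunks.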
+++ b/packages/apps/versions_map @@ -6,7 +6,8 @@ kafka 0.1.0 760f86d2 kafka 0.2.0 HEAD kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 -kubernetes 0.3.0 HEAD +kubernetes 0.3.0 7caccec1 +kubernetes 0.4.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD From f30f7be6cc0c7e035bd945fc213cf57725ac4abb Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 21 May 2024 11:22:54 +0200 Subject: [PATCH 08/67] Unhardcode cluster.local domain (#142) Allow using other domains for the cluster Signed-off-by: Andrei Kvapil --- packages/core/fluxcd/Makefile | 7 +++++++ .../fluxcd/charts/flux2/templates/helm-controller.yaml | 2 +- .../flux2/templates/image-automation-controller.yaml | 2 +- .../charts/flux2/templates/image-reflector-controller.yaml | 2 +- .../charts/flux2/templates/kustomize-controller.yaml | 2 +- .../fluxcd/charts/flux2/templates/source-controller.yaml | 4 ++-- packages/system/dashboard/Makefile | 1 + .../charts/kubeapps/templates/kubeappsapis/deployment.yaml | 2 +- 8 files changed, 15 insertions(+), 7 deletions(-) diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index 7f1ddacf..9a44bd14 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile @@ -11,3 +11,10 @@ apply: diff: helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- + +update: + rm -rf charts + helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts + helm repo update fluxcd-community + helm pull fluxcd-community/flux2 --untar --untardir charts + sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts` diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml index 0811c156..8177c17c 100644 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml 
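Review bot: The new `update` target pulls `fluxcd-community/flux2` without `--version`, so each run vendors whatever the repo index currently calls latest and the patched chart under `charts/` cannot be reproduced from the Makefile alone; pin it, e.g. `helm pull fluxcd-community/flux2 --version FLUX2_CHART_VERSION_PLACEHOLDER --untar --untardir charts`, with the version held in a variable next to `NAMESPACE`/`NAME`. The last line feeds an unquoted backtick substitution to `sed -i`, which errors with "no input files" when `grep -rl` matches nothing; `grep -rl '...' charts | xargs -r sed -i '...'` handles the empty case and keeps the pattern in one place. A comment above that `sed` saying it strips the `.{{ .Values.clusterDomain | default "cluster.local" }}.` suffix so in-cluster names resolve through the pod's search path would document why a vendored chart is being modified at all.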
+++ b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml @@ -44,7 +44,7 @@ spec: - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml index 47da44d5..40e4da8d 100644 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml @@ -43,7 +43,7 @@ spec: - --no-cross-namespace-refs=true {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml index 58abd295..6be9c3e1 100644 --- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml 
@@ -43,7 +43,7 @@ spec: - --no-cross-namespace-refs=true {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml index fff3ed0d..6473dbe0 100644 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml @@ -44,7 +44,7 @@ spec: - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} {{- end}} {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml index 46c7cfe8..517b54bd 100644 --- a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml +++ b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml 
@@ -38,14 +38,14 @@ spec: containers: - args: {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc {{- end}} - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - --log-level={{ .Values.logLevel | default "info" }} - --log-encoding=json - --enable-leader-election - --storage-path=/data - - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. + - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc {{- range .Values.sourceController.container.additionalArgs }} - {{ . }} {{- end}} diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index 7172288b..f7a66c71 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile @@ -14,6 +14,7 @@ update-chart: helm pull bitnami/kubeapps --untar --untardir charts rm -rf charts/kubeapps/charts/postgresql/ ln -s ../../images charts/kubeapps/images + sed -i 's/.cluster.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml update-dockerfiles: tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps | awk -F'[/^]' 'END{print $$3}') && \ diff --git a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml index 61d6e603..5791a2f4 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml 
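Review bot: The added `sed -i 's/.cluster.local//g'` leaves both dots unescaped, so the pattern matches any character before `cluster` and between `cluster` and `local`; it works on `svc.cluster.local` today but would also strip an unrelated `-cluster-local` or `xclusterxlocal` substring from the vendored template. Escape them the way the fluxcd Makefile in this same series already does: `sed -i 's/\.cluster\.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml`. Since this line is what produces the `deployment.yaml` hunk that follows, keeping the two in lockstep is what makes `update-chart` reproducible.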
@@ -133,7 +133,7 @@ spec:
 # longer-term pass something to the plugins so that the plugins won't need to
 # know these details). Currently they're used directly by the flux plugin
 - name: REDIS_ADDR
- value: {{ printf "%s-master.%s.svc.cluster.local:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }}
+ value: {{ printf "%s-master.%s.svc:6379" (include "kubeapps.redis.fullname" .) .Release.Namespace }}
 - name: REDIS_PASSWORD
 valueFrom:
 secretKeyRef:
From 2cf23364b472206bdecb936c34f8910ce35031f2 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Tue, 21 May 2024 11:23:10 +0200
Subject: [PATCH 09/67] kamaji: unhardcode cluster.local domain (#145)
Signed-off-by: Andrei Kvapil
---
 packages/system/kamaji/values.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/system/kamaji/values.yaml b/packages/system/kamaji/values.yaml
index 2ef13714..de677502 100644
--- a/packages/system/kamaji/values.yaml
+++ b/packages/system/kamaji/values.yaml
@@ -1,3 +1,8 @@
 kamaji:
 etcd:
 deploy: false
+
+ # Fix https://github.com/clastix/kamaji/pull/467
+ image:
+ repository: ghcr.io/kvaps/test
+ tag: kamaji-v0.6.0-fix
From 5f01f30fe7d6cc8e5383e3ff247ff4fe7bdd0045 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Wed, 22 May 2024 08:32:06 +0200
Subject: [PATCH 10/67] kubernetes: specify correct dns address (#147)
---
 packages/apps/kubernetes/templates/cluster.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml
index 345265fd..baa0bc6b 100644
--- a/packages/apps/kubernetes/templates/cluster.yaml
+++ b/packages/apps/kubernetes/templates/cluster.yaml
@@ -39,7 +39,9 @@ metadata:
 spec:
 dataStoreName: "{{ $etcd }}"
 addons:
- coreDNS: {}
+ coreDNS:
+ dnsServiceIPs:
+ - 10.95.0.10
 konnectivity: {}
 kubelet:
 cgroupfs: systemd
From 48df98230f83eff22b767e902928391aa536c3b1 Mon Sep 17 00:00:00 2001
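Review bot: In the kamaji values.yaml hunk, `repository: ghcr.io/kvaps/test` with `tag: kamaji-v0.6.0-fix` points a system component at a personal registry namespace and a mutable tag with no digest, so what gets deployed can change without any change to this repository. Pin the image by digest, either through a digest field if the kamaji chart's image block supports one or as `tag: kamaji-v0.6.0-fix@sha256:<DIGEST_PLACEHOLDER>`, and extend the comment so the override has an exit condition, e.g. `# Temporary fork carrying clastix/kamaji#467; revert to the upstream image once that fix is released`. The commit subject says "unhardcode cluster.local domain" while the hunk only switches the image, so the description should mention the fork.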
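Review bot: In the kubernetes cluster.yaml hunk, `dnsServiceIPs: - 10.95.0.10` hard-codes the CoreDNS ClusterIP, which is only correct as long as the tenant cluster's services CIDR (not visible in this hunk) contains that address; if that CIDR is ever templated or changed, the addon is created with an out-of-range ClusterIP and the kubelet's cluster DNS setting points nowhere. Derive the value from the same place the services CIDR is defined, or expose it as a chart value with this as the default, and add a comment on the line: `# must lie inside the tenant cluster's services CIDR; keep in sync with the network settings`. The surrounding `spec:` block of this template starts before the hunk.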
From: Marian Koreniuk
Date: Fri, 24 May 2024 12:44:56 +0200
Subject: [PATCH 11/67] change hardcode for talos registry (#148)
without this fix can't build project localy
---
 packages/core/installer/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/core/installer/Makefile b/packages/core/installer/Makefile
index 5e96fb48..7cea7ed7 100644
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -34,8 +34,8 @@ image-cozystack:
 image-talos:
 test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
 docker load -i ../../../_out/assets/installer-amd64.tar
- docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
- docker push ghcr.io/aenix-io/cozystack/talos:$(call settag,$(TALOS_VERSION))
+ docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
+ docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))

 image-matchbox:
 test -f ../../../_out/assets/kernel-amd64 || make talos-kernel
From 3254cc784ec0f155889152a960027fcd76210a5f Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Fri, 24 May 2024 17:39:38 +0200
Subject: [PATCH 12/67] Update Cilium v1.15.5
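Review bot: `$(REGISTRY)/talos:...` in the `image-talos` target only behaves as before if `REGISTRY` is defined with a default earlier in the Makefile, outside this hunk; if it is empty, `docker tag` receives `/talos:<tag>` and fails with an unhelpful error, and if it is set to an unintended value the image is pushed there. If no default exists, add `REGISTRY ?= ghcr.io/aenix-io/cozystack` near the top so local builds keep the previous destination, and consider a guard in the target such as `test -n "$(REGISTRY)" || { echo "REGISTRY is not set" >&2; exit 1; }`. The `image-cozystack` target named in the hunk header presumably already uses the same variable, which is worth confirming so both targets push to one place.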
Signed-off-by: Andrei Kvapil --- packages/system/cilium/Makefile | 2 +- .../system/cilium/charts/cilium/Chart.yaml | 207 ++-- .../system/cilium/charts/cilium/README.md | 139 ++- .../dashboards/cilium-dashboard.json | 382 +++++-- .../configmap/bootstrap-config.json | 8 + .../hubble/dashboards/hubble-dashboard.json | 2 +- .../dashboards/hubble-dns-namespace.json | 602 ++++++++++ .../hubble-network-overview-namespace.json | 1001 +++++++++++++++++ .../templates/cilium-agent/clusterrole.yaml | 8 + .../cilium-agent/clusterrolebinding.yaml | 4 + .../templates/cilium-agent/daemonset.yaml | 56 +- .../cilium-agent/dashboards-configmap.yaml | 9 +- .../cilium/templates/cilium-agent/role.yaml | 36 + .../templates/cilium-agent/rolebinding.yaml | 35 + .../templates/cilium-agent/service.yaml | 4 + .../cilium-agent/serviceaccount.yaml | 9 +- .../cilium-agent/servicemonitor.yaml | 12 +- .../cilium/templates/cilium-ca-secret.yaml | 2 +- .../cilium/templates/cilium-configmap.yaml | 144 ++- .../templates/cilium-envoy/configmap.yaml | 4 + .../templates/cilium-envoy/daemonset.yaml | 21 +- .../templates/cilium-envoy/service.yaml | 7 +- .../cilium-envoy/serviceaccount.yaml | 9 +- .../cilium-envoy/servicemonitor.yaml | 9 +- .../templates/cilium-flowlog-configmap.yaml | 12 + .../templates/cilium-gateway-api-class.yaml | 4 +- .../templates/cilium-nodeinit/daemonset.yaml | 15 + .../cilium-nodeinit/serviceaccount.yaml | 9 +- .../cilium-operator/clusterrole.yaml | 16 + .../cilium-operator/clusterrolebinding.yaml | 4 + .../cilium-operator/dashboards-configmap.yaml | 9 +- .../templates/cilium-operator/deployment.yaml | 4 + .../cilium-operator/poddisruptionbudget.yaml | 4 + .../templates/cilium-operator/role.yaml | 8 + .../cilium-operator/rolebinding.yaml | 8 + .../templates/cilium-operator/secret.yaml | 4 + .../templates/cilium-operator/service.yaml | 4 + .../cilium-operator/serviceaccount.yaml | 9 +- .../cilium-operator/servicemonitor.yaml | 12 +- .../cilium-preflight/clusterrole.yaml | 8 + 
.../cilium-preflight/clusterrolebinding.yaml | 4 + .../templates/cilium-preflight/daemonset.yaml | 6 +- .../cilium-preflight/deployment.yaml | 6 +- .../cilium-preflight/poddisruptionbudget.yaml | 4 + .../cilium-preflight/serviceaccount.yaml | 9 +- .../templates/cilium-secrets-namespace.yaml | 34 +- .../clustermesh-apiserver/clusterrole.yaml | 4 + .../clusterrolebinding.yaml | 4 + .../clustermesh-apiserver/deployment.yaml | 112 +- .../metrics-service.yaml | 4 + .../poddisruptionbudget.yaml | 4 + .../clustermesh-apiserver/service.yaml | 9 +- .../clustermesh-apiserver/serviceaccount.yaml | 9 +- .../clustermesh-apiserver/servicemonitor.yaml | 9 +- .../tls-certmanager/admin-secret.yaml | 4 + .../tls-certmanager/client-secret.yaml | 4 + .../tls-certmanager/remote-secret.yaml | 4 + .../tls-certmanager/server-secret.yaml | 4 + .../tls-cronjob/_job-spec.tpl | 10 +- .../tls-cronjob/ca-secret.yaml | 15 - .../tls-cronjob/cronjob.yaml | 4 + .../tls-cronjob/job.yaml | 3 + .../tls-cronjob/role.yaml | 5 +- .../tls-cronjob/rolebinding.yaml | 4 + .../tls-cronjob/serviceaccount.yaml | 9 +- .../tls-helm/_helpers.tpl | 37 - .../tls-helm/admin-secret.yaml | 10 +- .../tls-helm/ca-secret.yaml | 12 - .../tls-helm/client-secret.yaml | 10 +- .../tls-helm/remote-secret.yaml | 10 +- .../tls-helm/server-secret.yaml | 10 +- .../tls-provided/admin-secret.yaml | 6 +- .../tls-provided/ca-secret.yaml | 12 - .../tls-provided/client-secret.yaml | 6 +- .../tls-provided/remote-secret.yaml | 6 +- .../tls-provided/server-secret.yaml | 6 +- .../users-configmap.yaml | 4 + .../templates/clustermesh-config/_helpers.tpl | 5 +- .../clustermesh-secret.yaml | 16 +- .../kvstoremesh-secret.yaml | 11 +- .../cilium-etcd-operator-clusterrole.yaml | 4 + ...lium-etcd-operator-clusterrolebinding.yaml | 4 + .../cilium-etcd-operator-deployment.yaml | 4 + .../cilium-etcd-operator-serviceaccount.yaml | 9 +- .../etcd-operator-clusterrole.yaml | 4 + .../etcd-operator-clusterrolebinding.yaml | 4 + 
.../etcd-operator-serviceaccount.yaml | 9 +- .../etcd-operator/poddisruptionbudget.yaml | 4 + .../templates/hubble-relay/configmap.yaml | 4 + .../templates/hubble-relay/deployment.yaml | 41 +- .../hubble-relay/metrics-service.yaml | 4 + .../hubble-relay/poddisruptionbudget.yaml | 4 + .../templates/hubble-relay/service.yaml | 4 + .../hubble-relay/serviceaccount.yaml | 9 +- .../hubble-relay/servicemonitor.yaml | 9 +- .../cilium/templates/hubble-ui/_nginx.tpl | 7 + .../templates/hubble-ui/clusterrole.yaml | 4 + .../hubble-ui/clusterrolebinding.yaml | 4 + .../cilium/templates/hubble-ui/configmap.yaml | 4 + .../templates/hubble-ui/deployment.yaml | 26 +- .../cilium/templates/hubble-ui/ingress.yaml | 9 +- .../hubble-ui/poddisruptionbudget.yaml | 4 + .../cilium/templates/hubble-ui/service.yaml | 9 +- .../templates/hubble-ui/serviceaccount.yaml | 9 +- .../hubble/dashboards-configmap.yaml | 9 +- .../templates/hubble/metrics-service.yaml | 3 + .../cilium/templates/hubble/peer-service.yaml | 4 + .../templates/hubble/servicemonitor.yaml | 12 +- .../tls-certmanager/relay-client-secret.yaml | 4 + .../tls-certmanager/relay-server-secret.yaml | 4 + .../hubble/tls-certmanager/server-secret.yaml | 4 + .../tls-certmanager/ui-client-certs.yaml | 4 + .../hubble/tls-cronjob/_job-spec.tpl | 4 + .../hubble/tls-cronjob/clusterrole.yaml | 4 + .../tls-cronjob/clusterrolebinding.yaml | 4 + .../templates/hubble/tls-cronjob/cronjob.yaml | 9 +- .../templates/hubble/tls-cronjob/job.yaml | 3 + .../hubble/tls-cronjob/serviceaccount.yaml | 9 +- .../hubble/tls-helm/relay-client-secret.yaml | 4 + .../hubble/tls-helm/relay-server-secret.yaml | 4 + .../hubble/tls-helm/server-secret.yaml | 4 + .../hubble/tls-helm/ui-client-certs.yaml | 4 + .../tls-provided/relay-client-secret.yaml | 4 + .../tls-provided/relay-server-secret.yaml | 4 + .../hubble/tls-provided/server-secret.yaml | 4 + .../hubble/tls-provided/ui-client-certs.yaml | 4 + .../templates/spire/agent/clusterrole.yaml | 4 + 
.../spire/agent/clusterrolebinding.yaml | 4 + .../templates/spire/agent/configmap.yaml | 4 + .../templates/spire/agent/daemonset.yaml | 17 +- .../templates/spire/agent/serviceaccount.yaml | 4 + .../templates/spire/bundle-configmap.yaml | 4 + .../cilium/templates/spire/namespace.yaml | 6 +- .../templates/spire/server/clusterrole.yaml | 4 + .../spire/server/clusterrolebinding.yaml | 4 + .../templates/spire/server/configmap.yaml | 4 + .../cilium/templates/spire/server/role.yaml | 4 + .../templates/spire/server/rolebinding.yaml | 8 + .../templates/spire/server/service.yaml | 9 +- .../spire/server/serviceaccount.yaml | 4 + .../templates/spire/server/statefulset.yaml | 25 +- .../charts/cilium/templates/validate.yaml | 27 + .../system/cilium/charts/cilium/values.yaml | 466 ++++++-- .../cilium/charts/cilium/values.yaml.tmpl | 432 +++++-- 144 files changed, 3921 insertions(+), 698 deletions(-) create mode 100644 packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json create mode 100644 packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json create mode 100644 packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml delete mode 100644 packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index 45287aba..038b767c 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile 
@@ -7,6 +7,6 @@ update:
 rm -rf charts
 helm repo add cilium https://helm.cilium.io/
 helm repo update cilium
- helm pull cilium/cilium --untar --untardir charts --version 1.14
+ helm pull cilium/cilium --untar --untardir charts --version 1.15
 sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
 patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
diff --git a/packages/system/cilium/charts/cilium/Chart.yaml b/packages/system/cilium/charts/cilium/Chart.yaml
index 1ce003b3..f393c004 100644
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
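Review bot: `helm pull cilium/cilium --untar --untardir charts --version 1.15` is a floating constraint, so every `make update` resolves to whatever the newest 1.15.x is at run time, while the vendored Chart.yaml in this same commit records 1.15.5; the next refresh can silently vendor a different release than the one that was reviewed. Pin the exact chart version, `helm pull cilium/cilium --untar --untardir charts --version 1.15.5`, ideally through a single variable such as `CILIUM_VERSION` declared at the top of the Makefile so the pin is visible in one place. The following `sed` and `patch` steps run against whatever was pulled, so an unpinned minor also makes `patches/fix-cgroups.patch` more likely to stop applying without anyone noticing.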
@@ -1,131 +1,88 @@ annotations: - artifacthub.io/crds: | - - kind: CiliumNetworkPolicy - version: v2 - name: ciliumnetworkpolicies.cilium.io - displayName: Cilium Network Policy - description: | - Cilium Network Policies provide additional functionality beyond what - is provided by standard Kubernetes NetworkPolicy such as the ability - to allow traffic based on FQDNs, or to filter at Layer 7. - - kind: CiliumClusterwideNetworkPolicy - version: v2 - name: ciliumclusterwidenetworkpolicies.cilium.io - displayName: Cilium Clusterwide Network Policy - description: | - Cilium Clusterwide Network Policies support configuring network traffic - policiies across the entire cluster, including applying node firewalls. - - kind: CiliumExternalWorkload - version: v2 - name: ciliumexternalworkloads.cilium.io - displayName: Cilium External Workload - description: | - Cilium External Workload supports configuring the ability for external - non-Kubernetes workloads to join the cluster. - - kind: CiliumLocalRedirectPolicy - version: v2 - name: ciliumlocalredirectpolicies.cilium.io - displayName: Cilium Local Redirect Policy - description: | - Cilium Local Redirect Policy allows local redirects to be configured - within a node to support use cases like Node-Local DNS or KIAM. - - kind: CiliumNode - version: v2 - name: ciliumnodes.cilium.io - displayName: Cilium Node - description: | - Cilium Node represents a node managed by Cilium. It contains a - specification to control various node specific configuration aspects - and a status section to represent the status of the node. - - kind: CiliumIdentity - version: v2 - name: ciliumidentities.cilium.io - displayName: Cilium Identity - description: | - Cilium Identity allows introspection into security identities that - Cilium allocates which identify sets of labels that are assigned to - individual endpoints in the cluster. 
- - kind: CiliumEndpoint - version: v2 - name: ciliumendpoints.cilium.io - displayName: Cilium Endpoint - description: | - Cilium Endpoint represents the status of individual pods or nodes in - the cluster which are managed by Cilium, including enforcement status, - IP addressing and whether the networking is succesfully operational. - - kind: CiliumEndpointSlice - version: v2alpha1 - name: ciliumendpointslices.cilium.io - displayName: Cilium Endpoint Slice - description: | - Cilium Endpoint Slice represents the status of groups of pods or nodes - in the cluster which are managed by Cilium, including enforcement status, - IP addressing and whether the networking is succesfully operational. - - kind: CiliumEgressGatewayPolicy - version: v2 - name: ciliumegressgatewaypolicies.cilium.io - displayName: Cilium Egress Gateway Policy - description: | - Cilium Egress Gateway Policy provides control over the way that traffic - leaves the cluster and which source addresses to use for that traffic. - - kind: CiliumClusterwideEnvoyConfig - version: v2 - name: ciliumclusterwideenvoyconfigs.cilium.io - displayName: Cilium Clusterwide Envoy Config - description: | - Cilium Clusterwide Envoy Config specifies Envoy resources and K8s service mappings - to be provisioned into Cilium host proxy instances in cluster context. - - kind: CiliumEnvoyConfig - version: v2 - name: ciliumenvoyconfigs.cilium.io - displayName: Cilium Envoy Config - description: | - Cilium Envoy Config specifies Envoy resources and K8s service mappings - to be provisioned into Cilium host proxy instances in namespace context. - - kind: CiliumBGPPeeringPolicy - version: v2alpha1 - name: ciliumbgppeeringpolicies.cilium.io - displayName: Cilium BGP Peering Policy - description: | - Cilium BGP Peering Policy instructs Cilium to create specific BGP peering - configurations. 
- - kind: CiliumLoadBalancerIPPool - version: v2alpha1 - name: ciliumloadbalancerippools.cilium.io - displayName: Cilium Load Balancer IP Pool - description: | - Defining a Cilium Load Balancer IP Pool instructs Cilium to assign IPs to LoadBalancer Services. - - kind: CiliumNodeConfig - version: v2alpha1 - name: ciliumnodeconfigs.cilium.io - displayName: Cilium Node Configuration - description: | - CiliumNodeConfig is a list of configuration key-value pairs. It is applied to - nodes indicated by a label selector. - - kind: CiliumCIDRGroup - version: v2alpha1 - name: ciliumcidrgroups.cilium.io - displayName: Cilium CIDR Group - description: | - CiliumCIDRGroup is a list of CIDRs that can be referenced as a single entity from CiliumNetworkPolicies. - - kind: CiliumL2AnnouncementPolicy - version: v2alpha1 - name: ciliuml2announcementpolicies.cilium.io - displayName: Cilium L2 Announcement Policy - description: | - CiliumL2AnnouncementPolicy is a policy which determines which service IPs will be announced to - the local area network, by which nodes, and via which interfaces. - - kind: CiliumPodIPPool - version: v2alpha1 - name: ciliumpodippools.cilium.io - displayName: Cilium Pod IP Pool - description: | - CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode). 
+ artifacthub.io/crds: "- kind: CiliumNetworkPolicy\n version: v2\n name: ciliumnetworkpolicies.cilium.io\n + \ displayName: Cilium Network Policy\n description: |\n Cilium Network Policies + provide additional functionality beyond what\n is provided by standard Kubernetes + NetworkPolicy such as the ability\n to allow traffic based on FQDNs, or to + filter at Layer 7.\n- kind: CiliumClusterwideNetworkPolicy\n version: v2\n name: + ciliumclusterwidenetworkpolicies.cilium.io\n displayName: Cilium Clusterwide + Network Policy\n description: |\n Cilium Clusterwide Network Policies support + configuring network traffic\n policiies across the entire cluster, including + applying node firewalls.\n- kind: CiliumExternalWorkload\n version: v2\n name: + ciliumexternalworkloads.cilium.io\n displayName: Cilium External Workload\n description: + |\n Cilium External Workload supports configuring the ability for external\n + \ non-Kubernetes workloads to join the cluster.\n- kind: CiliumLocalRedirectPolicy\n + \ version: v2\n name: ciliumlocalredirectpolicies.cilium.io\n displayName: Cilium + Local Redirect Policy\n description: |\n Cilium Local Redirect Policy allows + local redirects to be configured\n within a node to support use cases like + Node-Local DNS or KIAM.\n- kind: CiliumNode\n version: v2\n name: ciliumnodes.cilium.io\n + \ displayName: Cilium Node\n description: |\n Cilium Node represents a node + managed by Cilium. 
It contains a\n specification to control various node specific + configuration aspects\n and a status section to represent the status of the + node.\n- kind: CiliumIdentity\n version: v2\n name: ciliumidentities.cilium.io\n + \ displayName: Cilium Identity\n description: |\n Cilium Identity allows introspection + into security identities that\n Cilium allocates which identify sets of labels + that are assigned to\n individual endpoints in the cluster.\n- kind: CiliumEndpoint\n + \ version: v2\n name: ciliumendpoints.cilium.io\n displayName: Cilium Endpoint\n + \ description: |\n Cilium Endpoint represents the status of individual pods + or nodes in\n the cluster which are managed by Cilium, including enforcement + status,\n IP addressing and whether the networking is successfully operational.\n- + kind: CiliumEndpointSlice\n version: v2alpha1\n name: ciliumendpointslices.cilium.io\n + \ displayName: Cilium Endpoint Slice\n description: |\n Cilium Endpoint Slice + represents the status of groups of pods or nodes\n in the cluster which are + managed by Cilium, including enforcement status,\n IP addressing and whether + the networking is successfully operational.\n- kind: CiliumEgressGatewayPolicy\n + \ version: v2\n name: ciliumegressgatewaypolicies.cilium.io\n displayName: Cilium + Egress Gateway Policy\n description: |\n Cilium Egress Gateway Policy provides + control over the way that traffic\n leaves the cluster and which source addresses + to use for that traffic.\n- kind: CiliumClusterwideEnvoyConfig\n version: v2\n + \ name: ciliumclusterwideenvoyconfigs.cilium.io\n displayName: Cilium Clusterwide + Envoy Config\n description: |\n Cilium Clusterwide Envoy Config specifies + Envoy resources and K8s service mappings\n to be provisioned into Cilium host + proxy instances in cluster context.\n- kind: CiliumEnvoyConfig\n version: v2\n + \ name: ciliumenvoyconfigs.cilium.io\n displayName: Cilium Envoy Config\n description: + |\n Cilium Envoy Config specifies Envoy 
resources and K8s service mappings\n + \ to be provisioned into Cilium host proxy instances in namespace context.\n- + kind: CiliumBGPPeeringPolicy\n version: v2alpha1\n name: ciliumbgppeeringpolicies.cilium.io\n + \ displayName: Cilium BGP Peering Policy\n description: |\n Cilium BGP Peering + Policy instructs Cilium to create specific BGP peering\n configurations.\n- + kind: CiliumBGPClusterConfig\n version: v2alpha1\n name: ciliumbgpclusterconfigs.cilium.io\n + \ displayName: Cilium BGP Cluster Config\n description: |\n Cilium BGP Cluster + Config instructs Cilium operator to create specific BGP cluster\n configurations.\n- + kind: CiliumBGPPeerConfig\n version: v2alpha1\n name: ciliumbgppeerconfigs.cilium.io\n + \ displayName: Cilium BGP Peer Config\n description: |\n CiliumBGPPeerConfig + is a common set of BGP peer configurations. It can be referenced \n by multiple + peers from CiliumBGPClusterConfig.\n- kind: CiliumBGPAdvertisement\n version: + v2alpha1\n name: ciliumbgpadvertisements.cilium.io\n displayName: Cilium BGP + Advertisement\n description: |\n CiliumBGPAdvertisement is used to define + source of BGP advertisement as well as BGP attributes \n to be advertised with + those prefixes.\n- kind: CiliumBGPNodeConfig\n version: v2alpha1\n name: ciliumbgpnodeconfigs.cilium.io\n + \ displayName: Cilium BGP Node Config\n description: |\n CiliumBGPNodeConfig + is read only node specific BGP configuration. 
It is constructed by Cilium operator.\n + \ It will also contain node local BGP state information.\n- kind: CiliumBGPNodeConfigOverride\n + \ version: v2alpha1\n name: ciliumbgpnodeconfigoverrides.cilium.io\n displayName: + Cilium BGP Node Config Override\n description: |\n CiliumBGPNodeConfigOverride + can be used to override node specific BGP configuration.\n- kind: CiliumLoadBalancerIPPool\n + \ version: v2alpha1\n name: ciliumloadbalancerippools.cilium.io\n displayName: + Cilium Load Balancer IP Pool\n description: |\n Defining a Cilium Load Balancer + IP Pool instructs Cilium to assign IPs to LoadBalancer Services.\n- kind: CiliumNodeConfig\n + \ version: v2alpha1\n name: ciliumnodeconfigs.cilium.io\n displayName: Cilium + Node Configuration\n description: |\n CiliumNodeConfig is a list of configuration + key-value pairs. It is applied to\n nodes indicated by a label selector.\n- + kind: CiliumCIDRGroup\n version: v2alpha1\n name: ciliumcidrgroups.cilium.io\n + \ displayName: Cilium CIDR Group\n description: |\n CiliumCIDRGroup is a list + of CIDRs that can be referenced as a single entity from CiliumNetworkPolicies.\n- + kind: CiliumL2AnnouncementPolicy\n version: v2alpha1\n name: ciliuml2announcementpolicies.cilium.io\n + \ displayName: Cilium L2 Announcement Policy\n description: |\n CiliumL2AnnouncementPolicy + is a policy which determines which service IPs will be announced to\n the local + area network, by which nodes, and via which interfaces.\n- kind: CiliumPodIPPool\n + \ version: v2alpha1\n name: ciliumpodippools.cilium.io\n displayName: Cilium + Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can + be used for pooled IPAM (i.e. 
the multi-pool IPAM mode).\n"
 apiVersion: v2
-appVersion: 1.14.10
+appVersion: 1.15.5
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
 keywords:
 - BPF
 - eBPF
@@ -138,4 +95,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.10
+version: 1.15.5
diff --git a/packages/system/cilium/charts/cilium/README.md b/packages/system/cilium/charts/cilium/README.md
index 35c70b10..98e52a92 100644
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.14.10](https://img.shields.io/badge/Version-1.14.10-informational?style=flat-square) ![AppVersion: 1.14.10](https://img.shields.io/badge/AppVersion-1.14.10-informational?style=flat-square)
+![Version: 1.15.5](https://img.shields.io/badge/Version-1.15.5-informational?style=flat-square) ![AppVersion: 1.15.5](https://img.shields.io/badge/AppVersion-1.15.5-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -60,16 +60,20 @@ contributors across the globe, there is almost always someone available to help. | aksbyocni.enabled | bool | `false` | Enable AKS BYOCNI integration. Note that this is incompatible with AKS clusters not created in BYOCNI mode: use Azure integration (`azure.enabled`) instead. | | alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration | | annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. | +| annotations | object | `{}` | Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) | +| apiRateLimit | string | `nil` | The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API | | authentication.enabled | bool | `true` | Enable authentication processing and garbage collection. Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed. | | authentication.gcInterval | string | `"5m0s"` | Interval for garbage collection of auth map entries. | +| authentication.mutual.connectTimeout | string | `"5s"` | Timeout for connecting to the remote node TCP socket | | authentication.mutual.port | int | `4250` | Port on the agent where mutual authentication handshakes between agents will be performed | | authentication.mutual.spire.adminSocketPath | string | `"/run/spire/sockets/admin.sock"` | SPIRE socket path where the SPIRE delegated api agent is listening | | authentication.mutual.spire.agentSocketPath | string | `"/run/spire/sockets/agent/agent.sock"` | SPIRE socket path where the SPIRE workload agent is listening. 
Applies to both the Cilium Agent and Operator | +| authentication.mutual.spire.annotations | object | `{}` | Annotations to be added to all top-level spire objects (resources under templates/spire) | | authentication.mutual.spire.connectionTimeout | string | `"30s"` | SPIRE connection timeout | | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | -| authentication.mutual.spire.install.agent.image | string | `"ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823"` | SPIRE agent image | +| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | 
@@ -78,6 +82,8 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. | | authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | +| authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. | +| authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | | authentication.mutual.spire.install.server.annotations | object | `{}` | SPIRE server annotations | 
@@ -87,10 +93,12 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage | -| authentication.mutual.spire.install.server.image | string | `"ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f"` | SPIRE server image | +| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers | | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels | | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | +| authentication.mutual.spire.install.server.podSecurityContext | object | `{}` | Security context to be added to spire server pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | +| authentication.mutual.spire.install.server.securityContext | object | `{}` | Security context to be added to spire server containers. SecurityContext holds pod-level security attributes and common container settings. 
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | | authentication.mutual.spire.install.server.service.annotations | object | `{}` | Annotations to be added to the SPIRE server service | | authentication.mutual.spire.install.server.service.labels | object | `{}` | Labels to be added to the SPIRE server service | | authentication.mutual.spire.install.server.service.type | string | `"ClusterIP"` | Service type for the SPIRE server service | 
@@ -109,8 +117,11 @@ contributors across the globe, there is almost always someone available to help.
 | bgp.announce.loadbalancerIP | bool | `false` | Enable allocation and announcement of service LoadBalancer IPs |
 | bgp.announce.podCIDR | bool | `false` | Enable announcement of node pod CIDR |
 | bgp.enabled | bool | `false` | Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside cilium-agent and cilium-operator |
-| bgpControlPlane | object | `{"enabled":false}` | This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs. |
+| bgpControlPlane | object | `{"enabled":false,"secretsNamespace":{"create":false,"name":"kube-system"}}` | This feature set enables virtual BGP routers to be created via CiliumBGPPeeringPolicy CRDs. |
 | bgpControlPlane.enabled | bool | `false` | Enables the BGP control plane. |
+| bgpControlPlane.secretsNamespace | object | `{"create":false,"name":"kube-system"}` | SecretsNamespace is the namespace which BGP support will retrieve secrets from. |
+| bgpControlPlane.secretsNamespace.create | bool | `false` | Create secrets namespace for BGP secrets. |
+| bgpControlPlane.secretsNamespace.name | string | `"kube-system"` | The name of the secret namespace to which Cilium agents are given read access |
 | bpf.authMapMax | int | `524288` | Configure the maximum number of entries in auth map. |
 | bpf.autoMount.enabled | bool | `true` | Enable automatic mount of BPF filesystem When `autoMount` is enabled, the BPF filesystem is mounted at `bpf.root` path on the underlying host and inside the cilium agent pod. If users disable `autoMount`, it's expected that users have mounted bpffs filesystem at the specified `bpf.root` volume, and then the volume will be mounted inside the cilium agent pod at the same path. |
 | bpf.ctAnyMax | int | `262144` | Configure the maximum number of entries for the non-TCP connection tracking table. |
@@ -125,13 +136,15 @@ contributors across the globe, there is almost always someone available to help.
 | bpf.monitorInterval | string | `"5s"` | Configure the typical time between monitor notifications for active connections. |
 | bpf.natMax | int | `524288` | Configure the maximum number of entries for the NAT table. |
 | bpf.neighMax | int | `524288` | Configure the maximum number of entries for the neighbor table. |
-| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). |
+| bpf.nodeMapMax | int | `nil` | Configures the maximum number of entries for the node table. |
+| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). @schema type: [null, integer] @schema |
 | bpf.preallocateMaps | bool | `false` | Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency. |
 | bpf.root | string | `"/sys/fs/bpf"` | Configure the mount point for the BPF filesystem |
 | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. |
 | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. |
 | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. |
-| certgen | object | `{"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.11","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. |
+| certgen.affinity | object | `{}` | Affinity for certgen |
 | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob |
 | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. |
 | certgen.extraVolumes | list | `[]` | Additional certgen volumes. |
@@ -146,25 +159,29 @@ contributors across the globe, there is almost always someone available to help.
 | cleanState | bool | `false` | Clean all local Cilium state from the initContainer of the cilium-agent DaemonSet. Implies cleanBpfState: true. WARNING: Use with care! |
 | cluster.id | int | `0` | Unique ID of the cluster. Must be unique across all connected clusters and in the range of 1 to 255. Only required for Cluster Mesh, may be 0 if Cluster Mesh is not used. |
 | cluster.name | string | `"default"` | Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. |
+| clustermesh.annotations | object | `{}` | Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) |
 | clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
-| clustermesh.apiserver.etcd.image | object | `{"digest":"sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4","useDigest":true}` | Clustermesh API server etcd image. |
+| clustermesh.apiserver.etcd.init.extraArgs | list | `[]` | Additional arguments to `clustermesh-apiserver etcdinit`. |
+| clustermesh.apiserver.etcd.init.extraEnv | list | `[]` | Additional environment variables to `clustermesh-apiserver etcdinit`. |
 | clustermesh.apiserver.etcd.init.resources | object | `{}` | Specifies the resources for etcd init container in the apiserver |
+| clustermesh.apiserver.etcd.lifecycle | object | `{}` | lifecycle setting for the etcd container |
 | clustermesh.apiserver.etcd.resources | object | `{}` | Specifies the resources for etcd container in the apiserver |
 | clustermesh.apiserver.etcd.securityContext | object | `{}` | Security context to be added to clustermesh-apiserver etcd containers |
 | clustermesh.apiserver.extraArgs | list | `[]` | Additional clustermesh-apiserver arguments. |
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.10","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.5","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.10","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.lifecycle | object | `{}` | lifecycle setting for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
+| clustermesh.apiserver.lifecycle | object | `{}` | lifecycle setting for the apiserver container |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
-| clustermesh.apiserver.metrics.etcd.enabled | bool | `false` | Enables exporting etcd metrics in OpenMetrics format. |
+| clustermesh.apiserver.metrics.etcd.enabled | bool | `true` | Enables exporting etcd metrics in OpenMetrics format. |
 | clustermesh.apiserver.metrics.etcd.mode | string | `"basic"` | Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. |
 | clustermesh.apiserver.metrics.etcd.port | int | `9963` | Configure the port the etcd metric server listens on. |
 | clustermesh.apiserver.metrics.kvstoremesh.enabled | bool | `true` | Enables exporting KVStoreMesh metrics in OpenMetrics format. |
@@ -198,15 +215,13 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.service.internalTrafficPolicy | string | `nil` | The internalTrafficPolicy of service used for apiserver access. |
 | clustermesh.apiserver.service.nodePort | int | `32379` | Optional port to use as the node port for apiserver access. WARNING: make sure to configure a different NodePort in each cluster if kube-proxy replacement is enabled, as Cilium is currently affected by a known bug (#24692) when NodePorts are handled by the KPR implementation. If a service with the same NodePort exists both in the local and the remote cluster, all traffic originating from inside the cluster and targeting the corresponding NodePort will be redirected to a local backend, regardless of whether the destination node belongs to the local or the remote cluster. |
 | clustermesh.apiserver.service.type | string | `"NodePort"` | The type of service used for apiserver access. |
+| clustermesh.apiserver.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for the clustermesh-apiserver deployment |
 | clustermesh.apiserver.tls.admin | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.authMode | string | `"legacy"` | Configure the clustermesh authentication mode. Supported values: - legacy: All clusters access remote clustermesh instances with the same username (i.e., remote). The "remote" certificate must be generated with CN=remote if provided manually. - migration: Intermediate mode required to upgrade from legacy to cluster (and vice versa) with no disruption. Specifically, it enables the creation of the per-cluster usernames, while still using the common one for authentication. The "remote" certificate must be generated with CN=remote if provided manually (same as legacy). - cluster: Each cluster accesses remote etcd instances with a username depending on the local cluster name (i.e., remote-). The "remote" certificate must be generated with CN=remote- if provided manually. Cluster mode is meaningful only when the same CA is shared across all clusters part of the mesh. |
 | clustermesh.apiserver.tls.auto | object | `{"certManagerIssuerRef":{},"certValidityDuration":1095,"enabled":true,"method":"helm"}` | Configure automatic TLS certificates generation. A Kubernetes CronJob is used the generate any certificates not provided by the user at installation time. |
 | clustermesh.apiserver.tls.auto.certManagerIssuerRef | object | `{}` | certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. |
 | clustermesh.apiserver.tls.auto.certValidityDuration | int | `1095` | Generated certificates validity duration in days. |
 | clustermesh.apiserver.tls.auto.enabled | bool | `true` | When set to true, automatically generate a CA and certificates to enable mTLS between clustermesh-apiserver and external workload instances. If set to false, the certs to be provided by setting appropriate values below. |
-| clustermesh.apiserver.tls.ca | object | `{"cert":"","key":""}` | Deprecated in favor of tls.ca. To be removed in 1.15. base64 encoded PEM values for the ExternalWorkload CA certificate and private key. |
-| clustermesh.apiserver.tls.ca.cert | string | `""` | Deprecated in favor of tls.ca.cert. To be removed in 1.15. Optional CA cert. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. |
-| clustermesh.apiserver.tls.ca.key | string | `""` | Deprecated in favor of tls.ca.key. To be removed in 1.15. Optional CA private key. If it is provided, it will be used by the 'cronJob' method to generate all other certificates. Otherwise, an ephemeral CA is generated. |
 | clustermesh.apiserver.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver client certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.remote | object | `{"cert":"","key":""}` | base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key. Used if 'auto' is not enabled. |
 | clustermesh.apiserver.tls.server | object | `{"cert":"","extraDnsNames":[],"extraIpAddresses":[],"key":""}` | base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. Used if 'auto' is not enabled. |
@@ -219,6 +234,7 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.config.clusters | list | `[]` | List of clusters to be peered in the mesh. |
 | clustermesh.config.domain | string | `"mesh.cilium.io"` | Default dns domain for the Clustermesh API servers This is used in the case cluster addresses are not provided and IPs are used. |
 | clustermesh.config.enabled | bool | `false` | Enable the Clustermesh explicit configuration. |
+| clustermesh.maxConnectedClusters | int | `255` | The maximum number of clusters to support in a ClusterMesh. This value cannot be changed on running clusters, and all clusters in a ClusterMesh must be configured with the same value. Values > 255 will decrease the maximum allocatable cluster-local identities. Supported values are 255 and 511. |
 | clustermesh.useAPIServer | bool | `false` | Deploy clustermesh-apiserver for clustermesh |
 | cni.binPath | string | `"/opt/cni/bin"` | Configure the path to the CNI binary directory on the host. |
 | cni.chainingMode | string | `nil` | Configure chaining on top of other CNI plugins. Possible values: - none - aws-cni - flannel - generic-veth - portmap |
@@ -231,6 +247,7 @@ contributors across the globe, there is almost always someone available to help.
 | cni.hostConfDirMountPath | string | `"/host/etc/cni/net.d"` | Configure the path to where the CNI configuration directory is mounted inside the agent pod. |
 | cni.install | bool | `true` | Install the CNI configuration and binary files into the filesystem. |
 | cni.logFile | string | `"/var/run/cilium/cilium-cni.log"` | Configure the log file for CNI logging with retention policy of 7 days. Disable CNI file logging by setting this field to empty explicitly. |
+| cni.resources | object | `{"requests":{"cpu":"100m","memory":"10Mi"}}` | Specifies the resources for the cni initContainer |
 | cni.uninstall | bool | `false` | Remove the CNI configuration and binary files on agent shutdown. Enable this if you're removing Cilium from the cluster. Disable this to prevent the CNI configuration file from being removed during agent upgrade, which can cause nodes to go unmanageable. |
 | conntrackGCInterval | string | `"0s"` | Configure how frequently garbage collection should occur for the datapath connection tracking table. |
 | conntrackGCMaxInterval | string | `""` | Configure the maximum frequency for the garbage collection of the connection tracking table. Only affects the automatic computation for the frequency and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently clean up unused identities created from ToFQDN policies. |
@@ -245,7 +262,7 @@ contributors across the globe, there is almost always someone available to help.
 | daemon.runPath | string | `"/var/run/cilium"` | Configure where Cilium runtime state should be stored. |
 | dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-agent grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards |
 | debug.enabled | bool | `false` | Enable debug logging |
-| debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Applicable values: - flow - kvstore - envoy - datapath - policy |
+| debug.verbose | string | `nil` | Configure verbosity levels for debug logging This option is used to enable debug messages for operations related to such sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is for enabling debug messages emitted per request, message and connection. Multiple values can be set via a space-separated string (e.g. "datapath envoy"). Applicable values: - flow - kvstore - envoy - datapath - policy |
 | disableEndpointCRD | bool | `false` | Disable the usage of CiliumEndpoint CRD. |
 | dnsPolicy | string | `""` | DNS policy for Cilium agent pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | dnsProxy.dnsRejectResponseCode | string | `"refused"` | DNS response code for rejecting DNS requests, available options are '[nameError refused]'. |
@@ -257,18 +274,17 @@ contributors across the globe, there is almost always someone available to help.
 | dnsProxy.preCache | string | `""` | DNS cache data at this path is preloaded on agent startup. |
 | dnsProxy.proxyPort | int | `0` | Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port. |
 | dnsProxy.proxyResponseMaxDelay | string | `"100ms"` | The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. |
-| egressGateway | object | `{"enabled":false,"installRoutes":false,"reconciliationTriggerInterval":"1s"}` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
-| egressGateway.installRoutes | bool | `false` | Install egress gateway IP rules and routes in order to properly steer egress gateway traffic to the correct ENI interface |
+| egressGateway.enabled | bool | `false` | Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
+| egressGateway.installRoutes | bool | `false` | Deprecated without a replacement necessary. |
 | egressGateway.reconciliationTriggerInterval | string | `"1s"` | Time between triggers of egress gateway state reconciliations |
 | enableCiliumEndpointSlice | bool | `false` | Enable CiliumEndpointSlice feature. |
-| enableCnpStatusUpdates | bool | `false` | Whether to enable CNP status updates. |
 | enableCriticalPriorityClass | bool | `true` | Explicitly enable or disable priority class. .Capabilities.KubeVersion is unsettable in `helm template` calls, it depends on k8s libraries version that Helm was compiled against. This option allows to explicitly disable setting the priority class, which is useful for rendering charts for gke clusters in advance. |
 | enableIPv4BIGTCP | bool | `false` | Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods |
 | enableIPv4Masquerade | bool | `true` | Enables masquerading of IPv4 traffic leaving the node from endpoints. |
 | enableIPv6BIGTCP | bool | `false` | Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods |
 | enableIPv6Masquerade | bool | `true` | Enables masquerading of IPv6 traffic leaving the node from endpoints. |
-| enableK8sEventHandover | bool | `false` | Configures the use of the KVStore to optimize Kubernetes event handling by mirroring it into the KVstore for reduced overhead in large clusters. |
 | enableK8sTerminatingEndpoint | bool | `true` | Configure whether to enable auto detect of terminating state for endpoints in order to support graceful termination. |
+| enableMasqueradeRouteSource | bool | `false` | Enables masquerading to the source of the route for traffic leaving the node from endpoints. |
 | enableRuntimeDeviceDetection | bool | `false` | Enables experimental support for the detection of new and removed datapath devices. When devices change the eBPF datapath is reloaded and services updated. If "devices" is set then only those devices, or devices matching a wildcard will be considered. |
 | enableXTSocketFallback | bool | `true` | Enables the fallback compatibility solution for when the xt_socket kernel module is missing and it is needed for the datapath L7 redirection to work properly. See documentation for details on when this can be disabled: https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel. |
 | encryption.enabled | bool | `false` | Enable transparent network encryption. |
@@ -283,7 +299,12 @@ contributors across the globe, there is almost always someone available to help.
 | encryption.mountPath | string | `"/etc/ipsec"` | Deprecated in favor of encryption.ipsec.mountPath. To be removed in 1.15. Path to mount the secret inside the Cilium pod. This option is only effective when encryption.type is set to ipsec. |
 | encryption.nodeEncryption | bool | `false` | Enable encryption for pure node to node traffic. This option is only effective when encryption.type is set to "wireguard". |
 | encryption.secretName | string | `"cilium-ipsec-keys"` | Deprecated in favor of encryption.ipsec.secretName. To be removed in 1.15. Name of the Kubernetes secret containing the encryption keys. This option is only effective when encryption.type is set to ipsec. |
+| encryption.strictMode | object | `{"allowRemoteNodeIdentities":false,"cidr":"","enabled":false}` | Configure the WireGuard Pod2Pod strict mode. |
+| encryption.strictMode.allowRemoteNodeIdentities | bool | `false` | Allow dynamic lookup of remote node identities. This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. |
+| encryption.strictMode.cidr | string | `""` | CIDR for the WireGuard Pod2Pod strict mode. |
+| encryption.strictMode.enabled | bool | `false` | Enable WireGuard Pod2Pod strict mode. |
 | encryption.type | string | `"ipsec"` | Encryption method. Can be either ipsec or wireguard. |
+| encryption.wireguard.persistentKeepalive | string | `"0s"` | Controls Wireguard PersistentKeepalive option. Set 0s to disable. |
 | encryption.wireguard.userspaceFallback | bool | `false` | Enables the fallback to the user-space implementation. |
 | endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. |
 | endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. |
@@ -301,6 +322,7 @@ contributors across the globe, there is almost always someone available to help.
 | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
 | envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
+| envoy.annotations | object | `{}` | Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) |
 | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
 | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
@@ -312,7 +334,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -322,7 +344,8 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-envoy. |
 | envoy.podAnnotations | object | `{}` | Annotations to be added to envoy pods |
 | envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
-| envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. |
+| envoy.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-envoy pods. |
+| envoy.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers |
 | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
 | envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. |
 | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
@@ -345,10 +368,13 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-envoy DaemonSet. |
 | envoy.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for envoy scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | envoy.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | cilium-envoy update strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset |
+| envoy.xffNumTrustedHopsL7PolicyEgress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. |
+| envoy.xffNumTrustedHopsL7PolicyIngress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. |
 | envoyConfig.enabled | bool | `false` | Enable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options. |
 | envoyConfig.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. |
 | envoyConfig.secretsNamespace.create | bool | `true` | Create secrets namespace for CiliumEnvoyConfig CRDs. |
 | envoyConfig.secretsNamespace.name | string | `"cilium-secrets"` | The name of the secret namespace to which Cilium agents are given read access. |
+| etcd.annotations | object | `{}` | Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) |
 | etcd.clusterDomain | string | `"cluster.local"` | Cluster domain for cilium-etcd-operator. |
 | etcd.enabled | bool | `false` | Enable etcd mode for the agent. |
 | etcd.endpoints | list | `["https://CHANGE-ME:2379"]` | List of etcd endpoints (not needed when using managed=true). |
@@ -394,24 +420,41 @@ contributors across the globe, there is almost always someone available to help. | hostFirewall | object | `{"enabled":false}` | Configure the host firewall. | | hostFirewall.enabled | bool | `false` | Enables the enforcement of host policies in the eBPF datapath. | | hostPort.enabled | bool | `false` | Enable hostPort service support. | +| hubble.annotations | object | `{}` | Annotations to be added to all top-level hubble objects (resources under templates/hubble) | | hubble.enabled | bool | `true` | Enable Hubble (true by default). | +| hubble.export | object | `{"dynamic":{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false},"fileMaxBackups":5,"fileMaxSizeMb":10,"static":{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}}` | Hubble flows export. | +| hubble.export.dynamic | object | `{"config":{"configMapName":"cilium-flowlog-config","content":[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}],"createConfigMap":true},"enabled":false}` | - Dynamic exporters configuration. Dynamic exporters may be reconfigured without a need of agent restarts. | +| hubble.export.dynamic.config.configMapName | string | `"cilium-flowlog-config"` | -- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. | +| hubble.export.dynamic.config.content | list | `[{"excludeFilters":[],"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log","includeFilters":[],"name":"all"}]` | -- Exporters configuration in YAML format. | +| hubble.export.dynamic.config.createConfigMap | bool | `true` | -- True if helm installer should create config map. Switch to false if you want to self maintain the file content. 
| +| hubble.export.fileMaxBackups | int | `5` | - Defines max number of backup/rotated files. | +| hubble.export.fileMaxSizeMb | int | `10` | - Defines max file size of output file before it gets rotated. | +| hubble.export.static | object | `{"allowList":[],"denyList":[],"enabled":false,"fieldMask":[],"filePath":"/var/run/cilium/hubble/events.log"}` | - Static exporter configuration. Static exporter is bound to agent lifecycle. | | hubble.listenAddress | string | `":4244"` | An additional address for Hubble to listen to. Set this field ":4244" if you are enabling Hubble Relay, as it assumes that Hubble is listening on port 4244. | -| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. | +| hubble.metrics | object | `{"dashboards":{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null},"enableOpenMetrics":false,"enabled":null,"port":9965,"serviceAnnotations":{},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Hubble metrics configuration. See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics for more comprehensive documentation about Hubble metrics. 
| | hubble.metrics.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for hubble grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards | | hubble.metrics.enableOpenMetrics | bool | `false` | Enables exporting hubble metrics in OpenMetrics format. | -| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" | +| hubble.metrics.enabled | string | `nil` | Configures the list of metrics to collect. If empty or null, metrics are disabled. Example: enabled: - dns:query;ignoreAAAA - drop - tcp - flow - icmp - http You can specify the list of metrics from the helm CLI: --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" | | hubble.metrics.port | int | `9965` | Configure the port the hubble metric server listens on. | | hubble.metrics.serviceAnnotations | object | `{}` | Annotations to be added to hubble-metrics service. | | hubble.metrics.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor hubble | | hubble.metrics.serviceMonitor.enabled | bool | `false` | Create ServiceMonitor resources for Prometheus Operator. This requires the prometheus CRDs to be available. ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | | hubble.metrics.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. 
| +| hubble.metrics.serviceMonitor.jobLabel | string | `""` | jobLabel to add for ServiceMonitor hubble | | hubble.metrics.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor hubble | | hubble.metrics.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor hubble | | hubble.metrics.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor hubble | | hubble.peerService.clusterDomain | string | `"cluster.local"` | The cluster domain to use to query the Hubble Peer service. It should be the local cluster. | | hubble.peerService.targetPort | int | `4244` | Target Port for the Peer service, must match the hubble.listenAddress' port. | | hubble.preferIpv6 | bool | `false` | Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available. | +| hubble.redact | object | `{"enabled":false,"http":{"headers":{"allow":[],"deny":[]},"urlQuery":false,"userInfo":true},"kafka":{"apiKey":false}}` | Enables redacting sensitive information present in Layer 7 flows. | +| hubble.redact.http.headers.allow | list | `[]` | List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. Example: redact: enabled: true http: headers: allow: - traceparent - tracestate - Cache-Control You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" | +| hubble.redact.http.headers.deny | list | `[]` | List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. 
Example: redact: enabled: true http: headers: deny: - Authorization - Proxy-Authorization You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" | +| hubble.redact.http.urlQuery | bool | `false` | Enables redacting URL query (GET) parameters. Example: redact: enabled: true http: urlQuery: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.urlQuery="true" | +| hubble.redact.http.userInfo | bool | `true` | Enables redacting user info, e.g., password when basic auth is used. Example: redact: enabled: true http: userInfo: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.http.userInfo="true" | +| hubble.redact.kafka.apiKey | bool | `false` | Enables redacting Kafka's API key. Example: redact: enabled: true kafka: apiKey: true You can specify the options from the helm CLI: --set hubble.redact.enabled="true" --set hubble.redact.kafka.apiKey="true" | | hubble.relay.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for hubble-replay | +| hubble.relay.annotations | object | `{}` | Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) | | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) | | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | 
@@ -419,7 +462,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.10","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.5","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -451,9 +494,9 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.sortBufferDrainTimeout | string | `nil` | When the per-request flows sort buffer is not full, a flow is drained every time this timeout is reached (only affects requests in follow-mode) (e.g. "1s"). | | hubble.relay.sortBufferLenMax | string | `nil` | Max number of flows that can be buffered for sorting before being sent to the client (per request) (e.g. 100). | | hubble.relay.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for hubble relay Deployment. | -| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false}}` | TLS configuration for Hubble Relay | +| hubble.relay.tls | object | `{"client":{"cert":"","key":""},"server":{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}}` | TLS configuration for Hubble Relay | | hubble.relay.tls.client | object | `{"cert":"","key":""}` | base64 encoded PEM values for the hubble-relay client certificate and private key This keypair is presented to Hubble server instances for mTLS authentication and is required when hubble.tls.enabled is true. These values need to be set manually if hubble.tls.auto.enabled is false. 
| -| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false}` | base64 encoded PEM values for the hubble-relay server certificate and private key | +| hubble.relay.tls.server | object | `{"cert":"","enabled":false,"extraDnsNames":[],"extraIpAddresses":[],"key":"","mtls":false,"relayName":"ui.hubble-relay.cilium.io"}` | base64 encoded PEM values for the hubble-relay server certificate and private key | | hubble.relay.tls.server.extraDnsNames | list | `[]` | extra DNS names added to certificate when its auto gen | | hubble.relay.tls.server.extraIpAddresses | list | `[]` | extra IP addresses added to certificate when its auto gen | | hubble.relay.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | 
@@ -473,10 +516,13 @@ contributors across the globe, there is almost always someone available to help. | hubble.tls.server.extraDnsNames | list | `[]` | Extra DNS names added to certificate when it's auto generated | | hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated | | hubble.ui.affinity | object | `{}` | Affinity for hubble-ui | +| hubble.ui.annotations | object | `{}` | Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) | | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | | hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | +| hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | | hubble.ui.backend.securityContext | object | `{}` | Hubble-ui backend security context. | | hubble.ui.baseUrl | string | `"/"` | Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing `/` is required for custom path, ex. `/service-map/` | 
@@ -511,14 +557,15 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":true}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | | ingressController.defaultSecretNamespace | string | `nil` | Default secret namespace for ingresses without .spec.tls[].secretName set. | +| ingressController.enableProxyProtocol | bool | `false` | Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. | | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. | | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. 
Incoming traffic to http listener will return 308 http error code with respective location in header. | -| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate from Ingress to the Load Balancer service | +| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service | | ingressController.loadbalancerMode | string | `"dedicated"` | Default ingress load balancer mode Supported values: shared, dedicated For granular control, use the following annotations on the ingress resource ingress.cilium.io/loadbalancer-mode: shared|dedicated, | | ingressController.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. | | ingressController.secretsNamespace.create | bool | `true` | Create secrets namespace for Ingress. | 
@@ -551,9 +598,9 @@ contributors across the globe, there is almost always someone available to help. | ipv6.enabled | bool | `false` | Enable IPv6 support. | | ipv6NativeRoutingCIDR | string | `""` | Allows to explicitly specify the IPv6 CIDR for native routing. When specified, Cilium assumes networking for this CIDR is preconfigured and hands traffic destined for that range to the Linux network stack without applying any SNAT. Generally speaking, specifying a native routing CIDR implies that Cilium can depend on the underlying networking stack to route packets to their destination. To offer a concrete example, if Cilium is configured to use direct routing and the Kubernetes CIDR is included in the native routing CIDR, the user must configure the routes to reach pods, either manually or by setting the auto-direct-node-routes flag. | | k8s | object | `{}` | Configure Kubernetes specific configuration | -| k8sClientRateLimit | object | `{"burst":10,"qps":5}` | Configure the client side rate limit for the agent and operator If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. | -| k8sClientRateLimit.burst | int | `10` | The burst request rate in requests per second. The rate limiter will allow short bursts with a higher rate. | -| k8sClientRateLimit.qps | int | `5` | The sustained request rate in requests per second. | +| k8sClientRateLimit | object | `{"burst":null,"qps":null}` | Configure the client side rate limit for the agent and operator If the amount of requests to the Kubernetes API server exceeds the configured rate limit, the agent and operator will start to throttle requests by delaying them until there is budget or the request times out. | +| k8sClientRateLimit.burst | int | 10 for k8s up to 1.26. 20 for k8s version 1.27+ | The burst request rate in requests per second. 
The rate limiter will allow short bursts with a higher rate. | +| k8sClientRateLimit.qps | int | 5 for k8s up to 1.26. 10 for k8s version 1.27+ | The sustained request rate in requests per second. | | k8sNetworkPolicy.enabled | bool | `true` | Enable support for K8s NetworkPolicy | | k8sServiceHost | string | `""` | Kubernetes service host | | k8sServicePort | string | `""` | Kubernetes service port | 
@@ -571,7 +618,8 @@ contributors across the globe, there is almost always someone available to help. | l7Proxy | bool | `true` | Enable Layer 7 network policy. | | livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | -| loadBalancer | object | `{"l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing | +| loadBalancer | object | `{"acceleration":"disabled","l7":{"algorithm":"round_robin","backend":"disabled","ports":[]}}` | Configure service load balancing | +| loadBalancer.acceleration | string | `"disabled"` | acceleration is the option to accelerate service handling via XDP Applicable values can be: disabled (do not use XDP), native (XDP BPF program is run directly out of the networking driver's early receive path), or best-effort (use native mode XDP acceleration on devices that support it). | | loadBalancer.l7 | object | `{"algorithm":"round_robin","backend":"disabled","ports":[]}` | L7 LoadBalancer | | loadBalancer.l7.algorithm | string | `"round_robin"` | Default LB algorithm The default LB algorithm to be used for services, which can be overridden by the service annotation (e.g. service.cilium.io/lb-l7-algorithm) Applicable values: round_robin, least_request, random | | loadBalancer.l7.backend | string | `"disabled"` | Enable L7 service load balancing via envoy proxy. The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7, will be forwarded to the local backend proxy to be load balanced to the service endpoints. Please refer to docs for supported annotations for more configuration. Applicable values: - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well. - disabled: Disable L7 load balancing by way of service annotation. | 
@@ -584,22 +632,26 @@ contributors across the globe, there is almost always someone available to help. | name | string | `"cilium"` | Agent container name. | | nat46x64Gateway | object | `{"enabled":false}` | Configure standalone NAT46/NAT64 gateway | | nat46x64Gateway.enabled | bool | `false` | Enable RFC8215-prefixed translation | -| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enabled":false}` | Configure N-S k8s service loadbalancing | +| nodePort | object | `{"autoProtectPortRange":true,"bindProtection":true,"enableHealthCheck":true,"enableHealthCheckLoadBalancerIP":false,"enabled":false}` | Configure N-S k8s service loadbalancing | | nodePort.autoProtectPortRange | bool | `true` | Append NodePort range to ip_local_reserved_ports if clash with ephemeral ports is detected. | | nodePort.bindProtection | bool | `true` | Set to true to prevent applications binding to service ports. | | nodePort.enableHealthCheck | bool | `true` | Enable healthcheck nodePort server for NodePort services | +| nodePort.enableHealthCheckLoadBalancerIP | bool | `false` | Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs EnableHealthCheck to be enabled | | nodePort.enabled | bool | `false` | Enable the Cilium NodePort service implementation. | | nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-agent. | | nodeinit.affinity | object | `{}` | Affinity for cilium-nodeinit | +| nodeinit.annotations | object | `{}` | Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) | | nodeinit.bootstrapFile | string | `"/tmp/cilium-bootstrap.d/cilium-bootstrap-time"` | bootstrapFile is the location of the file where the bootstrap timestamp is written by the node-init DaemonSet | | nodeinit.enabled | bool | `false` | Enable the node initialization DaemonSet | | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. 
| | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. | | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. | -| nodeinit.image | object | `{"digest":"sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f","useDigest":true}` | node-init image. | +| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. | | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. | | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. | +| nodeinit.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-node-init pods. | +| nodeinit.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-node-init` and init containers | | nodeinit.prestop | object | `{"postScript":"","preScript":""}` | prestop offers way to customize prestop nodeinit script (pre and post position) | | nodeinit.priorityClassName | string | `""` | The priority class to use for the nodeinit pod. | | nodeinit.resources | object | `{"requests":{"cpu":"100m","memory":"100Mi"}}` | nodeinit resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | 
@@ -608,6 +660,7 @@ contributors across the globe, there is almost always someone available to help. | nodeinit.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for nodeinit scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | nodeinit.updateStrategy | object | `{"type":"RollingUpdate"}` | node-init update strategy | | operator.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-operator | +| operator.annotations | object | `{}` | Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) | | operator.dashboards | object | `{"annotations":{},"enabled":false,"label":"grafana_dashboard","labelValue":"1","namespace":null}` | Grafana dashboards for cilium-operator grafana can import dashboards based on the label and value ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards | | operator.dnsPolicy | string | `""` | DNS policy for Cilium operator pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | | operator.enabled | bool | `true` | Enable the cilium-operator component (required). | 
@@ -619,7 +672,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14","awsDigest":"sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6","azureDigest":"sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4","genericDigest":"sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.10","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3","awsDigest":"sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9","azureDigest":"sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522","genericDigest":"sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.5","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -632,10 +685,11 @@ contributors across the globe, there is almost always someone available to help. | operator.pprof.enabled | bool | `false` | Enable pprof for cilium-operator | | operator.pprof.port | int | `6061` | Configure pprof listen port for cilium-operator | | operator.priorityClassName | string | `""` | The priority class to use for cilium-operator | -| operator.prometheus | object | `{"enabled":false,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":null}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics | +| operator.prometheus | object | `{"enabled":true,"port":9963,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":null}}` | Enable prometheus metrics for cilium-operator on the configured port at /metrics | | operator.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-operator | | operator.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | | operator.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. | +| operator.prometheus.serviceMonitor.jobLabel | string | `""` | jobLabel to add for ServiceMonitor cilium-operator | | operator.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-operator | | operator.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-operator | | operator.prometheus.serviceMonitor.relabelings | string | `nil` | Relabeling configs for the ServiceMonitor cilium-operator | 
@@ -656,17 +710,20 @@ contributors across the globe, there is almost always someone available to help. | pmtuDiscovery.enabled | bool | `false` | Enable path MTU discovery to send ICMP fragmentation-needed replies to the client. | | podAnnotations | object | `{}` | Annotations to be added to agent pods | | podLabels | object | `{}` | Labels to be added to agent pods | -| podSecurityContext | object | `{}` | Security Context for cilium-agent pods. | +| podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-agent pods. | +| podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers | +| policyCIDRMatchMode | string | `nil` | policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. The possible value is "nodes". | | policyEnforcementMode | string | `"default"` | The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes | | pprof.address | string | `"localhost"` | Configure pprof listen address for cilium-agent | | pprof.enabled | bool | `false` | Enable pprof for cilium-agent | | pprof.port | int | `6060` | Configure pprof listen port for cilium-agent | | preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight | +| preflight.annotations | object | `{}` | Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) | | preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) | | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. 
| | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.10","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -683,11 +740,13 @@ contributors across the globe, there is almost always someone available to help. | preflight.updateStrategy | object | `{"type":"RollingUpdate"}` | preflight update strategy | | preflight.validateCNPs | bool | `true` | By default we should always validate the installed CNPs before upgrading Cilium. This will make sure the user will have the policies deployed in the cluster with the right schema. | | priorityClassName | string | `""` | The priority class to use for cilium-agent. | -| prometheus | object | `{"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"trustCRDsExist":false}}` | Configure prometheus metrics on the configured port at /metrics | +| prometheus | object | `{"controllerGroupMetrics":["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"],"enabled":false,"metrics":null,"port":9962,"serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","jobLabel":"","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}],"trustCRDsExist":false}}` | Configure prometheus metrics on the configured port at /metrics | +| prometheus.controllerGroupMetrics | list | `["write-cni-file","sync-host-ips","sync-lb-maps-with-k8s-services"]` | - Enable controller group metrics for monitoring specific Cilium subsystems. The list is a list of controller group names. The special values of "all" and "none" are supported. The set of controller group names is not guaranteed to be stable between Cilium versions. | | prometheus.metrics | string | `nil` | Metrics that should be enabled or disabled from the default metric list. The list is expected to be separated by a space. (+metric_foo to enable metric_foo , -metric_bar to disable metric_bar). 
ref: https://docs.cilium.io/en/stable/observability/metrics/ | | prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-agent | | prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | | prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. | +| prometheus.serviceMonitor.jobLabel | string | `""` | jobLabel to add for ServiceMonitor cilium-agent | | prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-agent | | prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-agent | | prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-agent | 
@@ -699,7 +758,7 @@ contributors across the globe, there is almost always someone available to help. | rbac.create | bool | `true` | Enable creation of Resource-Based Access Control configuration. | | readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe | | readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe | -| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity | +| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity Deprecated without replacement in 1.15. To be removed in 1.16. | | resourceQuotas | object | `{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}` | Enable resource quotas for priority classes used in the cluster. | | resources | object | `{}` | Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | rollOutCiliumPods | bool | `false` | Roll out cilium agent pods automatically when configmap is updated. | 
@@ -716,6 +775,7 @@ contributors across the globe, there is almost always someone available to help. | serviceAccounts.clustermeshcertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"clustermesh-apiserver-generate-certs"}` | Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob | | serviceAccounts.hubblecertgen | object | `{"annotations":{},"automount":true,"create":true,"name":"hubble-generate-certs"}` | Hubblecertgen is used if hubble.tls.auto.method=cronJob | | serviceAccounts.nodeinit.enabled | bool | `false` | Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented. Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by this issue. Name and automount can be configured, if enabled is set to true. Otherwise, they are ignored. Enabled can be removed once the issue is fixed. Cilium-nodeinit DS must also be fixed. | +| serviceNoBackendResponse | string | `"reject"` | Configure what the response should be to traffic for a service without backends. "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". Possible values: - reject (default) - drop | | sleepAfterInit | bool | `false` | Do not run Cilium agent when running with clean mode. Useful to completely uninstall Cilium as it will stop Cilium from starting and create artifacts in the node. | | socketLB | object | `{"enabled":false}` | Configure socket LB | | socketLB.enabled | bool | `false` | Enable socket LB | 
@@ -736,7 +796,6 @@ contributors across the globe, there is almost always someone available to help. | tls.caBundle.useSecret | bool | `false` | Use a Secret instead of a ConfigMap. | | tls.secretsBackend | string | `"local"` | This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies (namely the secrets referenced by terminatingTLS and originatingTLS). Possible values: - local - k8s | | tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for agent scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | -| tunnel | string | `"vxlan"` | Configure the encapsulation configuration for communication between nodes. Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. Possible values: - disabled - vxlan - geneve | | tunnelPort | int | Port 8472 for VXLAN, Port 6081 for Geneve | Configure VXLAN and Geneve tunnel port. | | tunnelProtocol | string | `"vxlan"` | Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. Possible values: - "" - vxlan - geneve | | updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | Cilium agent update strategy | diff --git a/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json b/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json index 997608ee..94af2eac 100644 --- a/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json +++ b/packages/system/cilium/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json @@ -27,7 +27,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -131,7 +134,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -271,7 +277,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -394,7 +403,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -511,7 +523,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -636,7 +651,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "description": "BPF memory usage in the entire system including components not managed by Cilium.", "fieldConfig": { "defaults": { @@ -759,7 +777,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "description": "Fill percentage of BPF maps, tagged by map name", "fieldConfig": { "defaults": { @@ -870,7 +891,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -971,7 +995,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -1072,7 +1099,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1173,7 +1203,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1274,7 +1307,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1375,7 +1411,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1511,7 +1550,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1612,7 +1654,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": 2, "fieldConfig": { "defaults": { @@ -1715,7 +1760,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1816,7 +1864,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -1915,7 +1966,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -2016,7 +2070,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2117,7 +2174,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2239,7 +2299,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": 2, "fieldConfig": { "defaults": { @@ -2342,7 +2405,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": 2, "fieldConfig": { "defaults": { @@ -2445,7 +2511,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2546,7 +2615,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2647,7 +2719,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2767,7 +2842,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -2864,7 +2942,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -2984,7 +3065,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3150,7 +3234,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3316,7 +3403,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3482,7 +3572,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3633,7 +3726,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": null, "fieldConfig": { "defaults": { @@ -3740,7 +3836,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3837,7 +3936,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -3934,7 +4036,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -4047,7 +4152,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4147,7 +4255,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4270,7 +4381,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4370,7 +4484,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4518,7 +4635,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4638,7 +4758,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4740,7 +4863,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4864,7 +4990,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -4966,7 +5095,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -5102,7 +5234,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5218,7 +5353,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5327,7 +5465,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5455,7 +5596,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5591,7 +5735,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5676,7 +5823,7 @@ "refId": "C" }, { - "expr": "sum(cilium_policy_change_total{k8s_app=\"cilium\", pod=~\"$pod\"}, outcome=\"fail\") by (pod)", + "expr": "sum(cilium_policy_change_total{k8s_app=\"cilium\", pod=~\"$pod\", outcome=\"fail\"}) by (pod)", "format": "time_series", "intervalFactor": 1, "legendFormat": "policy change errors", @@ -5733,7 +5880,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -5841,7 +5991,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -5983,7 +6136,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": null, "fieldConfig": { "defaults": { @@ -6083,7 +6239,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "decimals": null, "fieldConfig": { "defaults": { @@ -6188,7 +6347,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6298,7 +6460,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6421,7 +6586,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6542,7 +6710,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6674,7 +6845,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6775,7 +6949,10 @@ "bars": false, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -6876,7 +7053,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -6977,7 +7157,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7078,7 +7261,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7178,7 +7364,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7277,7 +7466,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7376,7 +7568,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7475,7 +7670,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7578,7 +7776,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7681,7 +7882,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} 
@@ -7784,7 +7988,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7883,7 +8090,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -7982,7 +8192,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -8081,7 +8294,10 @@ "bars": true, "dashLength": 10, "dashes": false, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "fieldConfig": { "defaults": { "custom": {} @@ -8182,6 +8398,21 @@ "tags": [], "templating": { "list": [ + { + "current": {}, + "hide": 0, + "includeAll": false, + "label": "Prometheus", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, { "allValue": "cilium.*", "current": { @@ -8189,7 +8420,10 @@ "text": "All", "value": "$__all" }, - "datasource": "prometheus", + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, "definition": "label_values(cilium_version, pod)", "hide": 0, "includeAll": true, diff --git a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json index ea8984db..87939f69 100644 --- a/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json +++ b/packages/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json 
@@ -301,6 +301,14 @@ "resourceApiVersion": "V3" } }, + "bootstrapExtensions": [ + { + "name": "envoy.bootstrap.internal_listener", + "typed_config": { + "@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener" + } + } + ], "layeredRuntime": { "layers": [ { diff --git a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json index 12de657d..8de5ec1d 100644 --- a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json +++ b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dashboard.json @@ -3226,7 +3226,7 @@ ] }, "timezone": "", - "title": "Hubble", + "title": "Hubble Metrics and Monitoring", "uid": "5HftnJAWz", "version": 24 } diff --git a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json new file mode 100644 index 00000000..d286fdb3 --- /dev/null +++ b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-dns-namespace.json 
@@ -0,0 +1,602 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "panel", + "id": "bargauge", + "name": "Bar gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.4.7" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 16612, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "cilium-overview" + ], + "targetBlank": false, + "title": "Cilium Overviews", + "tooltip": "", + "type": "dashboards", + "url": "" + }, + { + "asDropdown": true, + "icon": "external link", + "includeVars": false, + "keepTime": true, + "tags": [ + "hubble" + ], + "targetBlank": false, + "title": "Hubble", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 2, + "panels": [], + "title": "DNS", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + 
"axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 37, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_dns_queries_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source) > 0", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "DNS queries", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 41, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": 
{ + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(10, sum(rate(hubble_dns_queries_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])*60) by (query))", + "legendFormat": "{{query}}", + "range": true, + "refId": "A" + } + ], + "title": "Top 10 DNS queries", + "type": "bargauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 39, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "round(sum(rate(hubble_dns_queries_total{cluster=~\"$cluster\", 
source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source) - sum(label_replace(sum(rate(hubble_dns_responses_total{cluster=~\"$cluster\", source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\"}[$__rate_interval])) by (destination), \"source\", \"$1\", \"destination\", \"(.*)\")) without (destination), 0.001) > 0", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Missing DNS responses", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 43, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_dns_responses_total{cluster=~\"$cluster\", 
source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\", rcode!=\"No Error\"}[$__rate_interval])) by (destination, rcode) > 0", + "legendFormat": "{{destination}}: {{rcode}}", + "range": true, + "refId": "A" + } + ], + "title": "DNS errors", + "type": "timeseries" + } + ], + "refresh": "", + "revision": 1, + "schemaVersion": 38, + "style": "dark", + "tags": [ + "kubecon-demo" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": "Data Source", + "multi": false, + "name": "prometheus_datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "(?!grafanacloud-usage|grafanacloud-ml-metrics).+", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(cilium_version, cluster)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "cluster", + "options": [], + "query": { + "query": "label_values(cilium_version, cluster)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(source_namespace)", + "hide": 0, + "includeAll": true, + "label": "Source Namespace", + "multi": true, + "name": "source_namespace", + "options": [], + "query": { + "query": "label_values(source_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(destination_namespace)", + "hide": 0, + "includeAll": true, + "label": "Destination 
Namespace", + "multi": true, + "name": "destination_namespace", + "options": [], + "query": { + "query": "label_values(destination_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Hubble / DNS Overview (Namespace)", + "uid": "_f0DUpY4k", + "version": 26, + "weekStart": "" + } + \ No newline at end of file diff --git a/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json new file mode 100644 index 00000000..d0cf9d3b --- /dev/null +++ b/packages/system/cilium/charts/cilium/files/hubble/dashboards/hubble-network-overview-namespace.json 
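Review bot: Every panel and query variable in this new dashboard resolves its datasource through `${DS_PROMETHEUS}`, but the only datasource-type variable in `templating.list` is named `prometheus_datasource`, so when the file is provisioned from the chart's ConfigMap rather than imported through the UI (where `__inputs` substitution happens) the reference appears to stay unresolved. The cilium dashboard hunk earlier on this page handles this by adding a templating variable with `"name": "DS_PROMETHEUS"`; the same rename here, `"name": "DS_PROMETHEUS"` in place of `"name": "prometheus_datasource"`, would make the two dashboards consistent. The same mismatch is present in the hubble-network-overview-namespace.json hunk that follows. The `regex` on that variable, `(?!grafanacloud-usage|grafanacloud-ml-metrics).+`, and the `kubecon-demo` tag look like leftovers from the environment the dashboard was exported from and are probably not wanted in a generic chart.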
@@ -0,0 +1,1001 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "panel", + "id": "bargauge", + "name": "Bar gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.4.7" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 16612, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "cilium-overview" + ], + "targetBlank": false, + "title": "Cilium Overviews", + "tooltip": "", + "type": "dashboards", + "url": "" + }, + { + "asDropdown": true, + "icon": "external link", + "includeVars": false, + "keepTime": true, + "tags": [ + "hubble" + ], + "targetBlank": false, + "title": "Hubble", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 8, + "panels": [], + "title": "Flows processed", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + 
"axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (type, subtype)", + "legendFormat": "{{type}}/{{subtype}}", + "range": true, + "refId": "A" + } + ], + "title": "Flows processed by type", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": 
"linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "ops" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 35, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (verdict)", + "legendFormat": "{{verdict}}", + "range": true, + "refId": "A" + } + ], + "title": "Flows processed by verdict", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 36, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(10, sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", 
source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source))", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Top 10 sources", + "type": "bargauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 37, + "options": { + "displayMode": "gradient", + "minVizHeight": 10, + "minVizWidth": 0, + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true + }, + "pluginVersion": "9.4.7", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "topk(10, sum(rate(hubble_flows_processed_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (destination))", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Top 10 destinations", + "type": "bargauge" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 10, + "panels": [], + "title": "Connection drops", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false 
+ }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 20 + }, + "id": 23, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_tcp_flags_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\", flag=\"SYN\"}[$__rate_interval])) by (source) - sum(label_replace(sum(rate(hubble_tcp_flags_total{cluster=~\"$cluster\", source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\", flag=\"SYN-ACK\"}[$__rate_interval])) by (destination), \"source\", \"$1\", \"destination\", \"(.*)\")) without (destination) > 0", + "hide": false, + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Missing TCP SYN-ACKs", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + 
"lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 20 + }, + "id": 34, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_icmp_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\", type=\"EchoRequest\"}[$__rate_interval])) by (source) - sum(label_replace(sum(rate(hubble_icmp_total{cluster=~\"$cluster\", source_namespace=~\"$destination_namespace\", destination_namespace=~\"$source_namespace\", type=\"EchoReply\"}[$__rate_interval])) by (destination), \"source\", \"$1\", \"destination\", \"(.*)\")) without (destination) > 0", + "legendFormat": "{{source}}", + "range": true, + "refId": "A" + } + ], + "title": "Missing ICMP Echo Replys", + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 29 + }, + "id": 6, + "panels": [], + "title": "Network Policy drops", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, 
+ "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 29, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_drop_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (source, reason) > 0", + "legendFormat": "{{source}}: {{reason}}", + "range": true, + "refId": "A" + } + ], + "title": "Network Policy drops by source", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, 
+ "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "pps" + }, + "overrides": [ + { + "__systemRef": "hideSeriesFrom", + "matcher": { + "id": "byNames", + "options": { + "mode": "exclude", + "names": [ + "kube-dns-7d44cdb5d5-g85vg: UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE" + ], + "prefix": "All except:", + "readOnly": true + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": false, + "tooltip": false, + "viz": true + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "mean", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(hubble_drop_total{cluster=~\"$cluster\", source_namespace=~\"$source_namespace\", destination_namespace=~\"$destination_namespace\"}[$__rate_interval])) by (destination, reason) > 0", + "legendFormat": "{{destination}}: {{reason}}", + "range": true, + "refId": "A" + } + ], + "title": "Network Policy drops by destination", + "type": "timeseries" + } + ], + "refresh": "", + "revision": 1, + "schemaVersion": 38, + "style": "dark", + "tags": [ + "kubecon-demo" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": "Data Source", + "multi": false, + "name": "prometheus_datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "(?!grafanacloud-usage|grafanacloud-ml-metrics).+", + "skipUrlSync": false, + 
"type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(cilium_version, cluster)", + "hide": 0, + "includeAll": true, + "multi": true, + "name": "cluster", + "options": [], + "query": { + "query": "label_values(cilium_version, cluster)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(source_namespace)", + "hide": 0, + "includeAll": true, + "label": "Source Namespace", + "multi": true, + "name": "source_namespace", + "options": [], + "query": { + "query": "label_values(source_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(destination_namespace)", + "hide": 0, + "includeAll": true, + "label": "Destination Namespace", + "multi": true, + "name": "destination_namespace", + "options": [], + "query": { + "query": "label_values(destination_namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Hubble / Network Overview (Namespace)", + "uid": "nlsO8tYVz", + "version": 18, + "weekStart": "" + } + \ No newline at end of file 
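Review bot: The "Top 10 destinations" bar gauge (panel `"id": 37`) aggregates `by (destination)` but its legend uses `"legendFormat": "{{source}}"`, so every bar is labelled with a label the series does not carry; it should read `"legendFormat": "{{destination}}"`. The "Network Policy drops by destination" panel (`"id": 30`) carries a `hideSeriesFrom` override that excludes the hard-coded series name `kube-dns-7d44cdb5d5-g85vg: UNSUPPORTED_PROTOCOL_FOR_NAT_MASQUERADE`, a pod name from whatever cluster the dashboard was exported from that will never match elsewhere; that `overrides` entry should be dropped back to `"overrides": []`. The panel title `Missing ICMP Echo Replys` should be `Missing ICMP Echo Replies`.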
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml index 89e604a7..9ccf2192 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrole.yaml @@ -6,6 +6,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: @@ -82,6 +86,9 @@ rules: resources: - ciliumloadbalancerippools - ciliumbgppeeringpolicies + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs - ciliumclusterwideenvoyconfigs - ciliumclusterwidenetworkpolicies - ciliumegressgatewaypolicies @@ -137,6 +144,7 @@ rules: - ciliumendpoints/status - ciliumendpoints - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status verbs: - patch {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml index ecc32441..34b0a58b 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml index 291f4a34..144025e0 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml 
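Review bot: The rule that gains `ciliumbgpnodeconfigs`, `ciliumbgpadvertisements` and `ciliumbgppeerconfigs` in the `@@ -82` hunk has its `verbs` outside the hunk, so the effective grant to the agent's ClusterRole cannot be checked here; the `@@ -137` hunk shows the agent gets `patch` on `ciliumbgpnodeconfigs/status`, which is correctly scoped to the status subresource. Confirm in the full file that the `@@ -82` rule is the read-only (`list`/`watch`) rule and not one carrying `create`/`update`/`delete`, since these CRDs steer BGP peering and route advertisement for the whole cluster. The annotations block added in the first hunk renders `.Values.annotations` via `toYaml . | nindent 4`, which is the correct indent-aware form; the same fragment recurs in the clusterrolebinding and daemonset hunks below.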
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -16,6 +16,10 @@ kind: DaemonSet metadata: name: cilium namespace: {{ .Release.Namespace }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium app.kubernetes.io/part-of: cilium @@ -49,6 +53,7 @@ spec: cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }} {{- end }} {{- if not .Values.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. @@ -59,6 +64,7 @@ spec: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined" {{- end }} {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -77,6 +83,11 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.podSecurityContext "appArmorProfile" }} + {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -128,6 +139,7 @@ spec: failureThreshold: {{ .Values.startupProbe.failureThreshold }} periodSeconds: {{ .Values.startupProbe.periodSeconds }} successThreshold: 1 + initialDelaySeconds: 5 {{- end }} livenessProbe: {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} 
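Review bot: `{{- $_ := unset .Values.podSecurityContext "appArmorProfile" }}` in the `@@ -77` hunk mutates `.Values` in place, so any template rendered after this one in the same release sees the key gone as well, and if a user supplies a custom `appArmorProfile` on a cluster below 1.30 it appears to be dropped silently while the annotation path in the `@@ -49`/`@@ -59` hunks hard-codes `"unconfined"` — the two code paths are not equivalent. A `required`/`fail` check, or at least a comment stating that only the unconfined case is carried over to the beta annotation, would make the downgrade explicit. The version expression `printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor` is now duplicated in the `@@ -49` and `@@ -77` hunks; binding it once near the top of the template, e.g. `{{- $k8sMinorVersion := printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor }}`, would keep the two guards from drifting. In the `@@ -128` hunk `initialDelaySeconds: 5` is hard-coded while the neighbouring probe fields come from `.Values.startupProbe`.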
@@ -196,6 +208,11 @@ spec:
               fieldPath: metadata.namespace
         - name: CILIUM_CLUSTERMESH_CONFIG
           value: /var/lib/cilium/clustermesh/
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+              divisor: '1'
         {{- if .Values.k8sServiceHost }}
         - name: KUBERNETES_SERVICE_HOST
           value: {{ .Values.k8sServiceHost | quote }}
@@ -371,6 +388,11 @@ spec:
           mountPropagation: {{ .mountPropagation }}
           {{- end }}
         {{- end }}
+        {{- if .Values.hubble.export.dynamic.enabled }}
+        - name: hubble-flowlog-config
+          mountPath: /flowlog-config
+          readOnly: true
+        {{- end }}
         {{- with .Values.extraVolumeMounts }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -387,7 +409,7 @@ spec:
           for i in {1..5}; do \
             [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\
           done; \
-          cilium monitor
+          cilium-dbg monitor
           {{- range $type := .Values.monitor.eventTypes -}}
           {{ " " }}--type={{ $type }}
           {{- end }}
@@ -411,7 +433,7 @@ spec:
         image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
-        - cilium
+        - cilium-dbg
         - build-config
         {{- if (not (kindIs "invalid" .Values.daemon.configSources)) }}
         - "--source={{.Values.daemon.configSources}}"
@@ -422,6 +444,9 @@ spec:
         {{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }}
         - "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}"
         {{- end }}
+        {{- if .Values.kubeConfigPath }}
+        - "--k8s-kubeconfig-path={{ .Values.kubeConfigPath }}"
+        {{- end }}
         env:
         - name: K8S_NODE_NAME
           valueFrom:
@@ -447,6 +472,11 @@ spec:
         volumeMounts:
         - name: tmp
           mountPath: /tmp
+        {{- if .Values.kubeConfigPath }}
+        - name: kube-config
+          mountPath: {{ .Values.kubeConfigPath }}
+          readOnly: true
+        {{- end }}
         {{- with .Values.extraVolumeMounts }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -612,6 +642,12 @@ spec:
               name: cilium-config
               key: clean-cilium-bpf-state
               optional: true
+        - name: WRITE_CNI_CONF_WHEN_READY
+          valueFrom:
+            configMapKeyRef:
+              name: cilium-config
+              key: write-cni-conf-when-ready
+              optional: true
         {{- if .Values.k8sServiceHost }}
         - name: KUBERNETES_SERVICE_HOST
           value: {{ .Values.k8sServiceHost | quote }}
@@ -659,7 +695,7 @@ spec:
         resources:
           {{- toYaml . | trim | nindent 10 }}
         {{- end }}
-        {{- if and .Values.waitForKubeProxy (ne $kubeProxyReplacement "strict") }}
+        {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }}
       - name: wait-for-kube-proxy
         image: {{ include "cilium.image" .Values.image | quote }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -703,10 +739,10 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
         - "/install-plugin.sh"
+        {{- with .Values.cni.resources }}
         resources:
-          requests:
-            cpu: 100m
-            memory: 10Mi
+          {{- toYaml . | trim | nindent 10 }}
+        {{- end }}
         securityContext:
         {{- if .Values.securityContext.privileged }}
           privileged: true
@@ -750,7 +786,7 @@ spec:
       tolerations:
         {{- toYaml . | trim | nindent 8 }}
       {{- end }}
-      {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled (not .Values.clustermesh.apiserver.kvstoremesh.enabled) }}
+      {{- if and .Values.clustermesh.config.enabled (not (and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled )) }}
       hostAliases:
       {{- range $cluster := .Values.clustermesh.config.clusters }}
       {{- range $ip := $cluster.ips }}
@@ -944,6 +980,12 @@ spec:
             path: client-ca.crt
           {{- end }}
         {{- end }}
+      {{- if .Values.hubble.export.dynamic.enabled }}
+      - name: hubble-flowlog-config
+        configMap:
+          name: {{ .Values.hubble.export.dynamic.config.configMapName }}
+          optional: true
+      {{- end }}
       {{- range .Values.extraHostPathMounts }}
       - name: {{ .name }}
         hostPath:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml
index 7f1ff7c5..6f19135d 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/dashboards-configmap.yaml
@@ -15,9 +15,14 @@ metadata:
     {{- if $.Values.dashboards.label }}
     {{ $.Values.dashboards.label }}: {{ ternary $.Values.dashboards.labelValue "1" (not (empty $.Values.dashboards.labelValue)) | quote }}
     {{- end }}
-  {{- with $.Values.dashboards.annotations }}
+  {{- if or $.Values.dashboards.annotations $.Values.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- with $.Values.dashboards.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with $.Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- end }}
 data:
   {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
index abbf37d8..e4ad86d1 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/role.yaml
@@ -5,6 +5,10 @@ kind: Role
 metadata:
   name: cilium-config-agent
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 rules:
@@ -26,6 +30,10 @@ kind: Role
 metadata:
   name: cilium-ingress-secrets
   namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 rules:
@@ -46,6 +54,10 @@ kind: Role
 metadata:
   name: cilium-gateway-secrets
   namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 rules:
@@ -66,6 +78,30 @@ kind: Role
 metadata:
   name: cilium-envoy-config-secrets
   namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- end}}
+
+{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.bgpControlPlane.enabled .Values.bgpControlPlane.secretsNamespace.name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-bgp-control-plane-secrets
+  namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
   labels:
     app.kubernetes.io/part-of: cilium
 rules:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
index ec8c5d80..cfa8697b 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/rolebinding.yaml
@@ -5,6 +5,10 @@ kind: RoleBinding
 metadata:
   name: cilium-config-agent
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 roleRef:
@@ -24,6 +28,10 @@ kind: RoleBinding
 metadata:
   name: cilium-secrets
   namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 roleRef:
@@ -43,6 +51,10 @@ kind: RoleBinding
 metadata:
   name: cilium-gateway-secrets
   namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 roleRef:
@@ -62,6 +74,10 @@ kind: RoleBinding
 metadata:
   name: cilium-envoy-config-secrets
   namespace: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     app.kubernetes.io/part-of: cilium
 roleRef:
@@ -73,3 +89,22 @@ subjects:
   name: {{ .Values.serviceAccounts.cilium.name | quote }}
   namespace: {{ .Release.Namespace }}
 {{- end}}
+
+{{- if and .Values.agent (not .Values.preflight.enabled) .Values.serviceAccounts.cilium.create .Values.bgpControlPlane.enabled .Values.bgpControlPlane.secretsNamespace.name}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-bgp-control-plane-secrets
+  namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-bgp-control-plane-secrets
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccounts.cilium.name | quote }}
+  namespace: {{ .Release.Namespace }}
+{{- end}}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
index e0a55803..f6ec4951 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/service.yaml
@@ -5,6 +5,10 @@ kind: Service
 metadata:
   name: cilium-agent
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     k8s-app: cilium
     app.kubernetes.io/name: cilium-agent
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml
index 605506f1..2c2cf399 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/serviceaccount.yaml
@@ -4,8 +4,13 @@ kind: ServiceAccount
 metadata:
   name: {{ .Values.serviceAccounts.cilium.name | quote }}
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.serviceAccounts.cilium.annotations }}
+  {{- if or .Values.serviceAccounts.cilium.annotations .Values.annotations }}
   annotations:
-    {{- toYaml .Values.serviceAccounts.cilium.annotations | nindent 4 }}
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccounts.cilium.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
index 3beeacad..c2ffa66c 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
@@ -10,10 +10,15 @@ metadata:
     {{- with .Values.prometheus.serviceMonitor.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- if or .Values.prometheus.serviceMonitor.annotations .Values.annotations }}
   annotations:
-    {{- with .Values.prometheus.serviceMonitor.annotations }}
-    {{- toYaml . | nindent 4 }}
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.prometheus.serviceMonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
 spec:
   selector:
     matchLabels:
@@ -50,4 +55,7 @@ spec:
   {{- end }}
   targetLabels:
   - k8s-app
+{{- if .Values.prometheus.serviceMonitor.jobLabel }}
+  jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
+{{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml
index 5a74f787..f2225b93 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-ca-secret.yaml
@@ -1,5 +1,5 @@
 {{- if or
-  (and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") (not .Values.clustermesh.apiserver.tls.ca.cert))
+  (and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm"))
   (and (or .Values.agent .Values.hubble.relay.enabled .Values.hubble.ui.enabled) .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "helm"))
   (and .Values.tls.ca.key .Values.tls.ca.cert)
 -}}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
index ca3d945c..9531ca18 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
@@ -1,6 +1,5 @@
 {{- if and (.Values.agent) (not .Values.preflight.enabled) }}
 {{- /* Default values with backwards compatibility */ -}}
-{{- $defaultEnableCnpStatusUpdates := "true" -}}
 {{- $defaultBpfMapDynamicSizeRatio := 0.0 -}}
 {{- $defaultBpfMasquerade := "false" -}}
 {{- $defaultBpfClockProbe := "false" -}}
@@ -13,11 +12,12 @@
 {{- $fragmentTracking := "true" -}}
 {{- $defaultKubeProxyReplacement := "false" -}}
 {{- $azureUsePrimaryAddress := "true" -}}
+{{- $defaultK8sClientQPS := 5 -}}
+{{- $defaultK8sClientBurst := 10 -}}
 {{- $defaultDNSProxyEnableTransparentMode := "false" -}}
 
 {{- /* Default values when 1.8 was initially deployed */ -}}
 {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
-  {{- $defaultEnableCnpStatusUpdates = "false" -}}
   {{- $defaultBpfMapDynamicSizeRatio = 0.0025 -}}
   {{- $defaultBpfMasquerade = "true" -}}
   {{- $defaultBpfClockProbe = "true" -}}
@@ -78,6 +78,11 @@
 {{- else if (not (kindIs "invalid" .Values.cni.chainingTarget)) -}}
   {{- $cniChainingMode = "generic-veth" -}}
 {{- end -}}
+
+{{- if semverCompare ">=1.27-0" .Capabilities.KubeVersion.Version -}}
+  {{- $defaultK8sClientQPS = 10 -}}
+  {{- $defaultK8sClientBurst = 20 -}}
+{{- end -}}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -191,6 +196,11 @@ data:
   enable-policy: "{{ lower .Values.policyEnforcementMode }}"
 {{- end }}
 
+{{- if hasKey .Values "policyCIDRMatchMode" }}
+  policy-cidr-match-mode: {{ join " " .Values.policyCIDRMatchMode | quote }}
+{{- end}}
+
+
 {{- if .Values.prometheus.enabled }}
   # If you want metrics enabled in all of your Cilium agents, set the port for
   # which the Cilium agents will have their metrics exposed.
@@ -207,6 +217,13 @@ data:
   {{ . }}
   {{- end }}
 {{- end }}
+  {{- if .Values.prometheus.controllerGroupMetrics }}
+  # A space-separated list of controller groups for which to enable metrics.
+  # The special values of "all" and "none" are supported.
+  controller-group-metrics: {{- range .Values.prometheus.controllerGroupMetrics }}
+  {{ . }}
+  {{- end }}
+  {{- end }}
 {{- end }}
 
 {{- if not .Values.envoy.enabled }}
@@ -240,6 +257,7 @@ data:
 {{- if .Values.ingressController.enabled }}
   enable-ingress-controller: "true"
   enforce-ingress-https: {{ .Values.ingressController.enforceHttps | quote }}
+  enable-ingress-proxy-protocol: {{ .Values.ingressController.enableProxyProtocol | quote }}
   enable-ingress-secrets-sync: {{ .Values.ingressController.secretsNamespace.sync | quote }}
   ingress-secrets-namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
   ingress-lb-annotation-prefixes: {{ .Values.ingressController.ingressLBAnnotationPrefixes | join " " | quote }}
@@ -348,6 +366,11 @@ data:
   enable-host-legacy-routing: "true"
 {{- end }}
 
+{{- if .Values.bpf.nodeMapMax }}
+  # node-map-max specifies the maximum number of entries for the node map.
+  bpf-node-map-max: {{ .Values.bpf.nodeMapMax | quote }}
+{{- end }}
+
 {{- if .Values.bpf.authMapMax }}
   # bpf-auth-map-max specifies the maximum number of entries in the auth map
   bpf-auth-map-max: {{ .Values.bpf.authMapMax | quote }}
@@ -437,7 +460,6 @@ data:
   {{- end }}
   routing-mode: "native"
   enable-endpoint-routes: "true"
-  enable-local-node-route: "false"
 {{- else if .Values.aksbyocni.enabled }}
   {{- if ne (.Values.routingMode | default "tunnel") "tunnel" }}
     {{- fail (printf "RoutingMode must be set to tunnel when aksbyocni.enabled=true" )}}
@@ -447,19 +469,9 @@ data:
   {{- else if .Values.routingMode }}
   routing-mode: {{ .Values.routingMode | quote }}
   {{- else }}
-  {{- if eq .Values.tunnel "disabled" }}
-  routing-mode: "native"
-  {{- else if eq .Values.tunnel "vxlan" }}
-  routing-mode: "tunnel"
-  tunnel-protocol: "vxlan"
-  {{- else if eq .Values.tunnel "geneve" }}
-  routing-mode: "tunnel"
-  tunnel-protocol: "geneve"
-  {{- else }}
   # Default case
   routing-mode: "tunnel"
   tunnel-protocol: "vxlan"
-  {{- end }}
 {{- end }}
 
 {{- if .Values.tunnelProtocol }}
@@ -470,6 +482,10 @@ data:
   tunnel-port: {{ .Values.tunnelPort | quote }}
 {{- end }}
 
+{{- if .Values.serviceNoBackendResponse }}
+  service-no-backend-response: "{{ .Values.serviceNoBackendResponse }}"
+{{- end}}
+
 {{- if .Values.MTU }}
   mtu: {{ .Values.MTU | quote }}
 {{- end }}
@@ -508,7 +524,6 @@ data:
 {{- if .Values.azure.enabled }}
   enable-endpoint-routes: "true"
   auto-create-cilium-node-resource: "true"
-  enable-local-node-route: "false"
   {{- if .Values.azure.userAssignedIdentityID }}
   azure-user-assigned-identity-id: {{ .Values.azure.userAssignedIdentityID | quote }}
   {{- end }}
@@ -559,6 +574,7 @@ data:
   {{- else if eq $defaultBpfMasquerade "true" }}
   enable-bpf-masquerade: {{ $defaultBpfMasquerade | quote }}
   {{- end }}
+  enable-masquerade-to-route-source: {{ .Values.enableMasqueradeRouteSource | quote }}
   {{- if hasKey .Values "egressMasqueradeInterfaces" }}
   egress-masquerade-interfaces: {{ .Values.egressMasqueradeInterfaces }}
   {{- end }}
@@ -591,8 +607,8 @@ data:
   {{- if .Values.encryption.wireguard.userspaceFallback }}
   enable-wireguard-userspace-fallback: {{ .Values.encryption.wireguard.userspaceFallback | quote }}
   {{- end }}
-  {{- if .Values.encryption.wireguard.encapsulate }}
-  wireguard-encapsulate: {{ .Values.encryption.wireguard.encapsulate | quote }}
+  {{- if .Values.encryption.wireguard.persistentKeepalive }}
+  wireguard-persistent-keepalive: {{ .Values.encryption.wireguard.persistentKeepalive | quote }}
   {{- end }}
   {{- end }}
   {{- if .Values.encryption.nodeEncryption }}
@@ -600,6 +616,14 @@ data:
   {{- end }}
 {{- end }}
 
+{{- if .Values.encryption.strictMode.enabled }}
+  enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }}
+
+  encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }}
+
+  encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }}
+{{- end }}
+
   enable-xt-socket-fallback: {{ .Values.enableXTSocketFallback | quote }}
 {{- if or (.Values.azure.enabled) (.Values.eni.enabled) (.Values.gke.enabled) (ne $cniChainingMode "none") }}
   install-no-conntrack-iptables-rules: "false"
@@ -701,6 +725,11 @@ data:
   {{- end }}
   {{- if hasKey .Values.nodePort "enableHealthCheck" }}
   enable-health-check-nodeport: {{ .Values.nodePort.enableHealthCheck | quote}}
+{{- end }}
+{{- if .Values.gke.enabled }}
+  enable-health-check-loadbalancer-ip: "true"
+{{- else if hasKey .Values.nodePort "enableHealthCheckLoadBalancerIP" }}
+  enable-health-check-loadbalancer-ip: {{ .Values.nodePort.enableHealthCheckLoadBalancerIP | quote}}
   {{- end }}
   node-port-bind-protection: {{ .Values.nodePort.bindProtection | quote }}
   enable-auto-protect-node-port-range: {{ .Values.nodePort.autoProtectPortRange | quote }}
@@ -836,7 +865,7 @@ data:
 
 {{- if .Values.hubble.enabled }}
   # Enable Hubble gRPC service.
-  enable-hubble: {{ .Values.hubble.enabled | quote }}
+  enable-hubble: {{ .Values.hubble.enabled | quote }}
   # UNIX domain socket for Hubble server to listen to.
   hubble-socket-path: {{ .Values.hubble.socketPath | quote }}
   {{- if hasKey .Values.hubble "eventQueueSize" }}
@@ -860,6 +889,49 @@ data:
   {{- end }}
   enable-hubble-open-metrics: {{ .Values.hubble.metrics.enableOpenMetrics | quote }}
 {{- end }}
+{{- if .Values.hubble.redact }}
+{{- if eq .Values.hubble.redact.enabled true }}
+  # Enables hubble redact capabilities
+  hubble-redact-enabled: "true"
+{{- if .Values.hubble.redact.http }}
+  # Enables redaction of the http URL query part in flows
+  hubble-redact-http-urlquery: {{ .Values.hubble.redact.http.urlQuery | quote }}
+  # Enables redaction of the http user info in flows
+  hubble-redact-http-userinfo: {{ .Values.hubble.redact.http.userInfo | quote }}
+{{- if .Values.hubble.redact.http.headers }}
+{{- if .Values.hubble.redact.http.headers.allow }}
+  # Redact all http headers that do not match this list
+  hubble-redact-http-headers-allow: {{- range .Values.hubble.redact.http.headers.allow }}
+  {{ . }}
+{{- end }}
+{{- end }}
+{{- if .Values.hubble.redact.http.headers.deny }}
+  # Redact all http headers that match this list
+  hubble-redact-http-headers-deny: {{- range .Values.hubble.redact.http.headers.deny }}
+  {{ . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.hubble.redact.kafka }}
+  # Enables redaction of the Kafka API key part in flows
+  hubble-redact-kafka-apikey: {{ .Values.hubble.redact.kafka.apiKey | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if .Values.hubble.export }}
+  hubble-export-file-max-size-mb: {{ .Values.hubble.export.fileMaxSizeMb | quote }}
+  hubble-export-file-max-backups: {{ .Values.hubble.export.fileMaxBackups | quote }}
+{{- if .Values.hubble.export.static.enabled }}
+  hubble-export-file-path: {{ .Values.hubble.export.static.filePath | quote }}
+  hubble-export-fieldmask: {{ .Values.hubble.export.static.fieldMask | join " " | quote }}
+  hubble-export-allowlist: {{ .Values.hubble.export.static.allowList | join "," | quote }}
+  hubble-export-denylist: {{ .Values.hubble.export.static.denyList | join "," | quote }}
+{{- end }}
+{{- if .Values.hubble.export.dynamic.enabled }}
+  hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml
+{{- end }}
+{{- end }}
 {{- if hasKey .Values.hubble "listenAddress" }}
   # An additional address for Hubble server to listen to (e.g. ":4244").
   hubble-listen-address: {{ .Values.hubble.listenAddress | quote }}
@@ -893,7 +965,7 @@ data:
   ipam-cilium-node-update-rate: {{ include "validateDuration" .Values.ipam.ciliumNodeUpdateRate | quote }}
   {{- end }}
 
-{{- if or (eq $ipam "cluster-pool") (eq $ipam "cluster-pool-v2beta") }}
+{{- if (eq $ipam "cluster-pool") }}
   {{- if .Values.ipv4.enabled }}
     {{- if hasKey .Values.ipam.operator "clusterPoolIPv4PodCIDR" }}
     {{- /* ipam.operator.clusterPoolIPv4PodCIDR removed in v1.14, remove this failsafe around v1.17 */ -}}
@@ -935,11 +1007,8 @@ data:
   limit-ipam-api-qps: {{ .Values.ipam.operator.externalAPILimitQPS | quote }}
   {{- end }}
 
-{{- if .Values.enableCnpStatusUpdates }}
-  disable-cnp-status-updates: "false"
-{{- else if (eq $defaultEnableCnpStatusUpdates "false") }}
-  disable-cnp-status-updates: "true"
-  cnp-node-status-gc-interval: "0s"
+{{- if .Values.apiRateLimit }}
+  api-rate-limit: {{ .Values.apiRateLimit | quote }}
 {{- end }}
 
 {{- if .Values.egressGateway.enabled }}
@@ -971,10 +1040,6 @@ data:
   {{- end }}
 {{- end }}
 
-{{- if .Values.enableK8sEventHandover }}
-  enable-k8s-event-handover: "true"
-{{- end }}
-
 {{- if .Values.crdWaitTimeout }}
   crd-wait-timeout: {{ include "validateDuration" .Values.crdWaitTimeout | quote }}
 {{- end }}
@@ -1026,6 +1091,7 @@ data:
 
 {{- if .Values.bgpControlPlane.enabled }}
   enable-bgp-control-plane: "true"
+  bgp-secrets-namespace: {{ .Values.bgpControlPlane.secretsNamespace.name | quote }}
 {{- else }}
   enable-bgp-control-plane: "false"
 {{- end }}
@@ -1072,10 +1138,8 @@ data:
   annotate-k8s-node: "true"
 {{- end }}
 
-{{- if hasKey .Values "k8sClientRateLimit" }}
-  k8s-client-qps: {{ .Values.k8sClientRateLimit.qps | quote }}
-  k8s-client-burst: {{ .Values.k8sClientRateLimit.burst | quote }}
-{{- end }}
+  k8s-client-qps: {{ .Values.k8sClientRateLimit.qps | default $defaultK8sClientQPS | quote}}
+  k8s-client-burst: {{ .Values.k8sClientRateLimit.burst | default $defaultK8sClientBurst | quote }}
 
 {{- if and .Values.operator.setNodeTaints (not .Values.operator.removeNodeTaints) -}}
 {{ fail "Cannot have operator.setNodeTaintsMaxNodes and not operator.removeNodeTaints = false" }}
@@ -1136,10 +1200,6 @@ data:
   {{- end }}
 {{- end }}
 
-{{- if .Values.extraConfig }}
-  {{ toYaml .Values.extraConfig | nindent 2 }}
-{{- end }}
-
 {{- if hasKey .Values "agentNotReadyTaintKey" }}
   agent-not-ready-taint-key: {{ .Values.agentNotReadyTaintKey | quote }}
 {{- end }}
@@ -1153,6 +1213,7 @@ data:
   mesh-auth-mutual-enabled: "true"
   mesh-auth-mutual-listener-port: {{ .Values.authentication.mutual.port | quote }}
   mesh-auth-spire-agent-socket: {{ .Values.authentication.mutual.spire.agentSocketPath | quote }}
+  mesh-auth-mutual-connect-timeout: {{ include "validateDuration" .Values.authentication.mutual.connectTimeout | quote }}
   {{- if .Values.authentication.mutual.spire.serverAddress }}
   mesh-auth-spire-server-address: {{ .Values.authentication.mutual.spire.serverAddress | quote }}
   {{- else }}
@@ -1163,9 +1224,12 @@ data:
   mesh-auth-spiffe-trust-domain: {{ .Values.authentication.mutual.spire.trustDomain | quote }}
 {{- end }}
 
+  proxy-xff-num-trusted-hops-ingress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyIngress | quote }}
+  proxy-xff-num-trusted-hops-egress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyEgress | quote }}
   proxy-connect-timeout: {{ .Values.envoy.connectTimeoutSeconds | quote }}
   proxy-max-requests-per-connection: {{ .Values.envoy.maxRequestsPerConnection | quote }}
   proxy-max-connection-duration-seconds: {{ .Values.envoy.maxConnectionDurationSeconds | quote }}
+  proxy-idle-timeout-seconds: {{ .Values.envoy.idleTimeoutDurationSeconds | quote }}
 
   external-envoy-proxy: {{ .Values.envoy.enabled | quote }}
 
@@ -1173,6 +1237,16 @@ data:
   envoy-log: {{ .Values.envoy.log.path | quote }}
 {{- end }}
 
+{{- if hasKey .Values.clustermesh "maxConnectedClusters" }}
+  max-connected-clusters: {{ .Values.clustermesh.maxConnectedClusters | quote }}
+{{- end }}
+
+# Extra config allows adding arbitrary properties to the cilium config.
+# By putting it at the end of the ConfigMap, it's also possible to override existing properties.
+{{- if .Values.extraConfig }}
+  {{ toYaml .Values.extraConfig | nindent 2 }}
+{{- end }}
+
 {{- end }}
 ---
 {{- if and .Values.ipMasqAgent.enabled .Values.ipMasqAgent.config }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml
index 7aa0f046..990cf951 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/configmap.yaml
@@ -6,6 +6,10 @@ kind: ConfigMap
 metadata:
   name: cilium-envoy-config
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.envoy.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 data:
 {{- (tpl (.Files.Glob "files/cilium-envoy/configmap/bootstrap-config.json").AsConfig .) | nindent 2 }}
 
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
index fcd5621b..30b9af0f 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -6,6 +6,10 @@ kind: DaemonSet
 metadata:
   name: cilium-envoy
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.envoy.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     k8s-app: cilium-envoy
     app.kubernetes.io/part-of: cilium
@@ -31,11 +35,13 @@ spec:
         cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }}
         {{- end }}
         {{- if not .Values.envoy.securityContext.privileged }}
+        {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
         # Set app AppArmor's profile to "unconfined". The value of this annotation
         # can be modified as long users know which profiles they have available
         # in AppArmor.
         container.apparmor.security.beta.kubernetes.io/cilium-envoy: "unconfined"
         {{- end }}
+        {{- end }}
         {{- with .Values.envoy.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -52,6 +58,11 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}}
+      {{- /* thus we have to remove it. */}}
+      {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
+      {{- $_ := unset .Values.envoy.podSecurityContext "appArmorProfile" }}
+      {{- end }}
       {{- with .Values.envoy.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -65,7 +76,7 @@ spec:
         args:
         - '-c /var/run/cilium/envoy/bootstrap-config.json'
         - '--base-id 0'
-        {{- if and (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }}
+        {{- if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "envoy" ( splitList " " .Values.debug.verbose )) }}
         - '--log-level trace'
         {{- else if and (.Values.debug.enabled) (hasKey .Values.debug "verbose") (.Values.debug.verbose) (has "flow" ( splitList " " .Values.debug.verbose )) }}
         - '--log-level debug'
@@ -89,6 +100,7 @@ spec:
           failureThreshold: {{ .Values.envoy.startupProbe.failureThreshold }}
           periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }}
           successThreshold: 1
+          initialDelaySeconds: 5
         {{- end }}
         livenessProbe:
           httpGet:
@@ -175,6 +187,9 @@ spec:
         - name: envoy-sockets
           mountPath: /var/run/cilium/envoy/sockets
           readOnly: false
+        - name: envoy-artifacts
+          mountPath: /var/run/cilium/envoy/artifacts
+          readOnly: true
         - name: envoy-config
           mountPath: /var/run/cilium/envoy/
           readOnly: true
@@ -224,6 +239,10 @@ spec:
         hostPath:
           path: "{{ .Values.daemon.runPath }}/envoy/sockets"
           type: DirectoryOrCreate
+      - name: envoy-artifacts
+        hostPath:
+          path: "{{ .Values.daemon.runPath }}/envoy/artifacts"
+          type: DirectoryOrCreate
       - name: envoy-config
         configMap:
           name: cilium-envoy-config
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml
index f5c2a09b..d238c62e 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/service.yaml
@@ -4,11 +4,16 @@ kind: Service
 metadata:
   name: cilium-envoy
   namespace: {{ .Release.Namespace }}
-  {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }}
+  {{- if or (not .Values.envoy.prometheus.serviceMonitor.enabled) .Values.envoy.annotations }}
   annotations:
+    {{- if not .Values.envoy.prometheus.serviceMonitor.enabled }}
     prometheus.io/scrape: "true"
     prometheus.io/port: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port | quote }}
     {{- end }}
+    {{- with .Values.envoy.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- end }}
   labels:
     k8s-app: cilium-envoy
     app.kubernetes.io/name: cilium-envoy
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml
index 6094ba20..607dabca 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/serviceaccount.yaml
@@ -4,8 +4,13 @@ kind: ServiceAccount
 metadata:
   name: {{ .Values.serviceAccounts.envoy.name | quote }}
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.serviceAccounts.envoy.annotations }}
+  {{- if or .Values.serviceAccounts.envoy.annotations .Values.envoy.annotations }}
   annotations:
-    {{- toYaml .Values.serviceAccounts.envoy.annotations | nindent 4 }}
+    {{- with .Values.envoy.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccounts.envoy.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
index 3f120b9d..10f84d82 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
@@ -11,10 +11,15 @@ metadata:
     {{- with .Values.envoy.prometheus.serviceMonitor.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+  {{- if or .Values.envoy.prometheus.serviceMonitor.annotations .Values.envoy.annotations }}
   annotations:
-    {{- with .Values.envoy.prometheus.serviceMonitor.annotations }}
-    {{- toYaml . | nindent 4 }}
+    {{- with .Values.envoy.annotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.envoy.prometheus.serviceMonitor.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
 spec:
   selector:
     matchLabels:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml
new file mode 100644
index 00000000..8a1341e4
--- /dev/null
+++ b/packages/system/cilium/charts/cilium/templates/cilium-flowlog-configmap.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.hubble.export.dynamic.enabled .Values.hubble.export.dynamic.config.createConfigMap }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.hubble.export.dynamic.config.configMapName }}
+ namespace: {{ .Release.Namespace }}
+data:
+ flowlogs.yaml: |
+ flowLogs:
+{{ .Values.hubble.export.dynamic.config.content | toYaml | indent 4 }}
+{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml b/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml
index 089649ff..74a78d8d 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-gateway-api-class.yaml
@@ -1,6 +1,6 @@
{{- if .Values.gatewayAPI.enabled -}}
-{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass" }}
-apiVersion: gateway.networking.k8s.io/v1beta1
+{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass" }}
+apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: cilium
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml
index 63de5715..3ed09268 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/daemonset.yaml
@@ -5,6 +5,10 @@ apiVersion: apps/v1
metadata:
name: cilium-node-init
namespace: {{ .Release.Namespace }}
+ {{- with .Values.nodeinit.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app: cilium-node-init
app.kubernetes.io/part-of: cilium
@@ -24,11 +28,13 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
+ {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/node-init: "unconfined"
{{- end }}
+ {{- end }}
labels:
app: cilium-node-init
app.kubernetes.io/part-of: cilium
@@ -41,6 +47,15 @@ spec:
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}}
+ {{- /* thus we have to remove it. */}}
+ {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
+ {{- $_ := unset .Values.nodeinit.podSecurityContext "appArmorProfile" }}
+ {{- end }}
+ {{- with .Values.nodeinit.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
containers:
- name: node-init
image: {{ include "cilium.image" .Values.nodeinit.image | quote }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml
index 806e3706..eb503ee9 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-nodeinit/serviceaccount.yaml
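Review bot: `{{- $_ := unset .Values.nodeinit.podSecurityContext "appArmorProfile" }}` in the second hunk mutates the shared values map in place, so any template rendered after this one that reads `.Values.nodeinit.podSecurityContext` sees the key gone; working on a local copy avoids the side effect: `{{- $psc := .Values.nodeinit.podSecurityContext }}` / `{{- if semverCompare "<1.30.0" ... }}{{- $psc = omit $psc "appArmorProfile" }}{{- end }}` / `{{- with $psc }}`. The long `semverCompare "<1.30.0" (printf ...)` expression is duplicated verbatim between the two hunks; binding it once to a variable at file scope, ahead of both hunks, keeps the annotation branch and the securityContext branch in step if the threshold ever moves. On clusters below 1.30 the profile is dropped from `securityContext` and only the `container.apparmor.security.beta.kubernetes.io/node-init` annotation from the first hunk remains, and that annotation is itself inside `{{- if not .Values.securityContext.privileged }}`, so a privileged nodeinit on such a cluster ends up with no AppArmor setting at all; if that is intended, a comment saying so would help. The template comment reads better as `K8s versions lower than 1.30.0 don't support the "appArmorProfile" field`.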
@@ -4,8 +4,13 @@ kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.nodeinit.name | quote }}
namespace: {{ .Release.Namespace }}
- {{- if .Values.serviceAccounts.nodeinit.annotations }}
+ {{- if or .Values.serviceAccounts.nodeinit.annotations .Values.nodeinit.annotations }}
annotations:
- {{- toYaml .Values.serviceAccounts.nodeinit.annotations | nindent 4 }}
+ {{- with .Values.nodeinit.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccounts.nodeinit.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
index 862fac10..7e9080b5 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrole.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium-operator
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
rules:
@@ -157,6 +161,9 @@ rules:
resources:
- ciliumendpointslices
- ciliumenvoyconfigs
+ - ciliumbgppeerconfigs
+ - ciliumbgpadvertisements
+ - ciliumbgpnodeconfigs
verbs:
- create
- update
@@ -183,6 +190,11 @@ rules:
resourceNames:
- ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io
+ - ciliumbgpclusterconfigs.cilium.io
+ - ciliumbgppeerconfigs.cilium.io
+ - ciliumbgpadvertisements.cilium.io
+ - ciliumbgpnodeconfigs.cilium.io
+ - ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io
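Review bot: The second and third clusterrole hunks grant the operator `create`/`update` on the new `ciliumbgppeerconfigs`, `ciliumbgpadvertisements` and `ciliumbgpnodeconfigs` resources and add five `ciliumbgp*.cilium.io` CRDs to the `resourceNames` list unconditionally, although the chart gates BGP elsewhere in this commit on `.Values.bgpControlPlane` (see the secrets-namespace rewrite). If the enclosing rules are not already inside such a conditional (their `apiGroups` and the closing `verbs` are outside these hunks), wrapping the added lines in `{{- if .Values.bgpControlPlane.enabled }}` … `{{- end }}` keeps the operator's write permissions limited to the features that are actually on. The same consideration applies to the `ciliumbgpclusterconfigs`/`ciliumbgpnodeconfigoverrides` lines in the next clusterrole hunk and to the `ciliumbgp*` additions in the preflight clusterrole further down.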
@@ -203,6 +215,8 @@ rules:
resources:
- ciliumloadbalancerippools
- ciliumpodippools
+ - ciliumbgpclusterconfigs
+ - ciliumbgpnodeconfigoverrides
verbs:
- get
- list
@@ -258,6 +272,7 @@ rules:
- gateways
- tlsroutes
- httproutes
+ - grpcroutes
- referencegrants
- referencepolicies
verbs:
@@ -270,6 +285,7 @@ rules:
- gatewayclasses/status
- gateways/status
- httproutes/status
+ - grpcroutes/status
- tlsroutes/status
verbs:
- update
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml
index a8a51bd4..f0d00e2e 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/clusterrolebinding.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium-operator
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml
index 37402bed..c4b90a27 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/dashboards-configmap.yaml
@@ -15,9 +15,14 @@ metadata:
{{- if $.Values.operator.dashboards.label }}
{{ $.Values.operator.dashboards.label }}: {{ ternary $.Values.operator.dashboards.labelValue "1" (not (empty $.Values.operator.dashboards.labelValue)) | quote }}
{{- end }}
- {{- with $.Values.operator.dashboards.annotations }}
+ {{- if or $.Values.operator.dashboards.annotations $.Values.operator.annotations }}
annotations:
- {{- toYaml . | nindent 4 }}
+ {{- with $.Values.operator.dashboards.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $.Values.operator.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
data:
{{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
index 44b1da2a..4f4450e5 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/deployment.yaml
@@ -5,6 +5,10 @@ kind: Deployment
metadata:
name: cilium-operator
namespace: {{ .Release.Namespace }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
io.cilium/app: operator
name: cilium-operator
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml
index cb63aaf0..a224b9e6 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/poddisruptionbudget.yaml
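Review bot: The dashboards-configmap hunk renders `$.Values.operator.dashboards.annotations` before `$.Values.operator.annotations`, the reverse of the order the operator serviceaccount and servicemonitor hunks use (component-wide map first, resource-specific map second). Where a key is present in both maps the rendered value depends on that order, since a lenient decoder keeps the last duplicate, so the resource-specific map should also come last here; swapping the two `with` blocks, or collapsing them into `{{- toYaml (mergeOverwrite (dict) $.Values.operator.annotations $.Values.operator.dashboards.annotations) | nindent 4 }}`, makes the precedence consistent across the chart and avoids emitting duplicate keys altogether.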
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget
metadata:
name: cilium-operator
namespace: {{ .Release.Namespace }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
io.cilium/app: operator
name: cilium-operator
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml
index cf2526d9..20101b02 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/role.yaml
@@ -5,6 +5,10 @@ kind: Role
metadata:
name: cilium-operator-ingress-secrets
namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
rules:
@@ -26,6 +30,10 @@ kind: Role
metadata:
name: cilium-operator-gateway-secrets
namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
rules:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
index aa826906..8d8f73d8 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/rolebinding.yaml
@@ -5,6 +5,10 @@ kind: RoleBinding
metadata:
name: cilium-operator-ingress-secrets
namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
@@ -24,6 +28,10 @@ kind: RoleBinding
metadata:
name: cilium-operator-gateway-secrets
namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml
index 42096412..31e917ec 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/secret.yaml
@@ -5,6 +5,10 @@ kind: Secret
metadata:
name: cilium-azure
namespace: {{ .Release.Namespace }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
type: Opaque
data:
AZURE_CLIENT_ID: {{ default "" .Values.azure.clientID | b64enc | quote }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml
index 61514916..8c201099 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/service.yaml
@@ -4,6 +4,10 @@ apiVersion: v1
metadata:
name: cilium-operator
namespace: {{ .Release.Namespace }}
+ {{- with .Values.operator.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
io.cilium/app: operator
name: cilium-operator
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml
index 4bb3551c..b083907e 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/serviceaccount.yaml
@@ -8,8 +8,13 @@ kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.operator.name | quote }}
namespace: {{ .Release.Namespace }}
- {{- if .Values.serviceAccounts.operator.annotations }}
+ {{- if or .Values.serviceAccounts.operator.annotations .Values.operator.annotations }}
annotations:
- {{- toYaml .Values.serviceAccounts.operator.annotations | nindent 4 }}
+ {{- with .Values.operator.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccounts.operator.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml
index a3edaec5..742993b8 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-operator/servicemonitor.yaml
@@ -10,10 +10,15 @@ metadata:
{{- with .Values.operator.prometheus.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
+ {{- if or .Values.operator.prometheus.serviceMonitor.annotations .Values.operator.annotations }}
annotations:
- {{- with .Values.operator.prometheus.serviceMonitor.annotations }}
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.operator.annotations }}
+ {{- toYaml . | nindent 4 }}
{{- end }}
+ {{- with .Values.operator.prometheus.serviceMonitor.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
spec:
selector:
matchLabels:
@@ -37,4 +42,7 @@ spec:
{{- end }}
targetLabels:
- io.cilium/app
+{{- if .Values.operator.prometheus.serviceMonitor.jobLabel }}
+ jobLabel: {{ .Values.operator.prometheus.serviceMonitor.jobLabel | quote }}
+{{- end }}
{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml
index 379814c8..d2a8f4ca 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrole.yaml
@@ -6,6 +6,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium-pre-flight
+ {{- with .Values.preflight.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
rules:
@@ -82,6 +86,9 @@ rules:
resources:
- ciliumloadbalancerippools
- ciliumbgppeeringpolicies
+ - ciliumbgpnodeconfigs
+ - ciliumbgpadvertisements
+ - ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
@@ -137,6 +144,7 @@ rules:
- ciliumendpoints/status
- ciliumendpoints
- ciliuml2announcementpolicies/status
+ - ciliumbgpnodeconfigs/status
verbs:
- patch
{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml
index ef5be1de..1237d6ac 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/clusterrolebinding.yaml
@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium-pre-flight
+ {{- with .Values.preflight.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
roleRef:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
index a5e34f3d..bafd2700 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
@@ -4,6 +4,10 @@ kind: DaemonSet
metadata:
name: cilium-pre-flight-check
namespace: {{ .Release.Namespace }}
+ {{- with .Values.preflight.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
spec:
selector:
matchLabels:
@@ -109,7 +113,7 @@ spec:
args:
- -ec
- |
- cilium preflight fqdn-poller --tofqdns-pre-cache {{ .Values.preflight.tofqdnsPreCache }};
+ cilium-dbg preflight fqdn-poller --tofqdns-pre-cache {{ .Values.preflight.tofqdnsPreCache }};
touch /tmp/ready-tofqdns-precache;
livenessProbe:
exec:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
index b4f542ea..af0a31ba 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml
@@ -4,6 +4,10 @@ kind: Deployment
metadata:
name: cilium-pre-flight-check
namespace: {{ .Release.Namespace }}
+ {{- with .Values.preflight.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-pre-flight-check
@@ -39,7 +43,7 @@ spec:
args:
- -ec
- |
- cilium preflight validate-cnp;
+ cilium-dbg preflight validate-cnp;
touch /tmp/ready-validate-cnp;
sleep 1h;
livenessProbe:
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
index d939a9a2..4b3c7cb0 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/poddisruptionbudget.yaml
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget
metadata:
name: cilium-pre-flight-check
namespace: {{ .Release.Namespace }}
+ {{- with .Values.preflight.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
k8s-app: cilium-pre-flight-check-deployment
app.kubernetes.io/part-of: cilium
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml
index a55aaa40..b64a3296 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/serviceaccount.yaml
@@ -4,8 +4,13 @@ kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.preflight.name | quote }}
namespace: {{ .Release.Namespace }}
- {{- if .Values.serviceAccounts.preflight.annotations }}
+ {{- if or .Values.serviceAccounts.preflight.annotations .Values.preflight.annotations }}
annotations:
- {{ toYaml .Values.serviceAccounts.preflight.annotations | nindent 4 }}
+ {{- with .Values.preflight.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccounts.preflight.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
{{- end }}
{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml b/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
index 6e1aa43d..d99967fa 100644
--- a/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-secrets-namespace.yaml
@@ -1,32 +1,14 @@
-{{- if and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name }}
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ .Values.ingressController.secretsNamespace.name | quote }}
-{{- end}}
+{{- $secretNamespaces := dict -}}
+{{- range $cfg := tuple .Values.ingressController .Values.gatewayAPI .Values.envoyConfig .Values.bgpControlPlane -}}
+{{- if and $cfg.enabled $cfg.secretsNamespace.create $cfg.secretsNamespace.name -}}
+{{- $_ := set $secretNamespaces $cfg.secretsNamespace.name 1 -}}
+{{- end -}}
+{{- end -}}

-# Only create the namespace if it's different from Ingress secret namespace or Ingress is not enabled.
-{{- if and .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.create .Values.gatewayAPI.secretsNamespace.name
- (or (not (and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name))
- (ne .Values.gatewayAPI.secretsNamespace.name .Values.ingressController.secretsNamespace.name)) }}
+{{- range $name, $_ := $secretNamespaces }}
---
apiVersion: v1
kind: Namespace
metadata:
- name: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
-{{- end}}
-
-# Only create the namespace if it's different from Ingress and Gateway API secret namespaces (if enabled).
-{{- if and .Values.envoyConfig.enabled .Values.envoyConfig.secretsNamespace.create .Values.envoyConfig.secretsNamespace.name
- (and
- (or (not (and .Values.ingressController.enabled .Values.ingressController.secretsNamespace.create .Values.ingressController.secretsNamespace.name))
- (ne .Values.envoyConfig.secretsNamespace.name .Values.ingressController.secretsNamespace.name))
- (or (not (and .Values.gatewayAPI.enabled .Values.gatewayAPI.secretsNamespace.create .Values.gatewayAPI.secretsNamespace.name))
- (ne .Values.envoyConfig.secretsNamespace.name .Values.gatewayAPI.secretsNamespace.name))) }}
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ .Values.envoyConfig.secretsNamespace.name | quote }}
+ name: {{ $name | quote }}
{{- end}}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
index c00c8a51..c5df0163 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrole.yaml
@@ -5,6 +5,10 @@ metadata:
name: clustermesh-apiserver
labels:
app.kubernetes.io/part-of: cilium
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
rules:
- apiGroups:
- cilium.io
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml
index 8ef03cb2..edc3cf9c 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/clusterrolebinding.yaml
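Review bot: The rewritten secrets-namespace template drops the explanatory comments the old per-feature blocks carried and adds none of its own, so the purpose of the `dict`/`tuple` collection loop has to be reverse-engineered; a one-line template comment ahead of the first `range`, e.g. `{{- /* Collect the distinct secrets namespaces so one shared by several features is created only once */ -}}`, would restore it. `$cfg.secretsNamespace.create` is dereferenced for every entry whose `enabled` is true, so each of the four value sections, including the newly added `.Values.bgpControlPlane`, must define a `secretsNamespace` map in values.yaml or rendering aborts with a nil-pointer error; that is presumably the case upstream but is not visible from the hunk. Ranging over the dict also emits the Namespace objects in sorted-name order rather than the old ingress/gateway/envoy order, which is harmless for Helm but will show up for anyone diffing rendered manifests.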
@@ -5,6 +5,10 @@ metadata:
name: clustermesh-apiserver
labels:
app.kubernetes.io/part-of: cilium
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml
index 7783a9e5..6c5e6c3e 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml
@@ -7,6 +7,10 @@ kind: Deployment
metadata:
name: clustermesh-apiserver
namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
k8s-app: clustermesh-apiserver
app.kubernetes.io/part-of: cilium
@@ -44,41 +48,45 @@ spec: {{- end }} initContainers: - name: etcd-init - image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }} - imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }} - command: ["/bin/sh", "-c"] + image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }} + imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }} + command: + - /usr/bin/clustermesh-apiserver args: - - | - rm -rf /var/run/etcd/*; - /usr/local/bin/etcd --data-dir=/var/run/etcd --name=clustermesh-apiserver --listen-client-urls=http://127.0.0.1:2379 --advertise-client-urls=http://127.0.0.1:2379 --initial-cluster-token=clustermesh-apiserver --initial-cluster-state=new --auto-compaction-retention=1 & - - # The following key needs to be created before that the cilium agents - # have the possibility of connecting to etcd. - etcdctl put cilium/.has-cluster-config true - - etcdctl user add root --no-password; - etcdctl user grant-role root root; - etcdctl user add admin-{{ .Values.cluster.name }} --no-password; - etcdctl user grant-role admin-{{ .Values.cluster.name }} root; - etcdctl user add externalworkload --no-password; - etcdctl role add externalworkload; - etcdctl role grant-permission externalworkload --from-key read ''; - etcdctl role grant-permission externalworkload readwrite --prefix cilium/state/noderegister/v1/; - etcdctl role grant-permission externalworkload readwrite --prefix cilium/.initlock/; - etcdctl user grant-role externalworkload externalworkload; - etcdctl user add remote --no-password; - etcdctl role add remote; - etcdctl role grant-permission remote --from-key read ''; - etcdctl user grant-role remote remote; - etcdctl auth enable; - exit + - etcdinit + {{- if .Values.debug.enabled }} + - --debug + {{- end }} + # These need to match the equivalent arguments to etcd in the main container. 
+ - --etcd-cluster-name=clustermesh-apiserver
+ - --etcd-initial-cluster-token=$(INITIAL_CLUSTER_TOKEN)
+ - --etcd-data-dir=/var/run/etcd
+ {{- with .Values.clustermesh.apiserver.etcd.init.extraArgs }}
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
env:
- - name: ETCDCTL_API
- value: "3"
- - name: HOSTNAME_IP
+ # The Cilium cluster name (specified via the `CILIUM_CLUSTER_NAME` environment variable) and the etcd cluster
+ # name (specified via the `--etcd-cluster-name` argument) are very different concepts. The Cilium cluster name
+ # is the name of the overall Cilium cluster, and is used to set the admin account username. The etcd cluster
+ # name is a concept that's only relevant for etcd itself. The etcd cluster name must be the same for both this
+ # command and the actual invocation of etcd in the main containers of this Pod, but it's otherwise not
+ # relevant to Cilium.
+ - name: CILIUM_CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: cilium-config
+ key: cluster-name
+ - name: INITIAL_CLUSTER_TOKEN
valueFrom:
fieldRef:
- fieldPath: status.podIP
+ fieldPath: metadata.uid
+ {{- with .Values.clustermesh.apiserver.etcd.init.extraEnv }}
+ {{- toYaml . | trim | nindent 8 }}
+ {{- end }}
+ {{- with .Values.clustermesh.apiserver.etcd.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
volumeMounts:
- name: etcd-data-dir
mountPath: /var/run/etcd
@@ -92,10 +100,11 @@ spec:
{{- end }}
containers:
- name: etcd
- image: {{ include "cilium.image" .Values.clustermesh.apiserver.etcd.image | quote }}
- imagePullPolicy: {{ .Values.clustermesh.apiserver.etcd.image.pullPolicy }}
+ # The clustermesh-apiserver container image includes an etcd binary.
+ image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }}
+ imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
command:
- - /usr/local/bin/etcd
+ - /usr/bin/etcd
args:
- --data-dir=/var/run/etcd
- --name=clustermesh-apiserver
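Review bot: The removed init script made the etcd access model auditable in the template — `root` and `admin-<cluster>` with the root role, `externalworkload` restricted to read everywhere plus read-write under `cilium/state/noderegister/v1/` and `cilium/.initlock/`, `remote` read-only, and finally `etcdctl auth enable` — whereas the replacement `etcdinit` subcommand shows none of that, so a reviewer can no longer confirm from the chart that authentication is enabled before agents connect. A comment next to `- etcdinit`, e.g. `# provisions the etcd users/roles and enables etcd auth that the inline etcdctl script used to set up`, would keep that contract visible, assuming the binary does exactly that. `CILIUM_CLUSTER_NAME` is now read from the `cilium-config` ConfigMap key `cluster-name` instead of `.Values.cluster.name`, which adds an ordering dependency on that ConfigMap for the init container and should be mentioned where the env entry is defined. Sourcing `INITIAL_CLUSTER_TOKEN` from `metadata.uid` in both the init container and the main etcd container is an improvement over the fixed `clustermesh-apiserver` token, as it is unique per pod. The init container definition starts before this hunk.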
@@ -107,7 +116,7 @@ spec:
# uses net.SplitHostPort() internally and it accepts the that format.
- --listen-client-urls=https://127.0.0.1:2379,https://[$(HOSTNAME_IP)]:2379
- --advertise-client-urls=https://[$(HOSTNAME_IP)]:2379
- - --initial-cluster-token=clustermesh-apiserver
+ - --initial-cluster-token=$(INITIAL_CLUSTER_TOKEN)
- --auto-compaction-retention=1
{{- if .Values.clustermesh.apiserver.metrics.etcd.enabled }}
- --listen-metrics-urls=http://[$(HOSTNAME_IP)]:{{ .Values.clustermesh.apiserver.metrics.etcd.port }}
@@ -120,6 +129,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.podIP
+ - name: INITIAL_CLUSTER_TOKEN
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
ports:
- name: etcd
containerPort: 2379
@@ -147,12 +160,17 @@ spec:
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.clustermesh.apiserver.etcd.lifecycle }}
+ lifecycle:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
- name: apiserver
image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }}
imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
command:
- /usr/bin/clustermesh-apiserver
args:
+ - clustermesh
{{- if .Values.debug.enabled }}
- --debug
{{- end }}
@@ -160,6 +178,9 @@ spec:
- --cluster-id=$(CLUSTER_ID)
- --kvstore-opt
- etcd.config=/var/lib/cilium/etcd-config.yaml
+ {{- if hasKey .Values.clustermesh "maxConnectedClusters" }}
+ - --max-connected-clusters={{ .Values.clustermesh.maxConnectedClusters }}
+ {{- end }}
{{- if ne .Values.clustermesh.apiserver.tls.authMode "legacy" }}
- --cluster-users-enabled
- --cluster-users-config-path=/var/lib/cilium/etcd-config/users.yaml
@@ -167,6 +188,7 @@ spec:
- --enable-external-workloads={{ .Values.externalWorkloads.enabled }}
{{- if .Values.clustermesh.apiserver.metrics.enabled }}
- --prometheus-serve-addr=:{{ .Values.clustermesh.apiserver.metrics.port }}
+ - --controller-group-metrics=all
{{- end }}
{{- with .Values.clustermesh.apiserver.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
@@ -224,13 +246,18 @@ spec:
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.clustermesh.apiserver.lifecycle }}
+ lifecycle:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
{{- if .Values.clustermesh.apiserver.kvstoremesh.enabled }}
- name: kvstoremesh
- image: {{ include "cilium.image" .Values.clustermesh.apiserver.kvstoremesh.image | quote }}
- imagePullPolicy: {{ .Values.clustermesh.apiserver.kvstoremesh.image.pullPolicy }}
+ image: {{ include "cilium.image" .Values.clustermesh.apiserver.image | quote }}
+ imagePullPolicy: {{ .Values.clustermesh.apiserver.image.pullPolicy }}
command:
- - /usr/bin/kvstoremesh
+ - /usr/bin/clustermesh-apiserver
args:
+ - kvstoremesh
{{- if .Values.debug.enabled }}
- --debug
{{- end }}
@@ -240,8 +267,12 @@ spec:
- --kvstore-opt=etcd.qps=100
- --kvstore-opt=etcd.maxInflight=10
- --clustermesh-config=/var/lib/cilium/clustermesh
+ {{- if hasKey .Values.clustermesh "maxConnectedClusters" }}
+ - --max-connected-clusters={{ .Values.clustermesh.maxConnectedClusters }}
+ {{- end }}
{{- if .Values.clustermesh.apiserver.metrics.kvstoremesh.enabled }}
- --prometheus-serve-addr=:{{ .Values.clustermesh.apiserver.metrics.kvstoremesh.port }}
+ - --controller-group-metrics=all
{{- end }}
{{- with .Values.clustermesh.apiserver.kvstoremesh.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
@@ -285,6 +316,10 @@ spec:
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
+ {{- with .Values.clustermesh.apiserver.kvstoremesh.lifecycle }}
+ lifecycle:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
{{- end }}
volumes:
- name: etcd-server-secrets
@@ -371,6 +406,7 @@ spec:
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.clustermesh.apiserver.priorityClassName "system-cluster-critical") }}
serviceAccount: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
serviceAccountName: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }}
+ terminationGracePeriodSeconds: {{ .Values.clustermesh.apiserver.terminationGracePeriodSeconds }}
automountServiceAccountToken: {{ .Values.serviceAccounts.clustermeshApiserver.automount }}
{{- with .Values.clustermesh.apiserver.affinity }}
affinity:
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml
index 63b50ace..0781af1e 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/metrics-service.yaml
@@ -7,6 +7,10 @@ kind: Service
metadata:
name: clustermesh-apiserver-metrics
namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
k8s-app: clustermesh-apiserver
app.kubernetes.io/part-of: cilium
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
index 243e1b23..4a1bbf7e 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/poddisruptionbudget.yaml
@@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: clustermesh-apiserver namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: clustermesh-apiserver app.kubernetes.io/part-of: cilium diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml index 466841d9..0a7028c5 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/service.yaml @@ -8,9 +8,14 @@ metadata: k8s-app: clustermesh-apiserver app.kubernetes.io/part-of: cilium app.kubernetes.io/name: clustermesh-apiserver - {{- with .Values.clustermesh.apiserver.service.annotations }} + {{- if or .Values.clustermesh.apiserver.service.annotations .Values.clustermesh.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.clustermesh.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.clustermesh.apiserver.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} spec: type: {{ .Values.clustermesh.apiserver.service.type }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml index b6153c39..0c8992ba 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/serviceaccount.yaml 
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.clustermeshApiserver.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }} + {{- if or .Values.serviceAccounts.clustermeshApiserver.annotations .Values.clustermesh.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.clustermesh.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.clustermeshApiserver.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml index d5ba6420..8ecf150b 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/servicemonitor.yaml @@ -14,10 +14,15 @@ metadata: {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations .Values.clustermesh.annotations }} annotations: - {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.clustermesh.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.clustermesh.apiserver.metrics.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml index 3bc84ae1..097cb14e 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml 
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/admin-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: clustermesh-apiserver-admin-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml index 3c2cf643..f290fe8e 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/client-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: clustermesh-apiserver-client-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml index 0a5e42e2..06bb8bd2 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/remote-secret.yaml 
@@ -5,6 +5,10 @@ kind: Certificate metadata: name: clustermesh-apiserver-remote-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml index 86fe56f5..f7cfd7ad 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-certmanager/server-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: clustermesh-apiserver-server-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl index 67503e33..52a99089 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/_job-spec.tpl 
@@ -26,12 +26,8 @@ spec:
 {{- end }}
 - "--ca-generate"
 - "--ca-reuse-secret"
- {{- if .Values.clustermesh.apiserver.tls.ca.cert }}
- - "--ca-secret-name=clustermesh-apiserver-ca-cert"
- {{- else -}}
- {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
+ {{- if and .Values.tls.ca.cert .Values.tls.ca.key }}
 - "--ca-secret-name=cilium-ca"
- {{- end }}
 {{- end }}
 - "--clustermesh-apiserver-server-cert-generate"
 - "--clustermesh-apiserver-server-cert-validity-duration={{ $certValiditySecondsStr }}"
@@ -69,5 +65,9 @@ spec:
 volumes:
 {{- toYaml . | nindent 6 }}
 {{- end }}
+ affinity:
+ {{- with .Values.certgen.affinity }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml
deleted file mode 100644
index 6f499cd8..00000000
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/ca-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "cronJob") }}
-{{- $crt := .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert -}}
-{{- $key := .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key -}}
-{{- if and $crt $key }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: clustermesh-apiserver-ca-cert
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ $crt }}
- ca.key: {{ $key }}
-{{- end }}
-{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml
index 7711bc93..946602b4 100644
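Review bot: With the `--ca-secret-name=clustermesh-apiserver-ca-cert` branch removed, the certgen job signs with `cilium-ca` only when both `tls.ca.cert` and `tls.ca.key` are set and otherwise lets `--ca-generate` mint a CA under whatever name the binary defaults to, so any `clustermesh.apiserver.tls.ca.*` an operator still passes is silently ignored and remote clusters that trust the old clustermesh CA stop accepting the regenerated server and remote certificates. If those keys are gone from values.yaml I would fail loudly on leftovers, `{{- if or .Values.clustermesh.apiserver.tls.ca.cert .Values.clustermesh.apiserver.tls.ca.key }}{{ fail "clustermesh.apiserver.tls.ca is no longer honoured; set tls.ca.cert and tls.ca.key" }}{{- end }}`, and add a template comment above `--ca-generate` saying the clustermesh CA is now the common Cilium CA and must be redistributed to peers before upgrading. In the second hunk `affinity:` is emitted even when `certgen.affinity` is unset, rendering `affinity: null`; moving the key inside the `with` keeps the Job spec clean. The `clustermesh-apiserver-generate-certs.job.spec` define begins before the first hunk.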
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/cronjob.yaml @@ -4,6 +4,10 @@ kind: CronJob metadata: name: clustermesh-apiserver-generate-certs namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: clustermesh-apiserver-generate-certs app.kubernetes.io/part-of: cilium diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml index 06235f29..b6dd5bf1 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/job.yaml @@ -13,5 +13,8 @@ metadata: {{- with .Values.certgen.annotations.job }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.clustermesh.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{ include "clustermesh-apiserver-generate-certs.job.spec" . }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml index 0d0565a6..79960cba 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/role.yaml @@ -4,6 +4,10 @@ kind: Role metadata: name: clustermesh-apiserver-generate-certs namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: 
@@ -19,7 +23,6 @@ rules:
 - secrets
 resourceNames:
 - cilium-ca
- - clustermesh-apiserver-ca-cert
 verbs:
 - get
 - update
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
index 22fc3ed7..4e67e047 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/rolebinding.yaml
@@ -4,6 +4,10 @@ kind: RoleBinding
 metadata:
 name: clustermesh-apiserver-generate-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 labels:
 app.kubernetes.io/part-of: cilium
 roleRef:
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
index a6f79a66..8dfaf52c 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-cronjob/serviceaccount.yaml
@@ -4,8 +4,13 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.serviceAccounts.clustermeshcertgen.name | quote }}
 namespace: {{ .Release.Namespace }}
- {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }}
+ {{- if or .Values.serviceAccounts.clustermeshcertgen.annotations .Values.clustermesh.annotations }}
 annotations:
- {{- toYaml . | nindent 4 }}
+ {{- with .Values.serviceAccounts.clustermeshcertgen.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.clustermesh.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- end }}
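Review bot: Dropping `clustermesh-apiserver-ca-cert` from the Role's `resourceNames` is the right least-privilege follow-through for the deleted template, but a Secret of that name that an earlier release's certgen run created itself (the job was invoked with `--ca-generate --ca-reuse-secret` against that name) is not Helm-managed, so it survives the upgrade holding a CA private key that nothing references and that the job can no longer read or update. I would call that out in the chart's upgrade notes, or add a `pre-upgrade` hook that deletes it, rather than leave a dormant CA key in the namespace. Whether such a Secret exists depends on how the previous release obtained its CA, which this diff does not show.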
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl deleted file mode 100644 index 576160f9..00000000 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/_helpers.tpl +++ /dev/null @@ -1,37 +0,0 @@ -{{/* -Generate TLS certificates for ClusterMesh. - -Note: Always use this template as follows: - - {{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} - -The assignment to `$_` is required because we store the generated CI in a global `cmca` variable. -Please, don't try to "simplify" this, as without this trick, every generated -certificate would be signed by a different CA. -*/}} -{{- define "clustermesh-apiserver-generate-certs.helm.setup-ca" }} - {{- if not .cmca }} - {{- $ca := "" -}} - {{- $crt := .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert -}} - {{- $key := .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key -}} - {{- if and $crt $key }} - {{- $ca = buildCustomCert $crt $key -}} - {{- else }} - {{- with lookup "v1" "Secret" .Release.Namespace "clustermesh-apiserver-ca-cert" }} - {{- $crt := index .data "ca.crt" }} - {{- $key := index .data "ca.key" }} - {{- $ca = buildCustomCert $crt $key -}} - {{- else }} - {{- $_ := include "cilium.ca.setup" . -}} - {{- with lookup "v1" "Secret" .Release.Namespace .commonCASecretName }} - {{- $crt := index .data "ca.crt" }} - {{- $key := index .data "ca.key" }} - {{- $ca = buildCustomCert $crt $key -}} - {{- else }} - {{- $ca = .commonCA -}} - {{- end }} - {{- end }} - {{- end }} - {{- $_ := set . "cmca" $ca -}} - {{- end }} -{{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml index dfa1d987..63282c98 100644 
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/admin-secret.yaml @@ -1,17 +1,21 @@ {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} -{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $_ := include "cilium.ca.setup" . -}} {{- $cn := include "clustermesh-apiserver-generate-certs.admin-common-name" . -}} {{- $dns := list "localhost" }} -{{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +{{- $cert := genSignedCert $cn nil $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} --- apiVersion: v1 kind: Secret metadata: name: clustermesh-apiserver-admin-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .cmca.Cert | b64enc }} + ca.crt: {{ .commonCA.Cert | b64enc }} tls.crt: {{ $cert.Cert | b64enc }} tls.key: {{ $cert.Key | b64enc }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml deleted file mode 100644 index 832c6bb5..00000000 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/ca-secret.yaml +++ /dev/null 
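Review bot: The admin cert is now signed by `.commonCA` straight from `cilium.ca.setup`, whereas the helper this replaces did an explicit `lookup` of the CA Secret already in the cluster before falling back to `.commonCA`; if `cilium.ca.setup` does not itself reuse a stored CA, every `helm upgrade` re-mints the CA and the `ca.crt` embedded here and in the remote-cert bundle changes, breaking cluster-mesh trust until bundles are redistributed. Please confirm that helper reuses the `cilium-ca` Secret, and restore the warning that travelled with the deleted helper, e.g. above the include: `{{- /* Keep the $_ assignment: cilium.ca.setup stores the CA in the context so every cert rendered in this release is signed by the same CA. */}}`. The client, remote and server secrets in this series are changed the same way and need the same confirmation.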
@@ -1,12 +0,0 @@ -{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} -{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: clustermesh-apiserver-ca-cert - namespace: {{ .Release.Namespace }} -data: - ca.crt: {{ .cmca.Cert | b64enc }} - ca.key: {{ .cmca.Key | b64enc }} -{{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml index fd943340..85137111 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/client-secret.yaml @@ -1,16 +1,20 @@ {{- if and .Values.externalWorkloads.enabled .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} -{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $_ := include "cilium.ca.setup" . -}} {{- $cn := "externalworkload" }} -{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} --- apiVersion: v1 kind: Secret metadata: name: clustermesh-apiserver-client-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .cmca.Cert | b64enc }} + ca.crt: {{ .commonCA.Cert | b64enc }} tls.crt: {{ $cert.Cert | b64enc }} tls.key: {{ $cert.Key | b64enc }} {{- end }} 
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml index 4a68c747..7bfb1c5a 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/remote-secret.yaml @@ -1,16 +1,20 @@ {{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} -{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $_ := include "cilium.ca.setup" . -}} {{- $cn := include "clustermesh-apiserver-generate-certs.remote-common-name" . -}} -{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +{{- $cert := genSignedCert $cn nil nil (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} --- apiVersion: v1 kind: Secret metadata: name: clustermesh-apiserver-remote-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .cmca.Cert | b64enc }} + ca.crt: {{ .commonCA.Cert | b64enc }} tls.crt: {{ $cert.Cert | b64enc }} tls.key: {{ $cert.Key | b64enc }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml index beacb063..f958f353 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-helm/server-secret.yaml 
@@ -1,18 +1,22 @@ {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "helm") }} -{{- $_ := include "clustermesh-apiserver-generate-certs.helm.setup-ca" . -}} +{{- $_ := include "cilium.ca.setup" . -}} {{- $cn := "clustermesh-apiserver.cilium.io" }} {{- $ip := concat (list "127.0.0.1" "::1") .Values.clustermesh.apiserver.tls.server.extraIpAddresses }} {{- $dns := concat (list $cn "*.mesh.cilium.io" (printf "clustermesh-apiserver.%s.svc" .Release.Namespace)) .Values.clustermesh.apiserver.tls.server.extraDnsNames }} -{{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .cmca -}} +{{- $cert := genSignedCert $cn $ip $dns (.Values.clustermesh.apiserver.tls.auto.certValidityDuration | int) .commonCA -}} --- apiVersion: v1 kind: Secret metadata: name: clustermesh-apiserver-server-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .cmca.Cert | b64enc }} + ca.crt: {{ .commonCA.Cert | b64enc }} tls.crt: {{ $cert.Cert | b64enc }} tls.key: {{ $cert.Key | b64enc }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml index 4ff56ab2..de038ca8 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/admin-secret.yaml 
@@ -4,9 +4,13 @@ kind: Secret
 metadata:
 name: clustermesh-apiserver-admin-cert
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.clustermesh.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
+ ca.crt: {{ .Values.tls.ca.cert }}
 tls.crt: {{ .Values.clustermesh.apiserver.tls.admin.cert | required "missing clustermesh.apiserver.tls.admin.cert" }}
 tls.key: {{ .Values.clustermesh.apiserver.tls.admin.key | required "missing clustermesh.apiserver.tls.admin.key" }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml
deleted file mode 100644
index 9b29a541..00000000
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/ca-secret.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) (not .Values.clustermesh.apiserver.tls.auto.enabled) }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: clustermesh-apiserver-ca-cert
- namespace: {{ .Release.Namespace }}
-data:
- ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }}
- {{- if .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key }}
- ca.key: {{ .Values.clustermesh.apiserver.tls.ca.key | default .Values.tls.ca.key }}
- {{- end }}
-{{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
index 02a180ff..b8ea7b60 100644
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml
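Review bot: `ca.crt: {{ .Values.tls.ca.cert }}` is the only entry in this Secret without `required`, so a chart rendered with `clustermesh.apiserver.tls.auto.enabled=false` and an empty `tls.ca.cert` yields a `ca.crt:` with a null value and a Secret missing its trust anchor, where the old line at least had a second source through `default`; whether the consumer then fails closed is not visible here. Make it `ca.crt: {{ .Values.tls.ca.cert | required "missing tls.ca.cert" }}` so the misconfiguration surfaces at template time, and apply the same to the client, remote and server secrets in this series, which were changed identically.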
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/client-secret.yaml @@ -4,9 +4,13 @@ kind: Secret metadata: name: clustermesh-apiserver-client-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }} + ca.crt: {{ .Values.tls.ca.cert }} tls.crt: {{ .Values.clustermesh.apiserver.tls.client.cert | required "missing clustermesh.apiserver.tls.client.cert" }} tls.key: {{ .Values.clustermesh.apiserver.tls.client.key | required "missing clustermesh.apiserver.tls.client.key" }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml index 7850b332..8a253eb5 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/remote-secret.yaml @@ -4,9 +4,13 @@ kind: Secret metadata: name: clustermesh-apiserver-remote-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }} + ca.crt: {{ .Values.tls.ca.cert }} tls.crt: {{ .Values.clustermesh.apiserver.tls.remote.cert | required "missing clustermesh.apiserver.tls.remote.cert" }} tls.key: {{ .Values.clustermesh.apiserver.tls.remote.key | required "missing clustermesh.apiserver.tls.remote.key" }} {{- end }} 
diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml index bb160d62..8c239b07 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/tls-provided/server-secret.yaml @@ -4,9 +4,13 @@ kind: Secret metadata: name: clustermesh-apiserver-server-cert namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: - ca.crt: {{ .Values.clustermesh.apiserver.tls.ca.cert | default .Values.tls.ca.cert }} + ca.crt: {{ .Values.tls.ca.cert }} tls.crt: {{ .Values.clustermesh.apiserver.tls.server.cert | required "missing clustermesh.apiserver.tls.server.cert" }} tls.key: {{ .Values.clustermesh.apiserver.tls.server.key | required "missing clustermesh.apiserver.tls.server.key" }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml index 7c278978..e1cbf95f 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-apiserver/users-configmap.yaml @@ -5,6 +5,10 @@ kind: ConfigMap metadata: name: clustermesh-remote-users namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium data: diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl b/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl index f492275f..5cd31486 100644 
--- a/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-config/_helpers.tpl @@ -1,8 +1,7 @@ {{- define "clustermesh-config-generate-etcd-cfg" }} {{- $cluster := index . 0 -}} {{- $domain := index . 1 -}} -{{- $hasCustomCACert := index . 2 -}} -{{- $override := index . 3 -}} +{{- $override := index . 2 -}} {{- /* The parenthesis around $cluster.tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} {{- $prefix := ternary "common-" (printf "%s." $cluster.name) (or (ne $override "") (empty ($cluster.tls).cert) (empty ($cluster.tls).key)) -}} @@ -14,7 +13,7 @@ endpoints: {{- else }} - https://{{ $cluster.address | required "missing clustermesh.apiserver.config.clusters.address" }}:{{ $cluster.port }} {{- end }} -{{- if $hasCustomCACert }} +{{- if not (empty ($cluster.tls).caCert) }} {{- /* The custom CA configuration takes effect only if a custom certificate and key are also set */}} trusted-ca-file: /var/lib/cilium/clustermesh/{{ $prefix }}etcd-client-ca.crt {{- else }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml index 36e23b4e..78ddecd9 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/clustermesh-config/clustermesh-secret.yaml 
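Review bot: `trusted-ca-file` is now emitted whenever `$cluster.tls.caCert` is non-empty, but `$prefix` is still `common-` when `tls.cert` or `tls.key` is missing or `$override` is set, so a per-cluster CA supplied without a client cert and key silently points the config at the common CA file while the operator believes the remote endpoint is verified against their custom CA; the inline comment describes this instead of enforcing it. A template-time guard keeps the trust boundary explicit: `{{- if and (not (empty ($cluster.tls).caCert)) (or (empty ($cluster.tls).cert) (empty ($cluster.tls).key)) }}{{ fail (printf "clustermesh.config.clusters[%s]: tls.caCert requires tls.cert and tls.key" $cluster.name) }}{{- end }}` placed before the `$prefix` line. The `else` branch of the `trusted-ca-file` condition and the rest of the `clustermesh-config-generate-etcd-cfg` define run past this hunk.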
@@ -1,19 +1,23 @@ -{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled }} +{{- if .Values.clustermesh.config.enabled }} --- apiVersion: v1 kind: Secret metadata: name: cilium-clustermesh namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: - {{- $override := ternary (printf "https://clustermesh-apiserver.%s.svc:2379" .Release.Namespace) "" $.Values.clustermesh.apiserver.kvstoremesh.enabled }} + {{- $kvstoremesh := and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled }} + {{- $override := ternary (printf "https://clustermesh-apiserver.%s.svc:2379" .Release.Namespace) "" $kvstoremesh }} {{- range .Values.clustermesh.config.clusters }} - {{- $hasCustomCACert := or (.tls).caCert $.Values.clustermesh.apiserver.tls.ca.cert }} - {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain $hasCustomCACert $override) | b64enc }} + {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain $override) | b64enc }} {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} {{- if and (eq $override "") (.tls).cert (.tls).key }} - {{- if $hasCustomCACert }} - {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert | default $.Values.clustermesh.apiserver.tls.ca.cert }} + {{- if .tls.caCert }} + {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }} {{- end }} {{ .name }}.etcd-client.key: {{ .tls.key }} {{ .name }}.etcd-client.crt: {{ .tls.cert }} diff --git a/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml b/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml index f79c4ade..91ae0320 100644 --- a/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml 
+++ b/packages/system/cilium/charts/cilium/templates/clustermesh-config/kvstoremesh-secret.yaml @@ -5,14 +5,17 @@ kind: Secret metadata: name: cilium-kvstoremesh namespace: {{ .Release.Namespace }} + {{- with .Values.clustermesh.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: {{- range .Values.clustermesh.config.clusters }} - {{- $hasCustomCACert := or (.tls).caCert $.Values.clustermesh.apiserver.tls.ca.cert }} - {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain $hasCustomCACert "") | b64enc }} + {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain "") | b64enc }} {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}} {{- if and (.tls).cert (.tls).key }} - {{- if $hasCustomCACert }} - {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert | default $.Values.clustermesh.apiserver.tls.ca.cert }} + {{- if .tls.caCert }} + {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert }} {{- end }} {{ .name }}.etcd-client.key: {{ .tls.key }} {{ .name }}.etcd-client.crt: {{ .tls.cert }} diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml index 2f0b6c22..22a81c2c 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrole.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium-etcd-operator + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: 
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml index e9578f7f..25a92e10 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium-etcd-operator + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml index 914087f6..5946219f 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-deployment.yaml @@ -9,6 +9,10 @@ metadata: app.kubernetes.io/part-of: cilium name: cilium-etcd-operator namespace: {{ .Release.Namespace }} + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: 1 selector: diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml index 9bc0a3ea..7d7b765a 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/cilium-etcd-operator-serviceaccount.yaml 
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.etcd.name | quote }} namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.etcd.annotations }} + {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} annotations: -{{ toYaml .Values.serviceAccounts.etcd.annotations | indent 4 }} + {{- with .Values.etcd.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.etcd.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml index 424498f6..72cb4e6e 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrole.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: etcd-operator + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml index a56624d0..b729ea71 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: etcd-operator + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: 
diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml index 278d9842..06ee39c1 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/etcd-operator-serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: cilium-etcd-sa namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAccounts.etcd.annotations }} + {{- if or .Values.serviceAccounts.etcd.annotations .Values.etcd.annotations }} annotations: -{{ toYaml .Values.serviceAccounts.etcd.annotations | indent 4 }} + {{- with .Values.etcd.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.etcd.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml index 72e0b835..5939b4ae 100644 --- a/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/etcd-operator/poddisruptionbudget.yaml @@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: cilium-etcd-operator namespace: {{ .Release.Namespace }} + {{- with .Values.etcd.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: io.cilium/app: etcd-operator name: cilium-etcd-operator diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml index 0f5a037d..93f5b8d8 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/configmap.yaml 
@@ -9,6 +9,10 @@ kind: ConfigMap metadata: name: hubble-relay-config namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: config.yaml: | cluster-name: {{ .Values.cluster.name }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml index c72d9af8..52b9eba5 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml @@ -4,6 +4,10 @@ kind: Deployment metadata: name: hubble-relay namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-relay app.kubernetes.io/name: hubble-relay @@ -67,11 +71,26 @@ spec: protocol: TCP {{- end }} readinessProbe: - tcpSocket: - port: grpc + {{- include "hubble-relay.probe" . | nindent 12 }} + {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} + # Starting from Kubernetes 1.20, we are using startupProbe instead + # of this field. + initialDelaySeconds: 5 + {{- end }} livenessProbe: - tcpSocket: - port: grpc + {{- include "hubble-relay.probe" . | nindent 12 }} + {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} + # Starting from Kubernetes 1.20, we are using startupProbe instead + # of this field. + initialDelaySeconds: 60 + {{- end }} + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} + startupProbe: + # give the relay one minute to start up + {{- include "hubble-relay.probe" . | nindent 12 }} + failureThreshold: 20 + periodSeconds: 3 + {{- end }} {{- with .Values.hubble.relay.extraEnv }} env: {{- toYaml . | trim | nindent 12 }} 
@@ -166,3 +185,17 @@ spec: {{- toYaml . | nindent 6 }} {{- end }} {{- end }} + +{{- define "hubble-relay.probe" }} +{{- /* This distinction can be removed once we drop support for k8s 1.23 */}} +{{- if semverCompare ">=1.24-0" .Capabilities.KubeVersion.Version -}} +grpc: + port: 4222 +{{- else }} +exec: + command: + - grpc_health_probe + - -addr=localhost:4222 +{{- end }} +timeoutSeconds: 3 +{{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml index 5b7c99c9..1066c6c4 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/metrics-service.yaml @@ -5,6 +5,10 @@ apiVersion: v1 metadata: name: hubble-relay-metrics namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-relay spec: diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml index 8a90916a..4fd6da9b 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/poddisruptionbudget.yaml @@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: hubble-relay namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-relay app.kubernetes.io/name: hubble-relay diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml index d995c419..39259473 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml 
+++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/service.yaml @@ -4,6 +4,10 @@ apiVersion: v1 metadata: name: hubble-relay namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.relay.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-relay app.kubernetes.io/name: hubble-relay diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml index f42bd1b0..cf56d631 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/serviceaccount.yaml @@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.relay.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.relay.annotations }} + {{- if or .Values.serviceAccounts.relay.annotations .Values.hubble.relay.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.relay.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.relay.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml index 0b9f1622..4e41fdf3 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-relay/servicemonitor.yaml 
@@ -8,10 +8,15 @@ metadata: {{- with .Values.hubble.relay.prometheus.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.hubble.relay.prometheus.serviceMonitor.annotations .Values.hubble.relay.annotations }} annotations: - {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.relay.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.hubble.relay.prometheus.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl b/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl index 3b409207..e787b5aa 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/_nginx.tpl @@ -49,6 +49,13 @@ server { # double `/index.html` is required here try_files $uri $uri/ /index.html /index.html; } + + # Liveness probe + location /healthz { + access_log off; + add_header Content-Type text/plain; + return 200 'ok'; + } } } {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml index c3fa7809..5df709f7 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrole.yaml @@ -3,6 +3,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hubble-ui + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: 
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml index 16c688df..d091786b 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/clusterrolebinding.yaml @@ -3,6 +3,10 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hubble-ui + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml index bbab253d..8b5f0141 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/configmap.yaml @@ -5,6 +5,10 @@ kind: ConfigMap metadata: name: hubble-ui-nginx namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} data: nginx.conf: {{ include "hubble-ui.nginx.conf" . | trim | quote }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml index 9dfbcdb5..a7dd5cb8 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/deployment.yaml @@ -4,6 +4,10 @@ apiVersion: apps/v1 metadata: name: hubble-ui namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-ui app.kubernetes.io/name: hubble-ui 
@@ -60,6 +64,14 @@ spec: env: {{- toYaml . | trim | nindent 12 }} {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + readinessProbe: + httpGet: + path: / + port: 8081 {{- with .Values.hubble.ui.frontend.resources }} resources: {{- toYaml . | trim | nindent 10 }} @@ -90,7 +102,7 @@ spec: - name: TLS_TO_RELAY_ENABLED value: "true" - name: TLS_RELAY_SERVER_NAME - value: ui.hubble-relay.cilium.io + value: {{ .Values.hubble.relay.tls.server.relayName }} - name: TLS_RELAY_CA_CERT_FILES value: /var/lib/hubble-ui/certs/hubble-relay-ca.crt - name: TLS_RELAY_CLIENT_CERT_FILE @@ -104,6 +116,18 @@ spec: {{- with .Values.hubble.ui.backend.extraEnv }} {{- toYaml . | trim | nindent 8 }} {{- end }} + {{- if .Values.hubble.ui.backend.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: 8090 + {{- end }} + {{- if .Values.hubble.ui.backend.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: 8090 + {{- end }} ports: - name: grpc containerPort: 8090 diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml index b48e2cb4..2c0ff7d3 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/ingress.yaml @@ -12,9 +12,14 @@ metadata: {{- with .Values.hubble.ui.ingress.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- with .Values.hubble.ui.ingress.annotations }} + {{- if or .Values.hubble.ui.ingress.annotations .Values.hubble.ui.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.hubble.ui.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} spec: {{- if .Values.hubble.ui.ingress.className }} 
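Review bot: In the `@@ -90,7 +102,7 @@` hunk of hubble-ui/deployment.yaml the `TLS_RELAY_SERVER_NAME` env is now templated as an unquoted scalar, `value: {{ .Values.hubble.relay.tls.server.relayName }}`; a container env `value` must be a string, so an empty `relayName` renders `value:` (null) and is rejected by the API server, and a value containing YAML-significant characters would mis-parse rather than fail loudly. This string is the server name the UI backend checks against the relay's certificate (`TLS_TO_RELAY_ENABLED` is hard-coded `"true"` two lines above), so a silently wrong value surfaces only as a TLS handshake failure at runtime. Use `value: {{ .Values.hubble.relay.tls.server.relayName | quote }}`, matching how this diff already quotes templated scalars elsewhere (e.g. `schedule: {{ .Values.hubble.tls.auto.schedule | quote }}` in the cronjob template). The env list and any conditional that gates it continue outside the hunk.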
diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml index 3108a493..af3b6705 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/poddisruptionbudget.yaml @@ -5,6 +5,10 @@ kind: PodDisruptionBudget metadata: name: hubble-ui namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.ui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: hubble-ui app.kubernetes.io/name: hubble-ui diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml index 52eb6eec..a820b342 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/service.yaml @@ -4,9 +4,14 @@ apiVersion: v1 metadata: name: hubble-ui namespace: {{ .Release.Namespace }} - {{- if .Values.hubble.ui.service.annotations }} + {{- if or .Values.hubble.ui.service.annotations .Values.hubble.ui.annotations }} annotations: - {{- toYaml .Values.hubble.ui.service.annotations | nindent 4 }} + {{- with .Values.hubble.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.hubble.ui.service.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} labels: k8s-app: hubble-ui diff --git a/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml index 28f6061c..dc02ea2b 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble-ui/serviceaccount.yaml 
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.ui.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.ui.annotations }} + {{- if or .Values.serviceAccounts.ui.annotations .Values.hubble.ui.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml b/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml index c8453560..c668ebfd 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/dashboards-configmap.yaml @@ -15,9 +15,14 @@ metadata: {{- if $.Values.hubble.metrics.dashboards.label }} {{ $.Values.hubble.metrics.dashboards.label }}: {{ ternary $.Values.hubble.metrics.dashboards.labelValue "1" (not (empty $.Values.hubble.metrics.dashboards.labelValue)) | quote }} {{- end }} - {{- with $.Values.hubble.metrics.dashboards.annotations }} + {{- if or $.Values.hubble.metrics.dashboards.annotations $.Values.hubble.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with $.Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.hubble.metrics.dashboards.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} data: {{ $dashboardName }}.json: {{ $.Files.Get $path | toJson }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml b/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml index 0c72c0de..ab5cfbab 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/metrics-service.yaml 
@@ -9,6 +9,9 @@ metadata: app.kubernetes.io/name: hubble app.kubernetes.io/part-of: cilium annotations: + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.hubble.metrics.serviceAnnotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml b/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml index f54fa6c6..7ba56456 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/peer-service.yaml @@ -4,6 +4,10 @@ kind: Service metadata: name: hubble-peer namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: k8s-app: cilium app.kubernetes.io/part-of: cilium diff --git a/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml b/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml index 27304ee8..3b3ba8ba 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/servicemonitor.yaml @@ -9,10 +9,15 @@ metadata: {{- with .Values.hubble.metrics.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} + {{- if or .Values.hubble.metrics.serviceMonitor.annotations .Values.hubble.annotations }} annotations: - {{- with .Values.hubble.metrics.serviceMonitor.annotations }} - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.hubble.metrics.serviceMonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} spec: selector: matchLabels: 
@@ -33,4 +38,7 @@ spec: metricRelabelings: {{- toYaml . | nindent 4 }} {{- end }} +{{- if .Values.hubble.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.hubble.metrics.serviceMonitor.jobLabel | quote }} +{{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml index 23bea64b..1dd96b18 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-client-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: hubble-relay-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml index 77f2800e..845b4fb8 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/relay-server-secret.yaml @@ -5,6 +5,10 @@ kind: Certificate metadata: name: hubble-relay-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: issuerRef: {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml index 1ca815fb..5f202e10 100644 
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/server-secret.yaml
@@ -6,6 +6,10 @@ kind: Certificate
 metadata:
   name: hubble-server-certs
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.hubble.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   issuerRef:
     {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
index 88d59490..5006666e 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-certmanager/ui-client-certs.yaml
@@ -5,6 +5,10 @@ kind: Certificate
 metadata:
   name: hubble-ui-client-certs
   namespace: {{ .Release.Namespace }}
+  {{- with .Values.hubble.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   issuerRef:
     {{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
index f3d595b7..4bee347a 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
@@ -60,5 +60,9 @@ spec:
       volumes:
       {{- toYaml . | nindent 6 }}
       {{- end }}
+      affinity:
+        {{- with .Values.certgen.affinity }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
   ttlSecondsAfterFinished: {{ .Values.certgen.ttlSecondsAfterFinished }}
 {{- end }}
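Review bot: In the `_job-spec.tpl` hunk the `affinity:` key is emitted unconditionally while its body sits inside `{{- with .Values.certgen.affinity }}`, so with the default (empty) value the certgen pod spec renders `affinity:` with a null value instead of omitting the field, which is the opposite of how the same diff handles optional maps (`{{- with .Values.hubble.annotations }}` wraps the `annotations:` key as well). Move the key inside the block: `{{- with .Values.certgen.affinity }}` / `affinity:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`, so the field only appears when an affinity is actually configured. The enclosing job spec starts outside the hunk; only its tail (`volumes`, `ttlSecondsAfterFinished`) is visible.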
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml index dc075670..74d07831 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrole.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: hubble-generate-certs + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium rules: diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml index ebe60279..5938f16c 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/clusterrolebinding.yaml @@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: hubble-generate-certs + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} labels: app.kubernetes.io/part-of: cilium roleRef: diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml index 5a5992cf..fa996608 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/cronjob.yaml 
@@ -8,10 +8,15 @@ metadata:
     k8s-app: hubble-generate-certs
     app.kubernetes.io/name: hubble-generate-certs
     app.kubernetes.io/part-of: cilium
+  {{- if or .Values.certgen.annotations.cronJob .Values.hubble.annotations }}
   annotations:
-    {{- with .Values.certgen.annotations.cronJob }}
-    {{- toYaml . | nindent 4 }}
+    {{- with .Values.hubble.annotations }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.certgen.annotations.cronJob }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
 spec:
   schedule: {{ .Values.hubble.tls.auto.schedule | quote }}
   concurrencyPolicy: Forbid
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml
index e748165a..9831fdc6 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/job.yaml
@@ -14,5 +14,8 @@ metadata:
     {{- with .Values.certgen.annotations.job }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.hubble.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 {{ include "hubble-generate-certs.job.spec" . }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml
index d538d67d..62a8de80 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-cronjob/serviceaccount.yaml
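Review bot: The job.yaml hunk appends `{{- with .Values.hubble.annotations }}` after `{{- with .Values.certgen.annotations.job }}`, whereas the cronjob.yaml hunk on the same line (and every other template in this diff) renders the shared `hubble.annotations` block first and the component-specific block second. When the same annotation key is set in both values the rendered `annotations:` mapping contains a duplicate key — whether the loader rejects it or keeps the last occurrence is loader-dependent — and the two resources resolve the clash in opposite directions, with the component-specific `certgen.annotations.job` losing in the Job but winning in the CronJob. Move the added three lines above `{{- with .Values.certgen.annotations.job }}` so precedence matches the CronJob. The `annotations:` key this block belongs to begins outside the hunk.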
@@ -4,8 +4,13 @@ kind: ServiceAccount metadata: name: {{ .Values.serviceAccounts.hubblecertgen.name | quote }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.hubblecertgen.annotations }} + {{- if or .Values.serviceAccounts.hubblecertgen.annotations .Values.hubble.annotations }} annotations: - {{- toYaml . | nindent 4 }} + {{- with .Values.hubble.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccounts.hubblecertgen.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml index 947565ea..e1d6e876 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-client-secret.yaml @@ -9,6 +9,10 @@ kind: Secret metadata: name: hubble-relay-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml index 2c2339d6..902c2be4 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/relay-server-secret.yaml @@ -10,6 +10,10 @@ kind: Secret metadata: name: hubble-relay-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} 
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml index cc3c1d91..a05c3266 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/server-secret.yaml @@ -10,6 +10,10 @@ kind: Secret metadata: name: hubble-server-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml index 90376d65..7b385b26 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-helm/ui-client-certs.yaml @@ -9,6 +9,10 @@ kind: Secret metadata: name: hubble-ui-client-certs namespace: {{ .Release.Namespace }} + {{- with .Values.hubble.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} type: kubernetes.io/tls data: ca.crt: {{ .ca.Cert | b64enc }} diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml index 4a15f646..b1512ed2 100644 --- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml +++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-client-secret.yaml 
@@ -4,6 +4,10 @@ kind: Secret
 metadata:
 name: hubble-relay-client-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
 ca.crt: {{ .Values.tls.ca.cert }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml
index 2038f785..07059143 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/relay-server-secret.yaml
@@ -4,6 +4,10 @@ kind: Secret
 metadata:
 name: hubble-relay-server-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
 ca.crt: {{ .Values.tls.ca.cert }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml
index ecc0bf07..f659a1fb 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/server-secret.yaml
@@ -4,6 +4,10 @@ kind: Secret
 metadata:
 name: hubble-server-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
 ca.crt: {{ .Values.tls.ca.cert }}
diff --git a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml
index 7ed9472d..ca7683a4 100644
--- a/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml
+++ b/packages/system/cilium/charts/cilium/templates/hubble/tls-provided/ui-client-certs.yaml
@@ -4,6 +4,10 @@ kind: Secret
 metadata:
 name: hubble-ui-client-certs
 namespace: {{ .Release.Namespace }}
+ {{- with .Values.hubble.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
 ca.crt: {{ .Values.tls.ca.cert }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml
index 57d7ae0d..90e2165d 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrole.yaml
@@ -3,6 +3,10 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 rules:
 # Required cluster role to allow spire-agent to query k8s API server
 - apiGroups: [ "" ]
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml
index f7290825..50fe9588 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/clusterrolebinding.yaml
@@ -4,6 +4,10 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 kind: ClusterRole
 name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml
index 21e1a70a..7d365ba6 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/configmap.yaml
@@ -4,6 +4,10 @@ kind: ConfigMap
 metadata:
 name: spire-agent
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 data:
 agent.conf: |
 agent {
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
index 3edda5d5..6c0bffe7 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
@@ -4,9 +4,14 @@ kind: DaemonSet
 metadata:
 name: spire-agent
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
- {{- with .Values.authentication.mutual.spire.install.server.annotations }}
+ {{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }}
 annotations:
- {{- toYaml . | nindent 8 }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.authentication.mutual.spire.install.server.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 labels:
 app: spire-agent
@@ -36,7 +41,8 @@ spec:
 {{- end }}
 initContainers:
 - name: init
- image: docker.io/library/busybox:1.35.0@sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b
+ image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}
+ imagePullPolicy: {{ .Values.authentication.mutual.spire.install.initImage.pullPolicy }}
 command:
 - /bin/sh
 - -c
@@ -44,7 +50,12 @@ spec:
 {{- tpl (.Files.Get "files/spire/wait-for-spire.bash") . | nindent 14 }}
 containers:
 - name: spire-agent
+ {{- if eq (typeOf .Values.authentication.mutual.spire.install.agent.image) "string" }}
 image: {{ .Values.authentication.mutual.spire.install.agent.image }}
+ {{- else }}
+ image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.agent.image | quote }}
+ imagePullPolicy: {{ .Values.authentication.mutual.spire.install.agent.image.pullPolicy }}
+ {{- end }}
 args: ["-config", "/run/spire/config/agent.conf"]
 {{- with .Values.authentication.mutual.spire.install.agent.securityContext }}
 securityContext:
diff --git a/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml
index f155b5e6..95f7e431 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/serviceaccount.yaml
@@ -4,4 +4,8 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }}
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml b/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml
index 986e6604..389b8d58 100644
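Review bot: In the `@@ -36,7 +41,8 @@` hunk the init container image moves from an inline, digest-pinned `docker.io/library/busybox:1.35.0@sha256:...` reference to `{{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}`, so whether the image stays pinned now depends entirely on the `initImage` value block, which is not in this diff. If the vendored values do not carry a `digest` with `useDigest: true` for `initImage`, this silently drops the pin for a container that runs `wait-for-spire.bash`; the same substitution appears in the spire-server statefulset hunk `@@ -29,20 +34,30 @@`. A one-line comment above the image line, `# initImage is resolved by cilium.image; keep initImage.digest/useDigest set so the busybox pin is preserved`, makes the expectation explicit for whoever edits values. The daemonset container spec continues outside the hunk.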
--- a/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/bundle-configmap.yaml
@@ -4,4 +4,8 @@ kind: ConfigMap
 metadata:
 name: spire-bundle
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml b/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml
index a0f3e23d..ccd38680 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/namespace.yaml
@@ -1,6 +1,10 @@
-{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}}
+{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled (not .Values.authentication.mutual.spire.install.existingNamespace) -}}
 apiVersion: v1
 kind: Namespace
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml
index 95cc911a..31bc2de1 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrole.yaml
@@ -4,6 +4,10 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 rules:
 # ClusterRole to allow spire-server node attestor to query Token Review API
 - apiGroups: [ "authentication.k8s.io" ]
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml
index aaefe4ff..4a04d80c 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/clusterrolebinding.yaml
@@ -3,6 +3,10 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 kind: ClusterRole
 name: spire-server
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml
index 9785c11e..d7347595 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/configmap.yaml
@@ -4,6 +4,10 @@ kind: ConfigMap
 metadata:
 name: spire-server
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 data:
 server.conf: |
 server {
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml
index 38e0b113..2d38fe14 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/role.yaml
@@ -4,6 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 rules:
 # Role (namespace scoped) to be able to push certificate bundles to a configmap
 - apiGroups: [ "" ]
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml
index a3e18731..497bd60c 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/rolebinding.yaml
@@ -4,6 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -18,6 +22,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}-pod
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
index 31fee016..32288a44 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/service.yaml
@@ -4,9 +4,14 @@ kind: Service
 metadata:
 name: spire-server
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
- {{- with .Values.authentication.mutual.spire.install.server.service.annotations }}
+ {{- if or .Values.authentication.mutual.spire.install.server.service.annotations .Values.authentication.mutual.spire.annotations }}
 annotations:
- {{- toYaml . | nindent 8 }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.authentication.mutual.spire.install.server.service.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 {{- with .Values.authentication.mutual.spire.install.server.service.labels }}
 labels:
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml
index 2d4aa4a3..cd365c89 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/serviceaccount.yaml
@@ -4,4 +4,8 @@ kind: ServiceAccount
 metadata:
 name: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
diff --git a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
index 43c2c9ee..49ab9690 100644
--- a/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/server/statefulset.yaml
@@ -4,9 +4,14 @@ kind: StatefulSet
 metadata:
 name: spire-server
 namespace: {{ .Values.authentication.mutual.spire.install.namespace }}
- {{- with .Values.authentication.mutual.spire.install.server.annotations }}
+ {{- if or .Values.authentication.mutual.spire.install.server.annotations .Values.authentication.mutual.spire.annotations }}
 annotations:
- {{- toYaml . | nindent 8 }}
+ {{- with .Values.authentication.mutual.spire.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.authentication.mutual.spire.install.server.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- end }}
 labels:
 app: spire-server
@@ -29,20 +34,30 @@ spec:
 spec:
 serviceAccountName: {{ .Values.authentication.mutual.spire.install.server.serviceAccount.name }}
 shareProcessNamespace: true
+ {{- with .Values.authentication.mutual.spire.install.server.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if gt (len .Values.authentication.mutual.spire.install.server.initContainers) 0 }}
 initContainers:
 {{- toYaml .Values.authentication.mutual.spire.install.server.initContainers | nindent 8 }}
 {{- end }}
 containers:
 - name: cilium-init
- image: docker.io/library/busybox:1.35.0@sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b
+ image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.initImage | quote }}
+ imagePullPolicy: {{ .Values.authentication.mutual.spire.install.initImage.pullPolicy }}
 command:
 - /bin/sh
 - -c
 - |
 {{- tpl (.Files.Get "files/spire/init.bash") . | nindent 12 }}
 - name: spire-server
+ {{- if eq (typeOf .Values.authentication.mutual.spire.install.server.image) "string" }}
 image: {{ .Values.authentication.mutual.spire.install.server.image }}
+ {{- else }}
+ image: {{ include "cilium.image" .Values.authentication.mutual.spire.install.server.image | quote }}
+ imagePullPolicy: {{ .Values.authentication.mutual.spire.install.server.image.pullPolicy }}
+ {{- end }}
 args:
 - -config
 - /run/spire/config/server.conf
@@ -75,6 +90,10 @@ spec:
 port: 8080
 initialDelaySeconds: 5
 periodSeconds: 5
+ {{- with .Values.authentication.mutual.spire.install.server.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 {{- with .Values.authentication.mutual.spire.install.server.affinity }}
 affinity:
 {{- toYaml . | nindent 8 }}
diff --git a/packages/system/cilium/charts/cilium/templates/validate.yaml b/packages/system/cilium/charts/cilium/templates/validate.yaml
index dfb5cb30..3c89e4e3 100644
--- a/packages/system/cilium/charts/cilium/templates/validate.yaml
+++ b/packages/system/cilium/charts/cilium/templates/validate.yaml
@@ -30,6 +30,10 @@
 {{- end }}
 {{- end }}
+{{- if and .Values.hubble.redact.http.headers.allow .Values.hubble.redact.http.headers.deny }}
+ {{ fail "Only one of .Values.hubble.redact.http.headers.allow, .Values.hubble.redact.http.headers.deny can be specified"}}
+{{- end }}
+
 
 {{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }}
 {{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
 {{ fail "ClusterMesh TLS certgen method=certmanager requires that user specifies .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef" }}
@@ -74,3 +78,26 @@
 {{ fail "if Cilium Endpoint Slice is enabled (.Values.enableCiliumEndpointSlice=true), it requires .Values.disableEndpointCRD=false" }}
 {{- end }}
 {{- end }}
+
+{{/* validate clustermesh-apiserver */}}
+{{- if .Values.clustermesh.useAPIServer }}
+ {{- if ne .Values.identityAllocationMode "crd" }}
+ {{ fail (printf "The clustermesh-apiserver cannot be enabled in combination with .Values.identityAllocationMode=%s. To establish a Cluster Mesh, directly configure the parameters to access the remote kvstore through .Values.clustermesh.config" .Values.identityAllocationMode ) }}
+ {{- end }}
+ {{- if .Values.disableEndpointCRD }}
+ {{ fail "The clustermesh-apiserver cannot be enabled in combination with .Values.disableEndpointCRD=true" }}
+ {{- end }}
+{{- end }}
+{{- if .Values.externalWorkloads.enabled }}
+ {{- if ne .Values.identityAllocationMode "crd" }}
+ {{ fail (printf "External workloads support cannot be enabled in combination with .Values.identityAllocationMode=%s" .Values.identityAllocationMode ) }}
+ {{- end }}
+ {{- if .Values.disableEndpointCRD }}
+ {{ fail "External workloads support cannot be enabled in combination with .Values.disableEndpointCRD=true" }}
+ {{- end }}
+{{- end }}
+
+{{/*validate ClusterMesh */}}
+{{- if and (ne (int .Values.clustermesh.maxConnectedClusters) 255) (ne (int .Values.clustermesh.maxConnectedClusters) 511) }}
+ {{- fail "max-connected-clusters must be set to 255 or 511" }}
+{{- end }}
diff --git a/packages/system/cilium/charts/cilium/values.yaml b/packages/system/cilium/charts/cilium/values.yaml
index 6774bd6c..3ee7a577 100644
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -1,10 +1,10 @@ # File generated by install/kubernetes/Makefile; DO NOT EDIT. -# This file is based on install/kubernetes/cilium/values.yaml.tmpl. +# This file is based on install/kubernetes/cilium/*values.yaml.tmpl. # upgradeCompatibility helps users upgrading to ensure that the configMap for # Cilium will not change critical values to ensure continued operation -# This is flag is not required for new installations. +# This flag is not required for new installations. # For example: 1.7, 1.8, 1.9 # upgradeCompatibility: '1.8' @@ -15,6 +15,7 @@ debug: # This option is used to enable debug messages for operations related to such # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). # # Applicable values: # - flow @@ -46,11 +47,13 @@ k8sServicePort: "" # rate limit, the agent and operator will start to throttle requests by delaying # them until there is budget or the request times out. k8sClientRateLimit: - # -- The sustained request rate in requests per second. - qps: 5 - # -- The burst request rate in requests per second. + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. # The rate limiter will allow short bursts with a higher rate. - burst: 10 + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. 
@@ -143,10 +146,10 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.14.10" + tag: "v1.15.5" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031" + digest: "sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40" useDigest: true # -- Affinity for cilium-agent. @@ -211,9 +214,14 @@ extraConfig: {} # test 2 # test 3 -# -- Security Context for cilium-agent pods. -podSecurityContext: {} +# -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) +annotations: {} +# -- Security Context for cilium-agent pods. +podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to agent pods podAnnotations: {} @@ -404,6 +412,12 @@ bgp: bgpControlPlane: # -- Enables the BGP control plane. enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to @@ -452,7 +466,17 @@ bpf: # @default -- `524288` neighMax: ~ + # @schema + # type: [null, integer] + # @schema + # @default -- `16384` + # -- (int) Configures the maximum number of entries for the node table. + nodeMapMax: ~ + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + # @schema + # type: [null, integer] + # @schema policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. 
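Review bot: The `podSecurityContext` default in the `@@ -211,9 +214,14 @@` hunk now ships `appArmorProfile: type: "Unconfined"` where the previous default was an empty `{}`, so every cilium-agent pod is explicitly opted out of AppArmor and the adjacent comment does not say why. This values.yaml is marked generated and is vendored here, so the place to tighten it is the wrapping chart's values, where the default can be kept with a documented rationale (presumably the agent's BPF and mount work needs it — confirm against upstream) or replaced with a profile the nodes actually provide. At minimum the comment should read `# -- AppArmorProfile options for the cilium-agent and init containers; Unconfined disables AppArmor for the agent pod, override it where nodes enforce a profile` so the loosening is visible to whoever reviews the rendered values.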
@@ -585,6 +609,12 @@ cni: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + # -- (string) Configure how frequently garbage collection should occur for the datapath # connection tracking table. # @default -- `"0s"` @@ -646,7 +676,8 @@ daemon: # -- Specify which network interfaces can run the eBPF datapath. This means # that a packet sent from a pod to a destination outside the cluster will be # masqueraded (to an output device IPv4 address), if the output device runs the -# program. When not specified, probing will automatically detect devices. +# program. When not specified, probing will automatically detect devices that have +# a non-local route. This should be used only when autodetection is not suitable. # devices: "" # -- Enables experimental support for the detection of new and removed datapath @@ -661,13 +692,6 @@ enableRuntimeDeviceDetection: false # -- Limit iptables-based egress masquerading to interface selector. # egressMasqueradeInterfaces: "" -# -- Whether to enable CNP status updates. -enableCnpStatusUpdates: false - -# -- Configures the use of the KVStore to optimize Kubernetes event handling by -# mirroring it into the KVstore for reduced overhead in large clusters. -enableK8sEventHandover: false - # -- Enable setting identity mark for local traffic. # enableIdentityMark: true 
@@ -709,8 +733,10 @@ ingressController: # Incoming traffic to http listener will return 308 http error code with respective location in header. enforceHttps: true - # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate - # from Ingress to the Load Balancer service + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. + enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] # -- Default secret namespace for ingresses without .spec.tls[].secretName set. @@ -788,6 +814,18 @@ encryption: # This option is only effective when encryption.type is set to "wireguard". nodeEncryption: false + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. keyFile: "" @@ -812,6 +850,8 @@ encryption: wireguard: # -- Enables the fallback to the user-space implementation. userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. # Name of the key file inside the Kubernetes secret configured via secretName. 
@@ -933,8 +973,8 @@ certgen: image: override: ~ repository: "quay.io/cilium/certgen" - tag: "v0.1.11" - digest: "sha256:5586de5019abc104637a9818a626956cd9b1e827327b958186ec412ae3d5dea6" + tag: "v0.1.12" + digest: "sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e" useDigest: true pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted @@ -955,10 +995,16 @@ certgen: # -- Additional certgen volumeMounts. extraVolumeMounts: [] + # -- Affinity for certgen + affinity: {} + hubble: # -- Enable Hubble (true by default). enabled: true + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. # eventQueueSize: "" @@ -987,7 +1033,7 @@ hubble: # # You can specify the list of metrics from the helm CLI: # - # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" # enabled: ~ # -- Enables exporting hubble metrics in OpenMetrics format. @@ -1005,6 +1051,8 @@ hubble: labels: {} # -- Annotations to add to ServiceMonitor hubble annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor hubble 
@@ -1028,6 +1076,81 @@ hubble: # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. + # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. 
+ # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + # -- An additional address for Hubble to listen to. # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that # Hubble is listening on port 4244. @@ -1109,9 +1232,9 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.14.10" + tag: "v1.15.5" # hubble-relay-digest - digest: "sha256:c156c4fc2da520d2876142ea17490440b95431a1be755d2050e72115a495cfd0" + digest: "sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781" useDigest: true pullPolicy: "IfNotPresent" @@ -1148,6 +1271,9 @@ hubble: # -- Additional hubble-relay environment variables. extraEnv: [] + # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) + annotations: {} + # -- Annotations to be added to hubble-relay pods podAnnotations: {} @@ -1235,6 +1361,12 @@ hubble: extraDnsNames: [] # -- extra IP addresses added to certificate when its auto gen extraIpAddresses: [] + # DNS name used by the backend to connect to the relay + # This is a simple workaround as the relay certificates are currently hardcoded to + # *.hubble-relay.cilium.io + # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 + # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local + relayName: "ui.hubble-relay.cilium.io" # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). dialTimeout: ~ 
@@ -1354,6 +1486,14 @@ hubble: # -- Additional hubble-ui backend volumeMounts. extraVolumeMounts: [] + livenessProbe: + # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + + readinessProbe: + # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. resources: {} # limits: @@ -1401,6 +1541,9 @@ hubble: # -- The number of replicas of Hubble UI to deploy. replicas: 1 + # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) + annotations: {} + # -- Annotations to be added to hubble-ui pods podAnnotations: {} 
@@ -1480,6 +1623,55 @@ hubble: # hosts: # - chart-example.local + # -- Hubble flows export. + export: + # --- Defines max file size of output file before it gets rotated. + fileMaxSizeMb: 10 + # --- Defines max number of backup/rotated files. + fileMaxBackups: 5 + # --- Static exporter configuration. + # Static exporter is bound to agent lifecycle. + static: + enabled: false + filePath: /var/run/cilium/hubble/events.log + fieldMask: [] + # - time + # - source + # - destination + # - verdict + allowList: [] + # - '{"verdict":["DROPPED","ERROR"]}' + denyList: [] + # - '{"source_pod":["kube-system/"]}' + # - '{"destination_pod":["kube-system/"]}' + # --- Dynamic exporters configuration. + # Dynamic exporters may be reconfigured without a need of agent restarts. + dynamic: + enabled: false + config: + # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. + configMapName: cilium-flowlog-config + # ---- True if helm installer should create config map. + # Switch to false if you want to self maintain the file content. + createConfigMap: true + # ---- Exporters configuration in YAML format. + content: + - name: all + fieldMask: [] + includeFilters: [] + excludeFilters: [] + filePath: "/var/run/cilium/hubble/events.log" + #- name: "test002" + # filePath: "/var/log/network/flow-log/pa/test002.log" + # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] + # includeFilters: + # - source_pod: ["default/"] + # event_type: + # - type: 1 + # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] + # excludeFilters: [] + # end: "2023-10-09T23:59:59-07:00" + # -- Method to use for identity allocation (`crd` or `kvstore`). identityAllocationMode: "crd" 
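Review bot: `dynamic.config.configMapName: cilium-flowlog-config` is described as reconfiguring exporters inside running agents, and each entry under `content` carries a `filePath` plus include/exclude filters, so whoever can write that ConfigMap can redirect or silence flow logging on every node without a restart; the hunk does not say so. A line such as `# Write access to this ConfigMap controls where agents write flow logs and which flows are filtered; restrict it accordingly.` next to `configMapName` would make that visible, regardless of `createConfigMap`. Minor style point: `static.filePath` is plain while the dynamic entry quotes the same path as `"/var/run/cilium/hubble/events.log"`; one form would read more consistently. The identical hunk appears again for values.yaml.tmpl later in the diff.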
@@ -1530,6 +1722,9 @@ ipam: # @default -- `4.0` externalAPILimitQPS: ~ +# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API +apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false @@ -1628,21 +1823,23 @@ maglev: {} # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true -# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods -enableIPv6BIGTCP: false +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. +enableIPv6Masquerade: true + +# -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. +enableMasqueradeRouteSource: false # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods enableIPv4BIGTCP: false -# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. -enableIPv6Masquerade: true +# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods +enableIPv6BIGTCP: false -# -- Enables egress gateway to redirect and SNAT the traffic that leaves the -# cluster. egressGateway: + # -- Enables egress gateway to redirect and SNAT the traffic that leaves the + # cluster. enabled: false - # -- Install egress gateway IP rules and routes in order to properly steer - # egress gateway traffic to the correct ENI interface + # -- Deprecated without a replacement necessary. installRoutes: false # -- Time between triggers of egress gateway state reconciliations reconciliationTriggerInterval: 1s 
@@ -1707,8 +1904,11 @@ loadBalancer: # mode: snat # -- acceleration is the option to accelerate service handling via XDP - # e.g. native, disabled - # acceleration: disabled + # Applicable values can be: disabled (do not use XDP), native (XDP BPF + # program is run directly out of the networking driver's early receive + # path), or best-effort (use native mode XDP acceleration on devices + # that support it). + acceleration: disabled # -- dsrDispatch configures whether IP option or IPIP encapsulation is # used to pass a service IP and port to remote backend @@ -1757,6 +1957,10 @@ nodePort: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true + # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs + # EnableHealthCheck to be enabled + enableHealthCheckLoadBalancerIP: false + # policyAuditMode: false # -- The agent can be put into one of the three policy enforcement modes: @@ -1764,6 +1968,10 @@ nodePort: # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" +# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. +# The possible value is "nodes". +policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false @@ -1784,6 +1992,8 @@ prometheus: labels: {} # -- Annotations to add to ServiceMonitor cilium-agent annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-agent + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Specify the Kubernetes namespace where Prometheus expects to find 
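Review bot: `policyCIDRMatchMode:` in the `@@ -1764,6 +1968,10 @@` hunk is left as a bare empty value, which parsers load as null, whereas this file writes an intentionally unset value as `~` (`externalAPILimitQPS: ~` and `apiRateLimit: ~` in the preceding hunks); since the comment describes a list, `[]` may be the better default. Writing `policyCIDRMatchMode: ~` (or `[]`) together with a `# @default --` line would make the intent explicit for readers and for generated docs. The same hunk appears again for values.yaml.tmpl in the later file section.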
@@ -1806,6 +2016,15 @@ prometheus: # ref: https://docs.cilium.io/en/stable/observability/metrics/ metrics: ~ + # --- Enable controller group metrics for monitoring specific Cilium + # subsystems. The list is a list of controller group names. The special + # values of "all" and "none" are supported. The set of controller + # group names is not guaranteed to be stable between Cilium versions. + controllerGroupMetrics: + - write-cni-file + - sync-host-ips + - sync-lb-maps-with-k8s-services + # -- Grafana dashboards for cilium-agent # grafana can import dashboards based on the label and value # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards @@ -1848,14 +2067,18 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyIngress: 0 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyEgress: 0 # -- Envoy container image. image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f" + tag: "v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515" pullPolicy: "IfNotPresent" - digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc" + digest: "sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
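Review bot: The new `xffNumTrustedHopsL7PolicyIngress` and `xffNumTrustedHopsL7PolicyEgress` keys in the `@@ -1848,14 +2067,18 @@` hunk default to `0`, which is the conservative setting, but the comments do not say what raising them implies: the listener then trusts that many client-supplied hops in `x-forwarded-for`, so a value larger than the number of proxies actually in front of it lets a client choose the address Envoy sees. A short addition under each key, e.g. `# Only raise this when every hop in front of the listener is a proxy you control.`, would make the trade-off visible. The `envoy:` mapping these belong to starts outside the hunk.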
@@ -1897,9 +2120,14 @@ envoy: # -- Roll out cilium envoy pods automatically when configmap is updated. rollOutPods: false - # -- Security Context for cilium-envoy pods. - podSecurityContext: {} + # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) + annotations: {} + # -- Security Context for cilium-envoy pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to envoy pods podAnnotations: {} @@ -2037,6 +2265,7 @@ envoy: # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +# Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -2117,15 +2346,6 @@ tls: # ... # -----END CERTIFICATE----- -# -- Configure the encapsulation configuration for communication between nodes. -# Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. -# Possible values: -# - disabled -# - vxlan -# - geneve -# @default -- `"vxlan"` -tunnel: "" - # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. # Possible values: # - "" @@ -2146,6 +2366,13 @@ routingMode: "" # @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 +# -- Configure what the response should be to traffic for a service without backends. +# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". +# Possible values: +# - reject (default) +# - drop +serviceNoBackendResponse: reject + # -- Configure the underlying network MTU to overwrite auto-detected MTU. MTU: 0 
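Review bot: The comment on the new `appArmorProfile` under `envoy.podSecurityContext` says it applies to the `cilium-agent` and init containers, but this block configures the cilium-envoy pods, so it reads as copied from the agent section. Beyond the name, defaulting `type: "Unconfined"` opts these pods out of AppArmor confinement and nothing on the page records why; a line such as `# -- AppArmorProfile for the cilium-envoy pods. Unconfined is the default because <REASON-PLACEHOLDER>; set RuntimeDefault or Localhost to re-enable confinement.` (with the real reason filled in) would let operators judge the change. The same default is added for nodeinit later in this file and for the agent in the values.yaml.tmpl section of the diff.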
@@ -2201,6 +2428,9 @@ etcd: nodeSelector: kubernetes.io/os: linux + # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) + annotations: {} + # -- Security context to be added to cilium-etcd-operator pods podSecurityContext: {} @@ -2269,15 +2499,15 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.14.10" + tag: "v1.15.5" # operator-generic-digest - genericDigest: "sha256:415b7f0bb0e7339c6231d4b9ee74a6a513b2865acfccec884dbc806ecc3dd909" + genericDigest: "sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8" # operator-azure-digest - azureDigest: "sha256:404a46bb0a232c7d5ab7ab97a1d1a55635cdf0e334529a18d1ddb50f4aad71b4" + azureDigest: "sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522" # operator-aws-digest - awsDigest: "sha256:72440aa4cb8a42dddb05cfc74c6fba0a18d0902b1e434f5dcde8dca0354a8be6" + awsDigest: "sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:2fbb53c2fc9c7203db9065c4e6cedb8e98d32d5ebc64549949636b5344cd1f14" + alibabacloudDigest: "sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3" useDigest: true pullPolicy: "IfNotPresent" suffix: "" @@ -2349,6 +2579,9 @@ operator: # -- Additional cilium-operator volumeMounts. extraVolumeMounts: [] + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + # -- Security context to be added to cilium-operator pods podSecurityContext: {} @@ -2409,7 +2642,7 @@ operator: # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: false + enabled: true port: 9963 serviceMonitor: # -- Enable service monitors. 
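Review bot: Flipping `operator.prometheus.enabled` to `true` in the `@@ -2409,7 +2642,7 @@` hunk turns on the operator's metrics endpoint on `port: 9963` for every install, while the comment above it (`Enable prometheus metrics for cilium-operator on the configured port at /metrics`) still reads like an opt-in. Nothing in the hunk adds authentication or restricts who can reach the port, so the comment should state that the endpoint is now on by default and which key turns it off. The same default flip is applied to `clustermesh.apiserver.metrics.etcd.enabled` further down in the diff.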
@@ -2419,6 +2652,8 @@ operator: labels: {} # -- Annotations to add to ServiceMonitor cilium-operator annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor cilium-operator @@ -2467,8 +2702,8 @@ nodeinit: image: override: ~ repository: "quay.io/cilium/startup-script" - tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" - digest: "sha256:e1d442546e868db1a3289166c14011e0dbd32115b338b963e56f830972bc22a2" + tag: "19fb149fb3d5c7a37d3edfaf10a2be3ab7386661" + digest: "sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456" useDigest: true pullPolicy: "IfNotPresent" @@ -2505,12 +2740,19 @@ nodeinit: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + # -- Annotations to be added to node-init pods. podAnnotations: {} # -- Labels to be added to node-init pods. podLabels: {} - + # -- Security Context for cilium-node-init pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-node-init` and init containers + appArmorProfile: + type: "Unconfined" # -- nodeinit resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: @@ -2556,9 +2798,9 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.14.10" + tag: "v1.15.5" # cilium-digest - digest: "sha256:0a1bcd2859c6d18d60dba6650cca8c707101716a3e47b126679040cbd621c031" + digest: "sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40" useDigest: true pullPolicy: "IfNotPresent" 
@@ -2611,6 +2853,9 @@ preflight: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + # -- Security context to be added to preflight pods. podSecurityContext: {} @@ -2670,6 +2915,15 @@ enableCriticalPriorityClass: true clustermesh: # -- Deploy clustermesh-apiserver for clustermesh useAPIServer: false + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. + maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} # -- Clustermesh explicit configuration. config: @@ -2706,21 +2960,16 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.14.10" + tag: "v1.15.5" # clustermesh-apiserver-digest - digest: "sha256:609fea274caa016f15646f6e0b0f1f7c56b238c551e7b261bc1e99ce64f7b798" + digest: "sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7" useDigest: true pullPolicy: "IfNotPresent" etcd: - # -- Clustermesh API server etcd image. - image: - override: ~ - repository: "quay.io/coreos/etcd" - tag: "v3.5.4" - digest: "sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3" - useDigest: true - pullPolicy: "IfNotPresent" + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. # -- Specifies the resources for etcd container in the apiserver resources: {} 
@@ -2734,6 +2983,9 @@ clustermesh: # -- Security context to be added to clustermesh-apiserver etcd containers securityContext: {} + # -- lifecycle setting for the etcd container + lifecycle: {} + init: # -- Specifies the resources for etcd init container in the apiserver resources: {} @@ -2744,21 +2996,17 @@ clustermesh: # cpu: 100m # memory: 100Mi + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + kvstoremesh: # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved # from the remote clusters in the local etcd instance. enabled: false - # -- KVStoreMesh image. - image: - override: ~ - repository: "quay.io/cilium/kvstoremesh" - tag: "v1.14.10" - # kvstoremesh-digest - digest: "sha256:871ec4e3b07401d90b4433c7e2b7210b9b0c5f1a536caab3d0281a5faeea5070" - useDigest: true - pullPolicy: "IfNotPresent" - # -- Additional KVStoreMesh arguments. extraArgs: [] @@ -2784,6 +3032,9 @@ clustermesh: drop: - ALL + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + service: # -- The type of service used for apiserver access. type: NodePort @@ -2814,6 +3065,12 @@ clustermesh: # -- Number of replicas run for the clustermesh-apiserver deployment. replicas: 1 + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + # -- Additional clustermesh-apiserver arguments. extraArgs: [] 
@@ -2956,17 +3213,6 @@ clustermesh: # name: ca-issuer # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. certManagerIssuerRef: {} - # -- Deprecated in favor of tls.ca. To be removed in 1.15. - # base64 encoded PEM values for the ExternalWorkload CA certificate and private key. - ca: - # -- Deprecated in favor of tls.ca.cert. To be removed in 1.15. - # Optional CA cert. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - cert: "" - # -- Deprecated in favor of tls.ca.key. To be removed in 1.15. - # Optional CA private key. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - key: "" # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. # Used if 'auto' is not enabled. server: @@ -3007,7 +3253,7 @@ clustermesh: etcd: # -- Enables exporting etcd metrics in OpenMetrics format. - enabled: false + enabled: true # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. mode: basic # -- Configure the port the etcd metric server listens on. @@ -3133,10 +3379,14 @@ authentication: mutual: # -- Port on the agent where mutual authentication handshakes between agents will be performed port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s # Settings for SPIRE spire: # -- Enable SPIRE integration (beta) enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} # Settings to control the SPIRE installation and configuration install: # -- Enable SPIRE installation. 
@@ -3144,10 +3394,26 @@ authentication: enabled: true # -- SPIRE namespace to install into namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "docker.io/library/busybox" + tag: "1.36.1" + digest: "sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b" + useDigest: true + pullPolicy: "IfNotPresent" # SPIRE agent configuration agent: # -- SPIRE agent image - image: ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823 + image: + override: ~ + repository: "ghcr.io/spiffe/spire-agent" + tag: "1.8.5" + digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" + useDigest: true + pullPolicy: "IfNotPresent" # -- SPIRE agent service account serviceAccount: create: true @@ -3189,7 +3455,13 @@ authentication: securityContext: {} server: # -- SPIRE server image - image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f + image: + override: ~ + repository: "ghcr.io/spiffe/spire-server" + tag: "1.8.5" + digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" + useDigest: true + pullPolicy: "IfNotPresent" # -- SPIRE server service account serviceAccount: create: true 
@@ -3226,6 +3498,14 @@ authentication: accessMode: ReadWriteOnce # -- StorageClass of the SPIRE server data storage storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} # SPIRE CA configuration ca: # -- SPIRE CA key type diff --git a/packages/system/cilium/charts/cilium/values.yaml.tmpl b/packages/system/cilium/charts/cilium/values.yaml.tmpl index 481bbe7b..679b4cac 100644 --- a/packages/system/cilium/charts/cilium/values.yaml.tmpl +++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl @@ -1,7 +1,7 @@ # upgradeCompatibility helps users upgrading to ensure that the configMap for # Cilium will not change critical values to ensure continued operation -# This is flag is not required for new installations. +# This flag is not required for new installations. # For example: 1.7, 1.8, 1.9 # upgradeCompatibility: '1.8' @@ -12,6 +12,7 @@ debug: # This option is used to enable debug messages for operations related to such # sub-system such as (e.g. kvstore, envoy, datapath or policy), and flow is # for enabling debug messages emitted per request, message and connection. + # Multiple values can be set via a space-separated string (e.g. "datapath envoy"). # # Applicable values: # - flow 
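Review bot: The comment on the new container-level `securityContext` under the SPIRE server repeats the pod-level wording ("SecurityContext holds pod-level security attributes and common container settings") while its ref link points at the container section; only the `podSecurityContext` comment above it should say pod-level. Changing it to `# SecurityContext holds container-level security attributes and common container settings.` stops the two entries from reading as duplicates. Both default to `{}`, so the chart applies none of the restrictions it uses elsewhere (the `drop: - ALL` seen in the clustermesh hunks earlier); a sentence pointing at a recommended value would help operators.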
@@ -43,11 +44,13 @@ k8sServicePort: "" # rate limit, the agent and operator will start to throttle requests by delaying # them until there is budget or the request times out. k8sClientRateLimit: - # -- The sustained request rate in requests per second. - qps: 5 - # -- The burst request rate in requests per second. + # -- (int) The sustained request rate in requests per second. + # @default -- 5 for k8s up to 1.26. 10 for k8s version 1.27+ + qps: + # -- (int) The burst request rate in requests per second. # The rate limiter will allow short bursts with a higher rate. - burst: 10 + # @default -- 10 for k8s up to 1.26. 20 for k8s version 1.27+ + burst: cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. @@ -208,9 +211,14 @@ extraConfig: {} # test 2 # test 3 -# -- Security Context for cilium-agent pods. -podSecurityContext: {} +# -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent) +annotations: {} +# -- Security Context for cilium-agent pods. +podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to agent pods podAnnotations: {} @@ -405,6 +413,12 @@ bgp: bgpControlPlane: # -- Enables the BGP control plane. enabled: false + # -- SecretsNamespace is the namespace which BGP support will retrieve secrets from. + secretsNamespace: + # -- Create secrets namespace for BGP secrets. + create: false + # -- The name of the secret namespace to which Cilium agents are given read access + name: kube-system pmtuDiscovery: # -- Enable path MTU discovery to send ICMP fragmentation-needed replies to 
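Review bot: `qps:` and `burst:` under `k8sClientRateLimit` are now bare empty values, which YAML parsers load as null and which this file otherwise spells `~` (`override: ~`, `neighMax: ~`); the `@default` comments explain the version-dependent defaults, but a bare key can also be mistaken for an accidentally deleted value. Writing `qps: ~` and `burst: ~` follows the file's own convention, and the `# @schema` / `type: [null, integer]` annotation added for `nodeMapMax` in a later hunk would fit here as well.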
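Review bot: In the `@@ -405,6 +413,12 @@ bgp:` hunk, `secretsNamespace.name: kube-system` with `create: false` means the agent is, per the comment, given read access to secrets in kube-system, the namespace that already holds the cluster's most sensitive objects, and the hunk does not call that out. A comment such as `# The agent receives read access to secrets in this namespace; prefer a dedicated namespace (create: true) over kube-system.` would steer users toward the narrower grant. Whether that access is namespace-wide or limited to named secrets is not visible here and is worth confirming against the RBAC templates.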
@@ -453,7 +467,17 @@ bpf: # @default -- `524288` neighMax: ~ + # @schema + # type: [null, integer] + # @schema + # @default -- `16384` + # -- (int) Configures the maximum number of entries for the node table. + nodeMapMax: ~ + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + # @schema + # type: [null, integer] + # @schema policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. @@ -586,6 +610,12 @@ cni: # inside the agent pod. hostConfDirMountPath: /host/etc/cni/net.d + # -- Specifies the resources for the cni initContainer + resources: + requests: + cpu: 100m + memory: 10Mi + # -- (string) Configure how frequently garbage collection should occur for the datapath # connection tracking table. # @default -- `"0s"` @@ -647,7 +677,8 @@ daemon: # -- Specify which network interfaces can run the eBPF datapath. This means # that a packet sent from a pod to a destination outside the cluster will be # masqueraded (to an output device IPv4 address), if the output device runs the -# program. When not specified, probing will automatically detect devices. +# program. When not specified, probing will automatically detect devices that have +# a non-local route. This should be used only when autodetection is not suitable. # devices: "" # -- Enables experimental support for the detection of new and removed datapath @@ -662,13 +693,6 @@ enableRuntimeDeviceDetection: false # -- Limit iptables-based egress masquerading to interface selector. # egressMasqueradeInterfaces: "" -# -- Whether to enable CNP status updates. -enableCnpStatusUpdates: false - -# -- Configures the use of the KVStore to optimize Kubernetes event handling by -# mirroring it into the KVstore for reduced overhead in large clusters. -enableK8sEventHandover: false - # -- Enable setting identity mark for local traffic. # enableIdentityMark: true 
@@ -710,8 +734,10 @@ ingressController: # Incoming traffic to http listener will return 308 http error code with respective location in header. enforceHttps: true - # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate - # from Ingress to the Load Balancer service + # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled. + enableProxyProtocol: false + + # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com'] # -- Default secret namespace for ingresses without .spec.tls[].secretName set. @@ -789,6 +815,18 @@ encryption: # This option is only effective when encryption.type is set to "wireguard". nodeEncryption: false + # -- Configure the WireGuard Pod2Pod strict mode. + strictMode: + # -- Enable WireGuard Pod2Pod strict mode. + enabled: false + + # -- CIDR for the WireGuard Pod2Pod strict mode. + cidr: "" + + # -- Allow dynamic lookup of remote node identities. + # This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap. + allowRemoteNodeIdentities: false + ipsec: # -- Name of the key file inside the Kubernetes secret configured via secretName. keyFile: "" @@ -813,6 +851,8 @@ encryption: wireguard: # -- Enables the fallback to the user-space implementation. userspaceFallback: false + # -- Controls Wireguard PersistentKeepalive option. Set 0s to disable. + persistentKeepalive: 0s # -- Deprecated in favor of encryption.ipsec.keyFile. To be removed in 1.15. # Name of the key file inside the Kubernetes secret configured via secretName. 
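Review bot: `enableProxyProtocol` is introduced with only the note that non-PROXY traffic is rejected once enabled, but the security-relevant half is missing: PROXY protocol takes the client address from the header, so the listeners must be reachable only through a load balancer that emits those headers, otherwise a direct client can present any source address to L7 policy and logging. Suggested addition under the existing comment: `# Enable only when the listeners are reachable solely via a PROXY-protocol load balancer; the header is trusted as the client address.` The `ingressController:` mapping starts before this hunk.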
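Review bot: In the `@@ -789,6 +815,18 @@ encryption:` hunk, `strictMode.cidr` defaults to `""` while `strictMode.enabled` is a separate switch, and the comments do not say what happens when strict mode is enabled with an empty CIDR (nothing enforced, everything dropped, or a validation error); that is exactly the combination a user flipping only `enabled` will produce. A line like `# Required when enabled; an empty value means <BEHAVIOUR-PLACEHOLDER> — TODO confirm` on `cidr` would close the gap. `allowRemoteNodeIdentities` appears to relax what strict mode accepts and could say so in its comment, since its current wording only describes when it is needed.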
@@ -956,10 +996,16 @@ certgen: # -- Additional certgen volumeMounts. extraVolumeMounts: [] + # -- Affinity for certgen + affinity: {} + hubble: # -- Enable Hubble (true by default). enabled: true + # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble) + annotations: {} + # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. # eventQueueSize: "" @@ -988,7 +1034,7 @@ hubble: # # You can specify the list of metrics from the helm CLI: # - # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" # enabled: ~ # -- Enables exporting hubble metrics in OpenMetrics format. @@ -1006,6 +1052,8 @@ hubble: labels: {} # -- Annotations to add to ServiceMonitor hubble annotations: {} + # -- jobLabel to add for ServiceMonitor hubble + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor hubble 
@@ -1029,6 +1077,81 @@ hubble: # -- Unix domain socket path to listen to when Hubble is enabled. socketPath: /var/run/cilium/hubble.sock + # -- Enables redacting sensitive information present in Layer 7 flows. + redact: + enabled: false + http: + # -- Enables redacting URL query (GET) parameters. + # Example: + # + # redact: + # enabled: true + # http: + # urlQuery: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.urlQuery="true" + urlQuery: false + # -- Enables redacting user info, e.g., password when basic auth is used. + # Example: + # + # redact: + # enabled: true + # http: + # userInfo: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.userInfo="true" + userInfo: true + headers: + # -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # allow: + # - traceparent + # - tracestate + # - Cache-Control + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control" + allow: [] + # -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present. + # Example: + # redact: + # enabled: true + # http: + # headers: + # deny: + # - Authorization + # - Proxy-Authorization + # + # You can specify the options from the helm CLI: + # --set hubble.redact.enabled="true" + # --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization" + deny: [] + kafka: + # -- Enables redacting Kafka's API key. 
+ # Example: + # + # redact: + # enabled: true + # kafka: + # apiKey: true + # + # You can specify the options from the helm CLI: + # + # --set hubble.redact.enabled="true" + # --set hubble.redact.kafka.apiKey="true" + apiKey: false + # -- An additional address for Hubble to listen to. # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that # Hubble is listening on port 4244. @@ -1149,6 +1272,9 @@ hubble: # -- Additional hubble-relay environment variables. extraEnv: [] + # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay) + annotations: {} + # -- Annotations to be added to hubble-relay pods podAnnotations: {} @@ -1236,6 +1362,12 @@ hubble: extraDnsNames: [] # -- extra IP addresses added to certificate when its auto gen extraIpAddresses: [] + # DNS name used by the backend to connect to the relay + # This is a simple workaround as the relay certificates are currently hardcoded to + # *.hubble-relay.cilium.io + # See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546 + # For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local + relayName: "ui.hubble-relay.cilium.io" # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). dialTimeout: ~ @@ -1355,6 +1487,14 @@ hubble: # -- Additional hubble-ui backend volumeMounts. extraVolumeMounts: [] + livenessProbe: + # -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + + readinessProbe: + # -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) + enabled: false + # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. resources: {} # limits: 
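Review bot: `redact.enabled: false` is the master switch, yet the sub-keys are documented as if they act on their own (`userInfo: true` in particular reads as though user info were already redacted); with the shipped defaults the L7 flow data — URL query strings, basic-auth user info and every header, since `deny: []` — leaves Hubble unredacted. A comment on `enabled` such as `# -- Master switch: none of the http/kafka redaction options below take effect unless this is true.` would prevent that misreading. The `allow`/`deny` exclusivity is stated only in prose; whether the agent rejects both being set is not visible here and deserves a pointer. The enclosing `hubble:` mapping starts outside the hunk.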
@@ -1402,6 +1542,9 @@ hubble: # -- The number of replicas of Hubble UI to deploy. replicas: 1 + # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui) + annotations: {} + # -- Annotations to be added to hubble-ui pods podAnnotations: {} 
@@ -1481,6 +1624,55 @@ hubble: # hosts: # - chart-example.local + # -- Hubble flows export. + export: + # --- Defines max file size of output file before it gets rotated. + fileMaxSizeMb: 10 + # --- Defines max number of backup/rotated files. + fileMaxBackups: 5 + # --- Static exporter configuration. + # Static exporter is bound to agent lifecycle. + static: + enabled: false + filePath: /var/run/cilium/hubble/events.log + fieldMask: [] + # - time + # - source + # - destination + # - verdict + allowList: [] + # - '{"verdict":["DROPPED","ERROR"]}' + denyList: [] + # - '{"source_pod":["kube-system/"]}' + # - '{"destination_pod":["kube-system/"]}' + # --- Dynamic exporters configuration. + # Dynamic exporters may be reconfigured without a need of agent restarts. + dynamic: + enabled: false + config: + # ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents. + configMapName: cilium-flowlog-config + # ---- True if helm installer should create config map. + # Switch to false if you want to self maintain the file content. + createConfigMap: true + # ---- Exporters configuration in YAML format. + content: + - name: all + fieldMask: [] + includeFilters: [] + excludeFilters: [] + filePath: "/var/run/cilium/hubble/events.log" + #- name: "test002" + # filePath: "/var/log/network/flow-log/pa/test002.log" + # fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"] + # includeFilters: + # - source_pod: ["default/"] + # event_type: + # - type: 1 + # - destination_pod: ["frontend/nginx-975996d4c-7hhgt"] + # excludeFilters: [] + # end: "2023-10-09T23:59:59-07:00" + # -- Method to use for identity allocation (`crd` or `kvstore`). identityAllocationMode: "crd" 
@@ -1531,6 +1723,9 @@ ipam: # @default -- `4.0` externalAPILimitQPS: ~ +# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API +apiRateLimit: ~ + # -- Configure the eBPF-based ip-masq-agent ipMasqAgent: enabled: false @@ -1629,21 +1824,23 @@ maglev: {} # -- Enables masquerading of IPv4 traffic leaving the node from endpoints. enableIPv4Masquerade: true -# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods -enableIPv6BIGTCP: false +# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. +enableIPv6Masquerade: true + +# -- Enables masquerading to the source of the route for traffic leaving the node from endpoints. +enableMasqueradeRouteSource: false # -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods enableIPv4BIGTCP: false -# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. -enableIPv6Masquerade: true +# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods +enableIPv6BIGTCP: false -# -- Enables egress gateway to redirect and SNAT the traffic that leaves the -# cluster. egressGateway: + # -- Enables egress gateway to redirect and SNAT the traffic that leaves the + # cluster. enabled: false - # -- Install egress gateway IP rules and routes in order to properly steer - # egress gateway traffic to the correct ENI interface + # -- Deprecated without a replacement necessary. installRoutes: false # -- Time between triggers of egress gateway state reconciliations reconciliationTriggerInterval: 1s 
@@ -1708,8 +1905,11 @@ loadBalancer: # mode: snat # -- acceleration is the option to accelerate service handling via XDP - # e.g. native, disabled - # acceleration: disabled + # Applicable values can be: disabled (do not use XDP), native (XDP BPF + # program is run directly out of the networking driver's early receive + # path), or best-effort (use native mode XDP acceleration on devices + # that support it). + acceleration: disabled # -- dsrDispatch configures whether IP option or IPIP encapsulation is # used to pass a service IP and port to remote backend @@ -1758,6 +1958,10 @@ nodePort: # -- Enable healthcheck nodePort server for NodePort services enableHealthCheck: true + # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs + # EnableHealthCheck to be enabled + enableHealthCheckLoadBalancerIP: false + # policyAuditMode: false # -- The agent can be put into one of the three policy enforcement modes: @@ -1765,6 +1969,10 @@ nodePort: # ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes policyEnforcementMode: "default" +# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. +# The possible value is "nodes". +policyCIDRMatchMode: + pprof: # -- Enable pprof for cilium-agent enabled: false @@ -1785,6 +1993,8 @@ prometheus: labels: {} # -- Annotations to add to ServiceMonitor cilium-agent annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-agent + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Specify the Kubernetes namespace where Prometheus expects to find 
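Review bot: `policyCIDRMatchMode:` is added as a bare key, which YAML parses as null, while the comment directly above it describes the value as "a list of entities"; if an empty list is the intended default, `policyCIDRMatchMode: []` states that explicitly and matches how the other list-valued keys in this file (`fieldMask: []`, `extraArgs: []`) are written. A template that only tests truthiness treats null and `[]` the same, so this should be behaviour-neutral, but that is inferred rather than visible here. If this values file is vendored from upstream, the change belongs in the upstream chart rather than a local patch.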
@@ -1807,6 +2017,15 @@ prometheus: # ref: https://docs.cilium.io/en/stable/observability/metrics/ metrics: ~ + # --- Enable controller group metrics for monitoring specific Cilium + # subsystems. The list is a list of controller group names. The special + # values of "all" and "none" are supported. The set of controller + # group names is not guaranteed to be stable between Cilium versions. + controllerGroupMetrics: + - write-cni-file + - sync-host-ips + - sync-lb-maps-with-k8s-services + # -- Grafana dashboards for cilium-agent # grafana can import dashboards based on the label and value # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards @@ -1849,14 +2068,18 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyIngress: 0 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyEgress: 0 # -- Envoy container image. image: override: ~ - repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.4-21905253931655328edaacf3cd16aeda73bbea2f" + repository: "${CILIUM_ENVOY_REPO}" + tag: "${CILIUM_ENVOY_VERSION}" pullPolicy: "${PULL_POLICY}" - digest: "sha256:d52f476c29a97c8b250fdbfbb8472191a268916f6a8503671d0da61e323b02cc" + digest: "${CILIUM_ENVOY_DIGEST}" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
@@ -1898,9 +2121,14 @@ envoy: # -- Roll out cilium envoy pods automatically when configmap is updated. rollOutPods: false - # -- Security Context for cilium-envoy pods. - podSecurityContext: {} + # -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) + annotations: {} + # -- Security Context for cilium-envoy pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to envoy pods podAnnotations: {} @@ -2038,6 +2266,7 @@ envoy: # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +# Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -2118,15 +2347,6 @@ tls: # ... # -----END CERTIFICATE----- -# -- Configure the encapsulation configuration for communication between nodes. -# Deprecated in favor of tunnelProtocol and routingMode. To be removed in 1.15. -# Possible values: -# - disabled -# - vxlan -# - geneve -# @default -- `"vxlan"` -tunnel: "" - # -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels. # Possible values: # - "" @@ -2147,6 +2367,13 @@ routingMode: "" # @default -- Port 8472 for VXLAN, Port 6081 for Geneve tunnelPort: 0 +# -- Configure what the response should be to traffic for a service without backends. +# "reject" only works on kernels >= 5.10, on lower kernels we fallback to "drop". +# Possible values: +# - reject (default) +# - drop +serviceNoBackendResponse: reject + # -- Configure the underlying network MTU to overwrite auto-detected MTU. MTU: 0 
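Review bot: The comment added under `envoy.podSecurityContext` reads `AppArmorProfile options for the `cilium-agent` and init containers`, but this block applies to the cilium-envoy pods, so it should name `cilium-envoy`; the nodeinit hunk later on this page names its own pod correctly. Because `type: "Unconfined"` opts these pods out of the node's AppArmor enforcement, a short why-comment (which datapath operation the default profile would block) would help operators who harden nodes with AppArmor decide whether to keep the default or override it. If this file is vendored from upstream, raise the wording fix there.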
@@ -2202,6 +2429,9 @@ etcd: nodeSelector: kubernetes.io/os: linux + # -- Annotations to be added to all top-level etcd-operator objects (resources under templates/etcd-operator) + annotations: {} + # -- Security context to be added to cilium-etcd-operator pods podSecurityContext: {} @@ -2350,6 +2580,9 @@ operator: # -- Additional cilium-operator volumeMounts. extraVolumeMounts: [] + # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator) + annotations: {} + # -- Security context to be added to cilium-operator pods podSecurityContext: {} @@ -2410,7 +2643,7 @@ operator: # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: false + enabled: true port: 9963 serviceMonitor: # -- Enable service monitors. @@ -2420,6 +2653,8 @@ operator: labels: {} # -- Annotations to add to ServiceMonitor cilium-operator annotations: {} + # -- jobLabel to add for ServiceMonitor cilium-operator + jobLabel: "" # -- Interval for scrape metrics. interval: "10s" # -- Relabeling configs for the ServiceMonitor cilium-operator @@ -2506,12 +2741,19 @@ nodeinit: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit) + annotations: {} + # -- Annotations to be added to node-init pods. podAnnotations: {} # -- Labels to be added to node-init pods. podLabels: {} - + # -- Security Context for cilium-node-init pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-node-init` and init containers + appArmorProfile: + type: "Unconfined" # -- nodeinit resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: 
@@ -2614,6 +2856,9 @@ preflight: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight) + annotations: {} + # -- Security context to be added to preflight pods. podSecurityContext: {} @@ -2673,6 +2918,15 @@ enableCriticalPriorityClass: true clustermesh: # -- Deploy clustermesh-apiserver for clustermesh useAPIServer: false + # -- The maximum number of clusters to support in a ClusterMesh. This value + # cannot be changed on running clusters, and all clusters in a ClusterMesh + # must be configured with the same value. Values > 255 will decrease the + # maximum allocatable cluster-local identities. + # Supported values are 255 and 511. + maxConnectedClusters: 255 + + # -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config) + annotations: {} # -- Clustermesh explicit configuration. config: @@ -2716,14 +2970,9 @@ clustermesh: pullPolicy: "${PULL_POLICY}" etcd: - # -- Clustermesh API server etcd image. - image: - override: ~ - repository: "${ETCD_REPO}" - tag: "${ETCD_VERSION}" - digest: "${ETCD_DIGEST}" - useDigest: true - pullPolicy: "${PULL_POLICY}" + # The etcd binary is included in the clustermesh API server image, so the same image from above is reused. + # Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is + # built with. # -- Specifies the resources for etcd container in the apiserver resources: {} @@ -2737,6 +2986,9 @@ clustermesh: # -- Security context to be added to clustermesh-apiserver etcd containers securityContext: {} + # -- lifecycle setting for the etcd container + lifecycle: {} + init: # -- Specifies the resources for etcd init container in the apiserver resources: {} 
@@ -2747,21 +2999,17 @@ clustermesh: # cpu: 100m # memory: 100Mi + # -- Additional arguments to `clustermesh-apiserver etcdinit`. + extraArgs: [] + + # -- Additional environment variables to `clustermesh-apiserver etcdinit`. + extraEnv: [] + kvstoremesh: # -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved # from the remote clusters in the local etcd instance. enabled: false - # -- KVStoreMesh image. - image: - override: ~ - repository: "${KVSTOREMESH_REPO}" - tag: "${CILIUM_VERSION}" - # kvstoremesh-digest - digest: ${KVSTOREMESH_DIGEST} - useDigest: ${USE_DIGESTS} - pullPolicy: "${PULL_POLICY}" - # -- Additional KVStoreMesh arguments. extraArgs: [] @@ -2787,6 +3035,9 @@ clustermesh: drop: - ALL + # -- lifecycle setting for the KVStoreMesh container + lifecycle: {} + service: # -- The type of service used for apiserver access. type: NodePort @@ -2817,6 +3068,12 @@ clustermesh: # -- Number of replicas run for the clustermesh-apiserver deployment. replicas: 1 + # -- lifecycle setting for the apiserver container + lifecycle: {} + + # -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment + terminationGracePeriodSeconds: 30 + # -- Additional clustermesh-apiserver arguments. extraArgs: [] 
@@ -2959,17 +3216,6 @@ clustermesh: # name: ca-issuer # -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager. certManagerIssuerRef: {} - # -- Deprecated in favor of tls.ca. To be removed in 1.15. - # base64 encoded PEM values for the ExternalWorkload CA certificate and private key. - ca: - # -- Deprecated in favor of tls.ca.cert. To be removed in 1.15. - # Optional CA cert. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - cert: "" - # -- Deprecated in favor of tls.ca.key. To be removed in 1.15. - # Optional CA private key. If it is provided, it will be used by the 'cronJob' method to - # generate all other certificates. Otherwise, an ephemeral CA is generated. - key: "" # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key. # Used if 'auto' is not enabled. server: @@ -3010,7 +3256,7 @@ clustermesh: etcd: # -- Enables exporting etcd metrics in OpenMetrics format. - enabled: false + enabled: true # -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics. mode: basic # -- Configure the port the etcd metric server listens on. @@ -3136,10 +3382,14 @@ authentication: mutual: # -- Port on the agent where mutual authentication handshakes between agents will be performed port: 4250 + # -- Timeout for connecting to the remote node TCP socket + connectTimeout: 5s # Settings for SPIRE spire: # -- Enable SPIRE integration (beta) enabled: false + # -- Annotations to be added to all top-level spire objects (resources under templates/spire) + annotations: {} # Settings to control the SPIRE installation and configuration install: # -- Enable SPIRE installation. 
@@ -3147,10 +3397,26 @@ authentication: enabled: true # -- SPIRE namespace to install into namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false + # -- init container image of SPIRE agent and server + initImage: + override: ~ + repository: "${SPIRE_INIT_REPO}" + tag: "${SPIRE_INIT_VERSION}" + digest: "${SPIRE_INIT_DIGEST}" + useDigest: true + pullPolicy: "${PULL_POLICY}" # SPIRE agent configuration agent: # -- SPIRE agent image - image: ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823 + image: + override: ~ + repository: "${SPIRE_AGENT_REPO}" + tag: "${SPIRE_AGENT_VERSION}" + digest: "${SPIRE_AGENT_DIGEST}" + useDigest: true + pullPolicy: "${PULL_POLICY}" # -- SPIRE agent service account serviceAccount: create: true @@ -3192,7 +3458,13 @@ authentication: securityContext: {} server: # -- SPIRE server image - image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f + image: + override: ~ + repository: "${SPIRE_SERVER_REPO}" + tag: "${SPIRE_SERVER_VERSION}" + digest: "${SPIRE_SERVER_DIGEST}" + useDigest: true + pullPolicy: "${PULL_POLICY}" # -- SPIRE server service account serviceAccount: create: true 
@@ -3229,6 +3501,14 @@ authentication: accessMode: ReadWriteOnce # -- StorageClass of the SPIRE server data storage storageClass: null + # -- Security context to be added to spire server pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire server containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} # SPIRE CA configuration ca: # -- SPIRE CA key type From e89926cca6187432ea480c5c2cb43e6bf813fc5b Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Sun, 26 May 2024 18:11:36 +0200 Subject: [PATCH 13/67] Update kube-ovn v1.13.0-ge1310e17 and enable image building (#149) 
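Review bot: The comment on the new container-level `securityContext` for the SPIRE server repeats the pod-level wording (`SecurityContext holds pod-level security attributes and common container settings`) even though its link points at `#set-the-security-context-for-a-container`; suggest `SecurityContext holds security configuration that will be applied to the spire-server container.` Both new keys default to `{}`, so unlike the clustermesh container context visible earlier on this page (which drops `ALL` capabilities) the SPIRE server gets no capability restriction unless the caller supplies one; whether a hardened default is appropriate here depends on what the server needs, which is not visible in this hunk.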
Signed-off-by: Andrei Kvapil --- Makefile | 1 + packages/system/kubeovn/Makefile | 21 +- .../system/kubeovn/charts/kube-ovn/Chart.yaml | 4 +- .../system/kubeovn/charts/kube-ovn/README.md | 8 +- .../kubeovn/charts/kube-ovn/crds/crd.yaml | 2278 ----------------- .../system/kubeovn/charts/kube-ovn/images | 1 + .../charts/kube-ovn/kube-ovn/Chart.yaml | 24 - .../charts/kube-ovn/kube-ovn/README.md | 42 - .../kube-ovn/kube-ovn/templates/_helpers.tpl | 54 - .../kube-ovn/templates/central-deploy.yaml | 161 -- .../kube-ovn/templates/controller-deploy.yaml | 190 -- .../kube-ovn/templates/controller-svc.yaml | 16 - .../kube-ovn/templates/monitor-deploy.yaml | 139 - .../kube-ovn/templates/monitor-svc.yaml | 18 - .../kube-ovn/kube-ovn/templates/nb-svc.yaml | 19 - .../kube-ovn/templates/northd-svc.yaml | 19 - .../kube-ovn/kube-ovn/templates/ovn-CR.yaml | 256 -- .../kube-ovn/kube-ovn/templates/ovn-CRB.yaml | 54 - .../kube-ovn/templates/ovn-dpdk-ds.yaml | 164 -- .../kube-ovn/kube-ovn/templates/ovn-sa.yaml | 34 - .../kube-ovn/templates/ovn-tls-secret.yaml | 23 - .../kube-ovn/templates/ovncni-ds.yaml | 206 -- .../kube-ovn/templates/ovncni-svc.yaml | 16 - .../kube-ovn/templates/ovsovn-ds.yaml | 221 -- .../kube-ovn/templates/pinger-ds.yaml | 137 - .../kube-ovn/templates/pinger-svc.yaml | 16 - .../kube-ovn/templates/pre-delete-hook.yaml | 123 - .../kube-ovn/kube-ovn/templates/sb-svc.yaml | 19 - .../kube-ovn/templates/upgrade-ovs-ovn.yaml | 163 -- .../kube-ovn/templates/vpc-nat-config.yaml | 10 - .../charts/kube-ovn/kube-ovn/values.yaml | 181 -- .../charts/kube-ovn/templates/_helpers.tpl | 25 + .../kube-ovn/templates/central-deploy.yaml | 14 +- .../kube-ovn/templates/controller-deploy.yaml | 41 +- .../templates/ic-controller-deploy.yaml | 2 +- .../templates/kube-ovn-crd.yaml | 37 + .../kube-ovn/templates/monitor-deploy.yaml | 2 +- .../charts/kube-ovn/templates/ovn-CR.yaml | 86 +- .../kube-ovn/templates/ovn-dpdk-ds.yaml | 2 +- .../charts/kube-ovn/templates/ovncni-ds.yaml | 23 +- 
.../charts/kube-ovn/templates/ovsovn-ds.yaml | 15 +- .../charts/kube-ovn/templates/pinger-ds.yaml | 2 +- .../kube-ovn/templates/pre-delete-hook.yaml | 2 +- .../kube-ovn/templates/upgrade-ovs-ovn.yaml | 31 +- .../kube-ovn/templates/vpc-nat-config.yaml | 2 +- .../kubeovn/charts/kube-ovn/values.yaml | 14 +- packages/system/kubeovn/images/kubeovn.json | 4 + packages/system/kubeovn/images/kubeovn.tag | 1 + .../system/kubeovn/images/kubeovn/Dockerfile | 43 + .../system/kubeovn/patches/cozyconfig.diff | 97 + .../system/kubeovn/templates/_helpers.tpl | 3 + packages/system/kubeovn/values.yaml | 8 - 52 files changed, 359 insertions(+), 4713 deletions(-) delete mode 100644 packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml create mode 120000 packages/system/kubeovn/charts/kube-ovn/images delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml delete 
mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml delete mode 100755 packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml delete mode 100644 packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml rename packages/system/kubeovn/charts/kube-ovn/{kube-ovn => }/templates/ic-controller-deploy.yaml (95%) rename packages/system/kubeovn/charts/kube-ovn/{kube-ovn => }/templates/kube-ovn-crd.yaml (98%) create mode 100644 packages/system/kubeovn/images/kubeovn.json create mode 100644 packages/system/kubeovn/images/kubeovn.tag create mode 100644 packages/system/kubeovn/images/kubeovn/Dockerfile create mode 100644 packages/system/kubeovn/patches/cozyconfig.diff create mode 100644 packages/system/kubeovn/templates/_helpers.tpl diff --git a/Makefile b/Makefile index e60ea514..0ef2d210 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ build: make -C packages/apps/http-cache image make -C packages/apps/kubernetes image + make -C packages/system/kubeovn image make -C packages/system/dashboard image make -C packages/core/installer image make manifests 
diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index 8ab3423c..9f0d8b98 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -1,9 +1,28 @@ +KUBEOVN_TAG = v1.13.0 + NAME=kubeovn NAMESPACE=cozy-$(NAME) +include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk update: rm -rf charts && mkdir -p charts/kube-ovn curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \ - tar -C charts/kube-ovn -xzvf - --strip 2 kube-ovn-master/charts + tar xzvf - --strip 1 kube-ovn-master/charts + patch -p4 --no-backup-if-mismatch < patches/cozyconfig.diff + ln -s ../../images charts/kube-ovn/images + sed -i '/image:/ s/{{.*}}/{{ include "kubeovn.image" . }}/g' `grep -rl image: charts/kube-ovn/templates/` + +image: + docker buildx build images/kubeovn \ + --provenance false \ + --tag $(REGISTRY)/kubeovn:$(call settag,$(TAG)) \ + --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \ + --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \ + --cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \ + --cache-to type=inline \ + --metadata-file images/kubeovn.json \ + --push=$(PUSH) \ + --load=$(LOAD) + echo "$(REGISTRY)/kubeovn:$(call settag,$(TAG))" > images/kubeovn.tag diff --git a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml index 1cb8212f..0978817b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/Chart.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/Chart.yaml 
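Review bot: The `update` target still fetches `refs/heads/master.tar.gz`, so the vendored chart tracks a moving branch while the new `KUBEOVN_TAG = v1.13.0` pins only the image; a later `make update` can silently pull chart templates that no longer match the pinned image or the hunks in `patches/cozyconfig.diff`. Pinning the archive to the tag, e.g. `curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/tags/$(KUBEOVN_TAG).tar.gz`, with the `--strip 1` path adjusted to that archive's top-level directory name, keeps chart and image in step and makes the update reproducible. The `sed` that rewrites every `image:` line uses a greedy `{{.*}}`, which also swallows any other template expression on the same line; that appears to be the intent, but a one-line comment saying so would save the next person from reading it as a bug.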
@@ -15,10 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 1.13.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. appVersion: "1.13.0" + +kubeVersion: ">= 1.23.0-0" diff --git a/packages/system/kubeovn/charts/kube-ovn/README.md b/packages/system/kubeovn/charts/kube-ovn/README.md index f9295ca9..3af408e6 100644 --- a/packages/system/kubeovn/charts/kube-ovn/README.md +++ b/packages/system/kubeovn/charts/kube-ovn/README.md @@ -10,13 +10,13 @@ $ kubectl label node -lnode-role.kubernetes.io/control-plane kube-ovn/role=mast $ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel --overwrite # standard install -$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0} +$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0} # high availability install -$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2} +$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} # upgrade to this version -$ helm upgrade --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2} +$ helm upgrade --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} ``` If `MASTER_NODES` unspecified Helm will take internal IPs of nodes with `kube-ovn/role=master` label 
@@ -32,7 +32,7 @@ machine: - name: openvswitch ``` -and use the following options for install this Helm-chart: +and use the following options to install this Helm-chart: ``` --set cni_conf.MOUNT_LOCAL_BIN_DIR=false diff --git a/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml b/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml deleted file mode 100644 index 2d545cc2..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/crds/crd.yaml +++ /dev/null 
@@ -1,2278 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpc-dnses.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vpc-dnses - singular: vpc-dns - shortNames: - - vpc-dns - kind: VpcDns - listKind: VpcDnsList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.active - name: Active - type: boolean - - jsonPath: .spec.vpc - name: Vpc - type: string - - jsonPath: .spec.subnet - name: Subnet - type: string - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - vpc: - type: string - subnet: - type: string - replicas: - type: integer - minimum: 1 - maximum: 3 - status: - type: object - properties: - active: - type: boolean - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: switch-lb-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: switch-lb-rules - singular: switch-lb-rule - shortNames: - - slr - kind: SwitchLBRule - listKind: SwitchLBRuleList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.vip - name: vip - type: string - - jsonPath: .status.ports - name: port(s) - type: string - - jsonPath: .status.service - name: service - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - namespace: - type: string - vip: - type: string - sessionAffinity: - type: string - ports: - items: - properties: - name: - type: string - port: - type: integer - minimum: 1 - maximum: 65535 
- protocol: - type: string - targetPort: - type: integer - minimum: 1 - maximum: 65535 - type: object - type: array - selector: - items: - type: string - type: array - status: - type: object - properties: - ports: - type: string - service: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpc-nat-gateways.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vpc-nat-gateways - singular: vpc-nat-gateway - shortNames: - - vpc-nat-gw - kind: VpcNatGateway - listKind: VpcNatGatewayList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.vpc - name: Vpc - type: string - - jsonPath: .spec.subnet - name: Subnet - type: string - - jsonPath: .spec.lanIp - name: LanIP - type: string - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - lanIp: - type: string - subnet: - type: string - externalSubnets: - items: - type: string - type: array - vpc: - type: string - selector: - type: array - items: - type: string - tolerations: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - enum: - - Equal - - Exists - value: - type: string - effect: - type: string - enum: - - NoExecute - - NoSchedule - - PreferNoSchedule - tolerationSeconds: - type: integer - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: 
- - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - 
type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-eips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-eips - singular: iptables-eip - shortNames: - - eip - kind: IptablesEIP - listKind: IptablesEIPList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.ip - name: IP - type: string - - jsonPath: .spec.macAddress - name: Mac - type: string - - jsonPath: .status.nat - name: Nat - 
type: string - - jsonPath: .spec.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - ip: - type: string - nat: - type: string - redo: - type: string - qosPolicy: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - v4ip: - type: string - v6ip: - type: string - macAddress: - type: string - natGwDp: - type: string - qosPolicy: - type: string - externalSubnet: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-fip-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-fip-rules - singular: iptables-fip-rule - shortNames: - - fip - kind: IptablesFIPRule - listKind: IptablesFIPRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - internalIp: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - 
lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - internalIp: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-dnat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-dnat-rules - singular: iptables-dnat-rule - shortNames: - - dnat - kind: IptablesDnatRule - listKind: IptablesDnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .spec.protocol - name: Protocol - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .spec.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.internalPort - name: InternalPort - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - protocol: - type: string - internalIp: - type: string - internalPort: - type: string - externalPort: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - externalPort: - type: string - protocol: - type: string - internalIp: - type: string - internalPort: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-snat-rules.kubeovn.io -spec: - group: kubeovn.io - 
names: - plural: iptables-snat-rules - singular: iptables-snat-rule - shortNames: - - snat - kind: IptablesSnatRule - listKind: IptablesSnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: EIP - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalCIDR - name: InternalCIDR - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - internalCIDR: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - internalCIDR: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-eips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-eips - singular: ovn-eip - shortNames: - - oeip - kind: OvnEip - listKind: OvnEipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.v4Ip - name: V4IP - type: string - - jsonPath: .status.v6Ip - name: V6IP - type: string - - jsonPath: .status.macAddress - name: Mac - type: string - - jsonPath: .status.type - name: Type - type: string - - jsonPath: .status.nat - name: Nat - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object 
- properties: - type: - type: string - nat: - type: string - ready: - type: boolean - v4Ip: - type: string - v6Ip: - type: string - macAddress: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - externalSubnet: - type: string - type: - type: string - v4Ip: - type: string - v6Ip: - type: string - macAddress: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-fips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-fips - singular: ovn-fip - shortNames: - - ofip - kind: OvnFip - listKind: OvnFipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .spec.ipType - name: IpType - type: string - - jsonPath: .spec.ipName - name: IpName - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - vpc: - type: string - v4Ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-snat-rules.kubeovn.io -spec: - group: 
kubeovn.io - names: - plural: ovn-snat-rules - singular: ovn-snat-rule - shortNames: - - osnat - kind: OvnSnatRule - listKind: OvnSnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4IpCidr - name: V4IpCidr - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4IpCidr: - type: string - vpc: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - vpcSubnet: - type: string - ipName: - type: string - vpc: - type: string - v4IpCidr: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-dnat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-dnat-rules - singular: ovn-dnat-rule - shortNames: - - odnat - kind: OvnDnatRule - listKind: OvnDnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .spec.ovnEip - name: Eip - type: string - - jsonPath: .status.protocol - name: Protocol - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.internalPort - name: InternalPort - type: string - - jsonPath: .status.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.ipName - name: IpName - type: string - - 
jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - ipName: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - vpc: - type: string - v4Ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpcs.kubeovn.io -spec: - group: kubeovn.io - versions: - - additionalPrinterColumns: - - jsonPath: .status.enableExternal - name: EnableExternal - type: boolean - - jsonPath: .status.enableBfd - name: EnableBfd - type: boolean - - jsonPath: .status.standby - name: Standby - type: boolean - - jsonPath: .status.subnets - name: Subnets - type: string - - jsonPath: .status.extraExternalSubnets - name: ExtraExternalSubnets - type: string - - jsonPath: .spec.namespaces - name: Namespaces - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - enableExternal: - type: boolean - enableBfd: - type: boolean - namespaces: - items: - type: string - type: array - extraExternalSubnets: - items: - type: string - type: array - staticRoutes: - items: - properties: - policy: - type: string - cidr: - type: string - nextHopIP: - type: string - ecmpMode: - type: string - bfdId: - type: string - routeTable: - type: string - type: object - type: array - policyRoutes: - items: - properties: - priority: - type: integer - action: - type: 
string - match: - type: string - nextHopIP: - type: string - type: object - type: array - vpcPeerings: - items: - properties: - remoteVpc: - type: string - localConnectIP: - type: string - type: object - type: array - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - lastUpdateTime: - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - default: - type: boolean - defaultLogicalSwitch: - type: string - router: - type: string - standby: - type: boolean - enableExternal: - type: boolean - enableBfd: - type: boolean - subnets: - items: - type: string - type: array - extraExternalSubnets: - items: - type: string - type: array - vpcPeerings: - items: - type: string - type: array - tcpLoadBalancer: - type: string - tcpSessionLoadBalancer: - type: string - udpLoadBalancer: - type: string - udpSessionLoadBalancer: - type: string - sctpLoadBalancer: - type: string - sctpSessionLoadBalancer: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - names: - kind: Vpc - listKind: VpcList - plural: vpcs - shortNames: - - vpc - singular: vpc - scope: Cluster ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ips.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .spec.v4IpAddress - - name: V6IP - type: string - jsonPath: .spec.v6IpAddress - - name: Mac - type: string - jsonPath: .spec.macAddress - - name: Node - type: string - jsonPath: .spec.nodeName - - name: Subnet - type: string - jsonPath: .spec.subnet - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - podName: - type: string - namespace: - type: string - subnet: - type: string - attachSubnets: - type: array - items: - type: 
string - nodeName: - type: string - ipAddress: - type: string - v4IpAddress: - type: string - v6IpAddress: - type: string - attachIps: - type: array - items: - type: string - macAddress: - type: string - attachMacs: - type: array - items: - type: string - containerID: - type: string - podType: - type: string - scope: Cluster - names: - plural: ips - singular: ip - kind: IP - shortNames: - - ip ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vips - singular: vip - shortNames: - - vip - kind: Vip - listKind: VipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .status.v4ip - - name: V6IP - type: string - jsonPath: .status.v6ip - - name: Mac - type: string - jsonPath: .status.mac - - name: PMac - type: string - jsonPath: .spec.parentMac - - name: Subnet - type: string - jsonPath: .spec.subnet - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.type - name: Type - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - type: - type: string - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - mac: - type: string - pv4ip: - type: string - pv6ip: - type: string - pmac: - type: string - selector: - type: array - items: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - namespace: - type: string - subnet: - type: string - type: - type: string - attachSubnets: - type: array - items: - type: string - v4ip: - type: string - macAddress: - type: string - v6ip: - type: string - parentV4ip: - type: string - parentMac: - type: string - 
parentV6ip: - type: string - selector: - type: array - items: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: subnets.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Provider - type: string - jsonPath: .spec.provider - - name: Vpc - type: string - jsonPath: .spec.vpc - - name: Protocol - type: string - jsonPath: .spec.protocol - - name: CIDR - type: string - jsonPath: .spec.cidrBlock - - name: Private - type: boolean - jsonPath: .spec.private - - name: NAT - type: boolean - jsonPath: .spec.natOutgoing - - name: Default - type: boolean - jsonPath: .spec.default - - name: GatewayType - type: string - jsonPath: .spec.gatewayType - - name: V4Used - type: number - jsonPath: .status.v4usingIPs - - name: V4Available - type: number - jsonPath: .status.v4availableIPs - - name: V6Used - type: number - jsonPath: .status.v6usingIPs - - name: V6Available - type: number - jsonPath: .status.v6availableIPs - - name: ExcludeIPs - type: string - jsonPath: .spec.excludeIps - - name: U2OInterconnectionIP - type: string - jsonPath: .status.u2oInterconnectionIP - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - v4availableIPs: - type: number - v4usingIPs: - type: number - v6availableIPs: - type: number - v6usingIPs: - type: number - activateGateway: - type: string - dhcpV4OptionsUUID: - type: string - dhcpV6OptionsUUID: - type: string - u2oInterconnectionIP: - type: string - u2oInterconnectionVPC: - type: string - v4usingIPrange: - type: string - v4availableIPrange: - type: string - v6usingIPrange: - type: string - v6availableIPrange: - type: string - natOutgoingPolicyRules: - type: array - items: - type: object - properties: - ruleID: - type: string - action: - type: string - enum: - - nat - - forward - match: - type: object - properties: - srcIPs: - type: string - 
dstIPs: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - vpc: - type: string - default: - type: boolean - protocol: - type: string - enum: - - IPv4 - - IPv6 - - Dual - cidrBlock: - type: string - namespaces: - type: array - items: - type: string - gateway: - type: string - provider: - type: string - excludeIps: - type: array - items: - type: string - vips: - type: array - items: - type: string - gatewayType: - type: string - allowSubnets: - type: array - items: - type: string - gatewayNode: - type: string - natOutgoing: - type: boolean - externalEgressGateway: - type: string - policyRoutingPriority: - type: integer - minimum: 1 - maximum: 32765 - policyRoutingTableID: - type: integer - minimum: 1 - maximum: 2147483647 - not: - enum: - - 252 # compat - - 253 # default - - 254 # main - - 255 # local - mtu: - type: integer - minimum: 68 - maximum: 65535 - private: - type: boolean - vlan: - type: string - logicalGateway: - type: boolean - disableGatewayCheck: - type: boolean - disableInterConnection: - type: boolean - enableDHCP: - type: boolean - dhcpV4Options: - type: string - dhcpV6Options: - type: string - enableIPv6RA: - type: boolean - ipv6RAConfigs: - type: string - allowEWTraffic: - type: boolean - acls: - type: array - items: - type: object - properties: - direction: - type: string - enum: - - from-lport - - to-lport - priority: - type: integer - minimum: 0 - maximum: 32767 - match: - type: string - action: - type: string - enum: - - allow-related - - allow-stateless - - allow - - drop - - reject - natOutgoingPolicyRules: - type: array - items: - type: object - properties: - action: - type: string - enum: - - nat - - forward - match: - type: object - properties: - srcIPs: - type: string - dstIPs: - type: string - 
u2oInterconnection: - type: boolean - u2oInterconnectionIP: - type: string - enableLb: - type: boolean - enableEcmp: - type: boolean - enableMulticastSnoop: - type: boolean - routeTable: - type: string - scope: Cluster - names: - plural: subnets - singular: subnet - kind: Subnet - shortNames: - - subnet ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Subnet - type: string - jsonPath: .spec.subnet - - name: IPs - type: string - jsonPath: .spec.ips - - name: V4Used - type: number - jsonPath: .status.v4UsingIPs - - name: V4Available - type: number - jsonPath: .status.v4AvailableIPs - - name: V6Used - type: number - jsonPath: .status.v6UsingIPs - - name: V6Available - type: number - jsonPath: .status.v6AvailableIPs - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - subnet: - type: string - x-kubernetes-validations: - - rule: "self == oldSelf" - message: "This field is immutable." 
- namespaces: - type: array - x-kubernetes-list-type: set - items: - type: string - ips: - type: array - minItems: 1 - x-kubernetes-list-type: set - items: - type: string - anyOf: - - format: ipv4 - - format: ipv6 - - format: cidr - - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.\.(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ - - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))\.\.((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ - required: - - subnet - - ips - status: - type: object - properties: - v4AvailableIPs: - type: number - v4UsingIPs: - type: number - v6AvailableIPs: - type: number - v6UsingIPs: - type: number - v4AvailableIPRange: - type: string - v4UsingIPRange: - type: string - v6AvailableIPRange: - type: string - v6UsingIPRange: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ippool ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: 
vlans.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - id: - type: integer - minimum: 0 - maximum: 4095 - provider: - type: string - vlanId: - type: integer - description: Deprecated in favor of id - providerInterfaceName: - type: string - description: Deprecated in favor of provider - required: - - provider - status: - type: object - properties: - subnets: - type: array - items: - type: string - additionalPrinterColumns: - - name: ID - type: string - jsonPath: .spec.id - - name: Provider - type: string - jsonPath: .spec.provider - scope: Cluster - names: - plural: vlans - singular: vlan - kind: Vlan - shortNames: - - vlan ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: provider-networks.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - metadata: - type: object - properties: - name: - type: string - maxLength: 12 - not: - enum: - - int - spec: - type: object - properties: - defaultInterface: - type: string - maxLength: 15 - pattern: '^[^/\s]+$' - customInterfaces: - type: array - items: - type: object - properties: - interface: - type: string - maxLength: 15 - pattern: '^[^/\s]+$' - nodes: - type: array - items: - type: string - exchangeLinkName: - type: boolean - excludeNodes: - type: array - items: - type: string - required: - - defaultInterface - status: - type: object - properties: - ready: - type: boolean - readyNodes: - type: array - items: - type: string - notReadyNodes: - type: array - items: - type: string - vlans: - type: array - items: - type: string - conditions: - type: array - items: - type: object - properties: - node: - type: string - type: - type: string - status: - type: string - reason: - type: string - 
message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - additionalPrinterColumns: - - name: DefaultInterface - type: string - jsonPath: .spec.defaultInterface - - name: Ready - type: boolean - jsonPath: .status.ready - scope: Cluster - names: - plural: provider-networks - singular: provider-network - kind: ProviderNetwork - listKind: ProviderNetworkList ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: security-groups.kubeovn.io -spec: - group: kubeovn.io - names: - plural: security-groups - singular: security-group - shortNames: - - sg - kind: SecurityGroup - listKind: SecurityGroupList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ingressRules: - type: array - items: - type: object - properties: - ipVersion: - type: string - protocol: - type: string - priority: - type: integer - remoteType: - type: string - remoteAddress: - type: string - remoteSecurityGroup: - type: string - portRangeMin: - type: integer - portRangeMax: - type: integer - policy: - type: string - egressRules: - type: array - items: - type: object - properties: - ipVersion: - type: string - protocol: - type: string - priority: - type: integer - remoteType: - type: string - remoteAddress: - type: string - remoteSecurityGroup: - type: string - portRangeMin: - type: integer - portRangeMax: - type: integer - policy: - type: string - allowSameGroupTraffic: - type: boolean - status: - type: object - properties: - portGroup: - type: string - allowSameGroupTraffic: - type: boolean - ingressMd5: - type: string - egressMd5: - type: string - ingressLastSyncSuccess: - type: boolean - egressLastSyncSuccess: - type: boolean - subresources: - status: {} - conversion: - strategy: None ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: qos-policies.kubeovn.io -spec: - 
group: kubeovn.io - names: - plural: qos-policies - singular: qos-policy - shortNames: - - qos - kind: QoSPolicy - listKind: QoSPolicyList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.shared - name: Shared - type: string - - jsonPath: .spec.bindingType - name: BindingType - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - shared: - type: boolean - bindingType: - type: string - bandwidthLimitRules: - type: array - items: - type: object - properties: - name: - type: string - interface: - type: string - rateMax: - type: string - burstMax: - type: string - priority: - type: integer - direction: - type: string - matchType: - type: string - matchValue: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - shared: - type: boolean - bindingType: - type: string - bandwidthLimitRules: - type: array - items: - type: object - properties: - name: - type: string - interface: - type: string - rateMax: - type: string - burstMax: - type: string - priority: - type: integer - direction: - type: string - matchType: - type: string - matchValue: - type: string - required: - - name - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map diff --git a/packages/system/kubeovn/charts/kube-ovn/images b/packages/system/kubeovn/charts/kube-ovn/images new file mode 120000 index 00000000..5fa69870 --- /dev/null +++ b/packages/system/kubeovn/charts/kube-ovn/images @@ -0,0 +1 @@ +../../images \ No newline at end of file 
diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml deleted file mode 100644 index fce1b220..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: kube-ovn -description: Helm chart for Kube-OVN - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.13.0 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "1.13.0" diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md deleted file mode 100644 index 3af408e6..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/README.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Kube-OVN-helm - -Currently supported version: 1.9 - -Installation : - -```bash -$ kubectl label node -lbeta.kubernetes.io/os=linux kubernetes.io/os=linux --overwrite -$ kubectl label node -lnode-role.kubernetes.io/control-plane kube-ovn/role=master --overwrite -$ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel --overwrite - -# standard install -$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0} - -# high availability install -$ helm install --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} - -# upgrade to this version -$ helm upgrade --debug kubeovn ./charts/kube-ovn --set MASTER_NODES=${Node0},${Node1},${Node2} -``` - -If `MASTER_NODES` unspecified Helm will take internal IPs of nodes with `kube-ovn/role=master` label - -### Talos Linux - -To install Kube-OVN on Talos Linux, declare openvswitch module in machine config: - -``` -machine: - kernel: - modules: - - name: openvswitch -``` - -and use the following options to install this Helm-chart: - -``` ---set cni_conf.MOUNT_LOCAL_BIN_DIR=false ---set OPENVSWITCH_DIR=/var/lib/openvswitch ---set OVN_DIR=/var/lib/ovn ---set DISABLE_MODULES_MANAGEMENT=true -``` diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl deleted file mode 100644 index 7b473941..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/_helpers.tpl +++ /dev/null 
@@ -1,54 +0,0 @@ -{{/* -Get IP-addresses of master nodes -*/}} -{{- define "kubeovn.nodeIPs" -}} -{{- $nodes := lookup "v1" "Node" "" "" -}} -{{- $ips := list -}} -{{- range $node := $nodes.items -}} - {{- $label := splitList "=" $.Values.MASTER_NODES_LABEL }} - {{- $key := index $label 0 }} - {{- $val := "" }} - {{- if eq (len $label) 2 }} - {{- $val = index $label 1 }} - {{- end }} - {{- if eq (index $node.metadata.labels $key) $val -}} - {{- range $address := $node.status.addresses -}} - {{- if eq $address.type "InternalIP" -}} - {{- $ips = append $ips $address.address -}} - {{- break -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{ join "," $ips }} -{{- end -}} - -{{/* -Number of master nodes -*/}} -{{- define "kubeovn.nodeCount" -}} - {{- len (split "," (.Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .))) }} -{{- end -}} - -{{- define "kubeovn.ovs-ovn.updateStrategy" -}} - {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}} - {{- if $ds -}} - {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}} - RollingUpdate - {{- else -}} - {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}} - {{- $versionRegex := `^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)` -}} - {{- if regexMatch $versionRegex $imageVersion -}} - {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}} - RollingUpdate - {{- else -}} - OnDelete - {{- end -}} - {{- else -}} - OnDelete - {{- end -}} - {{- end -}} - {{- else -}} - RollingUpdate - {{- end -}} -{{- end -}} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml deleted file mode 100644 index 0f4044b4..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/central-deploy.yaml +++ /dev/null 
@@ -1,161 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ovn-central - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - OVN components: northd, nb and sb. -spec: - replicas: {{ include "kubeovn.nodeCount" . }} - strategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: ovn-central - template: - metadata: - labels: - app: ovn-central - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: ovn-central - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn-ovs - hostNetwork: true - containers: - - name: ovn-central - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /kube-ovn/start-db.sh - securityContext: - capabilities: - add: ["SYS_NICE"] - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: NODE_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) 
}}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - - name: PROBE_INTERVAL - value: "{{ .Values.networking.PROBE_INTERVAL }}" - - name: OVN_NORTHD_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}" - - name: OVN_LEADER_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_LEADER_PROBE_INTERVAL }}" - - name: OVN_NORTHD_N_THREADS - value: "{{ .Values.networking.OVN_NORTHD_N_THREADS }}" - - name: ENABLE_COMPACT - value: "{{ .Values.networking.ENABLE_COMPACT }}" - {{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }} - - name: OVN_VERSION_COMPATIBILITY - value: "21.06" - {{- end }} - resources: - requests: - cpu: {{ index .Values "ovn-central" "requests" "cpu" }} - memory: {{ index .Values "ovn-central" "requests" "memory" }} - limits: - cpu: {{ index .Values "ovn-central" "limits" "cpu" }} - memory: {{ index .Values "ovn-central" "limits" "memory" }} - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - periodSeconds: 15 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - initialDelaySeconds: 30 - periodSeconds: 15 - failureThreshold: 5 - timeoutSeconds: 45 - nodeSelector: - 
kubernetes.io/os: "linux" - {{- with splitList "=" .Values.MASTER_NODES_LABEL }} - {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" - {{- end }} - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml deleted file mode 100644 index cea79b7d..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-deploy.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: kube-ovn-controller - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - kube-ovn controller -spec: - replicas: {{ include "kubeovn.nodeCount" . }} - selector: - matchLabels: - app: kube-ovn-controller - strategy: - rollingUpdate: - maxSurge: 0% - maxUnavailable: 100% - type: RollingUpdate - template: - metadata: - labels: - app: kube-ovn-controller - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: "ovn.kubernetes.io/ic-gw" - operator: NotIn - values: - - "true" - weight: 100 - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: kube-ovn-controller - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn - hostNetwork: true - containers: - - name: kube-ovn-controller - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - /kube-ovn/start-controller.sh - - --default-ls={{ .Values.networking.DEFAULT_SUBNET }} - - --default-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_CIDR }} - {{- end }} - - --default-gateway= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_GATEWAY }} - 
{{- end }} - - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }} - - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }} - - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }} - - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }} - - --cluster-router={{ .Values.networking.DEFAULT_VPC }} - - --node-switch={{ .Values.networking.NODE_SUBNET }} - - --node-switch-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.JOIN_CIDR }} - {{- end }} - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} - - --network-type={{- .Values.networking.NETWORK_TYPE }} - - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }} - - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} - - --default-exchange-link-name={{- .Values.networking.EXCHANGE_LINK_NAME }} - - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }} - - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }} - - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }} - - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }} - - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }} - - --enable-lb={{- .Values.func.ENABLE_LB }} - - --enable-np={{- .Values.func.ENABLE_NP }} - - --enable-eip-snat={{- .Values.networking.ENABLE_EIP_SNAT }} - - --enable-external-vpc={{- .Values.func.ENABLE_EXTERNAL_VPC }} - - --enable-ecmp={{- .Values.networking.ENABLE_ECMP }} - - --logtostderr=false - - --alsologtostderr=true - - --gc-interval={{- 
.Values.performance.GC_INTERVAL }} - - --inspect-interval={{- .Values.performance.INSPECT_INTERVAL }} - - --log_file=/var/log/kube-ovn/kube-ovn-controller.log - - --log_file_max_size=0 - - --enable-lb-svc={{- .Values.func.ENABLE_LB_SVC }} - - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }} - - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }} - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - # ovn-ic log directory - - mountPath: /var/log/ovn - name: ovn-log - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - /kube-ovn/kube-ovn-controller-healthcheck - periodSeconds: 3 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - /kube-ovn/kube-ovn-controller-healthcheck - initialDelaySeconds: 300 - periodSeconds: 7 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: {{ index .Values "kube-ovn-controller" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-controller" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-log - hostPath: - path: {{ 
.Values.log_conf.LOG_DIR }}/kube-ovn - - name: ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml deleted file mode 100644 index b4d39619..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/controller-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-controller - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-controller -spec: - selector: - app: kube-ovn-controller - ports: - - port: 10660 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml deleted file mode 100644 index b938ebfe..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-deploy.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: kube-ovn-monitor - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - Metrics for OVN components: northd, nb and sb. -spec: - replicas: 1 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: kube-ovn-monitor - template: - metadata: - labels: - app: kube-ovn-monitor - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: kube-ovn-monitor - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: kube-ovn-app - hostNetwork: true - containers: - - name: kube-ovn-monitor - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/kube-ovn/start-ovn-monitor.sh"] - args: - - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log - - --logtostderr=false - - --alsologtostderr=true - - --log_file_max_size=0 - securityContext: - runAsUser: 0 - privileged: false - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - resources: - requests: - cpu: {{ index .Values "kube-ovn-monitor" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-monitor" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }} - volumeMounts: - - mountPath: /var/run/openvswitch - name: 
host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/ovn - name: host-log-ovn - readOnly: true - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10661 - timeoutSeconds: 3 - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10661 - timeoutSeconds: 3 - nodeSelector: - kubernetes.io/os: "linux" - {{- with splitList "=" .Values.MASTER_NODES_LABEL }} - {{ index . 0 }}: "{{ if eq (len .) 2 }}{{ index . 1 }}{{ end }}" - {{- end }} - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml deleted file mode 100644 index 1ad1800d..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/monitor-svc.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-monitor - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-monitor -spec: - ports: - - name: metrics - port: 10661 - type: ClusterIP - selector: - app: kube-ovn-monitor - sessionAffinity: None - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml deleted file mode 100644 index 43992e91..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/nb-svc.yaml +++ /dev/null @@ -1,19 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ovn-nb - namespace: {{ .Values.namespace }} -spec: - ports: - - name: ovn-nb - protocol: TCP - port: 6641 - targetPort: 6641 - type: ClusterIP - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} - selector: - app: ovn-central - ovn-nb-leader: "true" - sessionAffinity: None diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml deleted file mode 100644 index cec07233..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/northd-svc.yaml +++ /dev/null @@ -1,19 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ovn-northd - namespace: {{ .Values.namespace }} -spec: - ports: - - name: ovn-northd - protocol: TCP - port: 6643 - targetPort: 6643 - type: ClusterIP - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} - selector: - app: ovn-central - ovn-northd-leader: "true" - sessionAffinity: None diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml deleted file mode 100644 index 69d46ad9..00000000 
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CR.yaml +++ /dev/null 
@@ -1,256 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn -rules: - - apiGroups: - - "kubeovn.io" - resources: - - vpcs - - vpcs/status - - vpc-nat-gateways - - vpc-nat-gateways/status - - subnets - - subnets/status - - ippools - - ippools/status - - ips - - vips - - vips/status - - vlans - - vlans/status - - provider-networks - - provider-networks/status - - security-groups - - security-groups/status - - iptables-eips - - iptables-fip-rules - - iptables-dnat-rules - - iptables-snat-rules - - iptables-eips/status - - iptables-fip-rules/status - - iptables-dnat-rules/status - - iptables-snat-rules/status - - ovn-eips - - ovn-fips - - ovn-snat-rules - - ovn-eips/status - - ovn-fips/status - - ovn-snat-rules/status - - ovn-dnat-rules - - ovn-dnat-rules/status - - switch-lb-rules - - switch-lb-rules/status - - vpc-dnses - - vpc-dnses/status - - qos-policies - - qos-policies/status - verbs: - - "*" - - apiGroups: - - "" - resources: - - pods - - namespaces - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - apiGroups: - - "k8s.cni.cncf.io" - resources: - - network-attachment-definitions - verbs: - - get - - apiGroups: - - "" - - networking.k8s.io - resources: - - networkpolicies - - configmaps - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - apiGroups: - - "" - resources: - - services - - services/status - verbs: - - get - - list - - update - - create - - delete - - watch - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - update - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - deployments - - deployments/scale - verbs: - - get - - list - - create - - delete - - update - - 
apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - "*" - - apiGroups: - - "kubevirt.io" - resources: - - virtualmachines - - virtualmachineinstances - verbs: - - get - - list - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn-ovs -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - patch - - apiGroups: - - "" - resources: - - services - - endpoints - verbs: - - get - - apiGroups: - - apps - resources: - - controllerrevisions - verbs: - - get - - list - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-cni -rules: - - apiGroups: - - "kubeovn.io" - - "" - resources: - - subnets - - provider-networks - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - - "kubeovn.io" - resources: - - ovn-eips - - ovn-eips/status - - nodes - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "kubeovn.io" - resources: - - ips - verbs: - - get - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-app -rules: - - apiGroups: - - "" - resources: - - pods - - nodes - verbs: - - get - - list - - apiGroups: - - apps - resources: - - daemonsets - verbs: - - get diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml deleted file mode 100644 index 9230d900..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-CRB.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn -roleRef: - name: system:ovn - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn - namespace: {{ .Values.namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-ovs -roleRef: - name: system:ovn-ovs - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn-ovs - namespace: {{ .Values.namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-cni -roleRef: - name: system:kube-ovn-cni - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-app -roleRef: - name: system:kube-ovn-app - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-app - namespace: {{ .Values.namespace }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml deleted file mode 100644 index 1d799899..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-dpdk-ds.yaml +++ /dev/null 
@@ -1,164 +0,0 @@ -{{- if .Values.HYBRID_DPDK }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn-dpdk - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. -spec: - selector: - matchLabels: - app: ovs-dpdk - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs-dpdk - component: network - type: infra - spec: - tolerations: - - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/kube-ovn/start-ovs-dpdk-v2.sh"] - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HW_OFFLOAD - value: "{{- .Values.func.HW_OFFLOAD }}" - - name: TUNNEL_TYPE - value: "{{- .Values.networking.TUNNEL_TYPE }}" - - name: DPDK_TUNNEL_IFACE - value: "{{- .Values.networking.DPDK_TUNNEL_IFACE }}" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) 
}}" - - name: OVN_REMOTE_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_PROBE_INTERVAL }}" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}" - volumeMounts: - - mountPath: /opt/ovs-config - name: host-config-ovs - - name: shareddir - mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - - name: hugepage - mountPath: /dev/hugepages - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - mountPropagation: HostToContainer - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - -c - - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovs-healthcheck.sh - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }} - memory: {{ index .Values "ovs-ovn" "requests" "memory" }} - limits: - cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }} - {{.Values.HUGEPAGE_SIZE_TYPE}}: {{.Values.HUGEPAGES}} - memory: {{ index .Values "ovs-ovn" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - ovn.kubernetes.io/ovs_dp_type: "userspace" - volumes: - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: shareddir - hostPath: - path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - type: '' - - name: hugepage - emptyDir: - medium: HugePages - - name: host-modules - hostPath: - path: /lib/modules - - 
name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -{{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml deleted file mode 100644 index 17b4a92f..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-sa.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn - namespace: {{ .Values.namespace }} -{{- if .Values.global.registry.imagePullSecrets }} -imagePullSecrets: -{{- range $index, $secret := .Values.global.registry.imagePullSecrets }} -{{- if $secret }} -- name: {{ $secret | quote}} -{{- end }} -{{- end }} -{{- end }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn-ovs - namespace: {{ .Values.namespace }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-app - namespace: {{ .Values.namespace }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml deleted file mode 100644 index dde40203..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovn-tls-secret.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if .Values.networking.ENABLE_SSL }} -{{- $cn := "ovn" -}} -{{- $ca := genCA "ovn-ca" 3650 -}} ---- -apiVersion: v1 -kind: Secret -metadata: - name: kube-ovn-tls - namespace: {{ .Values.namespace }} -data: -{{- $existingSecret := lookup "v1" "Secret" .Values.namespace "kube-ovn-tls" }} - {{- if $existingSecret }} - cacert: {{ index $existingSecret.data "cacert" }} - cert: {{ index $existingSecret.data "cert" }} - key: {{ index $existingSecret.data "key" }} - {{- else }} - {{- with genSignedCert $cn nil nil 3650 $ca }} - cacert: {{ b64enc $ca.Cert }} - cert: {{ b64enc .Cert }} - key: {{ b64enc .Key }} - {{- end }} - {{- end }} -{{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml deleted file mode 100644 index 1dfedf1a..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-ds.yaml +++ /dev/null 
@@ -1,206 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the kube-ovn cni daemon. -spec: - selector: - matchLabels: - app: kube-ovn-cni - template: - metadata: - labels: - app: kube-ovn-cni - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: kube-ovn-cni - hostNetwork: true - hostPID: true - initContainers: - - name: install-cni - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["/kube-ovn/install-cni.sh"] - securityContext: - runAsUser: 0 - privileged: true - volumeMounts: - - mountPath: /opt/cni/bin - name: cni-bin - {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - - mountPath: /usr/local/bin - name: local-bin - {{- end }} - containers: - - name: cni-server - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - bash - - /kube-ovn/start-cniserver.sh - args: - - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }} - - --mirror-iface={{- .Values.debug.MIRROR_IFACE }} - - --node-switch={{ .Values.networking.NODE_SUBNET }} - - --encap-checksum=true - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} - {{- if eq .Values.networking.NETWORK_TYPE "vlan" }} - - --iface= - {{- else}} - - --iface={{- 
.Values.networking.IFACE }} - {{- end }} - - --dpdk-tunnel-iface={{- .Values.networking.DPDK_TUNNEL_IFACE }} - - --network-type={{- .Values.networking.TUNNEL_TYPE }} - - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} - - --cni-conf-dir={{ .Values.cni_conf.CNI_CONF_DIR }} - - --cni-conf-file={{ .Values.cni_conf.CNI_CONF_FILE }} - - --cni-conf-name={{- .Values.cni_conf.CNI_CONFIG_PRIORITY -}}-kube-ovn.conflist - - --logtostderr=false - - --alsologtostderr=true - - --log_file=/var/log/kube-ovn/kube-ovn-cni.log - - --log_file_max_size=0 - - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - - --kubelet-dir={{ .Values.kubelet_conf.KUBELET_DIR }} - - --enable-tproxy={{ .Values.func.ENABLE_TPROXY }} - - --ovs-vsctl-concurrency={{ .Values.performance.OVS_VSCTL_CONCURRENCY }} - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - - name: DBUS_SYSTEM_BUS_ADDRESS - value: "unix:path=/host/var/run/dbus/system_bus_socket" - volumeMounts: - - name: host-modules - mountPath: /lib/modules - readOnly: true - - name: shared-dir - mountPath: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - - mountPath: /etc/openvswitch - name: systemid - readOnly: true - - mountPath: /etc/cni/net.d - name: cni-conf - - mountPath: /run/openvswitch - name: host-run-ovs - mountPropagation: Bidirectional - - mountPath: /run/ovn - name: host-run-ovn - - mountPath: /host/var/run/dbus - name: host-dbus - mountPropagation: HostToContainer - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /var/log/openvswitch 
- name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - readinessProbe: - failureThreshold: 3 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 - resources: - requests: - cpu: {{ index .Values "kube-ovn-cni" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-cni" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: shared-dir - hostPath: - path: {{ .Values.kubelet_conf.KUBELET_DIR }}/pods - - name: systemid - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: cni-conf - hostPath: - path: {{ .Values.cni_conf.CNI_CONF_DIR }} - - name: cni-bin - hostPath: - path: {{ .Values.cni_conf.CNI_BIN_DIR }} - - name: host-ns - hostPath: - path: /var/run/netns - - name: host-dbus - hostPath: - path: /var/run/dbus - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - - name: local-bin - hostPath: - path: {{ .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml deleted file mode 100644 index e1c47c80..00000000 
--- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovncni-svc.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-cni - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-cni -spec: - selector: - app: kube-ovn-cni - ports: - - port: 10665 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml deleted file mode 100644 index 72a5eb40..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ovsovn-ds.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. - chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" -spec: - selector: - matchLabels: - app: ovs - updateStrategy: - type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }} - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs - component: network - type: infra - annotations: - chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - {{- if .Values.DPDK }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }} - {{- else }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - {{- end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.DPDK }} - command: ["/kube-ovn/start-ovs-dpdk.sh"] - {{- else }} - command: - {{- if .Values.DISABLE_MODULES_MANAGEMENT }} - - /bin/sh - - -ec - - | - ln -sf /bin/true /usr/sbin/modprobe - ln -sf /bin/true /usr/sbin/modinfo - ln -sf /bin/true /usr/sbin/rmmod - exec /kube-ovn/start-ovs.sh - {{- else }} - - /kube-ovn/start-ovs.sh - {{- end }} - {{- end }} - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: 
metadata.namespace - - name: HW_OFFLOAD - value: "{{- .Values.func.HW_OFFLOAD }}" - - name: TUNNEL_TYPE - value: "{{- .Values.networking.TUNNEL_TYPE }}" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" - - name: OVN_REMOTE_PROBE_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_PROBE_INTERVAL }}" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "{{ .Values.networking.OVN_REMOTE_OPENFLOW_INTERVAL }}" - volumeMounts: - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/run/containerd - name: cruntime - readOnly: true - {{- if .Values.DPDK }} - - mountPath: /opt/ovs-config - name: host-config-ovs - - mountPath: /dev/hugepages - name: hugepage - {{- end }} - readinessProbe: - exec: - {{- if .Values.DPDK }} - command: - - bash - - /kube-ovn/ovs-dpdk-healthcheck.sh - {{- else }} - command: - - bash - - -c - - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh - {{- end }} - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - {{- if .Values.DPDK }} - command: - - bash - - /kube-ovn/ovs-dpdk-healthcheck.sh - {{- else }} - command: - - bash - - /kube-ovn/ovs-healthcheck.sh - {{- end }} - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - {{- if .Values.DPDK }} - cpu: {{ .Values.DPDK_CPU }} - memory: {{ 
.Values.DPDK_MEMORY }} - {{- else }} - cpu: {{ index .Values "ovs-ovn" "requests" "cpu" }} - memory: {{ index .Values "ovs-ovn" "requests" "memory" }} - {{- end }} - limits: - {{- if .Values.DPDK }} - cpu: {{ .Values.DPDK_CPU }} - memory: {{ .Values.DPDK_MEMORY }} - hugepages-1Gi: 1Gi - {{- else }} - cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }} - memory: {{ index .Values "ovs-ovn" "limits" "memory" }} - {{- end }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-config-ovn - hostPath: - path: {{ .Values.OVN_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - - name: host-ns - hostPath: - path: /var/run/netns - - hostPath: - path: /var/run/containerd - name: cruntime - {{- if .Values.DPDK }} - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: hugepage - emptyDir: - medium: HugePages - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml deleted file mode 100644 index f54b276a..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-ds.yaml +++ /dev/null 
@@ -1,137 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: kube-ovn-pinger - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. -spec: - selector: - matchLabels: - app: kube-ovn-pinger - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: kube-ovn-pinger - component: network - type: infra - spec: - priorityClassName: system-node-critical - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - serviceAccountName: kube-ovn-app - hostPID: true - containers: - - name: pinger - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} - command: - - /kube-ovn/kube-ovn-pinger - args: - - --external-address= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.PINGER_EXTERNAL_ADDRESS }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.PINGER_EXTERNAL_ADDRESS }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.PINGER_EXTERNAL_ADDRESS }} - {{- end }} - - --external-dns= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.PINGER_EXTERNAL_DOMAIN }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.PINGER_EXTERNAL_DOMAIN }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.PINGER_EXTERNAL_DOMAIN }} - {{- end }} - - --ds-namespace={{ .Values.namespace }} - - --logtostderr=false - - --alsologtostderr=true - - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log - - --log_file_max_size=0 - - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - runAsUser: 0 - privileged: false - env: - - name: ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: POD_IP - 
valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /var/log/openvswitch - name: host-log-ovs - readOnly: true - - mountPath: /var/log/ovn - name: host-log-ovn - readOnly: true - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - resources: - requests: - cpu: {{ index .Values "kube-ovn-pinger" "requests" "cpu" }} - memory: {{ index .Values "kube-ovn-pinger" "requests" "memory" }} - limits: - cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }} - memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }} - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: {{ .Values.OPENVSWITCH_DIR }} - - name: host-log-ovs - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/openvswitch - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn - - name: host-log-ovn - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml deleted file mode 100644 index ef169e8e..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pinger-svc.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-pinger - namespace: {{ .Values.namespace }} - labels: - app: kube-ovn-pinger -spec: - selector: - app: kube-ovn-pinger - ports: - - port: 8080 - name: metrics - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml deleted file mode 100644 index d81c5ca2..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/pre-delete-hook.yaml +++ /dev/null 
@@ -1,123 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-pre-delete-hook - namespace: {{ .Values.namespace }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": hook-succeeded - name: system:kube-ovn-pre-delete-hook -rules: - - apiGroups: - - kubeovn.io - resources: - - subnets - verbs: - - get - - list - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-pre-delete-hook - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "3" - "helm.sh/hook-delete-policy": hook-succeeded -roleRef: - name: system:kube-ovn-pre-delete-hook - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-pre-delete-hook - namespace: {{ .Values.namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Chart.Name }}-pre-delete-hook" - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "4" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - completions: 1 - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: kube-ovn-pre-delete-hook - component: job - spec: - tolerations: - - key: "" - operator: "Exists" - effect: "NoSchedule" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - kube-ovn-pre-delete-hook - - key: component - operator: In - values: - - job - restartPolicy: Never - hostNetwork: true - nodeSelector: - kubernetes.io/os: "linux" - serviceAccount: kube-ovn-pre-delete-hook - serviceAccountName: kube-ovn-pre-delete-hook - containers: - - name: remove-subnet-finalizer - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - command: - - sh - - -c - - /kube-ovn/remove-subnet-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-subnet-finalizer.log - volumeMounts: - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - volumes: - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml deleted file mode 100644 index 36a4a27a..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/sb-svc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ovn-sb - namespace: {{ .Values.namespace }} -spec: - ports: - - name: ovn-sb - protocol: TCP - port: 6642 - targetPort: 6642 - type: ClusterIP - {{- if eq .Values.networking.NET_STACK "dual_stack" }} - ipFamilyPolicy: PreferDualStack - {{- end }} - selector: - app: ovn-central - ovn-sb-leader: "true" - sessionAffinity: None diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml deleted file mode 100644 index 94c175fa..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/upgrade-ovs-ovn.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ -{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete" }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovs-ovn-upgrade - namespace: {{ .Values.namespace }} - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": hook-succeeded - name: system:ovs-ovn-upgrade -rules: - - apiGroups: - - apps - resources: - - daemonsets - resourceNames: - - ovs-ovn - verbs: - - get - - apiGroups: - - apps - resources: - - deployments - resourceNames: - - ovn-central - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - apiGroups: - - "" - resources: - - pods - verbs: - - list - - get - - watch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovs-ovn-upgrade - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. 
- "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "3" - "helm.sh/hook-delete-policy": hook-succeeded -roleRef: - name: system:ovs-ovn-upgrade - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovs-ovn-upgrade - namespace: {{ .Values.namespace }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Chart.Name }}-post-upgrade-hook" - namespace: {{ .Values.namespace }} - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - annotations: - # This is what defines this resource as a hook. Without this line, the - # job is considered part of the release. - "helm.sh/hook": post-upgrade - "helm.sh/hook-weight": "4" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - completions: 1 - template: - metadata: - name: "{{ .Release.Name }}" - labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: post-upgrade - component: job - spec: - tolerations: - - key: "" - operator: "Exists" - effect: "NoSchedule" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - post-upgrade - - key: component - operator: In - values: - - job - restartPolicy: Never - hostNetwork: true - nodeSelector: - kubernetes.io/os: "linux" - serviceAccount: ovs-ovn-upgrade - serviceAccountName: ovs-ovn-upgrade - containers: - - name: ovs-ovn-upgrade - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: 
ENABLE_SSL - value: "{{ .Values.networking.ENABLE_SSL }}" - - name: OVN_DB_IPS - value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" - command: - - bash - - -eo - - pipefail - - -c - - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log - volumeMounts: - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /var/run/tls - name: kube-ovn-tls - volumes: - - name: kube-ovn-log - hostPath: - path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -{{ end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml deleted file mode 100755 index 0f9bd0f5..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/vpc-nat-config.yaml +++ /dev/null @@ -1,10 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: ovn-vpc-nat-config - namespace: {{ .Values.namespace }} - annotations: - kubernetes.io/description: | - kube-ovn vpc-nat common config -data: - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }} \ No newline at end of file diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml deleted file mode 100644 index e65c8a85..00000000 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/values.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -# Default values for kubeovn. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - registry: - address: docker.io/kubeovn - imagePullSecrets: [] - images: - kubeovn: - repository: kube-ovn - dpdkRepository: kube-ovn-dpdk - vpcRepository: vpc-nat-gateway - tag: v1.13.0 - support_arm: true - thirdparty: true - -image: - pullPolicy: IfNotPresent - -namespace: kube-system -MASTER_NODES: "" -MASTER_NODES_LABEL: "kube-ovn/role=master" - -networking: - # NET_STACK could be dual_stack, ipv4, ipv6 - NET_STACK: ipv4 - ENABLE_SSL: false - # network type could be geneve or vlan - NETWORK_TYPE: geneve - # tunnel type could be geneve, vxlan or stt - TUNNEL_TYPE: geneve - IFACE: "" - DPDK_TUNNEL_IFACE: "br-phy" - EXCLUDE_IPS: "" - POD_NIC_TYPE: "veth-pair" - vlan: - PROVIDER_NAME: "provider" - VLAN_INTERFACE_NAME: "" - VLAN_NAME: "ovn-vlan" - VLAN_ID: "100" - EXCHANGE_LINK_NAME: false - ENABLE_EIP_SNAT: true - DEFAULT_SUBNET: "ovn-default" - DEFAULT_VPC: "ovn-cluster" - NODE_SUBNET: "join" - ENABLE_ECMP: false - ENABLE_METRICS: true - NODE_LOCAL_DNS_IP: "" - PROBE_INTERVAL: 180000 - OVN_NORTHD_PROBE_INTERVAL: 5000 - OVN_LEADER_PROBE_INTERVAL: 5 - OVN_REMOTE_PROBE_INTERVAL: 10000 - OVN_REMOTE_OPENFLOW_INTERVAL: 180 - OVN_NORTHD_N_THREADS: 1 - ENABLE_COMPACT: false - -func: - ENABLE_LB: true - ENABLE_NP: true - ENABLE_EIP_SNAT: true - ENABLE_EXTERNAL_VPC: true - HW_OFFLOAD: false - ENABLE_LB_SVC: false - ENABLE_KEEP_VM_IP: true - LS_DNAT_MOD_DL_DST: true - LS_CT_SKIP_DST_LPORT_IPS: true - CHECK_GATEWAY: true - LOGICAL_GATEWAY: false - ENABLE_BIND_LOCAL_IP: true - U2O_INTERCONNECTION: false - ENABLE_TPROXY: false - ENABLE_IC: false - -ipv4: - POD_CIDR: "10.16.0.0/16" - POD_GATEWAY: "10.16.0.1" - SVC_CIDR: "10.96.0.0/12" - JOIN_CIDR: "100.64.0.0/16" - PINGER_EXTERNAL_ADDRESS: "1.1.1.1" - PINGER_EXTERNAL_DOMAIN: "alauda.cn." 
- -ipv6: - POD_CIDR: "fd00:10:16::/112" - POD_GATEWAY: "fd00:10:16::1" - SVC_CIDR: "fd00:10:96::/112" - JOIN_CIDR: "fd00:100:64::/112" - PINGER_EXTERNAL_ADDRESS: "2606:4700:4700::1111" - PINGER_EXTERNAL_DOMAIN: "google.com." - -dual_stack: - POD_CIDR: "10.16.0.0/16,fd00:10:16::/112" - POD_GATEWAY: "10.16.0.1,fd00:10:16::1" - SVC_CIDR: "10.96.0.0/12,fd00:10:96::/112" - JOIN_CIDR: "100.64.0.0/16,fd00:100:64::/112" - PINGER_EXTERNAL_ADDRESS: "1.1.1.1,2606:4700:4700::1111" - PINGER_EXTERNAL_DOMAIN: "google.com." - -performance: - GC_INTERVAL: 360 - INSPECT_INTERVAL: 20 - OVS_VSCTL_CONCURRENCY: 100 - -debug: - ENABLE_MIRROR: false - MIRROR_IFACE: "mirror0" - -cni_conf: - CNI_CONFIG_PRIORITY: "01" - CNI_CONF_DIR: "/etc/cni/net.d" - CNI_BIN_DIR: "/opt/cni/bin" - CNI_CONF_FILE: "/kube-ovn/01-kube-ovn.conflist" - LOCAL_BIN_DIR: "/usr/local/bin" - MOUNT_LOCAL_BIN_DIR: false - -kubelet_conf: - KUBELET_DIR: "/var/lib/kubelet" - -log_conf: - LOG_DIR: "/var/log" - -OPENVSWITCH_DIR: "/etc/origin/openvswitch" -OVN_DIR: "/etc/origin/ovn" -DISABLE_MODULES_MANAGEMENT: false - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -# hybrid dpdk -HYBRID_DPDK: false -HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default -HUGEPAGES: 1Gi - -# DPDK -DPDK: false -DPDK_VERSION: "19.11" -DPDK_CPU: "1000m" # Default CPU configuration -DPDK_MEMORY: "2Gi" # Default Memory configuration - -ovn-central: - requests: - cpu: "300m" - memory: "200Mi" - limits: - cpu: "3" - memory: "4Gi" -ovs-ovn: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "2" - memory: "1000Mi" -kube-ovn-controller: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "1000m" - memory: "1Gi" -kube-ovn-cni: - requests: - cpu: "100m" - memory: "100Mi" - limits: - cpu: "1000m" - memory: "1Gi" -kube-ovn-pinger: - requests: - cpu: "100m" - memory: "100Mi" - limits: - cpu: "200m" - memory: "400Mi" -kube-ovn-monitor: - requests: - cpu: "200m" - memory: "200Mi" - limits: - cpu: "200m" - memory: "200Mi" 
diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
index 8be2462d..9a216a38 100644
--- a/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/_helpers.tpl
@@ -29,3 +29,28 @@ Number of master nodes
 {{- define "kubeovn.nodeCount" -}}
 {{- len (split "," (.Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .))) }}
 {{- end -}}
+
+{{- define "kubeovn.ovs-ovn.updateStrategy" -}}
+ {{- $ds := lookup "apps/v1" "DaemonSet" $.Values.namespace "ovs-ovn" -}}
+ {{- if $ds -}}
+ {{- if eq $ds.spec.updateStrategy.type "RollingUpdate" -}}
+ RollingUpdate
+ {{- else -}}
+ {{- $chartVersion := index $ds.metadata.annotations "chart-version" }}
+ {{- $newChartVersion := printf "%s-%s" .Chart.Name .Chart.Version }}
+ {{- $imageVersion := (index $ds.spec.template.spec.containers 0).image | splitList ":" | last | trimPrefix "v" -}}
+ {{- $versionRegex := `^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)` -}}
+ {{- if and (ne $newChartVersion $chartVersion) (regexMatch $versionRegex $imageVersion) -}}
+ {{- if regexFind $versionRegex $imageVersion | semverCompare ">= 1.12.0" -}}
+ RollingUpdate
+ {{- else -}}
+ OnDelete
+ {{- end -}}
+ {{- else -}}
+ OnDelete
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ RollingUpdate
+ {{- end -}}
+{{- end -}}
diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
index bf234e11..cd0d94f1 100644
--- a/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
+++ b/packages/system/kubeovn/charts/kube-ovn/templates/central-deploy.yaml
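Review bot: `index $ds.metadata.annotations "chart-version"` in the new `kubeovn.ovs-ovn.updateStrategy` helper is reached for any existing `ovs-ovn` DaemonSet whose strategy is not RollingUpdate, and if that object carries no annotations at all (a DaemonSet created by a chart that predates the `chart-version` annotation, which is the upgrade case this helper exists for) `metadata.annotations` resolves to nil and, as far as I can tell, `index` aborts the render with "index of untyped nil"; guarding it, e.g. `{{- $chartVersion := index (default (dict) $ds.metadata.annotations) "chart-version" }}`, keeps the helper on its OnDelete path instead of failing the release. `lookup` also returns nothing under `helm template` / `--dry-run`, so the helper then always answers RollingUpdate and the strategy-dependent pieces elsewhere in the chart cannot be exercised offline; a comment on the `lookup` line stating this would save the next reader a debugging session. `$versionRegex` is shown on this page as `(?P0|[1-9]\d*)`, which as written is not valid Go regexp syntax (`(?P` needs a `<name>`); if the `<name>` parts were stripped by rendering that is fine, but if the file really reads this way `regexMatch` silently returns false and every upgrade degrades to OnDelete, so it is worth checking in the checked-in file. An image reference pinned by digest (`…@sha256:…`) also fails the regex after `splitList ":" | last`, so a digest-pinned `ovs-ovn` image always yields OnDelete — worth a comment if that is intended.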
@@ -42,7 +42,7 @@ spec: hostNetwork: true containers: - name: ovn-central - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /kube-ovn/start-db.sh @@ -74,12 +74,18 @@ spec: value: "{{- .Values.func.ENABLE_BIND_LOCAL_IP }}" - name: PROBE_INTERVAL value: "{{ .Values.networking.PROBE_INTERVAL }}" + - name: OVN_NORTHD_PROBE_INTERVAL + value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}" - name: OVN_LEADER_PROBE_INTERVAL value: "{{ .Values.networking.OVN_LEADER_PROBE_INTERVAL }}" - name: OVN_NORTHD_N_THREADS value: "{{ .Values.networking.OVN_NORTHD_N_THREADS }}" - name: ENABLE_COMPACT value: "{{ .Values.networking.ENABLE_COMPACT }}" + {{- if include "kubeovn.ovs-ovn.updateStrategy" . | eq "OnDelete" }} + - name: OVN_VERSION_COMPATIBILITY + value: "21.06" + {{- end }} resources: requests: cpu: {{ index .Values "ovn-central" "requests" "cpu" }} @@ -92,9 +98,6 @@ spec: name: host-run-ovs - mountPath: /var/run/ovn name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - mountPath: /etc/openvswitch name: host-config-openvswitch - mountPath: /etc/ovn @@ -136,9 +139,6 @@ spec: - name: host-run-ovn hostPath: path: /run/ovn - - name: host-sys - hostPath: - path: /sys - name: host-config-openvswitch hostPath: path: {{ .Values.OPENVSWITCH_DIR }} diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml index 0e694945..80ecd53a 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml 
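Review bot: `value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL}}"` in the second hunk is missing the space before `}}` that every neighbouring expression has; write `value: "{{ .Values.networking.OVN_NORTHD_PROBE_INTERVAL }}"`. The hard-coded `OVN_VERSION_COMPATIBILITY` of `"21.06"` is set only when the ovs-ovn strategy resolves to `OnDelete`, which presumably keeps northd talking to the still-running pre-upgrade ovs-ovn pods; a comment above the `{{- if` line stating that, and where the `21.06` figure comes from, would make the branch maintainable. Dropping the `/sys` hostPath mount from ovn-central is a welcome reduction of host exposure and needs no change.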
@@ -49,49 +49,22 @@ spec: hostNetwork: true containers: - name: kube-ovn-controller - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: + {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} - /kube-ovn/start-controller.sh - --default-ls={{ .Values.networking.DEFAULT_SUBNET }} - - --default-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_CIDR }} - {{- end }} - - --default-gateway= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.POD_GATEWAY }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.POD_GATEWAY }} - {{- end }} + - --default-cidr={{ index $cozyConfig.data "ipv4-pod-cidr" }} + - --default-gateway={{ index $cozyConfig.data "ipv4-pod-gateway" }} - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }} - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }} - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }} - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }} - --cluster-router={{ .Values.networking.DEFAULT_VPC }} - --node-switch={{ .Values.networking.NODE_SUBNET }} - - --node-switch-cidr= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.JOIN_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.JOIN_CIDR }} - {{- end }} - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ 
.Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} + - --node-switch-cidr={{ index $cozyConfig.data "ipv4-join-cidr" }} + - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} - --network-type={{- .Values.networking.NETWORK_TYPE }} - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }} - --default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} @@ -99,6 +72,7 @@ spec: - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }} - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }} - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }} + - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }} - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }} - --enable-lb={{- .Values.func.ENABLE_LB }} - --enable-np={{- .Values.func.ENABLE_NP }} @@ -113,7 +87,6 @@ spec: - --log_file_max_size=0 - --enable-lb-svc={{- .Values.func.ENABLE_LB_SVC }} - --keep-vm-ip={{- .Values.func.ENABLE_KEEP_VM_IP }} - - --pod-default-fip-type={{- .Values.networking.POD_DEFAULT_FIP_TYPE }} - --enable-metrics={{- .Values.networking.ENABLE_METRICS }} - --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }} env: diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml similarity index 95% rename from packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml rename to packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml index 0d0f225f..64b086c4 100644 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/ic-controller-deploy.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ic-controller-deploy.yaml 
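Review bot: the `$cozyConfig` lookup introduced in the first hunk has no guard: `lookup` returns an empty map when the `cozy-system/cozystack` ConfigMap is absent or when rendering offline (`helm template`, `--dry-run`), so `$cozyConfig.data` is nil and `index` aborts with `index of untyped nil`, or, under a lenient renderer, kube-ovn-controller starts with empty `--default-cidr`, `--default-gateway`, `--node-switch-cidr` and `--service-cluster-ip-range`. Read the map once with a fallback and make every key mandatory, e.g. `{{- $cozyData := (lookup "v1" "ConfigMap" "cozy-system" "cozystack").data | default dict }}` followed by `- --default-cidr={{ required "cozy-system/cozystack ConfigMap: ipv4-pod-cidr is missing" (index $cozyData "ipv4-pod-cidr") }}` and the same for the other three keys. The identical unguarded pattern appears in ovncni-ds.yaml (`--service-cluster-ip-range`) and in the new patches/cozyconfig.diff. The `args:` list of this container begins before and continues after these hunks.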
@@ -43,7 +43,7 @@ spec: hostNetwork: true containers: - name: ovn-ic-controller - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ic-controller.sh"] args: diff --git a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml similarity index 98% rename from packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml rename to packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml index a305a378..dd087552 100644 --- a/packages/system/kubeovn/charts/kube-ovn/kube-ovn/templates/kube-ovn-crd.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/kube-ovn-crd.yaml @@ -1268,9 +1268,15 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string - jsonPath: .status.v4Ip name: V4Ip type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string - jsonPath: .status.ready name: Ready type: boolean @@ -1325,6 +1331,8 @@ spec: type: string v4Ip: type: string + v6Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1353,9 +1361,15 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string - jsonPath: .status.v4IpCidr name: V4IpCidr type: string + - jsonPath: .status.v6IpCidr + name: V6IpCidr + type: string - jsonPath: .status.ready name: Ready type: boolean @@ -1370,8 +1384,12 @@ spec: type: boolean v4Eip: type: string + v6Eip: + type: string v4IpCidr: type: string + v6IpCidr: + type: string vpc: type: string conditions: @@ -1404,6 +1422,8 @@ spec: type: string v4IpCidr: type: string + v6IpCidr: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -1438,9 +1458,15 @@ spec: - jsonPath: .status.v4Eip name: V4Eip type: string + - jsonPath: .status.v6Eip + name: V6Eip + type: string - jsonPath: .status.v4Ip name: V4Ip type: string + - jsonPath: .status.v6Ip + name: V6Ip + type: string - jsonPath: .status.internalPort name: InternalPort type: string @@ -1512,6 +1538,8 @@ spec: type: string v4Ip: type: string + v6Ip: + type: string --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1873,6 +1901,9 @@ spec: - name: Vpc type: string jsonPath: .spec.vpc + - name: Vlan + type: string + jsonPath: .spec.vlan - name: Protocol type: string jsonPath: .spec.protocol @@ -1913,6 +1944,12 @@ spec: openAPIV3Schema: type: object properties: + metadata: + type: object + properties: + name: + type: string + pattern: ^[^0-9] status: type: object properties: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml index b938ebfe..af9bcfe9 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/monitor-deploy.yaml @@ -40,7 +40,7 @@ spec: hostNetwork: true containers: - name: kube-ovn-monitor - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ovn-monitor.sh"] args: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml index 2aa39184..54e69a5b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-CR.yaml 
@@ -54,17 +54,28 @@ rules: - "" resources: - pods - - pods/exec - namespaces - - nodes - - configmaps verbs: - - create - get - list + - patch - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list - patch - update + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - create - apiGroups: - "k8s.cni.cncf.io" resources: @@ -74,40 +85,53 @@ rules: - apiGroups: - "" - networking.k8s.io - - apps resources: - networkpolicies - - daemonsets + - configmaps verbs: - get - list - watch - apiGroups: - - "" - apps resources: - - services/status + - daemonsets verbs: - - update + - get - apiGroups: - "" - - networking.k8s.io - - apps - - extensions resources: - services + - services/status + verbs: + - get + - list + - update + - create + - delete + - watch + - apiGroups: + - "" + resources: - endpoints + verbs: + - create + - update + - get + - list + - watch + - apiGroups: + - apps + resources: - statefulsets - deployments - deployments/scale verbs: + - get + - list - create - delete - update - - patch - - get - - list - - watch - apiGroups: - "" resources: @@ -148,8 +172,6 @@ rules: - patch - apiGroups: - "" - - networking.k8s.io - - apps resources: - services - endpoints @@ -176,26 +198,30 @@ rules: resources: - subnets - provider-networks - - ovn-eips - - ovn-eips/status - - ips verbs: - get - list - - patch - - update - watch - apiGroups: - "" + - "kubeovn.io" resources: - - pods + - ovn-eips + - ovn-eips/status - nodes - - configmaps + - pods verbs: - get - list - patch - watch + - apiGroups: + - "kubeovn.io" + resources: + - ips + verbs: + - get + - update - apiGroups: - "" resources: @@ -204,6 +230,14 @@ rules: - create - patch - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -222,8 +256,6 @@ rules: - get - list - apiGroups: - - "" - - networking.k8s.io - apps resources: - daemonsets 
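Review bot: the `pods/exec` `create` rule isolated in the first hunk still applies cluster-wide, which lets the bound ServiceAccount run commands in any pod of any namespace; the split makes the grant visible, but nothing records which kube-ovn component needs it, so add a comment above that rule such as `# pods/exec create: needed by <component> for <purpose> — verify against the consumer` or drop it if no in-cluster code path still uses it. In the `@@ -176,26 +198,30 @@` hunk a single rule lists apiGroups `""` and `"kubeovn.io"` against `ovn-eips`, `ovn-eips/status`, `nodes` and `pods`; RBAC evaluates the cross product, so nothing extra is granted today, but splitting it into a core-group rule for `nodes`/`pods` and a `kubeovn.io` rule for `ovn-eips` keeps each grant individually reviewable. The ClusterRole names these rules belong to are outside the hunks.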
diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml index 1d799899..e1cb0a4b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovn-dpdk-ds.yaml @@ -31,7 +31,7 @@ spec: hostPID: true containers: - name: openvswitch - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}-dpdk + image: {{ include "kubeovn.image" . }}-dpdk imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/start-ovs-dpdk-v2.sh"] securityContext: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml index d9a9a676..94c0ebc2 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml @@ -30,7 +30,7 @@ spec: hostPID: true initContainers: - name: install-cni - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/kube-ovn/install-cni.sh"] securityContext: 
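Review bot: `image: {{ include "kubeovn.image" . }}-dpdk` appends the suffix after the digest: the helper renders `<tag>@sha256:<digest>`, so the result is `...@sha256:<digest>-dpdk`, which is not a valid image reference and would not select a DPDK build even if it were. Either build and pin a separate DPDK image with its own tag/json pair and a `kubeovn.dpdkImage` helper, or keep this DaemonSet on the previous explicit repository expression until one exists. ovsovn-ds.yaml has the related defect that both branches of its `{{- if .Values.DPDK }}` now render the same image.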
@@ -45,24 +45,18 @@ spec: {{- end }} containers: - name: cni-server - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - bash - /kube-ovn/start-cniserver.sh args: + {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }} - --mirror-iface={{- .Values.debug.MIRROR_IFACE }} - --node-switch={{ .Values.networking.NODE_SUBNET }} - --encap-checksum=true - - --service-cluster-ip-range= - {{- if eq .Values.networking.NET_STACK "dual_stack" -}} - {{ .Values.dual_stack.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv4" -}} - {{ .Values.ipv4.SVC_CIDR }} - {{- else if eq .Values.networking.NET_STACK "ipv6" -}} - {{ .Values.ipv6.SVC_CIDR }} - {{- end }} + - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} {{- if eq .Values.networking.NETWORK_TYPE "vlan" }} - --iface= {{- else}} @@ -96,10 +90,6 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: MODULES - value: "{{- .Values.performance.MODULES }}" - - name: RPMS - value: "{{- .Values.performance.RPMS }}" - name: POD_IPS valueFrom: fieldRef: @@ -139,8 +129,6 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /tmp - name: tmp readinessProbe: failureThreshold: 3 periodSeconds: 7 @@ -205,9 +193,6 @@ spec: - name: host-log-ovn hostPath: path: {{ .Values.log_conf.LOG_DIR }}/ovn - - name: tmp - hostPath: - path: /tmp {{- if .Values.cni_conf.MOUNT_LOCAL_BIN_DIR }} - name: local-bin hostPath: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml index 319d74a9..b7176d18 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovsovn-ds.yaml 
@@ -6,12 +6,13 @@ metadata: annotations: kubernetes.io/description: | This daemon set launches the openvswitch daemon. + chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" spec: selector: matchLabels: app: ovs updateStrategy: - type: RollingUpdate + type: {{ include "kubeovn.ovs-ovn.updateStrategy" . }} rollingUpdate: maxSurge: 1 maxUnavailable: 0 @@ -21,6 +22,8 @@ spec: app: ovs component: network type: infra + annotations: + chart-version: "{{ .Chart.Name }}-{{ .Chart.Version }}" spec: tolerations: - effect: NoSchedule @@ -36,9 +39,9 @@ spec: containers: - name: openvswitch {{- if .Values.DPDK }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.dpdkRepository }}:{{ .Values.DPDK_VERSION }}-{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} {{- else }} - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.DPDK }} @@ -100,9 +103,6 @@ spec: name: host-run-ovs - mountPath: /var/run/ovn name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - mountPath: /etc/openvswitch name: host-config-openvswitch - mountPath: /etc/ovn @@ -185,9 +185,6 @@ spec: - name: host-run-ovn hostPath: path: /run/ovn - - name: host-sys - hostPath: - path: /sys - name: host-config-openvswitch hostPath: path: {{ .Values.OPENVSWITCH_DIR }} diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml index f54b276a..f6eb84fd 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/pinger-ds.yaml 
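Review bot: adding `chart-version` to the pod-template annotations (second hunk) turns every chart version bump into a pod-template change, so whenever the strategy resolves to `RollingUpdate` each chart release restarts every ovs-ovn pod even if the image and configuration are unchanged; if that is the intended trigger for the update-strategy helper, say so next to it, e.g. `# pod-template annotation: a chart version bump always produces a new ovs-ovn rollout`. The `rollingUpdate:` block is still emitted unconditionally under `updateStrategy` even when `type` renders as `OnDelete`; I could not confirm here whether the API server accepts that combination for DaemonSets, so it is worth wrapping it in `{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "RollingUpdate" }}`. Dropping the `/sys` hostPath mount is a good tightening.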
@@ -31,7 +31,7 @@ spec: hostPID: true containers: - name: pinger - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + image: {{ include "kubeovn.image" . }} command: - /kube-ovn/kube-ovn-pinger args: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml index d81c5ca2..f6dbca82 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/pre-delete-hook.yaml @@ -104,7 +104,7 @@ spec: serviceAccountName: kube-ovn-pre-delete-hook containers: - name: remove-subnet-finalizer - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" + image: "{{ include "kubeovn.image" . }}" env: - name: POD_NAMESPACE valueFrom: diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml index 980354e6..bfc5eede 100644 --- a/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/upgrade-ovs-ovn.yaml @@ -1,5 +1,4 @@ -{{ if (lookup "apps/v1" "DaemonSet" .Values.namespace "ovs-ovn") }} -{{ if eq (lookup "apps/v1" "DaemonSet" .Values.namespace "ovs-ovn").spec.updateStrategy.type "OnDelete" }} +{{- if eq (include "kubeovn.ovs-ovn.updateStrategy" .) "OnDelete" }} --- apiVersion: v1 kind: ServiceAccount @@ -33,6 +32,16 @@ rules: - ovs-ovn verbs: - get + - apiGroups: + - apps + resources: + - deployments + resourceNames: + - ovn-central + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -46,6 +55,7 @@ rules: verbs: - list - get + - watch - delete --- apiVersion: rbac.authorization.k8s.io/v1 
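Review bot: in upgrade-ovs-ovn.yaml the new rule combining `resourceNames: [ovn-central]` with `list` and `watch` does not do what it appears to: RBAC applies `resourceNames` to list/watch only when the request carries `fieldSelector=metadata.name=ovn-central`, so a plain list or an informer from upgrade-ovs.sh is denied while `get` works. If the script only reads that one Deployment, keep `verbs: [get]`; if it genuinely watches, either make it select by name or move `list`/`watch` into a separate rule without `resourceNames`. Which API calls upgrade-ovs.sh makes is not visible in this diff.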
@@ -121,22 +131,33 @@ spec: serviceAccountName: ovs-ovn-upgrade containers: - name: ovs-ovn-upgrade - image: "{{ .Values.global.registry.address}}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }}" + image: "{{ include "kubeovn.image" . }}" env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace + - name: ENABLE_SSL + value: "{{ .Values.networking.ENABLE_SSL }}" + - name: OVN_DB_IPS + value: "{{ .Values.MASTER_NODES | default (include "kubeovn.nodeIPs" .) }}" command: - - sh + - bash + - -eo + - pipefail - -c - /kube-ovn/upgrade-ovs.sh 2>&1 | tee -a /var/log/kube-ovn/upgrade-ovs.log volumeMounts: - mountPath: /var/log/kube-ovn name: kube-ovn-log + - mountPath: /var/run/tls + name: kube-ovn-tls volumes: - name: kube-ovn-log hostPath: path: {{ .Values.log_conf.LOG_DIR }}/kube-ovn -{{ end }} + - name: kube-ovn-tls + secret: + optional: true + secretName: kube-ovn-tls {{ end }} diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml index 0f9bd0f5..70460d2f 100755 --- a/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/templates/vpc-nat-config.yaml @@ -7,4 +7,4 @@ metadata: kubernetes.io/description: | kube-ovn vpc-nat common config data: - image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.vpcRepository }}:{{ .Values.global.images.kubeovn.tag }} \ No newline at end of file + image: {{ include "kubeovn.image" . }} \ No newline at end of file diff --git a/packages/system/kubeovn/charts/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/values.yaml index bfffc4d7..77be5a8b 100644 --- a/packages/system/kubeovn/charts/kube-ovn/values.yaml +++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml 
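Review bot: vpc-nat-config.yaml now publishes the main kube-ovn image as the VPC NAT gateway image: the removed line used a distinct repository (`.Values.global.images.kubeovn.vpcRepository`) while `kubeovn.image` resolves `images/kubeovn.tag`, which this commit builds from the kube-ovn Dockerfile only. Unless that image also carries the NAT-gateway entrypoint, gateway pods will start from the wrong image; a separately pinned tag/digest pair and helper for the NAT gateway is the consistent fix. In the upgrade Job, `kube-ovn-tls` is mounted with `optional: true` while `ENABLE_SSL` is passed through from values; when SSL is enabled a missing secret should fail the Job rather than run the upgrade without certificates, e.g. `optional: {{ not .Values.networking.ENABLE_SSL }}`.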
@@ -40,7 +40,6 @@ networking: VLAN_ID: "100" EXCHANGE_LINK_NAME: false ENABLE_EIP_SNAT: true - POD_DEFAULT_FIP_TYPE: "" DEFAULT_SUBNET: "ovn-default" DEFAULT_VPC: "ovn-cluster" NODE_SUBNET: "join" @@ -48,6 +47,7 @@ networking: ENABLE_METRICS: true NODE_LOCAL_DNS_IP: "" PROBE_INTERVAL: 180000 + OVN_NORTHD_PROBE_INTERVAL: 5000 OVN_LEADER_PROBE_INTERVAL: 5 OVN_REMOTE_PROBE_INTERVAL: 10000 OVN_REMOTE_OPENFLOW_INTERVAL: 180 @@ -63,19 +63,17 @@ func: ENABLE_LB_SVC: false ENABLE_KEEP_VM_IP: true LS_DNAT_MOD_DL_DST: true + LS_CT_SKIP_DST_LPORT_IPS: true CHECK_GATEWAY: true LOGICAL_GATEWAY: false ENABLE_BIND_LOCAL_IP: true U2O_INTERCONNECTION: false ENABLE_TPROXY: false + ENABLE_IC: false ipv4: - POD_CIDR: "10.16.0.0/16" - POD_GATEWAY: "10.16.0.1" - SVC_CIDR: "10.96.0.0/12" - JOIN_CIDR: "100.64.0.0/16" PINGER_EXTERNAL_ADDRESS: "1.1.1.1" - PINGER_EXTERNAL_DOMAIN: "alauda.cn." + PINGER_EXTERNAL_DOMAIN: "kube-ovn.io." ipv6: POD_CIDR: "fd00:10:16::/112" @@ -94,8 +92,6 @@ dual_stack: PINGER_EXTERNAL_DOMAIN: "google.com." performance: - MODULES: "kube_ovn_fastpath.ko" - RPMS: "openvswitch-kmod" GC_INTERVAL: 360 INSPECT_INTERVAL: 20 OVS_VSCTL_CONCURRENCY: 100 @@ -149,7 +145,7 @@ ovs-ovn: cpu: "200m" memory: "200Mi" limits: - cpu: "1000m" + cpu: "2" memory: "1000Mi" kube-ovn-controller: requests: diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json new file mode 100644 index 00000000..f482cd71 --- /dev/null +++ b/packages/system/kubeovn/images/kubeovn.json @@ -0,0 +1,4 @@ +{ + "containerimage.config.digest": "sha256:f83db05cfc7228a02d1308721de535e90e355d1b147b2d36bb98e10a848c3ef6", + "containerimage.digest": "sha256:440075488baba3610d7f8be6283f89ab3862ff3a9556c51a0e99ec6d46315192" +} \ No newline at end of file diff --git a/packages/system/kubeovn/images/kubeovn.tag b/packages/system/kubeovn/images/kubeovn.tag new file mode 100644 index 00000000..13402f01 --- /dev/null +++ b/packages/system/kubeovn/images/kubeovn.tag 
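Review bot: the `ipv4` CIDR keys are removed while the `ipv6:` and `dual_stack:` blocks keep their `POD_CIDR`/`POD_GATEWAY`/`SVC_CIDR`/`JOIN_CIDR` entries, yet after this commit controller-deploy.yaml and ovncni-ds.yaml take the CIDRs from the `cozy-system/cozystack` ConfigMap and no longer consult `networking.NET_STACK` for them; those keys are now dead and suggest an IPv6/dual-stack knob that does not work. Either remove them too or add a comment above `ipv6:` such as `# POD/SVC/JOIN CIDRs are read from the cozy-system/cozystack ConfigMap; the CIDR values below are not used by the templates`. `ENABLE_IC: false` is added under `func:` with no template in the visible diff reading it; note where it is consumed or leave it out until it is.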
@@ -0,0 +1 @@
+ghcr.io/aenix-io/cozystack/kubeovn:latest
diff --git a/packages/system/kubeovn/images/kubeovn/Dockerfile b/packages/system/kubeovn/images/kubeovn/Dockerfile
new file mode 100644
index 00000000..632a76da
--- /dev/null
+++ b/packages/system/kubeovn/images/kubeovn/Dockerfile
@@ -0,0 +1,43 @@
+ARG VERSION=v1.13.0
+ARG BASE_TAG=$VERSION
+
+FROM golang:1.22-bookworm as builder
+
+ARG COMMIT_REF=e1310e1
+
+WORKDIR /source
+
+RUN wget -O- https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz | tar xzf - --strip-components=1
+RUN sed -i 's|-z now|-z now -static|' Makefile
+RUN make build-go
+
+WORKDIR /source/dist/images
+
+# imported from https://github.com/kubeovn/kube-ovn/blob/master/dist/images/Dockerfile
+FROM kubeovn/kube-ovn-base:$BASE_TAG
+
+COPY --from=builder /source/dist/images/*.sh /kube-ovn/
+COPY --from=builder /source/dist/images/kubectl-ko /kube-ovn/kubectl-ko
+COPY --from=builder /source/dist/images/01-kube-ovn.conflist /kube-ovn/01-kube-ovn.conflist
+COPY --from=builder /source/dist/images/logrotate/* /etc/logrotate.d/
+COPY --from=builder /source/dist/images/grace_stop_ovn_controller /usr/share/ovn/scripts/grace_stop_ovn_controller
+
+WORKDIR /kube-ovn
+
+RUN /kube-ovn/iptables-wrapper-installer.sh --no-sanity-check
+RUN rm -f /usr/bin/nc &&\
+ rm -f /usr/bin/netcat &&\
+ rm -f /usr/lib/apt/methods/mirror
+RUN deluser sync
+
+COPY --from=builder /source/dist/images/kube-ovn /kube-ovn/kube-ovn
+COPY --from=builder /source/dist/images/kube-ovn-cmd /kube-ovn/kube-ovn-cmd
+COPY --from=builder /source/dist/images/kube-ovn-webhook /kube-ovn/kube-ovn-webhook
+RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-daemon && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller-healthcheck && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
+ ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller
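Review bot: the builder stage fetches `https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz` with an abbreviated 7-character `COMMIT_REF` and pipes it straight into `tar` with no integrity check, and the runtime stage starts `FROM kubeovn/kube-ovn-base:$BASE_TAG` by mutable tag, so neither input is reproducibly pinned and the digest later recorded in images/kubeovn.json does not identify what was actually built. Pin the source to the full commit (`ARG COMMIT_REF=<full-40-char-sha placeholder>`), download to a file and check a recorded checksum before extracting (`RUN wget -O src.tar.gz https://github.com/kubeovn/kube-ovn/archive/${COMMIT_REF}.tar.gz && echo "<sha256 placeholder>  src.tar.gz" | sha256sum -c && tar xzf src.tar.gz --strip-components=1`), and pin the base image by digest (`FROM kubeovn/kube-ovn-base:$BASE_TAG@sha256:<digest placeholder>`); `golang:1.22-bookworm` is likewise a floating tag. A short comment above `RUN sed -i 's|-z now|-z now -static|' Makefile` explaining why the binaries are linked statically would help the next maintainer of this fork.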
diff --git a/packages/system/kubeovn/patches/cozyconfig.diff b/packages/system/kubeovn/patches/cozyconfig.diff
new file mode 100644
index 00000000..c5a14190
--- /dev/null
+++ b/packages/system/kubeovn/patches/cozyconfig.diff
@@ -0,0 +1,97 @@ + +diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml +index d9a9a67..b2e12dd 100644 +--- a/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml ++++ b/packages/system/kubeovn/charts/kube-ovn/templates/ovncni-ds.yaml +@@ -51,18 +51,12 @@ spec: + - bash + - /kube-ovn/start-cniserver.sh + args: ++ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} + - --enable-mirror={{- .Values.debug.ENABLE_MIRROR }} + - --mirror-iface={{- .Values.debug.MIRROR_IFACE }} + - --node-switch={{ .Values.networking.NODE_SUBNET }} + - --encap-checksum=true +- - --service-cluster-ip-range= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.SVC_CIDR }} +- {{- end }} ++ - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} + {{- if eq .Values.networking.NETWORK_TYPE "vlan" }} + - --iface= + {{- else}} +diff --git a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml +index 0e69494..756eb7c 100644 +--- a/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml ++++ b/packages/system/kubeovn/charts/kube-ovn/templates/controller-deploy.yaml +@@ -52,46 +52,19 @@ spec: + image: {{ .Values.global.registry.address }}/{{ .Values.global.images.kubeovn.repository }}:{{ .Values.global.images.kubeovn.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: ++ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} + - /kube-ovn/start-controller.sh + - --default-ls={{ .Values.networking.DEFAULT_SUBNET }} +- - --default-cidr= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ 
.Values.dual_stack.POD_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.POD_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.POD_CIDR }} +- {{- end }} +- - --default-gateway= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.POD_GATEWAY }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.POD_GATEWAY }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.POD_GATEWAY }} +- {{- end }} ++ - --default-cidr={{ index $cozyConfig.data "ipv4-pod-cidr" }} ++ - --default-gateway={{ index $cozyConfig.data "ipv4-pod-gateway" }} + - --default-gateway-check={{- .Values.func.CHECK_GATEWAY }} + - --default-logical-gateway={{- .Values.func.LOGICAL_GATEWAY }} + - --default-u2o-interconnection={{- .Values.func.U2O_INTERCONNECTION }} + - --default-exclude-ips={{- .Values.networking.EXCLUDE_IPS }} + - --cluster-router={{ .Values.networking.DEFAULT_VPC }} + - --node-switch={{ .Values.networking.NODE_SUBNET }} +- - --node-switch-cidr= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.JOIN_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.JOIN_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.JOIN_CIDR }} +- {{- end }} +- - --service-cluster-ip-range= +- {{- if eq .Values.networking.NET_STACK "dual_stack" -}} +- {{ .Values.dual_stack.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv4" -}} +- {{ .Values.ipv4.SVC_CIDR }} +- {{- else if eq .Values.networking.NET_STACK "ipv6" -}} +- {{ .Values.ipv6.SVC_CIDR }} +- {{- end }} ++ - --node-switch-cidr={{ index $cozyConfig.data "ipv4-join-cidr" }} ++ - --service-cluster-ip-range={{ index $cozyConfig.data "ipv4-svc-cidr" }} + - --network-type={{- .Values.networking.NETWORK_TYPE }} + - --default-provider-name={{ .Values.networking.vlan.PROVIDER_NAME }} + - 
--default-interface-name={{- .Values.networking.vlan.VLAN_INTERFACE_NAME }} +diff --git a/packages/system/kubeovn/charts/kube-ovn/values.yaml b/packages/system/kubeovn/charts/kube-ovn/values.yaml +index bfffc4d..b880749 100644 +--- a/packages/system/kubeovn/charts/kube-ovn/values.yaml ++++ b/packages/system/kubeovn/charts/kube-ovn/values.yaml +@@ -70,10 +70,6 @@ func: + ENABLE_TPROXY: false + + ipv4: +- POD_CIDR: "10.16.0.0/16" +- POD_GATEWAY: "10.16.0.1" +- SVC_CIDR: "10.96.0.0/12" +- JOIN_CIDR: "100.64.0.0/16" + PINGER_EXTERNAL_ADDRESS: "1.1.1.1" + PINGER_EXTERNAL_DOMAIN: "alauda.cn." + diff --git a/packages/system/kubeovn/templates/_helpers.tpl b/packages/system/kubeovn/templates/_helpers.tpl new file mode 100644 index 00000000..83e3b907 --- /dev/null +++ b/packages/system/kubeovn/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "kubeovn.image" -}} +{{ .Files.Get "images/kubeovn.tag" | trim }}@{{ index (.Files.Get "images/kubeovn.json" | fromJson) "containerimage.digest" }} +{{- end -}} diff --git a/packages/system/kubeovn/values.yaml b/packages/system/kubeovn/values.yaml index 26e9203f..cc904a5e 100644 --- a/packages/system/kubeovn/values.yaml +++ b/packages/system/kubeovn/values.yaml @@ -1,12 +1,4 @@ kube-ovn: - global: - registry: - address: ghcr.io/kvaps - images: - kubeovn: - repository: test - tag: kube-ovn-static-v1.13.0-cozystack2 - namespace: cozy-kubeovn func: From 6211f9d876e6d770518dfc038f33eebef935718d Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 27 May 2024 19:40:57 +0200 Subject: [PATCH 14/67] cilium: enforce device detection and enable image building (#151) 
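Review bot: `kubeovn.image` is defined in `packages/system/kubeovn/templates/_helpers.tpl`, but every call site in this commit is under `charts/kube-ovn/templates/`, i.e. inside the subchart, where `.Files` is the subchart's own file set; `.Files.Get "images/kubeovn.tag"` therefore resolves against `charts/kube-ovn/images/`, and if that directory does not exist (the cilium commit further down adds a `charts/cilium/images -> ../../images` symlink for exactly this reason) the helper most likely renders an empty tag and an empty digest, i.e. an image of `@`. Confirm the kubeovn package carries the equivalent symlink, or move the two image files into the subchart, and make the failure explicit either way: `{{ required "images/kubeovn.tag not found" (.Files.Get "images/kubeovn.tag") | trim }}@{{ required "images/kubeovn.json: containerimage.digest missing" (index (.Files.Get "images/kubeovn.json" | fromJson) "containerimage.digest") }}`. Removing the `global.registry`/`global.images` block from values.yaml also removes the only per-deployment override for the registry; if air-gapped installs need one, a documented value that `kubeovn.image` honours should replace it.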
Signed-off-by: Andrei Kvapil --- Makefile | 1 + packages/system/cilium/Makefile | 20 +- packages/system/cilium/charts/cilium/images | 1 + .../templates/cilium-agent/daemonset.yaml | 20 +- packages/system/cilium/images/cilium.json | 4 + packages/system/cilium/images/cilium.tag | 1 + .../system/cilium/images/cilium/Dockerfile | 16 ++ .../cilium/enforce-device-detection.diff | 244 ++++++++++++++++++ packages/system/cilium/templates/_helpers.tpl | 3 + packages/system/cilium/values.yaml | 7 + 10 files changed, 306 insertions(+), 11 deletions(-) create mode 120000 packages/system/cilium/charts/cilium/images create mode 100644 packages/system/cilium/images/cilium.json create mode 100644 packages/system/cilium/images/cilium.tag create mode 100644 packages/system/cilium/images/cilium/Dockerfile create mode 100644 packages/system/cilium/images/cilium/enforce-device-detection.diff create mode 100644 packages/system/cilium/templates/_helpers.tpl diff --git a/Makefile b/Makefile index 0ef2d210..9ac01626 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ build: make -C packages/apps/http-cache image make -C packages/apps/kubernetes image + make -C packages/system/cilium image make -C packages/system/kubeovn image make -C packages/system/dashboard image make -C packages/core/installer image diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index 038b767c..23e43516 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile @@ -1,6 +1,9 @@ +CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) + NAME=cilium NAMESPACE=cozy-$(NAME) +include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk update: 
@@ -8,5 +11,20 @@ update: helm repo add cilium https://helm.cilium.io/ helm repo update cilium helm pull cilium/cilium --untar --untardir charts --version 1.15 + ln -s ../../images charts/cilium/images + sed -i 's/include "cilium.image" .Values.image/include "cilium.image" ./g' charts/cilium/templates/cilium-agent/daemonset.yaml sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml - patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch + version=$$(awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) && \ + sed -i "s/ARG VERSION=.*/ARG VERSION=v$${version}/" images/cilium/Dockerfile + +image: + docker buildx build images/cilium \ + --provenance false \ + --tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)) \ + --tag $(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG)) \ + --cache-from type=registry,ref=$(REGISTRY)/cilium:latest \ + --cache-to type=inline \ + --metadata-file images/cilium.json \ + --push=$(PUSH) \ + --load=$(LOAD) + echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag diff --git a/packages/system/cilium/charts/cilium/images b/packages/system/cilium/charts/cilium/images new file mode 120000 index 00000000..5fa69870 --- /dev/null +++ b/packages/system/cilium/charts/cilium/images @@ -0,0 +1 @@ +../../images \ No newline at end of file diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml index 144025e0..91b3fc02 100644 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml +++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -94,7 +94,7 @@ spec: {{- end }} containers: - name: cilium-agent - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.sleepAfterInit }} command: 
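Review bot: The reference written to `images/cilium.tag` by the last line of the `image` target, `$(REGISTRY)/cilium:$(call settag,$(TAG))`, is not one of the tags the same target pushes (`$(call settag,$(CILIUM_TAG))` and `$(call settag,$(CILIUM_TAG)-$(TAG))`), so unless `settag` — defined in common-envs.mk, outside this hunk — maps them to the same string, the chart ends up naming a tag that was never published. Pulls still succeed because `_helpers.tpl` appends the digest from `cilium.json`, but the tag half of the reference is then misleading; writing the tag that is actually pushed, e.g. `echo "$(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG)-$(TAG))" > images/cilium.tag`, keeps the two in step. The `--cache-from type=registry,ref=$(REGISTRY)/cilium:latest` line has the same problem in the other direction: nothing here tags `:latest`, so the registry cache is only ever warmed if `settag` happens to yield it. The `version=$$(awk …)` in `update` deliberately re-reads Chart.yaml after `helm pull` because `CILIUM_TAG` was expanded before the pull; a one-line comment saying so, `# re-read after helm pull: CILIUM_TAG was evaluated before the chart was updated`, would stop the next reader from "simplifying" it to `$(CILIUM_TAG)`.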
@@ -398,7 +398,7 @@ spec: {{- end }} {{- if .Values.monitor.enabled }} - name: cilium-monitor - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /bin/bash @@ -430,7 +430,7 @@ spec: {{- end }} initContainers: - name: config - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - cilium-dbg @@ -485,7 +485,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: CGROUP_ROOT @@ -531,7 +531,7 @@ spec: - ALL {{- end}} - name: apply-sysctl-overwrites - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: @@ -580,7 +580,7 @@ spec: # from a privileged container because the mount propagation bidirectional # only works from privileged containers. - name: mount-bpf-fs - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: @@ -605,7 +605,7 @@ spec: {{- end }} {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} - name: wait-for-node-init - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: 
@@ -625,7 +625,7 @@ spec: mountPath: "/tmp/cilium-bootstrap.d" {{- end }} - name: clean-cilium-state - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - /init-container.sh @@ -697,7 +697,7 @@ spec: {{- end }} {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }} - name: wait-for-kube-proxy - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.initResources }} resources: @@ -735,7 +735,7 @@ spec: {{- if .Values.cni.install }} # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - name: install-cni-binaries - image: {{ include "cilium.image" .Values.image | quote }} + image: {{ include "cilium.image" . | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: - "/install-plugin.sh" diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json new file mode 100644 index 00000000..47ee9b16 --- /dev/null +++ b/packages/system/cilium/images/cilium.json @@ -0,0 +1,4 @@ +{ + "containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f", + "containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab" +} \ No newline at end of file diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag new file mode 100644 index 00000000..ab03ee07 --- /dev/null +++ b/packages/system/cilium/images/cilium.tag @@ -0,0 +1 @@ +ghcr.io/aenix-io/cozystack/cilium:latest diff --git a/packages/system/cilium/images/cilium/Dockerfile b/packages/system/cilium/images/cilium/Dockerfile new file mode 100644 index 00000000..470f5c26 --- /dev/null 
+++ b/packages/system/cilium/images/cilium/Dockerfile
@@ -0,0 +1,16 @@
+# syntax=docker/dockerfile:experimental
+
+ARG VERSION=v1.15.5
+
+FROM golang:1.22-bookworm as builder
+
+WORKDIR /source
+
+COPY enforce-device-detection.diff /enforce-device-detection.diff
+
+RUN wget -O- https://github.com/cilium/cilium/archive/refs/tags/v1.15.5.tar.gz | tar xzf - --strip-components=1
+RUN git apply /enforce-device-detection.diff
+RUN make build-agent
+
+FROM quay.io/cilium/cilium:${VERSION}
+COPY --from=builder /source/daemon/cilium-agent /usr/bin/cilium-agent
diff --git a/packages/system/cilium/images/cilium/enforce-device-detection.diff b/packages/system/cilium/images/cilium/enforce-device-detection.diff
new file mode 100644
index 00000000..408ca784
--- /dev/null
+++ b/packages/system/cilium/images/cilium/enforce-device-detection.diff
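Review bot: The source tarball URL in the `RUN wget` line hard-codes `v1.15.5` while the base image is selected by `${VERSION}`, so the `sed -i "s/ARG VERSION=.*/…/"` the Makefile's `update` target runs will move the base image to a new release but keep building the agent binary from the old source — the two halves of the image drift apart silently. An `ARG` declared before the first `FROM` is not visible inside a stage, so `VERSION` has to be re-declared in the builder stage before it can be used in the URL. The tarball is also fetched with no integrity check; pinning its sha256 next to the version (the expected value must be taken from the release, not guessed) turns a tampered or wrong download into a build failure instead of a silently different agent. `as builder` should be `AS builder` and `# syntax=docker/dockerfile:experimental` is a legacy alias for `docker/dockerfile:1`.
```dockerfile
# syntax=docker/dockerfile:1

ARG VERSION=v1.15.5

FROM golang:1.22-bookworm AS builder
# An ARG declared before FROM is not visible inside a stage; re-declare it here
# so the source tarball and the base image below come from the same tag.
ARG VERSION
# Expected digest of the release tarball for ${VERSION}; update together with ARG VERSION.
ARG SRC_SHA256=<sha256-of-cilium-VERSION-tarball>

WORKDIR /source

COPY enforce-device-detection.diff /enforce-device-detection.diff

RUN wget -O cilium.tar.gz "https://github.com/cilium/cilium/archive/refs/tags/${VERSION}.tar.gz" \
 && echo "${SRC_SHA256}  cilium.tar.gz" | sha256sum -c - \
 && tar xzf cilium.tar.gz --strip-components=1 \
 && rm cilium.tar.gz
# … unchanged: git apply, make build-agent, final stage …
```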
@@ -0,0 +1,244 @@ +diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go +index 9435b2570b..416c34ed7a 100644 +--- a/daemon/cmd/daemon_main.go ++++ b/daemon/cmd/daemon_main.go +@@ -222,6 +222,9 @@ func InitGlobalFlags(cmd *cobra.Command, vp *viper.Viper) { + flags.StringSlice(option.Devices, []string{}, "List of devices facing cluster/external network (used for BPF NodePort, BPF masquerading and host firewall); supports '+' as wildcard in device name, e.g. 'eth+'") + option.BindEnv(vp, option.Devices) + ++ flags.Bool(option.EnforceDeviceDetection, false, "Enforces the auto-detection of devices, even if specific devices are explicitly listed") ++ option.BindEnv(vp, option.EnforceDeviceDetection) ++ + flags.String(option.DirectRoutingDevice, "", "Device name used to connect nodes in direct routing mode (used by BPF NodePort, BPF host routing; if empty, automatically set to a device with k8s InternalIP/ExternalIP or with a default route)") + option.BindEnv(vp, option.DirectRoutingDevice) + +diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md +index 6a92a83040..bf728ce32e 100644 +--- a/install/kubernetes/cilium/README.md ++++ b/install/kubernetes/cilium/README.md +@@ -309,6 +309,7 @@ contributors across the globe, there is almost always someone available to help. + | endpointHealthChecking.enabled | bool | `true` | Enable connectivity health checking between virtual endpoints. | + | endpointRoutes.enabled | bool | `false` | Enable use of per endpoint routes instead of routing via the cilium_host interface. | + | endpointStatus | object | `{"enabled":false,"status":""}` | Enable endpoint status. Status can be: policy, health, controllers, log and / or state. For 2 or more options use a space. 
| ++| enforceDeviceDetection | bool | `false` | Enforces the auto-detection of devices, even if specific devices are explicitly listed | + | eni.awsEnablePrefixDelegation | bool | `false` | Enable ENI prefix delegation | + | eni.awsReleaseExcessIPs | bool | `false` | Release IPs not used from the ENI | + | eni.ec2APIEndpoint | string | `""` | EC2 API endpoint to use | +diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml +index 9531ca18a8..1ce677f8ce 100644 +--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml ++++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml +@@ -688,6 +688,10 @@ data: + enable-runtime-device-detection: "true" + {{- end }} + ++{{- if .Values.enforceDeviceDetection }} ++ enforce-device-detection: "true" ++{{- end }} ++ + kube-proxy-replacement: {{ $kubeProxyReplacement | quote }} + + {{- if ne $kubeProxyReplacement "disabled" }} +diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml +index e81d3ebffd..2196bbb814 100644 +--- a/install/kubernetes/cilium/values.yaml ++++ b/install/kubernetes/cilium/values.yaml +@@ -690,6 +690,9 @@ daemon: + # be considered. + enableRuntimeDeviceDetection: false + ++# -- Enforces the auto-detection of devices, even if specific devices are explicitly listed ++enforceDeviceDetection: false ++ + # -- Chains to ignore when installing feeder rules. + # disableIptablesFeederRules: "" + +diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl +index 679b4cac07..3ed0b8f88b 100644 +--- a/install/kubernetes/cilium/values.yaml.tmpl ++++ b/install/kubernetes/cilium/values.yaml.tmpl +@@ -687,6 +687,9 @@ daemon: + # be considered. + enableRuntimeDeviceDetection: false + ++# -- Enforces the auto-detection of devices, even if specific devices are explicitly listed ++enforceDeviceDetection: false ++ + # -- Chains to ignore when installing feeder rules. 
+ # disableIptablesFeederRules: "" + +diff --git a/pkg/datapath/cells.go b/pkg/datapath/cells.go +index 69d6d71836..c0f4947d73 100644 +--- a/pkg/datapath/cells.go ++++ b/pkg/datapath/cells.go +@@ -114,7 +114,8 @@ var Cell = cell.Module( + // This is temporary until DevicesController takes ownership of the + // device-related configuration options. + return linuxdatapath.DevicesConfig{ +- Devices: cfg.GetDevices(), ++ Devices: cfg.GetDevices(), ++ EnforceDeviceDetection: option.Config.EnforceDeviceDetection, + } + }), + +diff --git a/pkg/datapath/linux/devices_controller.go b/pkg/datapath/linux/devices_controller.go +index fdfde8d4ec..cac3e44a32 100644 +--- a/pkg/datapath/linux/devices_controller.go ++++ b/pkg/datapath/linux/devices_controller.go +@@ -84,6 +84,9 @@ type DevicesConfig struct { + // If empty the devices are auto-detected according to rules defined + // by isSelectedDevice(). + Devices []string ++ // EnforceDeviceDetection forces the auto-detection of devices, ++ // even if user-specific devices are explicitly listed. ++ EnforceDeviceDetection bool + } + + type devicesControllerParams struct { +@@ -103,9 +106,10 @@ type devicesController struct { + params devicesControllerParams + log logrus.FieldLogger + +- initialized chan struct{} +- filter deviceFilter +- l3DevSupported bool ++ initialized chan struct{} ++ filter deviceFilter ++ enforceAutoDetection bool ++ l3DevSupported bool + + // deadLinkIndexes tracks the set of links that have been deleted. 
This is needed + // to avoid processing route or address updates after a link delete as they may +@@ -121,11 +125,12 @@ func newDevicesController(lc cell.Lifecycle, p devicesControllerParams) (*device + p.RouteTable, + ) + dc := &devicesController{ +- params: p, +- initialized: make(chan struct{}), +- filter: deviceFilter(p.Config.Devices), +- log: p.Log, +- deadLinkIndexes: sets.New[int](), ++ params: p, ++ initialized: make(chan struct{}), ++ filter: deviceFilter(p.Config.Devices), ++ enforceAutoDetection: p.Config.EnforceDeviceDetection, ++ log: p.Log, ++ deadLinkIndexes: sets.New[int](), + } + lc.Append(dc) + return dc, p.DeviceTable, p.RouteTable +@@ -529,12 +534,15 @@ func (dc *devicesController) isSelectedDevice(d *tables.Device, txn statedb.Writ + } + + // If user specified devices or wildcards, then skip the device if it doesn't match. +- // If the device does match, then skip further checks. ++ // If the device does match and user not requested auto detection, then skip further checks. ++ // If the device does match and user requested auto detection, then continue to further checks. + if dc.filter.nonEmpty() { + if dc.filter.match(d.Name) { + return true, "" + } +- return false, fmt.Sprintf("not matching user filter %v", dc.filter) ++ if !dc.enforceAutoDetection { ++ return false, fmt.Sprintf("not matching user filter %v", dc.filter) ++ } + } + + // Skip devices that have an excluded interface flag set. 
+diff --git a/pkg/datapath/linux/devices_test.go b/pkg/datapath/linux/devices_test.go +index cd9fdcc7ad..031894498f 100644 +--- a/pkg/datapath/linux/devices_test.go ++++ b/pkg/datapath/linux/devices_test.go +@@ -254,7 +254,36 @@ func (s *DevicesSuite) TestDetect(c *C) { + c.Assert(devices, checker.DeepEquals, []string{"bond0", "dummy0", "dummy1", "dummy_v6", "veth0"}) + option.Config.SetDevices([]string{}) + dm.Stop() ++ ++ // EnforceDeviceDetection enabled with specific devices ++ option.Config.SetDevices([]string{"dummy1"}) ++ option.Config.EnforceDeviceDetection = true ++ c.Assert(createDummy("dummy0", "192.168.0.1/24", false), IsNil) ++ c.Assert(createDummy("dummy1", "192.168.1.1/24", false), IsNil) ++ ++ dm, err = newDeviceManagerForTests() ++ c.Assert(err, IsNil) ++ devices, err = dm.Detect(true) ++ c.Assert(err, IsNil) ++ c.Assert(devices, checker.DeepEquals, []string{"dummy0", "dummy1"}) ++ option.Config.SetDevices([]string{}) ++ option.Config.DirectRoutingDevice = "" ++ dm.Stop() ++ ++ // EnforceDeviceDetection disabled with specific devices ++ option.Config.SetDevices([]string{"dummy1"}) ++ option.Config.EnforceDeviceDetection = false ++ ++ dm, err = newDeviceManagerForTests() ++ c.Assert(err, IsNil) ++ devices, err = dm.Detect(true) ++ c.Assert(err, IsNil) ++ c.Assert(devices, checker.DeepEquals, []string{"dummy1"}) ++ option.Config.SetDevices([]string{}) ++ option.Config.DirectRoutingDevice = "" ++ dm.Stop() + }) ++ + } + + func (s *DevicesSuite) TestExpandDevices(c *C) { +diff --git a/pkg/defaults/defaults.go b/pkg/defaults/defaults.go +index fe34caa624..f095ff9a42 100644 +--- a/pkg/defaults/defaults.go ++++ b/pkg/defaults/defaults.go +@@ -554,6 +554,10 @@ const ( + // identity in a numeric identity. Values > 255 will decrease the number of + // allocatable identities. 
+ MaxConnectedClusters = 255 ++ ++ // EnforceDevicesDetection enforces the auto-detection of devices, ++ // even if specific devices are explicitly listed ++ EnforceDeviceDetection = false + ) + + var ( +diff --git a/pkg/option/config.go b/pkg/option/config.go +index 27c697d9e3..9ba4367b2e 100644 +--- a/pkg/option/config.go ++++ b/pkg/option/config.go +@@ -123,6 +123,9 @@ const ( + // Devices facing cluster/external network for attaching bpf_host + Devices = "devices" + ++ // Enforces the auto-detection of devices, even if specific devices are explicitly listed ++ EnforceDeviceDetection = "enforce-device-detection" ++ + // DirectRoutingDevice is the name of a device used to connect nodes in + // direct routing mode (only required by BPF NodePort) + DirectRoutingDevice = "direct-routing-device" +@@ -2447,6 +2450,10 @@ type DaemonConfig struct { + + // ServiceNoBackendResponse determines how we handle traffic to a service with no backends. + ServiceNoBackendResponse string ++ ++ // EnforceDeviceDetection forces the auto-detection of devices, ++ // even if specific devices are explicitly listed ++ EnforceDeviceDetection bool + } + + var ( +@@ -2490,6 +2497,7 @@ var ( + AllocatorListTimeout: defaults.AllocatorListTimeout, + EnableICMPRules: defaults.EnableICMPRules, + UseCiliumInternalIPForIPsec: defaults.UseCiliumInternalIPForIPsec, ++ EnforceDeviceDetection: defaults.EnforceDeviceDetection, + + K8sEnableLeasesFallbackDiscovery: defaults.K8sEnableLeasesFallbackDiscovery, + +@@ -3563,6 +3571,7 @@ func (c *DaemonConfig) Populate(vp *viper.Viper) { + c.UseCiliumInternalIPForIPsec = vp.GetBool(UseCiliumInternalIPForIPsec) + c.BypassIPAvailabilityUponRestore = vp.GetBool(BypassIPAvailabilityUponRestore) + c.EnableK8sTerminatingEndpoint = vp.GetBool(EnableK8sTerminatingEndpoint) ++ c.EnforceDeviceDetection = vp.GetBool(EnforceDeviceDetection) + + // Disable Envoy version check if L7 proxy is disabled. + c.DisableEnvoyVersionCheck = vp.GetBool(DisableEnvoyVersionCheck) 
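Review bot: The doc comment added to pkg/defaults/defaults.go names the constant `EnforceDevicesDetection` while the constant itself is `EnforceDeviceDetection`, so godoc will not attach the comment to the symbol; it should read `// EnforceDeviceDetection enforces the auto-detection of devices,`. The two comment lines added in `isSelectedDevice` (devices_controller.go) are hard to parse as written; `// If the device matches and auto-detection is not enforced, skip further checks.` and `// If the device matches and auto-detection is enforced, fall through to the remaining checks.` say the same thing more plainly. The new cases in `TestDetect` flip the package-global `option.Config.EnforceDeviceDetection` and only reset it at the start of the second case; if an assertion in the first case aborts the test, the flag stays set for whatever runs next, so resetting it in a deferred cleanup at the top of the block would be safer. `isSelectedDevice` and `TestDetect` both start outside the quoted hunks.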
diff --git a/packages/system/cilium/templates/_helpers.tpl b/packages/system/cilium/templates/_helpers.tpl new file mode 100644 index 00000000..d5406f98 --- /dev/null +++ b/packages/system/cilium/templates/_helpers.tpl @@ -0,0 +1,3 @@ +{{- define "cilium.image" -}} +{{ .Files.Get "images/cilium.tag" | trim }}@{{ index (.Files.Get "images/cilium.json" | fromJson) "containerimage.digest" }} +{{- end -}} diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml index 6e3a484f..63e386c4 100644 --- a/packages/system/cilium/values.yaml +++ b/packages/system/cilium/values.yaml @@ -24,4 +24,11 @@ cilium: configMap: cni-configuration routingMode: native enableIPv4Masquerade: false + enableIPv6Masquerade: false enableIdentityMark: false + enableRuntimeDeviceDetection: true + #enforceDeviceDetection: true + devices: ovn0 + extraEnv: + - name: CILIUM_ENFORCE_DEVICE_DETECTION + value: "true" From d7147c7fe19ad36d0ab30a98e081f1cd1d3ca7bf Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 27 May 2024 22:47:12 +0200 Subject: [PATCH 15/67] kube-ovn: disable cozystack image tag (#153) Signed-off-by: Andrei Kvapil --- packages/system/kubeovn/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index 9f0d8b98..d4e6884e 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -17,7 +17,6 @@ update: image: docker buildx build images/kubeovn \ --provenance false \ - --tag $(REGISTRY)/kubeovn:$(call settag,$(TAG)) \ --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)) \ --tag $(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG)-$(TAG)) \ --cache-from type=registry,ref=$(REGISTRY)/kubeovn:latest \ From d7cfa53cd4bca15b40e3a3691bd02f639a779894 Mon Sep 17 00:00:00 2001 
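Review bot: The commented-out `#enforceDeviceDetection: true` in packages/system/cilium/values.yaml leaves the next reader guessing why the flag is passed through `extraEnv` as `CILIUM_ENFORCE_DEVICE_DETECTION` instead. From what this series shows, the chart under `charts/cilium` is the upstream 1.15 chart fetched by `helm pull`, and the patch in images/cilium/enforce-device-detection.diff only reaches the agent binary copied into the image — the chart's ConfigMap template never learned the new value, so a Helm value with that name would be silently ignored while the env var is what the patched `option.BindEnv` actually reads (inferred; the vendored chart is outside this diff). Replacing the dead line with `# enforceDeviceDetection is not a key of the vendored upstream chart; the patched agent reads it from the CILIUM_ENFORCE_DEVICE_DETECTION env var below (see images/cilium/enforce-device-detection.diff)` records that, and a sibling comment on `devices: ovn0` noting that the other node interfaces are still picked up because detection is enforced would complete the picture.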
From: Andrei Kvapil Date: Wed, 29 May 2024 10:04:22 +0200 Subject: [PATCH 16/67] Prepare release v0.7.0 (#156) --- manifests/cozystack-installer.yaml | 4 ++-- packages/apps/http-cache/images/nginx-cache.json | 4 ++-- packages/core/installer/images/cozystack.json | 4 ++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 4 ++-- packages/system/cilium/images/cilium.tag | 2 +- packages/system/dashboard/images/dashboard.tag | 2 +- packages/system/dashboard/images/kubeapps-apis.json | 4 ++-- packages/system/dashboard/images/kubeapps-apis.tag | 2 +- packages/system/kubeovn/images/kubeovn.json | 4 ++-- packages/system/kubeovn/images/kubeovn.tag | 2 +- scripts/installer.sh | 2 +- scripts/migrations/3 | 12 ++++++++++++ 13 files changed, 30 insertions(+), 18 deletions(-) create mode 100755 scripts/migrations/3 diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index 742c7723..3112f1c6 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.6.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index e0e737b3..395c34ca 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json 
@@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:aa7a9874c35d7fac8668a623744acbf376b48aed2ef1dc4b3a19054fdcff99cf", - "containerimage.digest": "sha256:d825427d433dda95db40264c6559b44c7bbb726e69279e90fe73fe8fc9265abb" + "containerimage.config.digest": "sha256:31dedc466b9f92131f3e0f35b47d1f3771b6895d5b9a6cc089786b76b00c3a25", + "containerimage.digest": "sha256:86c7a8f2a11cbede492c778ffd67c759f722ab6958cab4a9df66af4035b1d7d9" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 68f3bc54..585f11e3 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:8726af130b534d259ae28a92d84fb866df045765739a59146974d85554e5f188", - "containerimage.digest": "sha256:bc9109b0ed072ecbb143ea74edb9bf8a801b4903e0b849aeaa79488c4a9fb7f2" + "containerimage.config.digest": "sha256:6d54a5b971e80fbaace664054d4e67f24fd1fbb7807ebaffd036d4ea7195df10", + "containerimage.digest": "sha256:a6b167235d8556ff7e45f4582c2491a2ad48292a46005dcf767908e2fb78e74e" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index 27f181d5..e8430b50 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.6.0 +ghcr.io/aenix-io/cozystack/cozystack:v0.7.0 diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json index 2ff00e73..d5bf9ebe 100644 --- a/packages/core/installer/images/matchbox.json +++ b/packages/core/installer/images/matchbox.json 
@@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:05f6f9ed2e662dde64ace18dbbd69001b39778841bda812d7b6b86e064270e64", - "containerimage.digest": "sha256:56ef77367394c4b073c862974726d882036c9b95d27a56a774987fe3244c35f6" + "containerimage.config.digest": "sha256:ed483d1187cdfeb92df319a30dde57141ceb1d4bafcc28ba006a1e60abc445ff", + "containerimage.digest": "sha256:000a46c2bffc3cf13909dc0ca570cdcea9692d85b1ef2a875afe08ea8136d2c2" } \ No newline at end of file diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag index ab03ee07..164d288a 100644 --- a/packages/system/cilium/images/cilium.tag +++ b/packages/system/cilium/images/cilium.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cilium:latest +ghcr.io/aenix-io/cozystack/cilium:v0.7.0 diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index 7f20ff19..b2afa3cc 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.6.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.7.0 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index f54437aa..8a5f4ced 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:79ac02f0fe54d2007b222efe05596a1bf35b8557e406d018f825a2334bd73249", - "containerimage.digest": "sha256:1c1dbee8e5c4be14e5df36a69be75a6a2907445564379e23b7f8fbea1afc7093" + "containerimage.config.digest": "sha256:44db4f7c92adb68c79eb3e152c95318e559e5c1ac0ba6e3d467596b1315f37a1", + "containerimage.digest": "sha256:b0c355cf5387b376e676a9e395fa0a11790409123a29e637a7080a413fe7f10d" } \ No newline at end of file 
diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index 6cd70ddb..e6a5a538 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.6.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.7.0 diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json index f482cd71..b6bf0857 100644 --- a/packages/system/kubeovn/images/kubeovn.json +++ b/packages/system/kubeovn/images/kubeovn.json @@ -1,4 +1,4 @@ { - "containerimage.config.digest": "sha256:f83db05cfc7228a02d1308721de535e90e355d1b147b2d36bb98e10a848c3ef6", - "containerimage.digest": "sha256:440075488baba3610d7f8be6283f89ab3862ff3a9556c51a0e99ec6d46315192" + "containerimage.config.digest": "sha256:b3d76d1764c8c470a32b4d3b19e48592eda547710e8e6508666930e1db1b4cb3", + "containerimage.digest": "sha256:e5275d3a367aba3b4a7ec0bf25583cc21241e320da2ffd86f5c9cf4a7f6fac77" } \ No newline at end of file diff --git a/packages/system/kubeovn/images/kubeovn.tag b/packages/system/kubeovn/images/kubeovn.tag index 13402f01..2236b16e 100644 --- a/packages/system/kubeovn/images/kubeovn.tag +++ b/packages/system/kubeovn/images/kubeovn.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeovn:latest +ghcr.io/aenix-io/cozystack/kubeovn:v0.7.0 diff --git a/scripts/installer.sh b/scripts/installer.sh index 5fd5b0be..078ef6cd 100755 --- a/scripts/installer.sh +++ b/scripts/installer.sh @@ -3,7 +3,7 @@ set -o pipefail set -e BUNDLE=$(set -x; kubectl get configmap -n cozy-system cozystack -o 'go-template={{index .data "bundle-name"}}') -VERSION=3 +VERSION=4 run_migrations() { if ! kubectl get configmap -n cozy-system cozystack-version; then diff --git a/scripts/migrations/3 b/scripts/migrations/3 new file mode 100755 index 00000000..008d6604 --- /dev/null +++ b/scripts/migrations/3 
@@ -0,0 +1,12 @@ +#!/bin/sh +# Migration 3 --> 4 + +# Fix kubeovn crds +kubeovn_crds=$(kubectl get crd -o name | grep '\.kubeovn\.io$') +if [ -n "$kubeovn_crds" ]; then + kubectl annotate $kubeovn_crds meta.helm.sh/release-namespace=cozy-kubeovn meta.helm.sh/release-name=kubeovn + kubectl label $kubeovn_crds app.kubernetes.io/managed-by=Helm +fi + +# Write version to cozystack-version config +kubectl create configmap -n cozy-system cozystack-version --from-literal=version=4 --dry-run=client -o yaml | kubectl apply -f- From 8019256dfcca5425b5a00c737b65db57e483f40f Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 29 May 2024 17:57:03 +0200 Subject: [PATCH 17/67] Fix: clickhouse user login (#160) --- packages/apps/clickhouse/Chart.yaml | 2 +- packages/apps/clickhouse/templates/clickhouse.yaml | 1 + packages/apps/versions_map | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/apps/clickhouse/Chart.yaml b/packages/apps/clickhouse/Chart.yaml index 1b9862a0..d5ad8600 100644 --- a/packages/apps/clickhouse/Chart.yaml +++ b/packages/apps/clickhouse/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.2.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/clickhouse/templates/clickhouse.yaml b/packages/apps/clickhouse/templates/clickhouse.yaml index da754055..6c61ec14 100644 --- a/packages/apps/clickhouse/templates/clickhouse.yaml +++ b/packages/apps/clickhouse/templates/clickhouse.yaml 
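Review bot: scripts/migrations/3 has no `set -e`, so if `kubectl annotate` or `kubectl label` fails the script still falls through to the last line and records version 4, and the half-applied migration is never retried. Adding `set -e` after the shebang fixes that, but then the `kubeovn_crds=$(… | grep …)` assignment must tolerate grep's exit status 1 when no kube-ovn CRDs exist: `kubeovn_crds=$(kubectl get crd -o name | grep '\.kubeovn\.io$' || true)`. `kubectl annotate` without `--overwrite` also fails if a CRD already carries either annotation with a different value, which may be the case on clusters where kube-ovn was installed another way; whether that can happen here is not visible from the diff, but `--overwrite` on both commands makes the migration idempotent.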
@@ -14,6 +14,7 @@ spec: {{- range $name, $u := . }} {{ $name }}/password_sha256_hex: {{ sha256sum $u.password }} {{ $name }}/profile: {{ ternary "readonly" "default" (index $u "readonly" | default false) }} + {{ $name }}/networks/ip: ["::/0"] {{- end }} {{- end }} profiles: diff --git a/packages/apps/versions_map b/packages/apps/versions_map index bd195c9a..712c3014 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -1,5 +1,6 @@ clickhouse 0.1.0 ca79f72 -clickhouse 0.2.0 HEAD +clickhouse 0.2.0 7cd7de73 +clickhouse 0.2.1 HEAD http-cache 0.1.0 a956713 http-cache 0.2.0 HEAD kafka 0.1.0 760f86d2 From b30a9a6fcfb27b241c73bb0e9284ef62cdcd16a9 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 30 May 2024 22:54:39 +0200 Subject: [PATCH 18/67] fix: dependsOn kubeovn and cilium in -hosted bundles (#161) --- packages/core/platform/bundles/distro-hosted.yaml | 4 ++-- packages/core/platform/bundles/paas-hosted.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml index f14b65b0..41d027fe 100644 --- a/packages/core/platform/bundles/distro-hosted.yaml +++ b/packages/core/platform/bundles/distro-hosted.yaml @@ -54,13 +54,13 @@ releases: releaseName: kafka-operator chart: cozy-kafka-operator namespace: cozy-kafka-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: clickhouse-operator releaseName: clickhouse-operator chart: cozy-clickhouse-operator namespace: cozy-clickhouse-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: rabbitmq-operator releaseName: rabbitmq-operator diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index bc9f86a1..a9c33818 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml 
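Review bot: The added `{{ $name }}/networks/ip: ["::/0"]` allows every configured user to connect from any source address, and the template gives no hint that this is deliberate rather than a leftover. Authentication is still enforced by the `password_sha256_hex` setting on the line above, so the change is sound as a login fix, but the allowlist is now hard-coded for all users; a comment such as `# any source address — access is gated by the per-user password above` documents the decision, and if some deployments need a tighter list the value could take a per-user override, `{{ $name }}/networks/ip: {{ $u.networks | default (list "::/0") | toJson }}`, with `networks` documented as an optional list in the chart's values.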
@@ -54,13 +54,13 @@ releases: releaseName: kafka-operator chart: cozy-kafka-operator namespace: cozy-kafka-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: clickhouse-operator releaseName: clickhouse-operator chart: cozy-clickhouse-operator namespace: cozy-clickhouse-operator - dependsOn: [cilium,kubeovn] + dependsOn: [] - name: rabbitmq-operator releaseName: rabbitmq-operator From eedc4ebce158be35953516838435e72de8f6f506 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 12 Jun 2024 19:19:14 +0200 Subject: [PATCH 19/67] Add e2e tests Signed-off-by: Andrei Kvapil --- hack/e2e.sh | 305 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 305 insertions(+) create mode 100755 hack/e2e.sh diff --git a/hack/e2e.sh b/hack/e2e.sh new file mode 100755 index 00000000..90c8314d --- /dev/null +++ b/hack/e2e.sh 
@@ -0,0 +1,305 @@ +#!/bin/bash +if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then + echo 'COZYSTACK_INSTALLER_YAML variable is not set!' >&2 + echo 'please set it with following command:' >&2 + echo >&2 + echo 'export COZYSTACK_INSTALLER_YAML=$(helm template -n cozy-system installer packages/core/installer)' >&2 + echo >&2 + exit 1 +fi + +set -x +set -e + +kill `cat srv1/qemu.pid srv2/qemu.pid srv3/qemu.pid` || true + +ip link del cozy-br0 || true +ip link add cozy-br0 type bridge +ip link set cozy-br0 up +ip addr add 192.168.123.1/24 dev cozy-br0 + +rm -rf srv1 srv2 srv3 +mkdir -p srv1 srv2 srv3 + +# Prepare cloud-init +for i in 1 2 3; do + echo "local-hostname: srv$i" > "srv$i/meta-data" + echo '#cloud-config' > "srv$i/user-data" + cat > "srv$i/network-config" < patch.yaml <<\EOT +machine: + kubelet: + nodeIP: + validSubnets: + - 192.168.123.0/24 + extraConfig: + maxPods: 512 + kernel: + modules: + - name: openvswitch + - name: drbd + parameters: + - usermode_helper=disabled + - name: zfs + - name: spl + install: + image: ghcr.io/aenix-io/cozystack/talos:v1.7.1 + files: + - content: | + [plugins] + [plugins."io.containerd.grpc.v1.cri"] + device_ownership_from_security_context = true + path: /etc/cri/conf.d/20-customization.part + op: create + +cluster: + network: + cni: + name: none + dnsDomain: cozy.local + podSubnets: + - 10.244.0.0/16 + serviceSubnets: + - 10.96.0.0/16 +EOT + +cat > patch-controlplane.yaml <<\EOT +machine: + network: + interfaces: + - interface: eth0 + vip: + ip: 192.168.123.10 +cluster: + allowSchedulingOnControlPlanes: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + apiServer: + certSANs: + - 127.0.0.1 + proxy: + disabled: true + discovery: + enabled: false + etcd: + advertisedSubnets: + - 192.168.123.0/24 +EOT + +# Gen configuration +if [ ! 
-f secrets.yaml ]; then + talosctl gen secrets +fi + +rm -f controlplane.yaml worker.yaml talosconfig kubeconfig +talosctl gen config --with-secrets secrets.yaml cozystack https://192.168.123.10:6443 --config-patch=@patch.yaml --config-patch-control-plane @patch-controlplane.yaml +export TALOSCONFIG=$PWD/talosconfig + +# Apply configuration +talosctl apply -f controlplane.yaml -n 192.168.123.11 -e 192.168.123.11 -i +talosctl apply -f controlplane.yaml -n 192.168.123.12 -e 192.168.123.12 -i +talosctl apply -f controlplane.yaml -n 192.168.123.13 -e 192.168.123.13 -i + +# Wait for VM to be configured +timeout 60 sh -c 'until nc -nzv 192.168.123.11 50000 && nc -nzv 192.168.123.12 50000 && nc -nzv 192.168.123.13 50000; do sleep 1; done' + +# Bootstrap +talosctl bootstrap -n 192.168.123.11 -e 192.168.123.11 + +# Wait for etcd +timeout 120 sh -c 'while talosctl etcd members -n 192.168.123.11,192.168.123.12,192.168.123.13 -e 192.168.123.10 2>&1 | grep "rpc error"; do sleep 1; done' + +rm -f kubeconfig +talosctl kubeconfig kubeconfig -e 192.168.123.10 -n 192.168.123.10 +export KUBECONFIG=$PWD/kubeconfig + +# Wait for kubernetes nodes appear +timeout 60 sh -c 'until [ $(kubectl get node -o name | wc -l) = 3 ]; do sleep 1; done' +kubectl create ns cozy-system +kubectl create -f - <<\EOT +apiVersion: v1 +kind: ConfigMap +metadata: + name: cozystack + namespace: cozy-system +data: + bundle-name: "paas-full" + ipv4-pod-cidr: "10.244.0.0/16" + ipv4-pod-gateway: "10.244.0.1" + ipv4-svc-cidr: "10.96.0.0/16" + ipv4-join-cidr: "100.64.0.0/16" +EOT + +# +echo "$COZYSTACK_INSTALLER_YAML" | kubectl apply -f - + +# wait for cozystack pod to start +kubectl wait deploy --timeout=1m --for=condition=available -n cozy-system cozystack + +# wait for helmreleases appear +timeout 60 sh -c 'until kubectl get hr -A | grep cozy; do sleep 1; done' + +sleep 5 + +kubectl get hr -A | awk 'NR>1 {print "kubectl wait --timeout=15m --for=condition=ready -n " $1 " hr/" $2 " &"} END{print "wait"}' | sh -x +# 
Wait for linstor controller +kubectl wait deploy --timeout=5m --for=condition=available -n cozy-linstor linstor-controller + +# Wait for all linstor nodes become Online +timeout 60 sh -c 'until [ $(kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor node list | grep -c Online) = 3 ]; do sleep 1; done' + +kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv1 /dev/vdc --pool-name data --storage-pool data +kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv2 /dev/vdc --pool-name data --storage-pool data +kubectl exec -n cozy-linstor deploy/linstor-controller -- linstor ps cdp zfs srv3 /dev/vdc --pool-name data --storage-pool data + +kubectl create -f- < Date: Fri, 14 Jun 2024 15:28:10 +0200 Subject: [PATCH 20/67] Allow specify externalIPs for nginx-ingress (#164) --- packages/extra/ingress/Chart.yaml | 2 +- packages/extra/ingress/README.md | 7 +++--- packages/extra/ingress/config.json | 23 +++++++++++++++++++ .../ingress/templates/nginx-ingress.yaml | 10 ++++++++ packages/extra/ingress/values.schema.json | 8 +++++++ packages/extra/ingress/values.yaml | 11 +++++++++ packages/extra/versions_map | 3 ++- 7 files changed, 59 insertions(+), 5 deletions(-) create mode 100644 packages/extra/ingress/config.json diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index d6011181..e9d3511f 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg type: application -version: 1.0.0 +version: 1.1.0 diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md index ceac2640..6167256a 100644 --- a/packages/extra/ingress/README.md +++ b/packages/extra/ingress/README.md 
@@ -4,6 +4,7 @@ ### Common parameters -| Name | Description | Value | -| ---------- | -------------------------------- | ----- | -| `replicas` | Number of ingress-nginx replicas | `2` | +| Name | Description | Value | +| ------------- | -------------------------------- | ----- | +| `replicas` | Number of ingress-nginx replicas | `2` | +| `externalIPs` | List of externalIPs for service. | `[]` | diff --git a/packages/extra/ingress/config.json b/packages/extra/ingress/config.json new file mode 100644 index 00000000..b2f956f3 --- /dev/null +++ b/packages/extra/ingress/config.json @@ -0,0 +1,23 @@ +{ + "comments": { + "format": "##" + }, + "tags": { + "param": "@param", + "section": "@section", + "descriptionStart": "@descriptionStart", + "descriptionEnd": "@descriptionEnd", + "skip": "@skip", + "extra": "@extra" + }, + "modifiers": { + "array": "array", + "object": "object", + "string": "string", + "nullable": "nullable", + "default": "default" + }, + "regexp": { + "paramsSectionTitle": "Parameters" + } +} diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml index 68a5c18c..816327f0 100644 --- a/packages/extra/ingress/templates/nginx-ingress.yaml +++ b/packages/extra/ingress/templates/nginx-ingress.yaml @@ -27,3 +27,13 @@ spec: admissionWebhooks: enabled: false {{- end }} + service: + {{- if .Values.externalIPs }} + externalIPs: + {{- toYaml .Values.externalIPs | nindent 12 }} + type: ClusterIP + externalTrafficPolicy: Cluster + {{- else }} + type: LoadBalancer + externalTrafficPolicy: Local + {{- end }} diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json index 05987fd2..48b05272 100644 --- a/packages/extra/ingress/values.schema.json +++ b/packages/extra/ingress/values.schema.json 
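Review bot: The new `service.externalIPs` branch in `nginx-ingress.yaml` accepts any list of strings, and kube-proxy honours `externalIPs` on every node without checking that the address belongs to the cluster, so whoever controls this value can attract traffic destined for arbitrary addresses to the ingress controller. That is acceptable when only the platform operator sets it, but if this chart is exposed to tenants the accepted values should be constrained to operator-owned ranges, either in `values.schema.json` (a `pattern`/`format` on the array items) or by an admission policy on `Service.spec.externalIPs`. A one-line comment above the branch, `## externalIPs bypass the cloud load balancer; restrict to addresses the operator owns`, would make the trade-off visible to the next maintainer. The indentation of `{{- toYaml .Values.externalIPs | nindent 12 }}` cannot be checked from this hunk alone because the surrounding `spec` keys start outside it.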
@@ -6,6 +6,14 @@ "type": "number", "description": "Number of ingress-nginx replicas", "default": 2 + }, + "externalIPs": { + "type": "array", + "description": "List of externalIPs for service.", + "default": "[]", + "items": { + "type": "string" + } } } } \ No newline at end of file diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml index bf98d04c..85b78e6f 100644 --- a/packages/extra/ingress/values.yaml +++ b/packages/extra/ingress/values.yaml @@ -3,3 +3,14 @@ ## @param replicas Number of ingress-nginx replicas ## replicas: 2 + +## @param externalIPs [array] List of externalIPs for service. +## Optional. If not specified will use LoadBalancer service by default. +## +## e.g: +## externalIPs: +## - "11.22.33.44" +## - "11.22.33.45" +## - "11.22.33.46" +## +externalIPs: [] diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 6bc2b2f9..7b373bf8 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -2,5 +2,6 @@ etcd 1.0.0 f7eaab0 etcd 2.0.0 a6d0f7cf etcd 2.0.1 6fc1cc7d etcd 2.1.0 HEAD -ingress 1.0.0 HEAD +ingress 1.0.0 f642698 +ingress 1.1.0 HEAD monitoring 1.0.0 HEAD From 54017b6e3e1c1635ed5a5d959f318e8914aa116c Mon Sep 17 00:00:00 2001 From: Kingdon Barrett Date: Mon, 17 Jun 2024 09:58:13 -0400 Subject: [PATCH 21/67] Migrate from fluxcd-community charts to Flux-Operator (#166) 
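Review bot: In the `values.schema.json` hunk the new `externalIPs` property declares `"type": "array"` but `"default": "[]"` is a JSON string, not an empty array, so a schema-aware UI or validator will seed the field with the literal text `[]` and then reject it against the array type; the fix is `"default": []`. While touching the property, the `items` entry could carry `"format": "ipv4"` (or a pattern covering the address forms you intend to accept) so obviously malformed entries are rejected before the template renders them into a Service. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.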
Signed-off-by: Kingdon Barrett --- packages/core/fluxcd/Makefile | 11 +- .../{flux2 => flux-operator}/.helmignore | 3 +- .../fluxcd/charts/flux-operator/Chart.yaml | 30 + .../fluxcd/charts/flux-operator/README.md | 56 + .../charts/flux-operator/templates/NOTES.txt | 1 + .../flux-operator/templates/_helpers.tpl | 58 + .../flux-operator/templates/clusterrole.yaml | 21 + .../charts/flux-operator/templates/crds.yaml | 420 +++ .../flux-operator/templates/deployment.yaml | 94 + .../flux-operator/templates/service.yaml | 22 + .../templates/serviceaccount.yaml | 15 + .../charts/flux-operator/values.schema.json | 303 ++ .../fluxcd/charts/flux-operator/values.yaml | 95 + packages/core/fluxcd/charts/flux2/Chart.yaml | 11 - packages/core/fluxcd/charts/flux2/README.md | 174 - .../fluxcd/charts/flux2/templates/_helper.tpl | 7 - .../templates/aggregate-clusterroles.yaml | 47 - ...cluster-reconciler-clusterrolebinding.yaml | 26 - ...r-reconciler-impersonator-clusterrole.yaml | 19 - ...ciler-impersonator-clusterrolebinding.yaml | 26 - .../templates/crd-controller-clusterrole.yaml | 82 - .../crd-controller-clusterrolebinding.yaml | 38 - .../flux2/templates/extra-manifests.yaml | 4 - .../flux2/templates/helm-controller-sa.yaml | 18 - .../flux2/templates/helm-controller.crds.yaml | 2268 ------------ .../flux2/templates/helm-controller.yaml | 133 - .../image-automation-controller-sa.yaml | 18 - .../image-automation-controller.crds.yaml | 326 -- .../image-automation-controller.yaml | 135 - .../image-reflector-controller-sa.yaml | 18 - .../image-reflector-controller.crds.yaml | 901 ----- .../templates/image-reflector-controller.yaml | 139 - .../templates/kustomize-controller-sa.yaml | 18 - .../kustomize-controller-secret.yaml | 18 - .../templates/kustomize-controller.crds.yaml | 1640 -------- .../flux2/templates/kustomize-controller.yaml | 158 - .../notification-controller-ingress.yaml | 49 - .../templates/notification-controller-sa.yaml | 18 - .../notification-controller-service.yaml | 
29 - ...tification-controller-webhook-service.yaml | 26 - .../notification-controller.crds.yaml | 1790 --------- .../templates/notification-controller.yaml | 136 - .../charts/flux2/templates/podmonitor.yaml | 32 - .../charts/flux2/templates/policies.yaml | 63 - .../pre-install-job-serviceaccount.yaml | 14 - .../flux2/templates/pre-install-job.yaml | 72 - .../templates/source-controller-service.yaml | 29 - .../source-controller-serviceaccount.yaml | 18 - .../templates/source-controller.crds.yaml | 3291 ----------------- .../flux2/templates/source-controller.yaml | 140 - packages/core/fluxcd/charts/flux2/values.yaml | 327 -- .../core/fluxcd/templates/flux-instance.yaml | 15 + packages/core/fluxcd/values.yaml | 13 + packages/core/fluxcd/valuesFile.yaml | 11 + .../core/platform/templates/namespaces.yaml | 2 +- scripts/installer.sh | 25 +- 56 files changed, 1180 insertions(+), 12273 deletions(-) rename packages/core/fluxcd/charts/{flux2 => flux-operator}/.helmignore (95%) create mode 100644 packages/core/fluxcd/charts/flux-operator/Chart.yaml create mode 100644 packages/core/fluxcd/charts/flux-operator/README.md create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/NOTES.txt create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/_helpers.tpl create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/clusterrole.yaml create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/crds.yaml create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/service.yaml create mode 100644 packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml create mode 100644 packages/core/fluxcd/charts/flux-operator/values.schema.json create mode 100644 packages/core/fluxcd/charts/flux-operator/values.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/Chart.yaml delete mode 100644 
packages/core/fluxcd/charts/flux2/README.md delete mode 100644 packages/core/fluxcd/charts/flux2/templates/_helper.tpl delete mode 100644 packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml delete mode 100644 
packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/policies.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/values.yaml create mode 100644 packages/core/fluxcd/templates/flux-instance.yaml create mode 100644 packages/core/fluxcd/values.yaml create mode 100644 packages/core/fluxcd/valuesFile.yaml diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index 9a44bd14..15494d2d 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile 
@@ -7,14 +7,13 @@ show: helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) apply: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f- + helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml \ + --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f- diff: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- + helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml \ + --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- update: rm -rf charts - helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts - helm repo update fluxcd-community - helm pull fluxcd-community/flux2 --untar --untardir charts - sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts` + helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts diff --git a/packages/core/fluxcd/charts/flux2/.helmignore b/packages/core/fluxcd/charts/flux-operator/.helmignore similarity index 95% rename from packages/core/fluxcd/charts/flux2/.helmignore rename to packages/core/fluxcd/charts/flux-operator/.helmignore index 98229532..f24ae1c9 100644 --- a/packages/core/fluxcd/charts/flux2/.helmignore +++ b/packages/core/fluxcd/charts/flux-operator/.helmignore @@ -21,5 +21,4 @@ .idea/ *.tmproj .vscode/ - -tests/ +helmdocs.gotmpl diff --git a/packages/core/fluxcd/charts/flux-operator/Chart.yaml b/packages/core/fluxcd/charts/flux-operator/Chart.yaml new file mode 100644 index 00000000..695e3a09 --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/Chart.yaml 
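Review bot: The new `update` target runs `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts` with no `--version`, so every `make update` fetches whatever the registry currently serves and the vendored tree is not reproducible from the Makefile; pin it to the version committed here, `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version 0.4.0 --untar --untardir charts`, and bump that string deliberately on upgrades. This matters more than for a typical chart because the vendored `clusterrole.yaml` in this same commit binds the operator's service account to `cluster-admin`, so an unreviewed chart update is an unreviewed change to a cluster-admin workload; recording the pulled chart digest alongside the version would let a reviewer check the vendored files against it. The removed `sed` that stripped the cluster-domain suffix from the old chart has no counterpart in the new target; the FluxInstance CRD in this commit defaults `cluster.domain` to `cluster.local`, so confirm the new `flux-instance.yaml` (outside this hunk) sets the platform's DNS domain explicitly.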
@@ -0,0 +1,30 @@ +annotations: + artifacthub.io/license: AGPL-3.0 + artifacthub.io/links: | + - name: Documentation + url: https://fluxcd.control-plane.io/operator + - name: Chart Source + url: https://github.com/controlplaneio-fluxcd/charts + - name: Upstream Project + url: https://github.com/controlplaneio-fluxcd/flux-operator +apiVersion: v2 +appVersion: v0.4.0 +description: 'A Helm chart for deploying the Flux Operator. ' +home: https://github.com/controlplaneio-fluxcd +icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png +keywords: +- flux +- fluxcd +- gitops +kubeVersion: '>=1.22.0-0' +maintainers: +- email: stefan.prodan@control-plane.io + name: Stefan Prodan +- name: Soule Ba + url: soule.ba@control-plane.io +name: flux-operator +sources: +- https://github.com/controlplaneio-fluxcd/flux-operator +- https://github.com/controlplaneio-fluxcd/charts +type: application +version: 0.4.0 diff --git a/packages/core/fluxcd/charts/flux-operator/README.md b/packages/core/fluxcd/charts/flux-operator/README.md new file mode 100644 index 00000000..2fccc5fe --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/README.md 
@@ -0,0 +1,56 @@ +# flux-operator + +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.0](https://img.shields.io/badge/AppVersion-v0.4.0-informational?style=flat-square) + +The [Flux Operator](https://github.com/controlplaneio-fluxcd) provides a declarative API +for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the +ControlPlane [enterprise distribution](https://control-plane.io/enterprise-for-flux-cd/). + +The operator automates the patching for hotfixes and CVEs affecting the Flux controllers container images +and enables the configuration of multi-tenancy lockdown on Kubernetes and OpenShift clusters. + +## Prerequisites + +- Kubernetes 1.22+ +- Helm 3.8+ + +## Installing the Chart + +To install the operator in the `flux-system` namespace: + +```console +helm install flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \ + --namespace flux-system \ + --create-namespace \ + --wait +``` + +To deploy the Flux controllers and to configure automated updates, +see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/). + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}` | Pod affinity and anti-affinity settings. | +| commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. | +| commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. | +| fullnameOverride | string | `""` | | +| hostNetwork | bool | `false` | If `true`, start flux-operator in hostNetwork mode. 
| +| image | object | `{"pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. | +| installCRDs | bool | `true` | Install and upgrade the custom resource definitions. | +| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. | +| marketplace | object | `{"account":"","license":""}` | Marketplace settings. | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | Pod security context settings. | +| priorityClassName | string | `""` | Pod priority class name. Recommended value is system-cluster-critical. | +| readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}` | Container readiness probe settings. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | Container resources requests and limits settings. | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context settings. The default is compliant with the pod security restricted profile. | +| serviceAccount | object | `{"automount":true,"name":""}` | Pod service account settings. The name of the service account defaults to the release name. | +| tolerations | list | `[]` | Pod tolerations settings. | + +## Source Code + +* +* diff --git a/packages/core/fluxcd/charts/flux-operator/templates/NOTES.txt b/packages/core/fluxcd/charts/flux-operator/templates/NOTES.txt new file mode 100644 index 00000000..b09e5e52 --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/templates/NOTES.txt @@ -0,0 +1 @@ +Documentation at https://fluxcd.control-plane.io/operator/ 
diff --git a/packages/core/fluxcd/charts/flux-operator/templates/_helpers.tpl b/packages/core/fluxcd/charts/flux-operator/templates/_helpers.tpl new file mode 100644 index 00000000..996d71d6 --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/templates/_helpers.tpl 
@@ -0,0 +1,58 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "flux-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "flux-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "flux-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "flux-operator.labels" -}} +helm.sh/chart: {{ include "flux-operator.chart" . }} +{{ include "flux-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "flux-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "flux-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "flux-operator.serviceAccountName" -}} +{{- default (include "flux-operator.fullname" .) .Values.serviceAccount.name }} +{{- end }} diff --git a/packages/core/fluxcd/charts/flux-operator/templates/clusterrole.yaml b/packages/core/fluxcd/charts/flux-operator/templates/clusterrole.yaml new file mode 100644 index 00000000..6a09fa77 
--- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "flux-operator.fullname" . }} + labels: + {{- include "flux-operator.labels" . | nindent 4 }} + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "flux-operator.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml b/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml new file mode 100644 index 00000000..6a61979e --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml 
@@ -0,0 +1,420 @@ +{{- if and .Values.installCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + app.kubernetes.io/name: '{{ .Chart.Name }}' + app.kubernetes.io/version: '{{ .Chart.AppVersion }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + name: fluxinstances.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: FluxInstance + listKind: FluxInstanceList + plural: fluxinstances + singular: fluxinstance + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .status.lastAttemptedRevision + name: Revision + type: string + name: v1 + schema: + openAPIV3Schema: + description: FluxInstance is the Schema for the fluxinstances API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FluxInstanceSpec defines the desired state of FluxInstance + properties: + cluster: + description: Cluster holds the specification of the Kubernetes cluster. + properties: + domain: + default: cluster.local + description: |- + Domain is the cluster domain used for generating the FQDN of services. + Defaults to 'cluster.local'. + type: string + multitenant: + description: Multitenant enables the multitenancy lockdown. + type: boolean + networkPolicy: + default: true + description: |- + NetworkPolicy restricts network access to the current namespace. + Defaults to true. + type: boolean + type: + default: kubernetes + description: |- + Type specifies the distro of the Kubernetes cluster. + Defaults to 'kubernetes'. + enum: + - kubernetes + - openshift + - aws + - azure + - gcp + type: string + required: + - domain + - networkPolicy + type: object + components: + description: |- + Components is the list of controllers to install. + Defaults to all controllers. + items: + description: Component is the name of a controller to install. + enum: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-reflector-controller + - image-automation-controller + type: string + type: array + distribution: + description: Distribution specifies the version and container registry + to pull images from. + properties: + imagePullSecret: + description: |- + ImagePullSecret is the name of the Kubernetes secret + to use for pulling images. + type: string + registry: + description: |- + Registry address to pull the distribution images from + e.g. 'ghcr.io/fluxcd'. + type: string + version: + description: Version semver expression e.g. '2.x', '2.3.x'. 
+ type: string + required: + - registry + - version + type: object + kustomize: + description: |- + Kustomize holds a set of patches that can be applied to the + Flux installation, to customize the way Flux operates. + properties: + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch + document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. 
+ type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + type: object + storage: + description: |- + Storage holds the specification of the source-controller + persistent volume claim. + properties: + class: + description: Class is the storage class to use for the PVC. + type: string + size: + description: Size is the size of the PVC. + type: string + required: + - class + - size + type: object + sync: + description: |- + Sync specifies the source for the cluster sync operation. + When set, a Flux source (GitRepository, OCIRepository or Bucket) + and Flux Kustomization are created to sync the cluster state + with the source repository. + properties: + interval: + default: 1m + description: Interval is the time between syncs. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kind: + description: Kind is the kind of the source. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + path: + description: |- + Path is the path to the source directory containing + the kustomize overlay or plain Kubernetes manifests. + type: string + pullSecret: + description: |- + PullSecret specifies the Kubernetes Secret containing the + authentication credentials for the source. + For Git over HTTP/S sources, the secret must contain username and password fields. + For Git over SSH sources, the secret must contain known_hosts and identity fields. + For OCI sources, the secret must be of type kubernetes.io/dockerconfigjson. + For Bucket sources, the secret must contain accesskey and secretkey fields. 
+ type: string + ref: + description: |- + Ref is the source reference, can be a Git ref name e.g. 'refs/heads/main', + an OCI tag e.g. 'latest' or a bucket name e.g. 'flux'. + type: string + url: + description: |- + URL is the source URL, can be a Git repository HTTP/S or SSH address, + an OCI repository address or a Bucket endpoint. + type: string + required: + - kind + - path + - ref + - url + type: object + wait: + default: true + description: |- + Wait instructs the controller to check the health of all the reconciled + resources. Defaults to true. + type: boolean + required: + - distribution + - wait + type: object + status: + description: FluxInstanceStatus defines the observed state of FluxInstance + properties: + components: + description: Components contains the container images used by the + components. + items: + description: ComponentImage represents a container image used by + a component. + properties: + digest: + description: Digest of the container image. + type: string + name: + description: Name of the component. + type: string + repository: + description: Repository address of the container image. + type: string + tag: + description: Tag of the container image. + type: string + required: + - name + - repository + - tag + type: object + type: array + conditions: + description: Conditions contains the readiness conditions of the object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: |- + Inventory contains a list of Kubernetes resource object references + last applied on the cluster. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + LastAppliedRevision is the version and digest of the + distribution config that was last reconcile. + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the version and digest of the + distribution config that was last attempted to reconcile. + type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. 
+ type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml new file mode 100644 index 00000000..a1b1fa1f --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml 
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "flux-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flux-operator.labels" . | nindent 4 }}
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "flux-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "flux-operator.labels" . | nindent 8 }}
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ {{- with .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "flux-operator.fullname" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ containers:
+ - name: manager
+ env:
+ - name: RUNTIME_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- with .Values.marketplace.account }}
+ - name: MARKETPLACE_ACCOUNT
+ value: {{ . }}
+ {{- end }}
+ {{- with .Values.marketplace.license }}
+ - name: MARKETPLACE_LICENSE
+ value: {{ . }}
+ {{- end }}
+ {{- if .Values.extraEnvs }}
+ {{- toYaml .Values.extraEnvs | nindent 12 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: http-metrics
+ containerPort: 8080
+ protocol: TCP
+ - name: http
+ containerPort: 8081
+ protocol: TCP
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: temp
+ mountPath: /tmp
+ volumes:
+ - name: temp
+ emptyDir: {}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/packages/core/fluxcd/charts/flux-operator/templates/service.yaml b/packages/core/fluxcd/charts/flux-operator/templates/service.yaml
new file mode 100644
index 00000000..37ad04c2
--- /dev/null
+++ b/packages/core/fluxcd/charts/flux-operator/templates/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "flux-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flux-operator.labels" . | nindent 4 }}
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - port: 8080
+ targetPort: http-metrics
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "flux-operator.selectorLabels" . | nindent 4 }}
diff --git a/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml b/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml
new file mode 100644
index 00000000..b2dcb45f
--- /dev/null
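Review bot: The two marketplace env entries render their value unquoted, `value: {{ . }}`, and an EnvVar `value` must be a string: an account id that happens to be all digits (or a value that YAML reads as a boolean, or that contains `: ` or `#`) will fail API validation or be mis-parsed at template time. Use `value: {{ . | quote }}` for both MARKETPLACE_ACCOUNT and MARKETPLACE_LICENSE, as the `labels` helper already does for the app version. MARKETPLACE_LICENSE also looks like a credential; sourcing it from `.Values.marketplace.license` puts the plaintext into the rendered manifest and the Helm release record, so a `valueFrom.secretKeyRef` against an existing Secret would be the safer shape if the license is secret (I cannot confirm its sensitivity from this hunk).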
+++ b/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flux-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flux-operator.labels" . | nindent 4 }}
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
diff --git a/packages/core/fluxcd/charts/flux-operator/values.schema.json b/packages/core/fluxcd/charts/flux-operator/values.schema.json
new file mode 100644
index 00000000..c00230f7
--- /dev/null
+++ b/packages/core/fluxcd/charts/flux-operator/values.schema.json
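Review bot: The ServiceAccount is named through `flux-operator.serviceAccountName`, which honours `.Values.serviceAccount.name`, but the Deployment's `serviceAccountName` and the ClusterRoleBinding subject in this same commit both use `flux-operator.fullname`. Setting `serviceAccount.name` therefore creates an account nothing references, leaves the cluster-admin binding pointing at a non-existent account, and makes the pod fail to schedule because its ServiceAccount is missing. Either switch the other two templates to `{{ include "flux-operator.serviceAccountName" . }}` or drop the `name` override from values so the three cannot diverge. Separately, with `automount` omitted from values this renders `automountServiceAccountToken:` with an empty (null) value; `{{ .Values.serviceAccount.automount | default false }}` or a `with` guard would make the intent explicit.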
@@ -0,0 +1,303 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "properties": { + "affinity": { + "default": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchExpressions": [ + { + "key": "kubernetes.io/os", + "operator": "In", + "values": [ + "linux" + ] + } + ] + } + ] + } + } + }, + "properties": { + "nodeAffinity": { + "properties": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "commonAnnotations": { + "properties": {}, + "type": "object" + }, + "commonLabels": { + "properties": {}, + "type": "object" + }, + "extraEnvs": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + }, + "fullnameOverride": { + "type": "string" + }, + "hostNetwork": { + "default": false, + "type": "boolean" + }, + "image": { + "properties": { + "pullSecrets": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "repository" + ], + "type": "object" + }, + "installCRDs": { + "default": true, + "type": "boolean" + }, + "livenessProbe": { + "default": { + "httpGet": { + "path": "/healthz", + "port": 8081 + }, + "initialDelaySeconds": 15, + "periodSeconds": 20 + }, + "properties": { + "httpGet": { + "properties": { + "path": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + 
"type": "integer" + } + }, + "type": "object" + }, + "marketplace": { + "properties": { + "account": { + "type": "string" + }, + "license": { + "type": "string" + } + }, + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "podSecurityContext": { + "default": { + "fsGroup": 1337 + }, + "properties": {}, + "type": "object" + }, + "priorityClassName": { + "default": "system-cluster-critical", + "type": "string" + }, + "readinessProbe": { + "default": { + "httpGet": { + "path": "/readyz", + "port": 8081 + }, + "initialDelaySeconds": 5, + "periodSeconds": 10 + }, + "properties": { + "httpGet": { + "properties": { + "path": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + }, + "requests": { + "default": { + "cpu": "100m", + "memory": "64Mi" + }, + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "default": false, + "type": "boolean" + }, + "capabilities": { + "default": { + "drop": [ + "ALL" + ] + }, + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": true + } + }, + "type": "object" + }, + "readOnlyRootFilesystem": { + "default": true, + "type": "boolean" + }, + "runAsNonRoot": { + "default": true, + "type": "boolean" + }, + "seccompProfile": { + "default": { + "type": "RuntimeDefault" + }, + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "serviceAccount": { + "default": { + "automount": true, + "create": true, + "name": "" + }, + "properties": { 
+ "automount": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "tolerations": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + } + }, + "required": [ + "resources", + "securityContext" + ], + "type": "object" +} diff --git a/packages/core/fluxcd/charts/flux-operator/values.yaml b/packages/core/fluxcd/charts/flux-operator/values.yaml new file mode 100644 index 00000000..83d7eec5 --- /dev/null +++ b/packages/core/fluxcd/charts/flux-operator/values.yaml 
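Review bot: The `serviceAccount` entry advertises a default of `{"automount": true, "create": true, "name": ""}`, but its `properties` define only `automount` and `name`, and none of the templates in this commit check a `create` flag, so the schema documents a switch that does nothing. Either add `"create": {"type": "boolean"}` here and gate serviceaccount.yaml with `{{- if .Values.serviceAccount.create }}`, or remove `create` from the default so users are not led to expect the chart to reuse a pre-existing account. The same drift shows in `podSecurityContext` (default `{"fsGroup": 1337}` but `"properties": {}`) and `priorityClassName` (default `system-cluster-critical`), which the values file leaves empty; schema defaults that the chart never applies are misleading documentation.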
@@ -0,0 +1,95 @@
+# Default values for flux-operator.
+
+nameOverride: ""
+fullnameOverride: ""
+
+# -- Install and upgrade the custom resource definitions.
+installCRDs: true # @schema default: true
+
+# -- Common annotations to add to all deployed objects including pods.
+commonAnnotations: { }
+
+# -- Common labels to add to all deployed objects including pods.
+commonLabels: { }
+
+# -- Container image settings.
+# The image tag defaults to the chart appVersion.
+image:
+ repository: ghcr.io/controlplaneio-fluxcd/flux-operator # @schema required: true
+ tag: ""
+ pullSecrets: [ ] # @schema item: object ; uniqueItems: true
+
+# -- Pod priority class name.
+# Recommended value is system-cluster-critical.
+priorityClassName: "" # @schema default: "system-cluster-critical"
+
+# -- Container resources requests and limits settings.
+resources: # @schema required: true
+ limits:
+ cpu: 1000m
+ memory: 1Gi
+ requests: # @schema default: {"cpu":"100m","memory":"64Mi"}
+ cpu: 100m
+ memory: 64Mi
+
+# -- Container liveness probe settings.
+livenessProbe: # @schema default: {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+
+# -- Container readiness probe settings.
+readinessProbe: # @schema default: {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+# -- Pod service account settings.
+# The name of the service account defaults to the release name.
+serviceAccount: # @schema default: {"create":true,"automount":true,"name":""}
+ automount: true
+ name: ""
+
+# -- Pod security context settings.
+podSecurityContext: { } # @schema default: {"fsGroup":1337}
+
+# -- Container security context settings.
+# The default is compliant with the pod security restricted profile.
+securityContext: # @schema required: true
+ runAsNonRoot: true # @schema default: true
+ readOnlyRootFilesystem: true # @schema default: true
+ allowPrivilegeEscalation: false # @schema default: false
+ capabilities: # @schema default: {"drop":["ALL"]}
+ drop: # @schema item: string ; uniqueItems: true
+ - "ALL"
+ seccompProfile: # @schema default: {"type":"RuntimeDefault"}
+ type: "RuntimeDefault"
+
+# -- Pod affinity and anti-affinity settings.
+affinity: # @schema default: {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+
+# -- Pod tolerations settings.
+tolerations: [ ] # @schema item: object ; uniqueItems: true
+
+# -- Marketplace settings.
+marketplace:
+ license: ""
+ account: ""
+
+# -- If `true`, start flux-operator in hostNetwork mode.
+hostNetwork: false
+
+# -- Add environment variables eg. for kubeprism KUBERNETES_SERVICE_HOST and _PORT
+extraEnvs: [ ]
diff --git a/packages/core/fluxcd/charts/flux2/Chart.yaml b/packages/core/fluxcd/charts/flux2/Chart.yaml
deleted file mode 100644
index 8e37f2cb..00000000
--- a/packages/core/fluxcd/charts/flux2/Chart.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-annotations:
- artifacthub.io/changes: |
- - "[Chore]: Update App Version to upstream 2.2.3"
-apiVersion: v2
-appVersion: 2.2.3
-description: A Helm chart for flux2
-name: flux2
-sources:
-- https://github.com/fluxcd-community/helm-charts
-type: application
-version: 2.12.4
diff --git a/packages/core/fluxcd/charts/flux2/README.md b/packages/core/fluxcd/charts/flux2/README.md
deleted file mode 100644
index 3aa73fa7..00000000
--- a/packages/core/fluxcd/charts/flux2/README.md
+++ /dev/null
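Review bot: `marketplace.license` is modelled as a plain string in values.yaml, and the Deployment template feeds it straight into a container env `value`, so any real license ends up in git-tracked values, in `helm get values`, and in the Helm release Secret. If the license is a credential, the usual chart shape is `marketplace.existingSecret` plus a `secretKeyRef` in the Deployment, with a comment here such as `# -- Name of an existing Secret holding the marketplace license (key: license); preferred over inlining it`. Two `@schema default` annotations also disagree with the values they annotate: `podSecurityContext: { }` is documented as `{"fsGroup":1337}` and `priorityClassName: ""` as `"system-cluster-critical"`, so generated docs will advertise settings the chart never applies; either set the values or change the annotations to the real defaults.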
@@ -1,174 +0,0 @@ -# flux2 - -![Version: 2.12.4](https://img.shields.io/badge/Version-2.12.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.3](https://img.shields.io/badge/AppVersion-2.2.3-informational?style=flat-square) - -A Helm chart for flux2 - -This helm chart is maintained and released by the fluxcd-community on a best effort basis. - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cli.affinity | object | `{}` | | -| cli.annotations | object | `{}` | | -| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` | | -| cli.nodeSelector | object | `{}` | | -| cli.serviceAccount.automount | bool | `true` | | -| cli.tag | string | `"v2.2.3"` | | -| cli.tolerations | list | `[]` | | -| clusterDomain | string | `"cluster.local"` | | -| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep | -| extraObjects | list | `[]` | Array of extra K8s manifests to deploy | -| helmController.affinity | object | `{}` | | -| helmController.annotations."prometheus.io/port" | string | `"8080"` | | -| helmController.annotations."prometheus.io/scrape" | string | `"true"` | | -| helmController.container.additionalArgs | list | `[]` | | -| helmController.create | bool | `true` | | -| helmController.extraEnv | list | `[]` | | -| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` | | -| helmController.imagePullPolicy | string | `""` | | -| helmController.labels | object | `{}` | | -| helmController.nodeSelector | object | `{}` | | -| helmController.priorityClassName | string | `""` | | -| helmController.resources.limits | object | `{}` | | -| helmController.resources.requests.cpu | string | `"100m"` | | -| helmController.resources.requests.memory | string | `"64Mi"` | | -| helmController.serviceAccount.annotations | object | `{}` | | -| 
helmController.serviceAccount.automount | bool | `true` | | -| helmController.serviceAccount.create | bool | `true` | | -| helmController.tag | string | `"v0.37.4"` | | -| helmController.tolerations | list | `[]` | | -| imageAutomationController.affinity | object | `{}` | | -| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` | | -| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` | | -| imageAutomationController.container.additionalArgs | list | `[]` | | -| imageAutomationController.create | bool | `true` | | -| imageAutomationController.extraEnv | list | `[]` | | -| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` | | -| imageAutomationController.imagePullPolicy | string | `""` | | -| imageAutomationController.labels | object | `{}` | | -| imageAutomationController.nodeSelector | object | `{}` | | -| imageAutomationController.priorityClassName | string | `""` | | -| imageAutomationController.resources.limits | object | `{}` | | -| imageAutomationController.resources.requests.cpu | string | `"100m"` | | -| imageAutomationController.resources.requests.memory | string | `"64Mi"` | | -| imageAutomationController.serviceAccount.annotations | object | `{}` | | -| imageAutomationController.serviceAccount.automount | bool | `true` | | -| imageAutomationController.serviceAccount.create | bool | `true` | | -| imageAutomationController.tag | string | `"v0.37.1"` | | -| imageAutomationController.tolerations | list | `[]` | | -| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers | -| imageReflectionController.affinity | object | `{}` | | -| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` | | -| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` | | -| imageReflectionController.container.additionalArgs | list | `[]` | | -| 
imageReflectionController.create | bool | `true` | | -| imageReflectionController.extraEnv | list | `[]` | | -| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` | | -| imageReflectionController.imagePullPolicy | string | `""` | | -| imageReflectionController.labels | object | `{}` | | -| imageReflectionController.nodeSelector | object | `{}` | | -| imageReflectionController.priorityClassName | string | `""` | | -| imageReflectionController.resources.limits | object | `{}` | | -| imageReflectionController.resources.requests.cpu | string | `"100m"` | | -| imageReflectionController.resources.requests.memory | string | `"64Mi"` | | -| imageReflectionController.serviceAccount.annotations | object | `{}` | | -| imageReflectionController.serviceAccount.automount | bool | `true` | | -| imageReflectionController.serviceAccount.create | bool | `true` | | -| imageReflectionController.tag | string | `"v0.31.2"` | | -| imageReflectionController.tolerations | list | `[]` | | -| installCRDs | bool | `true` | | -| kustomizeController.affinity | object | `{}` | | -| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` | | -| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` | | -| kustomizeController.container.additionalArgs | list | `[]` | | -| kustomizeController.create | bool | `true` | | -| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. | -| kustomizeController.extraEnv | list | `[]` | | -| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. 
Secrets must be manually created in the namespace or with kustomizeController.secret | -| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` | | -| kustomizeController.imagePullPolicy | string | `""` | | -| kustomizeController.labels | object | `{}` | | -| kustomizeController.nodeSelector | object | `{}` | | -| kustomizeController.priorityClassName | string | `""` | | -| kustomizeController.resources.limits | object | `{}` | | -| kustomizeController.resources.requests.cpu | string | `"100m"` | | -| kustomizeController.resources.requests.memory | string | `"64Mi"` | | -| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. | -| kustomizeController.secret.data | object | `{}` | | -| kustomizeController.secret.name | string | `""` | | -| kustomizeController.serviceAccount.annotations | object | `{}` | | -| kustomizeController.serviceAccount.automount | bool | `true` | | -| kustomizeController.serviceAccount.create | bool | `true` | | -| kustomizeController.tag | string | `"v1.2.2"` | | -| kustomizeController.tolerations | list | `[]` | | -| logLevel | string | `"info"` | | -| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which don’t have spec.serviceAccountName specified, will use the default account from the tenant’s namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. | -| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown | -| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. 
|
-| notificationController.affinity | object | `{}` | |
-| notificationController.annotations."prometheus.io/port" | string | `"8080"` | |
-| notificationController.annotations."prometheus.io/scrape" | string | `"true"` | |
-| notificationController.container.additionalArgs | list | `[]` | |
-| notificationController.create | bool | `true` | |
-| notificationController.extraEnv | list | `[]` | |
-| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` | |
-| notificationController.imagePullPolicy | string | `""` | |
-| notificationController.labels | object | `{}` | |
-| notificationController.nodeSelector | object | `{}` | |
-| notificationController.priorityClassName | string | `""` | |
-| notificationController.resources.limits | object | `{}` | |
-| notificationController.resources.requests.cpu | string | `"100m"` | |
-| notificationController.resources.requests.memory | string | `"64Mi"` | |
-| notificationController.service.annotations | object | `{}` | |
-| notificationController.service.labels | object | `{}` | |
-| notificationController.serviceAccount.annotations | object | `{}` | |
-| notificationController.serviceAccount.automount | bool | `true` | |
-| notificationController.serviceAccount.create | bool | `true` | |
-| notificationController.tag | string | `"v1.2.4"` | |
-| notificationController.tolerations | list | `[]` | |
-| notificationController.webhookReceiver.ingress.annotations | object | `{}` | |
-| notificationController.webhookReceiver.ingress.create | bool | `false` | |
-| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` | |
-| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` | |
-| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
-| notificationController.webhookReceiver.ingress.labels | object | `{}` | |
-|
notificationController.webhookReceiver.ingress.tls | list | `[]` | |
-| notificationController.webhookReceiver.service.annotations | object | `{}` | |
-| notificationController.webhookReceiver.service.labels | object | `{}` | |
-| policies.create | bool | `true` | |
-| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint |
-| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` | |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` | |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` | |
-| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` | |
-| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep |
-| rbac.create | bool | `true` | |
-| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources |
-| sourceController.affinity | object | `{}` | |
-| sourceController.annotations."prometheus.io/port" | string | `"8080"` | |
-| sourceController.annotations."prometheus.io/scrape" | string | `"true"` | |
-| sourceController.container.additionalArgs | list | `[]` | |
-| sourceController.create | bool | `true` | |
-| sourceController.extraEnv | list | `[]` | |
-| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` | |
-| sourceController.imagePullPolicy | string | `""` | |
-| sourceController.labels | object | `{}` | |
-| sourceController.nodeSelector | object | `{}` | |
-| sourceController.priorityClassName | string | `""` | |
-| sourceController.resources.limits | object | `{}` | |
-| sourceController.resources.requests.cpu | string | `"100m"` | |
-| sourceController.resources.requests.memory | string | `"64Mi"` | |
-| sourceController.service.annotations | object | `{}` | |
-| sourceController.service.labels | object | `{}` | |
-|
sourceController.serviceAccount.annotations | object | `{}` | |
-| sourceController.serviceAccount.automount | bool | `true` | |
-| sourceController.serviceAccount.create | bool | `true` | |
-| sourceController.tag | string | `"v1.2.4"` | |
-| sourceController.tolerations | list | `[]` | |
-| watchAllNamespaces | bool | `true` | |
diff --git a/packages/core/fluxcd/charts/flux2/templates/_helper.tpl b/packages/core/fluxcd/charts/flux2/templates/_helper.tpl
deleted file mode 100644
index 6a36293e..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/_helper.tpl
+++ /dev/null
@@ -1,7 +0,0 @@
-{{- define "template.image" -}}
-{{- if eq (substr 0 7 .tag) "sha256:" -}}
-{{- printf "%s@%s" .image .tag -}}
-{{- else -}}
-{{- printf "%s:%s" .image .tag -}}
-{{- end -}}
-{{- end -}}
diff --git a/packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml b/packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml
deleted file mode 100644
index 432895b2..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ -{{- if .Values.rbac.createAggregation }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: flux-edit - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: ["*"] - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: flux-view - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: ["*"] - verbs: - - get - - list - - watch -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml b/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml deleted file mode 100644 index 63dc8572..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: cluster-reconciler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.rbac.roleRef.name }} -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: {{ .Release.Namespace }} -- kind: ServiceAccount - name: helm-controller - namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file diff --git a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml b/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml deleted file mode 100644 index e77c13ea..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: cluster-reconciler-impersonator - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -rules: -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["impersonate"] -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml b/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml deleted file mode 100644 index 588c7d49..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: cluster-reconciler-impersonator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-reconciler-impersonator -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: {{ .Release.Namespace }} -- kind: ServiceAccount - name: helm-controller - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml b/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml deleted file mode 100644 index cea0a1ca..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -{{- if and .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: crd-controller - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -rules: -- apiGroups: ['source.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['kustomize.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['helm.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['notification.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['image.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: - - "" - resources: - - namespaces - - secrets - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -# required by leader election -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml b/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml deleted file mode 100644 index 51e716f0..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- if and .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: crd-controller - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: crd-controller -subjects: - - kind: ServiceAccount - name: kustomize-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: helm-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: source-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: notification-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: image-reflector-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: image-automation-controller - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml b/packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml deleted file mode 100644 index a9bb3b6b..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{ range .Values.extraObjects }} ---- -{{ tpl (toYaml .) $ }} -{{ end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml deleted file mode 100644 index 9d4ff589..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.helmController.create}} -{{- if .Values.helmController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: helm-controller - {{- with .Values.helmController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml deleted file mode 100644 index 0a930d37..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml +++ /dev/null 
@@ -1,2268 +0,0 @@ -{{- if and .Values.installCRDs .Values.helmController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: helmreleases.helm.toolkit.fluxcd.io -spec: - group: helm.toolkit.fluxcd.io - names: - kind: HelmRelease - listKind: HelmReleaseList - plural: helmreleases - shortNames: - - hr - singular: helmrelease - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v2beta1 HelmRelease is deprecated, upgrade to v2beta2 - name: v2beta1 - schema: - openAPIV3Schema: - description: HelmRelease is the Schema for the helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta2.HelmChart that - should be created for this HelmRelease. - properties: - metadata: - description: ObjectMeta holds the template for metadata like labels - and annotations. - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map - stored with a resource that may be set by external tools - to store and retrieve arbitrary metadata. They are not queryable - and should be preserved when modifying objects. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used - to organize and categorize (scope and select) objects. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' - type: object - type: object - spec: - description: Spec holds the template for the v1beta2.HelmChartSpec - for this HelmRelease. - properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which to check the v1beta2.Source - for updates. Defaults to 'HelmReleaseSpec.Interval'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. 
- enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1beta2.Source - the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the - trusted public keys used to verify the signature and specifies - which provider to use to check whether OCI image is authentic. - This field is only supported for OCI sources. Chart dependencies, - which are not bundled in the umbrella chart artifact, are - not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to - sign the OCI Helm chart. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret - containing the trusted public keys. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - driftDetection: - description: "DriftDetection holds the configuration for detecting - and handling differences between the manifest in the Helm storage - and the resources currently existing in the cluster. \n Note: this - field is provisional to the v2beta2 API, and not actively used by - v2beta1 HelmReleases." - properties: - ignore: - description: Ignore contains a list of rules for specifying which - changes to ignore during diffing. - items: - description: IgnoreRule defines a rule to selectively disregard - specific changes during the drift detection process. - properties: - paths: - description: Paths is a list of JSON Pointer (RFC 6901) - paths to be excluded from consideration in a Kubernetes - object. - items: - type: string - type: array - target: - description: Target is a selector for specifying Kubernetes - objects to which this rule applies. If Target is not set, - the Paths will be ignored for all Kubernetes objects within - the manifest of the Helm release. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable - of unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is capable - of unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - paths - type: object - type: array - mode: - description: Mode defines how differences should be handled between - the Helm manifest and the manifest currently applied to the - cluster. If not explicitly set, it defaults to DiffModeDisabled. 
- enum: - - enabled - - warn - - disabled - type: string - type: object - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. - properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt-in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. - https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. 
- type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. This - interval is approximate and may be subject to jitter to ensure efficient - use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. 
When used in combination with HelmReleaseSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '10'. - type: integer - persistentClient: - description: "PersistentClient tells the controller to use a persistent - Kubernetes client for this release. When enabled, the client will - be reused for the duration of the reconciliation, instead of being - created and destroyed for each (step of a) Helm action. \n This - can improve performance, but may cause issues with some Helm charts - that for example do create Custom Resource Definitions during installation - outside Helm's CRD lifecycle hooks, which are then not observed - to be available by e.g. post-install hooks. \n If not set, it defaults - to true." 
- type: boolean - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. - items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. - type: string - required: - - name - type: object - type: array - patches: - description: Strategic merge and JSON patches, defined as - inline YAML objects, capable of targeting objects based - on kind, label and annotation selectors. - items: - description: Patch contains an inline StrategicMerge or - JSON6902 patch, and the target the patch should be applied - to. - properties: - patch: - description: Patch contains an inline StrategicMerge - patch or an inline JSON6902 patch with an array - of operation objects. - type: string - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. 
- type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. - https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value - that references a location within the target - document where the operation is performed. 
- The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - type: string - op: - description: Op indicates the operation to perform. - Its value MUST be one of "add", "remove", - "replace", "move", "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer - value that references a location within the - target document where the operation is performed. - The meaning of the value depends on the value - of Op. - type: string - value: - description: Value contains a valid JSON structure. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline - YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. 
- type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. - properties: - deletionPropagation: - default: background - description: DeletionPropagation specifies the deletion propagation - policy when a Helm uninstall is performed. - enum: - - background - - foreground - - orphan - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables waiting for all the resources - to be deleted after a Helm uninstall is performed. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. 
\n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. 
Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. - enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. - items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. 
Defaults to 'None', which results - in the values getting merged at the root. - maxLength: 250 - pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. - When set, must be a valid Data Key, consisting of alphanumeric - characters, '-', '_' or '.'. - maxLength: 253 - pattern: ^[\-._a-zA-Z0-9]+$ - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. 
- type: string - history: - description: "History holds the history of Helm releases performed - for this HelmRelease up to the last successfully completed release. - \n Note: this field is provisional to the v2beta2 API, and not actively - used by v2beta1 HelmReleases." - items: - description: Snapshot captures a point-in-time copy of the status - information for a Helm release, as managed by the controller. - properties: - apiVersion: - description: 'APIVersion is the API version of the Snapshot. - Provisional: when the calculation method of the Digest field - is changed, this field will be used to distinguish between - the old and new methods.' - type: string - chartName: - description: ChartName is the chart name of the release object - in storage. - type: string - chartVersion: - description: ChartVersion is the chart version of the release - object in storage. - type: string - configDigest: - description: ConfigDigest is the checksum of the config (better - known as "values") of the release object in storage. It has - the format of `:`. - type: string - deleted: - description: Deleted is when the release was deleted. - format: date-time - type: string - digest: - description: Digest is the checksum of the release object in - storage. It has the format of `:`. - type: string - firstDeployed: - description: FirstDeployed is when the release was first deployed. - format: date-time - type: string - lastDeployed: - description: LastDeployed is when the release was last deployed. - format: date-time - type: string - name: - description: Name is the name of the release. - type: string - namespace: - description: Namespace is the namespace the release is deployed - to. - type: string - status: - description: Status is the current state of the release. - type: string - testHooks: - additionalProperties: - description: TestHookStatus holds the status information for - a test hook as observed to be run by the controller. 
- properties: - lastCompleted: - description: LastCompleted is the time the test hook last - completed. - format: date-time - type: string - lastStarted: - description: LastStarted is the time the test hook was - last started. - format: date-time - type: string - phase: - description: Phase the test hook was observed to be in. - type: string - type: object - description: TestHooks is the list of test hooks for the release - as observed to be run by the controller. - type: object - version: - description: Version is the version of the release object in - storage. - type: integer - required: - - chartName - - chartVersion - - configDigest - - digest - - firstDeployed - - lastDeployed - - name - - namespace - - status - - version - type: object - type: array - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: LastAppliedRevision is the revision of the last successfully - applied source. - type: string - lastAttemptedConfigDigest: - description: "LastAttemptedConfigDigest is the digest for the config - (better known as \"values\") of the last reconciliation attempt. - \n Note: this field is provisional to the v2beta2 API, and not actively - used by v2beta1 HelmReleases." - type: string - lastAttemptedGeneration: - description: "LastAttemptedGeneration is the last generation the controller - attempted to reconcile. \n Note: this field is provisional to the - v2beta2 API, and not actively used by v2beta1 HelmReleases." - format: int64 - type: integer - lastAttemptedReleaseAction: - description: "LastAttemptedReleaseAction is the last release action - performed for this HelmRelease. It is used to determine the active - remediation strategy. \n Note: this field is provisional to the - v2beta2 API, and not actively used by v2beta1 HelmReleases." 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastAttemptedValuesChecksum: - description: LastAttemptedValuesChecksum is the SHA1 checksum of the - values of the last reconciliation attempt. - type: string - lastHandledForceAt: - description: "LastHandledForceAt holds the value of the most recent - force request value, so a change of the annotation value can be - detected. \n Note: this field is provisional to the v2beta2 API, - and not actively used by v2beta1 HelmReleases." - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastHandledResetAt: - description: "LastHandledResetAt holds the value of the most recent - reset request value, so a change of the annotation value can be - detected. \n Note: this field is provisional to the v2beta2 API, - and not actively used by v2beta1 HelmReleases." - type: string - lastReleaseRevision: - description: LastReleaseRevision is the revision of the last successful - Helm release. - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - storageNamespace: - description: "StorageNamespace is the namespace of the Helm release - storage for the current release. \n Note: this field is provisional - to the v2beta2 API, and not actively used by v2beta1 HelmReleases." - type: string - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v2beta2 - schema: - openAPIV3Schema: - description: HelmRelease is the Schema for the helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta2.HelmChart that - should be created for this HelmRelease. - properties: - metadata: - description: ObjectMeta holds the template for metadata like labels - and annotations. - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map - stored with a resource that may be set by external tools - to store and retrieve arbitrary metadata. They are not queryable - and should be preserved when modifying objects. 
More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used - to organize and categorize (scope and select) objects. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' - type: object - type: object - spec: - description: Spec holds the template for the v1beta2.HelmChartSpec - for this HelmRelease. - properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - maxLength: 2048 - minLength: 1 - type: string - interval: - description: Interval at which to check the v1.Source for - updates. Defaults to 'HelmReleaseSpec.Interval'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1.Source the chart - is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. 
- type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the - trusted public keys used to verify the signature and specifies - which provider to use to check whether OCI image is authentic. - This field is only supported for OCI sources. Chart dependencies, - which are not bundled in the umbrella chart artifact, are - not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to - sign the OCI Helm chart. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret - containing the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. 
- type: string - required: - - name - type: object - type: array - driftDetection: - description: DriftDetection holds the configuration for detecting - and handling differences between the manifest in the Helm storage - and the resources currently existing in the cluster. - properties: - ignore: - description: Ignore contains a list of rules for specifying which - changes to ignore during diffing. - items: - description: IgnoreRule defines a rule to selectively disregard - specific changes during the drift detection process. - properties: - paths: - description: Paths is a list of JSON Pointer (RFC 6901) - paths to be excluded from consideration in a Kubernetes - object. - items: - type: string - type: array - target: - description: Target is a selector for specifying Kubernetes - objects to which this rule applies. If Target is not set, - the Paths will be ignored for all Kubernetes objects within - the manifest of the Helm release. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable - of unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is capable - of unambiguously identifying and/or selecting resources. 
- https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - paths - type: object - type: array - mode: - description: Mode defines how differences should be handled between - the Helm manifest and the manifest currently applied to the - cluster. If not explicitly set, it defaults to DiffModeDisabled. - enum: - - enabled - - warn - - disabled - type: string - type: object - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. - properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. 
- https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. 
- type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. When used in combination with HelmReleaseSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. 
- type: string - required: - - name - type: object - required: - - secretRef - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '5'. - type: integer - persistentClient: - description: "PersistentClient tells the controller to use a persistent - Kubernetes client for this release. When enabled, the client will - be reused for the duration of the reconciliation, instead of being - created and destroyed for each (step of a) Helm action. \n This - can improve performance, but may cause issues with some Helm charts - that for example do create Custom Resource Definitions during installation - outside Helm's CRD lifecycle hooks, which are then not observed - to be available by e.g. post-install hooks. \n If not set, it defaults - to true." - type: boolean - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. - items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. 
- type: string - required: - - name - type: object - type: array - patches: - description: Strategic merge and JSON patches, defined as - inline YAML objects, capable of targeting objects based - on kind, label and annotation selectors. - items: - description: Patch contains an inline StrategicMerge or - JSON6902 patch, and the target the patch should be applied - to. - properties: - patch: - description: Patch contains an inline StrategicMerge - patch or an inline JSON6902 patch with an array - of operation objects. - type: string - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. 
Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML - objects. Deprecated: use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. - https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value - that references a location within the target - document where the operation is performed. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - type: string - op: - description: Op indicates the operation to perform. - Its value MUST be one of "add", "remove", - "replace", "move", "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer - value that references a location within the - target document where the operation is performed. - The meaning of the value depends on the value - of Op. - type: string - value: - description: Value contains a valid JSON structure. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline - YAML objects. Deprecated: use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. 
Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - maxLength: 253 - minLength: 1 - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. 
Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - filters: - description: Filters is a list of tests to run or exclude from - running. - items: - description: Filter holds the configuration for individual Helm - test filters. - properties: - exclude: - description: Exclude specifies whether the named test should - be excluded. - type: boolean - name: - description: Name is the name of the test. - maxLength: 253 - minLength: 1 - type: string - required: - - name - type: object - type: array - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. - properties: - deletionPropagation: - default: background - description: DeletionPropagation specifies the deletion propagation - policy when a Helm uninstall is performed. 
- enum: - - background - - foreground - - orphan - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables waiting for all the resources - to be deleted after a Helm uninstall is performed. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. 
- type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. 
- enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. - items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. Defaults to 'None', which results - in the values getting merged at the root. - maxLength: 250 - pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. 
- maxLength: 253 - pattern: ^[\-._a-zA-Z0-9]+$ - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. - type: string - history: - description: History holds the history of Helm releases performed - for this HelmRelease up to the last successfully completed release. - items: - description: Snapshot captures a point-in-time copy of the status - information for a Helm release, as managed by the controller. - properties: - apiVersion: - description: 'APIVersion is the API version of the Snapshot. 
- Provisional: when the calculation method of the Digest field - is changed, this field will be used to distinguish between - the old and new methods.' - type: string - chartName: - description: ChartName is the chart name of the release object - in storage. - type: string - chartVersion: - description: ChartVersion is the chart version of the release - object in storage. - type: string - configDigest: - description: ConfigDigest is the checksum of the config (better - known as "values") of the release object in storage. It has - the format of `:`. - type: string - deleted: - description: Deleted is when the release was deleted. - format: date-time - type: string - digest: - description: Digest is the checksum of the release object in - storage. It has the format of `:`. - type: string - firstDeployed: - description: FirstDeployed is when the release was first deployed. - format: date-time - type: string - lastDeployed: - description: LastDeployed is when the release was last deployed. - format: date-time - type: string - name: - description: Name is the name of the release. - type: string - namespace: - description: Namespace is the namespace the release is deployed - to. - type: string - status: - description: Status is the current state of the release. - type: string - testHooks: - additionalProperties: - description: TestHookStatus holds the status information for - a test hook as observed to be run by the controller. - properties: - lastCompleted: - description: LastCompleted is the time the test hook last - completed. - format: date-time - type: string - lastStarted: - description: LastStarted is the time the test hook was - last started. - format: date-time - type: string - phase: - description: Phase the test hook was observed to be in. - type: string - type: object - description: TestHooks is the list of test hooks for the release - as observed to be run by the controller. 
- type: object - version: - description: Version is the version of the release object in - storage. - type: integer - required: - - chartName - - chartVersion - - configDigest - - digest - - firstDeployed - - lastDeployed - - name - - namespace - - status - - version - type: object - type: array - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: 'LastAppliedRevision is the revision of the last successfully - applied source. Deprecated: the revision can now be found in the - History.' - type: string - lastAttemptedConfigDigest: - description: LastAttemptedConfigDigest is the digest for the config - (better known as "values") of the last reconciliation attempt. - type: string - lastAttemptedGeneration: - description: LastAttemptedGeneration is the last generation the controller - attempted to reconcile. - format: int64 - type: integer - lastAttemptedReleaseAction: - description: LastAttemptedReleaseAction is the last release action - performed for this HelmRelease. It is used to determine the active - remediation strategy. - enum: - - install - - upgrade - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the Source revision of the last - reconciliation attempt. - type: string - lastAttemptedValuesChecksum: - description: 'LastAttemptedValuesChecksum is the SHA1 checksum for - the values of the last reconciliation attempt. Deprecated: Use LastAttemptedConfigDigest - instead.' - type: string - lastHandledForceAt: - description: LastHandledForceAt holds the value of the most recent - force request value, so a change of the annotation value can be - detected. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - lastHandledResetAt: - description: LastHandledResetAt holds the value of the most recent - reset request value, so a change of the annotation value can be - detected. - type: string - lastReleaseRevision: - description: 'LastReleaseRevision is the revision of the last successful - Helm release. Deprecated: Use History instead.' - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - storageNamespace: - description: StorageNamespace is the namespace of the Helm release - storage for the current release. - maxLength: 63 - minLength: 1 - type: string - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml deleted file mode 100644 index 8177c17c..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{- if and .Values.helmController.create}} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - control-plane: controller - {{- with .Values.helmController.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - name: helm-controller -spec: - {{- if kindIs "invalid" .Values.helmController.replicas }} - replicas: 1 - {{- else }} - replicas: {{ .Values.helmController.replicas }} - {{- end}} - selector: - matchLabels: - app: helm-controller - template: - metadata: - {{- with .Values.helmController.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app: helm-controller -{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }} - spec: - automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }} - {{- if .Values.helmController.initContainers}} - initContainers: - {{- toYaml .Values.helmController.initContainers | nindent 8}} - {{- end}} - containers: - - args: - {{- if .Values.multitenancy.enabled }} - - --no-cross-namespace-refs=true - - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} - {{- end}} - {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc - {{- end}} - - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - - --log-level={{ .Values.logLevel | default "info" }} - - --log-encoding=json - - --enable-leader-election - {{- range .Values.helmController.container.additionalArgs }} - - {{ . 
}} - {{- end}} - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.helmController.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - image: {{ template "template.image" .Values.helmController }} - {{- if .Values.helmController.imagePullPolicy }} - imagePullPolicy: {{ .Values.helmController.imagePullPolicy }} - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - {{- with .Values.helmController.resources }} - resources: {{ toYaml . | nindent 10 }} - {{- end }} - {{- if .Values.helmController.securityContext }} - securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - volumeMounts: - - mountPath: /tmp - name: temp - {{- if .Values.helmController.volumeMounts }} - {{- toYaml .Values.helmController.volumeMounts | nindent 8 }} - {{- end}} - {{- if .Values.helmController.priorityClassName }} - priorityClassName: {{ .Values.helmController.priorityClassName | quote }} - {{- end }} - {{- if .Values.helmController.podSecurityContext }} - securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }} - {{- end }} - serviceAccountName: helm-controller - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - terminationGracePeriodSeconds: 600 - volumes: - - emptyDir: {} - name: temp - {{- if .Values.helmController.volumes }} - {{- toYaml .Values.helmController.volumes | nindent 6 }} - {{- end}} - {{- with .Values.helmController.nodeSelector }} - 
nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.helmController.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.helmController.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml deleted file mode 100644 index ac41e696..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.imageAutomationController.create }} -{{- if .Values.imageAutomationController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: image-automation-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: image-automation-controller - {{- with .Values.imageAutomationController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml deleted file mode 100644 index 53b711ee..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml +++ /dev/null 
@@ -1,326 +0,0 @@ -{{- if and .Values.installCRDs .Values.imageAutomationController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: image-automation-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: imageupdateautomations.image.toolkit.fluxcd.io -spec: - group: image.toolkit.fluxcd.io - names: - kind: ImageUpdateAutomation - listKind: ImageUpdateAutomationList - plural: imageupdateautomations - singular: imageupdateautomation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastAutomationRunTime - name: Last run - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ImageUpdateAutomation is the Schema for the imageupdateautomations - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation - properties: - git: - description: GitSpec contains all the git-specific definitions. This - is technically optional, but in practice mandatory until there are - other kinds of source allowed. - properties: - checkout: - description: Checkout gives the parameters for cloning the git - repository, ready to make changes. If not present, the `spec.ref` - field from the referenced `GitRepository` or its default will - be used. - properties: - ref: - description: Reference gives a branch, tag or commit to clone - from the Git repository. - properties: - branch: - description: Branch to check out, defaults to 'master' - if no other field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence - over all reference fields. \n This can be combined with - Branch to shallow clone the branch, in which the commit - is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes - precedence over Branch, Tag and SemVer. \n It must be - a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description - Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\", - \"refs/pull/420/head\", \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes - precedence over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - required: - - ref - type: object - commit: - description: Commit specifies how to commit to the git repository. - properties: - author: - description: Author gives the email and optionally the name - to use as the author of commits. 
- properties: - email: - description: Email gives the email to provide when making - a commit. - type: string - name: - description: Name gives the name to provide when making - a commit. - type: string - required: - - email - type: object - messageTemplate: - description: MessageTemplate provides a template for the commit - message, into which will be interpolated the details of - the change made. - type: string - signingKey: - description: SigningKey provides the option to sign commits - with a GPG key - properties: - secretRef: - description: SecretRef holds the name to a secret that - contains a 'git.asc' key corresponding to the ASCII - Armored file containing the GPG signing keypair as the - value. It must be in the same namespace as the ImageUpdateAutomation. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - type: object - required: - - author - type: object - push: - description: Push specifies how and where to push commits made - by the automation. If missing, commits are pushed (back) to - `.spec.checkout.branch` or its default. - properties: - branch: - description: Branch specifies that commits should be pushed - to the branch named. The branch is created using `.spec.checkout.branch` - as the starting point, if it doesn't already exist. - type: string - options: - additionalProperties: - type: string - description: 'Options specifies the push options that are - sent to the Git server when performing a push operation. - For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt' - type: object - refspec: - description: 'Refspec specifies the Git Refspec to use for - a push operation. If both Branch and Refspec are provided, - then the commit is pushed to the branch and also using the - specified refspec. 
For more details about Git Refspecs, - see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec' - type: string - type: object - required: - - commit - type: object - interval: - description: Interval gives an lower bound for how often the automation - run should be attempted. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - sourceRef: - description: SourceRef refers to the resource giving access details - to a git repository. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - default: GitRepository - description: Kind of the referent. - enum: - - GitRepository - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: Suspend tells the controller to not run this automation, - until it is unset (or set to false). Defaults to false. - type: boolean - update: - default: - strategy: Setters - description: Update gives the specification for how to update the - files in the repository. This can be left empty, to use the default - value. - properties: - path: - description: Path to the directory containing the manifests to - be updated. Defaults to 'None', which translates to the root - path of the GitRepositoryRef. - type: string - strategy: - default: Setters - description: Strategy names the strategy to be used. - enum: - - Setters - type: string - required: - - strategy - type: object - required: - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: ImageUpdateAutomationStatus defines the observed state of - ImageUpdateAutomation - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAutomationRunTime: - description: LastAutomationRunTime records the last time the controller - ran this automation through to completion (even if no updates were - made). - format: date-time - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastPushCommit: - description: LastPushCommit records the SHA1 of the last commit made - by the controller, for this automation object - type: string - lastPushTime: - description: LastPushTime records the time of the last pushed change. - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml deleted file mode 100644 index 40e4da8d..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml +++ /dev/null 
@@ -1,135 +0,0 @@
-{{- if and .Values.imageAutomationController.create}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/component: image-automation-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.imageAutomationController.labels }}
- {{- . | toYaml | nindent 4 }}
- {{- end }}
- name: image-automation-controller
-spec:
- {{- if kindIs "invalid" .Values.imageAutomationController.replicas }}
- replicas: 1
- {{- else }}
- replicas: {{ .Values.imageAutomationController.replicas }}
- {{- end}}
- selector:
- matchLabels:
- app: image-automation-controller
- template:
- metadata:
- {{- with .Values.imageAutomationController.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app: image-automation-controller
-{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }}
- {{- if .Values.imageAutomationController.initContainers}}
- initContainers:
- {{- toYaml .Values.imageAutomationController.initContainers | nindent 8}}
- {{- end}}
- containers:
- - args:
- {{- if .Values.multitenancy.enabled }}
- - --no-cross-namespace-refs=true
- {{- end}}
- {{- if .Values.notificationController.create }}
- - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
- {{- end}}
- - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- - --log-level={{ .Values.logLevel | default "info" }}
- - --log-encoding=json
- - --enable-leader-election
- {{- range .Values.imageAutomationController.container.additionalArgs }}
- - {{ . }}
- {{- end}}
- env:
- - name: RUNTIME_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- with .Values.imageAutomationController.extraEnv }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- image: {{ template "template.image" .Values.imageAutomationController }}
- {{- if .Values.imageAutomationController.imagePullPolicy }}
- imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }}
- {{- else }}
- imagePullPolicy: IfNotPresent
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- name: manager
- ports:
- - containerPort: 8080
- name: http-prom
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- {{- with .Values.imageAutomationController.resources }}
- resources: {{ toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.imageAutomationController.securityContext }}
- securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- volumeMounts:
- - mountPath: /tmp
- name: temp
- {{- if .Values.imageAutomationController.volumeMounts }}
- {{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }}
- {{- end}}
- {{- if .Values.imageAutomationController.priorityClassName }}
- priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }}
- {{- end }}
- {{- if .Values.imageAutomationController.podSecurityContext }}
- securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }}
- {{- else }}
- securityContext:
- fsGroup: 1337
- {{- end}}
- serviceAccountName: image-automation-controller
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- terminationGracePeriodSeconds: 10
- volumes:
- - emptyDir: {}
- name: temp
- {{- if .Values.imageAutomationController.volumes }}
- {{- toYaml .Values.imageAutomationController.volumes | nindent 6 }}
- {{- end}}
- {{- with .Values.imageAutomationController.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.imageAutomationController.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.imageAutomationController.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml
deleted file mode 100644
index 16f9cb9d..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.imageReflectionController.create }}
-{{- if .Values.imageReflectionController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/component: image-reflector-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: image-reflector-controller
- {{- with .Values.imageReflectionController.serviceAccount.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml
deleted file mode 100644
index 1bf92fae..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml
+++ /dev/null
@@ -1,901 +0,0 @@ -{{- if and .Values.installCRDs .Values.imageReflectionController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: imagepolicies.image.toolkit.fluxcd.io -spec: - group: image.toolkit.fluxcd.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.latestImage - name: LatestImage - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ImagePolicy is the Schema for the imagepolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImagePolicySpec defines the parameters for calculating the - ImagePolicy - properties: - filterTags: - description: FilterTags enables filtering for only a subset of tags - based on a set of rules. If no rules are provided, all the tags - from the repository will be ordered and compared. - properties: - extract: - description: Extract allows a capture group to be extracted from - the specified regular expression pattern, useful before tag - evaluation. - type: string - pattern: - description: Pattern specifies a regular expression pattern used - to filter for image tags. - type: string - type: object - imageRepositoryRef: - description: ImageRepositoryRef points at the object specifying the - image being scanned - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - policy: - description: Policy gives the particulars of the policy to be followed - in selecting the most recent image - properties: - alphabetical: - description: Alphabetical set of rules to use for alphabetical - ordering of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the letters of the alphabet as tags, ascending order - would select Z, and descending order would select A. - enum: - - asc - - desc - type: string - type: object - numerical: - description: Numerical set of rules to use for numerical ordering - of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the integer values from 0 to 9 as tags, ascending - order would select 9, and descending order would select - 0. 
- enum: - - asc - - desc - type: string - type: object - semver: - description: SemVer gives a semantic version range to check against - the tags available. - properties: - range: - description: Range gives a semver range for the image tag; - the highest version within the range that's a tag yields - the latest image. - type: string - required: - - range - type: object - type: object - required: - - imageRepositoryRef - - policy - type: object - status: - default: - observedGeneration: -1 - description: ImagePolicyStatus defines the observed state of ImagePolicy - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - latestImage: - description: LatestImage gives the first in the list of images scanned - by the image repository, when filtered and ordered according to - the policy. 
- type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.latestImage - name: LatestImage - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: ImagePolicy is the Schema for the imagepolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImagePolicySpec defines the parameters for calculating the - ImagePolicy. - properties: - filterTags: - description: FilterTags enables filtering for only a subset of tags - based on a set of rules. If no rules are provided, all the tags - from the repository will be ordered and compared. - properties: - extract: - description: Extract allows a capture group to be extracted from - the specified regular expression pattern, useful before tag - evaluation. - type: string - pattern: - description: Pattern specifies a regular expression pattern used - to filter for image tags. - type: string - type: object - imageRepositoryRef: - description: ImageRepositoryRef points at the object specifying the - image being scanned - properties: - name: - description: Name of the referent. 
- type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - policy: - description: Policy gives the particulars of the policy to be followed - in selecting the most recent image - properties: - alphabetical: - description: Alphabetical set of rules to use for alphabetical - ordering of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the letters of the alphabet as tags, ascending order - would select Z, and descending order would select A. - enum: - - asc - - desc - type: string - type: object - numerical: - description: Numerical set of rules to use for numerical ordering - of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the integer values from 0 to 9 as tags, ascending - order would select 9, and descending order would select - 0. - enum: - - asc - - desc - type: string - type: object - semver: - description: SemVer gives a semantic version range to check against - the tags available. - properties: - range: - description: Range gives a semver range for the image tag; - the highest version within the range that's a tag yields - the latest image. - type: string - required: - - range - type: object - type: object - required: - - imageRepositoryRef - - policy - type: object - status: - default: - observedGeneration: -1 - description: ImagePolicyStatus defines the observed state of ImagePolicy - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - latestImage: - description: LatestImage gives the first in the list of images scanned - by the image repository, when filtered and ordered according to - the policy. - type: string - observedGeneration: - format: int64 - type: integer - observedPreviousImage: - description: ObservedPreviousImage is the observed previous LatestImage. - It is used to keep track of the previous and current images. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: imagerepositories.image.toolkit.fluxcd.io -spec: - group: image.toolkit.fluxcd.io - names: - kind: ImageRepository - listKind: ImageRepositoryList - plural: imagerepositories - singular: imagerepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastScanResult.scanTime - name: Last scan - type: string - - jsonPath: .status.lastScanResult.tagCount - name: Tags - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ImageRepository is the Schema for the imagerepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageRepositorySpec defines the parameters for scanning an - image repository, e.g., `fluxcd/flux`. - properties: - accessFrom: - description: AccessFrom defines an ACL for allowing cross-namespace - references to the ImageRepository object based on the caller's namespace - labels. 
- properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a secret containing - either or both of \n - a PEM-encoded client certificate (`certFile`) - and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - exclusionList: - description: ExclusionList is a list of regex strings used to exclude - certain tags from being stored in the database. - items: - type: string - type: array - image: - description: Image is the name of the image repository - type: string - interval: - description: Interval is the length of time to wait between scans - of the image repository. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - secretRef: - description: SecretRef can be given the name of a secret containing - credentials to use for the image registry. 
The secret should be - created with `kubectl create secret docker-registry`, or the equivalent. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. - maxLength: 253 - type: string - suspend: - description: This flag tells the controller to suspend subsequent - image scans. It does not apply to already started scans. Defaults - to false. - type: boolean - timeout: - description: Timeout for image scanning. Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: object - status: - default: - observedGeneration: -1 - description: ImageRepositoryStatus defines the observed state of ImageRepository - properties: - canonicalImageName: - description: CanonicalName is the name of the image repository with - all the implied bits made explicit; e.g., `docker.io/library/alpine` - rather than `alpine`. - type: string - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastScanResult: - description: LastScanResult contains the number of fetched tags. - properties: - scanTime: - format: date-time - type: string - tagCount: - type: integer - required: - - tagCount - type: object - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.lastScanResult.scanTime - name: Last scan - type: string - - jsonPath: .status.lastScanResult.tagCount - name: Tags - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: ImageRepository is the Schema for the imagerepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageRepositorySpec defines the parameters for scanning an - image repository, e.g., `fluxcd/flux`. - properties: - accessFrom: - description: AccessFrom defines an ACL for allowing cross-namespace - references to the ImageRepository object based on the caller's namespace - labels. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. - \n Note: Support for the `caFile`, `certFile` and `keyFile` keys - has been deprecated." - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - exclusionList: - default: - - ^.*\.sig$ - description: ExclusionList is a list of regex strings used to exclude - certain tags from being stored in the database. - items: - type: string - maxItems: 25 - type: array - image: - description: Image is the name of the image repository - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. - type: boolean - interval: - description: Interval is the length of time to wait between scans - of the image repository. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - provider: - default: generic - description: The provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. When not specified, defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - secretRef: - description: SecretRef can be given the name of a secret containing - credentials to use for the image registry. The secret should be - created with `kubectl create secret docker-registry`, or the equivalent. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. - maxLength: 253 - type: string - suspend: - description: This flag tells the controller to suspend subsequent - image scans. It does not apply to already started scans. Defaults - to false. - type: boolean - timeout: - description: Timeout for image scanning. Defaults to 'Interval' duration. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: object - status: - default: - observedGeneration: -1 - description: ImageRepositoryStatus defines the observed state of ImageRepository - properties: - canonicalImageName: - description: CanonicalName is the name of the image repository with - all the implied bits made explicit; e.g., `docker.io/library/alpine` - rather than `alpine`. - type: string - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastScanResult: - description: LastScanResult contains the number of fetched tags. - properties: - latestTags: - items: - type: string - type: array - scanTime: - format: date-time - type: string - tagCount: - type: integer - required: - - tagCount - type: object - observedExclusionList: - description: ObservedExclusionList is a list of observed exclusion - list. It reflects the exclusion rules used for the observed scan - result in spec.lastScanResult. 
- items: - type: string - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml deleted file mode 100644 index 6be9c3e1..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -{{- if and .Values.imageReflectionController.create }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - control-plane: controller - {{- with .Values.imageReflectionController.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - name: image-reflector-controller -spec: - {{- if kindIs "invalid" .Values.imageReflectionController.replicas }} - replicas: 1 - {{- else }} - replicas: {{ .Values.imageReflectionController.replicas }} - {{- end}} - selector: - matchLabels: - app: image-reflector-controller - template: - metadata: - {{- with .Values.imageReflectionController.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app: image-reflector-controller -{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }} - spec: - automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }} - {{- if .Values.imageReflectionController.initContainers}} - initContainers: - {{- toYaml .Values.imageReflectionController.initContainers | nindent 8}} - {{- end}} - containers: - - args: - {{- if .Values.multitenancy.enabled }} - - --no-cross-namespace-refs=true - {{- end}} - {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc - {{- end}} - - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - - --log-level={{ .Values.logLevel | default "info" }} - - --log-encoding=json - - --enable-leader-election - {{- range .Values.imageReflectionController.container.additionalArgs }} - - {{ . 
}} - {{- end}} - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.imageReflectionController.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - image: {{ template "template.image" .Values.imageReflectionController }} - {{- if .Values.imageReflectionController.imagePullPolicy }} - imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }} - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - {{- with .Values.imageReflectionController.resources }} - resources: {{ toYaml . | nindent 10 }} - {{- end }} - {{- if .Values.imageReflectionController.securityContext }} - securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - volumeMounts: - - mountPath: /tmp - name: temp - - mountPath: /data - name: data - {{- if .Values.imageReflectionController.volumeMounts }} - {{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }} - {{- end}} - {{- if .Values.imageReflectionController.priorityClassName }} - priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }} - {{- end }} - {{- if .Values.imageReflectionController.podSecurityContext }} - securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }} - {{- else }} - securityContext: - fsGroup: 1337 - {{- end}} - serviceAccountName: image-reflector-controller - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - 
terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: temp - - emptyDir: {} - name: data - {{- if .Values.imageReflectionController.volumes }} - {{- toYaml .Values.imageReflectionController.volumes | nindent 6 }} - {{- end}} - {{- with .Values.imageReflectionController.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imageReflectionController.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imageReflectionController.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml deleted file mode 100644 index 140c30b1..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.kustomizeController.create }} -{{- if .Values.kustomizeController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: kustomize-controller - {{- with .Values.kustomizeController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml deleted file mode 100644 index 8a547043..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.kustomizeController.secret.create }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.kustomizeController.secret.name }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -type: Opaque -data: - {{- range $key, $value := .Values.kustomizeController.secret.data }} - {{ $key }}: {{ $value | toString | b64enc | quote }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml deleted file mode 100644 index 433cce66..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml +++ /dev/null 
@@ -1,1640 +0,0 @@ -{{- if and .Values.installCRDs .Values.kustomizeController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: kustomizations.kustomize.toolkit.fluxcd.io -spec: - group: kustomize.toolkit.fluxcd.io - names: - kind: Kustomization - listKind: KustomizationList - plural: kustomizations - shortNames: - - ks - singular: kustomization - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. 
- type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - This interval is approximate and may be subject to jitter to ensure - efficient use of resources. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. 
- type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names, and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the desired state of a kustomization. - properties: - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. 
- properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When specified, KubeConfig takes precedence over - ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the Kustomization. It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. - Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the Kustomization. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. 
- items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. 
- Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. 
- type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - GitRepository - - Bucket - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, defaults to the Kustomization - namespace - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. 
- type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - type: string - validation: - description: Validate the Kubernetes objects before applying them - on the cluster. The validation strategy can be 'client' (local dry-run), - 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', - validation will fallback to 'client' if set to 'server' because - server-side validation is not supported in this scenario. - enum: - - none - - client - - server - type: string - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAppliedRevision: - description: The last successfully applied revision. The revision - format for Git sources is /. 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - snapshot: - description: The last successfully applied revision metadata. - properties: - checksum: - description: The manifests sha1 checksum. - type: string - entries: - description: A list of Kubernetes kinds grouped by namespace. - items: - description: Snapshot holds the metadata of namespaced Kubernetes - objects - properties: - kinds: - additionalProperties: - type: string - description: The list of Kubernetes kinds. - type: object - namespace: - description: The namespace of this entry. - type: string - required: - - kinds - type: object - type: array - required: - - checksum - - entries - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. 
- items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. 
- type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. 
- type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML objects. Deprecated: - Use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. 
- properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. 
- https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline YAML objects. - Deprecated: Use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. 
The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. 
- properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - validation: - description: 'Deprecated: Not used in v1beta2.' - enum: - - none - - client - - server - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} 
diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml
deleted file mode 100644
index 6473dbe0..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml
+++ /dev/null
@@ -1,158 +0,0 @@
-{{- if and .Values.kustomizeController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/component: kustomize-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.kustomizeController.labels }}
- {{- . | toYaml | nindent 4 }}
- {{- end }}
- name: kustomize-controller
-spec:
- {{- if kindIs "invalid" .Values.kustomizeController.replicas }}
- replicas: 1
- {{- else }}
- replicas: {{ .Values.kustomizeController.replicas }}
- {{- end}}
- selector:
- matchLabels:
- app: kustomize-controller
- template:
- metadata:
- {{- with .Values.kustomizeController.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app: kustomize-controller
-{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
- {{- if .Values.kustomizeController.initContainers}}
- initContainers:
- {{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
- {{- end}}
- containers:
- - args:
- {{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
- --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }}
- {{- end}}
- {{- if .Values.notificationController.create }}
- --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
- {{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
- {{- range .Values.kustomizeController.container.additionalArgs }}
- {{ .
}}
- {{- end}}
- env:
- - name: RUNTIME_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- with .Values.kustomizeController.extraEnv }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
- envFrom:
- {{- if .Values.kustomizeController.envFrom.map.name }}
- - configMapRef:
- name: {{ .Values.kustomizeController.envFrom.map.name }}
- {{- end }}
- {{- if .Values.kustomizeController.envFrom.secret.name }}
- - secretRef:
- name: {{ .Values.kustomizeController.envFrom.secret.name }}
- {{- end }}
- {{- end }}
- image: {{ template "template.image" .Values.kustomizeController }}
- {{- if .Values.kustomizeController.imagePullPolicy }}
- imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
- {{- else }}
- imagePullPolicy: IfNotPresent
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- name: manager
- ports:
- - containerPort: 8080
- name: http-prom
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- {{- with .Values.kustomizeController.resources }}
- resources: {{ toYaml .
| nindent 10 }}
- {{- end }}
- {{- if .Values.kustomizeController.securityContext }}
- securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- volumeMounts:
- - mountPath: /tmp
- name: temp
- {{- if .Values.kustomizeController.volumeMounts }}
- {{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
- {{- end}}
- {{- if .Values.kustomizeController.priorityClassName }}
- priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
- {{- end }}
- {{- range .Values.kustomizeController.extraSecretMounts }}
- - name: {{ .name }}
- mountPath: {{ .mountPath }}
- subPath: {{ .subPath }}
- readOnly: {{ .readOnly }}
- {{- end }}
- {{- if .Values.kustomizeController.podSecurityContext }}
- securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
- {{- else }}
- securityContext:
- fsGroup: 1337
- {{- end}}
- serviceAccountName: kustomize-controller
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- terminationGracePeriodSeconds: 60
- volumes:
- - emptyDir: {}
- name: temp
- {{- if .Values.kustomizeController.volumes }}
- {{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
- {{- end}}
- {{- range .Values.kustomizeController.extraSecretMounts }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName }}
- {{- end }}
- {{- with .Values.kustomizeController.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.kustomizeController.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.kustomizeController.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml
deleted file mode 100644
index 942cd68c..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- {{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
- annotations:
- {{- range $key, $value := . }}
- {{ $key }}: {{ tpl $value $ | quote }}
- {{- end }}
- {{- end }}
- name: webhook-receiver
-spec:
- {{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
- ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
- {{- end -}}
- {{- if .Values.notificationController.webhookReceiver.ingress.tls }}
- tls:
- {{- range .Values.notificationController.webhookReceiver.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ .path }}
- pathType: {{ .pathType }}
- backend:
- service:
- name: webhook-receiver
- port:
- number: 80
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml
deleted file mode 100644
index b44e8dac..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.notificationController.create -}}
-{{- if .Values.notificationController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/component: notification-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: notification-controller
- {{- with .Values.notificationController.serviceAccount.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml
deleted file mode 100644
index 79b12dc6..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- name: notification-controller
- {{- with .Values.notificationController.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- {{- if .Values.notificationController.service.ports }}
- {{- toYaml .Values.notificationController.service.ports | nindent 2 }}
- {{- end}}
- selector:
- app: notification-controller
- type: ClusterIP
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml
deleted file mode 100644
index 3d71034a..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- name: webhook-receiver
- {{- with .Values.notificationController.webhookReceiver.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: 9292
- selector:
- app: notification-controller
- type: ClusterIP
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml
deleted file mode 100644
index b6dbf6ed..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml
+++ /dev/null
@@ -1,1790 +0,0 @@ -{{- if and .Values.installCRDs .Values.notificationController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: alerts.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Alert - listKind: AlertList - plural: alerts - singular: alert - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Alert is deprecated, upgrade to v1beta3 - name: v1beta1 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects - properties: - eventSeverity: - default: info - description: Filter events based on severity, defaults to ('info'). - If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: Filter events based on the involved objects. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - exclusionList: - description: A list of Golang regular expressions to be used for excluding - messages. - items: - type: string - type: array - providerRef: - description: Send events using this provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Short description of the impact and affected cluster. 
- type: string - suspend: - description: This flag tells the controller to suspend subsequent - events dispatching. Defaults to false. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of Alert - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Alert is deprecated, upgrade to v1beta3 - name: v1beta2 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects. - properties: - eventMetadata: - additionalProperties: - type: string - description: EventMetadata is an optional field for adding metadata - to events dispatched by the controller. This can be used for enhancing - the context of the event. If a field would override one already - present on the original event as generated by the emitter, then - the override doesn't happen, i.e. the original value is preserved, - and an info log is printed. - type: object - eventSeverity: - default: info - description: EventSeverity specifies how to filter events based on - severity. If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: EventSources specifies how to filter events based on - the involved object kind, name and namespace. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. 
A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - exclusionList: - description: ExclusionList specifies a list of Golang regular expressions - to be used for excluding messages. - items: - type: string - type: array - inclusionList: - description: InclusionList specifies a list of Golang regular expressions - to be used for including messages. - items: - type: string - type: array - providerRef: - description: ProviderRef specifies which Provider this Alert should - use. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Summary holds a short description of the impact and affected - cluster. - maxLength: 255 - type: string - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Alert. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of the Alert. - properties: - conditions: - description: Conditions holds the conditions for the Alert. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta3 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects. 
- properties: - eventMetadata: - additionalProperties: - type: string - description: EventMetadata is an optional field for adding metadata - to events dispatched by the controller. This can be used for enhancing - the context of the event. If a field would override one already - present on the original event as generated by the emitter, then - the override doesn't happen, i.e. the original value is preserved, - and an info log is printed. - type: object - eventSeverity: - default: info - description: EventSeverity specifies how to filter events based on - severity. If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: EventSources specifies how to filter events based on - the involved object kind, name and namespace. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. 
- maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - exclusionList: - description: ExclusionList specifies a list of Golang regular expressions - to be used for excluding messages. - items: - type: string - type: array - inclusionList: - description: InclusionList specifies a list of Golang regular expressions - to be used for including messages. - items: - type: string - type: array - providerRef: - description: ProviderRef specifies which Provider this Alert should - use. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Summary holds a short description of the impact and affected - cluster. - maxLength: 255 - type: string - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Alert. - type: boolean - required: - - eventSources - - providerRef - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: providers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Provider is deprecated, upgrade to v1beta3 - name: v1beta1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of Provider - properties: - address: - description: HTTP/S webhook address of this provider - pattern: ^(http|https):// - type: string - certSecretRef: - description: CertSecretRef can be given the name of a secret containing - a PEM-encoded CA certificate (`caFile`) - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Alert channel for this provider - type: string - proxy: - description: HTTP/S address of the proxy - pattern: ^(http|https):// - type: string - secretRef: - description: Secret reference containing the provider webhook URL - using "address" as data key - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - timeout: - description: Timeout for sending alerts to the provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of provider - enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - azuredevops - - googlechat - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - type: string - username: - description: Bot username for this provider - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of Provider - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Provider is deprecated, upgrade to v1beta3 - name: v1beta2 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of the Provider. - properties: - address: - description: Address specifies the endpoint, in a generic sense, to - where alerts are sent. What kind of endpoint depends on the specific - Provider type being used. For the generic Provider, for example, - this is an HTTP/S address. For other Provider types this could be - a project ID or a namespace. - maxLength: 2048 - type: string - certSecretRef: - description: "CertSecretRef specifies the Secret containing a PEM-encoded - CA certificate (in the `ca.crt` key). \n Note: Support for the `caFile` - key has been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Channel specifies the destination channel where events - should be posted. - maxLength: 2048 - type: string - interval: - description: Interval at which to reconcile the Provider with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxy: - description: Proxy the HTTP/S address of the proxy server. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - secretRef: - description: SecretRef specifies the Secret containing the authentication - credentials for this Provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Provider. - type: boolean - timeout: - description: Timeout for sending alerts to the Provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type specifies which Provider implementation to use. 
- enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - gitea - - bitbucketserver - - bitbucket - - azuredevops - - googlechat - - googlepubsub - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - - pagerduty - - datadog - type: string - username: - description: Username specifies the name under which events are posted. - maxLength: 2048 - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of the Provider. - properties: - conditions: - description: Conditions holds the conditions for the Provider. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta3 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of the Provider. - properties: - address: - description: Address specifies the endpoint, in a generic sense, to - where alerts are sent. What kind of endpoint depends on the specific - Provider type being used. For the generic Provider, for example, - this is an HTTP/S address. For other Provider types this could be - a project ID or a namespace. - maxLength: 2048 - type: string - certSecretRef: - description: "CertSecretRef specifies the Secret containing a PEM-encoded - CA certificate (in the `ca.crt` key). \n Note: Support for the `caFile` - key has been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Channel specifies the destination channel where events - should be posted. 
- maxLength: 2048 - type: string - interval: - description: Interval at which to reconcile the Provider with its - Secret references. Deprecated and not used in v1beta3. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxy: - description: Proxy the HTTP/S address of the proxy server. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - secretRef: - description: SecretRef specifies the Secret containing the authentication - credentials for this Provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Provider. - type: boolean - timeout: - description: Timeout for sending alerts to the Provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type specifies which Provider implementation to use. - enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - gitea - - bitbucketserver - - bitbucket - - azuredevops - - googlechat - - googlepubsub - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - - pagerduty - - datadog - - nats - type: string - username: - description: Username specifies the name under which events are posted. - maxLength: 2048 - type: string - required: - - type - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: receivers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Receiver - listKind: ReceiverList - plural: receivers - singular: receiver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. 
- items: - type: string - type: array - interval: - default: 10m - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. 
- enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - secretRef - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of Receiver - properties: - events: - description: A list of events to handle, e.g. 'push' for GitHub or - 'Push Hook' for GitLab. - items: - type: string - type: array - resources: - description: A list of resources to be notified about changes. 
- items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - secretRef: - description: Secret reference containing the token used to validate - the payload authenticity - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of Receiver - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. - items: - type: string - type: array - interval: - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. 
- maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - url: - description: 'URL is the generated incoming webhook address in the - format of ''/hook/sha256sum(token+name+namespace)''. Deprecated: - Replaced by WebhookPath.' - type: string - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml deleted file mode 100644 index d4d6772d..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml +++ /dev/null 
@@ -1,136 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/component: notification-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.labels }}
- {{- . | toYaml | nindent 4 }}
- {{- end }}
- name: notification-controller
-spec:
- {{- if kindIs "invalid" .Values.notificationController.replicas }}
- replicas: 1
- {{- else }}
- replicas: {{ .Values.notificationController.replicas }}
- {{- end}}
- selector:
- matchLabels:
- app: notification-controller
- template:
- metadata:
- {{- with .Values.notificationController.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app: notification-controller
-{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
- {{- if .Values.notificationController.initContainers}}
- initContainers:
- {{- toYaml .Values.notificationController.initContainers | nindent 8}}
- {{- end}}
- containers:
- - args:
- {{- if .Values.multitenancy.enabled }}
- - --no-cross-namespace-refs=true
- {{- end}}
- - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- - --log-level={{ .Values.logLevel | default "info" }}
- - --log-encoding=json
- - --enable-leader-election
- {{- range .Values.notificationController.container.additionalArgs }}
- {{ . }}
- {{- end}}
- env:
- - name: RUNTIME_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- with .Values.notificationController.extraEnv }}
- {{- toYaml .
| nindent 8 }}
- {{- end }}
- image: {{ template "template.image" .Values.notificationController }}
- {{- if .Values.notificationController.imagePullPolicy }}
- imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
- {{- else }}
- imagePullPolicy: IfNotPresent
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- name: manager
- ports:
- - containerPort: 9090
- name: http
- protocol: TCP
- - containerPort: 9292
- name: http-webhook
- protocol: TCP
- - containerPort: 8080
- name: http-prom
- protocol: TCP
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- {{- with .Values.notificationController.resources }}
- resources: {{ toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.notificationController.securityContext }}
- securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- volumeMounts:
- - mountPath: /tmp
- name: temp
- {{- if .Values.notificationController.volumeMounts }}
- {{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
- {{- end}}
- {{- if .Values.notificationController.priorityClassName }}
- priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
- {{- end }}
- {{- if .Values.notificationController.podSecurityContext }}
- securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
- {{- end }}
- serviceAccountName: notification-controller
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- terminationGracePeriodSeconds: 10
- volumes:
- - emptyDir: {}
- name: temp
- {{- if .Values.notificationController.volumes }}
- {{- toYaml .Values.notificationController.volumes |
nindent 6 }}
- {{- end}}
- {{- with .Values.notificationController.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.notificationController.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.notificationController.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml b/packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml
deleted file mode 100644
index 3db75272..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ if .Values.prometheus.podMonitor.create }}
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: {{ .Release.Name }}
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- {{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchExpressions:
- - key: app
- operator: In
- values:
- - helm-controller
- - source-controller
- - kustomize-controller
- - notification-controller
- - image-automation-controller
- - image-reflector-controller
- podMetricsEndpoints:
-{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/policies.yaml b/packages/core/fluxcd/charts/flux2/templates/policies.yaml
deleted file mode 100644
index 731e2980..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/policies.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- if and .Values.policies.create}}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: allow-egress
-spec:
- egress:
- - {}
- ingress:
- - from:
- - podSelector: {}
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: allow-scraping
-spec:
- ingress:
- - from:
- - namespaceSelector: {}
- ports:
- - port: 8080
- protocol: TCP
- podSelector: {}
- policyTypes:
- - Ingress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: allow-webhooks
-spec:
- ingress:
- - from:
- - namespaceSelector: {}
- podSelector:
- matchLabels:
- app: notification-controller
- policyTypes:
- - Ingress
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml b/packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml
deleted file mode 100644
index f6348698..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: "{{ .Release.Name }}-flux-check"
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-weight": "-10"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml b/packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml
deleted file mode 100644
index 2c2541f5..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml
+++ /dev/null
@@ -1,72 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: "{{ .Release.Name }}-flux-check" - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - annotations: - "helm.sh/hook": pre-install - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - backoffLimit: 1 - template: - metadata: - name: "{{ .Release.Name }}" - {{- with .Values.cli.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - spec: - restartPolicy: Never - serviceAccountName: "{{ .Release.Name }}-flux-check" - automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }} - containers: - - name: flux-cli - image: {{ template "template.image" .Values.cli }} - command: ["/usr/local/bin/flux", "check", "--pre", "--namespace", {{ .Release.Namespace }}] - {{- with .Values.cli.resources }} - resources: {{ toYaml . 
| nindent 10 }} - {{- end }} - {{- if .Values.cli.securityContext }} - securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - {{- if .Values.cli.volumeMounts }} - volumeMounts: - {{- toYaml .Values.cli.volumeMounts | nindent 10 }} - {{- end}} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - {{- with .Values.cli.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.cli.volumes }} - volumes: - {{- toYaml .Values.cli.volumes | nindent 8 }} - {{- end}} - {{- with .Values.cli.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.cli.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml deleted file mode 100644 index 25caae35..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml +++ /dev/null 
@@ -1,29 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- name: source-controller
- {{- with .Values.sourceController.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- {{- if .Values.sourceController.service.ports }}
- {{- toYaml .Values.sourceController.service.ports | nindent 2 }}
- {{- end}}
- selector:
- app: source-controller
- type: ClusterIP
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml
deleted file mode 100644
index 286a625f..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.sourceController.create -}}
-{{- if .Values.sourceController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/component: source-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: source-controller
- {{- with .Values.sourceController.serviceAccount.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml
deleted file mode 100644
index d4fccd6d..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml
+++ /dev/null
@@ -1,3291 +0,0 @@ -{{- if and .Values.installCRDs .Values.sourceController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: buckets.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: Bucket - listKind: BucketList - plural: buckets - singular: bucket - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec defines the desired state of an S3 compatible - bucket - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: The bucket name. - type: string - endpoint: - description: The bucket endpoint address. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. - type: boolean - interval: - description: The interval at which to check for bucket updates. - type: string - provider: - default: generic - description: The S3 compatible storage provider name, default ('generic'). - enum: - - generic - - aws - - gcp - type: string - region: - description: The bucket region. 
- type: string - secretRef: - description: The name of the secret containing authentication credentials - for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for download operations, defaults to 60s. - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus defines the observed state of a bucket - properties: - artifact: - description: Artifact represents the output of the last successful - Bucket sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last Bucket sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec specifies the required configuration to produce - an Artifact for an object storage bucket. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: BucketName is the name of the object storage bucket. - type: string - endpoint: - description: Endpoint is the object storage address the BucketName - is located at. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP Endpoint. 
- type: boolean - interval: - description: Interval at which the Bucket Endpoint is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - prefix: - description: Prefix to use for server-side filtering of files in the - Bucket. - type: string - provider: - default: generic - description: Provider of the object storage bucket. Defaults to 'generic', - which expects an S3 (API) compatible object storage. - enum: - - generic - - aws - - gcp - - azure - type: string - region: - description: Region of the Endpoint where the BucketName is located - in. - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this Bucket. - type: boolean - timeout: - default: 60s - description: Timeout for fetch operations, defaults to 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus records the observed state of a Bucket. - properties: - artifact: - description: Artifact represents the last successful Bucket reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. 
- type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Bucket object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: gitrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: GitRepository - listKind: GitRepositoryList - plural: gitrepositories - shortNames: - - gitrepo - singular: gitrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which the GitRepository URL is checked for - updates. 
This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxySecretRef: - description: ProxySecretRef specifies the Secret containing the proxy - configuration to use while communicating with the Git server. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. \n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. 
- properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - default: HEAD - description: "Mode specifies which Git object(s) should be verified. - \n The variants \"head\" and \"HEAD\" both imply the same thing, - i.e. verify the commit that the HEAD of the Git repository points - to. The variant \"head\" solely exists to ensure backwards compatibility." - enum: - - head - - HEAD - - Tag - - TagAndHEAD - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. 
- format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. - It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. 
- type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - sourceVerificationMode: - description: SourceVerificationMode is the last used verification - mode indicating which Git object(s) have been verified. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec defines the desired state of a Git repository. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. 
- properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: Determines which git client library to use. Defaults - to go-git, valid values are ('go-git', 'libgit2'). - enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Extra git repositories to map into the repository - items: - description: GitRepositoryInclude defines a source with a from and - to path. - properties: - fromPath: - description: The path to copy contents from, defaults to the - root directory. - type: string - repository: - description: Reference to a GitRepository to include. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: The path to copy contents to, defaults to the name - of the source ref. - type: string - required: - - repository - type: object - type: array - interval: - description: The interval at which to check for repository updates. - type: string - recurseSubmodules: - description: When enabled, after the clone is created, initializes - all submodules within, using their default settings. This option - is available only when using the 'go-git' GitImplementation. - type: boolean - ref: - description: The Git reference to checkout and monitor for changes, - defaults to master branch. 
- properties: - branch: - description: The Git branch to checkout, defaults to master. - type: string - commit: - description: The Git commit SHA to checkout, if specified Tag - filters will be ignored. - type: string - semver: - description: The Git tag semver expression, takes precedence over - Tag. - type: string - tag: - description: The Git tag to checkout, takes precedence over Branch. - type: string - type: object - secretRef: - description: The secret name containing the Git credentials. For HTTPS - repositories the secret must contain username and password fields. - For SSH repositories the secret must contain identity and known_hosts - fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote Git operations like cloning, defaults - to 60s. - type: string - url: - description: The repository URL, can be a HTTP/S or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verify OpenPGP signature for the Git commit HEAD points - to. - properties: - mode: - description: Mode describes what git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: The secret name containing the public keys of all - trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - mode - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus defines the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. 
- properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts represents the included artifacts from - the last successful repository sync. - items: - description: Artifact represents the output of a source synchronisation. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. 
- type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last repository sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: 'GitImplementation specifies which Git client library - implementation to use. Defaults to ''go-git'', valid values are - (''go-git'', ''libgit2''). Deprecated: gitImplementation is deprecated - now that ''go-git'' is the only supported implementation.' 
- enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which to check the GitRepository for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. 
\n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - description: Mode specifies what Git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - mode - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.recurseSubmodules - .spec.included and the checksum of the - included artifacts observed in .status.observedGeneration version - of the object. This can be used to determine if the content of the - included repository has changed. It has the format of `:`, - for example: `sha256:`. \n Deprecated: Replaced with explicit - fields for observed artifact content config in the status." - type: string - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. 
- It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise GitRepositoryStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: helmcharts.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmChart - listKind: HelmChartList - plural: helmcharts - shortNames: - - hc - singular: helmchart - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - 
jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec defines the desired state of a Helm chart. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: The name or path the Helm chart is available at in the - SourceRef. - type: string - interval: - description: The interval at which to check the Source for updates. - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new artifact. - Valid values are ('ChartVersion', 'Revision'). See the documentation - of the values for an explanation on their behavior. Defaults to - ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The reference to the Source the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: Alternative values file to use as the default chart values, - expected to be a relative path in the SourceRef. Deprecated in favor - of ValuesFiles, for backwards compatibility the file defined here - is merged before the ValuesFiles items. Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the chart - values (values.yaml is not included by default), expected to be - a relative path in the SourceRef. Values files are merged in the - order of this list with the last file overriding the first. Ignored - when omitted. - items: - type: string - type: array - version: - default: '*' - description: The chart version semver expression, ignored for charts - from GitRepository and Bucket sources. 
Defaults to latest when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus defines the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - chart sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last chart pulled. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec specifies the desired state of a Helm chart. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: Chart is the name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which the HelmChart SourceRef is checked - for updates. This interval is approximate and may be subject to - jitter to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: ReconcileStrategy determines what enables the creation - of a new artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on their - behavior. Defaults to ChartVersion when omitted. 
- enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: SourceRef is the reference to the Source the chart is - available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: ValuesFile is an alternative values file to use as the - default chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file specified here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: ValuesFiles is an alternative list of values files to - use as the chart values (values.yaml is not included by default), - expected to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding the - first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. This field is only - supported when using HelmRepository source with spec.type 'oci'. - Chart dependencies, which are not bundled in the umbrella chart - artifact, are not verified. - properties: - matchOIDCIdentity: - description: MatchOIDCIdentity specifies the identity matching - criteria to use while verifying an OCI artifact which was signed - using Cosign keyless signing. 
The artifact's identity is deemed - to be verified if any of the specified matchers match against - the identity. - items: - description: OIDCIdentityMatch specifies options for verifying - the certificate identity, i.e. the issuer and the subject - of the certificate. - properties: - issuer: - description: Issuer specifies the regex pattern to match - against to verify the OIDC issuer in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - subject: - description: Subject specifies the regex pattern to match - against to verify the identity subject in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - required: - - issuer - - subject - type: object - type: array - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version is the chart version semver expression, ignored - for charts from GitRepository and Bucket sources. Defaults to latest - when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus records the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. 
- format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedChartName: - description: ObservedChartName is the last observed chart name as - specified by the resolved chart reference. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmChart object. - format: int64 - type: integer - observedSourceArtifactRevision: - description: ObservedSourceArtifactRevision is the last observed Artifact.Revision - of the HelmChartSpec.SourceRef. - type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: helmrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmRepository - listKind: HelmRepositoryList - plural: helmrepositories - shortNames: - - helmrepo - singular: helmrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec defines the reference to a Helm repository. 
- properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - interval: - description: The interval at which to check the upstream for updates. - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - secretRef: - description: The name of the secret containing authentication credentials - for the Helm repository. For HTTP/S basic auth the secret must contain - username and password fields. For TLS the secret must contain a - certFile and keyFile, and/or caFile fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. 
- type: boolean - timeout: - default: 60s - description: The timeout of index downloading, defaults to 60s. - type: string - url: - description: The Helm repository URL, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus defines the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last index fetched. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec specifies the required configuration to - produce an Artifact for a Helm repository index YAML. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. 
- \n It takes precedence over the values specified in the Secret referred - to by `.spec.secretRef`." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. This field is only taken into account if the .spec.type - field is set to 'oci'. - type: boolean - interval: - description: Interval at which the HelmRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - provider: - default: generic - description: Provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. This field is optional, and only taken into - account if the .spec.type field is set to 'oci'. When not specified, - defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the HelmRepository. For HTTP/S basic auth the secret - must contain 'username' and 'password' fields. Support for TLS auth - using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. - Please use `.spec.certSecretRef` instead. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this HelmRepository. 
- type: boolean - timeout: - description: Timeout is used for the index fetch operation for an - HTTPS helm repository, and for remote OCI Repository operations - like pulling for an OCI helm chart by the associated HelmChart. - Its default value is 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of the HelmRepository. When this field is set to "oci", - the URL field value must be prefixed with "oci://". - enum: - - default - - oci - type: string - url: - description: URL of the Helm repository, a valid URL contains at least - a protocol and host. - pattern: ^(http|https|oci)://.*$ - type: string - required: - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus records the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the last successful HelmRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. 
- format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmRepository object. - format: int64 - type: integer - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: ocirepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: OCIRepository - listKind: OCIRepositoryList - plural: ocirepositories - shortNames: - - ocirepo - singular: ocirepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: OCIRepository is the Schema for the ocirepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: OCIRepositorySpec defines the desired state of OCIRepository - properties: - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. - \n Note: Support for the `caFile`, `certFile` and `keyFile` keys - have been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. - type: boolean - interval: - description: Interval at which the OCIRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - layerSelector: - description: LayerSelector specifies which layer should be extracted - from the OCI artifact. When not specified, the first layer found - in the artifact is selected. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. 
- type: string - operation: - description: Operation specifies how the selected layer should - be processed. By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - provider: - default: generic - description: The provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. When not specified, defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - ref: - description: The OCI reference to pull and monitor for changes, defaults - to the latest tag. - properties: - digest: - description: Digest is the image digest to pull, takes precedence - over SemVer. The value should be in the format 'sha256:'. - type: string - semver: - description: SemVer is the range of tags to pull selecting the - latest within the range, takes precedence over Tag. - type: string - tag: - description: Tag is the image tag to pull, defaults to latest. - type: string - type: object - secretRef: - description: SecretRef contains the secret name containing the registry - login credentials to resolve image metadata. The secret must be - of type kubernetes.io/dockerconfigjson. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' - type: string - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote OCI Repository operations like - pulling, defaults to 60s. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL is a reference to an OCI artifact repository hosted - on a remote container registry. - pattern: ^oci://.*$ - type: string - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. - properties: - matchOIDCIdentity: - description: MatchOIDCIdentity specifies the identity matching - criteria to use while verifying an OCI artifact which was signed - using Cosign keyless signing. The artifact's identity is deemed - to be verified if any of the specified matchers match against - the identity. - items: - description: OIDCIdentityMatch specifies options for verifying - the certificate identity, i.e. the issuer and the subject - of the certificate. - properties: - issuer: - description: Issuer specifies the regex pattern to match - against to verify the OIDC issuer in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - subject: - description: Subject specifies the regex pattern to match - against to verify the identity subject in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - required: - - issuer - - subject - type: object - type: array - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: OCIRepositoryStatus defines the observed state of OCIRepository - properties: - artifact: - description: Artifact represents the output of the last successful - OCI Repository sync. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the OCIRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.layerSelector observed in .status.observedGeneration version - of the object. This can be used to determine if the content configuration - has changed and the artifact needs to be rebuilt. It has the format - of `:`, for example: `sha256:`. \n Deprecated: - Replaced with explicit fields for observed artifact content config - in the status." - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedLayerSelector: - description: ObservedLayerSelector is the observed layer selector - used for constructing the source artifact. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. - type: string - operation: - description: Operation specifies how the selected layer should - be processed. 
By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - url: - description: URL is the download link for the artifact output of the - last OCI Repository sync. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml deleted file mode 100644 index 517b54bd..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -{{- if .Values.sourceController.create }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - control-plane: controller - {{- with .Values.sourceController.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - name: source-controller -spec: - replicas: 1 - selector: - matchLabels: - app: source-controller - strategy: - type: Recreate - template: - metadata: - {{- with .Values.sourceController.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app: source-controller -{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }} - spec: - automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }} - {{- if .Values.sourceController.initContainers}} - initContainers: - {{- toYaml .Values.sourceController.initContainers | nindent 8}} - {{- end}} - containers: - - args: - {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc - {{- end}} - - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - - --log-level={{ .Values.logLevel | default "info" }} - - --log-encoding=json - - --enable-leader-election - - --storage-path=/data - - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc - {{- range .Values.sourceController.container.additionalArgs }} - - {{ . }} - {{- end}} - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.sourceController.extraEnv }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - image: {{ template "template.image" .Values.sourceController }} - {{- if .Values.sourceController.imagePullPolicy }} - imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }} - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 9090 - name: http - protocol: TCP - - containerPort: 8080 - name: http-prom - protocol: TCP - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: / - port: http - {{- with .Values.sourceController.resources }} - resources: {{ toYaml . | nindent 10 }} - {{- end }} - {{- if .Values.sourceController.securityContext }} - securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - volumeMounts: - - mountPath: /data - name: data - - mountPath: /tmp - name: tmp - {{- if .Values.sourceController.volumeMounts }} - {{- toYaml .Values.sourceController.volumeMounts | nindent 8 }} - {{- end}} - {{- if .Values.sourceController.priorityClassName }} - priorityClassName: {{ .Values.sourceController.priorityClassName | quote }} - {{- end }} - {{- if .Values.sourceController.podSecurityContext }} - securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }} - {{- else }} - securityContext: - fsGroup: 1337 - {{- end}} - serviceAccountName: source-controller - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: data - - emptyDir: {} - name: tmp - {{- if .Values.sourceController.volumes }} - {{- toYaml .Values.sourceController.volumes | nindent 6 }} - {{- end}} - {{- with 
.Values.sourceController.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.sourceController.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.sourceController.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/values.yaml b/packages/core/fluxcd/charts/flux2/values.yaml deleted file mode 100644 index 379c07e8..00000000 --- a/packages/core/fluxcd/charts/flux2/values.yaml +++ /dev/null 
@@ -1,327 +0,0 @@ -# global - -installCRDs: true -crds: - # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep - annotations: {} - -multitenancy: - # -- Implement the patches for Multi-tenancy lockdown. - # See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown - enabled: false - # -- All Kustomizations and HelmReleases which don’t have spec.serviceAccountName - # specified, will use the default account from the tenant’s namespace. - # Tenants have to specify a service account in their Flux resources to be able - # to deploy workloads in their namespaces as the default account has no permissions. - defaultServiceAccount: "default" - # -- Both kustomize-controller and helm-controller service accounts run privileged - # with cluster-admin ClusterRoleBinding. Disable if you want to run them with a - # minimum set of permissions. - privileged: true - -clusterDomain: cluster.local - -cli: - image: ghcr.io/fluxcd/flux-cli - tag: v2.2.3 - nodeSelector: {} - affinity: {} - tolerations: [] - annotations: {} - serviceAccount: - automount: true - -# controllers - -helmController: - create: true - image: ghcr.io/fluxcd/helm-controller - tag: v0.37.4 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - nodeSelector: {} - # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core - # for example: - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: foo.bar.com/role - # operator: In - # values: - # - master - - affinity: {} - # expects input structure as per specification 
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core - # for example: - # tolerations: - # - key: foo.bar.com/role - # operator: Equal - # value: master - # effect: NoSchedule - - tolerations: [] - -imageAutomationController: - create: true - image: ghcr.io/fluxcd/image-automation-controller - tag: v0.37.1 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - nodeSelector: {} - affinity: {} - tolerations: [] - -imageReflectionController: - create: true - image: ghcr.io/fluxcd/image-reflector-controller - tag: v0.31.2 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - nodeSelector: {} - affinity: {} - tolerations: [] - -kustomizeController: - create: true - image: ghcr.io/fluxcd/kustomize-controller - tag: v1.2.2 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - secret: - # -- Create a secret to use it with extraSecretMounts. Defaults to false. - create: false - name: "" - data: {} - # -- Defines envFrom using a configmap and/or secret. - envFrom: - map: - name: "" - secret: - name: "" - # -- Defines additional mounts with secrets. 
- # Secrets must be manually created in the namespace or with kustomizeController.secret - extraSecretMounts: [] - # - name: secret-files - # mountPath: /etc/secrets - # subPath: "" - # secretName: secret-files - # readOnly: true - - nodeSelector: {} - affinity: {} - tolerations: [] - -notificationController: - create: true - image: ghcr.io/fluxcd/notification-controller - tag: v1.2.4 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - service: - labels: {} - annotations: {} - webhookReceiver: - service: - labels: {} - annotations: {} - ingress: - create: false - # ingressClassName: nginx - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - hosts: - - host: flux-webhook.example.com - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: flux-webhook-tls - # hosts: - # - flux-webhook.example.com - - - nodeSelector: {} - affinity: {} - tolerations: [] - -sourceController: - create: true - image: ghcr.io/fluxcd/source-controller - tag: v1.2.4 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - service: - labels: {} - annotations: {} - nodeSelector: {} - affinity: {} - tolerations: [] - extraEnv: [] - -policies: - create: true - -rbac: - create: true - # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources - createAggregation: true - # -- Add annotations to all RBAC resources, e.g. 
"helm.sh/resource-policy": keep
- annotations: {}
- roleRef:
- name: cluster-admin
-
-logLevel: info
-watchAllNamespaces: true
-
-# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
-imagePullSecrets: []
-
-# -- Array of extra K8s manifests to deploy
-extraObjects: []
-# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
-# - apiVersion: source.toolkit.fluxcd.io/v1beta2
-# kind: Bucket
-# metadata:
-# name: podinfo
-# namespace: default
-# spec:
-# interval: 1m
-# provider: generic
-# bucketName: podinfo
-# endpoint: minio.minio.svc.cluster.local:9000
-# insecure: true
-# secretRef:
-# name: minio-credentials
-# - apiVersion: v1
-# kind: Secret
-# metadata:
-# name: minio-credentials
-# namespace: default
-# type: Opaque
-# data:
-# accesskey:
-# secretkey:
-
-# Enables podMonitor creation for the Prometheus Operator
-prometheus:
- podMonitor:
- # -- Enables podMonitor endpoint
- create: false
- podMetricsEndpoints:
- - port: http-prom
- relabelings:
- # https://github.com/prometheus-operator/prometheus-operator/issues/4816
- - sourceLabels: [__meta_kubernetes_pod_phase]
- action: keep
- regex: Running
diff --git a/packages/core/fluxcd/templates/flux-instance.yaml b/packages/core/fluxcd/templates/flux-instance.yaml
new file mode 100644
index 00000000..b3b08d08
--- /dev/null
+++ b/packages/core/fluxcd/templates/flux-instance.yaml
@@ -0,0 +1,15 @@
+apiVersion: fluxcd.controlplane.io/v1
+kind: FluxInstance
+metadata:
+ name: flux
+spec:
+ cluster:
+ domain: {{ .Values.fluxInstance.cluster.domain }}
+ distribution:
+ version: {{ .Values.fluxInstance.distribution.version }}
+ registry: {{ .Values.fluxInstance.distribution.registry }}
+ components:
+ {{- if .Values.fluxInstance.components }}
+ {{- toYaml .Values.fluxInstance.components | nindent 4 }}
+ {{- end }}
+
diff --git a/packages/core/fluxcd/values.yaml b/packages/core/fluxcd/values.yaml
new file mode 100644
index 00000000..9650a9b9
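Review bot: The templated scalars in the new FluxInstance (`domain:`, `version:`, `registry:`) are rendered unquoted, so an override such as `version: 2.3` would reach the API server as a float and an empty value would render as `null`; pipe them through `quote`, e.g. `version: {{ .Values.fluxInstance.distribution.version | quote }}`. The `components:` key also sits outside the `{{- if }}`, so with an empty list the manifest carries a bare `components:` (null) instead of omitting the field; moving the key inside the conditional avoids that. The `version: 2.2.x` default in the new values.yaml hunk happens to parse as a string today, but the template offers no protection once someone sets a numeric-looking value.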
--- /dev/null
+++ b/packages/core/fluxcd/values.yaml
@@ -0,0 +1,13 @@
+fluxInstance:
+ cluster:
+ domain: cozy.local
+ distribution:
+ version: 2.2.x
+ registry: ghcr.io/fluxcd
+ components:
+ - source-controller
+ - kustomize-controller
+ - helm-controller
+ - notification-controller
+ - image-reflector-controller
+ - image-automation-controller
diff --git a/packages/core/fluxcd/valuesFile.yaml b/packages/core/fluxcd/valuesFile.yaml
new file mode 100644
index 00000000..23694817
--- /dev/null
+++ b/packages/core/fluxcd/valuesFile.yaml
@@ -0,0 +1,11 @@
+flux-operator:
+ tolerations:
+ - key: node.kubernetes.io/not-ready
+ operator: Exists
+ effect: NoSchedule
+ hostNetwork: true
+ extraEnvs:
+ - name: KUBERNETES_SERVICE_HOST
+ value: localhost
+ - name: KUBERNETES_SERVICE_PORT
+ value: "7445"
diff --git a/packages/core/platform/templates/namespaces.yaml b/packages/core/platform/templates/namespaces.yaml
index fd3a58e0..3f25361c 100644
--- a/packages/core/platform/templates/namespaces.yaml
+++ b/packages/core/platform/templates/namespaces.yaml
@@ -16,7 +16,7 @@
 {{/* Add extra namespaces */}}
 {{- $_ := set $namespaces "cozy-public" false }}
-{{- $_ := set $namespaces "cozy-fluxcd" false }}
+{{- $_ := set $namespaces "cozy-fluxcd" true }}
 {{- range $namespace, $privileged := $namespaces }}
 ---
diff --git a/scripts/installer.sh b/scripts/installer.sh
index 078ef6cd..d5edba38 100755
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -18,7 +18,16 @@ run_migrations() {
 done
 }
-flux_is_ok() {
+
+flux_operator_is_ok() {
+ kubectl wait --for=condition=available -n cozy-fluxcd deploy/fluxcd-flux-operator --timeout=1m
+}
+
+flux_instance_is_ok() {
+ kubectl wait --for=condition=ready -n cozy-fluxcd fluxinstance/flux --timeout=5m
+}
+
+flux_controllers_ok() {
 kubectl wait --for=condition=available -n cozy-fluxcd deploy/source-controller deploy/helm-controller --timeout=10s
 }
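Review bot: `hostNetwork: true` combined with `KUBERNETES_SERVICE_HOST=localhost` and `KUBERNETES_SERVICE_PORT="7445"` is left unexplained in valuesFile.yaml, and it places the flux-operator pod in the node's network namespace, a wider posture than any other Flux component in this commit gets. A comment above `hostNetwork: true` would stop the next reader from guessing, e.g. `# host network + node-local API endpoint on localhost:7445: lets flux-operator start before the CNI is up — TODO confirm` (the reason is inferred here, not visible in the hunk). The quoting of `value: "7445"` is correct and worth keeping, since env values must stay strings.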
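Review bot: Flipping `cozy-fluxcd` to `true` in the `$namespaces` map changes what `$privileged` does for that namespace in the `range` below, but the hunk gives no reason, and the loop body that consumes `$privileged` is outside the hunk, so the effect (presumably a relaxed pod-security level) cannot be confirmed here. A one-line template comment next to the set, e.g. `{{/* cozy-fluxcd is privileged: flux-operator runs with hostNetwork (see packages/core/fluxcd/valuesFile.yaml) */}}`, would tie the two changes in this commit together and make the widened namespace an explicit, reviewable decision rather than a silent flag flip.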
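Review bot: The three helpers added to installer.sh have no comments and their naming is inconsistent: `flux_operator_is_ok` and `flux_instance_is_ok` follow the `_is_ok` pattern while the renamed `flux_controllers_ok` does not, and it keeps the old 10s timeout next to the new 1m and 5m waits without saying whether that is a deliberate quick probe. A one-line comment per function stating what it gates would settle both, e.g. `# quick probe (short timeout on purpose): are source/helm controllers already serving?` above `flux_controllers_ok`. Whether `flux_instance_is_ok` is called anywhere is not visible in this hunk.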
@@ -39,20 +48,24 @@ run_migrations
 # Install namespaces
 make -C packages/core/platform namespaces-apply
-# Install fluxcd
-make -C packages/core/fluxcd apply
+# Install fluxcd twice (once it will fail, since CRDs can't be ordered)
+make -C packages/core/fluxcd apply || make -C packages/core/fluxcd apply
-# Reconcile Helm repositories
-kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
+if flux_operator_is_ok; then
+ echo "Flux operator is installed and FluxInstance CRD is ready"
+fi
 # Install platform chart
 make -C packages/core/platform apply
 # Install basic system charts (should be after platform chart applied)
-if ! flux_is_ok; then
+if ! flux_controllers_ok; then
 install_basic_charts
 fi
+# Reconcile Helm repositories
+kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite
+
 # Reconcile platform chart
 trap 'exit' INT TERM
 while true; do
From 931e39fb5c6779cbd5175f8e7fb4b8f28fe751c1 Mon Sep 17 00:00:00 2001
From: Kingdon Barrett
Date: Mon, 17 Jun 2024 10:02:32 -0400
Subject: [PATCH 22/67] Upgrade to Flux 2.3.x (#167)
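Review bot: The `if flux_operator_is_ok; then … fi` block only reports success; when the 1-minute `kubectl wait` times out nothing is printed and the script continues into `make -C packages/core/platform apply` as if Flux were available. `flux_instance_is_ok`, added in the previous hunk, is never called here, so readiness of `fluxinstance/flux` is never awaited before the platform chart is applied, and the success message claims the FluxInstance CRD is ready although only the Deployment's Available condition was checked. If a missing operator is meant to be fatal, use `flux_operator_is_ok || { echo "flux-operator did not become available" >&2; exit 1; }` followed by `flux_instance_is_ok || exit 1`; if it is meant to be tolerated on a first install (the `flux_controllers_ok` fallback below suggests so), add an `else` branch that prints the timeout to stderr and say so in a comment.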
Signed-off-by: Kingdon Barrett Co-authored-by: Andrei Kvapil --- .../templates/helmreleases/cilium.yaml | 2 +- .../templates/helmreleases/csi.yaml | 2 +- packages/apps/tenant/templates/etcd.yaml | 2 +- packages/apps/tenant/templates/ingress.yaml | 2 +- .../apps/tenant/templates/monitoring.yaml | 2 +- packages/core/fluxcd/Makefile | 4 +-- packages/core/fluxcd/flux-customizations.yaml | 35 +++++++++++++++++++ .../core/fluxcd/templates/flux-instance.yaml | 11 ++++-- packages/core/fluxcd/values.yaml | 8 ++--- packages/core/platform/bundles/paas-full.yaml | 4 +-- .../core/platform/bundles/paas-hosted.yaml | 4 +-- packages/core/platform/templates/apps.yaml | 6 ++-- .../core/platform/templates/helmreleases.yaml | 2 +- .../core/platform/templates/helmrepos.yaml | 6 ++-- .../ingress/templates/nginx-ingress.yaml | 2 +- .../templates/oncall/oncall-release.yaml | 2 +- 16 files changed, 68 insertions(+), 26 deletions(-) create mode 100644 packages/core/fluxcd/flux-customizations.yaml diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml index 14577407..4f23ed21 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml @@ -1,4 +1,4 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: {{ .Release.Name }}-cilium diff --git a/packages/apps/kubernetes/templates/helmreleases/csi.yaml b/packages/apps/kubernetes/templates/helmreleases/csi.yaml index 55169278..5ced4163 100644 --- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml @@ -1,4 +1,4 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: {{ .Release.Name }}-csi 
diff --git a/packages/apps/tenant/templates/etcd.yaml b/packages/apps/tenant/templates/etcd.yaml index 917cf4b4..17b66683 100644 --- a/packages/apps/tenant/templates/etcd.yaml +++ b/packages/apps/tenant/templates/etcd.yaml @@ -1,5 +1,5 @@ {{- if .Values.etcd }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: etcd diff --git a/packages/apps/tenant/templates/ingress.yaml b/packages/apps/tenant/templates/ingress.yaml index 7c413db5..b93ae0fa 100644 --- a/packages/apps/tenant/templates/ingress.yaml +++ b/packages/apps/tenant/templates/ingress.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: ingress diff --git a/packages/apps/tenant/templates/monitoring.yaml b/packages/apps/tenant/templates/monitoring.yaml index d0db03b5..93772546 100644 --- a/packages/apps/tenant/templates/monitoring.yaml +++ b/packages/apps/tenant/templates/monitoring.yaml @@ -1,5 +1,5 @@ {{- if .Values.monitoring }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: monitoring diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index 15494d2d..f8bab3e7 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile 
@@ -7,11 +7,11 @@ show:
 helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS)
 apply:
- helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml \
+ helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml -f flux-customizations.yaml \
 --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f-
 diff:
- helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml \
+ helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml -f flux-customizations.yaml \
 --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f-
 update:
diff --git a/packages/core/fluxcd/flux-customizations.yaml b/packages/core/fluxcd/flux-customizations.yaml
new file mode 100644
index 00000000..faacac59
--- /dev/null
+++ b/packages/core/fluxcd/flux-customizations.yaml
@@ -0,0 +1,35 @@
+fluxInstance:
+ kustomize:
+ patches:
+ - target:
+ kind: Deployment
+ name: "(kustomize-controller|helm-controller|source-controller)"
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=20
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ - op: replace
+ path: /spec/template/spec/containers/0/resources/limits
+ value:
+ cpu: 2000m
+ memory: 2048Mi
+ - target:
+ kind: Deployment
+ name: source-controller
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --storage-adv-addr=source-controller
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --events-addr=http://notification-controller/
+ - target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller)
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --events-addr=http://notification-controller/
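Review bot: The `op: replace` on `/spec/template/spec/containers/0/resources/limits` in the first patch is a strict JSON Patch replace: it fails when the targeted container carries no `limits` map, and a failed patch fails the whole FluxInstance reconciliation rather than just that one controller. `op: add` on the same path overwrites an existing member and creates a missing one, so `- op: add` is the safer choice unless a hard failure is specifically wanted should upstream drop its default limits. Minor: the first target quotes its regex (`name: "(kustomize-controller|…)"`) while the third leaves it unquoted; both parse as plain strings, but pick one form for the file.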
diff --git a/packages/core/fluxcd/templates/flux-instance.yaml b/packages/core/fluxcd/templates/flux-instance.yaml
index b3b08d08..12999f66 100644
--- a/packages/core/fluxcd/templates/flux-instance.yaml
+++ b/packages/core/fluxcd/templates/flux-instance.yaml
@@ -3,8 +3,12 @@ kind: FluxInstance
 metadata:
 name: flux
 spec:
+ {{- with .Values.fluxInstance.cluster }}
 cluster:
- domain: {{ .Values.fluxInstance.cluster.domain }}
+ {{- with .domain }}
+ domain: {{ . }}
+ {{- end }}
+ {{- end }}
 distribution:
 version: {{ .Values.fluxInstance.distribution.version }}
 registry: {{ .Values.fluxInstance.distribution.registry }}
@@ -12,4 +16,7 @@ spec:
 {{- if .Values.fluxInstance.components }}
 {{- toYaml .Values.fluxInstance.components | nindent 4 }}
 {{- end }}
-
+ kustomize:
+ {{- if .Values.fluxInstance.kustomize }}
+ {{- toYaml .Values.fluxInstance.kustomize | nindent 4 }}
+ {{- end }}
\ No newline at end of file
diff --git a/packages/core/fluxcd/values.yaml b/packages/core/fluxcd/values.yaml
index 9650a9b9..8e13df1c 100644
--- a/packages/core/fluxcd/values.yaml
+++ b/packages/core/fluxcd/values.yaml
@@ -1,8 +1,8 @@
 fluxInstance:
- cluster:
- domain: cozy.local
+ # cluster:
+ # domain: cozy.local
 distribution:
- version: 2.2.x
+ version: 2.3.x
 registry: ghcr.io/fluxcd
 components:
 - source-controller
@@ -10,4 +10,4 @@ fluxInstance:
 - helm-controller
 - notification-controller
 - image-reflector-controller
- - image-automation-controller
+ - image-automation-controller
\ No newline at end of file
diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml
index 6ee2ad41..a39931a1 100644
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
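Review bot: `kustomize:` is emitted unconditionally in the second hunk, so when `.Values.fluxInstance.kustomize` is unset (values.yaml does not define it; it only arrives through the `-f flux-customizations.yaml` added to the Makefile) the rendered FluxInstance carries `kustomize:` with a null value, and `components:` has the same shape problem. Whether the FluxInstance CRD tolerates a null map is not visible here, but rendering with a different `-f` set should not change the shape of the object; wrap the key inside the conditional the way the first hunk now does for `cluster:`, i.e. `{{- with .Values.fluxInstance.kustomize }}` / `kustomize:` / `{{- toYaml . | nindent 4 }}` closed by `{{- end }}`. The template also now ends without a trailing newline.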
@@ -153,8 +153,8 @@ releases: chart: cozy-dashboard namespace: cozy-dashboard dependsOn: [cilium,kubeovn] - {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }} - {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }} + {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }} + {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }} values: kubeapps: redis: diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index a9c33818..5d6ce1a5 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml @@ -91,8 +91,8 @@ releases: chart: cozy-dashboard namespace: cozy-dashboard dependsOn: [] - {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }} - {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }} + {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }} + {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }} values: kubeapps: redis: diff --git a/packages/core/platform/templates/apps.yaml b/packages/core/platform/templates/apps.yaml index 2ba4f8ed..073edbdb 100644 --- a/packages/core/platform/templates/apps.yaml +++ b/packages/core/platform/templates/apps.yaml 
@@ -3,8 +3,8 @@ {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }} {{- $host := "example.org" }} {{- $tenantRoot := list }} -{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }} -{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }} +{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }} +{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }} {{- end }} {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }} {{- $host = $tenantRoot.spec.values.host }} @@ -22,7 +22,7 @@ metadata: namespace.cozystack.io/host: "{{ $host }}" name: tenant-root --- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: tenant-root diff --git a/packages/core/platform/templates/helmreleases.yaml b/packages/core/platform/templates/helmreleases.yaml index 5834c0be..bf7e1748 100644 --- a/packages/core/platform/templates/helmreleases.yaml +++ b/packages/core/platform/templates/helmreleases.yaml @@ -12,7 +12,7 @@ {{- range $x := $bundle.releases }} {{- if not (has $x.name $disabledComponents) }} --- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: {{ $x.name }} diff --git a/packages/core/platform/templates/helmrepos.yaml b/packages/core/platform/templates/helmrepos.yaml index 3e061e41..69f77534 100644 --- a/packages/core/platform/templates/helmrepos.yaml +++ b/packages/core/platform/templates/helmrepos.yaml @@ -1,5 +1,5 @@ --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: cozystack-system 
@@ -10,7 +10,7 @@ spec: interval: 5m0s url: http://cozystack.cozy-system.svc/repos/system --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: cozystack-apps @@ -22,7 +22,7 @@ spec: interval: 5m0s url: http://cozystack.cozy-system.svc/repos/apps --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: cozystack-extra diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml index 816327f0..43a3a9a6 100644 --- a/packages/extra/ingress/templates/nginx-ingress.yaml +++ b/packages/extra/ingress/templates/nginx-ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: ingress-nginx diff --git a/packages/extra/monitoring/templates/oncall/oncall-release.yaml b/packages/extra/monitoring/templates/oncall/oncall-release.yaml index 46d124e4..48416776 100644 --- a/packages/extra/monitoring/templates/oncall/oncall-release.yaml +++ b/packages/extra/monitoring/templates/oncall/oncall-release.yaml @@ -1,7 +1,7 @@ {{- if .Values.oncall.enabled }} {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: grafana-oncall From 3a0bad04b9fdc6827ba3b73105a33a2d7f1e75bc Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 17 Jun 2024 17:37:24 +0200 Subject: [PATCH 23/67] add check for forwarding and masquerading Signed-off-by: Andrei Kvapil --- hack/e2e.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/hack/e2e.sh b/hack/e2e.sh index 90c8314d..db86d04f 100755 --- a/hack/e2e.sh +++ b/hack/e2e.sh 
@@ -8,6 +8,15 @@ if [ "$COZYSTACK_INSTALLER_YAML" = "" ]; then
 exit 1
 fi
+if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
+ echo "IPv4 forwarding is not enabled!" >&2
+ echo 'please enable forwarding with the following command:' >&2
+ echo >&2
+ echo 'echo 1 > /proc/sys/net/ipv4/ip_forward' >&2
+ echo >&2
+ exit 1
+fi
+
 set -x
 set -e
@@ -18,6 +27,10 @@ ip link add cozy-br0 type bridge
 ip link set cozy-br0 up
 ip addr add 192.168.123.1/24 dev cozy-br0
+# Enable masquerading
+iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE || true
+iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+
 rm -rf srv1 srv2 srv3
 mkdir -p srv1 srv2 srv3
From 2dd2b079b2b4c061404b854532119798cdd8371d Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Mon, 17 Jun 2024 15:55:48 +0200
Subject: [PATCH 24/67] Update flux-plugin for dashboard
Signed-off-by: Andrei Kvapil
---
 packages/core/installer/images/cozystack.json | 4 +-
 packages/core/installer/images/cozystack.tag | 2 +-
 .../dashboard/images/kubeapps-apis.json | 4 +-
 .../system/dashboard/images/kubeapps-apis.tag | 2 +-
 .../dashboard/images/kubeapps-apis/Dockerfile | 12 +-
 .../images/kubeapps-apis/fluxcd.diff | 3196 +++++++++++++++++
 .../images/kubeapps-apis/labels.diff | 10 +-
 .../kubeapps-apis/reconcile-strategy.diff | 2 +-
 8 files changed, 3210 insertions(+), 22 deletions(-)
 create mode 100644 packages/system/dashboard/images/kubeapps-apis/fluxcd.diff
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json
index 585f11e3..3dda1a27 100644
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
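Review bot: The ip_forward check and the MASQUERADE rule never touch the FORWARD chain, so on a host where Docker or firewalld has set the FORWARD policy to DROP the check passes, the NAT rule is installed, and traffic from 192.168.123.0/24 is still dropped with no hint why; conversely, on a host with an ACCEPT policy the machine now routes for that subnet with no filter rule limiting what is forwarded. Add explicit, bridge-scoped FORWARD rules in the same delete-then-add idempotent style so the script behaves the same under either policy and forwards only what the test bridge needs. The hint `echo 1 > /proc/sys/net/ipv4/ip_forward` is also a global, non-persistent change; `sysctl -w net.ipv4.ip_forward=1` does the same and makes that clearer to the reader.
```shell
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE

# Allow forwarding for the test bridge only (required when the FORWARD policy is DROP, e.g. with Docker installed)
iptables -D FORWARD -i cozy-br0 -s 192.168.123.0/24 -j ACCEPT || true
iptables -I FORWARD -i cozy-br0 -s 192.168.123.0/24 -j ACCEPT
iptables -D FORWARD -o cozy-br0 -d 192.168.123.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || true
iptables -I FORWARD -o cozy-br0 -d 192.168.123.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```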
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:6d54a5b971e80fbaace664054d4e67f24fd1fbb7807ebaffd036d4ea7195df10",
- "containerimage.digest": "sha256:a6b167235d8556ff7e45f4582c2491a2ad48292a46005dcf767908e2fb78e74e"
+ "containerimage.config.digest": "sha256:c5641297fd8c314272047ae02461871e73c6eb3bdf64d5acd7f971917a28d48e",
+ "containerimage.digest": "sha256:e4838be7d0032f45213ccd0044deae263cd79f87cb1aa1c2a5c1efcc8337aad8"
 }
\ No newline at end of file
diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag
index e8430b50..602d7b26 100644
--- a/packages/core/installer/images/cozystack.tag
+++ b/packages/core/installer/images/cozystack.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/cozystack:v0.7.0
+ghcr.io/aenix-io/cozystack/cozystack:latest
diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json
index 8a5f4ced..b7460aa0 100644
--- a/packages/system/dashboard/images/kubeapps-apis.json
+++ b/packages/system/dashboard/images/kubeapps-apis.json
@@ -1,4 +1,4 @@
 {
- "containerimage.config.digest": "sha256:44db4f7c92adb68c79eb3e152c95318e559e5c1ac0ba6e3d467596b1315f37a1",
- "containerimage.digest": "sha256:b0c355cf5387b376e676a9e395fa0a11790409123a29e637a7080a413fe7f10d"
+ "containerimage.config.digest": "sha256:3fbaba7f41e9055839ecb30c1f0d505be732f79433fefdcfd352052d4ce52a19",
+ "containerimage.digest": "sha256:b33011eaf4dfe775287103f66b667b2976a053a59711103f405c6a5c5cc841bc"
 }
\ No newline at end of file
diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag
index e6a5a538..b87bc749 100644
--- a/packages/system/dashboard/images/kubeapps-apis.tag
+++ b/packages/system/dashboard/images/kubeapps-apis.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.7.0
+ghcr.io/aenix-io/cozystack/kubeapps-apis:latest
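Review bot: Both `.tag` files move from the release tag `v0.7.0` to `latest`, which is a mutable reference: anything that pulls by tag alone now gets whatever `latest` points at at pull time, and the tag no longer tells a reader which release the accompanying `.json` digest was built from. If every consumer renders the image as `tag@digest` the digest still pins the content (that cannot be verified from these hunks), but the tag then carries no information at all. Prefer keeping a versioned tag, or the commit SHA the image was built from, alongside the digest, or document at the tag file's consumer that the digest is authoritative and the tag is informational only.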
diff --git a/packages/system/dashboard/images/kubeapps-apis/Dockerfile b/packages/system/dashboard/images/kubeapps-apis/Dockerfile index b53ee603..99e7e56a 100644 --- a/packages/system/dashboard/images/kubeapps-apis/Dockerfile +++ b/packages/system/dashboard/images/kubeapps-apis/Dockerfile @@ -8,8 +8,10 @@ ARG VERSION=v2.10.0 RUN apk add --no-cache patch WORKDIR /source RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1 +COPY fluxcd.diff /patches/fluxcd.diff COPY labels.diff /patches/labels.diff COPY reconcile-strategy.diff /patches/reconcile-strategy.diff +RUN patch -p1 < /patches/fluxcd.diff RUN patch -p1 < /patches/labels.diff RUN patch -p1 < /patches/reconcile-strategy.diff @@ -70,15 +72,6 @@ RUN --mount=type=cache,target=/go/pkg/mod \ -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \ ./cmd/kubeapps-apis -# Build 'kapp-controller' plugin, version 'v1alpha1' -RUN --mount=type=cache,target=/go/pkg/mod \ - --mount=type=cache,target=/root/.cache/go-build \ - GOPROXY="https://proxy.golang.org,direct" \ - go build \ - -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \ - -o /kapp-controller-packages-v1alpha1-plugin.so -buildmode=plugin \ - ./cmd/kubeapps-apis/plugins/kapp_controller/packages/v1alpha1/*.go - ## Build 'fluxv2' plugin, version 'v1alpha1' RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ 
@@ -111,7 +104,6 @@ RUN --mount=type=cache,target=/go/pkg/mod \ FROM bitnami/minideb:bookworm COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /go/src/github.com/vmware-tanzu/kubeapps/kubeapps-apis /kubeapps-apis -COPY --from=builder /kapp-controller-packages-v1alpha1-plugin.so /plugins/kapp-controller-packages/ COPY --from=builder /fluxv2-packages-v1alpha1-plugin.so /plugins/fluxv2-packages/ COPY --from=builder /helm-packages-v1alpha1-plugin.so /plugins/helm-packages/ COPY --from=builder /resources-v1alpha1-plugin.so /plugins/resources/ diff --git a/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff b/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff new file mode 100644 index 00000000..eb073c6c --- /dev/null +++ b/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff 
@@ -0,0 +1,3196 @@ +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go +index fa38d6ba6..f57d6f65c 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go +@@ -131,7 +131,7 @@ type NamespacedResourceWatcherCacheConfig struct { + OnResyncFunc ResyncFunc + + // These funcs are needed to manipulate API-specific objects, such as flux's +- // sourcev1beta2.HelmRepository, in a generic fashion ++ // sourcev1.HelmRepository, in a generic fashion + NewObjFunc NewObjectFunc + NewListFunc NewObjectListFunc + ListItemsFunc GetListItemsFunc +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go +index 58aae6e88..c0d62a9a7 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go +@@ -12,7 +12,7 @@ import ( + "strings" + + "github.com/bufbuild/connect-go" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common" +@@ -27,12 +27,12 @@ import ( + "sigs.k8s.io/yaml" + ) + +-func (s *Server) getChartInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1beta2.HelmChart, error) { ++func (s *Server) getChartInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1.HelmChart, error) { + client, err := s.getClient(headers, key.Namespace) + if err != nil { + return nil, err + } +- var chartObj 
sourcev1beta2.HelmChart ++ var chartObj sourcev1.HelmChart + if err = client.Get(ctx, key, &chartObj); err != nil { + return nil, connecterror.FromK8sError("get", "HelmChart", key.String(), err) + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go +index 2c16c88ec..95455476f 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go +@@ -12,7 +12,7 @@ import ( + "testing" + "time" + +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + fluxplugin "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1" +@@ -329,12 +329,12 @@ func TestKindClusterRepoAndChartRBAC(t *testing.T) { + rules := map[string][]rbacv1.PolicyRule{ + names[1].Namespace: { + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{fluxHelmRepositories}, + Verbs: []string{"get", "list"}, + }, + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{"helmcharts"}, + Verbs: []string{"get", "list"}, + }, +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go +index 7641d5c77..362fc82ef 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go +@@ -16,7 +16,7 @@ import ( + "github.com/bufbuild/connect-go" + fluxmeta "github.com/fluxcd/pkg/apis/meta" + sourcev1 
"github.com/fluxcd/source-controller/api/v1" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redismock/v8" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache" +@@ -187,7 +187,7 @@ func TestGetAvailablePackageDetail(t *testing.T) { + } + defer ts2.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, secretObjs) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, secretObjs) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -291,7 +291,7 @@ func TestTransientHttpFailuresAreRetriedForChartCache(t *testing.T) { + } + defer ts2.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -468,7 +468,7 @@ func TestNonExistingRepoOrInvalidPkgVersionGetAvailablePackageDetail(t *testing. 
+ } + defer ts2.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -649,7 +649,7 @@ func TestGetAvailablePackageVersions(t *testing.T) { + } + defer ts.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -736,7 +736,7 @@ func TestGetOciAvailablePackageVersions(t *testing.T) { + t.Fatal(err) + } + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, tc.charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, tc.charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -979,12 +979,12 @@ func TestChartWithRelativeURL(t *testing.T) { + } + })) + +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: ts.URL, + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -1003,7 +1003,7 @@ func TestChartWithRelativeURL(t *testing.T) { + defer ts.Close() + + s, mock, err := newServerWithRepos(t, +- []sourcev1beta2.HelmRepository{repo}, ++ []sourcev1.HelmRepository{repo}, + []testSpecChartWithUrl{ + { + chartID: fmt.Sprintf("%s/airflow", repoName), +@@ -1073,7 +1073,7 @@ func TestGetOciAvailablePackageDetail(t *testing.T) { + t.Fatal(err) + } + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, tc.charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, tc.charts, nil) + if err != nil { + 
t.Fatalf("%+v", err) + } +@@ -1129,8 +1129,8 @@ func TestGetOciAvailablePackageDetail(t *testing.T) { + } + } + +-func newChart(name, namespace string, spec *sourcev1beta2.HelmChartSpec, status *sourcev1beta2.HelmChartStatus) sourcev1beta2.HelmChart { +- helmChart := sourcev1beta2.HelmChart{ ++func newChart(name, namespace string, spec *sourcev1.HelmChartSpec, status *sourcev1.HelmChartStatus) sourcev1.HelmChart { ++ helmChart := sourcev1.HelmChart{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Generation: int64(1), +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go +index cdb3611b0..5d5f5433b 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go +@@ -24,8 +24,8 @@ import ( + "github.com/bufbuild/connect-go" + "github.com/docker/cli/cli/config" + "github.com/docker/cli/cli/config/credentials" +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redis/v8" + "github.com/google/go-containerregistry/pkg/authn" + plugins "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/plugins/v1alpha1" +@@ -68,20 +68,20 @@ func init() { + } + + repositoriesGvr = schema.GroupVersionResource{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, + Resource: "helmrepositories", + } + + chartsGvr = schema.GroupVersionResource{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, + Resource: "helmcharts", + } + + releasesGvr = 
schema.GroupVersionResource{ +- Group: helmv2beta2.GroupVersion.Group, +- Version: helmv2beta2.GroupVersion.Version, ++ Group: helmv2.GroupVersion.Group, ++ Version: helmv2.GroupVersion.Version, + Resource: "helmreleases", + } + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go +index e3c1880a5..556516068 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go +@@ -10,10 +10,10 @@ import ( + + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/k8sutils" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" + sourcev1 "github.com/fluxcd/source-controller/api/v1" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1" + "google.golang.org/protobuf/types/known/anypb" +@@ -1006,33 +1006,33 @@ var ( + }, + } + +- add_repo_1 = sourcev1beta2.HelmRepository{ ++ add_repo_1 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, + } + +- add_repo_2 = sourcev1beta2.HelmRepository{ ++ add_repo_2 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- 
Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +@@ -1040,17 +1040,17 @@ var ( + }, + } + +- add_repo_3 = sourcev1beta2.HelmRepository{ ++ add_repo_3 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +@@ -1058,17 +1058,17 @@ var ( + }, + } + +- add_repo_4 = sourcev1beta2.HelmRepository{ ++ add_repo_4 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see 
https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +@@ -1077,51 +1077,51 @@ var ( + }, + } + +- add_repo_5 = sourcev1beta2.HelmRepository{ ++ add_repo_5 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + PassCredentials: true, + }, + } + +- add_repo_6 = sourcev1beta2.HelmRepository{ ++ add_repo_6 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: github_stefanprodan_podinfo_oci_registry_url, + Interval: metav1.Duration{Duration: 10 * time.Minute}, + Type: "oci", + }, + } + +- add_repo_7 = sourcev1beta2.HelmRepository{ ++ add_repo_7 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: github_stefanprodan_podinfo_oci_registry_url, + Interval: metav1.Duration{Duration: 10 * time.Minute}, + Type: "oci", +@@ -1129,10 +1129,10 @@ var ( + }, + } + +- add_repo_8 = 
sourcev1beta2.HelmRepository{ ++ add_repo_8 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", +@@ -1140,7 +1140,7 @@ var ( + ResourceVersion: "1", + Annotations: map[string]string{k8sutils.AnnotationDescriptionKey: "repo desc"}, + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +@@ -1831,7 +1831,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1844,7 +1844,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -1886,7 +1886,7 @@ var ( + releaseSuspend: true, + releaseServiceAccountName: "foo", + releaseValues: &v1.JSON{Raw: redis_existing_spec_completed_with_values_and_reconciliation_options_values_bytes}, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1899,7 +1899,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -1923,20 +1923,20 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ 
releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.InstallFailedReason, ++ Reason: helmv2.InstallFailedReason, + Message: "install retries exhausted", + }, + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.InstallFailedReason, ++ Reason: helmv2.InstallFailedReason, + Message: "Helm install failed: unable to build kubernetes objects from release manifest: error validating \"\": error validating data: ValidationError(Deployment.spec.replicas): invalid type for io.k8s.api.apps.v1.DeploymentSpec.replicas: got \"string\", expected \"integer\"", + }, + }, +@@ -1961,13 +1961,13 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.GetLastReleaseFailedReason, ++ Reason: helmv2.GetLastReleaseFailedReason, + Message: "failed to get last release revision", + }, + }, +@@ -1990,13 +1990,13 @@ var ( + Namespace: "test", + Generation: 2, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.GetLastReleaseFailedReason, ++ Reason: helmv2.GetLastReleaseFailedReason, + Message: "failed to get last release revision", + }, + }, +@@ -2027,7 +2027,7 @@ var ( + Namespace: "namespace-2", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: 
[]metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2040,7 +2040,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2064,7 +2064,7 @@ var ( + Namespace: "namespace-2", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2077,7 +2077,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2101,7 +2101,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2130,13 +2130,13 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.ArtifactFailedReason, ++ Reason: helmv2.ArtifactFailedReason, + Message: "HelmChart 'default/kubeapps-my-redis' is not ready", + }, + }, +@@ -2168,7 +2168,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2181,7 +2181,7 @@ var ( + LastTransitionTime: 
metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2275,41 +2275,41 @@ var ( + PostInstallationNotes: "some notes", + } + +- flux_helm_release_basic = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_basic = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_semver_constraint = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_semver_constraint = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + Version: "> 5", + }) + +- flux_helm_release_reconcile_options = &helmv2beta2.HelmRelease{ ++ flux_helm_release_reconcile_options = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-podinfo", + Namespace: "test", + ResourceVersion: "1", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ 
SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, +@@ -2327,22 +2327,22 @@ var ( + "message": "what we do in the shadows", + }}) + +- flux_helm_release_values = &helmv2beta2.HelmRelease{ ++ flux_helm_release_values = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-podinfo", + Namespace: "test", + ResourceVersion: "1", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, +@@ -2357,10 +2357,10 @@ var ( + InstalledPackageRef: installedRef("my-podinfo", "test"), + } + +- flux_helm_release_updated_1 = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_1 = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2368,12 +2368,12 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: 
sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2384,10 +2384,10 @@ var ( + }, + } + +- flux_helm_release_updated_2 = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_2 = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2395,12 +2395,12 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2424,7 +2424,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2437,7 +2437,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2457,10 +2457,10 @@ var ( + status: release.StatusDeployed, + } + +- flux_helm_release_updated_target_ns_is_set = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_target_ns_is_set = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: 
helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2468,12 +2468,12 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2661,50 +2661,50 @@ var ( + }, + } + +- flux_helm_release_upgrade_policy_none = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_none = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: "5.2.1", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_upgrade_policy_major = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_major = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: ">=5.2.1", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_upgrade_policy_minor = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_minor = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: ">=5.2.1 <6.0.0", +- 
SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_upgrade_policy_patch = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_patch = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: ">=5.2.1 <5.3.0", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_updated_upgrade_major = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_upgrade_major = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2712,13 +2712,13 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Version: ">=14.4.0", + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2728,10 +2728,10 @@ var ( + }, + } + +- flux_helm_release_updated_upgrade_minor = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_upgrade_minor = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: 
helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2739,13 +2739,13 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Version: ">=14.4.0 <15.0.0", + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2755,10 +2755,10 @@ var ( + }, + } + +- flux_helm_release_updated_upgrade_patch = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_upgrade_patch = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2766,13 +2766,13 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Version: ">=14.4.0 <14.5.0", + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -3230,13 +3230,13 @@ var ( + } + + get_summaries_repo_1 = newRepo("bar", "foo", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: 
"http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 + SecretRef: &fluxmeta.LocalObjectReference{}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -3257,11 +3257,11 @@ var ( + }) + + get_summaries_repo_2 = newRepo("zot", "xyz", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -3282,19 +3282,19 @@ var ( + }) + + get_summaries_repo_3 = newRepo("pending", "xyz", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ObservedGeneration: -1}, ++ &sourcev1.HelmRepositoryStatus{ObservedGeneration: -1}, + ) + + get_summaries_repo_4 = newRepo("failed", "xyz", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -4027,19 +4027,19 @@ var ( + } + } + +- newFluxHelmRelease = func(chartSpec helmv2beta2.HelmChartTemplateSpec) *helmv2beta2.HelmRelease { +- return &helmv2beta2.HelmRelease{ ++ newFluxHelmRelease = func(chartSpec helmv2.HelmChartTemplateSpec) *helmv2.HelmRelease { ++ return &helmv2.HelmRelease{ + TypeMeta: 
metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-podinfo", + Namespace: "test", + ResourceVersion: "1", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ + Spec: chartSpec, + }, + Interval: metav1.Duration{Duration: 1 * time.Minute}, +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go +index 672b8140d..be0270f16 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go +@@ -18,9 +18,9 @@ import ( + "testing" + "time" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redis/v8" + "github.com/vmware-tanzu/kubeapps/cmd/apprepository-controller/pkg/client/clientset/versioned/scheme" + plugins "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/plugins/v1alpha1" +@@ -143,7 +143,7 @@ func checkEnv(t *testing.T) (fluxplugin.FluxV2PackagesServiceClient, fluxplugin. + } + + // Check for helmrepositories left over from manual testing. 
This has caused me a lot grief +- var l *sourcev1beta2.HelmRepositoryList ++ var l *sourcev1.HelmRepositoryList + var names []string + const maxWait = 25 + for i := 0; i <= maxWait; i++ { +@@ -251,12 +251,12 @@ func kubeAddHelmRepository(t *testing.T, name types.NamespacedName, typ, url, se + if interval <= 0 { + interval = time.Duration(10 * time.Minute) + } +- repo := sourcev1beta2.HelmRepository{ ++ repo := sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: url, + Interval: metav1.Duration{Duration: interval}, + }, +@@ -297,7 +297,7 @@ func kubeAddHelmRepositoryAndCleanup(t *testing.T, name types.NamespacedName, ty + return err + } + +-func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1beta2.HelmRepository, error) { ++func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1.HelmRepository, error) { + t.Logf("+kubeGetHelmRepository(%s)", name) + + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) +@@ -305,7 +305,7 @@ func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1be + if ifc, err := kubeGetCtrlClient(); err != nil { + return nil, err + } else { +- var repo sourcev1beta2.HelmRepository ++ var repo sourcev1.HelmRepository + if err := ifc.Get(ctx, name, &repo); err != nil { + return nil, err + } +@@ -313,7 +313,7 @@ func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1be + } + } + +-func kubeListAllHelmRepositories(t *testing.T) (*sourcev1beta2.HelmRepositoryList, error) { ++func kubeListAllHelmRepositories(t *testing.T) (*sourcev1.HelmRepositoryList, error) { + t.Logf("+kubeListAllHelmRepositories()") + + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) +@@ -321,7 +321,7 @@ func kubeListAllHelmRepositories(t *testing.T) (*sourcev1beta2.HelmRepositoryLis + 
if ifc, err := kubeGetCtrlClient(); err != nil { + return nil, err + } else { +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + if err := ifc.List(ctx, &repoList); err != nil { + return nil, err + } +@@ -340,7 +340,7 @@ func kubeWaitUntilHelmRepositoryIsReady(t *testing.T, name types.NamespacedName) + } else { + ctx, cancel := context.WithTimeout(context.Background(), 90*time.Second) + defer cancel() +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + if watcher, err := ifc.Watch(ctx, &repoList); err != nil { + return err + } else { +@@ -357,8 +357,8 @@ func kubeWaitUntilHelmRepositoryIsReady(t *testing.T, name types.NamespacedName) + } + switch event.Type { + case watch.Added, watch.Modified: +- if repo, ok := event.Object.(*sourcev1beta2.HelmRepository); !ok { +- return errors.New("Could not cast to *sourcev1beta2.HelmRepository") ++ if repo, ok := event.Object.(*sourcev1.HelmRepository); !ok { ++ return errors.New("Could not cast to *sourcev1.HelmRepository") + } else { + hour, minute, second := time.Now().Clock() + complete, success, reason := isHelmRepositoryReady(*repo) +@@ -381,7 +381,7 @@ func kubeWaitUntilHelmRepositoryIsReady(t *testing.T, name types.NamespacedName) + // this should eventually be replaced with flux plugin's DeleteRepository() + func kubeDeleteHelmRepository(t *testing.T, name types.NamespacedName) error { + t.Logf("+kubeDeleteHelmRepository(%s)", name) +- repo := &sourcev1beta2.HelmRepository{ ++ repo := &sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, +@@ -400,7 +400,7 @@ func kubeExistsHelmRepository(t *testing.T, name types.NamespacedName) (bool, er + t.Logf("+kubeExistsHelmRepository(%s)", name) + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) + defer cancel() +- var repo sourcev1beta2.HelmRepository ++ var repo sourcev1.HelmRepository + if ifc, err := 
kubeGetCtrlClient(); err != nil { + return false, err + } else if err = ifc.Get(ctx, name, &repo); err == nil { +@@ -414,7 +414,7 @@ func kubeDeleteHelmRelease(t *testing.T, name types.NamespacedName) error { + t.Logf("+kubeDeleteHelmRelease(%s)", name) + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) + defer cancel() +- release := &helmv2beta2.HelmRelease{ ++ release := &helmv2.HelmRelease{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, +@@ -431,7 +431,7 @@ func kubeExistsHelmRelease(t *testing.T, name types.NamespacedName) (bool, error + t.Logf("+kubeExistsHelmRelease(%s)", name) + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) + defer cancel() +- var rel helmv2beta2.HelmRelease ++ var rel helmv2.HelmRelease + if ifc, err := kubeGetCtrlClient(); err != nil { + return false, err + } else if err = ifc.Get(ctx, name, &rel); err == nil { +@@ -826,7 +826,7 @@ func kubeCreateSecret(t *testing.T, secret *apiv1.Secret) error { + return err + } + +-func kubeSetKubeappsManagedSecretOwnerRef(t *testing.T, secretName types.NamespacedName, ownerRepo *sourcev1beta2.HelmRepository) error { ++func kubeSetKubeappsManagedSecretOwnerRef(t *testing.T, secretName types.NamespacedName, ownerRepo *sourcev1.HelmRepository) error { + t.Logf("+kubeSetKubeappsManagedSecretOwnerRef(%s, %s)", secretName, ownerRepo.Name) + typedClient, err := kubeGetTypedClient() + if err != nil { +@@ -852,9 +852,9 @@ func kubeSetKubeappsManagedSecretOwnerRef(t *testing.T, secretName types.Namespa + *metav1.NewControllerRef( + ownerRepo, + schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmRepositoryKind, + }), + } + +@@ -1029,11 +1029,11 @@ func kubeGetCtrlClient() (ctrlclient.WithWatch, error) { + 
return nil, err + } else { + scheme := runtime.NewScheme() +- err = sourcev1beta2.AddToScheme(scheme) ++ err = sourcev1.AddToScheme(scheme) + if err != nil { + return nil, err + } +- err = helmv2beta2.AddToScheme(scheme) ++ err = helmv2.AddToScheme(scheme) + if err != nil { + return nil, err + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go +index 67bfa5480..149f904c4 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go +@@ -47,7 +47,7 @@ import ( + + "github.com/fluxcd/pkg/oci/auth/login" + "github.com/fluxcd/pkg/version" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + + // OCI Registry As a Storage (ORAS) + orasregistryauthv2 "oras.land/oras-go/v2/registry/remote/auth" +@@ -386,7 +386,7 @@ func newRegistryClient(isLogin bool, tlsConfig *tls.Config, getterOpts []getter. 
+ // OCI Helm repository, which defines a source, does not produce an Artifact + // ref https://fluxcd.io/docs/components/source/helmrepositories/#helm-oci-repository + +-func (s *repoEventSink) onAddOciRepo(repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onAddOciRepo(repo sourcev1.HelmRepository) ([]byte, bool, error) { + log.V(4).Infof("+onAddOciRepo(%s)", common.PrettyPrint(repo)) + defer log.V(4).Info("-onAddOciRepo") + +@@ -444,7 +444,7 @@ func (s *repoEventSink) onAddOciRepo(repo sourcev1beta2.HelmRepository) ([]byte, + return buf.Bytes(), true, nil + } + +-func (s *repoEventSink) onModifyOciRepo(key string, oldValue interface{}, repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onModifyOciRepo(key string, oldValue interface{}, repo sourcev1.HelmRepository) ([]byte, bool, error) { + log.Infof("+onModifyOciRepo(%s)", common.PrettyPrint(repo)) + defer log.Info("-onModifyOciRepo") + +@@ -576,12 +576,12 @@ func (r *OCIChartRepository) shortRepoName(fullRepoName string) (string, error) + } + } + +-func (s *Server) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1beta2.HelmRepository) (*OCIChartRepository, error) { ++func (s *Server) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1.HelmRepository) (*OCIChartRepository, error) { + sink := s.newRepoEventSink() + return sink.newOCIChartRepositoryAndLogin(ctx, repo) + } + +-func (s *repoEventSink) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1beta2.HelmRepository) (*OCIChartRepository, error) { ++func (s *repoEventSink) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1.HelmRepository) (*OCIChartRepository, error) { + if loginOpts, getterOpts, cred, err := s.clientOptionsForOciRepo(ctx, repo); err != nil { + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Failed to create registry client: %w", err)) + } else { +@@ -649,7 +649,7 @@ func (s *repoEventSink) 
newOCIChartRepositoryAndLoginWithOptions(registryURL str + return ociRepo, nil + } + +-func (s *repoEventSink) clientOptionsForOciRepo(ctx context.Context, repo sourcev1beta2.HelmRepository) ([]registry.LoginOption, []getter.Option, *orasregistryauthv2.Credential, error) { ++func (s *repoEventSink) clientOptionsForOciRepo(ctx context.Context, repo sourcev1.HelmRepository) ([]registry.LoginOption, []getter.Option, *orasregistryauthv2.Credential, error) { + var loginOpts []registry.LoginOption + var cred *orasregistryauthv2.Credential + getterOpts := []getter.Option{ +@@ -680,7 +680,7 @@ func (s *repoEventSink) clientOptionsForOciRepo(ctx context.Context, repo source + } + } + +- if repo.Spec.Provider != "" && repo.Spec.Provider != sourcev1beta2.GenericOCIProvider { ++ if repo.Spec.Provider != "" && repo.Spec.Provider != "generic" { + ctxTimeout, cancel := context.WithTimeout(ctx, repo.Spec.Timeout.Duration) + defer cancel() + +@@ -734,7 +734,7 @@ func downloadChartWithHelmGetter(tlsConfig *tls.Config, getterOptions []getter.O + return buf, err + } + +-func getOciChartModels(appNames []string, allTags map[string]TagList, ociChartRepo *OCIChartRepository, repo *sourcev1beta2.HelmRepository) ([]models.Chart, error) { ++func getOciChartModels(appNames []string, allTags map[string]TagList, ociChartRepo *OCIChartRepository, repo *sourcev1.HelmRepository) ([]models.Chart, error) { + charts := []models.Chart{} + for _, fullAppName := range appNames { + appName, err := ociChartRepo.shortRepoName(fullAppName) +@@ -756,7 +756,7 @@ func getOciChartModels(appNames []string, allTags map[string]TagList, ociChartRe + return charts, nil + } + +-func getOciChartModel(appName string, tags TagList, ociChartRepo *OCIChartRepository, repo *sourcev1beta2.HelmRepository) (*models.Chart, error) { ++func getOciChartModel(appName string, tags TagList, ociChartRepo *OCIChartRepository, repo *sourcev1.HelmRepository) (*models.Chart, error) { + // Encode repository names to store them in the 
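Review bot: The replacement of `sourcev1beta2.GenericOCIProvider` with the bare literal `"generic"` in clientOptionsForOciRepo leaves a provider name that the code compares against in several places with no single definition; the same literal appears in repoDetail (`@@ -323` in repo.go) and the provider names in loginWithManager (`@@ -888` in oci_repo.go) are also bare strings. If sourcev1 exports provider constants, use those; otherwise declare them once in this package, e.g. `const genericOCIProvider = "generic"`, so a typo in one comparison cannot silently change the auth path. clientOptionsForOciRepo begins before and ends after this hunk.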
database. + encodedAppName := url.PathEscape(appName) + chartID := path.Join(repo.Name, encodedAppName) +@@ -870,8 +870,8 @@ func downloadOCIChartFn(ociRepo *OCIChartRepository) func(chartID, chartUrl, cha + } + + // oidcAuth generates the OIDC credential authenticator based on the specified cloud provider. +-func oidcAuth(ctx context.Context, repo sourcev1beta2.HelmRepository) (*orasregistryauthv2.Credential, error) { +- url := strings.TrimPrefix(repo.Spec.URL, sourcev1beta2.OCIRepositoryPrefix) ++func oidcAuth(ctx context.Context, repo sourcev1.HelmRepository) (*orasregistryauthv2.Credential, error) { ++ url := strings.TrimPrefix(repo.Spec.URL, "oci://") + ref, err := name.ParseReference(url) + if err != nil { + return nil, fmt.Errorf("failed to parse URL '%s': %w", repo.Spec.URL, err) +@@ -888,11 +888,11 @@ func oidcAuth(ctx context.Context, repo sourcev1beta2.HelmRepository) (*orasregi + func loginWithManager(ctx context.Context, provider, url string, ref name.Reference) (*orasregistryauthv2.Credential, error) { + opts := login.ProviderOptions{} + switch provider { +- case sourcev1beta2.AmazonOCIProvider: ++ case "amazon": + opts.AwsAutoLogin = true +- case sourcev1beta2.AzureOCIProvider: ++ case "azure": + opts.AzureAutoLogin = true +- case sourcev1beta2.GoogleOCIProvider: ++ case "gcp": + opts.GcpAutoLogin = true + } + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +index c489cb6ca..37593c166 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +@@ -12,9 +12,9 @@ import ( + "time" + + "github.com/bufbuild/connect-go" +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 
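Review bot: `case "amazon":` in loginWithManager does not match the value Flux uses for the AWS provider — the HelmRepository `.spec.provider` enum is `generic`, `aws`, `azure`, `gcp`, and the constant this replaces (`AmazonOCIProvider`) was, as far as I can tell, `"aws"`; confirm against the source-controller API before merging. As written, a repository configured with `provider: aws` falls through the switch with `opts.AwsAutoLogin` unset, so the ECR workload-identity login is silently skipped and the failure only surfaces later as an unauthenticated registry error. The fix is `case "aws":`, and ideally the three labels become named constants next to the `"generic"` one so the mapping is visible in one place. loginWithManager's body continues outside the hunk.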
"github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/connecterror" +@@ -40,7 +40,7 @@ var ( + ) + + // namespace maybe "", in which case releases from all namespaces are returned +-func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, namespace string) ([]helmv2beta2.HelmRelease, error) { ++func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, namespace string) ([]helmv2.HelmRelease, error) { + client, err := s.getClient(headers, namespace) + if err != nil { + return nil, err +@@ -53,7 +53,7 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, + // 2) there is a "consistent snapshot" problem, where the client doesn't want to + // see any results created/updated/deleted after the first request is issued + // To fix this, we must make use of resourceVersion := relList.GetResourceVersion() +- var relList helmv2beta2.HelmReleaseList ++ var relList helmv2.HelmReleaseList + if err = client.List(ctx, &relList); err != nil { + return nil, connecterror.FromK8sError("list", "HelmRelease", namespace+"/*", err) + } else { +@@ -61,13 +61,13 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, + } + } + +-func (s *Server) getReleaseInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*helmv2beta2.HelmRelease, error) { ++func (s *Server) getReleaseInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*helmv2.HelmRelease, error) { + client, err := s.getClient(headers, key.Namespace) + if err != nil { + return nil, err + } + +- var rel helmv2beta2.HelmRelease ++ var rel helmv2.HelmRelease + if err = client.Get(ctx, key, &rel); err != nil { + return nil, 
connecterror.FromK8sError("get", "HelmRelease", key.String(), err)
+ }
+@@ -106,7 +106,7 @@ func (s *Server) paginatedInstalledPkgSummaries(ctx context.Context, headers htt
+ return installedPkgSummaries, nil
+ }
+
+-func (s *Server) installedPkgSummaryFromRelease(ctx context.Context, headers http.Header, rel helmv2beta2.HelmRelease) (*corev1.InstalledPackageSummary, error) {
++func (s *Server) installedPkgSummaryFromRelease(ctx context.Context, headers http.Header, rel helmv2.HelmRelease) (*corev1.InstalledPackageSummary, error) {
+ name, err := common.NamespacedName(&rel)
+ if err != nil {
+ return nil, err
+@@ -236,11 +236,7 @@ func (s *Server) installedPackageDetail(ctx context.Context, headers http.Header
+
+ // this will only be present if install/upgrade succeeded
+ // TODO(agamez): flux upgrade - migrate to Status.History, see https://github.com/fluxcd/flux2/releases/tag/v2.2.0
+- pkgVersion := rel.Status.LastAppliedRevision
+- if pkgVersion == "" {
+- // this is the back-up option: will be there if the reconciliation is in progress or has failed
+- pkgVersion = rel.Status.LastAttemptedRevision
+- }
++ pkgVersion := rel.Status.LastAttemptedRevision
+
+ availablePackageRef, err := installedPackageAvailablePackageRef(rel)
+ if err != nil {
+@@ -288,7 +284,7 @@ func (s *Server) installedPackageDetail(ctx context.Context, headers http.Header
+ }, nil
+ }
+
+-func (s *Server) getReleaseViaHelmApi(headers http.Header, key types.NamespacedName, rel *helmv2beta2.HelmRelease) (*release.Release, error) {
++func (s *Server) getReleaseViaHelmApi(headers http.Header, key types.NamespacedName, rel *helmv2.HelmRelease) (*release.Release, error) {
+ // post installation notes can only be retrieved via helm APIs, flux doesn't do it
+ // see discussion in https://cloud-native.slack.com/archives/CLAJ40HV3/p1629244025187100
+ if s.actionConfigGetter == nil {
+@@ -458,7 +454,7 @@ func (s *Server) updateRelease(ctx context.Context, headers http.Header, package
+ // process and
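Review bot: The comment `// this will only be present if install/upgrade succeeded` in installedPackageDetail is now false: pkgVersion is taken unconditionally from `rel.Status.LastAttemptedRevision`, which is populated for in-progress and failed reconciliations as well, so the detail view can report a chart version that was never actually applied. Either replace the comment with one that states the new contract, e.g. `// LastAttemptedRevision is set even when the reconciliation is pending or failed; the version shown may not be the one currently deployed`, or resolve the TODO on the next line and read the deployed version from Status.History, which the TODO already identifies as the intended source. installedPackageDetail begins before and ends after this hunk.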
the current status no longer applies. metadata and spec I want + // to keep, as they may have had added labels and/or annotations and/or + // even other changes made by the user. +- rel.Status = helmv2beta2.HelmReleaseStatus{} ++ rel.Status = helmv2.HelmReleaseStatus{} + + client, err := s.getClient(headers, packageRef.Context.Namespace) + if err != nil { +@@ -489,7 +485,7 @@ func (s *Server) deleteRelease(ctx context.Context, headers http.Header, package + + log.V(4).Infof("Deleting release: [%s]", packageRef.Identifier) + +- rel := &helmv2beta2.HelmRelease{ ++ rel := &helmv2.HelmRelease{ + ObjectMeta: metav1.ObjectMeta{ + Name: packageRef.Identifier, + Namespace: packageRef.Context.Namespace, +@@ -507,19 +503,19 @@ func (s *Server) deleteRelease(ctx context.Context, headers http.Header, package + // 2. metadata.namespace, where this HelmRelease CRD will exist, same as (3) below + // per https://github.com/vmware-tanzu/kubeapps/pull/3640#issuecomment-949315105 + // 3. spec.targetNamespace, where flux will install any artifacts from the release +-func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.NamespacedName, versionExpr string, reconcile *corev1.ReconciliationOptions, values map[string]interface{}) (*helmv2beta2.HelmRelease, error) { +- fluxRelease := &helmv2beta2.HelmRelease{ ++func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.NamespacedName, versionExpr string, reconcile *corev1.ReconciliationOptions, values map[string]interface{}) (*helmv2.HelmRelease, error) { ++ fluxRelease := &helmv2.HelmRelease{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetName.Name, + Namespace: targetName.Namespace, + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: &helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: chart.Name, +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ ++ 
SourceRef: helmv2.CrossNamespaceObjectReference{ + Name: chart.Repo.Name, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Kind: sourcev1.HelmRepositoryKind, + Namespace: chart.Repo.Namespace, + }, + }, +@@ -581,7 +577,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp + // when install completes with success + // - "reason" field: failure only when flux returns "InstallFailed" reason + // otherwise pending or unspecified when there are no status conditions to go by +-func isHelmReleaseReady(rel helmv2beta2.HelmRelease) (ready bool, status corev1.InstalledPackageStatus_StatusReason, userReason string) { ++func isHelmReleaseReady(rel helmv2.HelmRelease) (ready bool, status corev1.InstalledPackageStatus_StatusReason, userReason string) { + if !checkReleaseGeneration(rel) { + // according to https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + // observedGeneration represents the .metadata.generation that the condition was set based upon. +@@ -601,9 +597,8 @@ func isHelmReleaseReady(rel helmv2beta2.HelmRelease) (ready bool, status corev1. + // "reason": "InstallFailed" + // i.e. not super useful + userReason = readyCond.Reason +- if userReason == helmv2beta2.InstallFailedReason || +- userReason == helmv2beta2.UpgradeFailedReason || +- userReason == helmv2beta2.GetLastReleaseFailedReason { ++ if userReason == helmv2.InstallFailedReason || ++ userReason == helmv2.UpgradeFailedReason { + isInstallFailed = true + } + } +@@ -627,7 +622,7 @@ func isHelmReleaseReady(rel helmv2beta2.HelmRelease) (ready bool, status corev1. 
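Review bot: Dropping `GetLastReleaseFailedReason` from the failure check in isHelmReleaseReady narrows which Ready=False reasons map to STATUS_REASON_FAILED, and nothing in the hunk explains why; if the v2 API no longer exports that reason this is fine, but v2 may expose other terminal failure reasons that now fall into the pending branch, so please confirm the set against the helmv2 reason constants. A one-line comment above the condition, such as `// only install/upgrade failures are surfaced as FAILED; other Ready=False reasons are reported as PENDING`, would record the decision. isHelmReleaseReady begins before and ends after this hunk.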
+ return false, corev1.InstalledPackageStatus_STATUS_REASON_PENDING, userReason + } + +-func installedPackageStatus(rel helmv2beta2.HelmRelease) *corev1.InstalledPackageStatus { ++func installedPackageStatus(rel helmv2.HelmRelease) *corev1.InstalledPackageStatus { + ready, reason, userReason := isHelmReleaseReady(rel) + return &corev1.InstalledPackageStatus{ + Ready: ready, +@@ -636,7 +631,7 @@ func installedPackageStatus(rel helmv2beta2.HelmRelease) *corev1.InstalledPackag + } + } + +-func installedPackageReconciliationOptions(rel *helmv2beta2.HelmRelease) *corev1.ReconciliationOptions { ++func installedPackageReconciliationOptions(rel *helmv2.HelmRelease) *corev1.ReconciliationOptions { + reconciliationOptions := &corev1.ReconciliationOptions{} + reconciliationOptions.Interval = pkgutils.FromDuration(&rel.Spec.Interval) + reconciliationOptions.Suspend = rel.Spec.Suspend +@@ -644,7 +639,7 @@ func installedPackageReconciliationOptions(rel *helmv2beta2.HelmRelease) *corev1 + return reconciliationOptions + } + +-func installedPackageAvailablePackageRef(rel *helmv2beta2.HelmRelease) (*corev1.AvailablePackageReference, error) { ++func installedPackageAvailablePackageRef(rel *helmv2.HelmRelease) (*corev1.AvailablePackageReference, error) { + repoName := rel.Spec.Chart.Spec.SourceRef.Name + if repoName == "" { + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Missing required field spec.chart.spec.sourceRef.name")) +@@ -670,7 +665,7 @@ func installedPackageAvailablePackageRef(rel *helmv2beta2.HelmRelease) (*corev1. + } + + // ref https://fluxcd.io/docs/components/helm/helmreleases/ +-func helmReleaseName(key types.NamespacedName, rel *helmv2beta2.HelmRelease) types.NamespacedName { ++func helmReleaseName(key types.NamespacedName, rel *helmv2.HelmRelease) types.NamespacedName { + helmReleaseName := rel.Spec.ReleaseName + // according to docs ReleaseName is optional and defaults to a composition of + // '[TargetNamespace-]Name'. 
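Review bot: `repoName := rel.Spec.Chart.Spec.SourceRef.Name` in installedPackageAvailablePackageRef dereferences `rel.Spec.Chart` with no nil check, and this commit itself now builds the field as a pointer (`Chart: &helmv2.HelmChartTemplate{` in newFluxHelmRelease), so a HelmRelease whose `.spec.chart` is unset — which the v2 API appears to permit when a chart reference is used instead — would panic the API server rather than return an error. Since any HelmRelease in a namespace the server lists reaches this code, a nil guard belongs before the dereference: `if rel.Spec.Chart == nil { return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Missing required field spec.chart")) }`. installedPackageAvailablePackageRef ends outside the hunk.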
+@@ -691,7 +686,7 @@ func helmReleaseName(key types.NamespacedName, rel *helmv2beta2.HelmRelease) typ + return types.NamespacedName{Name: helmReleaseName, Namespace: helmReleaseNamespace} + } + +-func checkReleaseGeneration(rel helmv2beta2.HelmRelease) bool { ++func checkReleaseGeneration(rel helmv2.HelmRelease) bool { + generation := rel.GetGeneration() + observedGeneration := rel.Status.ObservedGeneration + return generation > 0 && generation == observedGeneration +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go +index ba46e9633..dd5507e60 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go +@@ -12,8 +12,8 @@ import ( + "testing" + "time" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" +@@ -949,7 +949,7 @@ func TestKindClusterRBAC_ReadRelease(t *testing.T) { + rules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get", "list"}, + }, +@@ -1044,14 +1044,14 @@ func TestKindClusterRBAC_ReadRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns1: { + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{"helmcharts"}, + Verbs: []string{"get", "list"}, + }, + }, + ns2: { + { +- APIGroups: 
[]string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get", "list"}, + }, +@@ -1188,7 +1188,7 @@ func TestKindClusterRBAC_CreateRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"create"}, + }, +@@ -1218,14 +1218,14 @@ func TestKindClusterRBAC_CreateRelease(t *testing.T) { + nsToRules = map[string][]rbacv1.PolicyRule{ + ns1: { + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{"helmcharts"}, + Verbs: []string{"get"}, + }, + }, + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"create"}, + }, +@@ -1335,7 +1335,7 @@ func TestKindClusterRBAC_UpdateRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get"}, + }, +@@ -1368,7 +1368,7 @@ func TestKindClusterRBAC_UpdateRelease(t *testing.T) { + nsToRules = map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get", "update"}, + }, +@@ -1476,7 +1476,7 @@ func TestKindClusterRBAC_DeleteRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"delete"}, + }, +diff --git 
a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go
+index 824afc678..8827ccdbe 100644
+--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go
++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go
+@@ -12,10 +12,10 @@ import (
+ "time"
+
+ "github.com/bufbuild/connect-go"
+- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2"
++ helmv2 "github.com/fluxcd/helm-controller/api/v2"
+ fluxmeta "github.com/fluxcd/pkg/apis/meta"
+ sourcev1 "github.com/fluxcd/source-controller/api/v1"
+- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2"
++ sourcev1 "github.com/fluxcd/source-controller/api/v1"
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+ corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1"
+@@ -43,7 +43,7 @@ type testSpecGetInstalledPackages struct {
+ releaseValues *v1.JSON
+ releaseSuspend bool
+ releaseServiceAccountName string
+- releaseStatus helmv2beta2.HelmReleaseStatus
++ releaseStatus helmv2.HelmReleaseStatus
+ // only used to test edge cases now, most tests should not set this
+ targetNamespace string
+ }
+@@ -511,7 +511,7 @@ func TestCreateInstalledPackage(t *testing.T) {
+ existingObjs testSpecCreateInstalledPackage
+ expectedStatusCode codes.Code
+ expectedResponse *corev1.CreateInstalledPackageResponse
+- expectedRelease *helmv2beta2.HelmRelease
++ expectedRelease *helmv2.HelmRelease
+ defaultUpgradePolicyStr string
+ }{
+ {
+@@ -637,7 +637,7 @@ func TestCreateInstalledPackage(t *testing.T) {
+ }
+ defer ts.Close()
+
+- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo})
++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{*repo})
+ if err != nil {
+ t.Fatal(err)
+ }
+@@ -686,12 +686,12 @@ func TestCreateInstalledPackage(t *testing.T) {
+ t.Fatal(err)
+ } else {
+ key := types.NamespacedName{Namespace:
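Review bot: The import block of release_test.go ends up with `sourcev1 "github.com/fluxcd/source-controller/api/v1"` twice — it is already present as a context line two lines above the removed `sourcev1beta2` import, and the added line repeats it — which Go rejects as a redeclared import, so the test package will not compile. The added line should simply be dropped, leaving the hunk as a one-for-zero replacement of the v1beta2 import.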
tc.request.TargetContext.Namespace, Name: tc.request.Name} +- var actualRel helmv2beta2.HelmRelease ++ var actualRel helmv2.HelmRelease + if err = ctrlClient.Get(context.Background(), key, &actualRel); err != nil { + t.Fatal(err) + } else { + // Values are JSON string and need to be compared as such +- opts = cmpopts.IgnoreFields(helmv2beta2.HelmReleaseSpec{}, "Values") ++ opts = cmpopts.IgnoreFields(helmv2.HelmReleaseSpec{}, "Values") + + // Manually setting TypeMeta, as the fakeclient doesn't do it anymore: + // https://github.com/kubernetes-sigs/controller-runtime/pull/2633 +@@ -714,7 +714,7 @@ func TestUpdateInstalledPackage(t *testing.T) { + existingK8sObjs *testSpecGetInstalledPackages + expectedErrorCode connect.Code + expectedResponse *corev1.UpdateInstalledPackageResponse +- expectedRelease *helmv2beta2.HelmRelease ++ expectedRelease *helmv2.HelmRelease + defaultUpgradePolicyStr string + }{ + { +@@ -894,7 +894,7 @@ func TestUpdateInstalledPackage(t *testing.T) { + Name: tc.expectedResponse.InstalledPackageRef.Identifier, + } + ctx := context.Background() +- var actualRel helmv2beta2.HelmRelease ++ var actualRel helmv2.HelmRelease + if ctrlClient, err := s.clientGetter.ControllerRuntime(http.Header{}, s.kubeappsCluster); err != nil { + t.Fatal(err) + } else if err = ctrlClient.Get(ctx, key, &actualRel); err != nil { +@@ -902,7 +902,7 @@ func TestUpdateInstalledPackage(t *testing.T) { + } + + // Values are JSON string and need to be compared as such +- opts = cmpopts.IgnoreFields(helmv2beta2.HelmReleaseSpec{}, "Values") ++ opts = cmpopts.IgnoreFields(helmv2.HelmReleaseSpec{}, "Values") + + // Manually setting TypeMeta, as the fakeclient doesn't do it anymore: + // https://github.com/kubernetes-sigs/controller-runtime/pull/2633 +@@ -985,7 +985,7 @@ func TestDeleteInstalledPackage(t *testing.T) { + Name: tc.request.InstalledPackageRef.Identifier, + } + ctx := context.Background() +- var actualRel helmv2beta2.HelmRelease ++ var actualRel helmv2.HelmRelease + if 
ctrlClient, err := s.clientGetter.ControllerRuntime(http.Header{}, s.kubeappsCluster); err != nil { + t.Fatal(err) + } else if err = ctrlClient.Get(ctx, key, &actualRel); !errors.IsNotFound(err) { +@@ -1129,15 +1129,15 @@ func TestGetInstalledPackageResourceRefs(t *testing.T) { + } + } + +-func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPackages) (charts []sourcev1beta2.HelmChart, releases []helmv2beta2.HelmRelease, cleanup func()) { ++func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPackages) (charts []sourcev1.HelmChart, releases []helmv2.HelmRelease, cleanup func()) { + httpServers := []*httptest.Server{} + cleanup = func() { + for _, ts := range httpServers { + ts.Close() + } + } +- charts = []sourcev1beta2.HelmChart{} +- releases = []helmv2beta2.HelmRelease{} ++ charts = []sourcev1.HelmChart{} ++ releases = []helmv2.HelmRelease{} + + for _, existing := range existingK8sObjs { + tarGzBytes, err := os.ReadFile(existing.chartTarGz) +@@ -1155,24 +1155,24 @@ func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPa + })) + httpServers = append(httpServers, ts) + +- chartSpec := &sourcev1beta2.HelmChartSpec{ ++ chartSpec := &sourcev1.HelmChartSpec{ + Chart: existing.chartName, +- SourceRef: sourcev1beta2.LocalHelmChartSourceReference{ ++ SourceRef: sourcev1.LocalHelmChartSourceReference{ + Name: existing.repoName, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Kind: sourcev1.HelmRepositoryKind, + }, + Version: existing.chartSpecVersion, + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } + +- chartStatus := &sourcev1beta2.HelmChartStatus{ ++ chartStatus := &sourcev1.HelmChartStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Message: "Fetched revision: " + existing.chartSpecVersion, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionTrue, +- Reason: sourcev1beta2.ChartPullSucceededReason, ++ Reason: 
sourcev1.ChartPullSucceededReason, + }, + }, + Artifact: &sourcev1.Artifact{ +@@ -1183,14 +1183,14 @@ func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPa + chart := newChart(existing.chartName, existing.repoNamespace, chartSpec, chartStatus) + charts = append(charts, chart) + +- releaseSpec := &helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ releaseSpec := &helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: existing.chartName, + Version: existing.chartSpecVersion, +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ ++ SourceRef: helmv2.CrossNamespaceObjectReference{ + Name: existing.repoName, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Kind: sourcev1.HelmRepositoryKind, + Namespace: existing.repoNamespace, + }, + }, +@@ -1217,8 +1217,8 @@ func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPa + return charts, releases, cleanup + } + +-func newRelease(meta metav1.ObjectMeta, spec *helmv2beta2.HelmReleaseSpec, status *helmv2beta2.HelmReleaseStatus) helmv2beta2.HelmRelease { +- helmRelease := helmv2beta2.HelmRelease{ ++func newRelease(meta metav1.ObjectMeta, spec *helmv2.HelmReleaseSpec, status *helmv2.HelmReleaseStatus) helmv2.HelmRelease { ++ helmRelease := helmv2.HelmRelease{ + ObjectMeta: meta, + } + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go +index 790b21514..5154ed7f7 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go +@@ -18,7 +18,7 @@ import ( + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/k8sutils" + + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 
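Review bot: `Chart: helmv2.HelmChartTemplate{` in newChartsAndReleases still initialises the field as a value, while newFluxHelmRelease in release.go, changed by the same commit, assigns `Chart: &helmv2.HelmChartTemplate{`; both cannot type-check against the same `HelmReleaseSpec.Chart` field, so one of the two files will fail to build. Given the production code was the one deliberately changed, the test most likely needs `Chart: &helmv2.HelmChartTemplate{` here as well. newChartsAndReleases begins before and ends after this hunk.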
"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache" +@@ -52,7 +52,7 @@ var ( + // returns a list of HelmRepositories from specified namespace. + // ns can be "", in which case all namespaces (cluster-wide), excluding + // the ones that the caller has no read access to +-func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, ns string) ([]sourcev1beta2.HelmRepository, error) { ++func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, ns string) ([]sourcev1.HelmRepository, error) { + // the actual List(...) call will be executed in the context of + // kubeapps-internal-kubeappsapis service account + // ref https://github.com/vmware-tanzu/kubeapps/issues/4390 for explanation +@@ -62,7 +62,7 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, + return nil, err + } + +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + listOptions := ctrlclient.ListOptions{ + Namespace: ns, + } +@@ -83,7 +83,7 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, + return nil, err + } + } +- items := []sourcev1beta2.HelmRepository{} ++ items := []sourcev1.HelmRepository{} + for _, item := range repoList.Items { + if allowedNamespaces.Has(item.GetNamespace()) { + items = append(items, item) +@@ -93,7 +93,7 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, + } + } + +-func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1beta2.HelmRepository, error) { ++func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1.HelmRepository, error) { + // unlike List(), there is no need to execute Get() 
in the context of + // kubeapps-internal-kubeappsapis service account and then filter out results based on + // whether or not the caller hasAccessToNamespace(). We can just pass the caller +@@ -103,7 +103,7 @@ func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key + if err != nil { + return nil, err + } +- var repo sourcev1beta2.HelmRepository ++ var repo sourcev1.HelmRepository + if err = client.Get(ctx, key, &repo); err != nil { + return nil, connecterror.FromK8sError("get", "HelmRepository", key.String(), err) + } +@@ -111,7 +111,7 @@ func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key + } + + // regexp expressions are used for matching actual names against expected patters +-func (s *Server) filterReadyReposByName(repoList []sourcev1beta2.HelmRepository, match []string) (sets.Set[string], error) { ++func (s *Server) filterReadyReposByName(repoList []sourcev1.HelmRepository, match []string) (sets.Set[string], error) { + if s.repoCache == nil { + return nil, connect.NewError(connect.CodeFailedPrecondition, fmt.Errorf("Server cache has not been properly initialized")) + } +@@ -232,7 +232,7 @@ func (s *Server) newRepo(ctx context.Context, request *connect.Request[corev1.Ad + } + + typ := request.Msg.GetType() +- if typ != "helm" && typ != sourcev1beta2.HelmRepositoryTypeOCI { ++ if typ != "helm" && typ != sourcev1.HelmRepositoryTypeOCI { + return nil, connect.NewError(connect.CodeUnimplemented, fmt.Errorf("Repository type [%s] not supported", typ)) + } + +@@ -323,7 +323,7 @@ func (s *Server) repoDetail(ctx context.Context, headers http.Header, repoRef *c + // will have a FluxPackageRepositoryCustomDetail in it. Flux spec already clearly states + // If you do not specify .spec.provider, it defaults to generic. 
+ // https://fluxcd.io/flux/components/source/helmrepositories/#provider +- if repo.Spec.Provider != "" && repo.Spec.Provider != sourcev1beta2.GenericOCIProvider { ++ if repo.Spec.Provider != "" && repo.Spec.Provider != "generic" { + if customDetail, err = anypb.New(&v1alpha1.FluxPackageRepositoryCustomDetail{ + Provider: repo.Spec.Provider, + }); err != nil { +@@ -357,7 +357,7 @@ func (s *Server) repoDetail(ctx context.Context, headers http.Header, repoRef *c + + func (s *Server) repoSummaries(ctx context.Context, headers http.Header, ns string) ([]*corev1.PackageRepositorySummary, error) { + summaries := []*corev1.PackageRepositorySummary{} +- var repos []sourcev1beta2.HelmRepository ++ var repos []sourcev1.HelmRepository + var err error + if ns == apiv1.NamespaceAll { + if repos, err = s.listReposInNamespace(ctx, headers, ns); err != nil { +@@ -368,7 +368,7 @@ func (s *Server) repoSummaries(ctx context.Context, headers http.Header, ns stri + // namely, if a specific namespace is passed in, we need to list repos in that namespace + // and if the caller happens not to have 'read' access to that namespace, a PermissionDenied + // error should be raised, as opposed to returning an empty list with no error +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + var client ctrlclient.Client + if client, err = s.getClient(headers, ns); err != nil { + return nil, err +@@ -491,7 +491,7 @@ func (s *Server) updateRepo(ctx context.Context, repoRef *corev1.PackageReposito + // process and the current status no longer applies. metadata and spec I want + // to keep, as they may have had added labels and/or annotations and/or + // even other changes made by the user. 
+- repo.Status = sourcev1beta2.HelmRepositoryStatus{} ++ repo.Status = sourcev1.HelmRepositoryStatus{} + + if client, err := s.getClient(request.Header(), key.Namespace); err != nil { + return nil, err +@@ -529,7 +529,7 @@ func (s *Server) deleteRepo(ctx context.Context, headers http.Header, repoRef *c + // For kubeapps-managed secrets environment secrets will be deleted (garbage-collected) + // when the owner repo is deleted + +- repo := &sourcev1beta2.HelmRepository{ ++ repo := &sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: repoRef.Identifier, + Namespace: repoRef.Context.Namespace, +@@ -562,10 +562,10 @@ func (s *repoEventSink) onAddRepo(key string, obj ctrlclient.Object) (interface{ + log.V(4).Infof("+onAddRepo(%s)", key) + defer log.V(4).Info("-onAddRepo()") + +- if repo, ok := obj.(*sourcev1beta2.HelmRepository); !ok { +- return nil, false, fmt.Errorf("expected an instance of *sourcev1beta2.HelmRepository, got: %T", obj) ++ if repo, ok := obj.(*sourcev1.HelmRepository); !ok { ++ return nil, false, fmt.Errorf("expected an instance of *sourcev1.HelmRepository, got: %T", obj) + } else if isRepoReady(*repo) { +- if repo.Spec.Type == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI { + return s.onAddOciRepo(*repo) + } else { + return s.onAddHttpRepo(*repo) +@@ -579,7 +579,7 @@ func (s *repoEventSink) onAddRepo(key string, obj ctrlclient.Object) (interface{ + } + + // ref https://fluxcd.io/docs/components/source/helmrepositories/#status +-func (s *repoEventSink) onAddHttpRepo(repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onAddHttpRepo(repo sourcev1.HelmRepository) ([]byte, bool, error) { + if artifact := repo.GetArtifact(); artifact != nil { + if checksum := artifact.Digest; checksum == "" { + return nil, false, connect.NewError(connect.CodeInternal, +@@ -595,7 +595,7 @@ func (s *repoEventSink) onAddHttpRepo(repo sourcev1beta2.HelmRepository) ([]byte + } + } + 
+-func (s *repoEventSink) indexAndEncode(checksum string, repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) indexAndEncode(checksum string, repo sourcev1.HelmRepository) ([]byte, bool, error) { + charts, err := s.indexOneRepo(repo) + if err != nil { + return nil, false, err +@@ -637,7 +637,7 @@ func (s *repoEventSink) indexAndEncode(checksum string, repo sourcev1beta2.HelmR + + // it is assumed the caller has already checked that this repo is ready + // At present, there is only one caller of indexOneRepo() and this check is already done by it +-func (s *repoEventSink) indexOneRepo(repo sourcev1beta2.HelmRepository) ([]models.Chart, error) { ++func (s *repoEventSink) indexOneRepo(repo sourcev1.HelmRepository) ([]models.Chart, error) { + startTime := time.Now() + + // ref https://fluxcd.io/docs/components/source/helmrepositories/#status +@@ -698,12 +698,12 @@ func (s *repoEventSink) indexOneRepo(repo sourcev1beta2.HelmRepository) ([]model + + // onModifyRepo essentially tells the cache whether or not to and what to store for a given key + func (s *repoEventSink) onModifyRepo(key string, obj ctrlclient.Object, oldValue interface{}) (interface{}, bool, error) { +- if repo, ok := obj.(*sourcev1beta2.HelmRepository); !ok { +- return nil, false, fmt.Errorf("expected an instance of *sourcev1beta2.HelmRepository, got: %T", obj) ++ if repo, ok := obj.(*sourcev1.HelmRepository); !ok { ++ return nil, false, fmt.Errorf("expected an instance of *sourcev1.HelmRepository, got: %T", obj) + } else if isRepoReady(*repo) { + // first check the repo is ready + +- if repo.Spec.Type == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI { + return s.onModifyOciRepo(key, oldValue, *repo) + } else { + return s.onModifyHttpRepo(key, oldValue, *repo) +@@ -716,7 +716,7 @@ func (s *repoEventSink) onModifyRepo(key string, obj ctrlclient.Object, oldValue + } + } + +-func (s *repoEventSink) onModifyHttpRepo(key string, 
oldValue interface{}, repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onModifyHttpRepo(key string, oldValue interface{}, repo sourcev1.HelmRepository) ([]byte, bool, error) { + // We should to compare checksums on what's stored in the cache + // vs the modified object to see if the contents has really changed before embarking on + // expensive operation indexOneRepo() below. +@@ -796,7 +796,7 @@ func (s *repoEventSink) fromKey(key string) (*types.NamespacedName, error) { + return &types.NamespacedName{Namespace: parts[1], Name: parts[2]}, nil + } + +-func (s *repoEventSink) getRepoSecret(ctx context.Context, repo sourcev1beta2.HelmRepository) (*apiv1.Secret, error) { ++func (s *repoEventSink) getRepoSecret(ctx context.Context, repo sourcev1.HelmRepository) (*apiv1.Secret, error) { + if repo.Spec.SecretRef == nil { + return nil, nil + } +@@ -825,7 +825,7 @@ func (s *repoEventSink) getRepoSecret(ctx context.Context, repo sourcev1beta2.He + + // The reason I do this here is to set up auth that may be needed to fetch chart tarballs by + // ChartCache +-func (s *repoEventSink) clientOptionsForHttpRepo(ctx context.Context, repo sourcev1beta2.HelmRepository) (*common.HttpClientOptions, error) { ++func (s *repoEventSink) clientOptionsForHttpRepo(ctx context.Context, repo sourcev1.HelmRepository) (*common.HttpClientOptions, error) { + if secret, err := s.getRepoSecret(ctx, repo); err == nil && secret != nil { + return common.HttpClientOptionsFromSecret(*secret) + } else { +@@ -837,7 +837,7 @@ func (s *repoEventSink) clientOptionsForHttpRepo(ctx context.Context, repo sourc + // repo-related utilities + // + +-func isRepoReady(repo sourcev1beta2.HelmRepository) bool { ++func isRepoReady(repo sourcev1.HelmRepository) bool { + // see docs at https://fluxcd.io/docs/components/source/helmrepositories/ + // Confirm the state we are observing is for the current generation + if !checkRepoGeneration(repo) { +@@ -854,7 +854,7 @@ func 
isRepoReady(repo sourcev1beta2.HelmRepository) bool { + // - reason: if present + // docs: + // 1. https://fluxcd.io/docs/components/source/helmrepositories/#status-examples +-func isHelmRepositoryReady(repo sourcev1beta2.HelmRepository) (complete bool, success bool, reason string) { ++func isHelmRepositoryReady(repo sourcev1.HelmRepository) (complete bool, success bool, reason string) { + // flux source-controller v1beta2 API made a change so that we can no longer + // rely on a simple "metadata.generation" vs "status.observedGeneration" check for a + // quick answer. The resource may now exist with "observedGeneration": -1 either in +@@ -882,7 +882,7 @@ func isHelmRepositoryReady(repo sourcev1beta2.HelmRepository) (complete bool, su + return false, false, reason + } + +-func repoStatus(repo sourcev1beta2.HelmRepository) *corev1.PackageRepositoryStatus { ++func repoStatus(repo sourcev1.HelmRepository) *corev1.PackageRepositoryStatus { + complete, success, reason := isHelmRepositoryReady(repo) + s := &corev1.PackageRepositoryStatus{ + Ready: complete && success, +@@ -899,7 +899,7 @@ func repoStatus(repo sourcev1beta2.HelmRepository) *corev1.PackageRepositoryStat + return s + } + +-func checkRepoGeneration(repo sourcev1beta2.HelmRepository) bool { ++func checkRepoGeneration(repo sourcev1.HelmRepository) bool { + generation := repo.GetGeneration() + observedGeneration := repo.Status.ObservedGeneration + return generation > 0 && generation == observedGeneration +@@ -914,7 +914,7 @@ func newFluxHelmRepo( + interval string, + secret *apiv1.Secret, + passCredentials bool, +- provider string) (*sourcev1beta2.HelmRepository, error) { ++ provider string) (*sourcev1.HelmRepository, error) { + pollInterval := defaultPollInterval + if interval != "" { + if duration, err := pkgutils.ToDuration(interval); err != nil { +@@ -923,18 +923,18 @@ func newFluxHelmRepo( + pollInterval = *duration + } + } +- fluxRepo := &sourcev1beta2.HelmRepository{ ++ fluxRepo := 
&sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetName.Name, + Namespace: targetName.Namespace, + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: url, + Interval: pollInterval, + }, + } +- if typ == sourcev1beta2.HelmRepositoryTypeOCI { +- fluxRepo.Spec.Type = sourcev1beta2.HelmRepositoryTypeOCI ++ if typ == sourcev1.HelmRepositoryTypeOCI { ++ fluxRepo.Spec.Type = sourcev1.HelmRepositoryTypeOCI + } + if desc != "" { + k8sutils.SetDescription(&fluxRepo.ObjectMeta, desc) +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go +index 517a503ec..f811e0297 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go +@@ -10,7 +10,7 @@ import ( + "net/http" + + "github.com/bufbuild/connect-go" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/connecterror" + "github.com/vmware-tanzu/kubeapps/pkg/kube" +@@ -79,7 +79,7 @@ func (s *Server) handleRepoSecretForCreate( + func (s *Server) handleRepoSecretForUpdate( + ctx context.Context, + headers http.Header, +- repo *sourcev1beta2.HelmRepository, ++ repo *sourcev1.HelmRepository, + newTlsConfig *corev1.PackageRepositoryTlsConfig, + newAuth *corev1.PackageRepositoryAuth) (updatedSecret *apiv1.Secret, isKubeappsManagedSecret bool, isSecretUpdated bool, err error) { + +@@ -208,7 +208,7 @@ func (s *Server) validateUserManagedRepoSecret( + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Specified secret [%s] missing fields 'username' and/or 'password'", secretRef)) + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_TLS: +- if repoType 
== sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType == sourcev1.HelmRepositoryTypeOCI { + // ref https://fluxcd.io/flux/components/source/helmrepositories/#tls-authentication + // Note: TLS authentication is not yet supported by OCI Helm repositories. + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Package repository authentication type %q is not supported for OCI repositories", auth.Type)) +@@ -218,7 +218,7 @@ func (s *Server) validateUserManagedRepoSecret( + } + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_DOCKER_CONFIG_JSON: +- if repoType == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType == sourcev1.HelmRepositoryTypeOCI { + if secret.Data[apiv1.DockerConfigJsonKey] == nil { + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Specified secret [%s] missing field '%s'", secretRef, apiv1.DockerConfigJsonKey)) + } +@@ -251,7 +251,7 @@ func (s *Server) setOwnerReferencesForRepoSecret( + ctx context.Context, + headers http.Header, + secret *apiv1.Secret, +- repo *sourcev1beta2.HelmRepository) error { ++ repo *sourcev1.HelmRepository) error { + + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 + if repo.Spec.SecretRef != nil && secret != nil { +@@ -263,9 +263,9 @@ func (s *Server) setOwnerReferencesForRepoSecret( + *metav1.NewControllerRef( + repo, + schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmRepositoryKind, + }), + } + if _, err := secretsInterface.Update(ctx, secret, metav1.UpdateOptions{}); err != nil { +@@ -276,7 +276,7 @@ func (s *Server) setOwnerReferencesForRepoSecret( + return nil + } + +-func (s *Server) getRepoTlsConfigAndAuth(ctx context.Context, headers http.Header, repo sourcev1beta2.HelmRepository) 
(*corev1.PackageRepositoryTlsConfig, *corev1.PackageRepositoryAuth, error) { ++func (s *Server) getRepoTlsConfigAndAuth(ctx context.Context, headers http.Header, repo sourcev1.HelmRepository) (*corev1.PackageRepositoryTlsConfig, *corev1.PackageRepositoryAuth, error) { + var tlsConfig *corev1.PackageRepositoryTlsConfig + var auth *corev1.PackageRepositoryAuth + +@@ -385,7 +385,7 @@ func newSecretFromTlsConfigAndAuth(repoName types.NamespacedName, + } + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_TLS: +- if repoType == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType == sourcev1.HelmRepositoryTypeOCI { + // ref https://fluxcd.io/flux/components/source/helmrepositories/#tls-authentication + // Note: TLS authentication is not yet supported by OCI Helm repositories. + return nil, false, connect.NewError(connect.CodeInternal, fmt.Errorf("Package repository authentication type %q is not supported for OCI repositories", auth.Type)) +@@ -413,7 +413,7 @@ func newSecretFromTlsConfigAndAuth(repoName types.NamespacedName, + } + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_DOCKER_CONFIG_JSON: +- if repoType != sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType != sourcev1.HelmRepositoryTypeOCI { + return nil, false, connect.NewError(connect.CodeInternal, fmt.Errorf("Unsupported package repository authentication type: %q", auth.Type)) + } + +@@ -569,7 +569,7 @@ func getRepoTlsConfigAndAuthWithKubeappsManagedSecrets(secret *apiv1.Secret) (*c + return tlsConfig, auth, nil + } + +-func isSecretKubeappsManaged(secret *apiv1.Secret, repo *sourcev1beta2.HelmRepository) bool { ++func isSecretKubeappsManaged(secret *apiv1.Secret, repo *sourcev1.HelmRepository) bool { + if !metav1.IsControlledBy(secret, repo) { + return false + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go +index e90758d47..23d9e3e68 100644 +--- 
a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go
++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go
+@@ -19,7 +19,7 @@ import (
+ "github.com/bufbuild/connect-go"
+ fluxmeta "github.com/fluxcd/pkg/apis/meta"
+ sourcev1 "github.com/fluxcd/source-controller/api/v1"
+- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2"
++ sourcev1 "github.com/fluxcd/source-controller/api/v1"
+ "github.com/go-redis/redismock/v8"
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+@@ -414,7 +414,7 @@ func TestGetAvailablePackageSummariesWithoutPagination(t *testing.T) {
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+- repos := []sourcev1beta2.HelmRepository{}
++ repos := []sourcev1.HelmRepository{}
+
+ for _, rs := range tc.repos {
+ ts2, repo, err := newHttpRepoAndServeIndex(rs.index, rs.name, rs.namespace, nil, "")
+@@ -479,7 +479,7 @@ func TestGetAvailablePackageSummariesWithPagination(t *testing.T) {
+ index: testYaml("index-with-categories.yaml"),
+ },
+ }
+- repos := []sourcev1beta2.HelmRepository{}
++ repos := []sourcev1.HelmRepository{}
+ for _, rs := range existingRepos {
+ ts2, repo, err := newHttpRepoAndServeIndex(rs.index, rs.name, rs.namespace, nil, "")
+ if err != nil {
+@@ -616,12 +616,12 @@ func TestGetAvailablePackageSummaryAfterRepoIndexUpdate(t *testing.T) {
+ }))
+ defer ts.Close()
+
+- repoSpec := &sourcev1beta2.HelmRepositorySpec{
++ repoSpec := &sourcev1.HelmRepositorySpec{
+ URL: "https://example.repo.com/charts",
+ Interval: metav1.Duration{Duration: 1 * time.Minute},
+ }
+
+- repoStatus := &sourcev1beta2.HelmRepositoryStatus{
++ repoStatus := &sourcev1.HelmRepositoryStatus{
+ Artifact: &sourcev1.Artifact{
+ Digest: "651f952130ea96823711d08345b85e82be011dc6",
+ LastUpdateTime: metav1.Time{Time: lastUpdateTime},
+@@ -640,7 +640,7 @@ func TestGetAvailablePackageSummaryAfterRepoIndexUpdate(t *testing.T) {
+ repoName := types.NamespacedName{Namespace: "ns2", Name: 
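Review bot: The import hunk of repo_test.go (`@@ -19,7 +19,7 @@`) ends up importing `sourcev1 "github.com/fluxcd/source-controller/api/v1"` twice: the context line two lines above the change already has that exact alias and path (the file already uses `sourcev1.Artifact` in a later context line), and the line added in place of the removed `sourcev1beta2` import repeats it, which the Go compiler rejects as a redeclared import, so this test file will not build. The `sourcev1beta2` line should simply be deleted rather than rewritten; drop the added line `+ sourcev1 "github.com/fluxcd/source-controller/api/v1"` so the hunk is a pure one-line removal (header `@@ -19,7 +19,6 @@`). The other hunks in this file only rename type references from `sourcev1beta2` to `sourcev1` and are consistent with that. This is a nested patch; the enclosing outer hunk starts and ends outside this view.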
"testrepo"} + repo := newRepo(repoName.Name, repoName.Namespace, repoSpec, repoStatus) + +- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{repo}) ++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{repo}) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -752,7 +752,7 @@ func TestGetAvailablePackageSummaryAfterFluxHelmRepoDelete(t *testing.T) { + } + defer ts.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -847,7 +847,7 @@ func TestGetAvailablePackageSummaryAfterCacheResync(t *testing.T) { + } + defer ts2.Close() + +- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}) ++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{*repo}) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -932,7 +932,7 @@ func TestGetAvailablePackageSummariesAfterCacheResyncQueueNotIdle(t *testing.T) + } + + // first, I'd like to fill up the work queue with a whole bunch of work items +- repos := []*sourcev1beta2.HelmRepository{} ++ repos := []*sourcev1.HelmRepository{} + mapReposCached := make(map[string][]byte) + keysInOrder := []string{} + +@@ -1181,7 +1181,7 @@ func TestAddPackageRepository(t *testing.T) { + name string + request *corev1.AddPackageRepositoryRequest + expectedResponse *corev1.AddPackageRepositoryResponse +- expectedRepo *sourcev1beta2.HelmRepository ++ expectedRepo *sourcev1.HelmRepository + errorCode connect.Code + existingSecret *apiv1.Secret + expectedCreatedSecret *apiv1.Secret +@@ -1411,7 +1411,7 @@ func TestAddPackageRepository(t *testing.T) { + if ctrlClient, err := s.clientGetter.ControllerRuntime(http.Header{}, s.kubeappsCluster); err != nil { + t.Fatal(err) + } else { +- var actualRepo sourcev1beta2.HelmRepository ++ 
var actualRepo sourcev1.HelmRepository + if err = ctrlClient.Get(ctx, nsname, &actualRepo); err != nil { + t.Fatal(err) + } else { +@@ -1429,7 +1429,7 @@ func TestAddPackageRepository(t *testing.T) { + } + } else { + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +- opt1 := cmpopts.IgnoreFields(sourcev1beta2.HelmRepositorySpec{}, "SecretRef") ++ opt1 := cmpopts.IgnoreFields(sourcev1.HelmRepositorySpec{}, "SecretRef") + + // Manually setting TypeMeta, as the fakeclient doesn't do it anymore: + // https://github.com/kubernetes-sigs/controller-runtime/pull/2633 +@@ -1637,7 +1637,7 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + secretRef = tc.repoSecret.Name + secrets = append(secrets, tc.repoSecret) + } +- var repo *sourcev1beta2.HelmRepository ++ var repo *sourcev1.HelmRepository + if !tc.pending && !tc.failed { + var ts *httptest.Server + var err error +@@ -1647,11 +1647,11 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + } + defer ts.Close() + } else if tc.pending { +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1665,11 +1665,11 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + repo1 := newRepo(tc.repoName, tc.repoNamespace, repoSpec, repoStatus) + repo = &repo1 + } else { // failed +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + 
LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1686,7 +1686,7 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + + // the index.yaml will contain links to charts but for the purposes + // of this test they do not matter +- s, _, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, secrets) ++ s, _, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, secrets) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -1744,7 +1744,7 @@ func TestGetOciPackageRepositoryDetail(t *testing.T) { + t.Fatal(err) + } + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, nil) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -1786,7 +1786,7 @@ func TestGetPackageRepositorySummaries(t *testing.T) { + testCases := []struct { + name string + request *corev1.GetPackageRepositorySummariesRequest +- existingRepos []sourcev1beta2.HelmRepository ++ existingRepos []sourcev1.HelmRepository + expectedErrorCode connect.Code + expectedResponse *corev1.GetPackageRepositorySummariesResponse + }{ +@@ -1795,7 +1795,7 @@ func TestGetPackageRepositorySummaries(t *testing.T) { + request: &corev1.GetPackageRepositorySummariesRequest{ + Context: &corev1.Context{}, + }, +- existingRepos: []sourcev1beta2.HelmRepository{ ++ existingRepos: []sourcev1.HelmRepository{ + get_summaries_repo_1, + get_summaries_repo_2, + get_summaries_repo_3, +@@ -1815,7 +1815,7 @@ func TestGetPackageRepositorySummaries(t *testing.T) { + request: &corev1.GetPackageRepositorySummariesRequest{ + Context: &corev1.Context{Namespace: "foo"}, + }, +- existingRepos: []sourcev1beta2.HelmRepository{ ++ existingRepos: []sourcev1.HelmRepository{ + get_summaries_repo_1, + get_summaries_repo_2, + get_summaries_repo_3, +@@ -2124,7 +2124,7 @@ func TestUpdatePackageRepository(t *testing.T) { + if tc.newRepoSecret != 
nil { + secrets = append(secrets, tc.newRepoSecret) + } +- var repo *sourcev1beta2.HelmRepository ++ var repo *sourcev1.HelmRepository + if !tc.pending { + var ts *httptest.Server + var err error +@@ -2134,11 +2134,11 @@ func TestUpdatePackageRepository(t *testing.T) { + } + defer ts.Close() + } else { +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2156,7 +2156,7 @@ func TestUpdatePackageRepository(t *testing.T) { + + // the index.yaml will contain links to charts but for the purposes + // of this test they do not matter +- s, _, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, secrets) ++ s, _, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, secrets) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -2219,7 +2219,7 @@ func TestUpdatePackageRepository(t *testing.T) { + + // check the created/updated secret + if tc.expectedCreatedSecret != nil { +- var actualRepo sourcev1beta2.HelmRepository ++ var actualRepo sourcev1.HelmRepository + if err = ctrlClient.Get(ctx, types.NamespacedName{Namespace: tc.repoNamespace, Name: tc.repoName}, &actualRepo); err != nil { + t.Fatal(err) + } +@@ -2285,7 +2285,7 @@ func TestDeletePackageRepository(t *testing.T) { + if tc.newRepoSecret != nil { + secrets = append(secrets, tc.newRepoSecret) + } +- var repo *sourcev1beta2.HelmRepository ++ var repo *sourcev1.HelmRepository + if !tc.pending { + var ts *httptest.Server + var err error +@@ -2295,11 +2295,11 @@ func TestDeletePackageRepository(t *testing.T) { + } + defer ts.Close() + } else { +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := 
&sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2317,7 +2317,7 @@ func TestDeletePackageRepository(t *testing.T) { + + // the index.yaml will contain links to charts but for the purposes + // of this test they do not matter +- s, _, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, secrets) ++ s, _, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, secrets) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -2331,7 +2331,7 @@ func TestDeletePackageRepository(t *testing.T) { + Namespace: tc.request.PackageRepoRef.Context.Namespace, + Name: tc.request.PackageRepoRef.Identifier, + } +- var actualRepo sourcev1beta2.HelmRepository ++ var actualRepo sourcev1.HelmRepository + if tc.expectedErrorCode == 0 { + if err = ctrlClient.Get(ctx, nsname, &actualRepo); err != nil { + t.Fatal(err) +@@ -2414,7 +2414,7 @@ func TestGetOciAvailablePackageSummariesWithoutPagination(t *testing.T) { + t.Run(tc.name, func(t *testing.T) { + initOciFakeClientBuilder(t, *tc.seedData) + +- repos := []sourcev1beta2.HelmRepository{} ++ repos := []sourcev1.HelmRepository{} + + for _, rs := range tc.repos { + repo, err := newOciRepo(rs.repoName, rs.repoNamespace, rs.repoUrl) +@@ -2451,8 +2451,8 @@ func TestGetOciAvailablePackageSummariesWithoutPagination(t *testing.T) { + } + } + +-func newRepo(name string, namespace string, spec *sourcev1beta2.HelmRepositorySpec, status *sourcev1beta2.HelmRepositoryStatus) sourcev1beta2.HelmRepository { +- helmRepository := sourcev1beta2.HelmRepository{ ++func newRepo(name string, namespace string, spec *sourcev1.HelmRepositorySpec, status *sourcev1.HelmRepositoryStatus) sourcev1.HelmRepository { ++ 
helmRepository := sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Generation: 1, +@@ -2489,7 +2489,7 @@ func newRepo(name string, namespace string, spec *sourcev1beta2.HelmRepositorySp + + // these functions should affect only unit test, not production code + // does a series of mock.ExpectGet(...) +-func (s *Server) redisMockExpectGetFromRepoCache(mock redismock.ClientMock, filterOptions *corev1.FilterOptions, repos ...sourcev1beta2.HelmRepository) error { ++func (s *Server) redisMockExpectGetFromRepoCache(mock redismock.ClientMock, filterOptions *corev1.FilterOptions, repos ...sourcev1.HelmRepository) error { + mapVals := make(map[string][]byte) + ociRepoKeys := sets.Set[string]{} + for _, r := range repos { +@@ -2532,7 +2532,7 @@ func (s *Server) redisMockExpectGetFromRepoCache(mock redismock.ClientMock, filt + return nil + } + +-func (s *Server) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1beta2.HelmRepository, oldValue []byte) (key string, bytes []byte, err error) { ++func (s *Server) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1.HelmRepository, oldValue []byte) (key string, bytes []byte, err error) { + bg := &clientgetter.FixedClusterClientProvider{ClientsFunc: func(ctx context.Context) (*clientgetter.ClientGetter, error) { + return s.clientGetter.GetClients(http.Header{}, s.kubeappsCluster) + }} +@@ -2540,7 +2540,7 @@ func (s *Server) redisMockSetValueForRepo(mock redismock.ClientMock, repo source + return sinkNoCache.redisMockSetValueForRepo(mock, repo, oldValue) + } + +-func (sink *repoEventSink) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1beta2.HelmRepository, oldValue []byte) (key string, newValue []byte, err error) { ++func (sink *repoEventSink) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1.HelmRepository, oldValue []byte) (key string, newValue []byte, err error) { + if key, newValue, err = sink.redisKeyValueForRepo(repo); err != nil { + if 
oldValue == nil { + mock.ExpectGet(key).RedisNil() +@@ -2565,7 +2565,7 @@ func redisMockSetValueForRepo(mock redismock.ClientMock, key string, newValue, o + mock.ExpectInfo("memory").SetVal("used_memory_rss_human:NA\r\nmaxmemory_human:NA") + } + +-func (s *Server) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) (key string, byteArray []byte, err error) { ++func (s *Server) redisKeyValueForRepo(r sourcev1.HelmRepository) (key string, byteArray []byte, err error) { + cg := &clientgetter.FixedClusterClientProvider{ClientsFunc: func(ctx context.Context) (*clientgetter.ClientGetter, error) { + return s.clientGetter.GetClients(http.Header{}, s.kubeappsCluster) + }} +@@ -2573,7 +2573,7 @@ func (s *Server) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) (key strin + return sinkNoChartCache.redisKeyValueForRepo(r) + } + +-func (sink *repoEventSink) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) (key string, byteArray []byte, err error) { ++func (sink *repoEventSink) redisKeyValueForRepo(r sourcev1.HelmRepository) (key string, byteArray []byte, err error) { + if key, err = redisKeyForRepo(r); err != nil { + return key, nil, err + } else { +@@ -2591,7 +2591,7 @@ func (sink *repoEventSink) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) + } + } + +-func redisKeyForRepo(r sourcev1beta2.HelmRepository) (string, error) { ++func redisKeyForRepo(r sourcev1.HelmRepository) (string, error) { + // redis convention on key format + // https://redis.io/topics/data-types-intro + // Try to stick with a schema. For instance "object-type:id" is a good idea, as in "user:1000". 
+@@ -2612,7 +2612,7 @@ func redisKeyForRepoNamespacedName(name types.NamespacedName) (string, error) { + return fmt.Sprintf("%s:%s:%s", fluxHelmRepositories, name.Namespace, name.Name), nil + } + +-func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replaceUrls map[string]string, secretRef string) (*httptest.Server, *sourcev1beta2.HelmRepository, error) { ++func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replaceUrls map[string]string, secretRef string) (*httptest.Server, *sourcev1.HelmRepository, error) { + indexYAMLBytes, err := os.ReadFile(repoIndex) + if err != nil { + return nil, nil, err +@@ -2631,7 +2631,7 @@ func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replace + fmt.Fprintln(w, string(indexYAMLBytes)) + })) + +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +@@ -2644,7 +2644,7 @@ func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replace + revision := "651f952130ea96823711d08345b85e82be011dc6" + sz := int64(31989) + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Path: fmt.Sprintf("helmrepository/%s/%s/index-%s.yaml", repoNamespace, repoName, revision), + Digest: revision, +@@ -2669,16 +2669,16 @@ func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replace + return ts, &repo, nil + } + +-func newOciRepo(repoName, repoNamespace, repoUrl string) (*sourcev1beta2.HelmRepository, error) { ++func newOciRepo(repoName, repoNamespace, repoUrl string) (*sourcev1.HelmRepository, error) { + timeout := metav1.Duration{Duration: 60 * time.Second} +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: repoUrl, + Interval: metav1.Duration{Duration: 1 * time.Minute}, + Timeout: 
&timeout, + Type: "oci", + } + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go +index 53fac6474..ef3d506b3 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go +@@ -13,8 +13,8 @@ import ( + + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/helm" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + authorizationv1 "k8s.io/api/authorization/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +@@ -89,11 +89,11 @@ func NewServer(configGetter core.KubernetesConfigGetter, kubeappsCluster string, + + // register the GitOps Toolkit schema definitions + scheme := runtime.NewScheme() +- err = sourcev1beta2.AddToScheme(scheme) ++ err = sourcev1.AddToScheme(scheme) + if err != nil { + log.Fatalf("%s", err) + } +- err = helmv2beta2.AddToScheme(scheme) ++ err = helmv2.AddToScheme(scheme) + if err != nil { + log.Fatalf("%s", err) + } +@@ -112,11 +112,11 @@ func NewServer(configGetter core.KubernetesConfigGetter, kubeappsCluster string, + OnGetFunc: s.onGetRepo, + OnDeleteFunc: s.onDeleteRepo, + OnResyncFunc: s.onResync, +- NewObjFunc: func() ctrlclient.Object { return &sourcev1beta2.HelmRepository{} }, +- NewListFunc: func() ctrlclient.ObjectList { return &sourcev1beta2.HelmRepositoryList{} }, ++ NewObjFunc: func() ctrlclient.Object { return &sourcev1.HelmRepository{} }, ++ NewListFunc: func() ctrlclient.ObjectList { return &sourcev1.HelmRepositoryList{} }, + ListItemsFunc: func(ol 
ctrlclient.ObjectList) []ctrlclient.Object { +- if hl, ok := ol.(*sourcev1beta2.HelmRepositoryList); !ok { +- log.Errorf("Expected: *sourcev1beta2.HelmRepositoryList, got: %T", ol) ++ if hl, ok := ol.(*sourcev1.HelmRepositoryList); !ok { ++ log.Errorf("Expected: *sourcev1.HelmRepositoryList, got: %T", ol) + return nil + } else { + ret := make([]ctrlclient.Object, len(hl.Items)) +@@ -619,7 +619,7 @@ func (s *Server) GetPackageRepositoryPermissions(ctx context.Context, request *c + } + + resource := schema.GroupResource{ +- Group: sourcev1beta2.GroupVersion.Group, ++ Group: sourcev1.GroupVersion.Group, + Resource: fluxHelmRepositories, + } + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go +index abed61c06..14278399e 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go +@@ -13,9 +13,9 @@ import ( + "time" + + "github.com/bufbuild/connect-go" +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redis/v8" + "github.com/go-redis/redismock/v8" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" +@@ -46,13 +46,13 @@ import ( + func TestGetAvailablePackagesStatus(t *testing.T) { + testCases := []struct { + name string +- repo sourcev1beta2.HelmRepository ++ repo sourcev1.HelmRepository + statusCode codes.Code + }{ + { + name: "returns without error if response status does not contain conditions", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, 
+@@ -62,21 +62,21 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + { + name: "returns without error if response status does not contain conditions (2)", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{}), ++ &sourcev1.HelmRepositoryStatus{}), + statusCode: codes.OK, + }, + { + name: "returns without error if response does not contain ready repos", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -91,7 +91,7 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + name: "returns without error if repo object does not contain namespace", + repo: newRepo("test", "", + nil, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -106,7 +106,7 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + name: "returns without error if repo object contains default spec", + repo: newRepo("test", "default", + nil, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -120,8 +120,8 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + { + name: "returns without error if repo object does not contain spec url", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{}, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositorySpec{}, ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -135,11 +135,11 @@ func 
TestGetAvailablePackagesStatus(t *testing.T) { + { + name: "returns without error if repo object does not contain status url", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -154,7 +154,7 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { +- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{tc.repo}) ++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{tc.repo}) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -204,11 +204,11 @@ type testSpecChartWithUrl struct { + numRetries int + } + +-func newSimpleServerWithRepos(t *testing.T, repos []sourcev1beta2.HelmRepository) (*Server, redismock.ClientMock, error) { ++func newSimpleServerWithRepos(t *testing.T, repos []sourcev1.HelmRepository) (*Server, redismock.ClientMock, error) { + return newServerWithRepos(t, repos, nil, nil) + } + +-func newServerWithRepos(t *testing.T, repos []sourcev1beta2.HelmRepository, charts []testSpecChartWithUrl, secrets []runtime.Object) (*Server, redismock.ClientMock, error) { ++func newServerWithRepos(t *testing.T, repos []sourcev1.HelmRepository, charts []testSpecChartWithUrl, secrets []runtime.Object) (*Server, redismock.ClientMock, error) { + typedClient := typfake.NewSimpleClientset(secrets...) 
+ + // ref https://stackoverflow.com/questions/68794562/kubernetes-fake-client-doesnt-handle-generatename-in-objectmeta/68794563#68794563 +@@ -243,7 +243,7 @@ func newServerWithRepos(t *testing.T, repos []sourcev1beta2.HelmRepository, char + return newServer(t, clientGetter, nil, repos, charts) + } + +-func newServerWithChartsAndReleases(t *testing.T, actionConfig *action.Configuration, charts []sourcev1beta2.HelmChart, releases []helmv2beta2.HelmRelease) (*Server, redismock.ClientMock, error) { ++func newServerWithChartsAndReleases(t *testing.T, actionConfig *action.Configuration, charts []sourcev1.HelmChart, releases []helmv2.HelmRelease) (*Server, redismock.ClientMock, error) { + typedClient := typfake.NewSimpleClientset() + // Creating an authorized clientGetter + typedClient.PrependReactor("create", "selfsubjectaccessreviews", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) { +@@ -316,7 +316,7 @@ func newHelmActionConfig(t *testing.T, namespace string, rels []helmReleaseStub) + func newServer(t *testing.T, + clientGetter clientgetter.ClientProviderInterface, + actionConfig *action.Configuration, +- repos []sourcev1beta2.HelmRepository, ++ repos []sourcev1.HelmRepository, + charts []testSpecChartWithUrl) (*Server, redismock.ClientMock, error) { + + stopCh := make(chan struct{}) +@@ -360,11 +360,11 @@ func newServer(t *testing.T, + OnGetFunc: sink.onGetRepo, + OnDeleteFunc: sink.onDeleteRepo, + OnResyncFunc: sink.onResync, +- NewObjFunc: func() ctrlclient.Object { return &sourcev1beta2.HelmRepository{} }, +- NewListFunc: func() ctrlclient.ObjectList { return &sourcev1beta2.HelmRepositoryList{} }, ++ NewObjFunc: func() ctrlclient.Object { return &sourcev1.HelmRepository{} }, ++ NewListFunc: func() ctrlclient.ObjectList { return &sourcev1.HelmRepositoryList{} }, + ListItemsFunc: func(ol ctrlclient.ObjectList) []ctrlclient.Object { +- if hl, ok := ol.(*sourcev1beta2.HelmRepositoryList); !ok { +- t.Fatalf("Expected: 
*sourcev1beta2.HelmRepositoryList, got: %T", ol) ++ if hl, ok := ol.(*sourcev1.HelmRepositoryList); !ok { ++ t.Fatalf("Expected: *sourcev1.HelmRepositoryList, got: %T", ol) + return nil + } else { + ret := make([]ctrlclient.Object, len(hl.Items)) +@@ -410,8 +410,8 @@ func newServer(t *testing.T, + func seedRepoCacheWithRepos(t *testing.T, + mock redismock.ClientMock, + sink repoEventSink, +- repos []sourcev1beta2.HelmRepository) map[string]sourcev1beta2.HelmRepository { +- okRepos := make(map[string]sourcev1beta2.HelmRepository) ++ repos []sourcev1.HelmRepository) map[string]sourcev1.HelmRepository { ++ okRepos := make(map[string]sourcev1.HelmRepository) + for _, r := range repos { + key, err := redisKeyForRepo(r) + if err != nil { +@@ -441,7 +441,7 @@ func seedChartCacheWithCharts(t *testing.T, + mock redismock.ClientMock, + sink repoEventSink, + stopCh <-chan struct{}, +- repos map[string]sourcev1beta2.HelmRepository, ++ repos map[string]sourcev1.HelmRepository, + charts []testSpecChartWithUrl) (*cache.ChartCache, func(), error) { + t.Logf("+seedChartCacheWithCharts(%v)", charts) + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go +index dfbcb10c8..8109f3f2f 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go +@@ -19,8 +19,8 @@ import ( + + k8stesting "k8s.io/client-go/testing" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" +@@ -305,8 +305,8 @@ func setSecretOwnerRef(repoName string, secret *apiv1.Secret) 
*apiv1.Secret { + tRue := true + secret.OwnerReferences = []metav1.OwnerReference{ + { +- APIVersion: sourcev1beta2.GroupVersion.String(), +- Kind: sourcev1beta2.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, + Name: repoName, + Controller: &tRue, + BlockOwnerDeletion: &tRue, +@@ -353,45 +353,45 @@ func repoRef(id, namespace string) *corev1.PackageRepositoryReference { + } + } + +-func newCtrlClient(repos []sourcev1beta2.HelmRepository, charts []sourcev1beta2.HelmChart, releases []helmv2beta2.HelmRelease) withWatchWrapper { ++func newCtrlClient(repos []sourcev1.HelmRepository, charts []sourcev1.HelmChart, releases []helmv2.HelmRelease) withWatchWrapper { + // register the flux GitOps Toolkit schema definitions + scheme := runtime.NewScheme() +- err := sourcev1beta2.AddToScheme(scheme) ++ err := sourcev1.AddToScheme(scheme) + if err != nil { + log.Fatal(err) + } +- err = helmv2beta2.AddToScheme(scheme) ++ err = helmv2.AddToScheme(scheme) + if err != nil { + log.Fatal(err) + } + +- rm := apimeta.NewDefaultRESTMapper([]schema.GroupVersion{sourcev1beta2.GroupVersion, helmv2beta2.GroupVersion}) ++ rm := apimeta.NewDefaultRESTMapper([]schema.GroupVersion{sourcev1.GroupVersion, helmv2.GroupVersion}) + rm.Add(schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmRepositoryKind}, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmRepositoryKind}, + apimeta.RESTScopeNamespace) + rm.Add(schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmChartKind}, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmChartKind}, + apimeta.RESTScopeNamespace) + rm.Add(schema.GroupVersionKind{ +- Group: helmv2beta2.GroupVersion.Group, +- Version: 
helmv2beta2.GroupVersion.Version, +- Kind: helmv2beta2.HelmReleaseKind}, ++ Group: helmv2.GroupVersion.Group, ++ Version: helmv2.GroupVersion.Version, ++ Kind: helmv2.HelmReleaseKind}, + apimeta.RESTScopeNamespace) + + ctrlClientBuilder := ctrlfake.NewClientBuilder().WithScheme(scheme).WithRESTMapper(rm) + initLists := []client.ObjectList{} + if len(repos) > 0 { +- initLists = append(initLists, &sourcev1beta2.HelmRepositoryList{Items: repos}) ++ initLists = append(initLists, &sourcev1.HelmRepositoryList{Items: repos}) + } + if len(charts) > 0 { +- initLists = append(initLists, &sourcev1beta2.HelmChartList{Items: charts}) ++ initLists = append(initLists, &sourcev1.HelmChartList{Items: charts}) + } + if len(releases) > 0 { +- initLists = append(initLists, &helmv2beta2.HelmReleaseList{Items: releases}) ++ initLists = append(initLists, &helmv2.HelmReleaseList{Items: releases}) + } + if len(initLists) > 0 { + ctrlClientBuilder = ctrlClientBuilder.WithLists(initLists...) +diff --git a/go.mod b/go.mod +index fe893591e..6d380a0cf 100644 +--- a/go.mod ++++ b/go.mod +@@ -3,7 +3,9 @@ + + module github.com/vmware-tanzu/kubeapps + +-go 1.22 ++go 1.22.0 ++ ++toolchain go1.22.2 + + require ( + carvel.dev/vendir v0.40.0 +@@ -18,11 +20,11 @@ require ( + github.com/disintegration/imaging v1.6.2 + github.com/distribution/reference v0.6.0 + github.com/docker/cli v26.0.0+incompatible +- github.com/fluxcd/helm-controller/api v0.37.4 +- github.com/fluxcd/pkg/apis/meta v1.4.0 +- github.com/fluxcd/pkg/oci v0.36.0 +- github.com/fluxcd/pkg/version v0.3.0 +- github.com/fluxcd/source-controller/api v1.2.5 ++ github.com/fluxcd/helm-controller/api v1.0.1 ++ github.com/fluxcd/pkg/apis/meta v1.5.0 ++ github.com/fluxcd/pkg/oci v0.37.1 ++ github.com/fluxcd/pkg/version v0.4.0 ++ github.com/fluxcd/source-controller/api v1.3.0 + github.com/go-redis/redis/v8 v8.11.5 + github.com/go-redis/redismock/v8 v8.11.5 + github.com/google/go-cmp v0.6.0 +@@ -52,28 +54,28 @@ require ( + google.golang.org/protobuf 
v1.33.0 + gopkg.in/yaml.v3 v3.0.1 + helm.sh/helm/v3 v3.14.3 +- k8s.io/api v0.29.3 +- k8s.io/apiextensions-apiserver v0.29.3 +- k8s.io/apimachinery v0.29.3 +- k8s.io/apiserver v0.29.3 ++ k8s.io/api v0.30.0 ++ k8s.io/apiextensions-apiserver v0.30.0 ++ k8s.io/apimachinery v0.30.0 ++ k8s.io/apiserver v0.30.0 + k8s.io/cli-runtime v0.29.3 +- k8s.io/client-go v0.29.3 ++ k8s.io/client-go v0.30.0 + k8s.io/klog/v2 v2.120.1 + k8s.io/kubectl v0.29.3 + k8s.io/utils v0.0.0-20240310230437-4693a0247e57 + oras.land/oras-go v1.2.5 + oras.land/oras-go/v2 v2.5.0 +- sigs.k8s.io/controller-runtime v0.17.2 ++ sigs.k8s.io/controller-runtime v0.18.1 + sigs.k8s.io/yaml v1.4.0 + ) + + require ( + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect +- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0 // indirect +- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect ++ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect ++ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect +- github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect ++ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect + github.com/BurntSushi/toml v1.3.2 // indirect + github.com/MakeNowJust/heredoc v1.0.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect +@@ -82,8 +84,8 @@ require ( + github.com/Microsoft/hcsshim v0.11.4 // indirect + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect +- github.com/aws/aws-sdk-go-v2/config v1.27.10 // indirect +- github.com/aws/aws-sdk-go-v2/credentials v1.17.10 // indirect ++ github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect ++ github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect + 
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect +@@ -91,7 +93,7 @@ require ( + github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect +- github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 // indirect ++ github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect + github.com/aws/smithy-go v1.20.2 // indirect +@@ -113,13 +115,13 @@ require ( + github.com/docker/go-metrics v0.0.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch v5.7.0+incompatible // indirect +- github.com/evanphx/json-patch/v5 v5.8.0 // indirect ++ github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect + github.com/fatih/camelcase v1.0.0 // indirect + github.com/fatih/color v1.15.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect +- github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect +- github.com/fluxcd/pkg/apis/kustomize v1.3.0 // indirect ++ github.com/fluxcd/pkg/apis/acl v0.3.0 // indirect ++ github.com/fluxcd/pkg/apis/kustomize v1.5.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fvbommel/sortorder v1.1.0 // indirect + github.com/go-errors/errors v1.4.2 // indirect +@@ -131,7 +133,7 @@ require ( + github.com/go-openapi/swag v0.22.4 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/gogo/protobuf v1.3.2 // indirect +- github.com/golang-jwt/jwt/v5 v5.2.0 // indirect ++ github.com/golang-jwt/jwt/v5 v5.2.1 // indirect + github.com/golang/groupcache 
v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/btree v1.1.2 // indirect +@@ -217,19 +219,18 @@ require ( + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect + golang.org/x/image v0.10.0 // indirect +- golang.org/x/oauth2 v0.17.0 // indirect ++ golang.org/x/oauth2 v0.19.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/term v0.19.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.5.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect +- google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.67.0 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect +- k8s.io/component-base v0.29.3 // indirect +- k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e // indirect ++ k8s.io/component-base v0.30.0 // indirect ++ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect + sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect +diff --git a/go.sum b/go.sum +index 4e1af959d..0d7a395a6 100644 +--- a/go.sum ++++ b/go.sum +@@ -50,16 +50,16 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 + dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= +-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0 h1:U/kwEXj0Y+1REAkV4kV8VO1CsEp8tSaQDG/7qC5XuqQ= 
+-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= +-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= ++github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= ++github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= ++github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 h1:FDif4R1+UUR+00q6wquyX90K7A8dN+R5E8GEadoP7sU= ++github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2/go.mod h1:aiYBYui4BJ/BJCAIKs92XiPyQfTaBWqvHujDwKb6CBU= + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +-github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaCgOUdVHxE8QB52S6NiVdDQvGlny1qvPqA= +-github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= ++github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= ++github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= + github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= + github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= + github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +@@ -103,10 +103,10 @@ 
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= + github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= + github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +-github.com/aws/aws-sdk-go-v2/config v1.27.10 h1:PS+65jThT0T/snC5WjyfHHyUgG+eBoupSDV+f838cro= +-github.com/aws/aws-sdk-go-v2/config v1.27.10/go.mod h1:BePM7Vo4OBpHreKRUMuDXX+/+JWP38FLkzl5m27/Jjs= +-github.com/aws/aws-sdk-go-v2/credentials v1.17.10 h1:qDZ3EA2lv1KangvQB6y258OssCHD0xvaGiEDkG4X/10= +-github.com/aws/aws-sdk-go-v2/credentials v1.17.10/go.mod h1:6t3sucOaYDwDssHQa0ojH1RpmVmF5/jArkye1b2FKMI= ++github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= ++github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= ++github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= ++github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +@@ -121,8 +121,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1x + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= 
+-github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 h1:WzFol5Cd+yDxPAdnzTA5LmpHYSWinhmSj4rQChV0ee8= +-github.com/aws/aws-sdk-go-v2/service/sso v1.20.4/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= ++github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= ++github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +@@ -243,8 +243,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 + github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= + github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= + github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +-github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= +-github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= ++github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= ++github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= + github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= +@@ -256,20 +256,20 @@ github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= + github.com/fatih/color v1.15.0/go.mod 
h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= + github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= + github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +-github.com/fluxcd/helm-controller/api v0.37.4 h1:rkBMqYXexyf1s5BS8QpxGi691DsCi+yugIFCM5fNKLU= +-github.com/fluxcd/helm-controller/api v0.37.4/go.mod h1:KFdP5Lbrc4Vv+Jt4xRj6UUo3qiwdBqBPl1xiiAnBe9c= +-github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q= +-github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8= +-github.com/fluxcd/pkg/apis/kustomize v1.3.0 h1:qvB46CfaOWcL1SyR2RiVWN/j7/035D0OtB1ltLN7rgI= +-github.com/fluxcd/pkg/apis/kustomize v1.3.0/go.mod h1:PCXf5kktTzNav0aH2Ns3jsowqwmA9xTcsrEOoPzx/K8= +-github.com/fluxcd/pkg/apis/meta v1.4.0 h1:nNdgB6FFHP3cubxZCViaCFDUVlAbpq9+hvKEIveOGMg= +-github.com/fluxcd/pkg/apis/meta v1.4.0/go.mod h1:81sZ01ShTuLc1C3M1dFJNkINareBysvmrO1b8zJFFKs= +-github.com/fluxcd/pkg/oci v0.36.0 h1:bC+Qkm6p8rN72McArNwYFjI9bt7M2vn6mnt7i/vOWv0= +-github.com/fluxcd/pkg/oci v0.36.0/go.mod h1:ocWsg1tjhjlIpdpdw0xZz7q9YQH8YzcrN1wi+Az0t7E= +-github.com/fluxcd/pkg/version v0.3.0 h1:+GSU3QKQK66Y09+cQMAEoyh7j4S0ZimXF6MyGgJwZB4= +-github.com/fluxcd/pkg/version v0.3.0/go.mod h1:NO3/EuKNn9g6aw9NN85Hdrz+5CVx90KZC6rPsOmgvVI= +-github.com/fluxcd/source-controller/api v1.2.5 h1:MgGrOfPh7Grhl40GUM9lEs+lmgTx3hLAwI0MVqaJkQ8= +-github.com/fluxcd/source-controller/api v1.2.5/go.mod h1:j3QSHpIPBP5sjaGIkVtsgWCx8JcOmcsutRmdJmRMOZg= ++github.com/fluxcd/helm-controller/api v1.0.1 h1:Gn9qEVuif6D5+gHmVwTEZkR4+nmLOcOhKx4Sw2gL2EA= ++github.com/fluxcd/helm-controller/api v1.0.1/go.mod h1:/6AD5a2qjo/ttxVM8GR33syLZwqigta60DCLdy8GrME= ++github.com/fluxcd/pkg/apis/acl v0.3.0 h1:UOrKkBTOJK+OlZX7n8rWt2rdBmDCoTK+f5TY2LcZi8A= ++github.com/fluxcd/pkg/apis/acl v0.3.0/go.mod h1:WVF9XjSMVBZuU+HTTiSebGAWMgM7IYexFLyVWbK9bNY= ++github.com/fluxcd/pkg/apis/kustomize v1.5.0 
h1:ah4sfqccnio+/5Edz/tVz6LetFhiBoDzXAElj6fFCzU= ++github.com/fluxcd/pkg/apis/kustomize v1.5.0/go.mod h1:nEzhnhHafhWOUUV8VMFLojUOH+HHDEsL75y54mt/c30= ++github.com/fluxcd/pkg/apis/meta v1.5.0 h1:/G82d2Az5D9op3F+wJUpD8jw/eTV0suM6P7+cSURoUM= ++github.com/fluxcd/pkg/apis/meta v1.5.0/go.mod h1:Y3u7JomuuKtr5fvP1Iji2/50FdRe5GcBug2jawNVkdM= ++github.com/fluxcd/pkg/oci v0.37.1 h1:p4rfCHZlBWL+Q5Xey51iiBRmoje0IevCBT0/r8iae3M= ++github.com/fluxcd/pkg/oci v0.37.1/go.mod h1:LrVuX6VACenJ5ycQJxec+I7YJegCsE4nzRUV+6RuxcY= ++github.com/fluxcd/pkg/version v0.4.0 h1:3F6oeIZ+ug/f7pALIBhcUhfURel37EPPOn7nsGfsnOg= ++github.com/fluxcd/pkg/version v0.4.0/go.mod h1:izVsSDxac81qWRmpOL9qcxZYx+zAN1ajoP5SidGP6PA= ++github.com/fluxcd/source-controller/api v1.3.0 h1:Z5Lq0aJY87yg0cQDEuwGLKS60GhdErCHtsi546HUt10= ++github.com/fluxcd/source-controller/api v1.3.0/go.mod h1:+tfd0vltjcVs/bbnq9AlYR9AAHSVfM/Z4v4TpQmdJf4= + github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= + github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= + github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +@@ -332,8 +332,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x + github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= + github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= + github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +-github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +-github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= ++github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= ++github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= + github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= + 
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= + github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +@@ -650,14 +650,14 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv + github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= + github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= + github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +-github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= +-github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= ++github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= ++github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= + github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= + github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= + github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= + github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= +-github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk= +-github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg= ++github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= ++github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= + github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= + github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= + github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +@@ -931,8 +931,8 @@ golang.org/x/mod v0.4.2/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= + golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= + golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= ++golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8= ++golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= + golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= + golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= + golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +@@ -999,8 +999,8 @@ golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ + golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= + golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= + golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +-golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= +-golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= ++golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= ++golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= + golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync 
v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +@@ -1119,7 +1119,6 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= + golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +@@ -1188,8 +1187,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= + golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= + golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= + golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= ++golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ= ++golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg= + golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= + golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= + golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +@@ -1236,8 +1235,6 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww + google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= + 
google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= + google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= + google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= + google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= + google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +@@ -1393,24 +1390,24 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh + honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= + honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= + honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +-k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw= +-k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80= +-k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI= +-k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc= +-k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU= +-k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU= +-k8s.io/apiserver v0.29.3 h1:xR7ELlJ/BZSr2n4CnD3lfA4gzFivh0wwfNfz9L0WZcE= +-k8s.io/apiserver v0.29.3/go.mod h1:hrvXlwfRulbMbBgmWRQlFru2b/JySDpmzvQwwk4GUOs= ++k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= ++k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= ++k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= 
++k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= ++k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= ++k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= ++k8s.io/apiserver v0.30.0 h1:QCec+U72tMQ+9tR6A0sMBB5Vh6ImCEkoKkTDRABWq6M= ++k8s.io/apiserver v0.30.0/go.mod h1:smOIBq8t0MbKZi7O7SyIpjPsiKJ8qa+llcFCluKyqiY= + k8s.io/cli-runtime v0.29.3 h1:r68rephmmytoywkw2MyJ+CxjpasJDQY7AGc3XY2iv1k= + k8s.io/cli-runtime v0.29.3/go.mod h1:aqVUsk86/RhaGJwDhHXH0jcdqBrgdF3bZWk4Z9D4mkM= +-k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg= +-k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0= +-k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo= +-k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio= ++k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= ++k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= ++k8s.io/component-base v0.30.0 h1:cj6bp38g0ainlfYtaOQuRELh5KSYjhKxM+io7AUIk4o= ++k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ= + k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= + k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +-k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e h1:snPmy96t93RredGRjKfMFt+gvxuVAncqSAyBveJtr4Q= +-k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= ++k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= ++k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= + k8s.io/kubectl v0.29.3 h1:RuwyyIU42MAISRIePaa8Q7A3U74Q9P4MoJbDFz9o3us= + k8s.io/kubectl v0.29.3/go.mod h1:yCxfY1dbwgVdEt2zkJ6d5NNLOhhWgTyrqACIoFhpdd4= + k8s.io/utils 
v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= +@@ -1422,8 +1419,8 @@ oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZH + rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= + rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= + rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +-sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= +-sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= ++sigs.k8s.io/controller-runtime v0.18.1 h1:RpWbigmuiylbxOCLy0tGnq1cU1qWPwNIQzoJk+QeJx4= ++sigs.k8s.io/controller-runtime v0.18.1/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= diff --git a/packages/system/dashboard/images/kubeapps-apis/labels.diff b/packages/system/dashboard/images/kubeapps-apis/labels.diff index 23bcdc93..e3b1823f 100644 --- a/packages/system/dashboard/images/kubeapps-apis/labels.diff +++ b/packages/system/dashboard/images/kubeapps-apis/labels.diff @@ -16,7 +16,7 @@ index c489cb6ca..8884a6484 100644 @@ -54,7 +56,10 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, // see any results created/updated/deleted after the first request is issued // To fix this, we must make use of resourceVersion := relList.GetResourceVersion() - var relList helmv2beta2.HelmReleaseList + var relList helmv2.HelmReleaseList - if err = client.List(ctx, &relList); err != nil { + listOptions := ctrlclient.ListOptions{ + LabelSelector: labels.SelectorFromSet(labels.Set{"cozystack.io/ui": "true"}), 
@@ -33,8 +33,8 @@ index c489cb6ca..8884a6484 100644 + "cozystack.io/ui": "true", + }, }, - Spec: helmv2beta2.HelmReleaseSpec{ - Chart: helmv2beta2.HelmChartTemplate{ + Spec: helmv2.HelmReleaseSpec{ + Chart: helmv2.HelmChartTemplate{ diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go index 790b21514..539276a17 100644 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go @@ -49,7 +49,7 @@ index 790b21514..539276a17 100644 log "k8s.io/klog/v2" @@ -64,7 +65,8 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, - var repoList sourcev1beta2.HelmRepositoryList + var repoList sourcev1.HelmRepositoryList listOptions := ctrlclient.ListOptions{ - Namespace: ns, + Namespace: ns, @@ -65,5 +65,5 @@ index 790b21514..539276a17 100644 + "cozystack.io/ui": "true", + }, }, - Spec: sourcev1beta2.HelmRepositorySpec{ + Spec: sourcev1.HelmRepositorySpec{ URL: url, diff --git a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff index f4f9b20a..74e3e738 100644 --- a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff +++ b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff @@ -3,7 +3,7 @@ index 8884a6484..4bf77071c 100644 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go @@ -530,6 +530,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp - Kind: sourcev1beta2.HelmRepositoryKind, + Kind: sourcev1.HelmRepositoryKind, Namespace: chart.Repo.Namespace, }, + ReconcileStrategy: "Revision", From bcd1ee1b4f7e5c0a21bdbc4392a74387bba5852c Mon Sep 17 00:00:00 2001 From: Marian Koreniuk Date: Mon, 17 Jun 2024 19:13:54 +0200 Subject: [PATCH 25/67] Add masquerade --- hack/e2e.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/hack/e2e.sh b/hack/e2e.sh index db86d04f..86278beb 100755 --- a/hack/e2e.sh +++ b/hack/e2e.sh @@ -27,9 +27,9 @@ ip link add cozy-br0 type bridge ip link set cozy-br0 up ip addr add 192.168.123.1/24 dev cozy-br0 -# Enable masquerading -iptables -t nat -D POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE || true -iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE +# Enable forward & masquerading +echo 1 > /proc/sys/net/ipv4/ip_forward +iptables -t nat -A POSTROUTING -s 192.168.123.0/24 -j MASQUERADE rm -rf srv1 srv2 srv3 mkdir -p srv1 srv2 srv3 From 02a41e126bd1927fda7e395fcb6d81e5fcd12939 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 19 Jun 2024 16:55:16 +0200 Subject: [PATCH 26/67] fix kubeovn and cilium tags (#174) * fix: kube-ovn tag * fix: cilium tag --- packages/system/cilium/Makefile | 2 +- packages/system/cilium/images/cilium.tag | 2 +- packages/system/kubeovn/Makefile | 2 +- packages/system/kubeovn/images/kubeovn.tag | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index 23e43516..a5caba3b 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile @@ -27,4 +27,4 @@ image: --metadata-file images/cilium.json \ --push=$(PUSH) \ --load=$(LOAD) - echo "$(REGISTRY)/cilium:$(call settag,$(TAG))" > images/cilium.tag + echo "$(REGISTRY)/cilium:$(call settag,$(CILIUM_TAG))" > images/cilium.tag diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag index 164d288a..ab03ee07 100644 --- a/packages/system/cilium/images/cilium.tag +++ b/packages/system/cilium/images/cilium.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cilium:v0.7.0 +ghcr.io/aenix-io/cozystack/cilium:latest diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index d4e6884e..783005ba 100644 --- a/packages/system/kubeovn/Makefile 
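Review bot: The new MASQUERADE rule drops both the `! -d 192.168.123.0/24` exclusion and the preceding `-D … || true` cleanup, so every re-run of the script appends another identical rule, and if br_netfilter happens to be loaded on the host, traffic between VMs on cozy-br0 will also be SNATed to the bridge address. Keep the destination exclusion and make the rule idempotent with a check-then-add: `iptables -t nat -C POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE`. Writing `1` to `ip_forward` also turns the host into a router for all interfaces with no matching FORWARD restriction; if the host's FORWARD policy is not already DROP, consider scoping forwarding to the bridge (`iptables -A FORWARD -i cozy-br0 -j ACCEPT` and an ESTABLISHED,RELATED rule for the return path). The rest of the script is outside the hunk.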
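Review bot: images/cilium.tag moves from the pinned `v0.7.0` to the floating `latest` tag, so what gets deployed can change between two identical commits and cannot be audited from the repository; note that the sibling kubeovn.tag in this same commit is pinned to `v1.13.0`. Unless the consumer of this file also pins the image by the digest recorded in images/cilium.json (not visible here), the tag should stay versioned — presumably `settag` falls back to `latest` because `CILIUM_TAG` was unset when the Makefile target ran, so setting it (or failing when it is empty) would restore a reproducible reference.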
+++ b/packages/system/kubeovn/Makefile @@ -24,4 +24,4 @@ image: --metadata-file images/kubeovn.json \ --push=$(PUSH) \ --load=$(LOAD) - echo "$(REGISTRY)/kubeovn:$(call settag,$(TAG))" > images/kubeovn.tag + echo "$(REGISTRY)/kubeovn:$(call settag,$(KUBEOVN_TAG))" > images/kubeovn.tag diff --git a/packages/system/kubeovn/images/kubeovn.tag b/packages/system/kubeovn/images/kubeovn.tag index 2236b16e..f5b70b27 100644 --- a/packages/system/kubeovn/images/kubeovn.tag +++ b/packages/system/kubeovn/images/kubeovn.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeovn:v0.7.0 +ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0 From f12e2c300a8b824726f790d2150dd943b2b44a50 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 20 Jun 2024 13:43:04 +0200 Subject: [PATCH 27/67] add initial arm support Signed-off-by: Andrei Kvapil --- packages/core/installer/Makefile | 1 + packages/core/installer/images/cozystack.json | 10 ++++++++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/cozystack/Dockerfile | 5 ++++- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/packages/core/installer/Makefile b/packages/core/installer/Makefile index 7cea7ed7..090cb4b0 100644 --- a/packages/core/installer/Makefile +++ b/packages/core/installer/Makefile @@ -25,6 +25,7 @@ image-cozystack: --provenance false \ --tag $(REGISTRY)/cozystack:$(call settag,$(TAG)) \ --cache-from type=registry,ref=$(REGISTRY)/cozystack:latest \ + --platform linux/amd64,linux/arm64 \ --cache-to type=inline \ --metadata-file images/cozystack.json \ --push=$(PUSH) \ diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 585f11e3..63a732c3 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json 
@@ -1,4 +1,10 @@ { - "containerimage.config.digest": "sha256:6d54a5b971e80fbaace664054d4e67f24fd1fbb7807ebaffd036d4ea7195df10", - "containerimage.digest": "sha256:a6b167235d8556ff7e45f4582c2491a2ad48292a46005dcf767908e2fb78e74e" + "buildx.build.ref": "youthful_hertz/youthful_hertz0/aafwjh8j28i98f59smgh3qe86", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", + "digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef", + "size": 685 + }, + "containerimage.digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef", + "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index e8430b50..602d7b26 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.7.0 +ghcr.io/aenix-io/cozystack/cozystack:latest diff --git a/packages/core/installer/images/cozystack/Dockerfile b/packages/core/installer/images/cozystack/Dockerfile index 6618cd00..7c9652b3 100644 --- a/packages/core/installer/images/cozystack/Dockerfile +++ b/packages/core/installer/images/cozystack/Dockerfile 
@@ -3,12 +3,15 @@ FROM golang:alpine3.19 as k8s-await-election-builder ARG K8S_AWAIT_ELECTION_GITREPO=https://github.com/LINBIT/k8s-await-election ARG K8S_AWAIT_ELECTION_VERSION=0.4.1 +# TARGETARCH is a docker special variable: https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope +ARG TARGETARCH + RUN apk add --no-cache git make RUN git clone ${K8S_AWAIT_ELECTION_GITREPO} /usr/local/go/k8s-await-election/ \ && cd /usr/local/go/k8s-await-election \ && git reset --hard v${K8S_AWAIT_ELECTION_VERSION} \ && make \ - && mv ./out/k8s-await-election-amd64 /k8s-await-election + && mv ./out/k8s-await-election-${TARGETARCH} /k8s-await-election FROM alpine:3.19 AS builder From 995dea6f5cbec81990eb302574b23af6bdb34511 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 21 Jun 2024 10:10:11 +0200 Subject: [PATCH 28/67] postgres: option to enable quorum-based replication Signed-off-by: Andrei Kvapil --- packages/apps/postgres/Chart.yaml | 2 +- packages/apps/postgres/README.md | 12 +++++++----- packages/apps/postgres/templates/db.yaml | 3 +++ packages/apps/postgres/values.schema.json | 17 ++++++++++++++++- packages/apps/postgres/values.yaml | 9 ++++++++- packages/apps/versions_map | 3 ++- 6 files changed, 37 insertions(+), 9 deletions(-) diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index 89dee73f..eb9ab8cc 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.1 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
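Review bot: `ARG TARGETARCH` is declared without a default, so a plain `docker build` that does not go through buildx with `--platform` leaves it empty and the new `mv ./out/k8s-await-election-${TARGETARCH}` line fails with a confusing "no such file" error; a silent default to amd64 would be worse, so fail explicitly instead: `RUN test -n "$TARGETARCH" || { echo "TARGETARCH must be set (build with buildx --platform)"; exit 1; }` placed before the clone. As a side note on the context lines, `git reset --hard v${K8S_AWAIT_ELECTION_VERSION}` pins to a mutable git tag; pinning to the corresponding commit SHA would make this stage reproducible regardless of upstream tag moves. The builder stage continues past the hunk.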
diff --git a/packages/apps/postgres/README.md b/packages/apps/postgres/README.md index 5bdf290f..6fbfc582 100644 --- a/packages/apps/postgres/README.md +++ b/packages/apps/postgres/README.md @@ -35,11 +35,13 @@ more details: ### Common parameters -| Name | Description | Value | -| ---------- | ----------------------------------------------- | ------- | -| `external` | Enable external access from outside the cluster | `false` | -| `size` | Persistent Volume size | `10Gi` | -| `replicas` | Number of MariaDB replicas | `2` | +| Name | Description | Value | +| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `size` | Persistent Volume size | `10Gi` | +| `replicas` | Number of Postgres replicas | `2` | +| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed. | `0` | +| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0` | ### Configuration parameters diff --git a/packages/apps/postgres/templates/db.yaml b/packages/apps/postgres/templates/db.yaml index 7c7d5b9e..7c1483a1 100644 --- a/packages/apps/postgres/templates/db.yaml +++ b/packages/apps/postgres/templates/db.yaml @@ -11,6 +11,9 @@ spec: parameters: max_wal_senders: "30" + minSyncReplicas: {{ .Values.quorum.minSyncReplicas }} + maxSyncReplicas: {{ .Values.quorum.maxSyncReplicas }} + monitoring: enablePodMonitor: true diff --git a/packages/apps/postgres/values.schema.json b/packages/apps/postgres/values.schema.json index 11e09d44..51b81336 100644 --- a/packages/apps/postgres/values.schema.json +++ b/packages/apps/postgres/values.schema.json 
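Review bot: db.yaml renders `minSyncReplicas`/`maxSyncReplicas` straight from values with no relation check, so a user can set min above max or max at or above the instance count and only learn about it from the operator after the release is created. A template-side guard makes the failure immediate and readable, e.g. `{{- if gt (int .Values.quorum.minSyncReplicas) (int .Values.quorum.maxSyncReplicas) }}{{ fail "quorum.minSyncReplicas must not exceed quorum.maxSyncReplicas" }}{{- end }}` placed above the `minSyncReplicas:` line, and a similar check against the value that feeds `instances` (presumably `.Values.replicas`, not visible in this hunk). The rest of the Cluster spec is outside the hunk.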
@@ -14,9 +14,24 @@ }, "replicas": { "type": "number", - "description": "Number of MariaDB replicas", + "description": "Number of Postgres replicas", "default": 2 }, + "quorum": { + "type": "object", + "properties": { + "minSyncReplicas": { + "type": "number", + "description": "Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.", + "default": 0 + }, + "maxSyncReplicas": { + "type": "number", + "description": "Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).", + "default": 0 + } + } + }, "databases": { "type": "object", "description": "Databases configuration", diff --git a/packages/apps/postgres/values.yaml b/packages/apps/postgres/values.yaml index 2b7b49c1..0fdd8c19 100644 --- a/packages/apps/postgres/values.yaml +++ b/packages/apps/postgres/values.yaml @@ -2,12 +2,19 @@ ## @param external Enable external access from outside the cluster ## @param size Persistent Volume size -## @param replicas Number of MariaDB replicas +## @param replicas Number of Postgres replicas ## external: false size: 10Gi replicas: 2 +## Configuration for the quorum-based synchronous replication +## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed. +## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). +quorum: + minSyncReplicas: 0 + maxSyncReplicas: 0 + ## @section Configuration parameters ## @param users [object] Users configuration diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 712c3014..5d5d46b8 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map 
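Review bot: The two new quorum properties are declared as `"type": "number"` with no bounds, so fractional or negative values pass schema validation and only fail once the rendered object reaches the operator; declare them as `"type": "integer"` with `"minimum": 0` (the existing `replicas` property has the same `number` looseness, but that is context here). The schema cannot express the cross-field rules the descriptions state (min ≤ max, max lower than the instance count), so either a template check or the operator's own validation has to enforce them — a sentence saying which one does would help whoever edits these values.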
@@ -14,7 +14,8 @@ mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD postgres 0.1.0 f642698 postgres 0.2.0 7cd7de73 -postgres 0.2.1 HEAD +postgres 0.2.1 4a97e297 +postgres 0.3.0 HEAD rabbitmq 0.1.0 f642698 rabbitmq 0.2.0 HEAD redis 0.1.1 f642698 From b8e5309fc4b718147417e90297243e3e16e4bda5 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 24 Jun 2024 13:14:11 +0200 Subject: [PATCH 29/67] Refactor fluxcd 2.3 update (#172) Signed-off-by: Andrei Kvapil --- packages/core/fluxcd/Makefile | 6 ++- .../flux-operator/templates/deployment.yaml | 4 +- .../charts/flux-operator/values.schema.json | 7 --- .../fluxcd/charts/flux-operator/values.yaml | 3 -- packages/core/fluxcd/flux-customizations.yaml | 35 ------------- packages/core/fluxcd/patches/hostNetwork.diff | 52 +++++++++++++++++++ .../core/fluxcd/patches/kubernetesEnvs.diff | 12 +++++ packages/core/fluxcd/templates/_helpers.tpl | 13 +++++ packages/core/fluxcd/values.yaml | 43 ++++++++++++++- packages/core/fluxcd/valuesFile.yaml | 11 ---- .../templates/allow-from-kubeapps.yaml | 14 ----- 11 files changed, 124 insertions(+), 76 deletions(-) delete mode 100644 packages/core/fluxcd/flux-customizations.yaml create mode 100644 packages/core/fluxcd/patches/hostNetwork.diff create mode 100644 packages/core/fluxcd/patches/kubernetesEnvs.diff create mode 100644 packages/core/fluxcd/templates/_helpers.tpl delete mode 100644 packages/core/fluxcd/valuesFile.yaml delete mode 100644 packages/system/dashboard/templates/allow-from-kubeapps.yaml diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index f8bab3e7..fb20faf1 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile 
@@ -7,13 +7,15 @@ show: helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) apply: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml -f flux-customizations.yaml \ + helm template -n $(NAMESPACE) $(NAME) . --no-hooks \ --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f- diff: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks -f valuesFile.yaml -f flux-customizations.yaml \ + helm template -n $(NAMESPACE) $(NAME) . --no-hooks \ --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- update: rm -rf charts helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts + patch -p1 --no-backup-if-mismatch < patches/hostNetwork.diff + patch -p1 --no-backup-if-mismatch < patches/kubernetesEnvs.diff diff --git a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml index a1b1fa1f..5ad96a88 100644 --- a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml +++ b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml @@ -58,9 +58,7 @@ spec: - name: MARKETPLACE_LICENSE value: {{ . }} {{- end }} - {{- if .Values.extraEnvs }} - {{- toYaml .Values.extraEnvs | nindent 12 }} - {{- end }} + {{- include "cozy.kubernetes_envs" . | nindent 12 }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" diff --git a/packages/core/fluxcd/charts/flux-operator/values.schema.json b/packages/core/fluxcd/charts/flux-operator/values.schema.json index c00230f7..64270a70 100644 --- a/packages/core/fluxcd/charts/flux-operator/values.schema.json +++ b/packages/core/fluxcd/charts/flux-operator/values.schema.json 
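Review bot: The new `patch -p1` lines are applied to whatever chart version the context line `helm pull oci://…/flux-operator --untar` resolves at run time, because that pull carries no `--version`; an upstream chart release can therefore shift the hunks so they apply at an offset, or with fuzz, and the patched result silently differs from what was reviewed. Pin the pull (`helm pull … --version <chart version>`) and pass `--fuzz=0` to both `patch` invocations so only exact matches are accepted; `make` already stops on a non-zero exit, so a clean reject is caught, but a fuzzed apply is not. The `update` target is complete within the hunk.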
@@ -71,13 +71,6 @@ "properties": {}, "type": "object" }, - "extraEnvs": { - "items": { - "type": "object" - }, - "type": "array", - "uniqueItems": true - }, "fullnameOverride": { "type": "string" }, diff --git a/packages/core/fluxcd/charts/flux-operator/values.yaml b/packages/core/fluxcd/charts/flux-operator/values.yaml index 83d7eec5..7ecefc00 100644 --- a/packages/core/fluxcd/charts/flux-operator/values.yaml +++ b/packages/core/fluxcd/charts/flux-operator/values.yaml @@ -90,6 +90,3 @@ marketplace: # -- If `true`, start flux-operator in hostNetwork mode. hostNetwork: false - -# -- Add environment variables eg. for kubeprism KUBERNETES_SERVICE_HOST and _PORT -extraEnvs: [ ] diff --git a/packages/core/fluxcd/flux-customizations.yaml b/packages/core/fluxcd/flux-customizations.yaml deleted file mode 100644 index faacac59..00000000 --- a/packages/core/fluxcd/flux-customizations.yaml +++ /dev/null @@ -1,35 +0,0 @@ -fluxInstance: - kustomize: - patches: - - target: - kind: Deployment - name: "(kustomize-controller|helm-controller|source-controller)" - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --concurrent=20 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --requeue-dependency=5s - - op: replace - path: /spec/template/spec/containers/0/resources/limits - value: - cpu: 2000m - memory: 2048Mi - - target: - kind: Deployment - name: source-controller - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --storage-adv-addr=source-controller - - op: add - path: /spec/template/spec/containers/0/args/- - value: --events-addr=http://notification-controller/ - - target: - kind: Deployment - name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller) - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --events-addr=http://notification-controller/ 
diff --git a/packages/core/fluxcd/patches/hostNetwork.diff b/packages/core/fluxcd/patches/hostNetwork.diff new file mode 100644 index 00000000..89766ab0 --- /dev/null +++ b/packages/core/fluxcd/patches/hostNetwork.diff 
@@ -0,0 +1,52 @@ +diff --git a/charts/flux-operator/README.md b/charts/flux-operator/README.md +index 071e024..2fccc5f 100644 +--- a/charts/flux-operator/README.md ++++ b/charts/flux-operator/README.md +@@ -36,6 +36,7 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/) + | commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. | + | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. | + | fullnameOverride | string | `""` | | ++| hostNetwork | bool | `false` | If `true`, start flux-operator in hostNetwork mode. | + | image | object | `{"pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. | + | installCRDs | bool | `true` | Install and upgrade the custom resource definitions. | + | livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. | +diff --git a/charts/flux-operator/templates/deployment.yaml b/charts/flux-operator/templates/deployment.yaml +index 2d75821..8ffd8d8 100644 +--- a/charts/flux-operator/templates/deployment.yaml ++++ b/charts/flux-operator/templates/deployment.yaml +@@ -40,6 +40,9 @@ spec: + securityContext: + {{- toYaml . 
| nindent 8 }} + {{- end }} ++ {{- if .Values.hostNetwork }} ++ hostNetwork: true ++ {{- end }} + containers: + - name: manager + env: +diff --git a/charts/flux-operator/values.schema.json b/charts/flux-operator/values.schema.json +index 85e4d02..64270a7 100644 +--- a/charts/flux-operator/values.schema.json ++++ b/charts/flux-operator/values.schema.json +@@ -74,6 +74,10 @@ + "fullnameOverride": { + "type": "string" + }, ++ "hostNetwork": { ++ "default": false, ++ "type": "boolean" ++ }, + "image": { + "properties": { + "pullSecrets": { +diff --git a/charts/flux-operator/values.yaml b/charts/flux-operator/values.yaml +index 59b8a23..7ecefc0 100644 +--- a/charts/flux-operator/values.yaml ++++ b/charts/flux-operator/values.yaml +@@ -87,3 +87,6 @@ tolerations: [ ] # @schema item: object ; uniqueItems: true + marketplace: + license: "" + account: "" ++ ++# -- If `true`, start flux-operator in hostNetwork mode. ++hostNetwork: false diff --git a/packages/core/fluxcd/patches/kubernetesEnvs.diff b/packages/core/fluxcd/patches/kubernetesEnvs.diff new file mode 100644 index 00000000..12c00fff --- /dev/null +++ b/packages/core/fluxcd/patches/kubernetesEnvs.diff @@ -0,0 +1,12 @@ +diff --git a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml +index 8ffd8d8..5ad96a8 100644 +--- a/charts/flux-operator/templates/deployment.yaml ++++ b/charts/flux-operator/templates/deployment.yaml +@@ -58,6 +58,7 @@ spec: + - name: MARKETPLACE_LICENSE + value: {{ . }} + {{- end }} ++ {{- include "cozy.kubernetes_envs" . | nindent 12 }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" diff --git a/packages/core/fluxcd/templates/_helpers.tpl b/packages/core/fluxcd/templates/_helpers.tpl new file mode 100644 index 00000000..e22979ba --- /dev/null +++ b/packages/core/fluxcd/templates/_helpers.tpl 
@@ -0,0 +1,13 @@ +{{- define "cozy.kubernetes_envs" }} +{{- $cozyDeployment := lookup "apps/v1" "Deployment" "cozy-system" "cozystack" }} +{{- $cozyContainers := dig "spec" "template" "spec" "containers" dict $cozyDeployment }} +{{- range $cozyContainers }} +{{- if eq .name "cozystack" }} +{{- range .env }} +{{- if has .name (list "KUBERNETES_SERVICE_HOST" "KUBERNETES_SERVICE_PORT") }} +- {{ toJson . }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/core/fluxcd/values.yaml b/packages/core/fluxcd/values.yaml index 8e13df1c..0bc3466d 100644 --- a/packages/core/fluxcd/values.yaml +++ b/packages/core/fluxcd/values.yaml @@ -1,3 +1,10 @@ +flux-operator: + tolerations: + - key: node.kubernetes.io/not-ready + operator: Exists + effect: NoSchedule + hostNetwork: true + fluxInstance: # cluster: # domain: cozy.local 
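Review bot: `lookup` returns an empty map whenever the chart is rendered without cluster access (plain `helm template`, or a caller whose service account cannot read Deployments in cozy-system), and in that case `cozy.kubernetes_envs` emits nothing, so flux-operator silently falls back to the in-cluster `KUBERNETES_SERVICE_HOST`/`_PORT` instead of the endpoint the cozystack deployment uses — the opposite of what the helper is for, and hard to notice from the rendered manifest. Fail loudly instead: after the `lookup` line add `{{- if not $cozyDeployment }}{{ fail "cozy.kubernetes_envs: Deployment cozy-system/cozystack not found; render with --dry-run=server" }}{{- end }}`. A comment above the `define` stating that the helper copies only `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` from the `cozystack` container's env and therefore requires server-side rendering would also save the next maintainer a trip to the Makefile.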
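Review bot: `hostNetwork: true` puts flux-operator in the node's network namespace, so it can reach node-local listeners (kubelet, metadata endpoints) and its own ports bind on the host, and the hunk gives no hint why that is acceptable here. The deleted valuesFile.yaml further down pointed the operator at `KUBERNETES_SERVICE_HOST: localhost` on port `7445`, so presumably hostNetwork exists to make that node-local apiserver endpoint reachable; a one-line comment on the key — `# hostNetwork: needed so the node-local apiserver endpoint copied from the cozystack deployment is reachable` — would document the trade-off, and it is worth confirming that the chart's container securityContext still drops capabilities in this mode.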
@@ -10,4 +17,38 @@ fluxInstance: - helm-controller - notification-controller - image-reflector-controller - - image-automation-controller \ No newline at end of file + - image-automation-controller + kustomize: + patches: + - target: + kind: Deployment + name: "(kustomize-controller|helm-controller|source-controller)" + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=20 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + - op: replace + path: /spec/template/spec/containers/0/resources/limits + value: + cpu: 2000m + memory: 2048Mi + - target: + kind: Deployment + name: source-controller + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --storage-adv-addr=source-controller.cozy-fluxcd.svc + - op: add + path: /spec/template/spec/containers/0/args/- + value: --events-addr=http://notification-controller.cozy-fluxcd.svc/ + - target: + kind: Deployment + name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller) + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --events-addr=http://notification-controller.cozy-fluxcd.svc/ diff --git a/packages/core/fluxcd/valuesFile.yaml b/packages/core/fluxcd/valuesFile.yaml deleted file mode 100644 index 23694817..00000000 --- a/packages/core/fluxcd/valuesFile.yaml +++ /dev/null @@ -1,11 +0,0 @@ -flux-operator: - tolerations: - - key: node.kubernetes.io/not-ready - operator: Exists - effect: NoSchedule - hostNetwork: true - extraEnvs: - - name: KUBERNETES_SERVICE_HOST - value: localhost - - name: KUBERNETES_SERVICE_PORT - value: "7445" diff --git a/packages/system/dashboard/templates/allow-from-kubeapps.yaml b/packages/system/dashboard/templates/allow-from-kubeapps.yaml deleted file mode 100644 index c8850d88..00000000 --- a/packages/system/dashboard/templates/allow-from-kubeapps.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-from-dashboard - namespace: cozy-fluxcd -spec: - ingress: - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: cozy-dashboard - podSelector: {} - policyTypes: - - Ingress From 73b6f7f962dd3633f3fa4248e7317885f957a1a6 Mon Sep 17 00:00:00 2001 From: Kingdon Barrett Date: Mon, 24 Jun 2024 07:24:37 -0400 Subject: [PATCH 30/67] Flux Operator 0.6 (#178) This PR upgrades to Flux-Operator 0.6 released this morning, also includes: * #170 which is an aggregate PR, so #171 #172 etc. I think this PR now basically subsumes #170 and can replace it. I have at least 80% confidence there are no errors in this PR. It also restores the networkPolicy default and the deleted cozy-dashboard network policy, which we will see fixed (restored to install NetworkPolicy resources by default) in the next `flux-operator` release. Ref: https://github.com/controlplaneio-fluxcd/flux-operator/pull/52 Signed-off-by: Andrei Kvapil --- packages/core/fluxcd/Makefile | 1 - .../fluxcd/charts/flux-operator/Chart.yaml | 4 +- .../fluxcd/charts/flux-operator/README.md | 9 +- .../charts/flux-operator/templates/crds.yaml | 284 ++++++++++++++++++ .../flux-operator/templates/deployment.yaml | 9 +- .../templates/serviceaccount.yaml | 2 + .../charts/flux-operator/values.schema.json | 13 + .../fluxcd/charts/flux-operator/values.yaml | 9 +- packages/core/fluxcd/patches/hostNetwork.diff | 52 ---- .../core/fluxcd/patches/kubernetesEnvs.diff | 4 +- .../core/fluxcd/templates/flux-instance.yaml | 5 +- packages/core/fluxcd/values.yaml | 5 +- packages/core/installer/images/cozystack.json | 6 +- .../templates/allow-from-kubeapps.yaml | 14 + 14 files changed, 347 insertions(+), 70 deletions(-) delete mode 100644 packages/core/fluxcd/patches/hostNetwork.diff create mode 100644 packages/system/dashboard/templates/allow-from-kubeapps.yaml 
diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index fb20faf1..44897f9f 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile @@ -17,5 +17,4 @@ diff: update: rm -rf charts helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts - patch -p1 --no-backup-if-mismatch < patches/hostNetwork.diff patch -p1 --no-backup-if-mismatch < patches/kubernetesEnvs.diff diff --git a/packages/core/fluxcd/charts/flux-operator/Chart.yaml b/packages/core/fluxcd/charts/flux-operator/Chart.yaml index 695e3a09..4d13ecdb 100644 --- a/packages/core/fluxcd/charts/flux-operator/Chart.yaml +++ b/packages/core/fluxcd/charts/flux-operator/Chart.yaml @@ -8,7 +8,7 @@ annotations: - name: Upstream Project url: https://github.com/controlplaneio-fluxcd/flux-operator apiVersion: v2 -appVersion: v0.4.0 +appVersion: v0.6.0 description: 'A Helm chart for deploying the Flux Operator. ' home: https://github.com/controlplaneio-fluxcd icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png @@ -27,4 +27,4 @@ sources: - https://github.com/controlplaneio-fluxcd/flux-operator - https://github.com/controlplaneio-fluxcd/charts type: application -version: 0.4.0 +version: 0.6.0 diff --git a/packages/core/fluxcd/charts/flux-operator/README.md b/packages/core/fluxcd/charts/flux-operator/README.md index 2fccc5fe..7fea50d7 100644 --- a/packages/core/fluxcd/charts/flux-operator/README.md +++ b/packages/core/fluxcd/charts/flux-operator/README.md 
@@ -1,6 +1,6 @@ # flux-operator -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.0](https://img.shields.io/badge/AppVersion-v0.4.0-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.6.0](https://img.shields.io/badge/AppVersion-v0.6.0-informational?style=flat-square) The [Flux Operator](https://github.com/controlplaneio-fluxcd) provides a declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the 
@@ -35,19 +35,20 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/) | affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}` | Pod affinity and anti-affinity settings. | | commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. | | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. | +| extraEnvs | list | `[]` | Container extra environment variables. | | fullnameOverride | string | `""` | | -| hostNetwork | bool | `false` | If `true`, start flux-operator in hostNetwork mode. | +| hostNetwork | bool | `false` | If `true`, the container ports (`8080` and `8081`) are exposed on the host network. | | image | object | `{"pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. | | installCRDs | bool | `true` | Install and upgrade the custom resource definitions. | | livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. | -| marketplace | object | `{"account":"","license":""}` | Marketplace settings. | +| marketplace | object | `{"account":"","license":"","type":""}` | Marketplace settings. | | nameOverride | string | `""` | | | podSecurityContext | object | `{}` | Pod security context settings. | | priorityClassName | string | `""` | Pod priority class name. Recommended value is system-cluster-critical. | | readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}` | Container readiness probe settings. 
| | resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | Container resources requests and limits settings. | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context settings. The default is compliant with the pod security restricted profile. | -| serviceAccount | object | `{"automount":true,"name":""}` | Pod service account settings. The name of the service account defaults to the release name. | +| serviceAccount | object | `{"automount":true,"create":true,"name":""}` | Pod service account settings. The name of the service account defaults to the release name. | | tolerations | list | `[]` | Pod tolerations settings. | ## Source Code diff --git a/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml b/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml index 6a61979e..ff6dfe83 100644 --- a/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml +++ b/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml @@ -112,6 +112,13 @@ spec: description: Distribution specifies the version and container registry to pull images from. properties: + artifact: + description: |- + Artifact is the URL to the OCI artifact containing + the latest Kubernetes manifests for the distribution, + e.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'. + pattern: ^oci://.*$ + type: string imagePullSecret: description: |- ImagePullSecret is the name of the Kubernetes secret 
@@ -417,4 +424,281 @@ spec: storage: true subresources: status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + app.kubernetes.io/name: '{{ .Chart.Name }}' + app.kubernetes.io/version: '{{ .Chart.AppVersion }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + name: fluxreports.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: FluxReport + listKind: FluxReportList + plural: fluxreports + singular: fluxreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.distribution.entitlement + name: Entitlement + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].lastTransitionTime + name: LastUpdated + type: string + name: v1 + schema: + openAPIV3Schema: + description: FluxReport is the Schema for the fluxreports API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FluxReportSpec defines the observed state of a Flux installation. + properties: + components: + description: ComponentsStatus is the status of the Flux controller + deployments. + items: + description: FluxComponentStatus defines the observed state of a + Flux component. + properties: + image: + description: Image is the container image of the Flux component. + type: string + name: + description: Name is the name of the Flux component. + type: string + ready: + description: Ready is the readiness status of the Flux component. + type: boolean + status: + description: |- + Status is a human-readable message indicating details + about the Flux component observed state. + type: string + required: + - image + - name + - ready + - status + type: object + type: array + distribution: + description: Distribution is the version information of the Flux installation. + properties: + entitlement: + description: Entitlement is the entitlement verification status. + type: string + managedBy: + description: ManagedBy is the name of the operator managing the + Flux instance. + type: string + status: + description: |- + Status is a human-readable message indicating details + about the distribution observed state. + type: string + version: + description: Version is the version of the Flux instance. + type: string + required: + - entitlement + - status + type: object + reconcilers: + description: |- + ReconcilersStatus is the list of Flux reconcilers and + their statistics grouped by API kind. + items: + description: FluxReconcilerStatus defines the observed state of + a Flux reconciler. + properties: + apiVersion: + description: APIVersion is the API version of the Flux resource. + type: string + kind: + description: Kind is the kind of the Flux resource. 
+ type: string + stats: + description: Stats is the reconcile statics of the Flux resource + kind. + properties: + failing: + description: |- + Failing is the number of reconciled + resources in the Failing state. + type: integer + running: + description: |- + Running is the number of reconciled + resources in the Running state. + type: integer + suspended: + description: |- + Suspended is the number of reconciled + resources in the Suspended state. + type: integer + totalSize: + description: TotalSize is the total size of the artifacts + in storage. + type: string + required: + - failing + - running + - suspended + type: object + required: + - apiVersion + - kind + type: object + type: array + sync: + description: |- + SyncStatus is the status of the cluster sync + Source and Kustomization resources. + properties: + id: + description: ID is the identifier of the sync. + type: string + path: + description: Path is the kustomize path of the sync. + type: string + ready: + description: Ready is the readiness status of the sync. + type: boolean + source: + description: Source is the URL of the source repository. + type: string + status: + description: |- + Status is a human-readable message indicating details + about the sync observed state. + type: string + required: + - id + - ready + - status + type: object + required: + - distribution + type: object + status: + description: FluxReportStatus defines the readiness of a FluxReport. + properties: + conditions: + description: Conditions contains the readiness conditions of the object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} {{- end }} diff --git a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml index 5ad96a88..7de88af2 100644 --- a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml +++ b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml @@ -35,7 +35,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "flux-operator.fullname" . }} + serviceAccountName: {{ include "flux-operator.serviceAccountName" . }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -50,6 +50,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- with .Values.marketplace.type }} + - name: MARKETPLACE_TYPE + value: {{ . }} + {{- end }} {{- with .Values.marketplace.account }} - name: MARKETPLACE_ACCOUNT value: {{ . }} 
@@ -58,6 +62,9 @@ spec: - name: MARKETPLACE_LICENSE value: {{ . }} {{- end }} + {{- if .Values.extraEnvs }} + {{- toYaml .Values.extraEnvs | nindent 12 }} + {{- end }} {{- include "cozy.kubernetes_envs" . | nindent 12 }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} diff --git a/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml b/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml index b2dcb45f..2a481a59 100644 --- a/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml +++ b/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml @@ -1,3 +1,4 @@ +{{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: @@ -13,3 +14,4 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/packages/core/fluxcd/charts/flux-operator/values.schema.json b/packages/core/fluxcd/charts/flux-operator/values.schema.json index 64270a70..1324083f 100644 --- a/packages/core/fluxcd/charts/flux-operator/values.schema.json +++ b/packages/core/fluxcd/charts/flux-operator/values.schema.json @@ -71,6 +71,13 @@ "properties": {}, "type": "object" }, + "extraEnvs": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + }, "fullnameOverride": { "type": "string" }, @@ -140,6 +147,9 @@ }, "license": { "type": "string" + }, + "type": { + "type": "string" } }, "type": "object" @@ -274,6 +284,9 @@ "automount": { "type": "boolean" }, + "create": { + "type": "boolean" + }, "name": { "type": "string" } diff --git a/packages/core/fluxcd/charts/flux-operator/values.yaml b/packages/core/fluxcd/charts/flux-operator/values.yaml index 7ecefc00..feebdf18 100644 --- a/packages/core/fluxcd/charts/flux-operator/values.yaml +++ b/packages/core/fluxcd/charts/flux-operator/values.yaml 
@@ -51,6 +51,7 @@ readinessProbe: # @schema default: {"httpGet":{"path":"/readyz","port":8081},"in # -- Pod service account settings. # The name of the service account defaults to the release name. serviceAccount: # @schema default: {"create":true,"automount":true,"name":""} + create: true automount: true name: "" @@ -85,8 +86,12 @@ tolerations: [ ] # @schema item: object ; uniqueItems: true # -- Marketplace settings. marketplace: + type: "" license: "" account: "" -# -- If `true`, start flux-operator in hostNetwork mode. -hostNetwork: false +# -- If `true`, the container ports (`8080` and `8081`) are exposed on the host network. +hostNetwork: false # @schema default: false + +# -- Container extra environment variables. +extraEnvs: [ ] # @schema item: object ; uniqueItems: true diff --git a/packages/core/fluxcd/patches/hostNetwork.diff b/packages/core/fluxcd/patches/hostNetwork.diff deleted file mode 100644 index 89766ab0..00000000 --- a/packages/core/fluxcd/patches/hostNetwork.diff +++ /dev/null 
@@ -1,52 +0,0 @@ -diff --git a/charts/flux-operator/README.md b/charts/flux-operator/README.md -index 071e024..2fccc5f 100644 ---- a/charts/flux-operator/README.md -+++ b/charts/flux-operator/README.md -@@ -36,6 +36,7 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/) - | commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. | - | commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. | - | fullnameOverride | string | `""` | | -+| hostNetwork | bool | `false` | If `true`, start flux-operator in hostNetwork mode. | - | image | object | `{"pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. | - | installCRDs | bool | `true` | Install and upgrade the custom resource definitions. | - | livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. | -diff --git a/charts/flux-operator/templates/deployment.yaml b/charts/flux-operator/templates/deployment.yaml -index 2d75821..8ffd8d8 100644 ---- a/charts/flux-operator/templates/deployment.yaml -+++ b/charts/flux-operator/templates/deployment.yaml -@@ -40,6 +40,9 @@ spec: - securityContext: - {{- toYaml . 
| nindent 8 }} - {{- end }} -+ {{- if .Values.hostNetwork }} -+ hostNetwork: true -+ {{- end }} - containers: - - name: manager - env: -diff --git a/charts/flux-operator/values.schema.json b/charts/flux-operator/values.schema.json -index 85e4d02..64270a7 100644 ---- a/charts/flux-operator/values.schema.json -+++ b/charts/flux-operator/values.schema.json -@@ -74,6 +74,10 @@ - "fullnameOverride": { - "type": "string" - }, -+ "hostNetwork": { -+ "default": false, -+ "type": "boolean" -+ }, - "image": { - "properties": { - "pullSecrets": { -diff --git a/charts/flux-operator/values.yaml b/charts/flux-operator/values.yaml -index 59b8a23..7ecefc0 100644 ---- a/charts/flux-operator/values.yaml -+++ b/charts/flux-operator/values.yaml -@@ -87,3 +87,6 @@ tolerations: [ ] # @schema item: object ; uniqueItems: true - marketplace: - license: "" - account: "" -+ -+# -- If `true`, start flux-operator in hostNetwork mode. -+hostNetwork: false diff --git a/packages/core/fluxcd/patches/kubernetesEnvs.diff b/packages/core/fluxcd/patches/kubernetesEnvs.diff index 12c00fff..1c9c1c39 100644 --- a/packages/core/fluxcd/patches/kubernetesEnvs.diff +++ b/packages/core/fluxcd/patches/kubernetesEnvs.diff @@ -3,8 +3,8 @@ index 8ffd8d8..5ad96a8 100644 --- a/charts/flux-operator/templates/deployment.yaml +++ b/charts/flux-operator/templates/deployment.yaml @@ -58,6 +58,7 @@ spec: - - name: MARKETPLACE_LICENSE - value: {{ . }} + {{- if .Values.extraEnvs }} + {{- toYaml .Values.extraEnvs | nindent 12 }} {{- end }} + {{- include "cozy.kubernetes_envs" . | nindent 12 }} securityContext: diff --git a/packages/core/fluxcd/templates/flux-instance.yaml b/packages/core/fluxcd/templates/flux-instance.yaml index 12999f66..20887794 100644 --- a/packages/core/fluxcd/templates/flux-instance.yaml +++ b/packages/core/fluxcd/templates/flux-instance.yaml 
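Review bot: the patch now places `{{- include "cozy.kubernetes_envs" . | nindent 12 }}` directly after the `extraEnvs` block, so a values file that also sets KUBERNETES_SERVICE_HOST or KUBERNETES_SERVICE_PORT through `extraEnvs` (the mechanism the deleted valuesFile.yaml used) yields two env entries with the same name; Kubernetes accepts that and presumably the later entry takes effect, which is a silent override. If both sources are meant to coexist, a comment in the patch saying that the helper's values win, or a guard that skips the helper when `extraEnvs` already carries those names, would make the precedence explicit.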
@@ -5,6 +5,9 @@ metadata:
 spec:
   {{- with .Values.fluxInstance.cluster }}
   cluster:
+    {{- with .networkPolicy }}
+    networkPolicy: {{ . }}
+    {{- end }}
     {{- with .domain }}
     domain: {{ . }}
     {{- end }}
@@ -19,4 +22,4 @@ spec:
   kustomize:
   {{- if .Values.fluxInstance.kustomize }}
   {{- toYaml .Values.fluxInstance.kustomize | nindent 4 }}
-  {{- end }}
\ No newline at end of file
+  {{- end }}
diff --git a/packages/core/fluxcd/values.yaml b/packages/core/fluxcd/values.yaml
index 0bc3466d..c5a27fe0 100644
--- a/packages/core/fluxcd/values.yaml
+++ b/packages/core/fluxcd/values.yaml
@@ -6,8 +6,9 @@ flux-operator:
   hostNetwork: true
 
 fluxInstance:
-  # cluster:
-  #   domain: cozy.local
+  cluster:
+    networkPolicy: true
+    # domain: cozy.local
   distribution:
     version: 2.3.x
     registry: ghcr.io/fluxcd
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json
index 63a732c3..71b95399 100644
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,10 +1,10 @@
 {
-  "buildx.build.ref": "youthful_hertz/youthful_hertz0/aafwjh8j28i98f59smgh3qe86",
+  "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/t5xx0qcox11kirc7xzxp3iwy6",
   "containerimage.descriptor": {
     "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
-    "digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef",
+    "digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1",
     "size": 685
   },
-  "containerimage.digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef",
+  "containerimage.digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1",
   "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest"
 }
\ No newline at end of file
diff --git a/packages/system/dashboard/templates/allow-from-kubeapps.yaml b/packages/system/dashboard/templates/allow-from-kubeapps.yaml
new file mode 100644
index 00000000..c8850d88
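Review bot: `{{- with .networkPolicy }}` skips its body for a false value, so `fluxInstance.cluster.networkPolicy: false` can never be rendered — only `true` reaches the FluxInstance, and `false` silently falls back to the operator's default, the opposite of what someone setting it would expect. Test for presence instead: `{{- if hasKey . "networkPolicy" }}` / `networkPolicy: {{ .networkPolicy }}` / `{{- end }}`. The values.yaml hunk below sets the key to `true`, so the defect is latent today.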
--- /dev/null
+++ b/packages/system/dashboard/templates/allow-from-kubeapps.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-dashboard
+  namespace: cozy-fluxcd
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: cozy-dashboard
+  podSelector: {}
+  policyTypes:
+  - Ingress
From 246b44945ea17d65fc2011bd8ee1081adb540780 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Mon, 24 Jun 2024 18:55:35 +0200
Subject: [PATCH 31/67] add certManager addon
Signed-off-by: Andrei Kvapil
---
 packages/apps/kubernetes/README.md | 1 +
 .../templates/helmreleases/cert-manager.yaml | 34 +++++++++++++++++++
 .../templates/helmreleases/cilium.yaml | 2 ++
 .../templates/helmreleases/csi.yaml | 2 ++
 .../templates/helmreleases/delete.yaml | 22 +++++++-----
 packages/apps/kubernetes/values.yaml | 6 ++++
 6 files changed, 58 insertions(+), 9 deletions(-)
 create mode 100644 packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
diff --git a/packages/apps/kubernetes/README.md b/packages/apps/kubernetes/README.md
index 2d5b43a5..8783db67 100644
--- a/packages/apps/kubernetes/README.md
+++ b/packages/apps/kubernetes/README.md
@@ -36,3 +36,4 @@ kubectl get secret -n kubernetes--admin-kubeconfig -o g
 | `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` |
 | `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` |
 | `nodeGroups` | nodeGroups configuration | `{}` |
+| `addons` | addons configuration | `{}` |
diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
new file mode 100644
index 00000000..175b94b2
--- /dev/null
+++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml
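Review bot: reading `podSelector: {}` as the required `spec.podSelector`, this policy admits traffic from every pod in cozy-dashboard to every pod in cozy-fluxcd on every port, which is broader than a dashboard integration should need. If the dashboard talks to a single Flux component, narrow `podSelector` to that component's labels and add a `ports` entry, and record which component and why in a comment above `spec:`. The policy is also created in cozy-fluxcd by the dashboard package rather than by the Flux package, which belongs in the same comment so the next reader knows where it is managed.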
@@ -0,0 +1,34 @@
+{{- if .Values.addons.certManager.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: {{ .Release.Name }}-cert-manager
+  labels:
+    cozystack.io/repository: system
+    coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+  interval: 1m
+  releaseName: cert-mnager
+  chart:
+    spec:
+      chart: cozy-cert-manager
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: cozystack-system
+        namespace: cozy-system
+  kubeConfig:
+    secretRef:
+      name: {{ .Release.Name }}-kubeconfig
+  targetNamespace: cozy-cert-manager
+  storageNamespace: cozy-cert-manager
+  install:
+    createNamespace: true
+  dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+  - name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  - name: {{ .Release.Name }}-cilium
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
index 4f23ed21..ca99af87 100644
--- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml
@@ -44,5 +44,7 @@ spec:
     enableIPv4Masquerade: true
     ipv4NativeRoutingCIDR: ""
   dependsOn:
+  {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
   - name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}
+  {{- end }}
diff --git a/packages/apps/kubernetes/templates/helmreleases/csi.yaml b/packages/apps/kubernetes/templates/helmreleases/csi.yaml
index 5ced4163..349da151 100644
--- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml
+++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml
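Review bot: two added lines look like typos: `coztstack.io/target-cluster-name` does not match the `cozystack.io/` prefix of the label directly above it, so anything selecting on `cozystack.io/target-cluster-name` will miss this HelmRelease, and `releaseName: cert-mnager` names the Helm release unlike the `-cert-manager` suffix used for the object itself; the intended lines are presumably `cozystack.io/target-cluster-name: {{ .Release.Name }}` and `releaseName: cert-manager`. The `{{- if lookup ... }}` guard around the parent dependency (also added in the cilium.yaml and csi.yaml hunks that follow) renders differently under `helm template` and `--dry-run`, where `lookup` returns nothing and the parent `dependsOn` entry disappears. A one-line comment above the guard, saying it adds the parent only when this chart is itself managed by a HelmRelease of the same name, would spare the next reader that surprise.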
@@ -24,5 +24,7 @@ spec: install: createNamespace: true dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/delete.yaml b/packages/apps/kubernetes/templates/helmreleases/delete.yaml index 71215c30..f89ac771 100644 --- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml @@ -22,15 +22,18 @@ spec: - name: kubectl image: docker.io/clastix/kubectl:v1.29.1 command: - - kubectl - - --namespace={{ .Release.Namespace }} - - patch - - helmrelease - - {{ .Release.Name }}-cilium - - {{ .Release.Name }}-csi - - -p - - '{"spec": {"suspend": true}}' - - --type=merge + - /bin/sh + - -c + - | + kubectl + --namespace={{ .Release.Namespace }} + patch + helmrelease + {{ .Release.Name }}-cilium + {{ .Release.Name }}-csi + {{ .Release.Name }}-cert-manager + -p '{"spec": {"suspend": true}}' + --type=merge --field-manager=flux-client-side-apply || true --- apiVersion: v1 kind: ServiceAccount @@ -60,6 +63,7 @@ rules: resourceNames: - {{ .Release.Name }}-cilium - {{ .Release.Name }}-csi + - {{ .Release.Name }}-cert-manager --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index 15b5cc2b..c2670a7e 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -16,3 +16,9 @@ nodeGroups: resources: cpu: 2 memory: 1024Mi + +## @param addons [object] addons configuration +## +addons: + certManager: + enabled: false From d841a20635e9e01f0951b81f7c415bbac6e80f61 Mon Sep 17 00:00:00 2001 From: Kingdon Barrett Date: Tue, 25 Jun 2024 05:53:31 -0400 Subject: [PATCH 32/67] Fix typo (#179) Signed-off-by: Kingdon Barrett --- packages/apps/tenant/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
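Review bot: the `- |` literal block keeps its newlines, and the +22,18 line count shows the block holds one token per line, so `/bin/sh -c` runs `kubectl` by itself and then tries `--namespace=...`, `patch`, and so on as separate commands; as far as I can tell the suspend patch is never issued, and the trailing `|| true` turns the resulting errors into a successful hook. A folded scalar, `- >`, joins the lines with spaces and restores the single command. The `|| true` also hides genuine failures; since it appears to exist only because the cert-manager HelmRelease is absent when the addon is off, guard that name instead — `{{- if .Values.addons.certManager.enabled }}` / `{{ .Release.Name }}-cert-manager` / `{{- end }}` — and apply the same guard to the resourceNames entry in the RBAC hunk below, letting a real failure fail the hook.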
diff --git a/packages/apps/tenant/README.md b/packages/apps/tenant/README.md index d33ecc7b..9b17e8fc 100644 --- a/packages/apps/tenant/README.md +++ b/packages/apps/tenant/README.md @@ -25,7 +25,7 @@ tenant-root (example.org) Thus, you can create `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`. And create another tenant namespace `tenant-u2` inside of `tenant-u1`. -Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namesapce. +Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namespace. Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`, the applications will use the cluster services of the parent tenant. This in turn means: From 2145f41c7f72b26e1b195e997132a7c8a89352ef Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 25 Jun 2024 14:33:07 +0200 Subject: [PATCH 33/67] Use patch with --no-backup-if-mismatch (#181) Add option `--no-backup-if-mismatch` to every patch command, so it will not create .orig and .diff files anymore --- packages/core/fluxcd/Makefile | 2 +- packages/system/dashboard/Makefile | 2 +- packages/system/ingress-nginx/Makefile | 2 +- packages/system/kamaji-etcd/Makefile | 6 +++--- packages/system/kubeovn/Makefile | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile index 44897f9f..6da8d847 100644 --- a/packages/core/fluxcd/Makefile +++ b/packages/core/fluxcd/Makefile @@ -17,4 +17,4 @@ diff: update: rm -rf charts helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts - patch -p1 --no-backup-if-mismatch < patches/kubernetesEnvs.diff + patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index f7a66c71..e7a91bd4 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile 
@@ -19,7 +19,7 @@ update-chart: update-dockerfiles: tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps | awk -F'[/^]' 'END{print $$3}') && \ wget https://github.com/vmware-tanzu/kubeapps/raw/$${tag}/cmd/kubeapps-apis/Dockerfile -O images/kubeapps-apis/Dockerfile && \ - patch images/kubeapps-apis/Dockerfile < images/kubeapps-apis/dockerfile.diff && \ + patch --no-backup-if-mismatch images/kubeapps-apis/Dockerfile < images/kubeapps-apis/dockerfile.diff && \ node_image=$$(wget -O- https://github.com/vmware-tanzu/kubeapps/raw/main/dashboard/Dockerfile | awk '/FROM bitnami\/node/ {print $$2}') && \ sed -i "s|FROM .* AS build|FROM $${node_image} AS build|" images/dashboard/Dockerfile && \ version=$$(echo "$$tag" | sed 's/^v//') && \ diff --git a/packages/system/ingress-nginx/Makefile b/packages/system/ingress-nginx/Makefile index 831ef0a0..010612d5 100644 --- a/packages/system/ingress-nginx/Makefile +++ b/packages/system/ingress-nginx/Makefile @@ -8,7 +8,7 @@ update: helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo update ingress-nginx helm pull ingress-nginx/ingress-nginx --untar --untardir charts - patch -p 3 < patches/add-metrics2.patch + patch --no-backup-if-mismatch -p 3 < patches/add-metrics2.patch rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig rm -rf charts/ingress-nginx/changelog/ #sed -i '/ type:/a \ allocateLoadBalancerNodePorts: false' charts/ingress-nginx/templates/controller-service.yaml diff --git a/packages/system/kamaji-etcd/Makefile b/packages/system/kamaji-etcd/Makefile index b2f909b8..a5419dbb 100644 --- a/packages/system/kamaji-etcd/Makefile +++ b/packages/system/kamaji-etcd/Makefile 
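Review bot: With `--no-backup-if-mismatch` added to `patch -p 3 < patches/add-metrics2.patch`, `patch` no longer writes a `.orig` backup, so the next line in the same hunk, `rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig`, is now dead and can be dropped. A committed `controller-daemonset.yaml.orig` is deleted later on this page, which is exactly the leftover the flag is meant to prevent; removing the `rm -f` makes that intent explicit rather than leaving two mechanisms for the same thing. The `update` target line is outside this hunk.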
@@ -4,6 +4,6 @@ update: helm repo update clastix helm pull clastix/kamaji-etcd --untar --untardir charts sed -i 's/hook-failed/before-hook-creation,hook-failed/' `grep -rl hook-failed charts` - patch -p4 < patches/fix-svc.diff - patch -p4 < patches/fullnameOverride.diff - patch -p4 < patches/remove-plus.patch + patch --no-backup-if-mismatch -p4 < patches/fix-svc.diff + patch --no-backup-if-mismatch -p4 < patches/fullnameOverride.diff + patch --no-backup-if-mismatch -p4 < patches/remove-plus.patch diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index 783005ba..b47ba177 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -10,7 +10,7 @@ update: rm -rf charts && mkdir -p charts/kube-ovn curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \ tar xzvf - --strip 1 kube-ovn-master/charts - patch -p4 --no-backup-if-mismatch < patches/cozyconfig.diff + patch --no-backup-if-mismatch -p4 < patches/cozyconfig.diff ln -s ../../images charts/kube-ovn/images sed -i '/image:/ s/{{.*}}/{{ include "kubeovn.image" . }}/g' `grep -rl image: charts/kube-ovn/templates/` From 6bd2d45531c4ce676c10b6a92535ac6f743dba20 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 25 Jun 2024 12:46:11 +0200 Subject: [PATCH 34/67] add tenant nginx-ingress 
Signed-off-by: Andrei Kvapil --- packages/apps/kubernetes/Chart.yaml | 2 +- packages/apps/kubernetes/README.md | 14 +- .../apps/kubernetes/templates/cluster.yaml | 9 + .../templates/helmreleases/ingress-nginx.yaml | 44 ++++ .../apps/kubernetes/templates/ingress.yaml | 43 ++++ packages/apps/kubernetes/values.schema.json | 30 +++ packages/apps/kubernetes/values.yaml | 13 +- packages/apps/versions_map | 3 +- packages/core/installer/images/cozystack.json | 6 +- packages/system/ingress-nginx/Makefile | 1 - .../templates/controller-daemonset.yaml.orig | 243 ------------------ 11 files changed, 150 insertions(+), 258 deletions(-) create mode 100644 packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml create mode 100644 packages/apps/kubernetes/templates/ingress.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 39e8cc22..fd023735 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.0 +version: 0.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kubernetes/README.md b/packages/apps/kubernetes/README.md index 8783db67..434ca7ee 100644 --- a/packages/apps/kubernetes/README.md +++ b/packages/apps/kubernetes/README.md 
@@ -31,9 +31,11 @@ kubectl get secret -n kubernetes--admin-kubeconfig -o g ### Common parameters -| Name | Description | Value | -| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ----- | -| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` | -| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | -| `nodeGroups` | nodeGroups configuration | `{}` | -| `addons` | addons configuration | `{}` | +| Name | Description | Value | +| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------- | +| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` | +| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | +| `nodeGroups` | nodeGroups configuration | `{}` | +| `addons.certManager.enabled` | Enables the certificate manager which automatically creates and manages SSL/TLS certificates | `true` | +| `addons.ingressNginx.enabled` | Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role | `true` | +| `addons.ingressNginx.host` | The domain name that should be passtrough to the cluster by upper ingress. | `example.org` | diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index baa0bc6b..8ef574ef 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -114,6 +114,10 @@ spec: virtualMachineTemplate: metadata: namespace: {{ $.Release.Namespace }} + labels: + {{- range $group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} spec: runStrategy: Always template: @@ -165,6 +169,11 @@ metadata: spec: clusterName: {{ $.Release.Name }} template: + metadata: + labels: + {{- range $group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} spec: bootstrap: configRef: diff --git a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml new file mode 100644 index 00000000..13749a9f --- /dev/null +++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml @@ -0,0 +1,44 @@ +{{- if .Values.addons.ingressNginx.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-ingress-nginx + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 1m + releaseName: cert-mnager + chart: + spec: + chart: cozy-ingress-nginx + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-ingress-nginx + storageNamespace: cozy-ingress-nginx + install: + createNamespace: true + values: + ingress-nginx: + fullnameOverride: ingress-nginx + controller: + kind: DaemonSet + hostNetwork: true + service: + enabled: false + nodeSelector: + node-role.kubernetes.io/ingress-nginx: "" + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} +{{- end }} 
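Review bot: Both new `labels:` blocks turn every entry of `$group.roles` into a label key `node-role.kubernetes.io/{{ . }}` without validation, and the values.schema.json hunk in this commit does not declare `nodeGroups[].roles`, so a role containing a character that is not valid in a label name is only rejected when the VirtualMachine or MachineDeployment is applied. Declaring `roles` in the schema as an array of strings with a label-name pattern would fail at `helm install` instead. A comment above the first block, e.g. `# node-role.kubernetes.io/* labels on the template are expected to reach the Node and drive the ingress-nginx nodeSelector`, would record why these labels exist, assuming label propagation is the mechanism relied on; both enclosing templates start outside these hunks.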
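Review bot: `releaseName: cert-mnager` in the new ingress-nginx HelmRelease looks copied from the cert-manager template, so the Helm release installed into `cozy-ingress-nginx` would be named after a different component, and the label key `coztstack.io/target-cluster-name` is misspelled, so any selector on `cozystack.io/target-cluster-name` will miss this object. Suggested lines: `releaseName: ingress-nginx` and `cozystack.io/target-cluster-name: {{ .Release.Name }}`. Separately, `hostNetwork: true` together with `service.enabled: false` means the controller binds its ports directly in the tenant node's network namespace; a one-line comment stating that this is intentional because the management-cluster Service in ingress.yaml reaches it that way would save the next reader a question.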
diff --git a/packages/apps/kubernetes/templates/ingress.yaml b/packages/apps/kubernetes/templates/ingress.yaml new file mode 100644 index 00000000..3951e1de --- /dev/null +++ b/packages/apps/kubernetes/templates/ingress.yaml @@ -0,0 +1,43 @@ +{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} +{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }} +{{- if .Values.addons.ingressNginx.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Name }}-ingress-nginx + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" +spec: + ingressClassName: "{{ $ingress }}" + rules: + - host: {{ .Values.addons.ingressNginx.host | quote }} + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: {{ .Release.Name }}-ingress-nginx + port: + number: 443 +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }}-ingress-nginx +spec: + ports: + - appProtocol: http + name: http + port: 80 + targetPort: 80 + - appProtocol: https + name: https + port: 443 + targetPort: 443 + selector: + cluster.x-k8s.io/cluster-name: {{ .Release.Name }} + node-role.kubernetes.io/ingress-nginx: "" +{{- end }} diff --git a/packages/apps/kubernetes/values.schema.json b/packages/apps/kubernetes/values.schema.json index d467b3fe..2455d5f8 100644 --- a/packages/apps/kubernetes/values.schema.json +++ b/packages/apps/kubernetes/values.schema.json 
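Review bot: The first two lines evaluate `$myNS.metadata.annotations` before the `if .Values.addons.ingressNginx.enabled` guard, so when `lookup` returns nothing (no cluster access, `helm template`, or a client-side dry run) rendering fails on a nil value even with the addon disabled, and when the namespace simply lacks the `namespace.cozystack.io/ingress` annotation the Ingress is rendered with `ingressClassName: ""`. Moving the lookup inside the `if` and reading the annotation defensively, e.g. `{{- $ingress := dig "metadata" "annotations" "namespace.cozystack.io/ingress" "" $myNS }}` followed by `ingressClassName: {{ required "namespace annotation namespace.cozystack.io/ingress is missing" $ingress | quote }}`, would make the dependency on the namespace annotation explicit instead of producing a classless Ingress. The `ssl-passthrough: "true"` annotation also only takes effect if the upper controller runs with passthrough enabled; a comment recording that assumption would help.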
@@ -16,6 +16,36 @@ "default": 2 } } + }, + "addons": { + "type": "object", + "properties": { + "certManager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables the certificate manager which automatically creates and manages SSL/TLS certificates", + "default": true + } + } + }, + "ingressNginx": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role", + "default": true + }, + "host": { + "type": "string", + "description": "The domain name that should be passtrough to the cluster by upper ingress.", + "default": "example.org" + } + } + } + } } } } \ No newline at end of file diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index c2670a7e..8d8f536a 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -16,9 +16,16 @@ nodeGroups: resources: cpu: 2 memory: 1024Mi + roles: + - ingress-nginx -## @param addons [object] addons configuration -## addons: + ## @param addons.certManager.enabled Enables the certificate manager which automatically creates and manages SSL/TLS certificates certManager: - enabled: false + enabled: true + + ## @param addons.ingressNginx.enabled Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role + ## @param addons.ingressNginx.host The domain name that should be passtrough to the cluster by upper ingress. + ingressNginx: + enabled: true + host: "example.org" diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 5d5d46b8..bb7fe850 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -8,7 +8,8 @@ kafka 0.2.0 HEAD kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 kubernetes 0.3.0 7caccec1 -kubernetes 0.4.0 HEAD +kubernetes 0.4.0 6cae6ce8 +kubernetes 0.5.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD 
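Review bot: The description `The domain name that should be passtrough to the cluster by upper ingress.` has a typo (`passtrough`) that this commit also copies into values.yaml and README.md; suggested wording in all three places: `The domain name that should be passed through to the cluster by the upper ingress.`. The values.yaml hunk on this line also flips `addons.certManager.enabled` from `false` to `true` and enables `ingressNginx` by default with `host: "example.org"`, so every new cluster renders an Ingress for a placeholder domain unless the operator overrides it; defaulting `enabled` to `false`, or leaving `host: ""` and using `required` in the template, avoids that. As far as this hunk shows, the schema also does not describe `nodeGroups[].roles`, which the cluster template now reads.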
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 71b95399..3594b9b3 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,10 +1,10 @@ { - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/t5xx0qcox11kirc7xzxp3iwy6", + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/d75hbe5lm96nutwocaw0h8ohc", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1", + "digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a", "size": 685 }, - "containerimage.digest": "sha256:8b7ebb9d5de39214d0ffc2634c37ada2e2d2fc7ad956c455b329e857bb6e6fd1", + "containerimage.digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a", "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" } \ No newline at end of file diff --git a/packages/system/ingress-nginx/Makefile b/packages/system/ingress-nginx/Makefile index 831ef0a0..e8167a00 100644 --- a/packages/system/ingress-nginx/Makefile +++ b/packages/system/ingress-nginx/Makefile @@ -11,4 +11,3 @@ update: patch -p 3 < patches/add-metrics2.patch rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig rm -rf charts/ingress-nginx/changelog/ - #sed -i '/ type:/a \ allocateLoadBalancerNodePorts: false' charts/ingress-nginx/templates/controller-service.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig deleted file mode 100644 index 3aaa9250..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig +++ /dev/null 
@@ -1,243 +0,0 @@ -{{- if eq .Values.controller.kind "DaemonSet" -}} -{{- include "isControllerTagValid" . -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ include "ingress-nginx.namespace" . }} - {{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: controller - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - {{- if .Values.controller.updateStrategy }} - updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} - {{- end }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - template: - metadata: - {{- if .Values.controller.podAnnotations }} - annotations: - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include "ingress-nginx.labels" . | nindent 8 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.controller.podLabels }} - {{- toYaml .Values.controller.podLabels | nindent 8 }} - {{- end }} - spec: - {{- if .Values.controller.dnsConfig }} - dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostAliases }} - hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostname }} - hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} - {{- end }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} - {{- end }} - {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName | quote }} - {{- end }} - {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} - securityContext: - {{- if .Values.controller.podSecurityContext }} - {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} - sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.controller.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} - {{- end }} - containers: - - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" - {{- end }} - imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - {{- if .Values.controller.lifecycle }} - lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} - {{- end }} - args: {{ include "ingress-nginx.params" . 
| nindent 12 }} - securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.enableMimalloc }} - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - {{- end }} - {{- if .Values.controller.extraEnvs }} - {{- toYaml .Values.controller.extraEnvs | nindent 12 }} - {{- end }} - {{- if .Values.controller.startupProbe }} - startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.livenessProbe }} - livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.readinessProbe }} - readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} - {{- end }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - - name: {{ .Values.controller.metrics.portName }} - containerPort: {{ .Values.controller.metrics.port }} - protocol: TCP - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook - containerPort: {{ .Values.controller.admissionWebhooks.port }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - containerPort: {{ $key }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - containerPort: {{ 
$key }} - protocol: UDP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - - name: modules - {{- if .Values.controller.image.chroot }} - mountPath: /chroot/modules_mount - {{- else }} - mountPath: /modules_mount - {{- end }} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - {{- end }} - {{- if .Values.controller.extraVolumeMounts }} - {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.controller.resources }} - resources: {{ toYaml .Values.controller.resources | nindent 12 }} - {{- end }} - {{- if .Values.controller.extraContainers }} - {{- toYaml .Values.controller.extraContainers | nindent 8 }} - {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - initContainers: - {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} - {{- end }} - {{- if .Values.controller.extraModules }} - {{- range .Values.controller.extraModules }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - 
{{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.controller.hostNetwork }} - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- end }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} - {{- end }} - {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} - terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - - name: modules - emptyDir: {} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - name: nginx-template-volume - configMap: - name: {{ .Values.controller.customTemplate.configMapName }} - items: - - key: {{ .Values.controller.customTemplate.configMapKey }} - path: nginx.tmpl - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - secret: - secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - {{- if .Values.controller.admissionWebhooks.certManager.enabled }} - items: - - key: tls.crt - path: cert - - key: tls.key - path: key - {{- end }} - {{- end }} - {{- if .Values.controller.extraVolumes }} - {{ toYaml .Values.controller.extraVolumes | nindent 8 }} - {{- end }} - {{- end }} -{{- end }} From 91a1f4917c6782b5158a5236c52f572cd6e0969e Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 25 Jun 2024 17:33:28 +0200 Subject: [PATCH 35/67] fix: ingress-nginx duplicate template (#182) in addition to https://github.com/aenix-io/cozystack/pull/181 From cf1d9fabf4306fdf77d7e6e44bbcb8491c2dd97e Mon Sep 17 00:00:00 2001 
From: Andrei Kvapil Date: Tue, 25 Jun 2024 19:23:20 +0200 Subject: [PATCH 36/67] add fluxcd labels post processor (#180) This PR introduces a new fluxcd-kustomize.sh script that can be used as a post-processor for helm to add the common fluxcd labels. This is very useful for `make diff`, since the diff will no longer include differences in these labels. It is also useful for debugging specific kustomize cases, e.g.: - https://github.com/fluxcd/helm-controller/issues/283 - https://github.com/fluxcd/flux2/issues/4368 Signed-off-by: Andrei Kvapil --- packages/system/capi-operator/Makefile | 4 +- packages/system/capi-providers/Makefile | 4 +- packages/system/cert-manager-issuers/Makefile | 4 +- packages/system/cert-manager/Makefile | 4 +- packages/system/cilium/Makefile | 4 +- packages/system/clickhouse-operator/Makefile | 4 +- packages/system/dashboard/Makefile | 4 +- packages/system/etcd-operator/Makefile | 4 +- packages/system/grafana-operator/Makefile | 4 +- packages/system/ingress-nginx/Makefile | 4 +- packages/system/kafka-operator/Makefile | 4 +- packages/system/kamaji/Makefile | 4 +- packages/system/kubeovn/Makefile | 4 +- .../system/kubevirt-cdi-operator/Makefile | 4 +- packages/system/kubevirt-cdi/Makefile | 4 +- packages/system/kubevirt-operator/Makefile | 4 +- packages/system/kubevirt/Makefile | 4 +- packages/system/linstor/Makefile | 4 +- packages/system/mariadb-operator/Makefile | 4 +- packages/system/metallb/Makefile | 4 +- packages/system/monitoring/Makefile | 4 +- packages/system/piraeus-operator/Makefile | 4 +- packages/system/postgres-operator/Makefile | 4 +- packages/system/rabbitmq-operator/Makefile | 4 +- packages/system/redis-operator/Makefile | 4 +- packages/system/telepresence/Makefile | 4 +- .../system/victoria-metrics-operator/Makefile | 4 +- scripts/fluxcd-kustomize.sh | 37 +++++++++++++++++++ scripts/package-system.mk | 6 +-- 29 files changed, 94 insertions(+), 57 deletions(-) create mode 100755 scripts/fluxcd-kustomize.sh
diff --git a/packages/system/capi-operator/Makefile b/packages/system/capi-operator/Makefile index b3c9f770..2fd794d3 100644 --- a/packages/system/capi-operator/Makefile +++ b/packages/system/capi-operator/Makefile @@ -1,5 +1,5 @@ -NAME=capi-operator -NAMESPACE=cozy-cluster-api +export NAME=capi-operator +export NAMESPACE=cozy-cluster-api include ../../../scripts/package-system.mk diff --git a/packages/system/capi-providers/Makefile b/packages/system/capi-providers/Makefile index 339d569f..6e8d7868 100644 --- a/packages/system/capi-providers/Makefile +++ b/packages/system/capi-providers/Makefile @@ -1,4 +1,4 @@ -NAME=capi-providers -NAMESPACE=cozy-cluster-api +export NAME=capi-providers +export NAMESPACE=cozy-cluster-api include ../../../scripts/package-system.mk diff --git a/packages/system/cert-manager-issuers/Makefile b/packages/system/cert-manager-issuers/Makefile index 7d38f770..7c01ba56 100644 --- a/packages/system/cert-manager-issuers/Makefile +++ b/packages/system/cert-manager-issuers/Makefile @@ -1,4 +1,4 @@ -NAME=cert-manager-issuers -NAMESPACE=cozy-cert-manager +export NAME=cert-manager-issuers +export NAMESPACE=cozy-cert-manager include ../../../scripts/package-system.mk diff --git a/packages/system/cert-manager/Makefile b/packages/system/cert-manager/Makefile index c871d9d3..929b160a 100644 --- a/packages/system/cert-manager/Makefile +++ b/packages/system/cert-manager/Makefile @@ -1,5 +1,5 @@ -NAME=cert-manager -NAMESPACE=cozy-$(NAME) +export NAME=cert-manager +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index a5caba3b..44d20e29 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile 
@@ -1,7 +1,7 @@ CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml) -NAME=cilium -NAMESPACE=cozy-$(NAME) +export NAME=cilium +export NAMESPACE=cozy-$(NAME) include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk diff --git a/packages/system/clickhouse-operator/Makefile b/packages/system/clickhouse-operator/Makefile index b83cf6df..64447cca 100644 --- a/packages/system/clickhouse-operator/Makefile +++ b/packages/system/clickhouse-operator/Makefile @@ -1,5 +1,5 @@ -NAME=clickhouse-operator -NAMESPACE=cozy-clickhouse-operator +export NAME=clickhouse-operator +export NAMESPACE=cozy-clickhouse-operator include ../../../scripts/package-system.mk diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index e7a91bd4..d17d36aa 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile @@ -1,5 +1,5 @@ -NAME=dashboard -NAMESPACE=cozy-$(NAME) +export NAME=dashboard +export NAMESPACE=cozy-$(NAME) include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk diff --git a/packages/system/etcd-operator/Makefile b/packages/system/etcd-operator/Makefile index 0c82cdb9..5c0dee74 100644 --- a/packages/system/etcd-operator/Makefile +++ b/packages/system/etcd-operator/Makefile @@ -1,5 +1,5 @@ -NAME=etcd-operator -NAMESPACE=cozy-${NAME} +export NAME=etcd-operator +export NAMESPACE=cozy-${NAME} include ../../../scripts/package-system.mk diff --git a/packages/system/grafana-operator/Makefile b/packages/system/grafana-operator/Makefile index 05916ae5..38eed61c 100644 --- a/packages/system/grafana-operator/Makefile +++ b/packages/system/grafana-operator/Makefile @@ -1,5 +1,5 @@ -NAME=grafana-operator -NAMESPACE=cozy-grafana-operator +export NAME=grafana-operator +export NAMESPACE=cozy-grafana-operator include ../../../scripts/package-system.mk 
diff --git a/packages/system/ingress-nginx/Makefile b/packages/system/ingress-nginx/Makefile index 21e77233..a6b85f48 100644 --- a/packages/system/ingress-nginx/Makefile +++ b/packages/system/ingress-nginx/Makefile @@ -1,5 +1,5 @@ -NAME=ingress-nginx -NAMESPACE=cozy-$(NAME) +export NAME=ingress-nginx +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kafka-operator/Makefile b/packages/system/kafka-operator/Makefile index e68cb803..29c32688 100644 --- a/packages/system/kafka-operator/Makefile +++ b/packages/system/kafka-operator/Makefile @@ -1,5 +1,5 @@ -NAME=kafka-operator -NAMESPACE=cozy-$(NAME) +export NAME=kafka-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kamaji/Makefile b/packages/system/kamaji/Makefile index 163d5548..bc4af6e9 100644 --- a/packages/system/kamaji/Makefile +++ b/packages/system/kamaji/Makefile @@ -1,5 +1,5 @@ -NAME=kamaji -NAMESPACE=cozy-$(NAME) +export NAME=kamaji +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index b47ba177..ce53fcfe 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile @@ -1,7 +1,7 @@ KUBEOVN_TAG = v1.13.0 -NAME=kubeovn -NAMESPACE=cozy-$(NAME) +export NAME=kubeovn +export NAMESPACE=cozy-$(NAME) include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk diff --git a/packages/system/kubevirt-cdi-operator/Makefile b/packages/system/kubevirt-cdi-operator/Makefile index b34c0f0f..6cf08193 100644 --- a/packages/system/kubevirt-cdi-operator/Makefile +++ b/packages/system/kubevirt-cdi-operator/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt-cdi-operator -NAMESPACE=cozy-kubevirt-cdi +export NAME=kubevirt-cdi-operator +export NAMESPACE=cozy-kubevirt-cdi include ../../../scripts/package-system.mk 
diff --git a/packages/system/kubevirt-cdi/Makefile b/packages/system/kubevirt-cdi/Makefile index 09e37e3e..c6209a54 100644 --- a/packages/system/kubevirt-cdi/Makefile +++ b/packages/system/kubevirt-cdi/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt-cdi -NAMESPACE=cozy-$(NAME) +export NAME=kubevirt-cdi +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kubevirt-operator/Makefile b/packages/system/kubevirt-operator/Makefile index 8f4de121..cea1a529 100644 --- a/packages/system/kubevirt-operator/Makefile +++ b/packages/system/kubevirt-operator/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt-operator -NAMESPACE=cozy-kubevirt +export NAME=kubevirt-operator +export NAMESPACE=cozy-kubevirt include ../../../scripts/package-system.mk diff --git a/packages/system/kubevirt/Makefile b/packages/system/kubevirt/Makefile index 80636712..e939b0f1 100644 --- a/packages/system/kubevirt/Makefile +++ b/packages/system/kubevirt/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt -NAMESPACE=cozy-$(NAME) +export NAME=kubevirt +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/linstor/Makefile b/packages/system/linstor/Makefile index 9191aa74..34e8cd9c 100644 --- a/packages/system/linstor/Makefile +++ b/packages/system/linstor/Makefile @@ -1,4 +1,4 @@ -NAME=linstor -NAMESPACE=cozy-$(NAME) +export NAME=linstor +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/mariadb-operator/Makefile b/packages/system/mariadb-operator/Makefile index 292fa0aa..a94e4306 100644 --- a/packages/system/mariadb-operator/Makefile +++ b/packages/system/mariadb-operator/Makefile @@ -1,5 +1,5 @@ -NAME=mariadb-operator -NAMESPACE=cozy-$(NAME) +export NAME=mariadb-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/metallb/Makefile b/packages/system/metallb/Makefile index 423bbd50..09085f4e 100644 
--- a/packages/system/metallb/Makefile +++ b/packages/system/metallb/Makefile @@ -1,5 +1,5 @@ -NAME=metallb -NAMESPACE=cozy-$(NAME) +export NAME=metallb +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/monitoring/Makefile b/packages/system/monitoring/Makefile index 8ebc1e4c..bfc68669 100644 --- a/packages/system/monitoring/Makefile +++ b/packages/system/monitoring/Makefile @@ -1,5 +1,5 @@ -NAME=monitoring -NAMESPACE=cozy-$(NAME) +export NAME=monitoring +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/piraeus-operator/Makefile b/packages/system/piraeus-operator/Makefile index 222d5ef7..ae459844 100644 --- a/packages/system/piraeus-operator/Makefile +++ b/packages/system/piraeus-operator/Makefile @@ -1,5 +1,5 @@ -NAME=piraeus-operator -NAMESPACE=cozy-linstor +export NAME=piraeus-operator +export NAMESPACE=cozy-linstor include ../../../scripts/package-system.mk diff --git a/packages/system/postgres-operator/Makefile b/packages/system/postgres-operator/Makefile index d5e25ee0..037948fc 100644 --- a/packages/system/postgres-operator/Makefile +++ b/packages/system/postgres-operator/Makefile @@ -1,5 +1,5 @@ -NAME=postgres-operator -NAMESPACE=cozy-$(NAME) +export NAME=postgres-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/rabbitmq-operator/Makefile b/packages/system/rabbitmq-operator/Makefile index 143ff227..999958c0 100644 --- a/packages/system/rabbitmq-operator/Makefile +++ b/packages/system/rabbitmq-operator/Makefile @@ -1,5 +1,5 @@ -NAME=rabbitmq-operator -NAMESPACE=cozy-$(NAME) +export NAME=rabbitmq-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/redis-operator/Makefile b/packages/system/redis-operator/Makefile index 1fc8474f..28007838 100644 --- a/packages/system/redis-operator/Makefile +++ b/packages/system/redis-operator/Makefile 
@@ -1,5 +1,5 @@ -NAME=redis-operator -NAMESPACE=cozy-$(NAME) +export NAME=redis-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/telepresence/Makefile b/packages/system/telepresence/Makefile index ff48731b..31de4820 100644 --- a/packages/system/telepresence/Makefile +++ b/packages/system/telepresence/Makefile @@ -1,5 +1,5 @@ -NAME=traffic-manager -NAMESPACE=cozy-telepresence +export NAME=traffic-manager +export NAMESPACE=cozy-telepresence include ../../../scripts/package-system.mk diff --git a/packages/system/victoria-metrics-operator/Makefile b/packages/system/victoria-metrics-operator/Makefile index 99e28582..5221bfae 100644 --- a/packages/system/victoria-metrics-operator/Makefile +++ b/packages/system/victoria-metrics-operator/Makefile @@ -1,5 +1,5 @@ -NAME=victoria-metrics-operator -NAMESPACE=cozy-$(NAME) +export NAME=victoria-metrics-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/scripts/fluxcd-kustomize.sh b/scripts/fluxcd-kustomize.sh new file mode 100755 index 00000000..a0af5a71 --- /dev/null +++ b/scripts/fluxcd-kustomize.sh 
@@ -0,0 +1,37 @@ +#!/bin/sh +# This scripts adds common fluxcd labels to all objects + +if [ -z "$NAME" ]; then + echo 'Variable $NAME is not set!' >&2 + exit 1 +fi + +if [ -z "$NAMESPACE" ]; then + echo 'Variable $NAMESPACE is not set!' >&2 + exit 1 +fi + +TMP_DIR=$(mktemp -d) +cat - > "${TMP_DIR}/helm-generated-output.yaml" +cat > "${TMP_DIR}/global-labels.yaml" < "${TMP_DIR}/kustomization.yaml" < Date: Wed, 26 Jun 2024 02:49:14 +0200 Subject: [PATCH 37/67] move fluxcd and operator back to system (#188) Separate and move fluxcd and fluxcd-operator from `core` to `system`. It should not be problem with self-update now, since we correctly set dependsOn option, it ensures ordered update of flux instance right after flux-operator. As part of https://github.com/aenix-io/cozystack/issues/184 and https://github.com/aenix-io/cozystack/issues/185 fixes https://github.com/aenix-io/cozystack/issues/169 
Signed-off-by: Andrei Kvapil --- hack/e2e.sh | 14 ++--- packages/core/fluxcd/Makefile | 20 ------- .../core/fluxcd/templates/flux-instance.yaml | 25 --------- packages/core/fluxcd/values.yaml | 55 ------------------- packages/core/installer/images/cozystack.json | 6 +- .../core/platform/bundles/distro-full.yaml | 13 +++++ .../core/platform/bundles/distro-hosted.yaml | 13 +++++ packages/core/platform/bundles/paas-full.yaml | 13 +++++ .../core/platform/bundles/paas-hosted.yaml | 13 +++++ .../core/platform/templates/namespaces.yaml | 1 - .../fluxcd-operator}/.helmignore | 0 packages/system/fluxcd-operator/Chart.yaml | 3 + packages/system/fluxcd-operator/Makefile | 12 ++++ .../charts/flux-operator/.helmignore | 0 .../charts/flux-operator/Chart.yaml | 0 .../charts/flux-operator/README.md | 0 .../charts/flux-operator/templates/NOTES.txt | 0 .../flux-operator/templates/_helpers.tpl | 0 .../flux-operator/templates/clusterrole.yaml | 0 .../charts/flux-operator/templates/crds.yaml | 0 .../flux-operator/templates/deployment.yaml | 0 .../flux-operator/templates/service.yaml | 0 .../templates/serviceaccount.yaml | 0 .../charts/flux-operator/values.schema.json | 0 .../charts/flux-operator/values.yaml | 0 .../patches/kubernetesEnvs.diff | 0 .../fluxcd-operator}/templates/_helpers.tpl | 0 packages/system/fluxcd-operator/values.yaml | 7 +++ packages/{core => system}/fluxcd/Chart.yaml | 0 packages/system/fluxcd/Makefile | 7 +++ .../fluxcd/templates/flux-instance.yaml | 25 +++++++++ packages/system/fluxcd/values.yaml | 47 ++++++++++++++++ scripts/installer.sh | 36 +++++++----- 33 files changed, 184 insertions(+), 126 deletions(-) delete mode 100644 packages/core/fluxcd/Makefile delete mode 100644 packages/core/fluxcd/templates/flux-instance.yaml delete mode 100644 packages/core/fluxcd/values.yaml rename packages/{core/fluxcd => system/fluxcd-operator}/.helmignore (100%) create mode 100644 packages/system/fluxcd-operator/Chart.yaml create mode 100644 
packages/system/fluxcd-operator/Makefile rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/.helmignore (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/Chart.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/README.md (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/NOTES.txt (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/_helpers.tpl (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/clusterrole.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/crds.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/deployment.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/service.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/templates/serviceaccount.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/values.schema.json (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/charts/flux-operator/values.yaml (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/patches/kubernetesEnvs.diff (100%) rename packages/{core/fluxcd => system/fluxcd-operator}/templates/_helpers.tpl (100%) create mode 100644 packages/system/fluxcd-operator/values.yaml rename packages/{core => system}/fluxcd/Chart.yaml (100%) create mode 100644 packages/system/fluxcd/Makefile create mode 100644 packages/system/fluxcd/templates/flux-instance.yaml create mode 100644 packages/system/fluxcd/values.yaml diff --git a/hack/e2e.sh b/hack/e2e.sh index 86278beb..462fef65 100755 --- a/hack/e2e.sh +++ b/hack/e2e.sh 
@@ -294,22 +294,22 @@ kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values": timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done' # Wait for HelmReleases be installed -kubectl wait --timeout=2m --for=condition=ready hr -n tenant-root etcd ingress monitoring tenant-root +kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root # Wait for nginx-ingress-controller timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done' -kubectl wait deploy -n tenant-root --timeout=5m --for=condition=available root-ingress-controller +kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-ingress-controller # Wait for etcd -kubectl wait --for=jsonpath=.status.readyReplicas=3 -n tenant-root --timeout=5m sts etcd +kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd # Wait for Victoria metrics -kubectl wait deploy -n tenant-root --timeout=5m --for=condition=available vmalert-vmalert vminsert-longterm vminsert-shortterm -kubectl wait --for=jsonpath=.status.readyReplicas=2 -n tenant-root --timeout=5m sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm +kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm +kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm # Wait for grafana -kubectl wait --for=condition=ready clusters.postgresql.cnpg.io -n tenant-root grafana-db -kubectl wait deploy -n tenant-root --timeout=5m --for=condition=available grafana-deployment +kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db +kubectl wait --timeout=5m 
--for=condition=available -n tenant-root deploy grafana-deployment # Get IP of nginx-ingress ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.status.loadBalancer.ingress..ip}') diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile deleted file mode 100644 index 6da8d847..00000000 --- a/packages/core/fluxcd/Makefile +++ /dev/null @@ -1,20 +0,0 @@ -NAME=fluxcd -NAMESPACE=cozy-$(NAME) - -API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions)) - -show: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) - -apply: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks \ - --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f- - -diff: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks \ - --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- - -update: - rm -rf charts - helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts - patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff diff --git a/packages/core/fluxcd/templates/flux-instance.yaml b/packages/core/fluxcd/templates/flux-instance.yaml deleted file mode 100644 index 20887794..00000000 --- a/packages/core/fluxcd/templates/flux-instance.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: fluxcd.controlplane.io/v1 -kind: FluxInstance -metadata: - name: flux -spec: - {{- with .Values.fluxInstance.cluster }} - cluster: - {{- with .networkPolicy }} - networkPolicy: {{ . }} - {{- end }} - {{- with .domain }} - domain: {{ . }} - {{- end }} - {{- end }} - distribution: - version: {{ .Values.fluxInstance.distribution.version }} - registry: {{ .Values.fluxInstance.distribution.registry }} - components: - {{- if .Values.fluxInstance.components }} - {{- toYaml .Values.fluxInstance.components | nindent 4 }} - {{- end }} - kustomize: - {{- if .Values.fluxInstance.kustomize }} - {{- toYaml .Values.fluxInstance.kustomize | nindent 4 }} - {{- end }} 
diff --git a/packages/core/fluxcd/values.yaml b/packages/core/fluxcd/values.yaml deleted file mode 100644 index c5a27fe0..00000000 --- a/packages/core/fluxcd/values.yaml +++ /dev/null @@ -1,55 +0,0 @@ -flux-operator: - tolerations: - - key: node.kubernetes.io/not-ready - operator: Exists - effect: NoSchedule - hostNetwork: true - -fluxInstance: - cluster: - networkPolicy: true - # domain: cozy.local - distribution: - version: 2.3.x - registry: ghcr.io/fluxcd - components: - - source-controller - - kustomize-controller - - helm-controller - - notification-controller - - image-reflector-controller - - image-automation-controller - kustomize: - patches: - - target: - kind: Deployment - name: "(kustomize-controller|helm-controller|source-controller)" - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --concurrent=20 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --requeue-dependency=5s - - op: replace - path: /spec/template/spec/containers/0/resources/limits - value: - cpu: 2000m - memory: 2048Mi - - target: - kind: Deployment - name: source-controller - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --storage-adv-addr=source-controller.cozy-fluxcd.svc - - op: add - path: /spec/template/spec/containers/0/args/- - value: --events-addr=http://notification-controller.cozy-fluxcd.svc/ - - target: - kind: Deployment - name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller) - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --events-addr=http://notification-controller.cozy-fluxcd.svc/ diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 3594b9b3..8e61c51f 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json 
@@ -1,10 +1,10 @@ { - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/d75hbe5lm96nutwocaw0h8ohc", + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/h4dfyd134l9durh9d02r2u2uu", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a", + "digest": "sha256:b5cbbb921a240d05c6775aab15c99432180c5547801ef6cb6ca51303eeb489e1", "size": 685 }, - "containerimage.digest": "sha256:a5544e0cf76b09b421345906d2e85282ba8c2187e9db814cfe5c08ddd9ee491a", + "containerimage.digest": "sha256:b5cbbb921a240d05c6775aab15c99432180c5547801ef6cb6ca51303eeb489e1", "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" } \ No newline at end of file diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index 1fd9590a..c3e65e3f 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml @@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator,cilium] + - name: cilium releaseName: cilium chart: cozy-cilium diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml index 41d027fe..6923c1fb 100644 --- a/packages/core/platform/bundles/distro-hosted.yaml +++ b/packages/core/platform/bundles/distro-hosted.yaml 
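Review bot: `privileged: true` on the `fluxcd-operator` release appears to be what now makes `cozy-fluxcd` a privileged namespace (the hard-coded `cozy-fluxcd: true` is dropped from namespaces.yaml in this same commit), and because the `fluxcd` release is placed in the same namespace every Flux controller inherits the relaxed pod-security level even though only the operator seems to need it for `hostNetwork`. That coupling is invisible from the bundle itself. I'd add a comment on the release, e.g. `# privileged: flux-operator runs with hostNetwork (packages/system/fluxcd-operator/values.yaml); the fluxcd release shares this namespace and inherits the relaxed PSS level`, and consider in a follow-up whether the Flux controllers could live in a non-privileged namespace of their own.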
@@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator] + - name: cert-manager releaseName: cert-manager chart: cozy-cert-manager diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index a39931a1..4ed95257 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator,cilium,kubeovn] + - name: cilium releaseName: cilium chart: cozy-cilium diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index 5d6ce1a5..60194d84 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml @@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator] + - name: cert-manager releaseName: cert-manager chart: cozy-cert-manager diff --git a/packages/core/platform/templates/namespaces.yaml b/packages/core/platform/templates/namespaces.yaml index 3f25361c..0d35d7ec 100644 --- a/packages/core/platform/templates/namespaces.yaml 
+++ b/packages/core/platform/templates/namespaces.yaml @@ -16,7 +16,6 @@ {{/* Add extra namespaces */}} {{- $_ := set $namespaces "cozy-public" false }} -{{- $_ := set $namespaces "cozy-fluxcd" true }} {{- range $namespace, $privileged := $namespaces }} --- diff --git a/packages/core/fluxcd/.helmignore b/packages/system/fluxcd-operator/.helmignore similarity index 100% rename from packages/core/fluxcd/.helmignore rename to packages/system/fluxcd-operator/.helmignore diff --git a/packages/system/fluxcd-operator/Chart.yaml b/packages/system/fluxcd-operator/Chart.yaml new file mode 100644 index 00000000..42ed3feb --- /dev/null +++ b/packages/system/fluxcd-operator/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-fluxcd-operator +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/fluxcd-operator/Makefile b/packages/system/fluxcd-operator/Makefile new file mode 100644 index 00000000..26cf39a7 --- /dev/null +++ b/packages/system/fluxcd-operator/Makefile @@ -0,0 +1,12 @@ +NAME=fluxcd-operator +NAMESPACE=cozy-fluxcd + +include ../../../scripts/package-system.mk + +apply-locally: + helm upgrade -i -n $(NAMESPACE) $(NAME) . + +update: + rm -rf charts + helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts + patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff diff --git a/packages/core/fluxcd/charts/flux-operator/.helmignore b/packages/system/fluxcd-operator/charts/flux-operator/.helmignore similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/.helmignore rename to packages/system/fluxcd-operator/charts/flux-operator/.helmignore diff --git a/packages/core/fluxcd/charts/flux-operator/Chart.yaml b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/Chart.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml 
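Review bot: the `update` target pulls `oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator` with no `--version`, so every run vendors whatever the registry currently tags as latest and the following `patch` step is applied to an unreviewed moving target; this was carried over from the deleted core/fluxcd Makefile, but it is the point where upstream code enters the repo. Pin it, e.g. `FLUX_OPERATOR_CHART_VERSION=<pinned>` at the top and `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version $(FLUX_OPERATOR_CHART_VERSION) --untar --untardir charts`, so a chart bump is a deliberate, reviewable diff rather than a side effect of re-running `make update`. Note also that `patch --no-backup-if-mismatch -p1` will abort on a reject if upstream reshuffles deployment.yaml, which is another reason to move the version explicitly.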
diff --git a/packages/core/fluxcd/charts/flux-operator/README.md b/packages/system/fluxcd-operator/charts/flux-operator/README.md similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/README.md rename to packages/system/fluxcd-operator/charts/flux-operator/README.md diff --git a/packages/core/fluxcd/charts/flux-operator/templates/NOTES.txt b/packages/system/fluxcd-operator/charts/flux-operator/templates/NOTES.txt similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/NOTES.txt rename to packages/system/fluxcd-operator/charts/flux-operator/templates/NOTES.txt diff --git a/packages/core/fluxcd/charts/flux-operator/templates/_helpers.tpl b/packages/system/fluxcd-operator/charts/flux-operator/templates/_helpers.tpl similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/_helpers.tpl rename to packages/system/fluxcd-operator/charts/flux-operator/templates/_helpers.tpl diff --git a/packages/core/fluxcd/charts/flux-operator/templates/clusterrole.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/clusterrole.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/clusterrole.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/templates/clusterrole.yaml diff --git a/packages/core/fluxcd/charts/flux-operator/templates/crds.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/crds.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml diff --git a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml 
diff --git a/packages/core/fluxcd/charts/flux-operator/templates/service.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/service.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/service.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/templates/service.yaml diff --git a/packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/serviceaccount.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/templates/serviceaccount.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/templates/serviceaccount.yaml diff --git a/packages/core/fluxcd/charts/flux-operator/values.schema.json b/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/values.schema.json rename to packages/system/fluxcd-operator/charts/flux-operator/values.schema.json diff --git a/packages/core/fluxcd/charts/flux-operator/values.yaml b/packages/system/fluxcd-operator/charts/flux-operator/values.yaml similarity index 100% rename from packages/core/fluxcd/charts/flux-operator/values.yaml rename to packages/system/fluxcd-operator/charts/flux-operator/values.yaml diff --git a/packages/core/fluxcd/patches/kubernetesEnvs.diff b/packages/system/fluxcd-operator/patches/kubernetesEnvs.diff similarity index 100% rename from packages/core/fluxcd/patches/kubernetesEnvs.diff rename to packages/system/fluxcd-operator/patches/kubernetesEnvs.diff diff --git a/packages/core/fluxcd/templates/_helpers.tpl b/packages/system/fluxcd-operator/templates/_helpers.tpl similarity index 100% rename from packages/core/fluxcd/templates/_helpers.tpl rename to packages/system/fluxcd-operator/templates/_helpers.tpl 
diff --git a/packages/system/fluxcd-operator/values.yaml b/packages/system/fluxcd-operator/values.yaml new file mode 100644 index 00000000..654ca304 --- /dev/null +++ b/packages/system/fluxcd-operator/values.yaml @@ -0,0 +1,7 @@ +flux-operator: + fullnameOverride: flux-operator + tolerations: + - key: node.kubernetes.io/not-ready + operator: Exists + effect: NoSchedule + hostNetwork: true diff --git a/packages/core/fluxcd/Chart.yaml b/packages/system/fluxcd/Chart.yaml similarity index 100% rename from packages/core/fluxcd/Chart.yaml rename to packages/system/fluxcd/Chart.yaml diff --git a/packages/system/fluxcd/Makefile b/packages/system/fluxcd/Makefile new file mode 100644 index 00000000..de09740c --- /dev/null +++ b/packages/system/fluxcd/Makefile @@ -0,0 +1,7 @@ +NAME=fluxcd +NAMESPACE=cozy-$(NAME) + +apply-locally: + helm upgrade -i -n $(NAMESPACE) $(NAME) . + +include ../../../scripts/package-system.mk diff --git a/packages/system/fluxcd/templates/flux-instance.yaml b/packages/system/fluxcd/templates/flux-instance.yaml new file mode 100644 index 00000000..ce0fd133 --- /dev/null +++ b/packages/system/fluxcd/templates/flux-instance.yaml @@ -0,0 +1,25 @@ +apiVersion: fluxcd.controlplane.io/v1 +kind: FluxInstance +metadata: + name: flux +spec: + {{- with .Values.cluster }} + cluster: + {{- with .networkPolicy }} + networkPolicy: {{ . }} + {{- end }} + {{- with .domain }} + domain: {{ . }} + {{- end }} + {{- end }} + distribution: + version: {{ .Values.distribution.version }} + registry: {{ .Values.distribution.registry }} + components: + {{- if .Values.components }} + {{- toYaml .Values.components | nindent 4 }} + {{- end }} + kustomize: + {{- if .Values.kustomize }} + {{- toYaml .Values.kustomize | nindent 4 }} + {{- end }} diff --git a/packages/system/fluxcd/values.yaml b/packages/system/fluxcd/values.yaml new file mode 100644 index 00000000..9eba35ec --- /dev/null +++ b/packages/system/fluxcd/values.yaml 
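Review bot: `hostNetwork: true` puts the operator in the node's network namespace, so whatever ports the vendored flux-operator chart opens (metrics/probes in its deployment.yaml and service.yaml, not shown in this diff) become reachable on the node IP rather than only on a pod IP, and this is also what forces `cozy-fluxcd` to be a privileged namespace. The reason is presumably that `fluxcd-operator` has `dependsOn: []` in the bundles and must come up before the CNI does, but nothing in the file says so. I'd add a why-comment above the two settings, e.g. `## hostNetwork + not-ready toleration: the operator is installed before the CNI (dependsOn: [] in the bundles) and must start without pod networking; its listen ports are therefore exposed on the node IP`, and confirm those ports are covered by node-level firewalling on hosted deployments.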
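Review bot: `{{- with .networkPolicy }}` can never render a `false` value, because Go templates treat `false` as empty and skip the `with` body, so `cluster.networkPolicy: false` in values silently falls back to the operator's default and the setting cannot be switched off from this chart (the same construct was in the deleted core/fluxcd template). Replace it with an explicit key test: `{{- if hasKey . "networkPolicy" }}` / `networkPolicy: {{ .networkPolicy }}` / `{{- end }}`. The outer `{{- with .Values.cluster }}` has the same property but is harmless there, since skipping an empty map is the intent.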
@@ -0,0 +1,47 @@ +cluster: + networkPolicy: true +# domain: cozy.local +distribution: + version: 2.3.x + registry: ghcr.io/fluxcd +components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-reflector-controller + - image-automation-controller +kustomize: + patches: + - target: + kind: Deployment + name: "(kustomize-controller|helm-controller|source-controller)" + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=20 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + - op: replace + path: /spec/template/spec/containers/0/resources/limits + value: + cpu: 2000m + memory: 2048Mi + - target: + kind: Deployment + name: source-controller + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --storage-adv-addr=source-controller.cozy-fluxcd.svc + - op: add + path: /spec/template/spec/containers/0/args/- + value: --events-addr=http://notification-controller.cozy-fluxcd.svc/ + - target: + kind: Deployment + name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller) + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --events-addr=http://notification-controller.cozy-fluxcd.svc/ diff --git a/scripts/installer.sh b/scripts/installer.sh index d5edba38..80fce275 100755 --- a/scripts/installer.sh +++ b/scripts/installer.sh 
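Review bot: `distribution.version: 2.3.x` is a semver range rather than a pinned release, so — as I understand FluxInstance semantics — the operator resolves it against `ghcr.io/fluxcd` on reconcile and rolls the controllers forward to new 2.3 patch releases with no change in this repo, i.e. Flux upgrades happen outside code review. That may be the intended trade-off for a distro, but it should be stated: add `# semver range: the operator auto-upgrades the controllers to new 2.3 patch releases; pin an exact version for change-controlled upgrades` above the key, and pin if that is not what operators expect. `cluster.networkPolicy: true` is the right default and the plain-HTTP `--events-addr` matches upstream, so no change there.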
@@ -18,17 +18,27 @@ run_migrations() { done } - -flux_operator_is_ok() { - kubectl wait --for=condition=available -n cozy-fluxcd deploy/fluxcd-flux-operator --timeout=1m +flux_is_ok() { + kubectl wait --for=condition=available -n cozy-fluxcd deploy/source-controller deploy/helm-controller --timeout=1s } -flux_instance_is_ok() { - kubectl wait --for=condition=ready -n cozy-fluxcd fluxinstance/flux --timeout=5m +ensure_fluxcd() { + if flux_is_ok; then + return + fi + if kubectl get crd helmreleases.helm.toolkit.fluxcd.io helmrepositories.source.toolkit.fluxcd.io; then + targets="apply resume" + else + targets="apply-locally" + fi + make -C packages/system/fluxcd-operator $targets + wait_for_crds fluxinstances.fluxcd.controlplane.io + make -C packages/system/fluxcd $targets + wait_for_crds helmreleases.helm.toolkit.fluxcd.io helmrepositories.source.toolkit.fluxcd.io } -flux_controllers_ok() { - kubectl wait --for=condition=available -n cozy-fluxcd deploy/source-controller deploy/helm-controller --timeout=10s +wait_for_crds() { + timeout 60 sh -c "until kubectl get crd $*; do sleep 1; done" } install_basic_charts() { @@ -48,18 +58,14 @@ run_migrations # Install namespaces make -C packages/core/platform namespaces-apply -# Install fluxcd twice (once it will fail, since CRDs can't be ordered) -make -C packages/core/fluxcd apply || make -C packages/core/fluxcd apply - -if flux_operator_is_ok; then - echo "Flux operator is installed and FluxInstance CRD is ready" -fi +# Install fluxcd +ensure_fluxcd # Install platform chart make -C packages/core/platform apply -# Install basic system charts (should be after platform chart applied) -if ! flux_controllers_ok; then +# Install basic charts +if ! flux_is_ok; then install_basic_charts fi From c22a6792c2e8f997178a9fa3bd27a22ed0b7abd1 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 25 Jun 2024 12:46:11 +0200 Subject: [PATCH 38/67] add tenant nginx-ingress 
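Review bot: `ensure_fluxcd` ignores the exit status of both `make` invocations and of `wait_for_crds`, so if the operator install fails or the 60 s CRD wait times out the script continues to `make -C packages/system/fluxcd …` and later to `install_basic_charts` against a half-installed Flux — unless the file runs under `set -e`, which this hunk does not show. Append `|| exit 1` to each `make` and `wait_for_crds` line (or add `set -e` at the top if it is not already there). Separately, `wait_for_crds` splices `$*` into the `sh -c` string; with the fixed CRD names used here that is safe, but `timeout 60 sh -c 'until kubectl get crd "$@"; do sleep 1; done' sh "$@"` passes them as arguments and removes the word-splitting hazard for future callers. `install_basic_charts` itself lies outside the diff.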
Signed-off-by: Andrei Kvapil --- packages/apps/kubernetes/README.md | 21 +++++++++------ .../templates/helmreleases/delete.yaml | 2 ++ .../apps/kubernetes/templates/ingress.yaml | 8 +++--- packages/apps/kubernetes/values.schema.json | 17 ++++++------ packages/apps/kubernetes/values.yaml | 27 ++++++++++++++----- 5 files changed, 49 insertions(+), 26 deletions(-) diff --git a/packages/apps/kubernetes/README.md b/packages/apps/kubernetes/README.md index 434ca7ee..e3134e00 100644 --- a/packages/apps/kubernetes/README.md +++ b/packages/apps/kubernetes/README.md 
@@ -31,11 +31,16 @@ kubectl get secret -n kubernetes--admin-kubeconfig -o g ### Common parameters -| Name | Description | Value | -| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------- | -| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). | `""` | -| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | -| `nodeGroups` | nodeGroups configuration | `{}` | -| `addons.certManager.enabled` | Enables the certificate manager which automatically creates and manages SSL/TLS certificates | `true` | -| `addons.ingressNginx.enabled` | Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role | `true` | -| `addons.ingressNginx.host` | The domain name that should be passtrough to the cluster by upper ingress. | `example.org` | +| Name | Description | Value | +| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). 
| `""` | +| `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | +| `nodeGroups` | nodeGroups configuration | `{}` | + +### Cluster Addons + +| Name | Description | Value | +| ----------------------------- | ---------------------------------------------------------------------------------- | ------- | +| `addons.certManager.enabled` | Enables the cert-manager | `false` | +| `addons.ingressNginx.enabled` | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role) | `false` | +| `addons.ingressNginx.hosts` | List of domain names that should be passed through to the cluster by upper cluster | `[]` | diff --git a/packages/apps/kubernetes/templates/helmreleases/delete.yaml b/packages/apps/kubernetes/templates/helmreleases/delete.yaml index f89ac771..5874e878 100644 --- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml @@ -32,6 +32,7 @@ spec: {{ .Release.Name }}-cilium {{ .Release.Name }}-csi {{ .Release.Name }}-cert-manager + {{ .Release.Name }}-ingress-nginx -p '{"spec": {"suspend": true}}' --type=merge --field-manager=flux-client-side-apply || true --- @@ -64,6 +65,7 @@ rules: - {{ .Release.Name }}-cilium - {{ .Release.Name }}-csi - {{ .Release.Name }}-cert-manager + - {{ .Release.Name }}-ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/packages/apps/kubernetes/templates/ingress.yaml b/packages/apps/kubernetes/templates/ingress.yaml index 3951e1de..e677afab 100644 --- a/packages/apps/kubernetes/templates/ingress.yaml +++ b/packages/apps/kubernetes/templates/ingress.yaml @@ -1,6 +1,6 @@ {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }} -{{- if .Values.addons.ingressNginx.enabled }} +{{- if .Values.addons.ingressNginx.hosts }} --- apiVersion: networking.k8s.io/v1 kind: Ingress 
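Review bot: gating the Ingress on `.Values.addons.ingressNginx.hosts` instead of `.enabled` means a tenant who fills in `hosts` but leaves `enabled: false` still gets an Ingress (and, if the `Service` after the `---` sits under the same `if` — its end is outside this hunk — a Service) pointing at a `<release>-ingress-nginx` backend that is never installed, so traffic for those hosts is accepted by the parent ingress and routed to nothing. Require both: `{{- if and .Values.addons.ingressNginx.enabled .Values.addons.ingressNginx.hosts }}`.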
@@ -12,16 +12,18 @@ metadata: spec: ingressClassName: "{{ $ingress }}" rules: - - host: {{ .Values.addons.ingressNginx.host | quote }} + {{- range .Values.addons.ingressNginx.hosts }} + - host: {{ . | quote }} http: paths: - path: / pathType: ImplementationSpecific backend: service: - name: {{ .Release.Name }}-ingress-nginx + name: {{ $.Release.Name }}-ingress-nginx port: number: 443 + {{- end }} --- apiVersion: v1 kind: Service diff --git a/packages/apps/kubernetes/values.schema.json b/packages/apps/kubernetes/values.schema.json index 2455d5f8..8d3fa1c7 100644 --- a/packages/apps/kubernetes/values.schema.json +++ b/packages/apps/kubernetes/values.schema.json @@ -25,8 +25,8 @@ "properties": { "enabled": { "type": "boolean", - "description": "Enables the certificate manager which automatically creates and manages SSL/TLS certificates", - "default": true + "description": "Enables the cert-manager", + "default": false } } }, @@ -35,13 +35,14 @@ "properties": { "enabled": { "type": "boolean", - "description": "Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role", - "default": true + "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)", + "default": false }, - "host": { - "type": "string", - "description": "The domain name that should be passtrough to the cluster by upper ingress.", - "default": "example.org" + "hosts": { + "type": "array", + "description": "List of domain names that should be passed through to the cluster by upper cluster", + "default": [], + "items": {} } } } diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index 8d8f536a..d591a107 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml 
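Review bot: each entry of the tenant-supplied `hosts` list is rendered verbatim into `host:` of an Ingress on the shared upper ingress class, and nothing in this template checks the names against the tenant's own domain (the README in this same commit says the cluster host defaults to a subdomain of the tenant host, so that domain is known to the chart). Unless the parent ingress controller or an admission policy enforces host ownership — not visible here — a tenant can claim any hostname, including another tenant's, and have the parent cluster route it into its own nginx. I'd either `fail` in the template when a host is not under the tenant domain, or add a comment above the `range` recording where that check is enforced; the `path: /` with `pathType: ImplementationSpecific` is fine for a pass-through but also deserves a one-line comment saying the tenant's nginx does the real routing.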
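Review bot: `"items": {}` accepts any JSON value in `addons.ingressNginx.hosts`, so a number or an object passes schema validation and only fails (or renders oddly through `| quote`) at template time. Tighten it to `"items": { "type": "string", "format": "hostname" }` (drop `format` if the validator in use does not implement it) so malformed input is rejected at the values boundary rather than inside the parent cluster's ingress. The description `passed through to the cluster by upper cluster` would read better as `routed to this cluster by the parent cluster's ingress`.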
@@ -19,13 +19,26 @@ nodeGroups: roles: - ingress-nginx +## @section Cluster Addons +## addons: - ## @param addons.certManager.enabled Enables the certificate manager which automatically creates and manages SSL/TLS certificates - certManager: - enabled: true - ## @param addons.ingressNginx.enabled Enables Ingress-NGINX Controller on nodes with 'ingress-nginx' role - ## @param addons.ingressNginx.host The domain name that should be passtrough to the cluster by upper ingress. + ## Cert-manager: automatically creates and manages SSL/TLS certificate + ## + certManager: + ## @param addons.certManager.enabled Enables the cert-manager + enabled: false + + ## Ingress-NGINX Controller + ## ingressNginx: - enabled: true - host: "example.org" + ## @param addons.ingressNginx.enabled Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role) + ## + enabled: false + ## @param addons.ingressNginx.hosts List of domain names that should be passed through to the cluster by upper cluster + ## e.g: + ## hosts: + ## - example.org + ## - foo.example.net + ## + hosts: [] From c01604fb7fce10cee5adea1446572ed11a8108f3 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 26 Jun 2024 03:07:53 +0200 Subject: [PATCH 39/67] fix typo in cert-manager addon --- .../apps/kubernetes/templates/helmreleases/cert-manager.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml index 175b94b2..71d395f5 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml @@ -8,7 +8,7 @@ metadata: coztstack.io/target-cluster-name: {{ .Release.Name }} spec: interval: 1m - releaseName: cert-mnager + releaseName: cert-manager chart: spec: chart: cozy-cert-manager From 7462be79be12a289f55ca24cebc484a75d5d7bfc Mon Sep 17 00:00:00 2001 
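Review bot: Changing `releaseName` from `cert-mnager` to `cert-manager` on a HelmRelease that may already be installed in tenant clusters presumably makes helm-controller perform a fresh install under the new name, leaving the old `cert-mnager` release record and its objects in `cozy-cert-manager` to conflict with the new ones. A short note on how existing clusters migrate would help; the same applies to the ingress-nginx rename in patch 41. Only the `spec` head of the HelmRelease is inside the hunk.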
From: Andrei Kvapil Date: Wed, 26 Jun 2024 03:08:09 +0200 Subject: [PATCH 40/67] add fluxcd addon --- packages/apps/kubernetes/README.md | 2 + .../templates/helmreleases/delete.yaml | 4 + .../templates/helmreleases/fluxcd.yaml | 74 +++++++++++++++++++ packages/apps/kubernetes/values.schema.json | 10 +++ packages/apps/kubernetes/values.yaml | 7 ++ 5 files changed, 97 insertions(+) create mode 100644 packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml diff --git a/packages/apps/kubernetes/README.md b/packages/apps/kubernetes/README.md index e3134e00..ea801630 100644 --- a/packages/apps/kubernetes/README.md +++ b/packages/apps/kubernetes/README.md @@ -44,3 +44,5 @@ kubectl get secret -n kubernetes--admin-kubeconfig -o g | `addons.certManager.enabled` | Enables the cert-manager | `false` | | `addons.ingressNginx.enabled` | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role) | `false` | | `addons.ingressNginx.hosts` | List of domain names that should be passed through to the cluster by upper cluster | `[]` | +| `addons.fluxcd.enabled` | Enables Flux CD | `false` | + diff --git a/packages/apps/kubernetes/templates/helmreleases/delete.yaml b/packages/apps/kubernetes/templates/helmreleases/delete.yaml index 5874e878..21925476 100644 --- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml @@ -33,6 +33,8 @@ spec: {{ .Release.Name }}-csi {{ .Release.Name }}-cert-manager {{ .Release.Name }}-ingress-nginx + {{ .Release.Name }}-fluxcd-operator + {{ .Release.Name }}-fluxcd -p '{"spec": {"suspend": true}}' --type=merge --field-manager=flux-client-side-apply || true --- @@ -66,6 +68,8 @@ rules: - {{ .Release.Name }}-csi - {{ .Release.Name }}-cert-manager - {{ .Release.Name }}-ingress-nginx + - {{ .Release.Name }}-fluxcd-operator + - {{ .Release.Name }}-fluxcd --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
diff --git a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml
new file mode 100644
index 00000000..17c1e352
--- /dev/null
+++ b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml
@@ -0,0 +1,74 @@
+{{- if .Values.addons.fluxcd.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: {{ .Release.Name }}-fluxcd-operator
+ labels:
+ cozystack.io/repository: system
+ coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+ interval: 1m
+ releaseName: fluxcd-operator
+ chart:
+ spec:
+ chart: cozy-fluxcd-operator
+ reconcileStrategy: Revision
+ sourceRef:
+ kind: HelmRepository
+ name: cozystack-system
+ namespace: cozy-system
+ kubeConfig:
+ secretRef:
+ name: {{ .Release.Name }}-kubeconfig
+ targetNamespace: cozy-fluxcd
+ storageNamespace: cozy-fluxcd
+ install:
+ createNamespace: true
+ values:
+ flux-operator:
+ fullnameOverride: flux-operator
+ tolerations: []
+ hostNetwork: false
+ dependsOn:
+ {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+ - name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ - name: {{ .Release.Name }}-cilium
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: {{ .Release.Name }}-fluxcd
+ labels:
+ cozystack.io/repository: system
+ coztstack.io/target-cluster-name: {{ .Release.Name }}
+spec:
+ interval: 1m
+ releaseName: fluxcd
+ chart:
+ spec:
+ chart: cozy-fluxcd
+ reconcileStrategy: Revision
+ sourceRef:
+ kind: HelmRepository
+ name: cozystack-system
+ namespace: cozy-system
+ kubeConfig:
+ secretRef:
+ name: {{ .Release.Name }}-kubeconfig
+ targetNamespace: cozy-fluxcd
+ storageNamespace: cozy-fluxcd
+ install:
+ createNamespace: true
+ dependsOn:
+ {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }}
+ - name: {{ .Release.Name }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ - name: {{ .Release.Name }}-cilium
+ namespace: {{ .Release.Namespace }}
+ - name: {{ .Release.Name }}-fluxcd-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }}
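Review bot: The label key `coztstack.io/target-cluster-name` in both HelmRelease metadata blocks does not match the `cozystack.io/` prefix of the `repository` label one line above it; the sibling helmreleases in this series (cert-manager, cilium, csi, ingress-nginx) carry the same spelling, so it was presumably copied from them, and any selector written as `cozystack.io/target-cluster-name` would match none of them. If nothing depends on the misspelling, fix it here and in the siblings in one change so the label stays consistent. The two `dependsOn` blocks also repeat the same `lookup` guard; a small named template would keep them in step.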
diff --git a/packages/apps/kubernetes/values.schema.json b/packages/apps/kubernetes/values.schema.json index 8d3fa1c7..cceff4d3 100644 --- a/packages/apps/kubernetes/values.schema.json +++ b/packages/apps/kubernetes/values.schema.json @@ -45,6 +45,16 @@ "items": {} } } + }, + "fluxcd": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables Flux CD", + "default": false + } + } } } } diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index d591a107..548e344d 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -42,3 +42,10 @@ addons: ## - foo.example.net ## hosts: [] + + ## Flux CD + ## + fluxcd: + ## @param addons.fluxcd.enabled Enables Flux CD + ## + enabled: false From 07384c40f885c5135f706530bd0c6d4f1cc1bcda Mon Sep 17 00:00:00 2001 From: Kingdon Barrett Date: Fri, 28 Jun 2024 03:02:41 -0400 Subject: [PATCH 41/67] Tenant nginx ingress (fixes) (#191) I am testing install with this PR #183 and I had some issues, these should help --------- Signed-off-by: Kingdon Barrett --- .../templates/helmreleases/ingress-nginx.yaml | 2 +- scripts/installer.sh | 1 + scripts/package-system.mk | 11 +++++++---- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml index 13749a9f..2255b07b 100644 --- a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml @@ -8,7 +8,7 @@ metadata: coztstack.io/target-cluster-name: {{ .Release.Name }} spec: interval: 1m - releaseName: cert-mnager + releaseName: ingress-nginx chart: spec: chart: cozy-ingress-nginx diff --git a/scripts/installer.sh b/scripts/installer.sh index 80fce275..63121180 100755 --- a/scripts/installer.sh +++ b/scripts/installer.sh 
@@ -20,6 +20,7 @@ run_migrations() { flux_is_ok() { kubectl wait --for=condition=available -n cozy-fluxcd deploy/source-controller deploy/helm-controller --timeout=1s + kubectl wait --for=condition=ready -n cozy-fluxcd helmrelease/fluxcd --timeout=1s # to call "apply resume" below } ensure_fluxcd() { diff --git a/scripts/package-system.mk b/scripts/package-system.mk index 3f9c908d..37d12fe3 100644 --- a/scripts/package-system.mk +++ b/scripts/package-system.mk 
@@ -5,13 +5,16 @@ help: ## Show this help. @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) show: ## Show output of rendered templates - kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | helm template --dry-run=server --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f - + kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME) \ + helm template --dry-run=server --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f - -apply: suspend ## Apply Helm release to a Kubernetes cluster - kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | helm upgrade -i --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f - +apply: suspend ## Apply Helm release to a Kubernetes cluster + kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME) \ + helm upgrade -i --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f - diff: ## Diff Helm release against objects in a Kubernetes cluster - kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | helm diff upgrade --allow-unreleased --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f - + kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME) \ + helm diff upgrade --allow-unreleased --post-renderer ../../../scripts/fluxcd-kustomize.sh -n $(NAMESPACE) $(NAME) . -f - suspend: ## Suspend reconciliation for an existing Helm release kubectl patch hr -n $(NAMESPACE) $(NAME) -p '{"spec": {"suspend": true}}' --type=merge --field-manager=flux-client-side-apply From a798afc7e83ec20deccd25cb2c9461eb0c1ed862 Mon Sep 17 00:00:00 2001 
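Review bot: The `show`, `apply` and `diff` recipes now each repeat the `kubectl get hr ... | NAMESPACE=$(NAMESPACE) NAME=$(NAME)` prefix, so the next variable the post-renderer needs must be added in three places. Hoisting it into one variable keeps them in step, e.g. `HR_VALUES = kubectl get hr -n $(NAMESPACE) $(NAME) -o jsonpath='{.spec.values}' | NAMESPACE=$(NAMESPACE) NAME=$(NAME)` and then `$(HR_VALUES) helm template ...` in each recipe.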
From: Andrei Kvapil Date: Wed, 3 Jul 2024 14:14:21 +0200 Subject: [PATCH 42/67] Update etcd-operator v0.3.0 Signed-off-by: Andrei Kvapil --- .../charts/etcd-operator/Chart.yaml | 4 +- .../charts/etcd-operator/README.md | 85 +++++------ .../charts/etcd-operator/README.md.gotmpl | 19 +++ .../etcd-operator/crds/etcd-cluster.yaml | 29 +++- .../rbac/clusterrole-manager-role.yml | 16 +++ .../templates/workload/deployment.yml | 6 + .../charts/etcd-operator/values.schema.json | 10 +- .../charts/etcd-operator/values.yaml | 132 +++++++++++++++--- 8 files changed, 215 insertions(+), 86 deletions(-) create mode 100644 packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl diff --git a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml index 36ad3b42..9c3b72a5 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v0.2.0 +appVersion: v0.3.0 name: etcd-operator type: application -version: 0.2.0 +version: 0.3.0 diff --git a/packages/system/etcd-operator/charts/etcd-operator/README.md b/packages/system/etcd-operator/charts/etcd-operator/README.md index 729dab25..33838106 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/README.md +++ b/packages/system/etcd-operator/charts/etcd-operator/README.md 
@@ -1,63 +1,54 @@ # etcd-operator -![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | | +| affinity | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | | etcdOperator.args[0] | string | `"--health-probe-bind-address=:8081"` | | | etcdOperator.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` | | | etcdOperator.args[2] | string | `"--leader-elect"` | | -| etcdOperator.envVars | object | `{}` | | -| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | | -| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | | -| etcdOperator.image.tag | string | `""` | | -| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | | -| etcdOperator.livenessProbe.httpGet.port | int | `8081` | | -| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | | -| etcdOperator.livenessProbe.periodSeconds | int | `20` | | -| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | | -| etcdOperator.readinessProbe.httpGet.port | int | `8081` | | -| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | | -| etcdOperator.readinessProbe.periodSeconds | int | `10` | | -| etcdOperator.resources.limits.cpu | string | `"500m"` | | -| etcdOperator.resources.limits.memory | string | `"128Mi"` | | -| etcdOperator.resources.requests.cpu | string | `"100m"` | | -| etcdOperator.resources.requests.memory | string | `"64Mi"` | | -| etcdOperator.securityContext.allowPrivilegeEscalation | bool | `false` | | -| 
etcdOperator.securityContext.capabilities.drop[0] | string | `"ALL"` | | -| etcdOperator.service.port | int | `9443` | | -| etcdOperator.service.type | string | `"ClusterIP"` | | -| fullnameOverride | string | `""` | | +| etcdOperator.envVars | object | `{}` | Empty environment variables section | +| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | Image repository | +| etcdOperator.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | Healthcheck liveness probe path | +| etcdOperator.livenessProbe.httpGet.port | int | `8081` | Healthcheck port | +| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.livenessProbe.periodSeconds | int | `20` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | Healthcheck readiness probe path | +| etcdOperator.readinessProbe.httpGet.port | int | `8081` | Healthcheck port | +| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.readinessProbe.periodSeconds | int | `10` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| etcdOperator.securityContext | object | 
`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| etcdOperator.service.port | int | `9443` | Service port | +| etcdOperator.service.type | string | `"ClusterIP"` | Service type | +| fullnameOverride | string | `""` | Override a full name of helm release | | imagePullSecrets | list | `[]` | | | kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` | | | kubeRbacProxy.args[1] | string | `"--upstream=http://127.0.0.1:8080/"` | | | kubeRbacProxy.args[2] | string | `"--logtostderr=true"` | | | kubeRbacProxy.args[3] | string | `"--v=0"` | | -| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | | -| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | -| kubeRbacProxy.image.tag | string | `"v0.16.0"` | | -| kubeRbacProxy.livenessProbe | object | `{}` | | -| kubeRbacProxy.readinessProbe | object | `{}` | | -| kubeRbacProxy.resources.limits.cpu | string | `"500m"` | | -| kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | | -| kubeRbacProxy.resources.requests.cpu | string | `"100m"` | | -| kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | | -| kubeRbacProxy.securityContext.allowPrivilegeEscalation | bool | `false` | | -| kubeRbacProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | -| kubeRbacProxy.service.port | int | `8443` | | -| kubeRbacProxy.service.type | string | `"ClusterIP"` | | -| kubernetesClusterDomain | string | `"cluster.local"` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podLabels | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| securityContext.runAsNonRoot | bool | `true` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| tolerations | list | `[]` | | +| kubeRbacProxy.image.pullPolicy | 
string | `"IfNotPresent"` | Image pull policy | +| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository | +| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image | +| kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| kubeRbacProxy.service.port | int | `8443` | Service port | +| kubeRbacProxy.service.type | string | `"ClusterIP"` | Service type | +| kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain prefix | +| nameOverride | string | `""` | Override a name of helm release | +| nodeSelector | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | +| podAnnotations | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | +| podLabels | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | +| podSecurityContext | object | `{}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| replicaCount | int | `1` | Count of pod replicas | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| tolerations | list | `[]` | ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | diff --git a/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl b/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl new file mode 100644 index 00000000..e1c25058 --- /dev/null +++ b/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl @@ -0,0 +1,19 @@ +{{ template "chart.header" . }} + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.typeBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml b/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml index 3abbf976..279e4b63 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: etcd-operator-system/etcd-operator-serving-cert - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: etcdclusters.etcd.aenix.io spec: conversion: 
@@ -202,25 +202,43 @@ spec: security: description: Security describes security settings of etcd (authentication, certificates, rbac) properties: + enableAuth: + description: Section to enable etcd auth + type: boolean tls: description: Section for user-managed tls certificates properties: clientSecret: - description: Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret. + description: |- + Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string clientTrustedCASecret: - description: Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret. + description: |- + Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string peerSecret: - description: Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret. + description: |- + Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string peerTrustedCASecret: - description: Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret. + description: |- + Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string serverSecret: description: |- Server certificate secret to secure client-server communication. 
Is provided to the client who connects to etcd by client port (2379 by default). It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. + type: string + serverTrustedCASecret: + description: |- + Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd. + It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used. + This secret must be created in the namespace with etcdCluster CR. type: string type: object type: object @@ -581,6 +599,7 @@ spec: not set, the implementation will apply its default routing strategy. If set to "PreferClose", implementations should prioritize endpoints that are topologically close (e.g., same zone). + This is an alpha field and requires enabling ServiceTrafficDistribution feature. type: string type: description: |- diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml index ccb982ac..6cc79370 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml +++ b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml @@ -17,6 +17,22 @@ rules: - patch - update - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - list + - get + - watch - apiGroups: - "" resources: diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml index ece5bae8..17848ada 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml 
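Review bot: The new `secrets` rule grants `get`/`list`/`watch` on Secrets cluster-wide, since this is a ClusterRole, whereas the CRD descriptions in the same commit say the TLS secrets must live in the namespace of the EtcdCluster CR. That widens the blast radius of a compromised operator pod to every Secret in the cluster, not only etcd material; if the controller only reads secrets in CR namespaces, a namespaced Role would suffice, and otherwise a comment above the rule such as `# cluster-wide because the secret informer spans all namespaces` would make the scope deliberate. The rules list continues outside the hunk.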
+++ b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml @@ -58,6 +58,12 @@ spec: - configMapRef: name: {{ include "etcd-operator.fullname" . }}-env {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert diff --git a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json index 97400378..65836a6b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json +++ b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json @@ -256,14 +256,6 @@ "replicaCount": { "type": "integer" }, - "securityContext": { - "properties": { - "runAsNonRoot": { - "type": "boolean" - } - }, - "type": "object" - }, "serviceAccount": { "properties": { "annotations": { @@ -281,4 +273,4 @@ } }, "type": "object" -} \ No newline at end of file +} diff --git a/packages/system/etcd-operator/charts/etcd-operator/values.yaml b/packages/system/etcd-operator/charts/etcd-operator/values.yaml index 9c9ff75a..dcef802b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/values.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/values.yaml 
@@ -1,98 +1,184 @@ etcdOperator: + image: + + # -- Image repository repository: ghcr.io/aenix-io/etcd-operator + + # -- Image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + + # -- Overrides the image tag whose default is the chart appVersion. tag: "" + args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + service: + + # -- Service type type: ClusterIP + + # -- Service port port: 9443 + + # -- Empty environment variables section envVars: {} + livenessProbe: + httpGet: + + # -- Healthcheck liveness probe path path: /healthz + + # -- Healthcheck port port: 8081 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes initialDelaySeconds: 15 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes periodSeconds: 20 + readinessProbe: + httpGet: + + # -- Healthcheck readiness probe path path: /readyz + + # -- Healthcheck port port: 8081 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes initialDelaySeconds: 5 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes periodSeconds: 10 + + # -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: - ALL kubeRbacProxy: + image: + + # -- Image repository repository: gcr.io/kubebuilder/kube-rbac-proxy + + # -- Image pull policy pullPolicy: IfNotPresent + + # -- Version of image tag: v0.16.0 + args: - --secure-listen-address=0.0.0.0:8443 - 
--upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=0 - service: - type: ClusterIP - port: 8443 - livenessProbe: {} - readinessProbe: {} - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + service: + + # -- Service type + type: ClusterIP + + # -- Service port + port: 8443 + + # -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: {} + + # -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + readinessProbe: {} + + # -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + + limits: + + cpu: 250m + + memory: 128Mi + + requests: + + cpu: 100m + + memory: 64Mi + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + + allowPrivilegeEscalation: false + + capabilities: + + drop: + - ALL + +# -- Kubernetes cluster domain prefix kubernetesClusterDomain: cluster.local +# -- Count of pod replicas replicaCount: 1 imagePullSecrets: [] +# -- Override a name of helm release nameOverride: "" +# -- Override a full name of helm release fullnameOverride: "" serviceAccount: - # Specifies whether a service account should be created + + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + + # -- Annotations to add to the service account annotations: {} +# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} +# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} +# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ podSecurityContext: {} # fsGroup: 2000 -securityContext: - runAsNonRoot: true - +# -- ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ nodeSelector: {} +# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] +# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity affinity: {} From 2ab9a386cd177321db102e450386610747f10d51 Mon Sep 17 00:00:00 2001 From: Kingdon Barrett Date: Wed, 3 Jul 2024 20:28:57 -0400 Subject: [PATCH 43/67] Fine-tuning Flux configuration (#196) Fix #195 Don't set the `interval` so short on HelmReleases, with this many HelmReleases that really hamstrings the control plane. Also, copy the install/upgrade remediation config from system packages to the Kubernetes templates for addon packages (cilium, flux, ingress) - in my testing the ingress-nginx chart fails every time the first time. Maybe that should be filed as a separate issue, I haven't looked into detail, it is some issue related to a secret not being created, I think it said something related to an admission controller. Looks as though it's a conflict with being installed at the same time as the cert-manager addon. Signed-off-by: Kingdon Barrett --- .../templates/helmreleases/cert-manager.yaml | 7 ++++++- .../kubernetes/templates/helmreleases/cilium.yaml | 7 ++++++- .../kubernetes/templates/helmreleases/csi.yaml | 7 ++++++- .../kubernetes/templates/helmreleases/fluxcd.yaml | 14 ++++++++++++-- .../templates/helmreleases/ingress-nginx.yaml | 7 ++++++- packages/core/platform/templates/helmreleases.yaml | 2 +- 6 files changed, 37 insertions(+), 7 deletions(-) diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml index 71d395f5..f8e02559 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml 
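Review bot: `securityContext.runAsNonRoot: true` is removed from values (and from the schema and README earlier in this patch) while `podSecurityContext` stays `{}` and neither container `securityContext` sets `runAsNonRoot`, so if the deployment template rendered that key the pods lose the non-root enforcement; if the key was dead, the subject should say so. Either way the guarantee is cheap to keep by adding `runAsNonRoot: true` under `podSecurityContext`. The `kubeRbacProxy.resources.limits.cpu` change from `500m` to `250m` is also a behaviour change not mentioned in the subject, and the blank line between every nested key in the kubeRbacProxy block is unlike the rest of the file.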
@@ -7,7 +7,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: cert-manager chart: spec: @@ -24,6 +24,11 @@ spec: storageNamespace: cozy-cert-manager install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 dependsOn: {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml index ca99af87..8918b5df 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml @@ -6,7 +6,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: cilium chart: spec: @@ -23,6 +23,11 @@ spec: storageNamespace: cozy-cilium install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 values: cilium: tunnel: disabled diff --git a/packages/apps/kubernetes/templates/helmreleases/csi.yaml b/packages/apps/kubernetes/templates/helmreleases/csi.yaml index 349da151..2485d47c 100644 --- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml @@ -6,7 +6,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: csi chart: spec: @@ -23,6 +23,11 @@ spec: storageNamespace: cozy-csi install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 dependsOn: {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} 
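Review bot: `remediation: retries: -1` under both `install` and `upgrade` in the cert-manager hunk removes the failure-count cutoff — a negative value in Flux means retry without limit — so a release that can never succeed is reinstalled or rolled back forever and never reaches a terminal Failed condition that alerting can key on. The description itself traces the ingress-nginx first-install failure to an unresolved admission-secret conflict, which is exactly the kind of failure that now gets retried silently instead of surfacing. If unlimited retries are the intended first-boot behaviour, record it next to the value, e.g. `retries: -1  # unlimited: addons race each other on first install (#195); failures show only in conditions/events`, or choose a bounded count. The same block is pasted verbatim into the cilium and csi hunks on this line, so whatever is decided should be applied to all three.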
diff --git a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml index 17c1e352..c4ca6fd3 100644 --- a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml @@ -7,7 +7,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: fluxcd-operator chart: spec: @@ -24,6 +24,11 @@ spec: storageNamespace: cozy-fluxcd install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 values: flux-operator: fullnameOverride: flux-operator @@ -45,7 +50,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: fluxcd chart: spec: @@ -62,6 +67,11 @@ spec: storageNamespace: cozy-fluxcd install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 dependsOn: {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} diff --git a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml index 2255b07b..573fb601 100644 --- a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml @@ -7,7 +7,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: ingress-nginx chart: spec: @@ -24,6 +24,11 @@ spec: storageNamespace: cozy-ingress-nginx install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 values: ingress-nginx: fullnameOverride: ingress-nginx 
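Review bot: The ingress-nginx hunk adopts `retries: -1` to get past a first-install failure that the description attributes to an admission-webhook secret not being created while cert-manager installs concurrently; unlimited retries mask that ordering problem rather than fix it. If the ingress-nginx HelmRelease does not already declare a `dependsOn` entry on the cert-manager release (none is visible in this hunk, whereas the cert-manager hunk on the previous line declares one on the cluster release), adding that dependency removes the race and lets the retry count stay bounded. Until then a comment at the value, e.g. `# -1 = unlimited; this release races cert-manager on first install, see #195`, records why the system-package setting was copied here.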
diff --git a/packages/core/platform/templates/helmreleases.yaml b/packages/core/platform/templates/helmreleases.yaml
index bf7e1748..eaee0ea6 100644
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -20,7 +20,7 @@ metadata:
 labels:
 cozystack.io/repository: system
 spec:
- interval: 1m
+ interval: 5m
 releaseName: {{ $x.releaseName | default $x.name }}
 install:
 crds: CreateReplace
From b23ad47f514b9f3af9a87497c262a710ff1e3894 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Thu, 4 Jul 2024 10:25:58 +0200
Subject: [PATCH 44/67] Update etcd-operator v0.3.1 (#197)
---
packages/system/etcd-operator/charts/etcd-operator/Chart.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
index 9c3b72a5..ca799e82 100644
--- a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.3.0
+appVersion: v0.3.1
 name: etcd-operator
 type: application
-version: 0.3.0
+version: 0.3.1
From 15478a8807228ba0c0ba96120de5b8327f382244 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Thu, 4 Jul 2024 10:32:26 +0200
Subject: [PATCH 45/67] Prepare release v0.8.0 (#194)
Signed-off-by: Andrei Kvapil --- manifests/cozystack-installer.yaml | 4 +- .../apps/http-cache/images/nginx-cache.json | 48 ++++++++++++++- .../images/ubuntu-container-disk.json | 48 ++++++++++++++- packages/apps/tenant/Chart.yaml | 2 +- packages/apps/versions_map | 3 +- packages/core/installer/images/cozystack.json | 8 +-- packages/core/installer/images/cozystack.tag | 2 +- packages/extra/monitoring/Chart.yaml | 2 +- packages/extra/versions_map | 3 +- packages/system/cilium/images/cilium.json | 61 ++++++++++++++++++- packages/system/cilium/images/cilium.tag | 2 +- .../system/dashboard/images/dashboard.json | 51 +++++++++++++++- .../system/dashboard/images/dashboard.tag | 2 +- .../dashboard/images/kubeapps-apis.json | 57 ++++++++++++++++- .../system/dashboard/images/kubeapps-apis.tag | 2 +- packages/system/kubeovn/images/kubeovn.json | 51 +++++++++++++++- 16 files changed, 320 insertions(+), 26 deletions(-) diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index 3112f1c6..54bbe347 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index 395c34ca..e71ab98c 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json 
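Review bot: Both container specs in the installer hunks still reference `ghcr.io/aenix-io/cozystack/cozystack:v0.8.0` by tag only, even though `packages/core/installer/images/cozystack.json` in the same commit records the manifest-list digest `sha256:539c8bc6…` for that tag; a tag is mutable, and the hotfix commit further down this page re-pushes the same `v0.8.0` tag with a different digest (`sha256:48e9f676…`). The image runs with the `cozystack` service account on the management cluster, so it is worth pinning the bootstrap reference as tag plus digest, e.g. `image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0@sha256:539c8bc610ecee7ea8d1b728020b6131eb5e46aafe40d5a4d85e8cf79fae3c72"`, so what runs is reproducible and tamper-evident. If the manifest is generated from the `.json`/`.tag` files at release time, that generator is the place to emit the digest rather than the tag.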
@@ -1,4 +1,48 @@ { - "containerimage.config.digest": "sha256:31dedc466b9f92131f3e0f35b47d1f3771b6895d5b9a6cc089786b76b00c3a25", - "containerimage.digest": "sha256:86c7a8f2a11cbede492c778ffd67c759f722ab6958cab4a9df66af4035b1d7d9" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64", + "digest": { + "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "args": { + "build-arg:ARCH": "amd64" + }, + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/iixrpj9up3jfyyrovbx167irv", + "containerimage.config.digest": "sha256:a359a6c83a1861ac146c42030e513b925ec155207b77baf5f61f19c507ab3ee5", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:57b113a4392b958612c14ed348147c221fe17d3ad6623fb7bd778e54139f45b9", + "size": 1094, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:57b113a4392b958612c14ed348147c221fe17d3ad6623fb7bd778e54139f45b9", + "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.8.0" } \ No newline at end of file diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json index e7685393..05b67523 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.json +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json 
@@ -1,4 +1,48 @@ { - "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e", - "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64", + "digest": { + "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "args": { + "build-arg:ARCH": "amd64" + }, + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/yscjdwk0a8zfgvypn9gfzoeqj", + "containerimage.config.digest": "sha256:62f92e19bf0610f85515bef28db8465650a25346472f52360736ad3a49ce7529", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:f1176049da8651f438b2035c5a2cb6fd253ae868c4640e56785c91364069e0d8", + "size": 506, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:f1176049da8651f438b2035c5a2cb6fd253ae868c4640e56785c91364069e0d8", + "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1-v0.8.0" } \ No newline at end of file diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 9ea4afc6..9a866e0f 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg type: application -version: 1.1.0 +version: 1.2.0 
diff --git a/packages/apps/versions_map b/packages/apps/versions_map index bb7fe850..614d28d2 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -27,7 +27,8 @@ tenant 0.1.3 3d1b86c tenant 0.1.4 d200480 tenant 0.1.5 e3ab858 tenant 1.0.0 7cd7de7 -tenant 1.1.0 HEAD +tenant 1.1.0 4da8ac3b +tenant 1.2.0 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 HEAD diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 8e61c51f..303597cf 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,10 +1,10 @@ { - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/h4dfyd134l9durh9d02r2u2uu", + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/bkyp0lfy9cwyxbqtk2t3sl0ki", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:b5cbbb921a240d05c6775aab15c99432180c5547801ef6cb6ca51303eeb489e1", + "digest": "sha256:539c8bc610ecee7ea8d1b728020b6131eb5e46aafe40d5a4d85e8cf79fae3c72", "size": 685 }, - "containerimage.digest": "sha256:b5cbbb921a240d05c6775aab15c99432180c5547801ef6cb6ca51303eeb489e1", - "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" + "containerimage.digest": "sha256:539c8bc610ecee7ea8d1b728020b6131eb5e46aafe40d5a4d85e8cf79fae3c72", + "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index 602d7b26..75bdf91c 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:latest +ghcr.io/aenix-io/cozystack/cozystack:v0.8.0 diff --git a/packages/extra/monitoring/Chart.yaml b/packages/extra/monitoring/Chart.yaml index dbfa5374..0c28c1bf 100644 
--- a/packages/extra/monitoring/Chart.yaml +++ b/packages/extra/monitoring/Chart.yaml @@ -3,4 +3,4 @@ name: monitoring description: Monitoring and observability stack icon: https://www.svgrepo.com/download/184787/analytics-laptop.svg type: application -version: 1.0.0 +version: 1.1.0 diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 7b373bf8..45fa333e 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -4,4 +4,5 @@ etcd 2.0.1 6fc1cc7d etcd 2.1.0 HEAD ingress 1.0.0 f642698 ingress 1.1.0 HEAD -monitoring 1.0.0 HEAD +monitoring 1.0.0 f642698 +monitoring 1.1.0 HEAD diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json index 47ee9b16..d502e021 100644 --- a/packages/system/cilium/images/cilium.json +++ b/packages/system/cilium/images/cilium.json 
@@ -1,4 +1,61 @@ { - "containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f", - "containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/docker/dockerfile@experimental", + "digest": { + "sha256": "600e5c62eedff338b3f7a0850beb7c05866e0ef27b2d2e8c02aa468e78496ff5" + } + }, + { + "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", + "digest": { + "sha256": "7dcf6f2084586b44844aea8615db684c9361cf6bebf235a1750595633ed021bd" + } + }, + { + "uri": "pkg:docker/quay.io/cilium/cilium@v1.15.5?platform=linux%2Famd64", + "digest": { + "sha256": "4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "gateway.v0", + "args": { + "cmdline": "docker/dockerfile:experimental", + "source": "docker/dockerfile:experimental" + }, + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/fsidbune5vw82lhgf2ofhwo0g", + "containerimage.config.digest": "sha256:79635c7d6c1f3a457406d39590ee94168caa925eae7a82bac4fed42e751f135d", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:3cee2f43abcc7ae34dddf589345b871d4eb6a4f0281c7758844b05c7c5ec4965", + "size": 2083, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:3cee2f43abcc7ae34dddf589345b871d4eb6a4f0281c7758844b05c7c5ec4965", + "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.8.0" } \ No newline at end of file 
diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag index ab03ee07..f2887794 100644 --- a/packages/system/cilium/images/cilium.tag +++ b/packages/system/cilium/images/cilium.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cilium:latest +ghcr.io/aenix-io/cozystack/cilium:1.15.5 diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json index fa70d533..d899b03c 100644 --- a/packages/system/dashboard/images/dashboard.json +++ b/packages/system/dashboard/images/dashboard.json 
@@ -1,4 +1,51 @@ { - "containerimage.config.digest": "sha256:8126f86f18708a9157206884c63dc9df7f3090a33e05f4a1b94f2a7da7610c74", - "containerimage.digest": "sha256:e1a285812d1ce34bcf5c37db2a5c12ec99887c930b46ac261895dc98f674c066" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/bitnami/nginx@1.25.2?platform=linux%2Famd64", + "digest": { + "sha256": "fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4" + } + }, + { + "uri": "pkg:docker/bitnami/node@20.12.1?platform=linux%2Famd64", + "digest": { + "sha256": "ac00b5d3742ef2b522e149ac3912a9118ca8dc27556f13700d4a53c1982b1460" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/o70jr31zju6q5ffssjqf8c5us", + "containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17", + "size": 703, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17", + "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.8.0" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index b2afa3cc..96f44cf8 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.7.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.8.0 
diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index b7460aa0..f67c02e0 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json 
@@ -1,4 +1,57 @@ { - "containerimage.config.digest": "sha256:3fbaba7f41e9055839ecb30c1f0d505be732f79433fefdcfd352052d4ce52a19", - "containerimage.digest": "sha256:b33011eaf4dfe775287103f66b667b2976a053a59711103f405c6a5c5cc841bc" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/bitnami/golang@1.22.2?platform=linux%2Famd64", + "digest": { + "sha256": "f6238d0feb519be3a157e0f29d56312fdcbfde165d96987f3956581126371977" + } + }, + { + "uri": "pkg:docker/bitnami/minideb@bookworm?platform=linux%2Famd64", + "digest": { + "sha256": "29b77c65b015126298b9b5d6c20a389f538145c619c8e049ccf2e7cd436e023a" + } + }, + { + "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64", + "digest": { + "sha256": "b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ggf28zo7pywc734xde1oado8l", + "containerimage.config.digest": "sha256:62c4a42cb62f918a2e4bb295f6faaceb96a2dae7fb8cf4bd6850bc072064b4ce", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:a5eab0f2a900ac1963b24bbdbe35bffbee7ba146c86742d6e8bea8c070610d9c", + "size": 1890, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:a5eab0f2a900ac1963b24bbdbe35bffbee7ba146c86742d6e8bea8c070610d9c", + "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.8.0" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index b87bc749..a760f0de 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag 
+++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:latest +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.8.0 diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json index b6bf0857..a5ba1923 100644 --- a/packages/system/kubeovn/images/kubeovn.json +++ b/packages/system/kubeovn/images/kubeovn.json 
@@ -1,4 +1,51 @@ { - "containerimage.config.digest": "sha256:b3d76d1764c8c470a32b4d3b19e48592eda547710e8e6508666930e1db1b4cb3", - "containerimage.digest": "sha256:e5275d3a367aba3b4a7ec0bf25583cc21241e320da2ffd86f5c9cf4a7f6fac77" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64", + "digest": { + "sha256": "c9348ac30ee286aa2c801600f5587e54d07b96b9e137919fa28a84f4ed6806d2" + } + }, + { + "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", + "digest": { + "sha256": "7dcf6f2084586b44844aea8615db684c9361cf6bebf235a1750595633ed021bd" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/uy5qpumete0kfxr1v5cf2dyjo", + "containerimage.config.digest": "sha256:b83d8f607c54ba91b71517099aef98c5f373ef64d268e53fe7f95e15e18ec0af", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:9bedea10c9d2fc0b1213338b4b73b056d5e8ea53302395696d623e6be48bc0be", + "size": 5015, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:9bedea10c9d2fc0b1213338b4b73b056d5e8ea53302395696d623e6be48bc0be", + "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.8.0" } \ No newline at end of file From 3ac170184e5c1fc5cdd400611fd70f2c872a97b7 Mon Sep 17 00:00:00 2001 
From: Andrei Kvapil
Date: Thu, 4 Jul 2024 14:16:23 +0200
Subject: [PATCH 46/67] Fix: kafka replicas and partitions (#192)
Fix kafka app to unhardcode partitions number fixes problem with unability to specify number of partitions and replicas for them also possible fixes https://github.com/aenix-io/cozystack/issues/163
Signed-off-by: Andrei Kvapil
---
packages/apps/kafka/Chart.yaml | 2 +-
packages/apps/kafka/templates/topics.yaml | 8 ++++++--
packages/apps/kafka/values.yaml | 2 +-
packages/apps/versions_map | 3 ++-
4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/packages/apps/kafka/Chart.yaml b/packages/apps/kafka/Chart.yaml
index 289ba581..78be0ce6 100644
--- a/packages/apps/kafka/Chart.yaml
+++ b/packages/apps/kafka/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.2.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/packages/apps/kafka/templates/topics.yaml b/packages/apps/kafka/templates/topics.yaml
index e4f4ea8c..63d4e6fb 100644
--- a/packages/apps/kafka/templates/topics.yaml
+++ b/packages/apps/kafka/templates/topics.yaml
@@ -8,8 +8,12 @@ metadata:
 strimzi.io/cluster: "{{ $.Release.Name }}"
 spec:
 topicName: "{{ $topic.name }}"
- partitions: 10
- replicas: 3
+ {{- with $topic.partitions }}
+ partitions: "{{ . }}"
+ {{- end }}
+ {{- with $topic.replicas }}
+ replicas: "{{ . }}"
+ {{- end }}
 {{- with $topic.config }}
 config:
 {{- toYaml . | nindent 4 }}
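Review bot: `partitions: "{{ . }}"` and `replicas: "{{ . }}"` in the topics.yaml hunk render the values as YAML strings, whereas the removed lines emitted bare integers (`partitions: 10`, `replicas: 3`); if the vendored Strimzi `KafkaTopic` CRD types these fields as integers, as the upstream CRD does, the API server rejects `partitions: "3"` with a validation error, so the chart now breaks for exactly the users who set the new values. Drop the quotes: `partitions: {{ . }}` and `replicas: {{ . }}` (these are numbers, so the usual quote-the-template rule does not apply). Separately, `{{- with }}` omits the field when it is unset, so topics that previously got `replicas: 3` now inherit the broker's default replication factor — worth a note beside the `## replicas: 3` example in values.yaml so single-replica topics are not created by accident.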
@@ -32,6 +32,6 @@ zookeeper:
 ## max.compaction.lag.ms: 5400000
 ## min.insync.replicas: 2
 ## partitions: 1
-## replicationFactor: 3
+## replicas: 3
 ## topics: []
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 614d28d2..423cca3e 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -4,7 +4,8 @@ clickhouse 0.2.1 HEAD
 http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
-kafka 0.2.0 HEAD
+kafka 0.2.0 a2cc83d
+kafka 0.2.1 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
From dfbc210bbd6502270be7ae8b47e6d66e2db1bf5d Mon Sep 17 00:00:00 2001
From: Andrei Kvapil Date: Thu, 4 Jul 2024 15:18:02 +0200 Subject: [PATCH 47/67] hotfix: handle missing flux-operator release during upgrade (#198) image to test: ``` ghcr.io/aenix-io/cozystack/cozystack:v0.8.0@sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef ``` this PR should fix a problem of upgrading from older cozystack version ``` make: Leaving directory '/cozystack/packages/core/platform' deployment.apps/source-controller condition met deployment.apps/helm-controller condition met Error from server (NotFound): helmreleases.helm.toolkit.fluxcd.io "fluxcd" not found NAME CREATED AT helmreleases.helm.toolkit.fluxcd.io 2024-05-29T11:00:16Z helmrepositories.source.toolkit.fluxcd.io 2024-05-29T11:00:17Z make: Entering directory '/cozystack/packages/system/fluxcd-operator' kubectl patch hr -n cozy-fluxcd fluxcd-operator -p '{"spec": {"suspend": true}}' --type=merge --field-manager=flux-client-side-apply Error from server (NotFound): helmreleases.helm.toolkit.fluxcd.io "fluxcd-operator" not found make: *** [../../../scripts/package-system.mk:20: suspend] Error 1 make: Leaving directory '/cozystack/packages/system/fluxcd-operator' time="2024-07-04T12:50:05Z" level=fatal msg="failed to run" err="exit status 2" ``` --- packages/core/installer/images/cozystack.json | 6 +++--- scripts/installer.sh | 16 +++++++++++----- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 303597cf..81e7f558 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json 
@@ -1,10 +1,10 @@
 {
- "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/bkyp0lfy9cwyxbqtk2t3sl0ki",
+ "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/cyr9s3a1cszjq9tt9vrh2czxt",
 "containerimage.descriptor": {
 "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
- "digest": "sha256:539c8bc610ecee7ea8d1b728020b6131eb5e46aafe40d5a4d85e8cf79fae3c72",
+ "digest": "sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef",
 "size": 685
 },
- "containerimage.digest": "sha256:539c8bc610ecee7ea8d1b728020b6131eb5e46aafe40d5a4d85e8cf79fae3c72",
+ "containerimage.digest": "sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef",
 "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0"
 }
\ No newline at end of file
diff --git a/scripts/installer.sh b/scripts/installer.sh
index 63121180..6d08a3bf 100755
--- a/scripts/installer.sh
+++ b/scripts/installer.sh
@@ -27,14 +27,20 @@ ensure_fluxcd() {
 if flux_is_ok; then
 return
 fi
- if kubectl get crd helmreleases.helm.toolkit.fluxcd.io helmrepositories.source.toolkit.fluxcd.io; then
- targets="apply resume"
+ # Install fluxcd-operator
+ if kubectl get helmreleases.helm.toolkit.fluxcd.io -n cozy-fluxcd fluxcd-operator; then
+ make -C packages/system/fluxcd-operator apply resume
 else
- targets="apply-locally"
+ make -C packages/system/fluxcd-operator apply-locally
 fi
- make -C packages/system/fluxcd-operator $targets
 wait_for_crds fluxinstances.fluxcd.controlplane.io
- make -C packages/system/fluxcd $targets
+
+ # Install fluxcd
+ if kubectl get helmreleases.helm.toolkit.fluxcd.io -n cozy-fluxcd fluxcd; then
+ make -C packages/system/fluxcd apply resume
+ else
+ make -C packages/system/fluxcd apply-locally
+ fi
 wait_for_crds helmreleases.helm.toolkit.fluxcd.io helmrepositories.source.toolkit.fluxcd.io
 }
From 7a3e9f574cdcface14e0a3406d9d62a42445f5ae Mon Sep 17 00:00:00 2001
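Review bot: The new `kubectl get helmreleases… fluxcd-operator` / `… fluxcd` probes in the installer.sh hunk treat any non-zero exit as "release absent" and fall through to `apply-locally`, so a NotFound, a missing CRD, an RBAC denial and a transient API-server error are indistinguishable, and a hiccup during an upgrade reinstalls over a live release; the probes' stdout/stderr are also left on the console, so the `Error from server (NotFound)` line quoted in the description still appears on every fresh install, now as expected noise. Keep the CRD check the old code had for the fresh-install path, use `--ignore-not-found` for the release lookup so only a genuine absence selects `apply-locally`, and stop on any other failure; a small helper avoids repeating this for both releases (the CRD probe itself still conflates errors with absence, as the old code did). Whether other kubectl failures already abort the script depends on its `set` options, which are outside this hunk.
```sh
# True when HelmRelease $2 exists in namespace $1. A missing CRD counts as
# "does not exist" (fresh install); any other kubectl failure returns 2 so
# the caller can stop instead of reinstalling over a live release.
hr_exists() {
  kubectl get crd helmreleases.helm.toolkit.fluxcd.io >/dev/null 2>&1 || return 1
  name=$(kubectl get helmreleases.helm.toolkit.fluxcd.io -n "$1" "$2" --ignore-not-found -o name) || return 2
  [ -n "$name" ]
}

ensure_fluxcd() {
  # … unchanged: flux_is_ok early return …
  if hr_exists cozy-fluxcd fluxcd-operator; then
    make -C packages/system/fluxcd-operator apply resume
  elif [ $? -eq 2 ]; then
    echo "cannot determine state of HelmRelease cozy-fluxcd/fluxcd-operator" >&2; exit 1
  else
    make -C packages/system/fluxcd-operator apply-locally
  fi
  # … unchanged: wait_for_crds; same pattern for cozy-fluxcd/fluxcd …
}
```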
From: Kingdon Barrett
Date: Mon, 8 Jul 2024 12:02:56 -0400
Subject: [PATCH 48/67] Fix nginx config error parsing configmap (#200)
The error manifests as: W0705 16:07:35.694677 7 configmap.go:431] unexpected error merging defaults: 2 error(s) decoding: * cannot parse 'proxy-connect-timeout' as int: strconv.ParseInt: parsing "10s": invalid syntax * cannot parse 'proxy-read-timeout' as int: strconv.ParseInt: parsing "10s": invalid syntax I came across this trying to understand why my nginx ingress addon config isn't working, (this didn't help, but at least the warning is gone now.) I'll continue to try to debug, but I think this can merge any time
Signed-off-by: Kingdon Barrett
---
packages/system/ingress-nginx/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml
index 1390e725..b722e5de 100644
--- a/packages/system/ingress-nginx/values.yaml
+++ b/packages/system/ingress-nginx/values.yaml
@@ -32,8 +32,8 @@ ingress-nginx:
 #real-ip-header: "proxy_protocol"
 #enable-real-ip: "true"
 # keep-alive
- proxy-connect-timeout: "10s"
- proxy-read-timeout: "10s"
+ proxy-connect-timeout: "10"
+ proxy-read-timeout: "10"
 keep-alive-requests: "1000000"
 upstream-keepalive-requests: "100000"
 upstream-keepalive-time: '1m'
From 8664d5748e4b592702837663d331192a2695c940 Mon Sep 17 00:00:00 2001
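Review bot: The two corrected values carry no comment recording that ingress-nginx parses `proxy-connect-timeout` and `proxy-read-timeout` from the ConfigMap as plain integer seconds, which is what the `strconv.ParseInt` warning in the description is saying, so the `"10s"` form is likely to be reintroduced the next time someone copies an nginx duration from the keys around it. A one-line comment above the pair prevents that, e.g. `# integer seconds: the controller's ConfigMap parser rejects nginx duration suffixes such as "10s"`. The mix is easy to get wrong because `upstream-keepalive-time: '1m'` two lines below appears to take a duration string, so noting which keys are seconds-only is the useful part.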
From: Kingdon Barrett
Date: Mon, 8 Jul 2024 12:46:40 -0400
Subject: [PATCH 49/67] Fix nginx error related to passthrough TLS (#208)
I don't understand why "true" value isn't accepted here, but I have seen this before. The `--enable-ssl-passthrough` parameter is not supposed to accept any value, it's a stand-alone argument. With this change I get my traffic appropriately passed through to backend ingress on a kubevirt cluster that enabled TLS Without it (the change is made on the addon ingress, which is very strange, because that one isn't even configured to use a passthrough annotation... the root ingress controller doesn't seem to care) I get this error: > 400 Bad Request > The plain HTTP request was sent to HTTPS port > --- > nginx
Signed-off-by: Kingdon Barrett
---
packages/system/ingress-nginx/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml
index b722e5de..16018ed0 100644
--- a/packages/system/ingress-nginx/values.yaml
+++ b/packages/system/ingress-nginx/values.yaml
@@ -1,7 +1,7 @@
 ingress-nginx:
 controller:
 extraArgs:
- enable-ssl-passthrough: true
+ enable-ssl-passthrough: ""
 image:
 registry: ghcr.io
 image: kvaps/ingress-nginx-with-protobuf-exporter/controller
From db1d5cdf4fb21caa26ceafbd2d836fdef157f4ba Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Mon, 8 Jul 2024 20:16:12 +0200
Subject: [PATCH 50/67] Update KubeVirt v1.2.2 (#201)
Signed-off-by: Andrei Kvapil
---
.../templates/kubevirt-operator.yaml | 72 ++++++++++++++++++-
1 file changed, 69 insertions(+), 3 deletions(-)
diff --git a/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml b/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml
index 236cd3de..ed9f9d03 100644
--- a/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml
+++ b/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml
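Review bot: `enable-ssl-passthrough: ""` relies on an ingress-nginx chart convention that is invisible in this file — `extraArgs` entries with a non-empty value are rendered as `--key=value` and empty ones as the bare `--key` — and the description says the author does not know why `true` was rejected, so the line needs a comment such as `# empty on purpose: the chart renders an empty value as the bare --enable-ssl-passthrough flag`. It is also worth stating what the flag buys and costs, since the description says the change targets the addon ingress while the patched file is the system package `packages/system/ingress-nginx/values.yaml`: with passthrough enabled the controller runs an extra internal TCP proxy and any Ingress carrying the passthrough annotation is routed on SNI alone without TLS termination, so header-, auth- and rate-limit-based annotations do not apply to those hosts. In a multi-tenant platform that is a capability being granted to every Ingress author, and a second comment line naming the tenant-cluster use case (`# needed so TLS to tenant kubevirt clusters is passed through untouched`) would make the trade-off reviewable later.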
@@ -354,6 +354,7 @@ spec: type: boolean type: object emulatedMachines: + description: Deprecated. Use architectureConfiguration instead. items: type: string type: array @@ -624,6 +625,22 @@ spec: binding: additionalProperties: properties: + domainAttachmentType: + description: 'DomainAttachmentType is a standard domain + network attachment method kubevirt supports. Supported + values: "tap". The standard domain attachment can + be used instead or in addition to the sidecarImage. + version: 1alphav1' + type: string + migration: + description: 'Migration means the VM using the plugin + can be safely migrated version: 1alphav1' + properties: + method: + description: 'Method defines a pre-defined migration + methodology version: 1alphav1' + type: string + type: object networkAttachmentDefinition: description: 'NetworkAttachmentDefinition references to a NetworkAttachmentDefinition CR object. Format: @@ -650,6 +667,7 @@ spec: type: boolean type: object ovmfPath: + description: Deprecated. Use architectureConfiguration instead. type: string permittedHostDevices: description: PermittedHostDevices holds information about devices @@ -883,6 +901,14 @@ spec: AutoattachSerialConsole is disabled. type: object type: object + vmRolloutStrategy: + description: VMRolloutStrategy defines how changes to a VM object + propagate to its VMI + enum: + - Stage + - LiveUpdate + nullable: true + type: string vmStateStorageClass: description: VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. @@ -3422,6 +3448,7 @@ spec: type: boolean type: object emulatedMachines: + description: Deprecated. Use architectureConfiguration instead. items: type: string type: array 
@@ -3692,6 +3719,22 @@ spec: binding: additionalProperties: properties: + domainAttachmentType: + description: 'DomainAttachmentType is a standard domain + network attachment method kubevirt supports. Supported + values: "tap". The standard domain attachment can + be used instead or in addition to the sidecarImage. + version: 1alphav1' + type: string + migration: + description: 'Migration means the VM using the plugin + can be safely migrated version: 1alphav1' + properties: + method: + description: 'Method defines a pre-defined migration + methodology version: 1alphav1' + type: string + type: object networkAttachmentDefinition: description: 'NetworkAttachmentDefinition references to a NetworkAttachmentDefinition CR object. Format: @@ -3718,6 +3761,7 @@ spec: type: boolean type: object ovmfPath: + description: Deprecated. Use architectureConfiguration instead. type: string permittedHostDevices: description: PermittedHostDevices holds information about devices @@ -3951,6 +3995,14 @@ spec: AutoattachSerialConsole is disabled. type: object type: object + vmRolloutStrategy: + description: VMRolloutStrategy defines how changes to a VM object + propagate to its VMI + enum: + - Stage + - LiveUpdate + nullable: true + type: string vmStateStorageClass: description: VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. @@ -6970,6 +7022,13 @@ rules: - get - list - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list - apiGroups: - subresources.kubevirt.io resources: @@ -7275,6 +7334,13 @@ rules: - get - list - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list - apiGroups: - subresources.kubevirt.io resources: 
@@ -7439,14 +7505,14 @@ spec: - virt-operator env: - name: VIRT_OPERATOR_IMAGE - value: quay.io/kubevirt/virt-operator:v1.1.0 + value: quay.io/kubevirt/virt-operator:v1.2.2 - name: WATCH_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - name: KUBEVIRT_VERSION - value: v1.1.0 - image: quay.io/kubevirt/virt-operator:v1.1.0 + value: v1.2.2 + image: quay.io/kubevirt/virt-operator:v1.2.2 imagePullPolicy: IfNotPresent name: virt-operator ports: From 2ea5e8b1a698a860e5b048255d33cb412c78ba7f Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 8 Jul 2024 20:16:23 +0200 Subject: [PATCH 51/67] Update Kamaji v1.0.0 (#202) Signed-off-by: Andrei Kvapil --- .../system/kamaji/charts/kamaji/Chart.yaml | 4 +- .../system/kamaji/charts/kamaji/README.md | 6 +- .../kamaji/charts/kamaji/crds/datastore.yaml | 49 +- .../kamaji/crds/tenantcontrolplane.yaml | 1144 ++++++++++++----- .../charts/kamaji/templates/controller.yaml | 3 + .../charts/kamaji/templates/datastore.yaml | 5 + .../validatingwebhookconfiguration.yaml | 21 + .../system/kamaji/charts/kamaji/values.yaml | 12 +- packages/system/kamaji/values.yaml | 5 - 9 files changed, 887 insertions(+), 362 deletions(-) diff --git a/packages/system/kamaji/charts/kamaji/Chart.yaml b/packages/system/kamaji/charts/kamaji/Chart.yaml index d4980db4..854242ba 100644 --- a/packages/system/kamaji/charts/kamaji/Chart.yaml +++ b/packages/system/kamaji/charts/kamaji/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: Kamaji catalog.cattle.io/release-name: kamaji apiVersion: v2 -appVersion: v0.5.0 +appVersion: v1.0.0 description: Kamaji is the Hosted Control Plane Manager for Kubernetes. home: https://github.com/clastix/kamaji icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png @@ -21,4 +21,4 @@ name: kamaji sources: - https://github.com/clastix/kamaji type: application -version: 0.15.2 +version: 1.0.0 
diff --git a/packages/system/kamaji/charts/kamaji/README.md b/packages/system/kamaji/charts/kamaji/README.md index 6222e435..89a7d078 100644 --- a/packages/system/kamaji/charts/kamaji/README.md +++ b/packages/system/kamaji/charts/kamaji/README.md @@ -1,6 +1,6 @@ # kamaji -![Version: 0.15.2](https://img.shields.io/badge/Version-0.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.5.0](https://img.shields.io/badge/AppVersion-v0.5.0-informational?style=flat-square) +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square) Kamaji is the Hosted Control Plane Manager for Kubernetes. 
@@ -77,7 +77,7 @@ Here the values you can override: | datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). | | datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) | | datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. | -| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. | +| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. | | datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. | | datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | | datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | 
@@ -90,6 +90,7 @@ Here the values you can override: | datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | | datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | | datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.enabled | bool | `true` | | | etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) | | etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji | | etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image | @@ -133,6 +134,7 @@ Here the values you can override: | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `"kamaji-controller-manager"` | | | serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured | +| telemetry | object | `{"disabled":false}` | Disable the analytics traces collection | | temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. (default "/tmp/kamaji") | | tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate | diff --git a/packages/system/kamaji/charts/kamaji/crds/datastore.yaml b/packages/system/kamaji/charts/kamaji/crds/datastore.yaml index 0077a06e..97405495 100644 --- a/packages/system/kamaji/charts/kamaji/crds/datastore.yaml +++ b/packages/system/kamaji/charts/kamaji/crds/datastore.yaml 
@@ -71,10 +71,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -98,10 +100,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -118,6 +122,7 @@ spec: - etcd - MySQL - PostgreSQL + - NATS type: string endpoints: description: |- @@ -128,7 +133,9 @@ spec: minItems: 1 type: array tlsConfig: - description: Defines the TLS/SSL configuration required to connect to the data store in a secure way. + description: |- + Defines the TLS/SSL configuration required to connect to the data store in a secure way. + This value is optional. properties: certificateAuthority: description: |- @@ -152,10 +159,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath 
@@ -179,10 +188,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -193,7 +204,8 @@ spec: - certificate type: object clientCertificate: - description: Specifies the SSL/TLS key and private key pair used to connect to the data store. + description: Specifies the SSL/TLS key and private key pair used + to connect to the data store. properties: certificate: properties: @@ -212,10 +224,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -239,10 +253,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath 
@@ -255,18 +271,17 @@ spec: type: object required: - certificateAuthority - - clientCertificate type: object required: - driver - endpoints - - tlsConfig type: object status: description: DataStoreStatus defines the observed state of DataStore. properties: usedBy: - description: List of the Tenant Control Planes, namespaced named, using this data store. + description: List of the Tenant Control Planes, namespaced named, + using this data store. items: type: string type: array diff --git a/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml b/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml index 2af86342..b94dd328 100644 --- a/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml +++ b/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml @@ -55,7 +55,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: TenantControlPlane is the Schema for the tenantcontrolplanes API. + description: TenantControlPlane is the Schema for the tenantcontrolplanes + API. properties: apiVersion: description: |- @@ -97,7 +98,8 @@ spec: type: string type: object konnectivity: - description: Enables the Konnectivity addon in the Tenant Cluster, required if the worker nodes are in a different network. + description: Enables the Konnectivity addon in the Tenant Cluster, + required if the worker nodes are in a different network. properties: agent: default: 
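Review bot: The new DataStore schema removes `tlsConfig` from `spec.required` and `clientCertificate` from `tlsConfig.required`, so a DataStore can now be admitted that reaches etcd/MySQL/PostgreSQL (and the newly added `NATS` driver) with no TLS at all, or with server-side TLS but no client certificate, while the chart's own values documentation still describes the CA and client-certificate secrets as needed for the "mandatory SSL/TLS connection to the datastore". This is a vendored upstream CRD, so the invariant has to be kept on the consuming side: keep the chart's `datastore.tlsConfig.enabled` at its documented default of `true` (the change to `packages/system/kamaji/values.yaml` is in the diffstat but outside this view), and consider an admission policy that rejects DataStore objects lacking `spec.tlsConfig.clientCertificate` for production clusters. Whether `tlsConfig` is honoured for the `NATS` driver is not visible here and should be checked against the driver implementation.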
@@ -115,8 +117,53 @@ spec: type: array image: default: registry.k8s.io/kas-network-proxy/proxy-agent - description: AgentImage defines the container image for Konnectivity's agent. + description: AgentImage defines the container image for + Konnectivity's agent. type: string + tolerations: + default: + - key: CriticalAddonsOnly + operator: Exists + description: |- + Tolerations for the deployed agent. + Can be customized to start the konnectivity-agent even if the nodes are not ready or tainted. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array version: default: v0.0.32 description: Version for Konnectivity agent. @@ -139,14 +186,17 @@ spec: type: array image: default: registry.k8s.io/kas-network-proxy/proxy-server - description: Container image used by the Konnectivity server. + description: Container image used by the Konnectivity + server. type: string port: - description: The port which Konnectivity server is listening to. + description: The port which Konnectivity server is listening + to. format: int32 type: integer resources: - description: Resources define the amount of CPU and memory to allocate to the Konnectivity server. + description: Resources define the amount of CPU and memory + to allocate to the Konnectivity server. properties: claims: description: |- @@ -160,7 +210,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -202,7 +253,8 @@ spec: type: object version: default: v0.0.32 - description: Container image version of the Konnectivity server. + description: Container image version of the Konnectivity + server. type: string required: - port 
@@ -231,12 +283,15 @@ spec: such as the number of Pod replicas, the Service resource, or the Ingress. properties: deployment: - description: Defining the options for the deployed Tenant Control Plane as Deployment resource. + description: Defining the options for the deployed Tenant Control + Plane as Deployment resource. properties: additionalContainers: - description: AdditionalContainers allows adding additional containers to the Control Plane deployment. + description: AdditionalContainers allows adding additional + containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: description: |- @@ -271,10 +326,12 @@ spec: List of environment variables to set in the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: description: |- @@ -289,7 +346,8 @@ spec: Defaults to "". type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. @@ -304,7 +362,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - key 
@@ -316,10 +375,13 @@ spec: spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -331,13 +393,16 @@ spec: (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -348,10 +413,13 @@ spec: type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: description: |- @@ -360,7 +428,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - key 
@@ -383,7 +452,8 @@ spec: Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from @@ -395,12 +465,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from @@ -412,7 +484,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic @@ -462,7 +535,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -470,9 +544,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -489,7 +565,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: @@ -509,10 +586,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -525,7 +604,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -568,7 +648,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -576,9 +657,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -595,7 +678,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: 
@@ -615,10 +699,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -631,7 +717,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -676,10 +763,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -694,7 +783,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -702,9 +792,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -759,10 +851,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -814,7 +908,8 @@ spec: For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: description: |- @@ -823,7 +918,8 @@ spec: format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: description: |- @@ -882,10 +978,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -900,7 +998,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -908,9 +1007,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -965,10 +1066,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1007,7 +1110,8 @@ spec: resizePolicy: description: Resources resize policy for the container. items: - description: ContainerResizePolicy represents resource resize policy for the container. + description: ContainerResizePolicy represents resource + resize policy for the container. properties: resourceName: description: |- @@ -1043,7 +1147,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -1150,14 +1255,16 @@ spec: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic 
@@ -1219,16 +1326,20 @@ spec: Note that this field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: @@ -1272,7 +1383,8 @@ spec: GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: description: |- @@ -1322,10 +1434,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -1340,7 +1454,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -1348,9 +1463,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -1405,10 +1522,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1486,15 +1605,20 @@ spec: Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - devicePath 
@@ -1509,7 +1633,8 @@ spec: Pod volumes to mount into the container's filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. properties: mountPath: description: |- @@ -1588,9 +1713,11 @@ spec: type: object type: array additionalInitContainers: - description: AdditionalInitContainers allows adding additional init containers to the Control Plane deployment. + description: AdditionalInitContainers allows adding additional + init containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: description: |- @@ -1625,10 +1752,12 @@ spec: List of environment variables to set in the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: description: |- @@ -1643,7 +1772,8 @@ spec: Defaults to "". type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. @@ -1658,7 +1788,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - key 
@@ -1670,10 +1801,13 @@ spec: spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -1685,13 +1819,16 @@ spec: (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -1702,10 +1839,13 @@ spec: type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: description: |- @@ -1714,7 +1854,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - key 
@@ -1737,7 +1878,8 @@ spec: Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from @@ -1749,12 +1891,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from @@ -1766,7 +1910,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic @@ -1816,7 +1961,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -1824,9 +1970,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -1843,7 +1991,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: @@ -1863,10 +2012,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -1879,7 +2030,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1922,7 +2074,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -1930,9 +2083,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -1949,7 +2104,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: 
@@ -1969,10 +2125,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -1985,7 +2143,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2030,10 +2189,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2048,7 +2209,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -2056,9 +2218,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -2113,10 +2277,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2168,7 +2334,8 @@ spec: For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: description: |- @@ -2177,7 +2344,8 @@ spec: format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: description: |- @@ -2236,10 +2404,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2254,7 +2424,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -2262,9 +2433,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -2319,10 +2492,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2361,7 +2536,8 @@ spec: resizePolicy: description: Resources resize policy for the container. items: - description: ContainerResizePolicy represents resource resize policy for the container. + description: ContainerResizePolicy represents resource + resize policy for the container. properties: resourceName: description: |- @@ -2397,7 +2573,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -2504,14 +2681,16 @@ spec: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic 
@@ -2573,16 +2752,20 @@ spec: Note that this field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: @@ -2626,7 +2809,8 @@ spec: GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: description: |- @@ -2676,10 +2860,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2694,7 +2880,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -2702,9 +2889,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -2759,10 +2948,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2840,15 +3031,20 @@ spec: Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - devicePath 
@@ -2863,7 +3059,8 @@ spec: Pod volumes to mount into the container's filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. properties: mountPath: description: |- @@ -2942,7 +3139,9 @@ spec: type: object type: array additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: @@ -2960,7 +3159,8 @@ spec: properties: apiServer: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- @@ -3026,7 +3226,8 @@ spec: type: array controllerManager: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- @@ -3092,7 +3293,8 @@ spec: type: array scheduler: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- 
@@ -3158,9 +3360,11 @@ spec: type: array type: object additionalVolumes: - description: AdditionalVolumes allows to add additional volumes to the Control Plane deployment. + description: AdditionalVolumes allows to add additional volumes + to the Control Plane deployment. items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. properties: awsElasticBlockStore: description: |- @@ -3198,16 +3402,20 @@ spec: - volumeID type: object azureDisk: - description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. properties: cachingMode: - description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.' + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' type: string diskName: - description: diskName is the Name of the data disk in the blob storage + description: diskName is the Name of the data disk + in the blob storage type: string diskURI: - description: diskURI is the URI of data disk in the blob storage + description: diskURI is the URI of data disk in + the blob storage type: string fsType: description: |- @@ -3216,7 +3424,11 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: - description: 'kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' type: string readOnly: description: |- 
@@ -3228,7 +3440,8 @@ spec: - diskURI type: object azureFile: - description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. properties: readOnly: description: |- @@ -3236,7 +3449,8 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: secretName is the name of secret that contains Azure Storage Account Name and Key + description: secretName is the name of secret that + contains Azure Storage Account Name and Key type: string shareName: description: shareName is the azure share Name @@ -3246,7 +3460,8 @@ spec: - shareName type: object cephfs: - description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime properties: monitors: description: |- @@ -3257,7 +3472,9 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /' + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' type: string readOnly: description: |- @@ -3331,7 +3548,8 @@ spec: - volumeID type: object configMap: - description: configMap represents a configMap that should populate this volume + description: configMap represents a configMap that should + populate this volume properties: defaultMode: description: |- @@ -3354,7 +3572,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. 
@@ -3389,12 +3608,15 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap + or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic csi: - description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). properties: driver: description: |- @@ -3439,7 +3661,8 @@ spec: - driver type: object downwardAPI: - description: downwardAPI represents downward API about the pod that should populate this volume + description: downwardAPI represents downward API about + the pod that should populate this volume properties: defaultMode: description: |- 
@@ -3454,18 +3677,26 @@ spec: format: int32 type: integer items: - description: Items is a list of downward API volume file + description: Items is a list of downward API volume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -3482,7 +3713,11 @@ spec: format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' type: string resourceFieldRef: description: |- 
@@ -3490,13 +3725,16 @@ spec: (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -3635,10 +3873,12 @@ spec: For any other third-party types, APIGroup is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string required: - kind @@ -3678,10 +3918,12 @@ spec: For any other third-party types, APIGroup is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string namespace: description: |- 
@@ -3727,17 +3969,22 @@ spec: type: object type: object selector: - description: selector is a label query over volumes to consider for binding. + description: selector is a label query over + volumes to consider for binding. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -3796,7 +4043,8 @@ spec: Value of Filesystem is implied when not included in claim spec. type: string volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. + description: volumeName is the binding reference + to the PersistentVolume backing this claim. type: string type: object required: @@ -3804,7 +4052,9 @@ spec: type: object type: object fc: - description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. properties: fsType: description: |- @@ -3823,7 +4073,8 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array 
@@ -3843,7 +4094,8 @@ spec: provisioned/attached using an exec based plugin. properties: driver: - description: driver is the name of the driver to use for this volume. + description: driver is the name of the driver to + use for this volume. type: string fsType: description: |- @@ -3854,7 +4106,8 @@ spec: options: additionalProperties: type: string - description: 'options is Optional: this field holds extra command options if any.' + description: 'options is Optional: this field holds + extra command options if any.' type: object readOnly: description: |- @@ -3881,7 +4134,9 @@ spec: - driver type: object flocker: - description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running properties: datasetName: description: |- @@ -3889,7 +4144,8 @@ spec: should be considered as deprecated type: string datasetUUID: - description: datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset type: string type: object gcePersistentDisk: @@ -3947,7 +4203,8 @@ spec: description: repository is the URL type: string revision: - description: revision is the commit hash for the specified revision. + description: revision is the commit hash for the + specified revision. type: string required: - repository 
@@ -4010,10 +4267,12 @@ spec: More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: chapAuthSession defines whether support iSCSI Session CHAP authentication + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication type: boolean fsType: description: |- @@ -4055,7 +4314,8 @@ spec: Defaults to false. type: boolean secretRef: - description: secretRef is the CHAP Secret for iSCSI target and initiator authentication + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication properties: name: description: |- @@ -4126,7 +4386,9 @@ spec: - claimName type: object photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine properties: fsType: description: |- @@ -4135,13 +4397,15 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: - description: pdID is the ID that identifies Photon Controller persistent disk + description: pdID is the ID that identifies Photon + Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine properties: fsType: description: |- 
@@ -4155,13 +4419,15 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: volumeID uniquely identifies a Portworx volume + description: volumeID uniquely identifies a Portworx + volume type: string required: - volumeID type: object projected: - description: projected items for all in one resources secrets, configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: description: |- @@ -4176,7 +4442,8 @@ spec: sources: description: sources is the list of volume projections items: - description: Projection that may be projected along with other supported volume types + description: Projection that may be projected + along with other supported volume types properties: clusterTrustBundle: description: |- @@ -4205,14 +4472,18 @@ spec: everything". properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -4259,7 +4530,8 @@ spec: ClusterTrustBundles. type: boolean path: - description: Relative path from the volume root to write the bundle. + description: Relative path from the volume + root to write the bundle. type: string signerName: description: |- @@ -4271,7 +4543,8 @@ spec: - path type: object configMap: - description: configMap information about the configMap data to project + description: configMap information about the + configMap data to project properties: items: description: |- 
@@ -4283,7 +4556,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. @@ -4318,26 +4592,38 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether + the ConfigMap or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic downwardAPI: - description: downwardAPI information about the downwardAPI data to project + description: downwardAPI information about + the downwardAPI data to project properties: items: - description: Items is a list of DownwardAPIVolume file + description: Items is a list of DownwardAPIVolume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field + to select in the specified + API version. type: string required: - fieldPath 
@@ -4354,7 +4640,13 @@ spec: format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' type: string resourceFieldRef: description: |- @@ -4362,17 +4654,22 @@ spec: (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: + required for volumes, optional + for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output + format of the exposed resources, + defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' + description: 'Required: resource + to select' type: string required: - resource @@ -4385,7 +4682,8 @@ spec: x-kubernetes-list-type: atomic type: object secret: - description: secret information about the secret data to project + description: secret information about the + secret data to project properties: items: description: |- @@ -4397,7 +4695,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. 
@@ -4432,12 +4731,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional field specify whether the Secret or its key must be defined + description: optional field specify whether + the Secret or its key must be defined type: boolean type: object x-kubernetes-map-type: atomic serviceAccountToken: - description: serviceAccountToken is information about the serviceAccountToken data to project + description: serviceAccountToken is information + about the serviceAccountToken data to project properties: audience: description: |- @@ -4469,7 +4770,8 @@ spec: x-kubernetes-list-type: atomic type: object quobyte: - description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime properties: group: description: |- @@ -4498,7 +4800,8 @@ spec: Defaults to serivceaccount user type: string volume: - description: volume is a string that references an already created Quobyte volume by name. + description: volume is a string that references + an already created Quobyte volume by name. type: string required: - registry @@ -4574,7 +4877,8 @@ spec: - monitors type: object scaleIO: - description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. properties: fsType: description: |- @@ -4584,10 +4888,12 @@ spec: Default is "xfs". type: string gateway: - description: gateway is the host address of the ScaleIO API Gateway. + description: gateway is the host address of the + ScaleIO API Gateway. type: string protectionDomain: - description: protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. type: string readOnly: description: |- 
@@ -4608,7 +4914,8 @@ spec: type: object x-kubernetes-map-type: atomic sslEnabled: - description: sslEnabled Flag enable/disable SSL communication with Gateway, default false + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false type: boolean storageMode: description: |- @@ -4616,10 +4923,12 @@ spec: Default is ThinProvisioned. type: string storagePool: - description: storagePool is the ScaleIO Storage Pool associated with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: system is the name of the storage system as configured in ScaleIO. + description: system is the name of the storage system + as configured in ScaleIO. type: string volumeName: description: |- @@ -4657,7 +4966,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. @@ -4686,7 +4996,8 @@ spec: type: array x-kubernetes-list-type: atomic optional: - description: optional field specify whether the Secret or its keys must be defined + description: optional field specify whether the + Secret or its keys must be defined type: boolean secretName: description: |- @@ -4695,7 +5006,8 @@ spec: type: string type: object storageos: - description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. properties: fsType: description: |- 
@@ -4737,7 +5049,8 @@ spec: type: string type: object vsphereVolume: - description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine properties: fsType: description: |- @@ -4746,13 +5059,17 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. type: string storagePolicyName: - description: storagePolicyName is the storage Policy Based Management (SPBM) profile name. + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. type: string volumePath: - description: volumePath is the path that identifies vSphere volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath @@ -4767,7 +5084,8 @@ spec: More info: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ properties: nodeAffinity: - description: Describes node affinity scheduling rules for the pod. + description: Describes node affinity scheduling rules + for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- 
@@ -4786,17 +5104,20 @@ spec: (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated with the corresponding weight. + description: A node selector term, associated + with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4821,14 +5142,16 @@ spec: type: array x-kubernetes-list-type: atomic matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4855,7 +5178,9 @@ spec: type: object x-kubernetes-map-type: atomic weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. format: int32 type: integer required: 
@@ -4873,7 +5198,8 @@ spec: may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. + description: Required. A list of node selector + terms. The terms are ORed. items: description: |- A null or empty node selector term matches no objects. The requirements of @@ -4881,14 +5207,16 @@ spec: The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4913,14 +5241,16 @@ spec: type: array x-kubernetes-list-type: atomic matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4954,7 +5284,9 @@ spec: x-kubernetes-map-type: atomic type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- 
@@ -4968,10 +5300,13 @@ spec: "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: description: |- @@ -4979,14 +5314,18 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- 
@@ -5058,14 +5397,18 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -5155,14 +5498,17 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- @@ -5234,14 +5580,17 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- 
@@ -5299,7 +5648,9 @@ spec: x-kubernetes-list-type: atomic type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- @@ -5313,10 +5664,13 @@ spec: "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: description: |- @@ -5324,14 +5678,18 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- 
@@ -5403,14 +5761,18 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -5500,14 +5862,17 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- @@ -5579,14 +5944,17 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- 
@@ -5660,7 +6028,8 @@ spec: type: string type: array kine: - description: Available only if Kamaji is running using Kine as backing storage. + description: Available only if Kamaji is running using + Kine as backing storage. items: type: string type: array @@ -5677,6 +6046,20 @@ spec: Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object + podAdditionalMetadata: + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object registrySettings: default: apiServerImage: kube-apiserver @@ -5715,7 +6098,8 @@ spec: (kube-apiserver, controller-manager, and scheduler). properties: apiServer: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5729,7 +6113,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5770,7 +6155,8 @@ spec: type: object type: object controllerManager: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5784,7 +6170,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- 
@@ -5841,7 +6228,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5882,7 +6270,8 @@ spec: type: object type: object scheduler: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5896,7 +6285,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5945,6 +6335,11 @@ spec: empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class type: string + serviceAccountName: + default: default + description: ServiceAccountName allows to specify the service + account to be mounted to the pods of the Control plane deployment + type: string strategy: default: rollingUpdate: @@ -5998,7 +6393,8 @@ spec: x-kubernetes-int-or-string: true type: object type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. type: string type: object tolerations: @@ -6049,7 +6445,8 @@ spec: In case of nil underlying LabelSelector, the Kamaji one for the given Tenant Control Plane will be used. All topologySpreadConstraints are ANDed. items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. properties: labelSelector: description: |- 
@@ -6058,14 +6455,16 @@ spec: in their corresponding topology domain. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: description: |- @@ -6225,10 +6624,13 @@ spec: type: array type: object ingress: - description: Defining the options for an Optional Ingress which will expose API Server of the Tenant Control Plane + description: Defining the options for an Optional Ingress which + will expose API Server of the Tenant Control Plane properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: @@ -6248,10 +6650,13 @@ spec: type: string type: object service: - description: Defining the options for the Tenant Control Plane Service resource. + description: Defining the options for the Tenant Control Plane + Service resource. properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: 
@@ -6263,7 +6668,8 @@ spec: type: object type: object serviceType: - description: ServiceType allows specifying how to expose the Tenant Control Plane. + description: ServiceType allows specifying how to expose the + Tenant Control Plane. enum: - ClusterIP - NodePort @@ -6445,7 +6851,8 @@ spec: - enabled type: object konnectivity: - description: KonnectivityStatus defines the status of Konnectivity as Addon. + description: KonnectivityStatus defines the status of Konnectivity + as Addon. properties: agent: properties: @@ -6490,7 +6897,8 @@ spec: enabled: type: boolean kubeconfig: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the + generated kubeconfig. properties: checksum: type: string 
@@ -6512,12 +6920,24 @@ spec: type: string type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for + the Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the + field path .status.conditions. For example,\n\n\n\ttype + FooStatus struct{\n\t // Represents the observations + of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- 
@@ -6551,7 +6971,8 @@ spec: pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, + False, Unknown. enum: - "True" - "False" @@ -6631,7 +7052,9 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of + the service port of which status is + recorded here format: int32 type: integer protocol: @@ -6654,7 +7077,8 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running @@ -6719,10 +7143,12 @@ spec: type: string type: object etcd: - description: ETCDCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificatesStatus defines the observed state + of ETCD Certificate for API server. properties: apiServer: - description: APIServerCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: APIServerCertificatesStatus defines the observed + state of ETCD Certificate for API server. properties: checksum: type: string @@ -6733,7 +7159,8 @@ spec: type: string type: object ca: - description: ETCDCertificateStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificateStatus defines the observed state + of ETCD Certificate for API server. properties: checksum: type: string 
@@ -6779,13 +7206,16 @@ spec: type: object type: object controlPlaneEndpoint: - description: ControlPlaneEndpoint contains the status of the kubernetes control plane + description: ControlPlaneEndpoint contains the status of the kubernetes + control plane type: string kubeadmPhase: - description: KubeadmPhase contains the status of the kubeadm phases action + description: KubeadmPhase contains the status of the kubeadm phases + action properties: bootstrapToken: - description: KubeadmPhaseStatus contains the status of a kubeadm phase action. + description: KubeadmPhaseStatus contains the status of a kubeadm + phase action. properties: checksum: type: string @@ -6797,7 +7227,8 @@ spec: - bootstrapToken type: object kubeadmconfig: - description: KubeadmConfig contains the status of the configuration required by kubeadm + description: KubeadmConfig contains the status of the configuration + required by kubeadm properties: checksum: description: Checksum of the kubeadm configuration to detect changes @@ -6809,10 +7240,12 @@ spec: type: string type: object kubeconfig: - description: KubeConfig contains information about the kubenconfigs that control plane pieces need + description: KubeConfig contains information about the kubenconfigs + that control plane pieces need properties: admin: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -6823,7 +7256,8 @@ spec: type: string type: object controllerManager: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string 
@@ -6834,7 +7268,8 @@ spec: type: string type: object scheduler: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -6846,13 +7281,16 @@ spec: type: object type: object kubernetesResources: - description: Kubernetes contains information about the reconciliation of the required Kubernetes resources deployed in the admin cluster + description: Kubernetes contains information about the reconciliation + of the required Kubernetes resources deployed in the admin cluster properties: deployment: - description: KubernetesDeploymentStatus defines the status for the Tenant Control Plane Deployment in the management cluster. + description: KubernetesDeploymentStatus defines the status for + the Tenant Control Plane Deployment in the management cluster. properties: availableReplicas: - description: Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + description: Total number of available pods (ready for at + least minReadySeconds) targeted by this deployment. format: int32 type: integer collisionCount: @@ -6863,12 +7301,15 @@ spec: format: int32 type: integer conditions: - description: Represents the latest available observations of a deployment's current state. + description: Represents the latest available observations + of a deployment's current state. items: - description: DeploymentCondition describes the state of a deployment at a certain point. + description: DeploymentCondition describes the state of + a deployment at a certain point. properties: lastTransitionTime: - description: Last time the condition transitioned from one status to another. + description: Last time the condition transitioned from + one status to another. format: date-time type: string lastUpdateTime: 
@@ -6876,13 +7317,15 @@ spec: format: date-time type: string message: - description: A human readable message indicating details about the transition. + description: A human readable message indicating details + about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: - description: Status of the condition, one of True, False, Unknown. + description: Status of the condition, one of True, False, + Unknown. type: string type: description: Type of deployment condition. @@ -6903,22 +7346,26 @@ spec: description: The name of the Deployment for the given cluster. type: string namespace: - description: The namespace which the Deployment for the given cluster is deployed. + description: The namespace which the Deployment for the given + cluster is deployed. type: string observedGeneration: description: The generation observed by the deployment controller. format: int64 type: integer readyReplicas: - description: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + description: readyReplicas is the number of pods targeted + by this Deployment with a Ready Condition. format: int32 type: integer replicas: - description: Total number of non-terminated pods targeted by this deployment (their labels match the selector). + description: Total number of non-terminated pods targeted + by this deployment (their labels match the selector). format: int32 type: integer selector: - description: Selector is the label selector used to group the Tenant Control Plane Pods used by the scale subresource. + description: Selector is the label selector used to group + the Tenant Control Plane Pods used by the scale subresource. type: string unavailableReplicas: description: |- 
@@ -6928,7 +7375,8 @@ spec: format: int32 type: integer updatedReplicas: - description: Total number of non-terminated pods targeted by this deployment that have the desired template spec. + description: Total number of non-terminated pods targeted + by this deployment that have the desired template spec. format: int32 type: integer required: 
@@ -6937,26 +7385,34 @@ spec: - selector type: object ingress: - description: KubernetesIngressStatus defines the status for the Tenant Control Plane Ingress in the management cluster. + description: KubernetesIngressStatus defines the status for the + Tenant Control Plane Ingress in the management cluster. properties: loadBalancer: - description: loadBalancer contains the current status of the load-balancer. + description: loadBalancer contains the current status of the + load-balancer. properties: ingress: - description: ingress is a list containing ingress points for the load-balancer. + description: ingress is a list containing ingress points + for the load-balancer. items: - description: IngressLoadBalancerIngress represents the status of a load-balancer ingress point. + description: IngressLoadBalancerIngress represents the + status of a load-balancer ingress point. properties: hostname: - description: hostname is set for load-balancer ingress points that are DNS based. + description: hostname is set for load-balancer ingress + points that are DNS based. type: string ip: - description: ip is set for load-balancer ingress points that are IP based. + description: ip is set for load-balancer ingress + points that are IP based. type: string ports: - description: ports provides information about the ports exposed by this LoadBalancer. + description: ports provides information about the + ports exposed by this LoadBalancer. items: - description: IngressPortStatus represents the error condition of a service port + description: IngressPortStatus represents the + error condition of a service port properties: error: description: |- @@ -6972,7 +7428,8 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: port is the port number of the ingress port. + description: port is the port number of the + ingress port. format: int32 type: integer protocol: 
@@ -6995,19 +7452,32 @@ spec: description: The name of the Ingress for the given cluster. type: string namespace: - description: The namespace which the Ingress for the given cluster is deployed. + description: The namespace which the Ingress for the given + cluster is deployed. type: string required: - name - namespace type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for the + Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the field + path .status.conditions. 
For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- @@ -7041,7 +7511,8 @@ spec: pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, False, + Unknown. enum: - "True" - "False" @@ -7121,7 +7592,9 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of the + service port of which status is recorded + here format: int32 type: integer protocol: @@ -7144,7 +7617,8 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running 
@@ -7156,11 +7630,13 @@ spec: - port type: object version: - description: KubernetesVersion contains the information regarding the running Kubernetes version, and its upgrade status. + description: KubernetesVersion contains the information regarding + the running Kubernetes version, and its upgrade status. properties: status: default: Provisioning - description: Status returns the current status of the Kubernetes version, such as its provisioning state, or completed upgrade. + description: Status returns the current status of the Kubernetes + version, such as its provisioning state, or completed upgrade. enum: - Provisioning - CertificateAuthorityRotating @@ -7170,12 +7646,14 @@ spec: - NotReady type: string version: - description: Version is the running Kubernetes version of the Tenant Control Plane. + description: Version is the running Kubernetes version of + the Tenant Control Plane. type: string type: object type: object storage: - description: Storage Status contains information about Kubernetes storage system + description: Storage Status contains information about Kubernetes + storage system properties: certificate: properties: diff --git a/packages/system/kamaji/charts/kamaji/templates/controller.yaml b/packages/system/kamaji/charts/kamaji/templates/controller.yaml index 82ddd5cb..e1a73e67 100644 --- a/packages/system/kamaji/charts/kamaji/templates/controller.yaml +++ b/packages/system/kamaji/charts/kamaji/templates/controller.yaml @@ -34,6 +34,9 @@ spec: - --metrics-bind-address={{ .Values.metricsBindAddress }} - --tmp-directory={{ .Values.temporaryDirectoryPath }} - --datastore={{ include "datastore.fullname" . }} + {{- if .Values.telemetry.disabled }} + - --disable-telemetry + {{- end }} {{- if .Values.loggingDevel.enable }} - --zap-devel {{- end }} diff --git a/packages/system/kamaji/charts/kamaji/templates/datastore.yaml b/packages/system/kamaji/charts/kamaji/templates/datastore.yaml index b54ef99a..08631b98 100644 
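Review bot: The new `--disable-telemetry` argument is only rendered when `.Values.telemetry.disabled` is true, the chart default added in this same commit is `disabled: false`, and the platform wrapper `packages/system/kamaji/values.yaml` (also touched here) sets nothing under `kamaji.telemetry`, so the operator will start with analytics collection enabled by default. If outbound telemetry is not intended for this distribution, add `telemetry:` / `  disabled: true` under `kamaji:` in the wrapper values so the flag is actually passed. A one-line template comment above the `{{- if }}` naming what the flag opts out of would also help, since the values comment is currently the only description. The `args` list this hunk extends starts before the hunk.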
--- a/packages/system/kamaji/charts/kamaji/templates/datastore.yaml
+++ b/packages/system/kamaji/charts/kamaji/templates/datastore.yaml
@@ -20,9 +20,14 @@ spec:
 secretReference:
 {{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }}
 {{- end }}
+{{- if .Values.datastore.tlsConfig.enabled }}
 tlsConfig:
 certificateAuthority:
 {{- include "datastore.certificateAuthority" . | indent 6 }}
+
+ {{- if .Values.datastore.tlsConfig.clientCertificate }}
 clientCertificate:
 {{- include "datastore.clientCertificate" . | indent 6 }}
+ {{- end }}
+{{- end}}
 {{- end}}
diff --git a/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml b/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml
index d981e974..a347443f 100644
--- a/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml
+++ b/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml
@@ -8,6 +8,27 @@ metadata:
 {{- include "kamaji.labels" $data | nindent 4 }}
 name: kamaji-validating-webhook-configuration
 webhooks:
+ - admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "kamaji.webhookServiceName" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /telemetry
+ failurePolicy: Ignore
+ name: telemetry.kamaji.clastix.io
+ rules:
+ - apiGroups:
+ - kamaji.clastix.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - tenantcontrolplanes
+ sideEffects: None
 - admissionReviewVersions:
 - v1
 clientConfig:
diff --git a/packages/system/kamaji/charts/kamaji/values.yaml b/packages/system/kamaji/charts/kamaji/values.yaml
index 814f2aa9..03d4f635 100644
--- a/packages/system/kamaji/charts/kamaji/values.yaml
+++ b/packages/system/kamaji/charts/kamaji/values.yaml
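Review bot: The guard `{{- if .Values.datastore.tlsConfig.clientCertificate }}` tests a mapping, and Go templates treat a mapping as truthy whenever it has any keys, so if the chart's values ship `clientCertificate` with nested (possibly empty) fields — as the values hunk in this commit shows for the sibling `certificateAuthority` — the block renders unconditionally and `datastore.clientCertificate` is included with empty secret references. If the client certificate is meant to be optional, gate on a leaf value that is genuinely empty when unset, or on an explicit `enabled` flag like the one this commit adds for `tlsConfig`. The outer `{{- if .Values.datastore.tlsConfig.enabled }}` also means a DataStore rendered with `enabled: false` carries no `tlsConfig` at all, i.e. a plaintext connection to the datastore, which the chart's values comments still describe as mandatory TLS; a comment here such as `{{- /* enabled: false drops tlsConfig entirely: the datastore connection is then unencrypted */ -}}` would make that explicit. The `{{- if }}` closed by the final `{{- end}}` starts before this hunk.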
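Review bot: The `telemetry.kamaji.clastix.io` webhook entry is rendered unconditionally, so a release installed with `telemetry.disabled: true` (the flag this commit adds in controller.yaml) still registers an admission webhook that calls the operator's `/telemetry` path on every TenantControlPlane CREATE, UPDATE and DELETE; unless the handler itself becomes a no-op when the flag is set (not visible here), wrap the entry in `{{- if not .Values.telemetry.disabled }}` … `{{- end }}`. `failurePolicy: Ignore` and `sideEffects: None` are the right settings for a non-enforcing hook, since admission then cannot be blocked when the operator is unavailable. The `webhooks:` list continues past the end of this hunk.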
@@ -60,7 +60,7 @@ etcd: # -- The custom annotations to add to the PVC customAnnotations: {} # volumeType: local - + # -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods tolerations: [] @@ -162,7 +162,7 @@ loggingDevel: datastore: # -- (bool) Enable the Kamaji Datastore creation (default=true) enabled: true - # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. + # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. nameOverride: # -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). driver: etcd @@ -184,6 +184,7 @@ datastore: # -- The Secret key where the data is stored. keyPath: tlsConfig: + enabled: true certificateAuthority: certificate: # -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. @@ -218,4 +219,9 @@ datastore: cfssl: image: repository: cfssl/cfssl - tag: latest \ No newline at end of file + tag: latest + +# -- Disable the analytics traces collection +telemetry: + disabled: false + \ No newline at end of file diff --git a/packages/system/kamaji/values.yaml b/packages/system/kamaji/values.yaml index de677502..2ef13714 100644 --- a/packages/system/kamaji/values.yaml +++ b/packages/system/kamaji/values.yaml @@ -1,8 +1,3 @@ kamaji: etcd: deploy: false - - # Fix https://github.com/clastix/kamaji/pull/467 - image: - repository: ghcr.io/kvaps/test - tag: kamaji-v0.6.0-fix From 4972906e7a8c951fd3c86b936205cd3ff27575e7 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 8 Jul 2024 22:44:49 +0200 Subject: [PATCH 52/67] Update Cluster API and hardcode versions (#203) Signed-off-by: Andrei Kvapil 
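Review bot: The `@@ -218,4 +219,9 @@` hunk leaves values.yaml ending with a whitespace-only line and still without a trailing newline (the `+ ` line before `\ No newline at end of file`), which yamllint's trailing-spaces and new-line-at-end-of-file rules reject; drop the blank line and terminate `  disabled: false` with a newline. The helm-docs annotation `# -- Disable the analytics traces collection` sits above `telemetry:` rather than above the flag, so the generated parameter table would describe the map; move it to `  # -- (bool) Disable the analytics traces collection` directly above `  disabled: false`, matching the `(bool)` style used for `datastore.enabled`. In the `@@ -184,6 +184,7 @@` hunk the new `tlsConfig.enabled: true` makes TLS to the datastore optional, but the comment a few lines below still calls it "the mandatory SSL/TLS connection to the datastore"; reword it to say the connection is TLS-protected only when `tlsConfig.enabled` is true, and give the new `enabled` key its own `# -- (bool)` comment like every other key in this block.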
Signed-off-by: Andrei Kvapil --- .../charts/cluster-api-operator/Chart.lock | 6 - .../charts/cluster-api-operator/Chart.yaml | 9 +- .../crds/cert-manager.crds.yaml | 4482 ----- .../cluster-api-operator/templates/addon.yaml | 2 + .../templates/cert-manager.namespace.yaml | 8 - .../cluster-api-operator/templates/core.yaml | 10 + .../templates/deployment.yaml | 7 + .../templates/infra-conditions.yaml | 4 + .../cluster-api-operator/templates/infra.yaml | 17 +- .../templates/operator-components.yaml | 15462 +++++++++------- .../charts/cluster-api-operator/values.yaml | 11 +- .../capi-providers/templates/providers.yaml | 16 +- 12 files changed, 8892 insertions(+), 11142 deletions(-) delete mode 100644 packages/system/capi-operator/charts/cluster-api-operator/Chart.lock delete mode 100644 packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml delete mode 100644 packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml diff --git a/packages/system/capi-operator/charts/cluster-api-operator/Chart.lock b/packages/system/capi-operator/charts/cluster-api-operator/Chart.lock deleted file mode 100644 index 5d3381ff..00000000 --- a/packages/system/capi-operator/charts/cluster-api-operator/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: cert-manager - repository: https://charts.jetstack.io - version: v1.13.2 -digest: sha256:b92a86c20cdd8a5e44995e71addefd379fdf302410a7dde388623f0e06187406 -generated: "2024-01-16T12:59:42.630842426Z" diff --git a/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml b/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml index d505a05d..b9b994bb 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml 
@@ -1,11 +1,6 @@ apiVersion: v2 -appVersion: 0.8.1 -dependencies: -- condition: cert-manager.enabled - name: cert-manager - repository: https://charts.jetstack.io - version: v1.13.2 +appVersion: 0.11.0 description: Cluster API Operator name: cluster-api-operator type: application -version: 0.8.1 +version: 0.11.0 diff --git a/packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml b/packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml deleted file mode 100644 index 14c0726c..00000000 --- a/packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml +++ /dev/null 
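Review bot: Dropping the `cert-manager` dependency together with its `condition: cert-manager.enabled` means the chart no longer installs or gates cert-manager, yet nothing in Chart.yaml records that cert-manager is now an external prerequisite (presumably for the operator's webhook certificates); a user upgrading from 0.8.1 with `cert-manager.enabled` set will silently lose the bundled install. Add a comment above `description:` such as `# cert-manager is no longer bundled; it must be present in the cluster before this chart is installed`, or an `annotations:` entry, so the requirement is visible where the dependency used to be. Whether the platform provides cert-manager from another package is not visible in this hunk.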
@@ -1,4482 +0,0 @@ -# Copyright 2022 The cert-manager Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificaterequests.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. 
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specification of the desired state of the CertificateRequest resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - required: - - issuerRef - - request - properties: - duration: - description: Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. 
Populated by the cert-manager webhook on creation and immutable. - type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: "Requested basic constraints isCA value. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." - type: boolean - issuerRef: - description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: "The PEM-encoded X.509 certificate signing request to be submitted to the issuer for signing. \n If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest." 
- type: string - format: byte - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: "Requested key usages and extended key usages. \n NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. \n If unset, defaults to `digital signature` and `key encipherment`." - type: array - items: - description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: 'Status of the CertificateRequest. This is set and managed automatically. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - ca: - description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded X.509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`. - type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. 
- type: string - format: date-time - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificates.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specification of the desired state of the Certificate resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - required: - - issuerRef - - secretName - properties: - additionalOutputFormats: - description: "Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. \n This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components." - type: array - items: - description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. - type: object - required: - - type - properties: - type: - description: Type is the name of the format type that should be written to the Certificate's target Secret. - type: string - enum: - - DER - - CombinedPEM - commonName: - description: "Requested common name X509 certificate subject attribute. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 NOTE: TLS clients will ignore this value when any subject alternative name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). \n Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set." 
- type: string - dnsNames: - description: Requested DNS subject alternative names. - type: array - items: - type: string - duration: - description: "Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. \n If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." - type: string - emailAddresses: - description: Requested email subject alternative names. - type: array - items: - type: string - encodeUsagesInRequest: - description: "Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. \n This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions." - type: boolean - ipAddresses: - description: Requested IP address subject alternative names. - type: array - items: - type: string - isCA: - description: "Requested basic constraints isCA value. The isCA value is used to set the `isCA` field on the created CertificateRequest resources. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." - type: boolean - issuerRef: - description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. 
- type: string - keystores: - description: Additional keystore output formats to be stored in the Certificate's Secret. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. 
If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - literalSubject: - description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." - type: string - privateKey: - description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. - type: object - properties: - algorithm: - description: "Algorithm is the private key algorithm of the corresponding private key for this certificate. \n If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. 
If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm." - type: string - enum: - - RSA - - ECDSA - - Ed25519 - encoding: - description: "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified." - type: string - enum: - - PKCS1 - - PKCS8 - rotationPolicy: - description: "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. \n If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility." - type: string - enum: - - Never - - Always - size: - description: "Size is the key bit size of the corresponding private key for this certificate. \n If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed." - type: integer - renewBefore: - description: "How long before the currently issued certificate's expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. 
when there are 10 minutes remaining until the certificate is no longer valid). \n NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. \n If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." - type: string - revisionHistoryLimit: - description: "The maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. \n If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`." - type: integer - format: int32 - secretName: - description: Name of the Secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. The Secret resource lives in the same namespace as the Certificate resource. - type: string - secretTemplate: - description: Defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. 
- type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: "Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 \n The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set." - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. - type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - organizations: - description: Organizations to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uris: - description: Requested URI subject alternative names. - type: array - items: - type: string - usages: - description: "Requested key usages and extended key usages. These usages are used to set the `usages` field on the created CertificateRequest resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages will additionally be encoded in the `request` field which contains the CSR blob. \n If unset, defaults to `digital signature` and `key encipherment`." - type: array - items: - description: "KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: 'Status of the Certificate. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failedIssuanceAttempts: - description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). - type: integer - lastFailureTime: - description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. 
- type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in `spec.secretName` is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: challenges.acme.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: acme.cert-manager.io - names: - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. 
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. 
- type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 
- type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
- type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. 
If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. 
- type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - accessKeyIDSecretRef: - description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. 
This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. 
\n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. 
\n Support: Extended \n " - type: integer - format: int32 - maximum: 65535 - minimum: 1 - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
- type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - x-kubernetes-map-type: atomic - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. 
- type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
- type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". - type: string - enum: - - HTTP-01 - - DNS-01 - url: - description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: presented will be set to true if the challenge values for this challenge are currently 'presented'. 
This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: "cert-manager" - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - categories: - - cert-manager - scope: Cluster - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was 
created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. 
- type: string - format: byte - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. 
The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. 
In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. 
- type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - accessKeyIDSecretRef: - description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). 
\n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " - type: integer - format: int32 - maximum: 65535 - minimum: 1 - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. 
Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. 
Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. 
- type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. 
A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - x-kubernetes-map-type: atomic - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. 
- type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
- type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. 
If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceAccountRef: - description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. 
To use this field, you must configure an RBAC rule to let cert-manager request a token. - type: object - required: - - name - properties: - name: - description: Name of the ServiceAccount used to request a token. - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. - type: string - format: byte - caBundleSecretRef: - description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 
- type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
- type: object - properties: - lastPrivateKeyHash: - description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). 
- type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: issuers.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: "cert-manager" - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. - type: string - format: byte - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. 
Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. 
For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. 
- type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - accessKeyIDSecretRef: - description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). 
\n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " - type: integer - format: int32 - maximum: 65535 - minimum: 1 - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. 
Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. 
Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. 
- type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. 
A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - x-kubernetes-map-type: atomic - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. 
- type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
- type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. 
If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceAccountRef: - description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. 
To use this field, you must configure an RBAC rule to let cert-manager request a token. - type: object - required: - - name - properties: - name: - description: Name of the ServiceAccount used to request a token. - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. - type: string - format: byte - caBundleSecretRef: - description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 
- type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the Issuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
- type: object - properties: - lastPrivateKeyHash: - description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). 
- type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: orders.acme.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: acme.cert-manager.io - names: - kind: Order - listKind: OrderList - plural: orders - singular: order - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - issuerRef - - request - properties: - commonName: - description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - duration: - description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 
- type: string - format: byte - status: - type: object - properties: - authorizations: - description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. - type: array - items: - description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. - type: object - required: - - url - properties: - challenges: - description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. - type: object - required: - - token - - type - - url - properties: - token: - description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. - type: string - identifier: - description: Identifier is the DNS name to be validated as part of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. 
If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL is the URL of the Authorization that must be completed - type: string - wildcard: - description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the resource is first created. 
The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. - type: string - served: true - storage: true
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
index a4acb740..9095368c 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
@@ -28,6 +28,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
name: {{ $addonNamespace }}
---
apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -38,6 +39,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
{{- if or $addonVersion $.Values.secretName }}
spec:
{{- end}}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml
deleted file mode 100644
index 4a5fc8d3..00000000
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{- if index .Values "cert-manager" "enabled" }}
-apiVersion: v1
-kind: Namespace
-metadata:
- annotations:
- "helm.sh/hook": "pre-install"
- name: {{ index .Values "cert-manager" "namespace" }}
-{{- end }}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
index 260efb59..013a2ef0 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
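Review bot: The `"argocd.argoproj.io/sync-wave"` value added under each `annotations:` block is a hand-copied duplicate of the `"helm.sh/hook-weight"` on the line above it, and the same pair is repeated in core.yaml, infra-conditions.yaml and infra.yaml in this commit; nothing ties the two numbers together, so a later edit to one weight can silently desynchronise Helm ordering from Argo CD ordering. A small named template that takes the weight once and emits both lines, `"helm.sh/hook-weight": {{ . | quote }}` and `"argocd.argoproj.io/sync-wave": {{ . | quote }}`, would keep them in lockstep and shrink each of these hunks to a single `include`. If the intent is that Argo CD should run these as PostSync hooks in the same order Helm does, a one-line comment above the first occurrence saying so would help the next reader, since the two annotation namespaces are otherwise unrelated.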
@@ -37,12 +37,22 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "2" + "argocd.argoproj.io/sync-wave": "2" {{- if or $coreVersion $.Values.configSecret.name }} spec: {{- end}} {{- if $coreVersion }} version: {{ $coreVersion }} {{- end }} +{{- if $.Values.manager }} + manager: +{{- if and $.Values.manager.featureGates $.Values.manager.featureGates.core }} + featureGates: + {{- range $key, $value := $.Values.manager.featureGates.core }} + {{ $key }}: {{ $value }} + {{- end }} +{{- end }} +{{- end }} {{- if $.Values.configSecret.name }} configSecret: name: {{ $.Values.configSecret.name }} diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml index 806d0b1c..0b4c0916 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml @@ -95,10 +95,17 @@ spec: - containerPort: 9443 name: webhook-server protocol: TCP + - containerPort: {{ ( split ":" $.Values.metricsBindAddr)._1 | int }} + name: metrics + protocol: TCP {{- with .Values.resources.manager }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.env.manager }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.containerSecurityContext.manager }} securityContext: {{- toYaml . | nindent 12 }} diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml index 2d1e8cca..3c3a8a75 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml 
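Review bot: The new `manager:` block in core.yaml is emitted whenever `$.Values.manager` is set, but the `spec:` line above it is still gated on `{{- if or $coreVersion $.Values.configSecret.name }}`, so a values file that sets only `manager.featureGates.core` renders `manager:` with no `spec:` parent and produces an invalid CoreProvider object. The infra.yaml hunk in this same commit already widens its guard; core.yaml should match it: `{{- if or $coreVersion $.Values.configSecret.name $.Values.manager }}`. Note also that when `manager` is set but `featureGates.core` is absent the block renders as `manager: null`, which is presumably tolerated by the operator API but is worth a comment in the template.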
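Review bot: The metrics port in deployment.yaml is computed as `(split ":" $.Values.metricsBindAddr)._1 | int`, which assumes the value contains exactly one colon; a bare port such as `8080` leaves `_1` undefined and `| int` renders `containerPort: 0`, which the API server rejects, and a bracketed IPv6 listen address puts the port in a later field. Taking the last colon-separated field handles all three forms: `- containerPort: {{ splitList ":" $.Values.metricsBindAddr | last | int }}`. The container args that pass the bind address to the manager are outside this hunk, so whether the two stay in sync cannot be checked here. For the new `env` block rendered from `.Values.env.manager`, a short comment in values.yaml reminding users to reference secrets via `valueFrom.secretKeyRef` rather than literal values would help, since the list is copied verbatim into the pod spec.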
@@ -9,6 +9,7 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "1" + "argocd.argoproj.io/sync-wave": "1" name: capi-kubeadm-bootstrap-system --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 @@ -19,6 +20,7 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "2" + "argocd.argoproj.io/sync-wave": "2" {{- with .Values.configSecret }} spec: configSecret: @@ -37,6 +39,7 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "1" + "argocd.argoproj.io/sync-wave": "1" name: capi-kubeadm-control-plane-system --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 @@ -47,6 +50,7 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "2" + "argocd.argoproj.io/sync-wave": "2" {{- with .Values.configSecret }} spec: configSecret: diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml index e2f8b24b..2a4488c2 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml @@ -28,6 +28,7 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "1" + "argocd.argoproj.io/sync-wave": "1" name: {{ $infrastructureNamespace }} --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 
@@ -38,12 +39,26 @@ metadata: annotations: "helm.sh/hook": "post-install" "helm.sh/hook-weight": "2" -{{- if or $infrastructureVersion $.Values.configSecret.name }} + "argocd.argoproj.io/sync-wave": "2" +{{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager }} spec: {{- end }} {{- if $infrastructureVersion }} version: {{ $infrastructureVersion }} {{- end }} +{{- if $.Values.manager }} + manager: +{{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }} +{{- range $key, $value := $.Values.manager.featureGates }} + {{- if eq $key $infrastructureName }} + featureGates: + {{- range $k, $v := $value }} + {{ $k }}: {{ $v }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} {{- if $.Values.configSecret.name }} configSecret: name: {{ $.Values.configSecret.name }} diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml index 0e3aaf98..03b1cec6 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml @@ -3,7 +3,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: addonproviders.operator.cluster.x-k8s.io @@ -25,6 +26,8 @@ spec: kind: AddonProvider listKind: AddonProviderList plural: addonproviders + shortNames: + - caap singular: addonprovider scope: Namespaced versions: 
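Review bot: The featureGates lookup in infra.yaml ranges over every key of `$.Values.manager.featureGates` and compares each against `$infrastructureName`, even though the enclosing `hasKey` guard already proves the key exists; `index` fetches the provider's map directly and removes two nesting levels. As in core.yaml, `manager:` is still emitted as `manager: null` when the provider has no gates configured, which presumably the operator accepts but deserves a template comment. The `{{ $k }}: {{ $v }}` lines render the gate values unquoted, which is correct only if users supply booleans; a comment in values.yaml saying so would prevent a quoted `"true"` from being rejected by the API.
```yaml
{{- if $.Values.manager }}
  manager:
{{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }}
    featureGates:
    {{- range $k, $v := index $.Values.manager.featureGates $infrastructureName }}
      {{ $k }}: {{ $v }}
    {{- end }}
{{- end }}
{{- end }}
# … unchanged: configSecret block …
```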
@@ -41,14 +44,19 @@ spec: description: AddonProvider is the Schema for the addonproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,12 +64,11 @@ spec: description: AddonProviderSpec defines the desired state of AddonProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -73,14 +80,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -103,22 +110,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -128,32 +133,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -166,32 +165,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -213,53 +206,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -272,32 +258,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -320,18 +300,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -342,38 +320,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -385,53 +359,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -443,42 +439,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -487,55 +478,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -548,51 +535,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -605,33 +615,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -644,18 +650,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -666,38 +670,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -709,53 +709,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -767,42 +789,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -811,55 +828,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -872,51 +885,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -929,33 +965,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -966,19 +998,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -999,17 +1032,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -1022,10 +1054,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -1036,11 +1068,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -1055,11 +1085,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -1089,10 +1117,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -1117,19 +1145,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -1146,8 +1179,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -1156,11 +1190,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -1170,12 +1204,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -1183,10 +1220,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -1199,83 +1236,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1287,19 +1323,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -1307,36 +1343,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -1345,26 +1387,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -1374,47 +1416,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -1426,37 +1473,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -1464,28 +1514,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -1503,37 +1556,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -1542,8 +1595,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -1566,7 +1620,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: bootstrapproviders.operator.cluster.x-k8s.io @@ -1588,6 +1643,8 @@ spec: kind: BootstrapProvider listKind: BootstrapProviderList plural: bootstrapproviders + shortNames: + - cabp singular: bootstrapprovider scope: Namespaced versions: 
@@ -1598,20 +1655,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: BootstrapProvider is the Schema for the bootstrapproviders API. + description: |- + BootstrapProvider is the Schema for the bootstrapproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1619,12 +1686,11 @@ spec: description: BootstrapProviderSpec defines the desired state of BootstrapProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -1647,22 +1713,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -1672,32 +1736,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1710,32 +1768,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1757,53 +1809,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1816,32 +1861,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1864,18 +1903,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -1886,38 +1923,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1929,53 +1962,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1987,42 +2042,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -2031,55 +2081,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2092,51 +2138,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2149,33 +2218,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -2188,18 +2253,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -2210,38 +2273,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2253,53 +2312,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2311,42 +2392,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -2355,55 +2431,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2416,51 +2488,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2473,33 +2568,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -2510,19 +2601,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -2543,17 +2635,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -2566,10 +2657,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -2580,11 +2671,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -2599,11 +2688,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -2633,10 +2720,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -2672,19 +2759,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -2701,8 +2793,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -2711,11 +2804,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -2725,12 +2818,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -2738,10 +2834,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -2754,83 +2850,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2842,19 +2937,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -2862,36 +2957,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -2900,26 +3001,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -2929,47 +3030,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -2981,37 +3087,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -3019,35 +3128,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -3063,37 +3175,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -3102,8 +3214,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -3133,14 +3246,19 @@ spec: description: BootstrapProvider is the Schema for the bootstrapproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3148,12 +3266,11 @@ spec: description: BootstrapProviderSpec defines the desired state of BootstrapProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -3165,14 +3282,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -3195,22 +3312,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -3220,32 +3335,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3258,32 +3367,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3305,53 +3408,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3364,32 +3460,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3412,18 +3502,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -3434,38 +3522,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3477,53 +3561,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3535,42 +3641,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -3579,55 +3680,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -3640,51 +3737,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -3697,33 +3817,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -3736,18 +3852,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -3758,38 +3872,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3801,53 +3911,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3859,42 +3991,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -3903,55 +4030,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -3964,51 +4087,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -4021,33 +4167,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -4058,19 +4200,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -4091,17 +4234,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -4114,10 +4256,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -4128,11 +4270,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -4147,11 +4287,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -4181,10 +4319,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -4209,19 +4347,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -4238,8 +4381,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -4248,11 +4392,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -4262,12 +4406,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -4275,10 +4422,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -4291,83 +4438,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4379,19 +4525,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -4399,36 +4545,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -4437,26 +4589,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -4466,47 +4618,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -4518,37 +4675,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -4556,28 +4716,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -4595,37 +4758,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -4634,8 +4797,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -4658,7 +4822,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: controlplaneproviders.operator.cluster.x-k8s.io @@ -4680,6 +4845,8 @@ spec: kind: ControlPlaneProvider listKind: ControlPlaneProviderList plural: controlplaneproviders + shortNames: + - cacpp singular: controlplaneprovider scope: Namespaced versions: 
@@ -4690,21 +4857,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: ControlPlaneProvider is the Schema for the controlplaneproviders - API. + description: |- + ControlPlaneProvider is the Schema for the controlplaneproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4712,12 +4888,11 @@ spec: description: ControlPlaneProviderSpec defines the desired state of ControlPlaneProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -4740,22 +4915,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -4765,32 +4938,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4803,32 +4970,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4850,53 +5011,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4909,32 +5063,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4957,18 +5105,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -4979,38 +5125,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5022,53 +5164,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5080,42 +5244,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -5124,55 +5283,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5185,51 +5340,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5242,33 +5420,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -5281,18 +5455,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -5303,38 +5475,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5346,53 +5514,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5404,42 +5594,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -5448,55 +5633,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5509,51 +5690,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5566,33 +5770,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -5603,19 +5803,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -5636,17 +5837,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -5659,10 +5859,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -5673,11 +5873,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -5692,11 +5890,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -5726,10 +5922,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -5765,19 +5961,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -5794,8 +5995,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -5804,11 +6006,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -5818,12 +6020,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -5831,10 +6036,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -5847,83 +6052,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5935,19 +6139,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -5955,36 +6159,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -5993,26 +6203,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -6022,47 +6232,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -6074,37 +6289,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -6112,35 +6330,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -6157,37 +6378,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -6196,8 +6417,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -6228,14 +6450,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6243,12 +6470,11 @@ spec: description: ControlPlaneProviderSpec defines the desired state of ControlPlaneProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -6260,14 +6486,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -6290,22 +6516,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -6315,32 +6539,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6353,32 +6571,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6400,53 +6612,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6459,32 +6664,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6507,18 +6706,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -6529,38 +6726,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6572,53 +6765,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6630,42 +6845,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -6674,55 +6884,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6735,51 +6941,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6792,33 +7021,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -6831,18 +7056,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -6853,38 +7076,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6896,53 +7115,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6954,42 +7195,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -6998,55 +7234,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7059,51 +7291,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7116,33 +7371,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -7153,19 +7404,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -7186,17 +7438,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -7209,10 +7460,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -7223,11 +7474,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -7242,11 +7491,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -7276,10 +7523,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -7304,19 +7551,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -7333,8 +7585,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -7343,11 +7596,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -7357,12 +7610,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -7370,10 +7626,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -7386,83 +7642,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7474,19 +7729,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -7494,36 +7749,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -7532,26 +7793,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -7561,47 +7822,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -7613,37 +7879,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -7651,28 +7920,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -7691,37 +7963,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -7730,8 +8002,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -7754,7 +8027,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: coreproviders.operator.cluster.x-k8s.io @@ -7776,6 +8050,8 @@ spec: kind: CoreProvider listKind: CoreProviderList plural: coreproviders + shortNames: + - cacp singular: coreprovider scope: Namespaced versions: 
@@ -7786,20 +8062,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: CoreProvider is the Schema for the coreproviders API. + description: |- + CoreProvider is the Schema for the coreproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -7807,12 +8093,11 @@ spec: description: CoreProviderSpec defines the desired state of CoreProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -7835,22 +8120,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -7860,32 +8143,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -7898,32 +8175,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -7945,53 +8216,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -8004,32 +8268,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -8052,18 +8310,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -8074,38 +8330,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8117,53 +8369,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8175,42 +8449,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -8219,55 +8488,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8280,51 +8545,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8337,33 +8625,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -8376,18 +8660,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -8398,38 +8680,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8441,53 +8719,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8499,42 +8799,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -8543,55 +8838,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8604,51 +8895,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8661,33 +8975,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -8698,19 +9008,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -8731,17 +9042,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -8754,10 +9064,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -8768,11 +9078,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -8787,11 +9095,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -8821,10 +9127,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -8860,19 +9166,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -8889,8 +9200,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -8899,11 +9211,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -8913,12 +9225,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -8926,10 +9241,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -8942,83 +9257,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9030,19 +9344,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -9050,36 +9364,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -9088,26 +9408,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -9117,47 +9437,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -9169,37 +9494,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -9207,35 +9535,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -9251,37 +9582,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -9290,8 +9621,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -9321,14 +9653,19 @@ spec: description: CoreProvider is the Schema for the coreproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -9336,12 +9673,11 @@ spec: description: CoreProviderSpec defines the desired state of CoreProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -9353,14 +9689,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -9383,22 +9719,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -9408,32 +9742,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9446,32 +9774,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9493,53 +9815,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9552,32 +9867,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9600,18 +9909,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -9622,38 +9929,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9665,53 +9968,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9723,42 +10048,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -9767,55 +10087,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9828,51 +10144,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9885,33 +10224,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -9924,18 +10259,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -9946,38 +10279,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9989,53 +10318,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10047,42 +10398,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -10091,55 +10437,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10152,51 +10494,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10209,33 +10574,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -10246,19 +10607,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -10279,17 +10641,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -10302,10 +10663,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -10316,11 +10677,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -10335,11 +10694,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -10369,10 +10726,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -10397,19 +10754,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -10426,8 +10788,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -10436,11 +10799,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -10450,12 +10813,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -10463,10 +10829,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -10479,83 +10845,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10567,19 +10932,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -10587,36 +10952,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -10625,26 +10996,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -10654,47 +11025,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -10706,37 +11082,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -10744,28 +11123,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -10783,37 +11165,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -10822,8 +11204,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -10846,7 +11229,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: infrastructureproviders.operator.cluster.x-k8s.io @@ -10868,6 +11252,8 @@ spec: kind: InfrastructureProvider listKind: InfrastructureProviderList plural: infrastructureproviders + shortNames: + - caip singular: infrastructureprovider scope: Namespaced versions: 
@@ -10878,21 +11264,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: InfrastructureProvider is the Schema for the infrastructureproviders - API. + description: |- + InfrastructureProvider is the Schema for the infrastructureproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -10900,12 +11295,11 @@ spec: description: InfrastructureProviderSpec defines the desired state of InfrastructureProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -10928,22 +11322,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -10953,32 +11345,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -10991,32 +11377,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -11038,53 +11418,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -11097,32 +11470,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -11145,18 +11512,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -11167,38 +11532,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11210,53 +11571,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11268,42 +11651,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -11312,55 +11690,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11373,51 +11747,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11430,33 +11827,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -11469,18 +11862,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -11491,38 +11882,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11534,53 +11921,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11592,42 +12001,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -11636,55 +12040,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11697,51 +12097,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11754,33 +12177,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -11791,19 +12210,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -11824,17 +12244,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -11847,10 +12266,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -11861,11 +12280,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -11880,11 +12297,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -11914,10 +12329,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -11953,19 +12368,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -11982,8 +12402,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -11992,11 +12413,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -12006,12 +12427,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -12019,10 +12443,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -12035,83 +12459,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -12123,19 +12546,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -12143,36 +12566,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -12181,26 +12610,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -12210,47 +12639,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -12262,37 +12696,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -12300,35 +12737,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -12345,37 +12785,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -12384,8 +12824,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -12416,14 +12857,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -12431,12 +12877,11 @@ spec: description: InfrastructureProviderSpec defines the desired state of InfrastructureProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -12448,14 +12893,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -12478,22 +12923,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -12503,32 +12946,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12541,32 +12978,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12588,53 +13019,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12647,32 +13071,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12695,18 +13113,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -12717,38 +13133,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -12760,53 +13172,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -12818,42 +13252,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -12862,55 +13291,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12923,51 +13348,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12980,33 +13428,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -13019,18 +13463,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -13041,38 +13483,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13084,53 +13522,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13142,42 +13602,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -13186,55 +13641,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13247,51 +13698,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13304,33 +13778,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -13341,19 +13811,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -13374,17 +13845,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -13397,10 +13867,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -13411,11 +13881,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -13430,11 +13898,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -13464,10 +13930,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -13492,19 +13958,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -13521,8 +13992,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -13531,11 +14003,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -13545,12 +14017,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -13558,10 +14033,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -13574,83 +14049,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13662,19 +14136,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -13682,36 +14156,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -13720,26 +14200,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -13749,47 +14229,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -13801,37 +14286,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -13839,28 +14327,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -13879,37 +14370,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -13918,8 +14409,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -13942,7 +14434,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: ipamproviders.operator.cluster.x-k8s.io @@ -13964,6 +14457,8 @@ spec: kind: IPAMProvider listKind: IPAMProviderList plural: ipamproviders + shortNames: + - caipamp singular: ipamprovider scope: Namespaced versions: 
@@ -13980,14 +14475,19 @@ spec: description: IPAMProvider is the Schema for the IPAMProviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -13995,12 +14495,11 @@ spec: description: IPAMProviderSpec defines the desired state of IPAMProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -14012,14 +14511,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -14042,22 +14541,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -14067,32 +14564,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14105,32 +14596,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14152,53 +14637,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14211,32 +14689,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14259,18 +14731,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -14281,38 +14751,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14324,53 +14790,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14382,42 +14870,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -14426,55 +14909,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14487,51 +14966,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14544,33 +15046,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -14583,18 +15081,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -14605,38 +15101,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14648,53 +15140,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14706,42 +15220,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -14750,55 +15259,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14811,51 +15316,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14868,33 +15396,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -14905,19 +15429,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -14938,17 +15463,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -14961,10 +15485,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -14975,11 +15499,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -14994,11 +15516,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -15028,10 +15548,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -15056,19 +15576,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -15085,8 +15610,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -15095,11 +15621,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -15109,12 +15635,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -15122,10 +15651,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -15138,83 +15667,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -15226,19 +15754,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -15246,36 +15774,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -15284,26 +15818,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -15313,47 +15847,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -15365,37 +15904,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -15403,28 +15945,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -15442,37 +15987,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime 
@@ -15481,8 +16026,1629 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. + type: string + installedVersion: + description: InstalledVersion is the version of the provider that + is installed. + type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep + labels: + clusterctl.cluster.x-k8s.io/core: capi-operator + name: runtimeextensionproviders.operator.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: capi-operator-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1alpha1 + group: operator.cluster.x-k8s.io + names: + kind: RuntimeExtensionProvider + listKind: RuntimeExtensionProviderList + plural: runtimeextensionproviders + shortNames: + - carep + singular: runtimeextensionprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.installedVersion + name: InstalledVersion + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: RuntimeExtensionProvider is the Schema for the RuntimeExtensionProviders + API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RuntimeExtensionProviderSpec defines the desired state of + RuntimeExtensionProvider. + properties: + additionalManifests: + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. + properties: + name: + description: Name defines the name of the configmap. + type: string + namespace: + description: Namespace defines the namespace of the configmap. + type: string + required: + - name + type: object + configSecret: + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. 
+ The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. + properties: + name: + description: Name defines the name of the secret. + type: string + namespace: + description: Namespace defines the namespace of the secret. + type: string + required: + - name + type: object + deployment: + description: Deployment defines the properties that can be enabled + on the deployment for the provider. + properties: + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. 
+ items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + description: List of containers specified in the Deployment + items: + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. + properties: + args: + additionalProperties: + type: string + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. 
+ Explicit controller manager properties defined in the `Provider.ManagerSpec` + will have higher precedence than those defined in `ContainerSpec.Args`. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. + The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. + type: object + command: + description: Command allows override container's entrypoint + array. + items: + type: string + type: array + env: + description: List of environment variables to set in the + container. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + imageUrl: + description: Container Image URL + type: string + name: + description: Name of the container. Cannot be updated. + type: string + resources: + description: Compute resources required by this container. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + required: + - name + type: object + type: array + imagePullSecrets: + description: List of image pull secrets specified in the Deployment + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + replicas: + description: Number of desired pods. This is a pointer to distinguish + between explicit zero and not specified. Defaults to 1. + minimum: 0 + type: integer + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. 
Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + fetchConfig: + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + properties: + selector: + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. 
The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + url: + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. + type: string + type: object + manager: + description: Manager defines the properties that can be enabled on + the controller manager for the provider. + properties: + cacheNamespace: + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). 
For namespaced resources the cache + will only hold objects from the desired namespace. + type: string + controller: + description: |- + Controller contains global configuration options for controllers + registered within this manager. + properties: + cacheSyncTimeout: + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. + format: int64 + type: integer + groupKindConcurrency: + additionalProperties: + type: integer + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. + type: object + recoverPanic: + description: RecoverPanic indicates if panics should be recovered. + type: boolean + type: object + featureGates: + additionalProperties: + type: boolean + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. + type: object + gracefulShutDown: + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. 
+ type: string + health: + description: Health contains the controller health configuration + properties: + healthProbeBindAddress: + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. + type: string + livenessEndpointName: + description: LivenessEndpointName, defaults to "healthz" + type: string + readinessEndpointName: + description: ReadinessEndpointName, defaults to "readyz" + type: string + type: object + leaderElection: + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election + properties: + leaderElect: + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. + type: boolean + leaseDuration: + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is + enabled. + type: string + renewDeadline: + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. This is only applicable if leader + election is enabled. + type: string + resourceLock: + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. + type: string + resourceName: + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. 
+ type: string + resourceNamespace: + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. + type: string + retryPeriod: + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. + type: string + required: + - leaderElect + - leaseDuration + - renewDeadline + - resourceLock + - resourceName + - resourceNamespace + - retryPeriod + type: object + maxConcurrentReconciles: + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. + minimum: 1 + type: integer + metrics: + description: Metrics contains thw controller metrics configuration + properties: + bindAddress: + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. + type: string + type: object + profilerAddress: + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. + type: string + syncPeriod: + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. + type: string + verbosity: + default: 1 + description: |- + Verbosity set the logs verbosity. Defaults to 1. + Controller Manager flag is --verbosity. 
+ minimum: 0 + type: integer + webhook: + description: Webhook contains the controllers webhook configuration + properties: + certDir: + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. + type: string + host: + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. + type: string + port: + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. + type: integer + type: object + type: object + manifestPatches: + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. + This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + items: + type: string + type: array + version: + description: Version indicates the provider version. + type: string + type: object + status: + description: RuntimeExtensionProviderStatus defines the observed state + of RuntimeExtensionProvider. + properties: + conditions: + description: Conditions define the current service state of the provider. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + A human readable message indicating details about the transition. + This field may be empty. + type: string + reason: + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. + type: string + severity: + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + contract: + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -15774,6 +17940,28 @@ webhooks: resources: - ipamproviders sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capi-operator-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /mutate-operator-cluster-x-k8s-io-v1alpha2-runtimeextensionprovider + failurePolicy: Fail + matchPolicy: Equivalent + name: vruntimeextensionprovider.kb.io + rules: + - apiGroups: + - operator.cluster.x-k8s.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - runtimeextensionproviders + sideEffects: None --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -15916,3 +18104,25 @@ webhooks: resources: - ipamproviders sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: capi-operator-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /validate-operator-cluster-x-k8s-io-v1alpha2-runtimeextensionprovider + failurePolicy: Fail + matchPolicy: Equivalent + name: vruntimeextensionprovider.kb.io + rules: + - apiGroups: + - operator.cluster.x-k8s.io + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - runtimeextensionproviders + sideEffects: None diff --git a/packages/system/capi-operator/charts/cluster-api-operator/values.yaml b/packages/system/capi-operator/charts/cluster-api-operator/values.yaml index 7575c8bd..212ee2ad 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/values.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/values.yaml @@ -1,10 +1,4 @@ --- -# Cert Manager options -# Full list of supported values is available at https://artifacthub.io/packages/helm/cert-manager/cert-manager -cert-manager: - enabled: false - fullnameOverride: "cert-manager" - namespace: "cert-manager" # --- # Cluster API provider options core: "" 
@@ -12,6 +6,7 @@ bootstrap: "" controlPlane: "" infrastructure: "" addon: "" +manager.featureGates: {} # --- # Common configuration secret options configSecret: {} @@ -24,8 +19,10 @@ leaderElection: image: manager: repository: registry.k8s.io/capi-operator/cluster-api-operator - tag: v0.8.1 + tag: v0.11.0 pullPolicy: IfNotPresent +env: + manager: [] healthAddr: ":8081" metricsBindAddr: "127.0.0.1:8080" diagnosticsAddress: "8443" diff --git a/packages/system/capi-providers/templates/providers.yaml b/packages/system/capi-providers/templates/providers.yaml index 3ea90d6d..d3416c1e 100644 --- a/packages/system/capi-providers/templates/providers.yaml +++ b/packages/system/capi-providers/templates/providers.yaml @@ -3,24 +3,30 @@ apiVersion: operator.cluster.x-k8s.io/v1alpha2 kind: CoreProvider metadata: name: cluster-api +spec: + # https://github.com/kubernetes-sigs/cluster-api + version: v1.7.3 --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 kind: ControlPlaneProvider metadata: name: kamaji spec: - # fix: https://github.com/clastix/cluster-api-control-plane-provider-kamaji/pull/78 - deployment: - containers: - - name: manager - imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix + # https://github.com/clastix/cluster-api-control-plane-provider-kamaji + version: v0.10.0 --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 kind: BootstrapProvider metadata: name: kubeadm +spec: + # https://github.com/kubernetes-sigs/cluster-api + version: v1.7.3 --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 kind: InfrastructureProvider metadata: name: kubevirt +spec: + # https://github.com/kubevirt/cloud-provider-kubevirt + version: v0.5.1 From 4ec770996e83b4b18d249f8cb69a67a156391cd2 Mon Sep 17 00:00:00 2001 
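Review bot: The new `InfrastructureProvider` spec pins `version: v0.5.1` under a comment pointing at `https://github.com/kubevirt/cloud-provider-kubevirt`, which is the KubeVirt cloud-controller-manager rather than a Cluster API infrastructure provider; with no `fetchConfig` set, the operator resolves provider `kubevirt` from its embedded default for that name, so the comment and the pinned version have to agree with the repository the operator actually fetches from (presumably kubernetes-sigs/cluster-api-provider-kubevirt — confirm a v0.5.1 release exists there, otherwise the pin fails to fetch and the provider never installs). Suggest `# https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt` once the version is verified. Pinning all four providers instead of floating to latest is the right supply-chain move; note that the components are still pulled from GitHub releases at reconcile time with no digest or checksum visible here, so if hermetic or offline installs matter the `fetchConfig.selector` path (components served from in-cluster ConfigMaps) is the alternative.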
From: Andrei Kvapil Date: Mon, 8 Jul 2024 22:47:10 +0200 Subject: [PATCH 53/67] Update Piraeus v2.5.1 (#204) --- .../system/piraeus-operator/charts/piraeus/Chart.yaml | 4 ++-- .../charts/piraeus/templates/config.yaml | 11 +++++++---- .../charts/piraeus/templates/crds.yaml | 10 ++++++++++ .../charts/piraeus/templates/deployment.yaml | 1 + .../piraeus-operator/charts/piraeus/values.yaml | 2 ++ 5 files changed, 22 insertions(+), 6 deletions(-) diff --git a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml index f2ce5d79..ac8b65cf 100644 --- a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml @@ -3,8 +3,8 @@ name: piraeus description: | The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes. type: application -version: 2.5.0 -appVersion: "v2.5.0" +version: 2.5.1 +appVersion: "v2.5.1" maintainers: - name: Piraeus Datastore url: https://piraeus.io diff --git a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml index 4ff5234e..a9e77bc6 100644 --- a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml @@ -20,10 +20,11 @@ data: tag: v1.27.1 image: piraeus-server linstor-satellite: - tag: v1.27.1 + # Pin with digest to ensure we pull the version with downgraded thin-send-recv + tag: v1.27.1@sha256:26037f77d30d5487024e02a808d4ef913b93b745f2bb850cabc7f43a5359adff image: piraeus-server linstor-csi: - tag: v1.5.0 + tag: v1.6.0 image: piraeus-csi drbd-reactor: tag: v1.4.0 
@@ -38,11 +39,11 @@ data: tag: v0.10 image: ktls-utils drbd-module-loader: - tag: v9.2.8 + tag: v9.2.9 # The special "match" attribute is used to select an image based on the node's reported OS. # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list # here. If one matches, that specific image name will be used instead of the fallback image. - image: drbd9-jammy # Fallback image: chose a fairly recent kernel, which can hopefully compile whatever config is actually in use + image: drbd9-noble # Fallback image: chose a recent kernel, which can hopefully compile whatever config is actually in use match: - osImage: CentOS Linux 7 image: drbd9-centos7 @@ -64,6 +65,8 @@ data: image: drbd9-focal - osImage: Ubuntu 22\.04 image: drbd9-jammy + - osImage: Ubuntu 24\.04 + image: drbd9-noble - osImage: Debian GNU/Linux 12 image: drbd9-bookworm - osImage: Debian GNU/Linux 11 diff --git a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml index 275db553..75952f94 100644 --- a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml @@ -262,11 +262,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -294,14 +296,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object 
@@ -814,11 +819,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -846,14 +853,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object diff --git a/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml b/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml index d10e931c..84cf2948 100644 --- a/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml @@ -92,6 +92,7 @@ spec: runAsNonRoot: true serviceAccountName: {{ include "piraeus-operator.serviceAccountName" . }} terminationGracePeriodSeconds: 10 + priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }} tolerations: {{- toYaml .Values.tolerations | nindent 8 }} volumes: diff --git a/packages/system/piraeus-operator/charts/piraeus/values.yaml b/packages/system/piraeus-operator/charts/piraeus/values.yaml index ada590fe..87ca5064 100644 --- a/packages/system/piraeus-operator/charts/piraeus/values.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/values.yaml @@ -93,6 +93,8 @@ tolerations: effect: NoSchedule affinity: { } +priorityClassName: "" + podDisruptionBudget: enabled: true minAvailable: 1 From 9709059fb7e5f4b46940c5829f4745754002e1f5 Mon Sep 17 00:00:00 2001 
From: Andrei Kvapil Date: Mon, 8 Jul 2024 22:49:35 +0200 Subject: [PATCH 54/67] kubernetes: Allow upgrading existing node groups (#205) This PR introduces change to allow upgrading existing node groups for tenant Kubernetes cluster: This fixes the error: ``` Status: Failed (UpgradeFailed: Helm upgrade failed for release tenant-test0/kubernetes-test0 with chart kubernetes@0.3.0: cannot patch "kubernetes-test0-md0" with kind KubevirtMachineTemplate: admission webhook "validation.kubevirtmachinetemplate.infrastructure.cluster.x-k8s.io" denied the request: KubevirtMachineTemplateSpec is immutable) ``` This is done by generating unique names for KubevirtMachineTemplate based on hash from spec. Old KubevirtMachineTemplates keep existing in the cluster until some MachineSet continues using them. Signed-off-by: Andrei Kvapil --- .../apps/kubernetes/templates/cluster.yaml | 144 ++++++++++++------ 1 file changed, 94 insertions(+), 50 deletions(-) diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index 8ef574ef..d890c178 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -2,6 +2,58 @@ {{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }} {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }} {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} +{{- $kubevirtmachinetemplateNames := list }} +{{- define "kubevirtmachinetemplate" -}} +spec: + virtualMachineBootstrapCheck: + checkStrategy: ssh + virtualMachineTemplate: + metadata: + namespace: {{ $.Release.Namespace }} + labels: + {{- range .group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} + spec: + runStrategy: Always + template: + spec: + domain: + cpu: + threads: 1 + cores: {{ .group.resources.cpu }} + sockets: 1 + devices: + disks: + - name: system + disk: + bus: virtio + pciAddress: 0000:07:00.0 + - name: containerd + disk: + bus: virtio + pciAddress: 0000:08:00.0 + - name: kubelet + disk: + bus: virtio + pciAddress: 0000:09:00.0 + networkInterfaceMultiqueue: true + memory: + guest: {{ .group.resources.memory }} + evictionStrategy: External + volumes: + - name: system + containerDisk: + image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}" + - name: containerd + emptyDisk: + capacity: 20Gi + - name: kubelet + emptyDisk: + capacity: 20Gi +{{- end }} + + --- apiVersion: cluster.x-k8s.io/v1beta1 kind: Cluster 
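Review bot: The new `kubevirtmachinetemplate` define carries no comment on why the VM template was pulled out into a named template, which matters because its rendered text is what the following hunk hashes into the KubevirtMachineTemplate name: any edit here, including a new digest in `images/ubuntu-container-disk.json`, yields a new template and a rollout of every node group. Suggest a comment directly above the `define`: `{{- /* Rendered text of this block is hashed into the KubevirtMachineTemplate name: the spec is immutable, so any change here creates a new template and rolls the node group. */ -}}`. Inside a `define`, `$` is whatever context `include` was given, so `$.Files.Get` and `$.Release.Namespace` only resolve when the caller passes a copy of the chart root; a second line such as `{{- /* expects the chart root plus .group */ -}}` would save the next reader a trip to the call site.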
@@ -101,60 +153,20 @@ spec: skipPhases: - addon/kube-proxy --- +{{- $context := deepCopy $ }} +{{- $_ := set $context "group" $group }} +{{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }} +{{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }} +{{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }} +{{- $kubevirtmachinetemplateNames = append $kubevirtmachinetemplateNames $kubevirtmachinetemplateName }} apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtMachineTemplate metadata: - name: {{ $.Release.Name }}-{{ $groupName }} + name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }} namespace: {{ $.Release.Namespace }} spec: template: - spec: - virtualMachineBootstrapCheck: - checkStrategy: ssh - virtualMachineTemplate: - metadata: - namespace: {{ $.Release.Namespace }} - labels: - {{- range $group.roles }} - node-role.kubernetes.io/{{ . }}: "" - {{- end }} - spec: - runStrategy: Always - template: - spec: - domain: - cpu: - threads: 1 - cores: {{ $group.resources.cpu }} - sockets: 1 - devices: - disks: - - name: system - disk: - bus: virtio - pciAddress: 0000:07:00.0 - - name: containerd - disk: - bus: virtio - pciAddress: 0000:08:00.0 - - name: kubelet - disk: - bus: virtio - pciAddress: 0000:09:00.0 - networkInterfaceMultiqueue: true - memory: - guest: {{ $group.resources.memory }} - evictionStrategy: External - volumes: - - name: system - containerDisk: - image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}" - - name: containerd - emptyDisk: - capacity: 20Gi - - name: kubelet - emptyDisk: - capacity: 20Gi + {{- $kubevirtmachinetemplate | nindent 4 }} --- apiVersion: cluster.x-k8s.io/v1beta1 kind: MachineDeployment 
@@ -171,6 +183,8 @@ spec: template: metadata: labels: + cluster.x-k8s.io/cluster-name: {{ $.Release.Name }} + cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }} {{- range $group.roles }} node-role.kubernetes.io/{{ . }}: "" {{- end }} @@ -180,12 +194,42 @@ spec: apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 kind: KubeadmConfigTemplate name: {{ $.Release.Name }}-{{ $groupName }} - namespace: default + namespace: {{ $.Release.Namespace }} clusterName: {{ $.Release.Name }} infrastructureRef: apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtMachineTemplate - name: {{ $.Release.Name }}-{{ $groupName }} + name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }} namespace: default version: v1.29.4 {{- end }} +--- +{{- /* +We must preserve all previous KubevirtMachineTemplates until a MachineSet references them. +*/ -}} +{{- $mss := (lookup "cluster.x-k8s.io/v1beta1" "MachineSet" $.Release.Namespace "").items }} +{{- $oldKubevirtmachinetemplates := dict }} +{{- range $kmt := (lookup "infrastructure.cluster.x-k8s.io/v1alpha1" "KubevirtMachineTemplate" .Release.Namespace "").items }} +{{- range $or := $kmt.metadata.ownerReferences }} +{{- if and (eq $or.kind "Cluster") (eq $or.name $.Release.Name) }} +{{- range $ms := $mss }} +{{- if and (eq $ms.spec.template.spec.infrastructureRef.kind "KubevirtMachineTemplate") (eq $ms.spec.template.spec.infrastructureRef.name $kmt.metadata.name) }} +{{- if not (has $kmt.metadata.name $kubevirtmachinetemplateNames) }} +{{- $oldKubevirtmachinetemplates = merge $oldKubevirtmachinetemplates (dict $kmt.metadata.name $kmt) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- range $oldKubevirtmachinetemplates }} +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 +kind: KubevirtMachineTemplate +metadata: + name: {{ .metadata.name }} + namespace: {{ .metadata.Namespace }} +spec: + {{- .spec | toYaml | nindent 2 }} +{{- end }} 
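Review bot: In the MachineDeployment, `infrastructureRef.namespace` is still hard-coded to `default` while the KubevirtMachineTemplate it names is now created in `{{ $.Release.Namespace }}`; the commit fixes exactly this mismatch for the KubeadmConfigTemplate reference a few lines above but leaves this one, so the reference only lines up when the release happens to live in `default` (or relies on CAPI tolerating the mismatch — worth confirming). Change it to `namespace: {{ $.Release.Namespace }}`. In the preservation loop at the end of the hunk, `namespace: {{ .metadata.Namespace }}` reads a key the `lookup` result does not have (the object field is lowercase `namespace`), so it most likely renders empty and Helm silently falls back to the release namespace; write `namespace: {{ .metadata.namespace }}` so the preserved objects are recreated where they were found rather than by accident.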
From 4cbc8a2c33a081d13d60a23e98cbb49380ffdb25 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 8 Jul 2024 22:51:50 +0200 Subject: [PATCH 55/67] Upgrade tenant Kubernetes v1.30.1 (#206) Signed-off-by: Andrei Kvapil Signed-off-by: Andrei Kvapil --- packages/apps/kubernetes/Chart.yaml | 4 ++-- packages/apps/kubernetes/Makefile | 2 +- .../kubernetes/images/ubuntu-container-disk.json | 16 +++------------- .../kubernetes/images/ubuntu-container-disk.tag | 2 +- .../images/ubuntu-container-disk/Dockerfile | 4 ++-- packages/apps/kubernetes/templates/cluster.yaml | 4 ++-- .../templates/helmreleases/delete.yaml | 2 +- packages/apps/versions_map | 3 ++- 8 files changed, 14 insertions(+), 23 deletions(-) diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index fd023735..cd846685 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -16,10 +16,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.0 +version: 0.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.19.4" +appVersion: "1.30.1" diff --git a/packages/apps/kubernetes/Makefile b/packages/apps/kubernetes/Makefile index e8781a00..69f5486e 100644 --- a/packages/apps/kubernetes/Makefile +++ b/packages/apps/kubernetes/Makefile @@ -1,4 +1,4 @@ -UBUNTU_CONTAINER_DISK_TAG = v1.29.1 +UBUNTU_CONTAINER_DISK_TAG = v1.30.1 include ../../../scripts/common-envs.mk 
diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json index 05b67523..0877c0ee 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.json +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json @@ -32,17 +32,7 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/yscjdwk0a8zfgvypn9gfzoeqj", - "containerimage.config.digest": "sha256:62f92e19bf0610f85515bef28db8465650a25346472f52360736ad3a49ce7529", - "containerimage.descriptor": { - "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:f1176049da8651f438b2035c5a2cb6fd253ae868c4640e56785c91364069e0d8", - "size": 506, - "platform": { - "architecture": "amd64", - "os": "linux" - } - }, - "containerimage.digest": "sha256:f1176049da8651f438b2035c5a2cb6fd253ae868c4640e56785c91364069e0d8", - "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1-v0.8.0" + "buildx.build.ref": "amd64/amd64/ue2wioxbkuzsgxhir5c3qgwoh", + "containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15", + "containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b" } \ No newline at end of file diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.tag b/packages/apps/kubernetes/images/ubuntu-container-disk.tag index c2389748..19963a6b 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1 +ghcr.io/aenix-io/cozystack/ubuntu-container-disk:latest diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile b/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile index a30d70f7..eb08ef10 100644 
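Review bot: `ubuntu-container-disk.tag` now carries the mutable `latest` tag instead of a version-pinned one. The rendered reference in `cluster.yaml` is `tag@digest`, so the digest from `ubuntu-container-disk.json` still pins the content, but `latest` no longer tells a reader which build that digest belongs to, and if the json is ever regenerated without the tag the chart would silently follow whatever `latest` resolves to at that moment. Given the Makefile in the same commit sets `UBUNTU_CONTAINER_DISK_TAG = v1.30.1`, this looks like the output of a build run without that variable; re-running the image build so the file reads `ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1` keeps the reference pinned and auditable.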
--- a/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile +++ b/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile @@ -26,8 +26,8 @@ RUN qemu-img resize image.img 5G \ && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \ && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \ # kubernetes repo - && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \ - && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \ + && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \ + && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \ # install containerd && guestfish --remote command "apt-get update -y" \ && guestfish --remote command "apt-get install -y containerd.io" \ diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index d890c178..0ce5d542 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml @@ -109,7 +109,7 @@ spec: className: "{{ $ingress }}" deployment: replicas: 2 - version: 1.29.4 + version: 1.30.1 --- apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtCluster 
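Review bot: The bumped repository lines still trust whatever `curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key` returns at build time: the key is dearmored straight into `/etc/apt/keyrings/kubernetes-apt-keyring.gpg` with no fingerprint check, and the docker.gpg line above it does the same. Because this image is built once and then referenced by digest from the chart, a rotated or tampered key at build time would be baked in without anyone noticing; comparing the fetched key's fingerprint against a value committed next to the Dockerfile, or vendoring the keyring file into the build context, would make the build reproducible and reviewable. The `RUN` instruction begins before this hunk and continues after it.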
@@ -201,7 +201,7 @@ spec: kind: KubevirtMachineTemplate name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }} namespace: default - version: v1.29.4 + version: v1.30.1 {{- end }} --- {{- /* diff --git a/packages/apps/kubernetes/templates/helmreleases/delete.yaml b/packages/apps/kubernetes/templates/helmreleases/delete.yaml index 21925476..30cd5586 100644 --- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml @@ -20,7 +20,7 @@ spec: effect: "NoSchedule" containers: - name: kubectl - image: docker.io/clastix/kubectl:v1.29.1 + image: docker.io/clastix/kubectl:v1.30.1 command: - /bin/sh - -c diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 423cca3e..5b3f99fb 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -10,7 +10,8 @@ kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 kubernetes 0.3.0 7caccec1 kubernetes 0.4.0 6cae6ce8 -kubernetes 0.5.0 HEAD +kubernetes 0.5.0 6bd2d455 +kubernetes 0.6.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD From 5bbc488e9c6016944981a2afd85c0fca95fe40a8 Mon Sep 17 00:00:00 2001 
From: Andrei Kvapil Date: Wed, 10 Jul 2024 20:25:29 +0200 Subject: [PATCH 56/67] Prepare release 0.9.0 (#207) --- manifests/cozystack-installer.yaml | 4 +- .../apps/http-cache/images/nginx-cache.json | 16 ++----- .../images/ubuntu-container-disk.json | 2 +- .../images/ubuntu-container-disk.tag | 2 +- packages/core/installer/images/cozystack.json | 8 ++-- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 45 ++++++++++++++++++- packages/system/cilium/images/cilium.json | 18 ++------ .../system/dashboard/images/dashboard.json | 16 ++----- .../system/dashboard/images/dashboard.tag | 2 +- .../dashboard/images/kubeapps-apis.json | 16 ++----- .../system/dashboard/images/kubeapps-apis.tag | 2 +- packages/system/kubeovn/images/kubeovn.json | 20 +++------ 13 files changed, 72 insertions(+), 81 deletions(-) diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index 54bbe347..e88aa4c5 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index e71ab98c..bd54b58a 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json 
@@ -32,17 +32,7 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/iixrpj9up3jfyyrovbx167irv", - "containerimage.config.digest": "sha256:a359a6c83a1861ac146c42030e513b925ec155207b77baf5f61f19c507ab3ee5", - "containerimage.descriptor": { - "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:57b113a4392b958612c14ed348147c221fe17d3ad6623fb7bd778e54139f45b9", - "size": 1094, - "platform": { - "architecture": "amd64", - "os": "linux" - } - }, - "containerimage.digest": "sha256:57b113a4392b958612c14ed348147c221fe17d3ad6623fb7bd778e54139f45b9", - "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.8.0" + "buildx.build.ref": "amd64/amd64/gaibgudlqaxqxufa236q5ffdk", + "containerimage.config.digest": "sha256:677b0b84d7a11a31971857863a6a83b5bb863583eca86a2c2b1b89c61659e549", + "containerimage.digest": "sha256:7f864e2c9c86b77e08953258521117503309f84783ea11c617db8c2534f8b545" } \ No newline at end of file diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json index 0877c0ee..e249d0e4 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.json +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json @@ -32,7 +32,7 @@ } } }, - "buildx.build.ref": "amd64/amd64/ue2wioxbkuzsgxhir5c3qgwoh", + "buildx.build.ref": "amd64/amd64/kk2drcq44gorgb3xwa8908pfc", "containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15", "containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b" } \ No newline at end of file diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.tag b/packages/apps/kubernetes/images/ubuntu-container-disk.tag index 19963a6b..5ea3ff97 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag 
@@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/ubuntu-container-disk:latest +ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1 diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 81e7f558..571f9aa7 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json @@ -1,10 +1,10 @@ { - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/cyr9s3a1cszjq9tt9vrh2czxt", + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef", + "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f", "size": 685 }, - "containerimage.digest": "sha256:48e9f676f4eca5f7036648a56767c31beb0aca8fdc6d6798bd65de74886ed1ef", - "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.8.0" + "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f", + "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index 75bdf91c..aff03e70 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.8.0 +ghcr.io/aenix-io/cozystack/cozystack:v0.9.0 diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json index d5bf9ebe..930a0ce7 100644 --- a/packages/core/installer/images/matchbox.json +++ b/packages/core/installer/images/matchbox.json 
@@ -1,4 +1,45 @@ { - "containerimage.config.digest": "sha256:ed483d1187cdfeb92df319a30dde57141ceb1d4bafcc28ba006a1e60abc445ff", - "containerimage.digest": "sha256:000a46c2bffc3cf13909dc0ca570cdcea9692d85b1ef2a875afe08ea8136d2c2" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64", + "digest": { + "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/k5n5is33n6zu6an3nmlnylejx", + "containerimage.config.digest": "sha256:4676a205eae74f1b16a9065921c612ee85e123ab6566a238edb4bbaf79b2e148", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7", + "size": 1488, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7", + "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.0,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.0" } \ No newline at end of file diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json index d502e021..d42c822d 100644 --- a/packages/system/cilium/images/cilium.json +++ b/packages/system/cilium/images/cilium.json @@ -11,7 +11,7 @@ { "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", "digest": { - "sha256": "7dcf6f2084586b44844aea8615db684c9361cf6bebf235a1750595633ed021bd" + "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad" } }, { 
@@ -45,17 +45,7 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/fsidbune5vw82lhgf2ofhwo0g", - "containerimage.config.digest": "sha256:79635c7d6c1f3a457406d39590ee94168caa925eae7a82bac4fed42e751f135d", - "containerimage.descriptor": { - "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:3cee2f43abcc7ae34dddf589345b871d4eb6a4f0281c7758844b05c7c5ec4965", - "size": 2083, - "platform": { - "architecture": "amd64", - "os": "linux" - } - }, - "containerimage.digest": "sha256:3cee2f43abcc7ae34dddf589345b871d4eb6a4f0281c7758844b05c7c5ec4965", - "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.8.0" + "buildx.build.ref": "amd64/amd64/ydz7c2pwlqaadvlo84t1spegq", + "containerimage.config.digest": "sha256:1f918c5f4bd8a1c90596b7d4256c8a208482141ae3363ab0b4627203b3fa3b32", + "containerimage.digest": "sha256:90e2235e75febcac777c0338fa93d5e7522d82d029facb0c318305ed178a42ac" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json index d899b03c..b5de5c91 100644 --- a/packages/system/dashboard/images/dashboard.json +++ b/packages/system/dashboard/images/dashboard.json 
@@ -35,17 +35,7 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/o70jr31zju6q5ffssjqf8c5us", - "containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307", - "containerimage.descriptor": { - "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17", - "size": 703, - "platform": { - "architecture": "amd64", - "os": "linux" - } - }, - "containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17", - "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.8.0" + "buildx.build.ref": "amd64/amd64/vvxs4dbzlno0vtdl1zudk54fj", + "containerimage.config.digest": "sha256:52a7ac58f30de8bec104f3fa9b3dcc674f37edfee184c5d4229e24f69f4ddcb2", + "containerimage.digest": "sha256:8906436ebd6452549f0634c6db693c7c3248c123f0c882bb8b1bde34ec05aeb6" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index 96f44cf8..bff2f641 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.8.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.9.0 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index f67c02e0..c3dd111a 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json 
@@ -41,17 +41,7 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ggf28zo7pywc734xde1oado8l", - "containerimage.config.digest": "sha256:62c4a42cb62f918a2e4bb295f6faaceb96a2dae7fb8cf4bd6850bc072064b4ce", - "containerimage.descriptor": { - "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:a5eab0f2a900ac1963b24bbdbe35bffbee7ba146c86742d6e8bea8c070610d9c", - "size": 1890, - "platform": { - "architecture": "amd64", - "os": "linux" - } - }, - "containerimage.digest": "sha256:a5eab0f2a900ac1963b24bbdbe35bffbee7ba146c86742d6e8bea8c070610d9c", - "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.8.0" + "buildx.build.ref": "amd64/amd64/p2w3cwt8rnd7ivkbmg86ugjj0", + "containerimage.config.digest": "sha256:28621d87b70bc82caf060b33313051703456a2915e95371bcbe5c0e1e5b9daa3", + "containerimage.digest": "sha256:1b6826f030c6d288f9d91476b636300e544bbf55687e59f6de1765d1320faf7b" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index a760f0de..231ec10a 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.8.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.9.0 diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json index a5ba1923..3c163b02 100644 --- a/packages/system/kubeovn/images/kubeovn.json +++ b/packages/system/kubeovn/images/kubeovn.json 
@@ -5,13 +5,13 @@ { "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64", "digest": { - "sha256": "c9348ac30ee286aa2c801600f5587e54d07b96b9e137919fa28a84f4ed6806d2" + "sha256": "b383903ab2427169bfd27ac49ec1f835e01be552dd391aae92a63d6a5d04f05d" } }, { "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", "digest": { - "sha256": "7dcf6f2084586b44844aea8615db684c9361cf6bebf235a1750595633ed021bd" + "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad" } } ], @@ -35,17 +35,7 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/uy5qpumete0kfxr1v5cf2dyjo", - "containerimage.config.digest": "sha256:b83d8f607c54ba91b71517099aef98c5f373ef64d268e53fe7f95e15e18ec0af", - "containerimage.descriptor": { - "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:9bedea10c9d2fc0b1213338b4b73b056d5e8ea53302395696d623e6be48bc0be", - "size": 5015, - "platform": { - "architecture": "amd64", - "os": "linux" - } - }, - "containerimage.digest": "sha256:9bedea10c9d2fc0b1213338b4b73b056d5e8ea53302395696d623e6be48bc0be", - "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.8.0" + "buildx.build.ref": "amd64/amd64/59sogfe3191kwbdbmplhsarwj", + "containerimage.config.digest": "sha256:c60b915c03796938fee46e305997e540bd71f688f9f6b7c4b5846168501768fb", + "containerimage.digest": "sha256:731d2f079c6ef243731f2f7fd70f36b4da4c50626622b496241ecfe9f98913c0" } \ No newline at end of file From 07d666c0beba283627c79299eaa0a0adc43d2fa5 Mon Sep 17 00:00:00 2001 
From: Andrei Kvapil Date: Tue, 16 Jul 2024 08:06:16 +0200 Subject: [PATCH 57/67] fix: scraping ingress-nginx metrics (#212) Now grafana dashboards for ingress-nginx controller completely works! ![pic](https://github.com/user-attachments/assets/c2414cc7-9e0c-441e-9668-bf78ea3ef0c6) ![pic](https://github.com/user-attachments/assets/8ebe2488-0c53-4fc8-9e26-fc37e0047ebe) ![pic](https://github.com/user-attachments/assets/675a47b8-0304-4c58-9379-75e23c2db90f) --- packages/extra/ingress/Chart.yaml | 2 +- .../ingress}/templates/nginx-scrape.yaml | 6 ++---- packages/extra/versions_map | 3 ++- 3 files changed, 5 insertions(+), 6 deletions(-) rename packages/{system/monitoring => extra/ingress}/templates/nginx-scrape.yaml (92%) diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index e9d3511f..b646aedb 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg type: application -version: 1.1.0 +version: 1.2.0 diff --git a/packages/system/monitoring/templates/nginx-scrape.yaml b/packages/extra/ingress/templates/nginx-scrape.yaml similarity index 92% rename from packages/system/monitoring/templates/nginx-scrape.yaml rename to packages/extra/ingress/templates/nginx-scrape.yaml index d9de45a0..d04c5b65 100644 --- a/packages/system/monitoring/templates/nginx-scrape.yaml +++ b/packages/extra/ingress/templates/nginx-scrape.yaml @@ -3,12 +3,11 @@ apiVersion: operator.victoriametrics.com/v1beta1 kind: VMPodScrape metadata: name: nginx-ingress-controller - namespace: cozy-monitoring spec: jobLabel: jobLabel namespaceSelector: matchNames: - - cozy-ingress-nginx + - {{ .Release.Namespace }} podMetricsEndpoints: - port: metrics honorLabels: true 
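Review bot: Removing `namespace: cozy-monitoring` and selecting `{{ .Release.Namespace }}` moves the VMPodScrape into the ingress release namespace, so it now appears to depend on the VictoriaMetrics operator watching VMPodScrape objects cluster-wide; if the operator is ever scoped to its own namespace the scrape disappears silently and the dashboards go empty again. A one-line comment above the object, e.g. `# Created in the ingress namespace; relies on the VM operator watching VMPodScrape in all namespaces`, records that assumption. The same applies to the second hunk (`nginx-ingress-controller-detailed`). The list item `- {{ .Release.Namespace }}` is unquoted; `- {{ .Release.Namespace | quote }}` guards against an all-digit namespace name being read as a number.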
@@ -29,12 +28,11 @@ apiVersion: operator.victoriametrics.com/v1beta1 kind: VMPodScrape metadata: name: nginx-ingress-controller-detailed - namespace: cozy-monitoring spec: jobLabel: jobLabel namespaceSelector: matchNames: - - cozy-ingress-nginx + - {{ .Release.Namespace }} podMetricsEndpoints: - port: metrics2 honorLabels: true diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 45fa333e..996103e5 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -3,6 +3,7 @@ etcd 2.0.0 a6d0f7cf etcd 2.0.1 6fc1cc7d etcd 2.1.0 HEAD ingress 1.0.0 f642698 -ingress 1.1.0 HEAD +ingress 1.1.0 838bee5d +ingress 1.2.0 HEAD monitoring 1.0.0 f642698 monitoring 1.1.0 HEAD From 4ffa8615348b1ed5de78867331f20b5dd52dc3a0 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 15 Jul 2024 22:55:00 +0200 Subject: [PATCH 58/67] add ferretdb 
Signed-off-by: Andrei Kvapil --- packages/apps/ferretdb/Chart.yaml | 25 +++++ packages/apps/ferretdb/Makefile | 2 + packages/apps/ferretdb/README.md | 34 ++++++ packages/apps/ferretdb/ferretdb.svg | 54 +++++++++ packages/apps/ferretdb/templates/.gitkeep | 0 .../ferretdb/templates/backup-cronjob.yaml | 99 +++++++++++++++++ .../ferretdb/templates/backup-script.yaml | 50 +++++++++ .../ferretdb/templates/backup-secret.yaml | 11 ++ .../apps/ferretdb/templates/external-svc.yaml | 15 +++ .../apps/ferretdb/templates/ferretdb.yaml | 26 +++++ .../apps/ferretdb/templates/init-job.yaml | 66 +++++++++++ .../apps/ferretdb/templates/init-script.yaml | 104 ++++++++++++++++++ .../apps/ferretdb/templates/postgres.yaml | 45 ++++++++ packages/apps/ferretdb/values.schema.json | 81 ++++++++++++++ packages/apps/ferretdb/values.yaml | 48 ++++++++ packages/apps/versions_map | 1 + 16 files changed, 661 insertions(+) create mode 100644 packages/apps/ferretdb/Chart.yaml create mode 100644 packages/apps/ferretdb/Makefile create mode 100644 packages/apps/ferretdb/README.md create mode 100644 packages/apps/ferretdb/ferretdb.svg create mode 100644 packages/apps/ferretdb/templates/.gitkeep create mode 100644 packages/apps/ferretdb/templates/backup-cronjob.yaml create mode 100644 packages/apps/ferretdb/templates/backup-script.yaml create mode 100644 packages/apps/ferretdb/templates/backup-secret.yaml create mode 100644 packages/apps/ferretdb/templates/external-svc.yaml create mode 100644 packages/apps/ferretdb/templates/ferretdb.yaml create mode 100644 packages/apps/ferretdb/templates/init-job.yaml create mode 100644 packages/apps/ferretdb/templates/init-script.yaml create mode 100644 packages/apps/ferretdb/templates/postgres.yaml create mode 100644 packages/apps/ferretdb/values.schema.json create mode 100644 packages/apps/ferretdb/values.yaml diff --git a/packages/apps/ferretdb/Chart.yaml b/packages/apps/ferretdb/Chart.yaml new file mode 100644 index 00000000..6d35a52b --- /dev/null 
+++ b/packages/apps/ferretdb/Chart.yaml @@ -0,0 +1,25 @@ +apiVersion: v2 +name: ferretdb +description: Managed FerretDB service +icon: ferretdb.svg + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.22.0" diff --git a/packages/apps/ferretdb/Makefile b/packages/apps/ferretdb/Makefile new file mode 100644 index 00000000..207e2133 --- /dev/null +++ b/packages/apps/ferretdb/Makefile @@ -0,0 +1,2 @@ +generate: + readme-generator -v values.yaml -s values.schema.json -r README.md diff --git a/packages/apps/ferretdb/README.md b/packages/apps/ferretdb/README.md new file mode 100644 index 00000000..afa4f961 --- /dev/null +++ b/packages/apps/ferretdb/README.md 
@@ -0,0 +1,34 @@ +# Managed FerretDB Service + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `size` | Persistent Volume size | `10Gi` | +| `replicas` | Number of Postgres replicas | `2` | +| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed. | `0` | +| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0` | + +### Configuration parameters + +| Name | Description | Value | +| ------- | ------------------- | ----- | +| `users` | Users configuration | `{}` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ | +| `backup.enabled` | Enable pereiodic backups | `false` | +| `backup.s3Region` | The AWS S3 region where backups are stored | `us-east-1` | +| `backup.s3Bucket` | The S3 bucket used for storing backups | `s3.example.org/postgres-backups` | +| `backup.schedule` | Cron schedule for automated backups | `0 2 * * *` | +| `backup.cleanupStrategy` | The strategy for cleaning up old backups | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` | +| `backup.s3AccessKey` | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu` | +| `backup.s3SecretKey` | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog` | +| `backup.resticPassword` | The password for Restic backup encryption | `ChaXoveekoh6eigh4siesheeda2quai0` | + + 
diff --git a/packages/apps/ferretdb/ferretdb.svg b/packages/apps/ferretdb/ferretdb.svg new file mode 100644 index 00000000..196871e1 --- /dev/null +++ b/packages/apps/ferretdb/ferretdb.svg @@ -0,0 +1,54 @@ + + + + + + + + + + + + diff --git a/packages/apps/ferretdb/templates/.gitkeep b/packages/apps/ferretdb/templates/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/packages/apps/ferretdb/templates/backup-cronjob.yaml b/packages/apps/ferretdb/templates/backup-cronjob.yaml new file mode 100644 index 00000000..84a6aee7 --- /dev/null +++ b/packages/apps/ferretdb/templates/backup-cronjob.yaml 
@@ -0,0 +1,99 @@ +{{- if .Values.backup.enabled }} +{{ $image := .Files.Get "images/backup.json" | fromJson }} + +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ .Release.Name }}-backup +spec: + schedule: "{{ .Values.backup.schedule }}" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + backoffLimit: 2 + template: + spec: + restartPolicy: OnFailure + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }} + spec: + restartPolicy: Never + containers: + - name: mysqldump + image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}" + command: + - /bin/sh + - /scripts/backup.sh + env: + - name: REPO_PREFIX + value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }} + - name: CLEANUP_STRATEGY + value: {{ required "cleanupStrategy is not specified!" 
.Values.backup.cleanupStrategy | quote }} + - name: PGUSER + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-superuser + key: username + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-superuser + key: password + - name: PGHOST + value: {{ .Release.Name }}-postgres-rw + - name: PGPORT + value: "5432" + - name: PGDATABASE + value: postgres + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-backup + key: s3AccessKey + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-backup + key: s3SecretKey + - name: AWS_DEFAULT_REGION + value: {{ .Values.backup.s3Region }} + - name: RESTIC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-backup + key: resticPassword + volumeMounts: + - mountPath: /scripts + name: scripts + - mountPath: /tmp + name: tmp + - mountPath: /.cache + name: cache + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumes: + - name: scripts + secret: + secretName: {{ .Release.Name }}-backup-script + - name: tmp + emptyDir: {} + - name: cache + emptyDir: {} + securityContext: + runAsNonRoot: true + runAsUser: 9000 + runAsGroup: 9000 + seccompProfile: + type: RuntimeDefault +{{- end }} diff --git a/packages/apps/ferretdb/templates/backup-script.yaml b/packages/apps/ferretdb/templates/backup-script.yaml new file mode 100644 index 00000000..362bdc01 --- /dev/null +++ b/packages/apps/ferretdb/templates/backup-script.yaml 
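Review bot: The pod template is nested one level too deep: under `jobTemplate.spec.template.spec` the hunk opens a second `template:` with its own `metadata`, `spec`, `restartPolicy: Never` and the whole `containers` list, so the real PodSpec carries an unknown `template` field and no `containers`, which the API server should reject (the unknown field is pruned, then `containers` is a required value). Drop the outer `template:` / `spec:` / `restartPolicy: OnFailure` wrapper so that `metadata` (with the checksum annotations) and `spec` sit directly under `jobTemplate.spec.template`; the two `restartPolicy` values disagree as well, and `Never` together with `backoffLimit: 2` is the one that makes sense for a dump job. Two smaller nits in the same hunk: the container is named `mysqldump` although it runs `pg_dump`, and `value: {{ .Values.backup.s3Region }}` should be `value: {{ .Values.backup.s3Region | quote }}` like the other templated env values, since a region string is free text as far as YAML is concerned.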
@@ -0,0 +1,50 @@ +{{- if .Values.backup.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-backup-script +stringData: + backup.sh: | + #!/bin/sh + set -e + set -o pipefail + + JOB_ID="job-$(uuidgen|cut -f1 -d-)" + DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$') + echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list + echo "Job ID: $JOB_ID" + echo "Target repo: $REPO_PREFIX" + echo "Cleanup strategy: $CLEANUP_STRATEGY" + echo "Start backup for:" + echo "$DB_LIST" + echo + echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`" + for db in $DB_LIST; do + ( + set -x + restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \ + restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2 + restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it + pg_dump -Z0 -Ft -d "$db" | \ + restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar + restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed" + ) + done + echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`" + + echo + echo "Run cleanup:" + echo + + echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`" + for db in $DB_LIST; do + ( + set -x + restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only + restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY + restic prune -r "s3:${REPO_PREFIX}/$db" + ) + done + echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`" +{{- end }} diff --git a/packages/apps/ferretdb/templates/backup-secret.yaml b/packages/apps/ferretdb/templates/backup-secret.yaml new file mode 100644 index 00000000..be221e2f --- /dev/null +++ b/packages/apps/ferretdb/templates/backup-secret.yaml 
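Review bot: The "shuffle list" step is a no-op: `echo DB_LIST=$(echo "$DB_LIST" | shuf)` prints the shuffled list to the log instead of assigning it, so the loops below always run in `pg_database` order; the intended line is `DB_LIST=$(echo "$DB_LIST" | shuf)`. With `set -e` in effect, the `DB_LIST=$(psql ... | grep -v ...)` assignment aborts the job whenever every database is filtered out (grep exits 1 on no match), so a fresh cluster with only `postgres`/`app` fails its backup rather than finishing with nothing to do — `grep -v '...' || true` inside the pipeline fixes that. Also worth checking against the backup image: the script is run by `/bin/sh`, and `set -o pipefail` is accepted by busybox ash and bash but not by older dash, in which case the script dies on its third line before anything is logged.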
@@ -0,0 +1,11 @@ +{{- if .Values.backup.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-backup +stringData: + s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }} + s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }} + resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }} +{{- end }} diff --git a/packages/apps/ferretdb/templates/external-svc.yaml b/packages/apps/ferretdb/templates/external-svc.yaml new file mode 100644 index 00000000..2e0501c8 --- /dev/null +++ b/packages/apps/ferretdb/templates/external-svc.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }} +spec: + type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }} + {{- if .Values.external }} + externalTrafficPolicy: Local + allocateLoadBalancerNodePorts: false + {{- end }} + ports: + - name: ferretdb + port: 27017 + selector: + app: {{ .Release.Name }} diff --git a/packages/apps/ferretdb/templates/ferretdb.yaml b/packages/apps/ferretdb/templates/ferretdb.yaml new file mode 100644 index 00000000..8d72787b --- /dev/null +++ b/packages/apps/ferretdb/templates/ferretdb.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Release.Name }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }} + spec: + containers: + - name: ferretdb + image: ghcr.io/ferretdb/ferretdb:1.22.0 + ports: + - containerPort: 27017 + env: + - name: FERRETDB_POSTGRESQL_URL + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-app + key: uri diff --git a/packages/apps/ferretdb/templates/init-job.yaml b/packages/apps/ferretdb/templates/init-job.yaml new file mode 100644 index 00000000..b7b03133 --- /dev/null +++ b/packages/apps/ferretdb/templates/init-job.yaml 
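Review bot: The three `stringData` values are templated without `| quote`, so a key or password containing `: `, ` #`, or a leading YAML indicator renders an invalid or mis-parsed Secret; use `s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey | quote }}` and likewise for `s3SecretKey` and `resticPassword`. The `required` guards only help if the defaults are empty, and the README added in this series lists concrete 32-character values for all three, which suggests values.yaml ships them filled in (not visible here — verify); in that case a tenant that enables backups without overriding them encrypts every dump with a restic password that is public in the repository and pushes it to the placeholder bucket. Ship these three as empty defaults so `required` actually fires, and keep example credentials in the README only.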
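Review bot: The FerretDB Deployment is the only workload in this chart without a hardened securityContext: the backup CronJob and init Job in the same commit drop all capabilities, forbid privilege escalation and run under `seccompProfile: RuntimeDefault`, while this container runs with cluster defaults, and it is also the one that `external: true` publishes on a LoadBalancer on 27017. Apply the same baseline here (below); `runAsNonRoot` and `readOnlyRootFilesystem` are left out of the excerpt because they depend on the image's USER and on where FerretDB writes its state directory — worth verifying and adding. The image is pinned by mutable tag (`ghcr.io/ferretdb/ferretdb:1.22.0`) whereas the backup image is resolved by digest from `images/backup.json`; resolving this one by digest too keeps the chart's supply-chain story consistent. Separately, if FerretDB 1.x falls back to the credentials embedded in `FERRETDB_POSTGRESQL_URL` for clients that present none (verify against the 1.22 documentation), an externally exposed instance is effectively unauthenticated and the README should say so.
```yaml
        - name: ferretdb
          # … unchanged: image, ports, env …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
```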
@@ -0,0 +1,66 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-init-job + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + template: + metadata: + name: {{ .Release.Name }}-init-job + annotations: + checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }} + spec: + restartPolicy: Never + containers: + - name: postgres + image: ghcr.io/cloudnative-pg/postgresql:15.3 + command: + - bash + - /scripts/init.sh + env: + - name: PGUSER + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-superuser + key: username + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-superuser + key: password + - name: PGHOST + value: {{ .Release.Name }}-postgres-rw + - name: PGPORT + value: "5432" + - name: PGDATABASE + value: postgres + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/secret + name: secret + - mountPath: /scripts + name: scripts + securityContext: + fsGroup: 26 + runAsGroup: 26 + runAsNonRoot: true + runAsUser: 26 + seccompProfile: + type: RuntimeDefault + volumes: + - name: secret + secret: + secretName: {{ .Release.Name }}-postgres-superuser + - name: scripts + secret: + secretName: {{ .Release.Name }}-init-script diff --git a/packages/apps/ferretdb/templates/init-script.yaml b/packages/apps/ferretdb/templates/init-script.yaml new file mode 100644 index 00000000..3917f8fd --- /dev/null +++ b/packages/apps/ferretdb/templates/init-script.yaml 
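Review bot: The Postgres superuser credentials are delivered to the init pod twice — as the `PGUSER`/`PGPASSWORD` env vars and again as the `{{ .Release.Name }}-postgres-superuser` Secret mounted at `/etc/secret` — while the part of `init.sh` visible in this series only uses the env-based `psql` connection, so the mount is a second, unused copy of the superuser password on the pod filesystem. Unless a later part of the script reads `/etc/secret` (not visible here), drop the `- mountPath: /etc/secret` entry and the `secret` volume. The job also runs `ghcr.io/cloudnative-pg/postgresql:15.3` by mutable tag while the sibling backup job resolves its image by digest from `images/backup.json`; pinning this one the same way keeps post-install hooks reproducible.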
@@ -0,0 +1,104 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-init-script +stringData: + init.sh: | + #!/bin/bash + set -e + echo "== create users" + {{- if .Values.users }} + psql -v ON_ERROR_STOP=1 <<\EOT + {{- range $user, $u := .Values.users }} + SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;' + WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec + ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }}; + COMMENT ON ROLE {{ $user }} IS 'user managed by helm'; + {{- end }} + EOT + {{- end }} + + echo "== delete users" + MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ') + DEFINED_USERS="{{ join " " (keys .Values.users) }}" + DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done) + + echo "users to delete: $DELETE_USERS" + for user in $DELETE_USERS; do + # https://stackoverflow.com/a/51257346/2931267 + psql -v ON_ERROR_STOP=1 --echo-all < Date: Tue, 16 Jul 2024 09:36:20 +0200 Subject: [PATCH 59/67] Ship all logos with Cozystack 
Signed-off-by: Andrei Kvapil --- Makefile | 2 + packages/apps/clickhouse/.helmignore | 3 + packages/apps/clickhouse/Chart.yaml | 2 +- packages/apps/clickhouse/logos/clickhouse.svg | 1 + packages/apps/ferretdb/.helmignore | 3 + packages/apps/ferretdb/Chart.yaml | 2 +- .../apps/ferretdb/{ => logos}/ferretdb.svg | 0 packages/apps/http-cache/.helmignore | 26 +- packages/apps/http-cache/Chart.yaml | 2 +- packages/apps/http-cache/logos/nginx.svg | 2 + packages/apps/kafka/.helmignore | 3 + packages/apps/kafka/Chart.yaml | 2 +- packages/apps/kafka/logos/kafka.svg | 1 + packages/apps/kubernetes/.helmignore | 26 +- packages/apps/kubernetes/Chart.yaml | 2 +- packages/apps/kubernetes/logos/kubernetes.svg | 84 +++++ packages/apps/mysql/.helmignore | 26 +- packages/apps/mysql/Chart.yaml | 2 +- packages/apps/mysql/logos/mariadb.svg | 12 + packages/apps/postgres/.helmignore | 26 +- packages/apps/postgres/Chart.yaml | 2 +- packages/apps/postgres/logos/postgres.svg | 22 ++ packages/apps/rabbitmq/.helmignore | 26 +- packages/apps/rabbitmq/Chart.yaml | 2 +- packages/apps/rabbitmq/logos/rabbitmq.svg | 2 + packages/apps/redis/.helmignore | 26 +- packages/apps/redis/Chart.yaml | 2 +- packages/apps/redis/logos/redis.svg | 2 + packages/apps/tcp-balancer/.helmignore | 26 +- packages/apps/tcp-balancer/Chart.yaml | 2 +- packages/apps/tcp-balancer/logos/haproxy.svg | 165 ++++++++ packages/apps/tenant/.helmignore | 3 + packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/logos/tenant.svg | 351 ++++++++++++++++++ packages/apps/virtual-machine/.helmignore | 26 +- packages/apps/virtual-machine/Chart.yaml | 2 +- packages/apps/virtual-machine/logos/vm.svg | 2 + packages/apps/vpn/.helmignore | 26 +- packages/apps/vpn/Chart.yaml | 2 +- packages/apps/vpn/logos/outline.svg | 64 ++++ .../installer/images/cozystack/Dockerfile | 1 + packages/extra/etcd/.helmignore | 3 + packages/extra/etcd/Chart.yaml | 2 +- packages/extra/etcd/logos/etcd.svg | 8 + packages/extra/ingress/.helmignore | 3 + 
packages/extra/ingress/Chart.yaml | 2 +- .../extra/ingress/logos/ingress-nginx.svg | 57 +++ packages/extra/monitoring/.helmignore | 3 + packages/extra/monitoring/Chart.yaml | 2 +- .../extra/monitoring/logos/monitoring.svg | 51 +++ packages/system/dashboard/.helmignore | 1 + packages/system/dashboard/Makefile | 1 + .../templates/frontend/configmap.yaml | 6 + packages/system/dashboard/patches/logos.patch | 15 + 54 files changed, 914 insertions(+), 223 deletions(-) create mode 100644 packages/apps/clickhouse/.helmignore create mode 100644 packages/apps/clickhouse/logos/clickhouse.svg create mode 100644 packages/apps/ferretdb/.helmignore rename packages/apps/ferretdb/{ => logos}/ferretdb.svg (100%) create mode 100644 packages/apps/http-cache/logos/nginx.svg create mode 100644 packages/apps/kafka/.helmignore create mode 100644 packages/apps/kafka/logos/kafka.svg create mode 100644 packages/apps/kubernetes/logos/kubernetes.svg create mode 100644 packages/apps/mysql/logos/mariadb.svg create mode 100644 packages/apps/postgres/logos/postgres.svg create mode 100644 packages/apps/rabbitmq/logos/rabbitmq.svg create mode 100644 packages/apps/redis/logos/redis.svg create mode 100644 packages/apps/tcp-balancer/logos/haproxy.svg create mode 100644 packages/apps/tenant/.helmignore create mode 100644 packages/apps/tenant/logos/tenant.svg create mode 100644 packages/apps/virtual-machine/logos/vm.svg create mode 100644 packages/apps/vpn/logos/outline.svg create mode 100644 packages/extra/etcd/.helmignore create mode 100644 packages/extra/etcd/logos/etcd.svg create mode 100644 packages/extra/ingress/.helmignore create mode 100644 packages/extra/ingress/logos/ingress-nginx.svg create mode 100644 packages/extra/monitoring/.helmignore create mode 100644 packages/extra/monitoring/logos/monitoring.svg create mode 100644 packages/system/dashboard/patches/logos.patch diff --git a/Makefile b/Makefile index 9ac01626..10a78ae7 100644 --- a/Makefile +++ b/Makefile 
@@ -20,6 +20,8 @@ repos: make -C packages/system repo make -C packages/apps repo make -C packages/extra repo + mkdir -p _out/logos + cp ./packages/apps/*/logos/*.svg ./packages/extra/*/logos/*.svg _out/logos/ assets: make -C packages/core/installer/ assets diff --git a/packages/apps/clickhouse/.helmignore b/packages/apps/clickhouse/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/clickhouse/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/clickhouse/Chart.yaml b/packages/apps/clickhouse/Chart.yaml index d5ad8600..be47e494 100644 --- a/packages/apps/clickhouse/Chart.yaml +++ b/packages/apps/clickhouse/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: clickhouse description: Managed ClickHouse service -icon: https://cdn.worldvectorlogo.com/logos/clickhouse.svg +icon: /logos/clickhouse.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/clickhouse/logos/clickhouse.svg b/packages/apps/clickhouse/logos/clickhouse.svg new file mode 100644 index 00000000..f2144b5d --- /dev/null +++ b/packages/apps/clickhouse/logos/clickhouse.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/apps/ferretdb/.helmignore b/packages/apps/ferretdb/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/ferretdb/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/ferretdb/Chart.yaml b/packages/apps/ferretdb/Chart.yaml index 6d35a52b..2b7c86e5 100644 --- a/packages/apps/ferretdb/Chart.yaml +++ b/packages/apps/ferretdb/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: ferretdb description: Managed FerretDB service -icon: ferretdb.svg +icon: /logos/ferretdb.svg # A chart can be either an 'application' or a 'library' chart. # 
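Review bot: `cp ./packages/apps/*/logos/*.svg ./packages/extra/*/logos/*.svg _out/logos/` flattens every chart's logos into one directory, so two charts shipping a logo with the same basename silently overwrite each other and the dashboard shows the wrong icon with no build error (today only convention keeps `nginx.svg` and `ingress-nginx.svg` apart). Either copy into a per-chart subdirectory and reference `icon: /logos/<chart>/<file>.svg`, or fail the build on a duplicate, e.g. `for f in ./packages/apps/*/logos/*.svg ./packages/extra/*/logos/*.svg; do test ! -e "_out/logos/$$(basename $$f)" || { echo "duplicate logo $$f"; exit 1; }; cp $$f _out/logos/; done`.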
diff --git a/packages/apps/ferretdb/ferretdb.svg b/packages/apps/ferretdb/logos/ferretdb.svg similarity index 100% rename from packages/apps/ferretdb/ferretdb.svg rename to packages/apps/ferretdb/logos/ferretdb.svg diff --git a/packages/apps/http-cache/.helmignore b/packages/apps/http-cache/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/http-cache/.helmignore +++ b/packages/apps/http-cache/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/http-cache/Chart.yaml b/packages/apps/http-cache/Chart.yaml index 716252ae..eb17a386 100644 --- a/packages/apps/http-cache/Chart.yaml +++ b/packages/apps/http-cache/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: http-cache description: Layer7 load balacner and caching service -icon: https://www.svgrepo.com/show/373924/nginx.svg +icon: /logos/nginx.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/http-cache/logos/nginx.svg b/packages/apps/http-cache/logos/nginx.svg new file mode 100644 index 00000000..27062a83 --- /dev/null +++ b/packages/apps/http-cache/logos/nginx.svg @@ -0,0 +1,2 @@ + +file_type_nginx \ No newline at end of file diff --git a/packages/apps/kafka/.helmignore b/packages/apps/kafka/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/kafka/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/kafka/Chart.yaml b/packages/apps/kafka/Chart.yaml index 78be0ce6..193e8d7e 100644 --- a/packages/apps/kafka/Chart.yaml +++ b/packages/apps/kafka/Chart.yaml 
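Review bot: The rewritten `.helmignore` (http-cache here, and the same three-line file for the other charts in this commit) drops the standard exclusions — `.git/`, `*.swp`, `*.bak`, `*.orig`, `*~`, `.idea/`, `.vscode/` — and keeps only `.helmignore`, `/logos` and `/Makefile`. Helm renders every file under `templates/` that is not ignored, so a stray editor backup or a merge-conflict `foo.yaml.orig` next to a template would now be packaged and applied to the cluster as a second copy of that resource. Keep the stock pattern list and append the three new entries instead of replacing it.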
@@ -1,7 +1,7 @@ apiVersion: v2 name: kafka description: Managed Kafka service -icon: https://upload.wikimedia.org/wikipedia/commons/0/05/Apache_kafka.svg +icon: /logos/kafka.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/kafka/logos/kafka.svg b/packages/apps/kafka/logos/kafka.svg new file mode 100644 index 00000000..305d8764 --- /dev/null +++ b/packages/apps/kafka/logos/kafka.svg @@ -0,0 +1 @@ + diff --git a/packages/apps/kubernetes/.helmignore b/packages/apps/kubernetes/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/kubernetes/.helmignore +++ b/packages/apps/kubernetes/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index cd846685..30811454 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: kubernetes description: Managed Kubernetes service -icon: https://upload.wikimedia.org/wikipedia/commons/thumb/3/39/Kubernetes_logo_without_workmark.svg/723px-Kubernetes_logo_without_workmark.svg.png +icon: /logos/kubernetes.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/kubernetes/logos/kubernetes.svg b/packages/apps/kubernetes/logos/kubernetes.svg new file mode 100644 index 00000000..bedd3b88 --- /dev/null +++ b/packages/apps/kubernetes/logos/kubernetes.svg @@ -0,0 +1,84 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + + + + 
diff --git a/packages/apps/mysql/.helmignore b/packages/apps/mysql/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/mysql/.helmignore +++ b/packages/apps/mysql/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/mysql/Chart.yaml b/packages/apps/mysql/Chart.yaml index 25f3132d..07321d2a 100644 --- a/packages/apps/mysql/Chart.yaml +++ b/packages/apps/mysql/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: mysql description: Managed MariaDB service -icon: https://static-00.iconduck.com/assets.00/mariadb-icon-512x340-txozryr2.png +icon: /logos/mariadb.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/mysql/logos/mariadb.svg b/packages/apps/mysql/logos/mariadb.svg new file mode 100644 index 00000000..82ff6f87 --- /dev/null +++ b/packages/apps/mysql/logos/mariadb.svg @@ -0,0 +1,12 @@ + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/apps/postgres/.helmignore b/packages/apps/postgres/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/postgres/.helmignore +++ b/packages/apps/postgres/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile 
diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index eb9ab8cc..0bc35560 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: postgres description: Managed PostgreSQL service -icon: https://cdn-icons-png.flaticon.com/512/5968/5968342.png +icon: /logos/postgres.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/postgres/logos/postgres.svg b/packages/apps/postgres/logos/postgres.svg new file mode 100644 index 00000000..d98e3659 --- /dev/null +++ b/packages/apps/postgres/logos/postgres.svg @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/apps/rabbitmq/.helmignore b/packages/apps/rabbitmq/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/rabbitmq/.helmignore +++ b/packages/apps/rabbitmq/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/rabbitmq/Chart.yaml b/packages/apps/rabbitmq/Chart.yaml index f8f02830..2c43a6b6 100644 --- a/packages/apps/rabbitmq/Chart.yaml +++ b/packages/apps/rabbitmq/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: rabbitmq description: Managed RabbitMQ service -icon: https://static-00.iconduck.com/assets.00/rabbitmq-icon-484x512-s9lfaapn.png +icon: /logos/rabbitmq.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/rabbitmq/logos/rabbitmq.svg b/packages/apps/rabbitmq/logos/rabbitmq.svg new file mode 100644 index 00000000..ab4c8693 --- /dev/null 
+++ b/packages/apps/rabbitmq/logos/rabbitmq.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/packages/apps/redis/.helmignore b/packages/apps/redis/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/redis/.helmignore +++ b/packages/apps/redis/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/redis/Chart.yaml b/packages/apps/redis/Chart.yaml index 3159738e..8daa1619 100644 --- a/packages/apps/redis/Chart.yaml +++ b/packages/apps/redis/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: redis description: Managed Redis service -icon: https://cdn4.iconfinder.com/data/icons/redis-2/1451/Untitled-2-512.png +icon: /logos/redis.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/redis/logos/redis.svg b/packages/apps/redis/logos/redis.svg new file mode 100644 index 00000000..ed312206 --- /dev/null +++ b/packages/apps/redis/logos/redis.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/packages/apps/tcp-balancer/.helmignore b/packages/apps/tcp-balancer/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/tcp-balancer/.helmignore +++ b/packages/apps/tcp-balancer/.helmignore 
@@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/tcp-balancer/Chart.yaml b/packages/apps/tcp-balancer/Chart.yaml index 8f3a6551..c4e9744f 100644 --- a/packages/apps/tcp-balancer/Chart.yaml +++ b/packages/apps/tcp-balancer/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: tcp-balancer description: Layer4 load balancer service -icon: https://cdn.icon-icons.com/icons2/2699/PNG/512/haproxy_logo_icon_171017.png +icon: /logos/haproxy.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/tcp-balancer/logos/haproxy.svg b/packages/apps/tcp-balancer/logos/haproxy.svg new file mode 100644 index 00000000..e2e54609 --- /dev/null +++ b/packages/apps/tcp-balancer/logos/haproxy.svg @@ -0,0 +1,165 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/apps/tenant/.helmignore b/packages/apps/tenant/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/tenant/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 9a866e0f..5f531c11 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: tenant description: Separated tenant namespace -icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg +icon: /logos/tenant.svg type: application version: 1.2.0 diff --git a/packages/apps/tenant/logos/tenant.svg b/packages/apps/tenant/logos/tenant.svg new file mode 100644 index 00000000..ea647590 --- /dev/null +++ b/packages/apps/tenant/logos/tenant.svg @@ -0,0 +1,351 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/apps/virtual-machine/.helmignore b/packages/apps/virtual-machine/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/virtual-machine/.helmignore +++ b/packages/apps/virtual-machine/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/virtual-machine/Chart.yaml b/packages/apps/virtual-machine/Chart.yaml index 1e2a3c5a..4699d936 100644 --- a/packages/apps/virtual-machine/Chart.yaml +++ b/packages/apps/virtual-machine/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 #name: Virtual Machine name: virtual-machine description: Virtual machine instance -icon: https://www.svgrepo.com/show/448273/azure-vms.svg +icon: /logos/vm.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/virtual-machine/logos/vm.svg b/packages/apps/virtual-machine/logos/vm.svg new file mode 100644 index 00000000..78911027 --- /dev/null +++ b/packages/apps/virtual-machine/logos/vm.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file 
diff --git a/packages/apps/vpn/.helmignore b/packages/apps/vpn/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/vpn/.helmignore +++ b/packages/apps/vpn/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/vpn/Chart.yaml b/packages/apps/vpn/Chart.yaml index f19008c9..b40fe8b2 100644 --- a/packages/apps/vpn/Chart.yaml +++ b/packages/apps/vpn/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: vpn description: Managed VPN service -icon: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Outline_VPN_icon.png/600px-Outline_VPN_icon.png +icon: /logos/outline.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/vpn/logos/outline.svg b/packages/apps/vpn/logos/outline.svg new file mode 100644 index 00000000..b4af2c6d --- /dev/null +++ b/packages/apps/vpn/logos/outline.svg @@ -0,0 +1,64 @@ + + + + + + + Outline web assets + + + + + + + Outline web assets + + + + diff --git a/packages/core/installer/images/cozystack/Dockerfile b/packages/core/installer/images/cozystack/Dockerfile index 7c9652b3..19878805 100644 --- a/packages/core/installer/images/cozystack/Dockerfile +++ b/packages/core/installer/images/cozystack/Dockerfile 
@@ -33,6 +33,7 @@ COPY scripts /cozystack/scripts COPY --from=builder /src/packages/core /cozystack/packages/core COPY --from=builder /src/packages/system /cozystack/packages/system COPY --from=builder /src/_out/repos /cozystack/assets/repos +COPY --from=builder /src/_out/logos /cozystack/assets/logos COPY --from=k8s-await-election-builder /k8s-await-election /usr/bin/k8s-await-election COPY dashboards /cozystack/assets/dashboards diff --git a/packages/extra/etcd/.helmignore b/packages/extra/etcd/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/extra/etcd/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index 76d426a9..dc79f3f5 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: etcd description: Storage for Kubernetes clusters -icon: https://www.svgrepo.com/show/353714/etcd.svg +icon: /logos/etcd.svg type: application version: 2.1.0 diff --git a/packages/extra/etcd/logos/etcd.svg b/packages/extra/etcd/logos/etcd.svg new file mode 100644 index 00000000..2d5b9fa9 --- /dev/null +++ b/packages/extra/etcd/logos/etcd.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/packages/extra/ingress/.helmignore b/packages/extra/ingress/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/extra/ingress/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index b646aedb..664a41c5 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: ingress description: NGINX Ingress Controller -icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg +icon: /logos/ingress-nginx.svg type: application version: 1.2.0 
diff --git a/packages/extra/ingress/logos/ingress-nginx.svg b/packages/extra/ingress/logos/ingress-nginx.svg new file mode 100644 index 00000000..52d351c0 --- /dev/null +++ b/packages/extra/ingress/logos/ingress-nginx.svg @@ -0,0 +1,57 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/extra/monitoring/.helmignore b/packages/extra/monitoring/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/extra/monitoring/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/extra/monitoring/Chart.yaml b/packages/extra/monitoring/Chart.yaml index 0c28c1bf..0dfcd509 100644 --- a/packages/extra/monitoring/Chart.yaml +++ b/packages/extra/monitoring/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: monitoring description: Monitoring and observability stack -icon: https://www.svgrepo.com/download/184787/analytics-laptop.svg +icon: /logos/monitoring.svg type: application version: 1.1.0 diff --git a/packages/extra/monitoring/logos/monitoring.svg b/packages/extra/monitoring/logos/monitoring.svg new file mode 100644 index 00000000..1b5a27bf --- /dev/null +++ b/packages/extra/monitoring/logos/monitoring.svg @@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/system/dashboard/.helmignore b/packages/system/dashboard/.helmignore index 43b1c5aa..fd9deb8f 100644 --- a/packages/system/dashboard/.helmignore +++ b/packages/system/dashboard/.helmignore @@ -1,3 +1,4 @@ hack .gitkeep images/*/* +/patches diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index d17d36aa..b628f3c8 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile 
@@ -15,6 +15,7 @@ update-chart: rm -rf charts/kubeapps/charts/postgresql/ ln -s ../../images charts/kubeapps/images sed -i 's/.cluster.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml + patch --no-backup-if-mismatch charts/kubeapps/templates/frontend/configmap.yaml < patches/logos.patch update-dockerfiles: tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps | awk -F'[/^]' 'END{print $$3}') && \ diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml index d43f521c..955e5fb9 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml @@ -136,4 +136,10 @@ data: proxy_pass {{ printf "http://%s:%d" (include "kubeapps.dashboard.fullname" .) (int .Values.dashboard.service.ports.http) }}; } {{- end }} + + location /logos { + # Add the Authorization header if exists + add_header Authorization $http_authorization; + proxy_pass http://cozystack.cozy-system.svc:80; + } } diff --git a/packages/system/dashboard/patches/logos.patch b/packages/system/dashboard/patches/logos.patch new file mode 100644 index 00000000..e00492db --- /dev/null +++ b/packages/system/dashboard/patches/logos.patch 
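Review bot: `add_header Authorization $http_authorization;` in the new `location /logos` block sets a response header, so whatever the client sent in its own Authorization header is reflected back in every /logos response, where browser scripts and any intermediary cache can read it, and nothing is added to the upstream request. nginx forwards client request headers to the `proxy_pass` target by default, so the line and its comment can simply be dropped; if an explicit upstream header was intended, the directive is `proxy_set_header Authorization $http_authorization;`. The same two lines are carried in the new `packages/system/dashboard/patches/logos.patch` (next hunk) that the Makefile applies to this file, so both copies need the same change. The enclosing `server` block starts and ends outside this hunk.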
@@ -0,0 +1,15 @@ +diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +index d43f521..31ff7d5 100644 +--- a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml ++++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +@@ -136,4 +136,10 @@ data: + proxy_pass {{ printf "http://%s:%d" (include "kubeapps.dashboard.fullname" .) (int .Values.dashboard.service.ports.http) }}; + } + {{- end }} ++ ++ location /logos { ++ # Add the Authorization header if exists ++ add_header Authorization $http_authorization; ++ proxy_pass http://cozystack.cozy-system.svc:80; ++ } + } From bbd2ca81a376d0ddc32a9f7264f7cdb53dc36b89 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Wed, 17 Jul 2024 12:48:43 +0200 Subject: [PATCH 60/67] fix: ferretdb set schedma owner (#220) undefined --- packages/apps/ferretdb/templates/init-script.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/packages/apps/ferretdb/templates/init-script.yaml b/packages/apps/ferretdb/templates/init-script.yaml index 3917f8fd..818ccf2d 100644 --- a/packages/apps/ferretdb/templates/init-script.yaml +++ b/packages/apps/ferretdb/templates/init-script.yaml @@ -74,9 +74,6 @@ stringData: obj record; BEGIN FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP - EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin'); - EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin'); - -- Set owner for schema EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin'); From d5c202b8bd6ac7d8f80588063381de25e7ff060d Mon Sep 17 00:00:00 2001 
From: Marian Koreniuk Date: Wed, 17 Jul 2024 22:51:20 +0300 Subject: [PATCH 61/67] fix conflict in ubuntu-container-disk.tag --- packages/apps/kubernetes/images/ubuntu-container-disk.tag | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.tag b/packages/apps/kubernetes/images/ubuntu-container-disk.tag index 6724238b..c2389748 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag @@ -1 +1 @@ -mgr.cp.if.ua/ubuntu-container-disk:v1.29.1 +ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1 From bb2918d2ec99b650efb1611efc059b4d646b893b Mon Sep 17 00:00:00 2001 From: Marian Koreniuk Date: Wed, 17 Jul 2024 21:51:40 +0200 Subject: [PATCH 62/67] Sync 0.9 to proxmox integration (#221) Signed-off-by: Kingdon Barrett 
Signed-off-by: Andrei Kvapil Co-authored-by: Kingdon Barrett Co-authored-by: Andrei Kvapil Co-authored-by: Kingdon Barrett --- hack/e2e.sh | 14 +- manifests/cozystack-installer.yaml | 4 +- packages/apps/ferretdb/Chart.yaml | 25 + packages/apps/ferretdb/Makefile | 2 + packages/apps/ferretdb/README.md | 34 + packages/apps/ferretdb/ferretdb.svg | 54 + packages/apps/ferretdb/templates/.gitkeep | 0 .../ferretdb/templates/backup-cronjob.yaml | 99 + .../ferretdb/templates/backup-script.yaml | 50 + .../ferretdb/templates/backup-secret.yaml | 11 + .../apps/ferretdb/templates/external-svc.yaml | 15 + .../apps/ferretdb/templates/ferretdb.yaml | 26 + .../apps/ferretdb/templates/init-job.yaml | 66 + .../apps/ferretdb/templates/init-script.yaml | 101 + .../apps/ferretdb/templates/postgres.yaml | 45 + packages/apps/ferretdb/values.schema.json | 81 + packages/apps/ferretdb/values.yaml | 48 + .../apps/http-cache/images/nginx-cache.json | 38 +- packages/apps/kafka/Chart.yaml | 2 +- packages/apps/kafka/templates/topics.yaml | 8 +- packages/apps/kafka/values.yaml | 2 +- packages/apps/kubernetes/Chart.yaml | 4 +- packages/apps/kubernetes/Makefile | 2 +- packages/apps/kubernetes/README.md | 10 + .../images/ubuntu-container-disk.json | 38 +- .../images/ubuntu-container-disk.tag | 2 +- .../images/ubuntu-container-disk/Dockerfile | 4 +- .../apps/kubernetes/templates/cluster.yaml | 149 +- .../templates/helmreleases/cert-manager.yaml | 39 + .../templates/helmreleases/cilium.yaml | 11 +- .../templates/helmreleases/csi.yaml | 11 +- .../templates/helmreleases/delete.yaml | 30 +- .../templates/helmreleases/fluxcd.yaml | 84 + .../templates/helmreleases/ingress-nginx.yaml | 49 + .../apps/kubernetes/templates/ingress.yaml | 45 + packages/apps/kubernetes/values.schema.json | 41 + packages/apps/kubernetes/values.yaml | 33 + packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/README.md | 2 +- packages/apps/tenant/templates/etcd.yaml | 2 +- packages/apps/tenant/templates/ingress.yaml | 2 +- 
.../apps/tenant/templates/monitoring.yaml | 2 +- packages/apps/versions_map | 11 +- packages/core/fluxcd/Makefile | 20 - packages/core/fluxcd/charts/flux2/Chart.yaml | 11 - packages/core/fluxcd/charts/flux2/README.md | 174 - .../fluxcd/charts/flux2/templates/_helper.tpl | 7 - .../templates/aggregate-clusterroles.yaml | 47 - ...cluster-reconciler-clusterrolebinding.yaml | 26 - ...r-reconciler-impersonator-clusterrole.yaml | 19 - ...ciler-impersonator-clusterrolebinding.yaml | 26 - .../templates/crd-controller-clusterrole.yaml | 82 - .../crd-controller-clusterrolebinding.yaml | 38 - .../flux2/templates/extra-manifests.yaml | 4 - .../flux2/templates/helm-controller-sa.yaml | 18 - .../flux2/templates/helm-controller.crds.yaml | 2268 --- .../flux2/templates/helm-controller.yaml | 133 - .../image-automation-controller-sa.yaml | 18 - .../image-automation-controller.crds.yaml | 326 - .../image-automation-controller.yaml | 135 - .../image-reflector-controller-sa.yaml | 18 - .../image-reflector-controller.crds.yaml | 901 - .../templates/image-reflector-controller.yaml | 139 - .../templates/kustomize-controller-sa.yaml | 18 - .../kustomize-controller-secret.yaml | 18 - .../templates/kustomize-controller.crds.yaml | 1640 -- .../flux2/templates/kustomize-controller.yaml | 158 - .../notification-controller-ingress.yaml | 49 - .../templates/notification-controller-sa.yaml | 18 - .../notification-controller-service.yaml | 29 - ...tification-controller-webhook-service.yaml | 26 - .../notification-controller.crds.yaml | 1790 -- .../templates/notification-controller.yaml | 136 - .../charts/flux2/templates/podmonitor.yaml | 32 - .../charts/flux2/templates/policies.yaml | 63 - .../pre-install-job-serviceaccount.yaml | 14 - .../flux2/templates/pre-install-job.yaml | 72 - .../templates/source-controller-service.yaml | 29 - .../source-controller-serviceaccount.yaml | 18 - .../templates/source-controller.crds.yaml | 3291 ---- .../flux2/templates/source-controller.yaml | 140 - 
packages/core/fluxcd/charts/flux2/values.yaml | 327 - packages/core/installer/images/cozystack.json | 8 +- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 45 +- .../core/platform/bundles/distro-full.yaml | 13 + .../core/platform/bundles/distro-hosted.yaml | 13 + packages/core/platform/bundles/paas-full.yaml | 17 +- .../core/platform/bundles/paas-hosted.yaml | 17 +- packages/core/platform/templates/apps.yaml | 6 +- .../core/platform/templates/helmreleases.yaml | 4 +- .../core/platform/templates/helmrepos.yaml | 6 +- .../core/platform/templates/namespaces.yaml | 1 - packages/extra/ingress/Chart.yaml | 2 +- .../ingress/templates/nginx-ingress.yaml | 2 +- .../ingress}/templates/nginx-scrape.yaml | 6 +- packages/extra/monitoring/Chart.yaml | 2 +- .../templates/oncall/oncall-release.yaml | 2 +- packages/extra/versions_map | 6 +- packages/system/capi-operator/Makefile | 4 +- .../charts/cluster-api-operator/Chart.lock | 6 - .../charts/cluster-api-operator/Chart.yaml | 9 +- .../crds/cert-manager.crds.yaml | 4482 ----- .../cluster-api-operator/templates/addon.yaml | 2 + .../templates/cert-manager.namespace.yaml | 8 - .../cluster-api-operator/templates/core.yaml | 10 + .../templates/deployment.yaml | 7 + .../templates/infra-conditions.yaml | 4 + .../cluster-api-operator/templates/infra.yaml | 17 +- .../templates/operator-components.yaml | 15462 +++++++++------- .../charts/cluster-api-operator/values.yaml | 11 +- packages/system/capi-providers/Makefile | 4 +- .../capi-providers/templates/providers.yaml | 16 +- packages/system/cert-manager-issuers/Makefile | 4 +- packages/system/cert-manager/Makefile | 4 +- packages/system/cilium/Makefile | 4 +- packages/system/cilium/images/cilium.json | 51 +- packages/system/cilium/images/cilium.tag | 2 +- packages/system/clickhouse-operator/Makefile | 4 +- packages/system/dashboard/Makefile | 6 +- .../system/dashboard/images/dashboard.json | 41 +- .../system/dashboard/images/dashboard.tag | 
2 +- .../dashboard/images/kubeapps-apis.json | 47 +- .../system/dashboard/images/kubeapps-apis.tag | 2 +- .../dashboard/images/kubeapps-apis/Dockerfile | 12 +- .../images/kubeapps-apis/fluxcd.diff | 3196 ++++ .../images/kubeapps-apis/labels.diff | 10 +- .../kubeapps-apis/reconcile-strategy.diff | 2 +- packages/system/etcd-operator/Makefile | 4 +- .../charts/etcd-operator/Chart.yaml | 4 +- .../charts/etcd-operator/README.md | 85 +- .../charts/etcd-operator/README.md.gotmpl | 19 + .../etcd-operator/crds/etcd-cluster.yaml | 29 +- .../rbac/clusterrole-manager-role.yml | 16 + .../templates/workload/deployment.yml | 6 + .../charts/etcd-operator/values.schema.json | 10 +- .../charts/etcd-operator/values.yaml | 132 +- .../fluxcd-operator}/.helmignore | 0 packages/system/fluxcd-operator/Chart.yaml | 3 + packages/system/fluxcd-operator/Makefile | 12 + .../charts/flux-operator}/.helmignore | 3 +- .../charts/flux-operator/Chart.yaml | 30 + .../charts/flux-operator/README.md | 57 + .../charts/flux-operator/templates/NOTES.txt | 1 + .../flux-operator/templates/_helpers.tpl | 58 + .../flux-operator/templates/clusterrole.yaml | 21 + .../charts/flux-operator/templates/crds.yaml | 704 + .../flux-operator/templates/deployment.yaml | 99 + .../flux-operator/templates/service.yaml | 22 + .../templates/serviceaccount.yaml | 17 + .../charts/flux-operator/values.schema.json | 309 + .../charts/flux-operator/values.yaml | 97 + .../patches/kubernetesEnvs.diff | 12 + .../fluxcd-operator/templates/_helpers.tpl | 13 + packages/system/fluxcd-operator/values.yaml | 7 + packages/{core => system}/fluxcd/Chart.yaml | 0 packages/system/fluxcd/Makefile | 7 + .../fluxcd/templates/flux-instance.yaml | 25 + packages/system/fluxcd/values.yaml | 47 + packages/system/grafana-operator/Makefile | 4 +- packages/system/ingress-nginx/Makefile | 7 +- .../templates/controller-daemonset.yaml.orig | 243 - packages/system/ingress-nginx/values.yaml | 6 +- packages/system/kafka-operator/Makefile | 4 +- 
packages/system/kamaji-etcd/Makefile | 6 +- packages/system/kamaji/Makefile | 4 +- .../system/kamaji/charts/kamaji/Chart.yaml | 4 +- .../system/kamaji/charts/kamaji/README.md | 6 +- .../kamaji/charts/kamaji/crds/datastore.yaml | 49 +- .../kamaji/crds/tenantcontrolplane.yaml | 1144 +- .../charts/kamaji/templates/controller.yaml | 3 + .../charts/kamaji/templates/datastore.yaml | 5 + .../validatingwebhookconfiguration.yaml | 21 + .../system/kamaji/charts/kamaji/values.yaml | 12 +- packages/system/kamaji/values.yaml | 5 - packages/system/kubeovn/Makefile | 6 +- packages/system/kubeovn/images/kubeovn.json | 41 +- .../system/kubevirt-cdi-operator/Makefile | 4 +- packages/system/kubevirt-cdi/Makefile | 4 +- packages/system/kubevirt-operator/Makefile | 4 +- .../templates/kubevirt-operator.yaml | 72 +- packages/system/kubevirt/Makefile | 4 +- packages/system/linstor/Makefile | 4 +- packages/system/mariadb-operator/Makefile | 4 +- packages/system/metallb/Makefile | 4 +- packages/system/monitoring/Makefile | 4 +- packages/system/piraeus-operator/Makefile | 4 +- .../charts/piraeus/Chart.yaml | 4 +- .../charts/piraeus/templates/config.yaml | 11 +- .../charts/piraeus/templates/crds.yaml | 10 + .../charts/piraeus/templates/deployment.yaml | 1 + .../charts/piraeus/values.yaml | 2 + packages/system/postgres-operator/Makefile | 4 +- packages/system/rabbitmq-operator/Makefile | 4 +- packages/system/redis-operator/Makefile | 4 +- packages/system/telepresence/Makefile | 4 +- .../system/victoria-metrics-operator/Makefile | 4 +- scripts/fluxcd-kustomize.sh | 37 + scripts/installer.sh | 38 +- scripts/package-system.mk | 11 +- 200 files changed, 16472 insertions(+), 24346 deletions(-) create mode 100644 packages/apps/ferretdb/Chart.yaml create mode 100644 packages/apps/ferretdb/Makefile create mode 100644 packages/apps/ferretdb/README.md create mode 100644 packages/apps/ferretdb/ferretdb.svg create mode 100644 packages/apps/ferretdb/templates/.gitkeep create mode 100644 
packages/apps/ferretdb/templates/backup-cronjob.yaml create mode 100644 packages/apps/ferretdb/templates/backup-script.yaml create mode 100644 packages/apps/ferretdb/templates/backup-secret.yaml create mode 100644 packages/apps/ferretdb/templates/external-svc.yaml create mode 100644 packages/apps/ferretdb/templates/ferretdb.yaml create mode 100644 packages/apps/ferretdb/templates/init-job.yaml create mode 100644 packages/apps/ferretdb/templates/init-script.yaml create mode 100644 packages/apps/ferretdb/templates/postgres.yaml create mode 100644 packages/apps/ferretdb/values.schema.json create mode 100644 packages/apps/ferretdb/values.yaml create mode 100644 packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml create mode 100644 packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml create mode 100644 packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml create mode 100644 packages/apps/kubernetes/templates/ingress.yaml delete mode 100644 packages/core/fluxcd/Makefile delete mode 100644 packages/core/fluxcd/charts/flux2/Chart.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/README.md delete mode 100644 packages/core/fluxcd/charts/flux2/templates/_helper.tpl delete mode 100644 packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml delete mode 100644 
packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/policies.yaml delete mode 100644 
packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/templates/source-controller.yaml delete mode 100644 packages/core/fluxcd/charts/flux2/values.yaml rename packages/{system/monitoring => extra/ingress}/templates/nginx-scrape.yaml (92%) delete mode 100644 packages/system/capi-operator/charts/cluster-api-operator/Chart.lock delete mode 100644 packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml delete mode 100644 packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml create mode 100644 packages/system/dashboard/images/kubeapps-apis/fluxcd.diff create mode 100644 packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl rename packages/{core/fluxcd => system/fluxcd-operator}/.helmignore (100%) create mode 100644 packages/system/fluxcd-operator/Chart.yaml create mode 100644 packages/system/fluxcd-operator/Makefile rename packages/{core/fluxcd/charts/flux2 => system/fluxcd-operator/charts/flux-operator}/.helmignore (95%) create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/README.md create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/NOTES.txt create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/_helpers.tpl create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/clusterrole.yaml create mode 100644 
packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/service.yaml create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/templates/serviceaccount.yaml create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/values.schema.json create mode 100644 packages/system/fluxcd-operator/charts/flux-operator/values.yaml create mode 100644 packages/system/fluxcd-operator/patches/kubernetesEnvs.diff create mode 100644 packages/system/fluxcd-operator/templates/_helpers.tpl create mode 100644 packages/system/fluxcd-operator/values.yaml rename packages/{core => system}/fluxcd/Chart.yaml (100%) create mode 100644 packages/system/fluxcd/Makefile create mode 100644 packages/system/fluxcd/templates/flux-instance.yaml create mode 100644 packages/system/fluxcd/values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig create mode 100755 scripts/fluxcd-kustomize.sh diff --git a/hack/e2e.sh b/hack/e2e.sh index 86278beb..462fef65 100755 --- a/hack/e2e.sh +++ b/hack/e2e.sh 
@@ -294,22 +294,22 @@ kubectl patch -n tenant-root hr/tenant-root --type=merge -p '{"spec":{ "values": timeout 60 sh -c 'until kubectl get hr -n tenant-root etcd ingress monitoring tenant-root; do sleep 1; done' # Wait for HelmReleases be installed -kubectl wait --timeout=2m --for=condition=ready hr -n tenant-root etcd ingress monitoring tenant-root +kubectl wait --timeout=2m --for=condition=ready -n tenant-root hr etcd ingress monitoring tenant-root # Wait for nginx-ingress-controller timeout 60 sh -c 'until kubectl get deploy -n tenant-root root-ingress-controller; do sleep 1; done' -kubectl wait deploy -n tenant-root --timeout=5m --for=condition=available root-ingress-controller +kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy root-ingress-controller # Wait for etcd -kubectl wait --for=jsonpath=.status.readyReplicas=3 -n tenant-root --timeout=5m sts etcd +kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=3 -n tenant-root sts etcd # Wait for Victoria metrics -kubectl wait deploy -n tenant-root --timeout=5m --for=condition=available vmalert-vmalert vminsert-longterm vminsert-shortterm -kubectl wait --for=jsonpath=.status.readyReplicas=2 -n tenant-root --timeout=5m sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm +kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm +kubectl wait --timeout=5m --for=jsonpath=.status.readyReplicas=2 -n tenant-root sts vmalertmanager-alertmanager vmselect-longterm vmselect-shortterm vmstorage-longterm vmstorage-shortterm # Wait for grafana -kubectl wait --for=condition=ready clusters.postgresql.cnpg.io -n tenant-root grafana-db -kubectl wait deploy -n tenant-root --timeout=5m --for=condition=available grafana-deployment +kubectl wait --timeout=5m --for=condition=ready -n tenant-root clusters.postgresql.cnpg.io grafana-db +kubectl wait --timeout=5m 
--for=condition=available -n tenant-root deploy grafana-deployment # Get IP of nginx-ingress ip=$(kubectl get svc -n tenant-root root-ingress-controller -o jsonpath='{.status.loadBalancer.ingress..ip}') diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index 3112f1c6..e88aa4c5 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.7.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" command: - /usr/bin/darkhttpd - /cozystack/assets diff --git a/packages/apps/ferretdb/Chart.yaml b/packages/apps/ferretdb/Chart.yaml new file mode 100644 index 00000000..6d35a52b --- /dev/null +++ b/packages/apps/ferretdb/Chart.yaml 
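Review bot: The vmalert line keeps the old argument order, `kubectl wait --timeout=5m --for=condition=available deploy -n tenant-root vmalert-vmalert vminsert-longterm vminsert-shortterm`, while every other rewritten line in this hunk puts `-n tenant-root` before the resource type. To complete the normalisation the hunk is doing, write `kubectl wait --timeout=5m --for=condition=available -n tenant-root deploy vmalert-vmalert vminsert-longterm vminsert-shortterm`. The script continues on both sides of the hunk.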
@@ -0,0 +1,25 @@ +apiVersion: v2 +name: ferretdb +description: Managed FerretDB service +icon: ferretdb.svg + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.22.0" diff --git a/packages/apps/ferretdb/Makefile b/packages/apps/ferretdb/Makefile new file mode 100644 index 00000000..207e2133 --- /dev/null +++ b/packages/apps/ferretdb/Makefile @@ -0,0 +1,2 @@ +generate: + readme-generator -v values.yaml -s values.schema.json -r README.md diff --git a/packages/apps/ferretdb/README.md b/packages/apps/ferretdb/README.md new file mode 100644 index 00000000..afa4f961 --- /dev/null +++ b/packages/apps/ferretdb/README.md 
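Review bot: `icon: ferretdb.svg` is a bare chart-relative filename, whereas the etcd, ingress and monitoring charts touched earlier on this page were switched to `/logos/<name>.svg` paths served from the cozystack assets, and Helm documents `icon` as a URL. If the dashboard resolves icons the way it does for those charts, this one will not render; consider `icon: /logos/ferretdb.svg`, moving the SVG under `logos/`, and adding the `/logos` `.helmignore` entry the other charts received so the asset is not packaged into the chart.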
@@ -0,0 +1,34 @@ +# Managed FerretDB Service + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `size` | Persistent Volume size | `10Gi` | +| `replicas` | Number of Postgres replicas | `2` | +| `quorum.minSyncReplicas` | Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed. | `0` | +| `quorum.maxSyncReplicas` | Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances). | `0` | + +### Configuration parameters + +| Name | Description | Value | +| ------- | ------------------- | ----- | +| `users` | Users configuration | `{}` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------ | ---------------------------------------------- | ------------------------------------------------------ | +| `backup.enabled` | Enable pereiodic backups | `false` | +| `backup.s3Region` | The AWS S3 region where backups are stored | `us-east-1` | +| `backup.s3Bucket` | The S3 bucket used for storing backups | `s3.example.org/postgres-backups` | +| `backup.schedule` | Cron schedule for automated backups | `0 2 * * *` | +| `backup.cleanupStrategy` | The strategy for cleaning up old backups | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` | +| `backup.s3AccessKey` | The access key for S3, used for authentication | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu` | +| `backup.s3SecretKey` | The secret key for S3, used for authentication | `ju3eum4dekeich9ahM1te8waeGai0oog` | +| `backup.resticPassword` | The password for Restic backup encryption | `ChaXoveekoh6eigh4siesheeda2quai0` | + + 
diff --git a/packages/apps/ferretdb/ferretdb.svg b/packages/apps/ferretdb/ferretdb.svg new file mode 100644 index 00000000..196871e1 --- /dev/null +++ b/packages/apps/ferretdb/ferretdb.svg @@ -0,0 +1,54 @@ + + + + + + + + + + + + diff --git a/packages/apps/ferretdb/templates/.gitkeep b/packages/apps/ferretdb/templates/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/packages/apps/ferretdb/templates/backup-cronjob.yaml b/packages/apps/ferretdb/templates/backup-cronjob.yaml new file mode 100644 index 00000000..84a6aee7 --- /dev/null +++ b/packages/apps/ferretdb/templates/backup-cronjob.yaml 
@@ -0,0 +1,99 @@ +{{- if .Values.backup.enabled }} +{{ $image := .Files.Get "images/backup.json" | fromJson }} + +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ .Release.Name }}-backup +spec: + schedule: "{{ .Values.backup.schedule }}" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + backoffLimit: 2 + template: + spec: + restartPolicy: OnFailure + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }} + spec: + restartPolicy: Never + containers: + - name: mysqldump + image: "{{ index $image "image.name" }}@{{ index $image "containerimage.digest" }}" + command: + - /bin/sh + - /scripts/backup.sh + env: + - name: REPO_PREFIX + value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }} + - name: CLEANUP_STRATEGY + value: {{ required "cleanupStrategy is not specified!" 
.Values.backup.cleanupStrategy | quote }} + - name: PGUSER + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-superuser + key: username + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-postgres-superuser + key: password + - name: PGHOST + value: {{ .Release.Name }}-postgres-rw + - name: PGPORT + value: "5432" + - name: PGDATABASE + value: postgres + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-backup + key: s3AccessKey + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-backup + key: s3SecretKey + - name: AWS_DEFAULT_REGION + value: {{ .Values.backup.s3Region }} + - name: RESTIC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-backup + key: resticPassword + volumeMounts: + - mountPath: /scripts + name: scripts + - mountPath: /tmp + name: tmp + - mountPath: /.cache + name: cache + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + volumes: + - name: scripts + secret: + secretName: {{ .Release.Name }}-backup-script + - name: tmp + emptyDir: {} + - name: cache + emptyDir: {} + securityContext: + runAsNonRoot: true + runAsUser: 9000 + runAsGroup: 9000 + seccompProfile: + type: RuntimeDefault +{{- end }} diff --git a/packages/apps/ferretdb/templates/backup-script.yaml b/packages/apps/ferretdb/templates/backup-script.yaml new file mode 100644 index 00000000..362bdc01 --- /dev/null +++ b/packages/apps/ferretdb/templates/backup-script.yaml 
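Review bot: The pod template appears to be nested twice — `jobTemplate.spec.template.spec` carries `restartPolicy: OnFailure` and is then followed by a second `template:` with its own `metadata` and `spec` (`restartPolicy: Never` and the containers); a PodSpec has no `template` field, so the API server will either reject the CronJob or, with lax field validation, drop the whole inner template. The collapsed rendering here hides the indentation, so confirm against the file, but the fix looks like deleting the outer `spec:` / `restartPolicy: OnFailure` / `template:` lines so that `template.metadata` and `template.spec` sit directly under `jobTemplate.spec`, leaving a single `restartPolicy`. Separately, the container is named `mysqldump` although the script runs `pg_dump`, and `AWS_DEFAULT_REGION` is the only templated env value here without `| quote` — `value: {{ .Values.backup.s3Region | quote }}` keeps it a string.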
@@ -0,0 +1,50 @@ +{{- if .Values.backup.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-backup-script +stringData: + backup.sh: | + #!/bin/sh + set -e + set -o pipefail + + JOB_ID="job-$(uuidgen|cut -f1 -d-)" + DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$') + echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list + echo "Job ID: $JOB_ID" + echo "Target repo: $REPO_PREFIX" + echo "Cleanup strategy: $CLEANUP_STRATEGY" + echo "Start backup for:" + echo "$DB_LIST" + echo + echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`" + for db in $DB_LIST; do + ( + set -x + restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \ + restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2 + restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it + pg_dump -Z0 -Ft -d "$db" | \ + restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar + restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed" + ) + done + echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`" + + echo + echo "Run cleanup:" + echo + + echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`" + for db in $DB_LIST; do + ( + set -x + restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only + restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY + restic prune -r "s3:${REPO_PREFIX}/$db" + ) + done + echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`" +{{- end }} diff --git a/packages/apps/ferretdb/templates/backup-secret.yaml b/packages/apps/ferretdb/templates/backup-secret.yaml new file mode 100644 index 00000000..be221e2f --- /dev/null +++ b/packages/apps/ferretdb/templates/backup-secret.yaml 
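Review bot: `echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list` only prints the shuffled list prefixed with `DB_LIST=`; it never reassigns the variable, so both loops below still run in the original order and the log gains a spurious line. The intended statement is presumably `DB_LIST=$(echo "$DB_LIST" | shuf)  # shuffle list`. The script is also executed by `/bin/sh` yet relies on `set -o pipefail`; not every `/bin/sh` accepts that option (dash historically does not), and the backup image comes from `images/backup.json`, which is not in this diff, so verify the shell in that image or run the script with a shell known to support it — without pipefail a failing `pg_dump` in the `pg_dump | restic backup` pipeline would go unnoticed and the snapshot would still be tagged `completed`.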
@@ -0,0 +1,11 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-backup
+stringData:
+ s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
+ s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
+ resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
+{{- end }}
diff --git a/packages/apps/ferretdb/templates/external-svc.yaml b/packages/apps/ferretdb/templates/external-svc.yaml
new file mode 100644
index 00000000..2e0501c8
--- /dev/null
+++ b/packages/apps/ferretdb/templates/external-svc.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}
+spec:
+ type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
+ {{- if .Values.external }}
+ externalTrafficPolicy: Local
+ allocateLoadBalancerNodePorts: false
+ {{- end }}
+ ports:
+ - name: ferretdb
+ port: 27017
+ selector:
+ app: {{ .Release.Name }}
diff --git a/packages/apps/ferretdb/templates/ferretdb.yaml b/packages/apps/ferretdb/templates/ferretdb.yaml
new file mode 100644
index 00000000..8d72787b
--- /dev/null
+++ b/packages/apps/ferretdb/templates/ferretdb.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: ferretdb
+ image: ghcr.io/ferretdb/ferretdb:1.22.0
+ ports:
+ - containerPort: 27017
+ env:
+ - name: FERRETDB_POSTGRESQL_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-postgres-app
+ key: uri
diff --git a/packages/apps/ferretdb/templates/init-job.yaml b/packages/apps/ferretdb/templates/init-job.yaml
new file mode 100644
index 00000000..b7b03133
--- /dev/null
+++ b/packages/apps/ferretdb/templates/init-job.yaml 
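Review bot: The three `stringData` values are emitted as plain scalars, so a digit-only access key or password is typed as an integer (and `stringData` entries must be strings, so the API server rejects the Secret), and a value starting with `*`, `&`, `[`, `{` or containing `: ` / ` #` breaks the manifest. Pipe each through `quote`, e.g. `s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey | quote }}`, and the same for `s3SecretKey` and `resticPassword`; `required` still fires on an empty value because it runs before `quote`.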
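Review bot: With `external: true` the Service publishes port 27017 on a LoadBalancer and nothing in the chart limits who may reach it; since the Deployment hands FerretDB a `FERRETDB_POSTGRESQL_URL` that already carries the app credentials, I believe FerretDB 1.x then serves any client that can connect without client-side authentication (verify against the FerretDB security documentation for this version). Consider exposing `loadBalancerSourceRanges` as a chart value so operators can restrict source CIDRs, and state in the README that `external` exposes the database to whatever network the load balancer fronts.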
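Review bot: The long-running `ferretdb` container has no `securityContext` at all, while the backup and init jobs in this same series drop all capabilities, forbid privilege escalation and run non-root under `RuntimeDefault` seccomp; the server that is actually exposed to clients should get at least the same baseline. The image is also pinned by tag only (`ghcr.io/ferretdb/ferretdb:1.22.0`), unlike the kubernetes chart's `@digest` pin, and there are no `resources` requests/limits. I left `readOnlyRootFilesystem` out of the sketch below because the server appears to keep a small state directory under its working directory (confirm and add an `emptyDir` for it), and `runAsNonRoot` needs an explicit `runAsUser` if the image does not declare a non-root `USER`.
```yaml
      containers:
        - name: ferretdb
          image: ghcr.io/ferretdb/ferretdb:1.22.0
          # … unchanged: ports, env …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsNonRoot: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
```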
@@ -0,0 +1,66 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Release.Name }}-init-job
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ template:
+ metadata:
+ name: {{ .Release.Name }}-init-job
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: postgres
+ image: ghcr.io/cloudnative-pg/postgresql:15.3
+ command:
+ - bash
+ - /scripts/init.sh
+ env:
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-postgres-superuser
+ key: username
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}-postgres-superuser
+ key: password
+ - name: PGHOST
+ value: {{ .Release.Name }}-postgres-rw
+ - name: PGPORT
+ value: "5432"
+ - name: PGDATABASE
+ value: postgres
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ volumeMounts:
+ - mountPath: /etc/secret
+ name: secret
+ - mountPath: /scripts
+ name: scripts
+ securityContext:
+ fsGroup: 26
+ runAsGroup: 26
+ runAsNonRoot: true
+ runAsUser: 26
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: secret
+ secret:
+ secretName: {{ .Release.Name }}-postgres-superuser
+ - name: scripts
+ secret:
+ secretName: {{ .Release.Name }}-init-script
diff --git a/packages/apps/ferretdb/templates/init-script.yaml b/packages/apps/ferretdb/templates/init-script.yaml
new file mode 100644
index 00000000..818ccf2d
--- /dev/null
+++ b/packages/apps/ferretdb/templates/init-script.yaml 
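Review bot: The superuser credentials reach the hook container twice, as `PGUSER`/`PGPASSWORD` env and again as the `/etc/secret` mount of the same `-postgres-superuser` Secret; the portion of `init.sh` visible in this series calls `psql` with no connection flags, i.e. it relies on the env vars, so the mount looks unused (confirm against the full script) and dropping it keeps the password off the container filesystem. `ghcr.io/cloudnative-pg/postgresql:15.3` is tag-pinned while the kubernetes chart in the same series pins its image by digest; a digest here would make the hook reproducible. A `backoffLimit` on the Job would bound retries of a failing init, since `restartPolicy: Never` alone leaves the Job controller's default of six attempts.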
@@ -0,0 +1,101 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-init-script +stringData: + init.sh: | + #!/bin/bash + set -e + echo "== create users" + {{- if .Values.users }} + psql -v ON_ERROR_STOP=1 <<\EOT + {{- range $user, $u := .Values.users }} + SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;' + WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec + ALTER ROLE {{ $user }} WITH PASSWORD '{{ $u.password }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }}; + COMMENT ON ROLE {{ $user }} IS 'user managed by helm'; + {{- end }} + EOT + {{- end }} + + echo "== delete users" + MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ') + DEFINED_USERS="{{ join " " (keys .Values.users) }}" + DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done) + + echo "users to delete: $DELETE_USERS" + for user in $DELETE_USERS; do + # https://stackoverflow.com/a/51257346/2931267 + psql -v ON_ERROR_STOP=1 --echo-all < kubernetes--admin-kubeconfig -o g | `host` | The hostname used to access the Kubernetes cluster externally (defaults to using the cluster name as a subdomain for the tenant host). 
| `""` | | `controlPlane.replicas` | Number of replicas for Kubernetes contorl-plane components | `2` | | `nodeGroups` | nodeGroups configuration | `{}` | + +### Cluster Addons + +| Name | Description | Value | +| ----------------------------- | ---------------------------------------------------------------------------------- | ------- | +| `addons.certManager.enabled` | Enables the cert-manager | `false` | +| `addons.ingressNginx.enabled` | Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role) | `false` | +| `addons.ingressNginx.hosts` | List of domain names that should be passed through to the cluster by upper cluster | `[]` | +| `addons.fluxcd.enabled` | Enables Flux CD | `false` | + diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json index e7685393..e249d0e4 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.json +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json 
@@ -1,4 +1,38 @@ { - "containerimage.config.digest": "sha256:24cee18d0bc9ed40e741412da86820dd99bdb9ffa4c794c81856725a4a10d86e", - "containerimage.digest": "sha256:6a43369905e0630bb401e1cf73084bbef3060e960756f261676cd3bea4195e9a" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/ubuntu@22.04?platform=linux%2Famd64", + "digest": { + "sha256": "340d9b015b194dc6e2a13938944e0d016e57b9679963fdeb9ce021daac430221" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "args": { + "build-arg:ARCH": "amd64" + }, + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "amd64/amd64/kk2drcq44gorgb3xwa8908pfc", + "containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15", + "containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b" } \ No newline at end of file diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.tag b/packages/apps/kubernetes/images/ubuntu-container-disk.tag index c2389748..5ea3ff97 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.tag +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.29.1 +ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1 diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile b/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile index a30d70f7..eb08ef10 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile +++ b/packages/apps/kubernetes/images/ubuntu-container-disk/Dockerfile 
@@ -26,8 +26,8 @@ RUN qemu-img resize image.img 5G \ && guestfish --remote sh "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg" \ && guestfish --remote sh 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list' \ # kubernetes repo - && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \ - && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \ + && guestfish --remote sh "curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg" \ + && guestfish --remote sh "echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list" \ # install containerd && guestfish --remote command "apt-get update -y" \ && guestfish --remote command "apt-get install -y containerd.io" \ diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index baa0bc6b..0ce5d542 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -2,6 +2,58 @@ {{- $etcd := index $myNS.metadata.annotations "namespace.cozystack.io/etcd" }} {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }} {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} +{{- $kubevirtmachinetemplateNames := list }} +{{- define "kubevirtmachinetemplate" -}} +spec: + virtualMachineBootstrapCheck: + checkStrategy: ssh + virtualMachineTemplate: + metadata: + namespace: {{ $.Release.Namespace }} + labels: + {{- range .group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} + spec: + runStrategy: Always + template: + spec: + domain: + cpu: + threads: 1 + cores: {{ .group.resources.cpu }} + sockets: 1 + devices: + disks: + - name: system + disk: + bus: virtio + pciAddress: 0000:07:00.0 + - name: containerd + disk: + bus: virtio + pciAddress: 0000:08:00.0 + - name: kubelet + disk: + bus: virtio + pciAddress: 0000:09:00.0 + networkInterfaceMultiqueue: true + memory: + guest: {{ .group.resources.memory }} + evictionStrategy: External + volumes: + - name: system + containerDisk: + image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}" + - name: containerd + emptyDisk: + capacity: 20Gi + - name: kubelet + emptyDisk: + capacity: 20Gi +{{- end }} + + --- apiVersion: cluster.x-k8s.io/v1beta1 kind: Cluster @@ -57,7 +109,7 @@ spec: className: "{{ $ingress }}" deployment: replicas: 2 - version: 1.29.4 + version: 1.30.1 --- apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtCluster 
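Review bot: `.group.roles` entries are interpolated straight into label keys (`node-role.kubernetes.io/{{ . }}: ""`) and nothing in this commit constrains them — the values.schema.json hunk adds `addons` but no entry for `nodeGroups[].roles` — so a role that is not a valid label name produces a manifest the API server rejects at apply time, with the error far from the value that caused it. The same interpolation is repeated on the MachineDeployment labels in hunk `@@ -165,18 +181,55 @@`. Either declare the field in the schema as an array of strings with a label-name pattern and `maxLength` 63, or fail early in the define with something like `{{- if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" .) }}{{ fail (printf "invalid node role %q" .) }}{{- end }}` (pattern constructed here; widen it if mixed case or dots are wanted). Quoting the three `pciAddress` values (`"0000:07:00.0"`) would also be prudent, since a YAML 1.1 parser can read colon-separated digit groups as a sexagesimal number; they were already unquoted before this move, so that is a hardening note rather than a regression.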
@@ -101,56 +153,20 @@ spec: skipPhases: - addon/kube-proxy --- +{{- $context := deepCopy $ }} +{{- $_ := set $context "group" $group }} +{{- $kubevirtmachinetemplate := include "kubevirtmachinetemplate" $context }} +{{- $kubevirtmachinetemplateHash := $kubevirtmachinetemplate | sha256sum | trunc 6 }} +{{- $kubevirtmachinetemplateName := printf "%s-%s-%s" $.Release.Name $groupName $kubevirtmachinetemplateHash }} +{{- $kubevirtmachinetemplateNames = append $kubevirtmachinetemplateNames $kubevirtmachinetemplateName }} apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtMachineTemplate metadata: - name: {{ $.Release.Name }}-{{ $groupName }} + name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }} namespace: {{ $.Release.Namespace }} spec: template: - spec: - virtualMachineBootstrapCheck: - checkStrategy: ssh - virtualMachineTemplate: - metadata: - namespace: {{ $.Release.Namespace }} - spec: - runStrategy: Always - template: - spec: - domain: - cpu: - threads: 1 - cores: {{ $group.resources.cpu }} - sockets: 1 - devices: - disks: - - name: system - disk: - bus: virtio - pciAddress: 0000:07:00.0 - - name: containerd - disk: - bus: virtio - pciAddress: 0000:08:00.0 - - name: kubelet - disk: - bus: virtio - pciAddress: 0000:09:00.0 - networkInterfaceMultiqueue: true - memory: - guest: {{ $group.resources.memory }} - evictionStrategy: External - volumes: - - name: system - containerDisk: - image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}" - - name: containerd - emptyDisk: - capacity: 20Gi - - name: kubelet - emptyDisk: - capacity: 20Gi + {{- $kubevirtmachinetemplate | nindent 4 }} --- apiVersion: cluster.x-k8s.io/v1beta1 kind: MachineDeployment 
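Review bot: `sha256sum | trunc 6` keeps 24 bits of the digest in the template name, so two different renderings of the same group that happen to collide would map to one `KubevirtMachineTemplate` name; the preservation logic in the next hunk works by name, so the new spec would then either silently reuse the old template or fail on apply, depending on whether the spec is immutable server-side (I cannot tell from here). The chance is small but a longer suffix costs nothing: `trunc 10` or more keeps the names short and makes the case practically unreachable. Note also that `$context := deepCopy $` copies the whole root (including `.Files`) once per node group; harmless at this scale, but `dict "group" $group "Release" $.Release "Files" $.Files` would pass only what the define reads.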
@@ -165,18 +181,55 @@ metadata: spec: clusterName: {{ $.Release.Name }} template: + metadata: + labels: + cluster.x-k8s.io/cluster-name: {{ $.Release.Name }} + cluster.x-k8s.io/deployment-name: {{ $.Release.Name }}-{{ $groupName }} + {{- range $group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} spec: bootstrap: configRef: apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 kind: KubeadmConfigTemplate name: {{ $.Release.Name }}-{{ $groupName }} - namespace: default + namespace: {{ $.Release.Namespace }} clusterName: {{ $.Release.Name }} infrastructureRef: apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 kind: KubevirtMachineTemplate - name: {{ $.Release.Name }}-{{ $groupName }} + name: {{ $.Release.Name }}-{{ $groupName }}-{{ $kubevirtmachinetemplateHash }} namespace: default - version: v1.29.4 + version: v1.30.1 +{{- end }} +--- +{{- /* +We must preserve all previous KubevirtMachineTemplates until a MachineSet references them. +*/ -}} +{{- $mss := (lookup "cluster.x-k8s.io/v1beta1" "MachineSet" $.Release.Namespace "").items }} +{{- $oldKubevirtmachinetemplates := dict }} +{{- range $kmt := (lookup "infrastructure.cluster.x-k8s.io/v1alpha1" "KubevirtMachineTemplate" .Release.Namespace "").items }} +{{- range $or := $kmt.metadata.ownerReferences }} +{{- if and (eq $or.kind "Cluster") (eq $or.name $.Release.Name) }} +{{- range $ms := $mss }} +{{- if and (eq $ms.spec.template.spec.infrastructureRef.kind "KubevirtMachineTemplate") (eq $ms.spec.template.spec.infrastructureRef.name $kmt.metadata.name) }} +{{- if not (has $kmt.metadata.name $kubevirtmachinetemplateNames) }} +{{- $oldKubevirtmachinetemplates = merge $oldKubevirtmachinetemplates (dict $kmt.metadata.name $kmt) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- range $oldKubevirtmachinetemplates }} +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1 +kind: KubevirtMachineTemplate +metadata: + name: {{ .metadata.name }} + namespace: {{ .metadata.Namespace }} 
+spec: + {{- .spec | toYaml | nindent 2 }} {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml new file mode 100644 index 00000000..f8e02559 --- /dev/null +++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml @@ -0,0 +1,39 @@ +{{- if .Values.addons.certManager.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-cert-manager + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 5m + releaseName: cert-manager + chart: + spec: + chart: cozy-cert-manager + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-cert-manager + storageNamespace: cozy-cert-manager + install: + createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml index 14577407..8918b5df 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml @@ -1,4 +1,4 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: {{ .Release.Name }}-cilium @@ -6,7 +6,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: cilium chart: spec: 
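Review bot: `namespace: {{ .metadata.Namespace }}` in the preserved-template block uses a capital N, but objects returned by `lookup` carry `metadata.namespace` in lower case, so this renders empty and the resource is emitted without a namespace (Helm then falls back to the release namespace, which hides the typo); it should read `namespace: {{ .metadata.namespace }}`. Separately, this hunk corrects the MachineDeployment's `configRef` namespace to `{{ $.Release.Namespace }}` but leaves the `infrastructureRef` a few lines below at `namespace: default`, although the `KubevirtMachineTemplate` it names is created in `{{ $.Release.Namespace }}`; unless Cluster API normalises reference namespaces, that reference points at an object that does not exist. Worth a comment near the `lookup` calls as well: they return nothing under `helm template`/`--dry-run`, so old templates are only preserved on a live install.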
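Review bot: The new file carries the label key `coztstack.io/target-cluster-name`, which looks like a typo of `cozystack.io` (compare `cozystack.io/repository` on the line above); the same key is copied into the new `fluxcd.yaml` and `ingress-nginx.yaml`, and it already exists as context in `cilium.yaml` and `csi.yaml`. If no controller or selector consumes this label yet, this commit is the cheapest moment to rename it in all five files together; if something does select on it, leave it and add a comment `# label key kept for compatibility with existing selectors` so the next reader does not "fix" half of them.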
@@ -23,6 +23,11 @@ spec: storageNamespace: cozy-cilium install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 values: cilium: tunnel: disabled @@ -44,5 +49,7 @@ spec: enableIPv4Masquerade: true ipv4NativeRoutingCIDR: "" dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/csi.yaml b/packages/apps/kubernetes/templates/helmreleases/csi.yaml index 55169278..2485d47c 100644 --- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml @@ -1,4 +1,4 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: {{ .Release.Name }}-csi @@ -6,7 +6,7 @@ metadata: cozystack.io/repository: system coztstack.io/target-cluster-name: {{ .Release.Name }} spec: - interval: 1m + interval: 5m releaseName: csi chart: spec: @@ -23,6 +23,13 @@ spec: storageNamespace: cozy-csi install: createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} + {{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/delete.yaml b/packages/apps/kubernetes/templates/helmreleases/delete.yaml index 71215c30..30cd5586 100644 --- a/packages/apps/kubernetes/templates/helmreleases/delete.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/delete.yaml 
@@ -20,17 +20,23 @@ spec: effect: "NoSchedule" containers: - name: kubectl - image: docker.io/clastix/kubectl:v1.29.1 + image: docker.io/clastix/kubectl:v1.30.1 command: - - kubectl - - --namespace={{ .Release.Namespace }} - - patch - - helmrelease - - {{ .Release.Name }}-cilium - - {{ .Release.Name }}-csi - - -p - - '{"spec": {"suspend": true}}' - - --type=merge + - /bin/sh + - -c + - | + kubectl + --namespace={{ .Release.Namespace }} + patch + helmrelease + {{ .Release.Name }}-cilium + {{ .Release.Name }}-csi + {{ .Release.Name }}-cert-manager + {{ .Release.Name }}-ingress-nginx + {{ .Release.Name }}-fluxcd-operator + {{ .Release.Name }}-fluxcd + -p '{"spec": {"suspend": true}}' + --type=merge --field-manager=flux-client-side-apply || true --- apiVersion: v1 kind: ServiceAccount @@ -60,6 +66,10 @@ rules: resourceNames: - {{ .Release.Name }}-cilium - {{ .Release.Name }}-csi + - {{ .Release.Name }}-cert-manager + - {{ .Release.Name }}-ingress-nginx + - {{ .Release.Name }}-fluxcd-operator + - {{ .Release.Name }}-fluxcd --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml new file mode 100644 index 00000000..c4ca6fd3 --- /dev/null +++ b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml 
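Review bot: The new `/bin/sh -c` script is a literal block (`- |`), so every line after `kubectl` runs as its own shell command: `kubectl` alone prints usage, `--namespace=...`, `patch`, `helmrelease` and the release names each fail as unknown commands, and the trailing `|| true` on the last line makes the hook succeed without having suspended anything. A folded block joins the lines with single spaces and yields the one command the author intended, so the fix is the scalar indicator only: change `- |` to `- >`. The RBAC hunk `@@ -60,6 +66,10 @@` that widens `resourceNames` is consistent with the new list.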
@@ -0,0 +1,84 @@ +{{- if .Values.addons.fluxcd.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-fluxcd-operator + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 5m + releaseName: fluxcd-operator + chart: + spec: + chart: cozy-fluxcd-operator + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-fluxcd + storageNamespace: cozy-fluxcd + install: + createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 + values: + flux-operator: + fullnameOverride: flux-operator + tolerations: [] + hostNetwork: false + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-fluxcd + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 5m + releaseName: fluxcd + chart: + spec: + chart: cozy-fluxcd + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-fluxcd + storageNamespace: cozy-fluxcd + install: + createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} + - name: {{ 
.Release.Name }}-fluxcd-operator + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml new file mode 100644 index 00000000..573fb601 --- /dev/null +++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml @@ -0,0 +1,49 @@ +{{- if .Values.addons.ingressNginx.enabled }} +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-ingress-nginx + labels: + cozystack.io/repository: system + coztstack.io/target-cluster-name: {{ .Release.Name }} +spec: + interval: 5m + releaseName: ingress-nginx + chart: + spec: + chart: cozy-ingress-nginx + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + kubeConfig: + secretRef: + name: {{ .Release.Name }}-kubeconfig + targetNamespace: cozy-ingress-nginx + storageNamespace: cozy-ingress-nginx + install: + createNamespace: true + remediation: + retries: -1 + upgrade: + remediation: + retries: -1 + values: + ingress-nginx: + fullnameOverride: ingress-nginx + controller: + kind: DaemonSet + hostNetwork: true + service: + enabled: false + nodeSelector: + node-role.kubernetes.io/ingress-nginx: "" + dependsOn: + {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" .Release.Namespace .Release.Name }} + - name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + {{- end }} + - name: {{ .Release.Name }}-cilium + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/packages/apps/kubernetes/templates/ingress.yaml b/packages/apps/kubernetes/templates/ingress.yaml new file mode 100644 index 00000000..e677afab --- /dev/null +++ b/packages/apps/kubernetes/templates/ingress.yaml 
@@ -0,0 +1,45 @@ +{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} +{{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }} +{{- if .Values.addons.ingressNginx.hosts }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Release.Name }}-ingress-nginx + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" +spec: + ingressClassName: "{{ $ingress }}" + rules: + {{- range .Values.addons.ingressNginx.hosts }} + - host: {{ . | quote }} + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: {{ $.Release.Name }}-ingress-nginx + port: + number: 443 + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }}-ingress-nginx +spec: + ports: + - appProtocol: http + name: http + port: 80 + targetPort: 80 + - appProtocol: https + name: https + port: 443 + targetPort: 443 + selector: + cluster.x-k8s.io/cluster-name: {{ .Release.Name }} + node-role.kubernetes.io/ingress-nginx: "" +{{- end }} diff --git a/packages/apps/kubernetes/values.schema.json b/packages/apps/kubernetes/values.schema.json index d467b3fe..cceff4d3 100644 --- a/packages/apps/kubernetes/values.schema.json +++ b/packages/apps/kubernetes/values.schema.json 
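Review bot: The host names come straight from `.Values.addons.ingressNginx.hosts` and are written into an Ingress in the upper cluster with `ssl-passthrough`, so nothing ties them to the tenant's own domain (the file looks up `namespace.cozystack.io/ingress` but not `namespace.cozystack.io/host`); if the intent is that a tenant may only pass through names under its own host, check each entry, e.g. `{{- if not (hasSuffix $host .) }}{{ fail (printf "host %q is not under %s" . $host) }}{{- end }}` after adding the `$host` lookup, otherwise document that hosts are claimed first-come across tenants. The `ssl-passthrough` annotation only takes effect when the upper ingress-nginx runs with `--enable-ssl-passthrough`; I cannot see that from this chunk, so a comment on the annotation noting the dependency would help the operator.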
@@ -16,6 +16,47 @@ "default": 2 } } + }, + "addons": { + "type": "object", + "properties": { + "certManager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables the cert-manager", + "default": false + } + } + }, + "ingressNginx": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role)", + "default": false + }, + "hosts": { + "type": "array", + "description": "List of domain names that should be passed through to the cluster by upper cluster", + "default": [], + "items": {} + } + } + }, + "fluxcd": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enables Flux CD", + "default": false + } + } + } + } } } } \ No newline at end of file diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index 15b5cc2b..548e344d 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -16,3 +16,36 @@ nodeGroups: resources: cpu: 2 memory: 1024Mi + roles: + - ingress-nginx + +## @section Cluster Addons +## +addons: + + ## Cert-manager: automatically creates and manages SSL/TLS certificate + ## + certManager: + ## @param addons.certManager.enabled Enables the cert-manager + enabled: false + + ## Ingress-NGINX Controller + ## + ingressNginx: + ## @param addons.ingressNginx.enabled Enable Ingress-NGINX controller (expect nodes with 'ingress-nginx' role) + ## + enabled: false + ## @param addons.ingressNginx.hosts List of domain names that should be passed through to the cluster by upper cluster + ## e.g: + ## hosts: + ## - example.org + ## - foo.example.net + ## + hosts: [] + + ## Flux CD + ## + fluxcd: + ## @param addons.fluxcd.enabled Enables Flux CD + ## + enabled: false diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 9ea4afc6..9a866e0f 100644 
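Review bot: `"items": {}` under `addons.ingressNginx.hosts` accepts any element type, yet the template pipes each entry through `quote` and uses it as an Ingress host, so a number or object in the list only fails when Kubernetes rejects the Ingress; `"items": { "type": "string" }` moves that error to `helm install`, and a `"pattern"` for DNS names would tighten it further. The new `addons` object also allows unknown keys, so a misspelled `certManager` silently leaves the addon disabled; `"additionalProperties": false` on `addons` and its three sub-objects would catch that.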
--- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg type: application -version: 1.1.0 +version: 1.2.0 diff --git a/packages/apps/tenant/README.md b/packages/apps/tenant/README.md index d33ecc7b..9b17e8fc 100644 --- a/packages/apps/tenant/README.md +++ b/packages/apps/tenant/README.md @@ -25,7 +25,7 @@ tenant-root (example.org) Thus, you can create `tenant-u1` with a set of services like `etcd`, `ingress`, `monitoring`. And create another tenant namespace `tenant-u2` inside of `tenant-u1`. -Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namesapce. +Let's see what will happen when you run Kubernetes and Postgres under `tenant-u2` namespace. Since `tenant-u2` does not have its own cluster services like `etcd`, `ingress`, and `monitoring`, the applications will use the cluster services of the parent tenant. This in turn means: diff --git a/packages/apps/tenant/templates/etcd.yaml b/packages/apps/tenant/templates/etcd.yaml index 917cf4b4..17b66683 100644 --- a/packages/apps/tenant/templates/etcd.yaml +++ b/packages/apps/tenant/templates/etcd.yaml @@ -1,5 +1,5 @@ {{- if .Values.etcd }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: etcd diff --git a/packages/apps/tenant/templates/ingress.yaml b/packages/apps/tenant/templates/ingress.yaml index 7c413db5..b93ae0fa 100644 --- a/packages/apps/tenant/templates/ingress.yaml +++ b/packages/apps/tenant/templates/ingress.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: ingress diff --git a/packages/apps/tenant/templates/monitoring.yaml b/packages/apps/tenant/templates/monitoring.yaml index d0db03b5..93772546 100644 
--- a/packages/apps/tenant/templates/monitoring.yaml +++ b/packages/apps/tenant/templates/monitoring.yaml @@ -1,5 +1,5 @@ {{- if .Values.monitoring }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: monitoring diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 5d5d46b8..d2968be0 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -1,14 +1,18 @@ clickhouse 0.1.0 ca79f72 clickhouse 0.2.0 7cd7de73 clickhouse 0.2.1 HEAD +ferretdb 0.1.0 HEAD http-cache 0.1.0 a956713 http-cache 0.2.0 HEAD kafka 0.1.0 760f86d2 -kafka 0.2.0 HEAD +kafka 0.2.0 a2cc83d +kafka 0.2.1 HEAD kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 kubernetes 0.3.0 7caccec1 -kubernetes 0.4.0 HEAD +kubernetes 0.4.0 6cae6ce8 +kubernetes 0.5.0 6bd2d455 +kubernetes 0.6.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 HEAD @@ -26,7 +30,8 @@ tenant 0.1.3 3d1b86c tenant 0.1.4 d200480 tenant 0.1.5 e3ab858 tenant 1.0.0 7cd7de7 -tenant 1.1.0 HEAD +tenant 1.1.0 4da8ac3b +tenant 1.2.0 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 HEAD diff --git a/packages/core/fluxcd/Makefile b/packages/core/fluxcd/Makefile deleted file mode 100644 index 9a44bd14..00000000 --- a/packages/core/fluxcd/Makefile +++ /dev/null 
@@ -1,20 +0,0 @@ -NAME=fluxcd -NAMESPACE=cozy-$(NAME) - -API_VERSIONS_FLAGS=$(addprefix -a ,$(shell kubectl api-versions)) - -show: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) - -apply: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl apply -n $(NAMESPACE) -f- - -diff: - helm template -n $(NAMESPACE) $(NAME) . --no-hooks --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -n $(NAMESPACE) -f- - -update: - rm -rf charts - helm repo add fluxcd-community https://fluxcd-community.github.io/helm-charts - helm repo update fluxcd-community - helm pull fluxcd-community/flux2 --untar --untardir charts - sed -i 's/\.{{ \.Values\.clusterDomain | default "cluster\.local" }}\.//g' `grep -rl '.{{ .Values.clusterDomain | default "cluster.local" }}.' charts` diff --git a/packages/core/fluxcd/charts/flux2/Chart.yaml b/packages/core/fluxcd/charts/flux2/Chart.yaml deleted file mode 100644 index 8e37f2cb..00000000 --- a/packages/core/fluxcd/charts/flux2/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -annotations: - artifacthub.io/changes: | - - "[Chore]: Update App Version to upstream 2.2.3" -apiVersion: v2 -appVersion: 2.2.3 -description: A Helm chart for flux2 -name: flux2 -sources: -- https://github.com/fluxcd-community/helm-charts -type: application -version: 2.12.4 diff --git a/packages/core/fluxcd/charts/flux2/README.md b/packages/core/fluxcd/charts/flux2/README.md deleted file mode 100644 index 3aa73fa7..00000000 --- a/packages/core/fluxcd/charts/flux2/README.md +++ /dev/null 
@@ -1,174 +0,0 @@ -# flux2 - -![Version: 2.12.4](https://img.shields.io/badge/Version-2.12.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.2.3](https://img.shields.io/badge/AppVersion-2.2.3-informational?style=flat-square) - -A Helm chart for flux2 - -This helm chart is maintained and released by the fluxcd-community on a best effort basis. - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| cli.affinity | object | `{}` | | -| cli.annotations | object | `{}` | | -| cli.image | string | `"ghcr.io/fluxcd/flux-cli"` | | -| cli.nodeSelector | object | `{}` | | -| cli.serviceAccount.automount | bool | `true` | | -| cli.tag | string | `"v2.2.3"` | | -| cli.tolerations | list | `[]` | | -| clusterDomain | string | `"cluster.local"` | | -| crds.annotations | object | `{}` | Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep | -| extraObjects | list | `[]` | Array of extra K8s manifests to deploy | -| helmController.affinity | object | `{}` | | -| helmController.annotations."prometheus.io/port" | string | `"8080"` | | -| helmController.annotations."prometheus.io/scrape" | string | `"true"` | | -| helmController.container.additionalArgs | list | `[]` | | -| helmController.create | bool | `true` | | -| helmController.extraEnv | list | `[]` | | -| helmController.image | string | `"ghcr.io/fluxcd/helm-controller"` | | -| helmController.imagePullPolicy | string | `""` | | -| helmController.labels | object | `{}` | | -| helmController.nodeSelector | object | `{}` | | -| helmController.priorityClassName | string | `""` | | -| helmController.resources.limits | object | `{}` | | -| helmController.resources.requests.cpu | string | `"100m"` | | -| helmController.resources.requests.memory | string | `"64Mi"` | | -| helmController.serviceAccount.annotations | object | `{}` | | -| 
helmController.serviceAccount.automount | bool | `true` | | -| helmController.serviceAccount.create | bool | `true` | | -| helmController.tag | string | `"v0.37.4"` | | -| helmController.tolerations | list | `[]` | | -| imageAutomationController.affinity | object | `{}` | | -| imageAutomationController.annotations."prometheus.io/port" | string | `"8080"` | | -| imageAutomationController.annotations."prometheus.io/scrape" | string | `"true"` | | -| imageAutomationController.container.additionalArgs | list | `[]` | | -| imageAutomationController.create | bool | `true` | | -| imageAutomationController.extraEnv | list | `[]` | | -| imageAutomationController.image | string | `"ghcr.io/fluxcd/image-automation-controller"` | | -| imageAutomationController.imagePullPolicy | string | `""` | | -| imageAutomationController.labels | object | `{}` | | -| imageAutomationController.nodeSelector | object | `{}` | | -| imageAutomationController.priorityClassName | string | `""` | | -| imageAutomationController.resources.limits | object | `{}` | | -| imageAutomationController.resources.requests.cpu | string | `"100m"` | | -| imageAutomationController.resources.requests.memory | string | `"64Mi"` | | -| imageAutomationController.serviceAccount.annotations | object | `{}` | | -| imageAutomationController.serviceAccount.automount | bool | `true` | | -| imageAutomationController.serviceAccount.create | bool | `true` | | -| imageAutomationController.tag | string | `"v0.37.1"` | | -| imageAutomationController.tolerations | list | `[]` | | -| imagePullSecrets | list | `[]` | contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers | -| imageReflectionController.affinity | object | `{}` | | -| imageReflectionController.annotations."prometheus.io/port" | string | `"8080"` | | -| imageReflectionController.annotations."prometheus.io/scrape" | string | `"true"` | | -| imageReflectionController.container.additionalArgs | list | `[]` | | -| 
imageReflectionController.create | bool | `true` | | -| imageReflectionController.extraEnv | list | `[]` | | -| imageReflectionController.image | string | `"ghcr.io/fluxcd/image-reflector-controller"` | | -| imageReflectionController.imagePullPolicy | string | `""` | | -| imageReflectionController.labels | object | `{}` | | -| imageReflectionController.nodeSelector | object | `{}` | | -| imageReflectionController.priorityClassName | string | `""` | | -| imageReflectionController.resources.limits | object | `{}` | | -| imageReflectionController.resources.requests.cpu | string | `"100m"` | | -| imageReflectionController.resources.requests.memory | string | `"64Mi"` | | -| imageReflectionController.serviceAccount.annotations | object | `{}` | | -| imageReflectionController.serviceAccount.automount | bool | `true` | | -| imageReflectionController.serviceAccount.create | bool | `true` | | -| imageReflectionController.tag | string | `"v0.31.2"` | | -| imageReflectionController.tolerations | list | `[]` | | -| installCRDs | bool | `true` | | -| kustomizeController.affinity | object | `{}` | | -| kustomizeController.annotations."prometheus.io/port" | string | `"8080"` | | -| kustomizeController.annotations."prometheus.io/scrape" | string | `"true"` | | -| kustomizeController.container.additionalArgs | list | `[]` | | -| kustomizeController.create | bool | `true` | | -| kustomizeController.envFrom | object | `{"map":{"name":""},"secret":{"name":""}}` | Defines envFrom using a configmap and/or secret. | -| kustomizeController.extraEnv | list | `[]` | | -| kustomizeController.extraSecretMounts | list | `[]` | Defines additional mounts with secrets. 
Secrets must be manually created in the namespace or with kustomizeController.secret | -| kustomizeController.image | string | `"ghcr.io/fluxcd/kustomize-controller"` | | -| kustomizeController.imagePullPolicy | string | `""` | | -| kustomizeController.labels | object | `{}` | | -| kustomizeController.nodeSelector | object | `{}` | | -| kustomizeController.priorityClassName | string | `""` | | -| kustomizeController.resources.limits | object | `{}` | | -| kustomizeController.resources.requests.cpu | string | `"100m"` | | -| kustomizeController.resources.requests.memory | string | `"64Mi"` | | -| kustomizeController.secret.create | bool | `false` | Create a secret to use it with extraSecretMounts. Defaults to false. | -| kustomizeController.secret.data | object | `{}` | | -| kustomizeController.secret.name | string | `""` | | -| kustomizeController.serviceAccount.annotations | object | `{}` | | -| kustomizeController.serviceAccount.automount | bool | `true` | | -| kustomizeController.serviceAccount.create | bool | `true` | | -| kustomizeController.tag | string | `"v1.2.2"` | | -| kustomizeController.tolerations | list | `[]` | | -| logLevel | string | `"info"` | | -| multitenancy.defaultServiceAccount | string | `"default"` | All Kustomizations and HelmReleases which don’t have spec.serviceAccountName specified, will use the default account from the tenant’s namespace. Tenants have to specify a service account in their Flux resources to be able to deploy workloads in their namespaces as the default account has no permissions. | -| multitenancy.enabled | bool | `false` | Implement the patches for Multi-tenancy lockdown. See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown | -| multitenancy.privileged | bool | `true` | Both kustomize-controller and helm-controller service accounts run privileged with cluster-admin ClusterRoleBinding. Disable if you want to run them with a minimum set of permissions. 
| -| notificationController.affinity | object | `{}` | | -| notificationController.annotations."prometheus.io/port" | string | `"8080"` | | -| notificationController.annotations."prometheus.io/scrape" | string | `"true"` | | -| notificationController.container.additionalArgs | list | `[]` | | -| notificationController.create | bool | `true` | | -| notificationController.extraEnv | list | `[]` | | -| notificationController.image | string | `"ghcr.io/fluxcd/notification-controller"` | | -| notificationController.imagePullPolicy | string | `""` | | -| notificationController.labels | object | `{}` | | -| notificationController.nodeSelector | object | `{}` | | -| notificationController.priorityClassName | string | `""` | | -| notificationController.resources.limits | object | `{}` | | -| notificationController.resources.requests.cpu | string | `"100m"` | | -| notificationController.resources.requests.memory | string | `"64Mi"` | | -| notificationController.service.annotations | object | `{}` | | -| notificationController.service.labels | object | `{}` | | -| notificationController.serviceAccount.annotations | object | `{}` | | -| notificationController.serviceAccount.automount | bool | `true` | | -| notificationController.serviceAccount.create | bool | `true` | | -| notificationController.tag | string | `"v1.2.4"` | | -| notificationController.tolerations | list | `[]` | | -| notificationController.webhookReceiver.ingress.annotations | object | `{}` | | -| notificationController.webhookReceiver.ingress.create | bool | `false` | | -| notificationController.webhookReceiver.ingress.hosts[0].host | string | `"flux-webhook.example.com"` | | -| notificationController.webhookReceiver.ingress.hosts[0].paths[0].path | string | `"/"` | | -| notificationController.webhookReceiver.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| notificationController.webhookReceiver.ingress.labels | object | `{}` | | -| 
notificationController.webhookReceiver.ingress.tls | list | `[]` | | -| notificationController.webhookReceiver.service.annotations | object | `{}` | | -| notificationController.webhookReceiver.service.labels | object | `{}` | | -| policies.create | bool | `true` | | -| prometheus.podMonitor.create | bool | `false` | Enables podMonitor endpoint | -| prometheus.podMonitor.podMetricsEndpoints[0].port | string | `"http-prom"` | | -| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].action | string | `"keep"` | | -| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].regex | string | `"Running"` | | -| prometheus.podMonitor.podMetricsEndpoints[0].relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_phase"` | | -| rbac.annotations | object | `{}` | Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep | -| rbac.create | bool | `true` | | -| rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to Flux custom resources | -| sourceController.affinity | object | `{}` | | -| sourceController.annotations."prometheus.io/port" | string | `"8080"` | | -| sourceController.annotations."prometheus.io/scrape" | string | `"true"` | | -| sourceController.container.additionalArgs | list | `[]` | | -| sourceController.create | bool | `true` | | -| sourceController.extraEnv | list | `[]` | | -| sourceController.image | string | `"ghcr.io/fluxcd/source-controller"` | | -| sourceController.imagePullPolicy | string | `""` | | -| sourceController.labels | object | `{}` | | -| sourceController.nodeSelector | object | `{}` | | -| sourceController.priorityClassName | string | `""` | | -| sourceController.resources.limits | object | `{}` | | -| sourceController.resources.requests.cpu | string | `"100m"` | | -| sourceController.resources.requests.memory | string | `"64Mi"` | | -| sourceController.service.annotations | object | `{}` | | -| sourceController.service.labels | object | `{}` | | -| 
sourceController.serviceAccount.annotations | object | `{}` | | -| sourceController.serviceAccount.automount | bool | `true` | | -| sourceController.serviceAccount.create | bool | `true` | | -| sourceController.tag | string | `"v1.2.4"` | | -| sourceController.tolerations | list | `[]` | | -| watchAllNamespaces | bool | `true` | | diff --git a/packages/core/fluxcd/charts/flux2/templates/_helper.tpl b/packages/core/fluxcd/charts/flux2/templates/_helper.tpl deleted file mode 100644 index 6a36293e..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/_helper.tpl +++ /dev/null @@ -1,7 +0,0 @@ -{{- define "template.image" -}} -{{- if eq (substr 0 7 .tag) "sha256:" -}} -{{- printf "%s@%s" .image .tag -}} -{{- else -}} -{{- printf "%s:%s" .image .tag -}} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml b/packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml deleted file mode 100644 index 432895b2..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/aggregate-clusterroles.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- if .Values.rbac.createAggregation }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: flux-edit - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: ["*"] - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: flux-view - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" -rules: - - apiGroups: - - notification.toolkit.fluxcd.io - - source.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - image.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - resources: ["*"] - verbs: - - get - - list - - watch -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml b/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml deleted file mode 100644 index 63dc8572..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-clusterrolebinding.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: cluster-reconciler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.rbac.roleRef.name }} -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: {{ .Release.Namespace }} -- kind: ServiceAccount - name: helm-controller - namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file diff --git a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml b/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml deleted file mode 100644 index e77c13ea..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: cluster-reconciler-impersonator - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -rules: -- apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["impersonate"] -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml b/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml deleted file mode 100644 index 588c7d49..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: cluster-reconciler-impersonator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-reconciler-impersonator -subjects: -- kind: ServiceAccount - name: kustomize-controller - namespace: {{ .Release.Namespace }} -- kind: ServiceAccount - name: helm-controller - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml b/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml deleted file mode 100644 index cea0a1ca..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrole.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -{{- if and .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: crd-controller - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -rules: -- apiGroups: ['source.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['kustomize.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['helm.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['notification.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: ['image.toolkit.fluxcd.io'] - resources: ['*'] - verbs: ['*'] -- apiGroups: - - "" - resources: - - namespaces - - secrets - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -# required by leader election -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml b/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml deleted file mode 100644 index 51e716f0..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/crd-controller-clusterrolebinding.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- if and .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - {{- with .Values.rbac.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - name: crd-controller - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: crd-controller -subjects: - - kind: ServiceAccount - name: kustomize-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: helm-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: source-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: notification-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: image-reflector-controller - namespace: {{ .Release.Namespace }} - - kind: ServiceAccount - name: image-automation-controller - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml b/packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml deleted file mode 100644 index a9bb3b6b..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/extra-manifests.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{ range .Values.extraObjects }} ---- -{{ tpl (toYaml .) $ }} -{{ end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml deleted file mode 100644 index 9d4ff589..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller-sa.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.helmController.create}} -{{- if .Values.helmController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: helm-controller - {{- with .Values.helmController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml deleted file mode 100644 index 0a930d37..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.crds.yaml +++ /dev/null 
@@ -1,2268 +0,0 @@ -{{- if and .Values.installCRDs .Values.helmController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: helmreleases.helm.toolkit.fluxcd.io -spec: - group: helm.toolkit.fluxcd.io - names: - kind: HelmRelease - listKind: HelmReleaseList - plural: helmreleases - shortNames: - - hr - singular: helmrelease - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v2beta1 HelmRelease is deprecated, upgrade to v2beta2 - name: v2beta1 - schema: - openAPIV3Schema: - description: HelmRelease is the Schema for the helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta2.HelmChart that - should be created for this HelmRelease. - properties: - metadata: - description: ObjectMeta holds the template for metadata like labels - and annotations. - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map - stored with a resource that may be set by external tools - to store and retrieve arbitrary metadata. They are not queryable - and should be preserved when modifying objects. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used - to organize and categorize (scope and select) objects. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' - type: object - type: object - spec: - description: Spec holds the template for the v1beta2.HelmChartSpec - for this HelmRelease. - properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which to check the v1beta2.Source - for updates. Defaults to 'HelmReleaseSpec.Interval'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. 
- enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1beta2.Source - the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the - trusted public keys used to verify the signature and specifies - which provider to use to check whether OCI image is authentic. - This field is only supported for OCI sources. Chart dependencies, - which are not bundled in the umbrella chart artifact, are - not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to - sign the OCI Helm chart. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret - containing the trusted public keys. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - driftDetection: - description: "DriftDetection holds the configuration for detecting - and handling differences between the manifest in the Helm storage - and the resources currently existing in the cluster. \n Note: this - field is provisional to the v2beta2 API, and not actively used by - v2beta1 HelmReleases." - properties: - ignore: - description: Ignore contains a list of rules for specifying which - changes to ignore during diffing. - items: - description: IgnoreRule defines a rule to selectively disregard - specific changes during the drift detection process. - properties: - paths: - description: Paths is a list of JSON Pointer (RFC 6901) - paths to be excluded from consideration in a Kubernetes - object. - items: - type: string - type: array - target: - description: Target is a selector for specifying Kubernetes - objects to which this rule applies. If Target is not set, - the Paths will be ignored for all Kubernetes objects within - the manifest of the Helm release. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable - of unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is capable - of unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - paths - type: object - type: array - mode: - description: Mode defines how differences should be handled between - the Helm manifest and the manifest currently applied to the - cluster. If not explicitly set, it defaults to DiffModeDisabled. 
- enum: - - enabled - - warn - - disabled - type: string - type: object - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. - properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt-in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. - https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. 
- type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. This - interval is approximate and may be subject to jitter to ensure efficient - use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. 
When used in combination with HelmReleaseSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '10'. - type: integer - persistentClient: - description: "PersistentClient tells the controller to use a persistent - Kubernetes client for this release. When enabled, the client will - be reused for the duration of the reconciliation, instead of being - created and destroyed for each (step of a) Helm action. \n This - can improve performance, but may cause issues with some Helm charts - that for example do create Custom Resource Definitions during installation - outside Helm's CRD lifecycle hooks, which are then not observed - to be available by e.g. post-install hooks. \n If not set, it defaults - to true." 
- type: boolean - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. - items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. - type: string - required: - - name - type: object - type: array - patches: - description: Strategic merge and JSON patches, defined as - inline YAML objects, capable of targeting objects based - on kind, label and annotation selectors. - items: - description: Patch contains an inline StrategicMerge or - JSON6902 patch, and the target the patch should be applied - to. - properties: - patch: - description: Patch contains an inline StrategicMerge - patch or an inline JSON6902 patch with an array - of operation objects. - type: string - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. 
- type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. - https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value - that references a location within the target - document where the operation is performed. 
- The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - type: string - op: - description: Op indicates the operation to perform. - Its value MUST be one of "add", "remove", - "replace", "move", "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer - value that references a location within the - target document where the operation is performed. - The meaning of the value depends on the value - of Op. - type: string - value: - description: Value contains a valid JSON structure. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. 
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline - YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. 
- type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. - properties: - deletionPropagation: - default: background - description: DeletionPropagation specifies the deletion propagation - policy when a Helm uninstall is performed. - enum: - - background - - foreground - - orphan - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables waiting for all the resources - to be deleted after a Helm uninstall is performed. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. 
\n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. 
Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. - enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. - items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. 
Defaults to 'None', which results - in the values getting merged at the root. - maxLength: 250 - pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. - When set, must be a valid Data Key, consisting of alphanumeric - characters, '-', '_' or '.'. - maxLength: 253 - pattern: ^[\-._a-zA-Z0-9]+$ - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. 
- type: string - history: - description: "History holds the history of Helm releases performed - for this HelmRelease up to the last successfully completed release. - \n Note: this field is provisional to the v2beta2 API, and not actively - used by v2beta1 HelmReleases." - items: - description: Snapshot captures a point-in-time copy of the status - information for a Helm release, as managed by the controller. - properties: - apiVersion: - description: 'APIVersion is the API version of the Snapshot. - Provisional: when the calculation method of the Digest field - is changed, this field will be used to distinguish between - the old and new methods.' - type: string - chartName: - description: ChartName is the chart name of the release object - in storage. - type: string - chartVersion: - description: ChartVersion is the chart version of the release - object in storage. - type: string - configDigest: - description: ConfigDigest is the checksum of the config (better - known as "values") of the release object in storage. It has - the format of `:`. - type: string - deleted: - description: Deleted is when the release was deleted. - format: date-time - type: string - digest: - description: Digest is the checksum of the release object in - storage. It has the format of `:`. - type: string - firstDeployed: - description: FirstDeployed is when the release was first deployed. - format: date-time - type: string - lastDeployed: - description: LastDeployed is when the release was last deployed. - format: date-time - type: string - name: - description: Name is the name of the release. - type: string - namespace: - description: Namespace is the namespace the release is deployed - to. - type: string - status: - description: Status is the current state of the release. - type: string - testHooks: - additionalProperties: - description: TestHookStatus holds the status information for - a test hook as observed to be run by the controller. 
- properties: - lastCompleted: - description: LastCompleted is the time the test hook last - completed. - format: date-time - type: string - lastStarted: - description: LastStarted is the time the test hook was - last started. - format: date-time - type: string - phase: - description: Phase the test hook was observed to be in. - type: string - type: object - description: TestHooks is the list of test hooks for the release - as observed to be run by the controller. - type: object - version: - description: Version is the version of the release object in - storage. - type: integer - required: - - chartName - - chartVersion - - configDigest - - digest - - firstDeployed - - lastDeployed - - name - - namespace - - status - - version - type: object - type: array - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: LastAppliedRevision is the revision of the last successfully - applied source. - type: string - lastAttemptedConfigDigest: - description: "LastAttemptedConfigDigest is the digest for the config - (better known as \"values\") of the last reconciliation attempt. - \n Note: this field is provisional to the v2beta2 API, and not actively - used by v2beta1 HelmReleases." - type: string - lastAttemptedGeneration: - description: "LastAttemptedGeneration is the last generation the controller - attempted to reconcile. \n Note: this field is provisional to the - v2beta2 API, and not actively used by v2beta1 HelmReleases." - format: int64 - type: integer - lastAttemptedReleaseAction: - description: "LastAttemptedReleaseAction is the last release action - performed for this HelmRelease. It is used to determine the active - remediation strategy. \n Note: this field is provisional to the - v2beta2 API, and not actively used by v2beta1 HelmReleases." 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastAttemptedValuesChecksum: - description: LastAttemptedValuesChecksum is the SHA1 checksum of the - values of the last reconciliation attempt. - type: string - lastHandledForceAt: - description: "LastHandledForceAt holds the value of the most recent - force request value, so a change of the annotation value can be - detected. \n Note: this field is provisional to the v2beta2 API, - and not actively used by v2beta1 HelmReleases." - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastHandledResetAt: - description: "LastHandledResetAt holds the value of the most recent - reset request value, so a change of the annotation value can be - detected. \n Note: this field is provisional to the v2beta2 API, - and not actively used by v2beta1 HelmReleases." - type: string - lastReleaseRevision: - description: LastReleaseRevision is the revision of the last successful - Helm release. - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - storageNamespace: - description: "StorageNamespace is the namespace of the Helm release - storage for the current release. \n Note: this field is provisional - to the v2beta2 API, and not actively used by v2beta1 HelmReleases." - type: string - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v2beta2 - schema: - openAPIV3Schema: - description: HelmRelease is the Schema for the helmreleases API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmReleaseSpec defines the desired state of a Helm release. - properties: - chart: - description: Chart defines the template of the v1beta2.HelmChart that - should be created for this HelmRelease. - properties: - metadata: - description: ObjectMeta holds the template for metadata like labels - and annotations. - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map - stored with a resource that may be set by external tools - to store and retrieve arbitrary metadata. They are not queryable - and should be preserved when modifying objects. 
More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/' - type: object - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used - to organize and categorize (scope and select) objects. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/' - type: object - type: object - spec: - description: Spec holds the template for the v1beta2.HelmChartSpec - for this HelmRelease. - properties: - chart: - description: The name or path the Helm chart is available - at in the SourceRef. - maxLength: 2048 - minLength: 1 - type: string - interval: - description: Interval at which to check the v1.Source for - updates. Defaults to 'HelmReleaseSpec.Interval'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new - artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on - their behavior. Defaults to ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The name and namespace of the v1.Source the chart - is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: Namespace of the referent. - maxLength: 63 - minLength: 1 - type: string - required: - - name - type: object - valuesFile: - description: Alternative values file to use as the default - chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file defined here is merged before the ValuesFiles items. - Ignored when omitted. 
- type: string - valuesFiles: - description: Alternative list of values files to use as the - chart values (values.yaml is not included by default), expected - to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding - the first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the - trusted public keys used to verify the signature and specifies - which provider to use to check whether OCI image is authentic. - This field is only supported for OCI sources. Chart dependencies, - which are not bundled in the umbrella chart artifact, are - not verified. - properties: - provider: - default: cosign - description: Provider specifies the technology used to - sign the OCI Helm chart. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret - containing the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version semver expression, ignored for charts - from v1beta2.GitRepository and v1beta2.Bucket sources. Defaults - to latest when omitted. - type: string - required: - - chart - - sourceRef - type: object - required: - - spec - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to HelmRelease resources that must be ready - before this HelmRelease can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. 
- type: string - required: - - name - type: object - type: array - driftDetection: - description: DriftDetection holds the configuration for detecting - and handling differences between the manifest in the Helm storage - and the resources currently existing in the cluster. - properties: - ignore: - description: Ignore contains a list of rules for specifying which - changes to ignore during diffing. - items: - description: IgnoreRule defines a rule to selectively disregard - specific changes during the drift detection process. - properties: - paths: - description: Paths is a list of JSON Pointer (RFC 6901) - paths to be excluded from consideration in a Kubernetes - object. - items: - type: string - type: array - target: - description: Target is a selector for specifying Kubernetes - objects to which this rule applies. If Target is not set, - the Paths will be ignored for all Kubernetes objects within - the manifest of the Helm release. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable - of unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is capable - of unambiguously identifying and/or selecting resources. 
- https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - paths - type: object - type: array - mode: - description: Mode defines how differences should be handled between - the Helm manifest and the manifest currently applied to the - cluster. If not explicitly set, it defaults to DiffModeDisabled. - enum: - - enabled - - warn - - disabled - type: string - type: object - install: - description: Install holds the configuration for Helm install actions - for this HelmRelease. - properties: - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Create` - and if omitted CRDs are installed but not updated. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are applied (installed) during Helm install action. With this - option users can opt in to CRD replace existing CRDs on Helm - install actions, which is not (yet) natively supported by Helm. 
- https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - createNamespace: - description: CreateNamespace tells the Helm install action to - create the HelmReleaseSpec.TargetNamespace if it does not exist - yet. On uninstall, the namespace will not be garbage collected. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm install action. - type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm install - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm install has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm install has been performed. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm install action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an install - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false'. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - an uninstall, is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. 
- type: integer - type: object - replace: - description: Replace tells the Helm install action to re-use the - 'ReleaseName', but only if that name is a deleted release which - remains in the history. - type: boolean - skipCRDs: - description: "SkipCRDs tells the Helm install action to not install - any CRDs. By default, CRDs are installed if not already present. - \n Deprecated use CRD policy (`crds`) attribute with value `Skip` - instead." - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm install action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - interval: - description: Interval at which to reconcile the Helm release. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: KubeConfig for reconciling the HelmRelease on a remote - cluster. When used in combination with HelmReleaseSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when HelmReleaseSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. 
- type: string - required: - - name - type: object - required: - - secretRef - type: object - maxHistory: - description: MaxHistory is the number of revisions saved by Helm for - this HelmRelease. Use '0' for an unlimited number of revisions; - defaults to '5'. - type: integer - persistentClient: - description: "PersistentClient tells the controller to use a persistent - Kubernetes client for this release. When enabled, the client will - be reused for the duration of the reconciliation, instead of being - created and destroyed for each (step of a) Helm action. \n This - can improve performance, but may cause issues with some Helm charts - that for example do create Custom Resource Definitions during installation - outside Helm's CRD lifecycle hooks, which are then not observed - to be available by e.g. post-install hooks. \n If not set, it defaults - to true." - type: boolean - postRenderers: - description: PostRenderers holds an array of Helm PostRenderers, which - will be applied in order of their definition. - items: - description: PostRenderer contains a Helm PostRenderer specification. - properties: - kustomize: - description: Kustomization to apply as PostRenderer. - properties: - images: - description: Images is a list of (image name, new name, - new tag or digest) for changing image names, tags or digests. - This can also be achieved with a patch, but this operator - is simpler to specify. - items: - description: Image contains an image name, a new name, - a new tag or digest, which will replace the original - name and tag. - properties: - digest: - description: Digest is the value used to replace the - original image tag. If digest is present NewTag - value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace - the original name. - type: string - newTag: - description: NewTag is the value used to replace the - original tag. 
- type: string - required: - - name - type: object - type: array - patches: - description: Strategic merge and JSON patches, defined as - inline YAML objects, capable of targeting objects based - on kind, label and annotation selectors. - items: - description: Patch contains an inline StrategicMerge or - JSON6902 patch, and the target the patch should be applied - to. - properties: - patch: - description: Patch contains an inline StrategicMerge - patch or an inline JSON6902 patch with an array - of operation objects. - type: string - target: - description: Target points to the resources that the - patch document should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. 
Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML - objects. Deprecated: use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and - the target the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document - with an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. - https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value - that references a location within the target - document where the operation is performed. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - type: string - op: - description: Op indicates the operation to perform. - Its value MUST be one of "add", "remove", - "replace", "move", "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer - value that references a location within the - target document where the operation is performed. - The meaning of the value depends on the value - of Op. - type: string - value: - description: Value contains a valid JSON structure. - The meaning of the value depends on the value - of Op, and is NOT taken into account by all - operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the - patch document should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that - follows the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select - resources from. Together with Version and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources - from. Together with Group and Version it is - capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select - resources from. Together with Group and Kind - it is capable of unambiguously identifying and/or - selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline - YAML objects. Deprecated: use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - type: object - type: array - releaseName: - description: ReleaseName used for the Helm release. 
Defaults to a - composition of '[TargetNamespace-]Name'. - maxLength: 53 - minLength: 1 - type: string - rollback: - description: Rollback holds the configuration for Helm rollback actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm rollback action when it fails. - type: boolean - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm rollback has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm rollback has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - recreate: - description: Recreate performs pod restarts for the resource if - applicable. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this HelmRelease. - maxLength: 253 - minLength: 1 - type: string - storageNamespace: - description: StorageNamespace used for the Helm storage. Defaults - to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - suspend: - description: Suspend tells the controller to suspend reconciliation - for this HelmRelease, it does not apply to already started reconciliations. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace to target when performing operations - for the HelmRelease. 
Defaults to the namespace of the HelmRelease. - maxLength: 63 - minLength: 1 - type: string - test: - description: Test holds the configuration for Helm test actions for - this HelmRelease. - properties: - enable: - description: Enable enables Helm test actions for this HelmRelease - after an Helm install or upgrade action has been performed. - type: boolean - filters: - description: Filters is a list of tests to run or exclude from - running. - items: - description: Filter holds the configuration for individual Helm - test filters. - properties: - exclude: - description: Exclude specifies whether the named test should - be excluded. - type: boolean - name: - description: Name is the name of the test. - maxLength: 253 - minLength: 1 - type: string - required: - - name - type: object - type: array - ignoreFailures: - description: IgnoreFailures tells the controller to skip remediation - when the Helm tests are run but fail. Can be overwritten for - tests run after install or upgrade actions in 'Install.IgnoreTestFailures' - and 'Upgrade.IgnoreTestFailures'. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation during the performance of a Helm test action. Defaults - to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a Helm - action. Defaults to '5m0s'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - uninstall: - description: Uninstall holds the configuration for Helm uninstall - actions for this HelmRelease. - properties: - deletionPropagation: - default: background - description: DeletionPropagation specifies the deletion propagation - policy when a Helm uninstall is performed. 
- enum: - - background - - foreground - - orphan - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm rollback action. - type: boolean - disableWait: - description: DisableWait disables waiting for all the resources - to be deleted after a Helm uninstall is performed. - type: boolean - keepHistory: - description: KeepHistory tells Helm to remove all associated resources - and mark the release as deleted, but retain the release history. - type: boolean - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - upgrade: - description: Upgrade holds the configuration for Helm upgrade actions - for this HelmRelease. - properties: - cleanupOnFail: - description: CleanupOnFail allows deletion of new resources created - during the Helm upgrade action when it fails. - type: boolean - crds: - description: "CRDs upgrade CRDs from the Helm Chart's crds directory - according to the CRD upgrade policy provided here. Valid values - are `Skip`, `Create` or `CreateReplace`. Default is `Skip` and - if omitted CRDs are neither installed nor upgraded. \n Skip: - do neither install nor replace (update) any CRDs. \n Create: - new CRDs are created, existing CRDs are neither updated nor - deleted. \n CreateReplace: new CRDs are created, existing CRDs - are updated (replaced) but not deleted. \n By default, CRDs - are not applied during Helm upgrade action. With this option - users can opt-in to CRD upgrade, which is not (yet) natively - supported by Helm. https://helm.sh/docs/chart_best_practices/custom_resource_definitions." - enum: - - Skip - - Create - - CreateReplace - type: string - disableHooks: - description: DisableHooks prevents hooks from running during the - Helm upgrade action. 
- type: boolean - disableOpenAPIValidation: - description: DisableOpenAPIValidation prevents the Helm upgrade - action from validating rendered templates against the Kubernetes - OpenAPI Schema. - type: boolean - disableWait: - description: DisableWait disables the waiting for resources to - be ready after a Helm upgrade has been performed. - type: boolean - disableWaitForJobs: - description: DisableWaitForJobs disables waiting for jobs to complete - after a Helm upgrade has been performed. - type: boolean - force: - description: Force forces resource updates through a replacement - strategy. - type: boolean - preserveValues: - description: PreserveValues will make Helm reuse the last release's - values and merge in overrides from 'Values'. Setting this flag - makes the HelmRelease non-declarative. - type: boolean - remediation: - description: Remediation holds the remediation configuration for - when the Helm upgrade action for the HelmRelease fails. The - default is to not perform any action. - properties: - ignoreTestFailures: - description: IgnoreTestFailures tells the controller to skip - remediation when the Helm tests are run after an upgrade - action but fail. Defaults to 'Test.IgnoreFailures'. - type: boolean - remediateLastFailure: - description: RemediateLastFailure tells the controller to - remediate the last failure, when no retries remain. Defaults - to 'false' unless 'Retries' is greater than 0. - type: boolean - retries: - description: Retries is the number of retries that should - be attempted on failures before bailing. Remediation, using - 'Strategy', is performed between each attempt. Defaults - to '0', a negative integer equals to unlimited retries. - type: integer - strategy: - description: Strategy to use for failure remediation. Defaults - to 'rollback'. 
- enum: - - rollback - - uninstall - type: string - type: object - timeout: - description: Timeout is the time to wait for any individual Kubernetes - operation (like Jobs for hooks) during the performance of a - Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - type: object - values: - description: Values holds the values for this Helm release. - x-kubernetes-preserve-unknown-fields: true - valuesFrom: - description: ValuesFrom holds references to resources containing Helm - values for this HelmRelease, and information about how they should - be merged. - items: - description: ValuesReference contains a reference to a resource - containing Helm values, and optionally the key they can be found - at. - properties: - kind: - description: Kind of the values referent, valid values are ('Secret', - 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside in the - same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - description: Optional marks this ValuesReference as optional. - When set, a not found error for the values reference is ignored, - but any ValuesKey, TargetPath or transient error will still - result in a reconciliation failure. - type: boolean - targetPath: - description: TargetPath is the YAML dot notation path the value - should be merged at. When set, the ValuesKey is expected to - be a single flat value. Defaults to 'None', which results - in the values getting merged at the root. - maxLength: 250 - pattern: ^([a-zA-Z0-9_\-.\\\/]|\[[0-9]{1,5}\])+$ - type: string - valuesKey: - description: ValuesKey is the data key where the values.yaml - or a specific value can be found at. Defaults to 'values.yaml'. 
- maxLength: 253 - pattern: ^[\-._a-zA-Z0-9]+$ - type: string - required: - - kind - - name - type: object - type: array - required: - - chart - - interval - type: object - status: - default: - observedGeneration: -1 - description: HelmReleaseStatus defines the observed state of a HelmRelease. - properties: - conditions: - description: Conditions holds the conditions for the HelmRelease. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - failures: - description: Failures is the reconciliation failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - helmChart: - description: HelmChart is the namespaced name of the HelmChart resource - created by the controller for the HelmRelease. - type: string - history: - description: History holds the history of Helm releases performed - for this HelmRelease up to the last successfully completed release. - items: - description: Snapshot captures a point-in-time copy of the status - information for a Helm release, as managed by the controller. - properties: - apiVersion: - description: 'APIVersion is the API version of the Snapshot. 
- Provisional: when the calculation method of the Digest field - is changed, this field will be used to distinguish between - the old and new methods.' - type: string - chartName: - description: ChartName is the chart name of the release object - in storage. - type: string - chartVersion: - description: ChartVersion is the chart version of the release - object in storage. - type: string - configDigest: - description: ConfigDigest is the checksum of the config (better - known as "values") of the release object in storage. It has - the format of `:`. - type: string - deleted: - description: Deleted is when the release was deleted. - format: date-time - type: string - digest: - description: Digest is the checksum of the release object in - storage. It has the format of `:`. - type: string - firstDeployed: - description: FirstDeployed is when the release was first deployed. - format: date-time - type: string - lastDeployed: - description: LastDeployed is when the release was last deployed. - format: date-time - type: string - name: - description: Name is the name of the release. - type: string - namespace: - description: Namespace is the namespace the release is deployed - to. - type: string - status: - description: Status is the current state of the release. - type: string - testHooks: - additionalProperties: - description: TestHookStatus holds the status information for - a test hook as observed to be run by the controller. - properties: - lastCompleted: - description: LastCompleted is the time the test hook last - completed. - format: date-time - type: string - lastStarted: - description: LastStarted is the time the test hook was - last started. - format: date-time - type: string - phase: - description: Phase the test hook was observed to be in. - type: string - type: object - description: TestHooks is the list of test hooks for the release - as observed to be run by the controller. 
- type: object - version: - description: Version is the version of the release object in - storage. - type: integer - required: - - chartName - - chartVersion - - configDigest - - digest - - firstDeployed - - lastDeployed - - name - - namespace - - status - - version - type: object - type: array - installFailures: - description: InstallFailures is the install failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - lastAppliedRevision: - description: 'LastAppliedRevision is the revision of the last successfully - applied source. Deprecated: the revision can now be found in the - History.' - type: string - lastAttemptedConfigDigest: - description: LastAttemptedConfigDigest is the digest for the config - (better known as "values") of the last reconciliation attempt. - type: string - lastAttemptedGeneration: - description: LastAttemptedGeneration is the last generation the controller - attempted to reconcile. - format: int64 - type: integer - lastAttemptedReleaseAction: - description: LastAttemptedReleaseAction is the last release action - performed for this HelmRelease. It is used to determine the active - remediation strategy. - enum: - - install - - upgrade - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the Source revision of the last - reconciliation attempt. - type: string - lastAttemptedValuesChecksum: - description: 'LastAttemptedValuesChecksum is the SHA1 checksum for - the values of the last reconciliation attempt. Deprecated: Use LastAttemptedConfigDigest - instead.' - type: string - lastHandledForceAt: - description: LastHandledForceAt holds the value of the most recent - force request value, so a change of the annotation value can be - detected. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - lastHandledResetAt: - description: LastHandledResetAt holds the value of the most recent - reset request value, so a change of the annotation value can be - detected. - type: string - lastReleaseRevision: - description: 'LastReleaseRevision is the revision of the last successful - Helm release. Deprecated: Use History instead.' - type: integer - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - storageNamespace: - description: StorageNamespace is the namespace of the Helm release - storage for the current release. - maxLength: 63 - minLength: 1 - type: string - upgradeFailures: - description: UpgradeFailures is the upgrade failure count against - the latest desired state. It is reset after a successful reconciliation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml deleted file mode 100644 index 8177c17c..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/helm-controller.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{- if and .Values.helmController.create}} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: helm-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - control-plane: controller - {{- with .Values.helmController.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - name: helm-controller -spec: - {{- if kindIs "invalid" .Values.helmController.replicas }} - replicas: 1 - {{- else }} - replicas: {{ .Values.helmController.replicas }} - {{- end}} - selector: - matchLabels: - app: helm-controller - template: - metadata: - {{- with .Values.helmController.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app: helm-controller -{{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }} - spec: - automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }} - {{- if .Values.helmController.initContainers}} - initContainers: - {{- toYaml .Values.helmController.initContainers | nindent 8}} - {{- end}} - containers: - - args: - {{- if .Values.multitenancy.enabled }} - - --no-cross-namespace-refs=true - - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} - {{- end}} - {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc - {{- end}} - - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - - --log-level={{ .Values.logLevel | default "info" }} - - --log-encoding=json - - --enable-leader-election - {{- range .Values.helmController.container.additionalArgs }} - - {{ . 
}} - {{- end}} - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.helmController.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - image: {{ template "template.image" .Values.helmController }} - {{- if .Values.helmController.imagePullPolicy }} - imagePullPolicy: {{ .Values.helmController.imagePullPolicy }} - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - {{- with .Values.helmController.resources }} - resources: {{ toYaml . | nindent 10 }} - {{- end }} - {{- if .Values.helmController.securityContext }} - securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - volumeMounts: - - mountPath: /tmp - name: temp - {{- if .Values.helmController.volumeMounts }} - {{- toYaml .Values.helmController.volumeMounts | nindent 8 }} - {{- end}} - {{- if .Values.helmController.priorityClassName }} - priorityClassName: {{ .Values.helmController.priorityClassName | quote }} - {{- end }} - {{- if .Values.helmController.podSecurityContext }} - securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }} - {{- end }} - serviceAccountName: helm-controller - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - terminationGracePeriodSeconds: 600 - volumes: - - emptyDir: {} - name: temp - {{- if .Values.helmController.volumes }} - {{- toYaml .Values.helmController.volumes | nindent 6 }} - {{- end}} - {{- with .Values.helmController.nodeSelector }} - 
nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.helmController.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.helmController.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml deleted file mode 100644 index ac41e696..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller-sa.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.imageAutomationController.create }} -{{- if .Values.imageAutomationController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: image-automation-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: image-automation-controller - {{- with .Values.imageAutomationController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml deleted file mode 100644 index 53b711ee..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.crds.yaml +++ /dev/null 
@@ -1,326 +0,0 @@ -{{- if and .Values.installCRDs .Values.imageAutomationController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: image-automation-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: imageupdateautomations.image.toolkit.fluxcd.io -spec: - group: image.toolkit.fluxcd.io - names: - kind: ImageUpdateAutomation - listKind: ImageUpdateAutomationList - plural: imageupdateautomations - singular: imageupdateautomation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastAutomationRunTime - name: Last run - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ImageUpdateAutomation is the Schema for the imageupdateautomations - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageUpdateAutomationSpec defines the desired state of ImageUpdateAutomation - properties: - git: - description: GitSpec contains all the git-specific definitions. This - is technically optional, but in practice mandatory until there are - other kinds of source allowed. - properties: - checkout: - description: Checkout gives the parameters for cloning the git - repository, ready to make changes. If not present, the `spec.ref` - field from the referenced `GitRepository` or its default will - be used. - properties: - ref: - description: Reference gives a branch, tag or commit to clone - from the Git repository. - properties: - branch: - description: Branch to check out, defaults to 'master' - if no other field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence - over all reference fields. \n This can be combined with - Branch to shallow clone the branch, in which the commit - is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes - precedence over Branch, Tag and SemVer. \n It must be - a valid Git reference: https://git-scm.com/docs/git-check-ref-format#_description - Examples: \"refs/heads/main\", \"refs/tags/v0.1.0\", - \"refs/pull/420/head\", \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes - precedence over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - required: - - ref - type: object - commit: - description: Commit specifies how to commit to the git repository. - properties: - author: - description: Author gives the email and optionally the name - to use as the author of commits. 
- properties: - email: - description: Email gives the email to provide when making - a commit. - type: string - name: - description: Name gives the name to provide when making - a commit. - type: string - required: - - email - type: object - messageTemplate: - description: MessageTemplate provides a template for the commit - message, into which will be interpolated the details of - the change made. - type: string - signingKey: - description: SigningKey provides the option to sign commits - with a GPG key - properties: - secretRef: - description: SecretRef holds the name to a secret that - contains a 'git.asc' key corresponding to the ASCII - Armored file containing the GPG signing keypair as the - value. It must be in the same namespace as the ImageUpdateAutomation. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - type: object - required: - - author - type: object - push: - description: Push specifies how and where to push commits made - by the automation. If missing, commits are pushed (back) to - `.spec.checkout.branch` or its default. - properties: - branch: - description: Branch specifies that commits should be pushed - to the branch named. The branch is created using `.spec.checkout.branch` - as the starting point, if it doesn't already exist. - type: string - options: - additionalProperties: - type: string - description: 'Options specifies the push options that are - sent to the Git server when performing a push operation. - For details, see: https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt' - type: object - refspec: - description: 'Refspec specifies the Git Refspec to use for - a push operation. If both Branch and Refspec are provided, - then the commit is pushed to the branch and also using the - specified refspec. 
For more details about Git Refspecs, - see: https://git-scm.com/book/en/v2/Git-Internals-The-Refspec' - type: string - type: object - required: - - commit - type: object - interval: - description: Interval gives an lower bound for how often the automation - run should be attempted. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - sourceRef: - description: SourceRef refers to the resource giving access details - to a git repository. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - default: GitRepository - description: Kind of the referent. - enum: - - GitRepository - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: Suspend tells the controller to not run this automation, - until it is unset (or set to false). Defaults to false. - type: boolean - update: - default: - strategy: Setters - description: Update gives the specification for how to update the - files in the repository. This can be left empty, to use the default - value. - properties: - path: - description: Path to the directory containing the manifests to - be updated. Defaults to 'None', which translates to the root - path of the GitRepositoryRef. - type: string - strategy: - default: Setters - description: Strategy names the strategy to be used. - enum: - - Setters - type: string - required: - - strategy - type: object - required: - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: ImageUpdateAutomationStatus defines the observed state of - ImageUpdateAutomation - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAutomationRunTime: - description: LastAutomationRunTime records the last time the controller - ran this automation through to completion (even if no updates were - made). - format: date-time - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastPushCommit: - description: LastPushCommit records the SHA1 of the last commit made - by the controller, for this automation object - type: string - lastPushTime: - description: LastPushTime records the time of the last pushed change. - format: date-time - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml deleted file mode 100644 index 40e4da8d..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-automation-controller.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{- if and .Values.imageAutomationController.create}} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: image-automation-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - control-plane: controller - {{- with .Values.imageAutomationController.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - name: image-automation-controller -spec: - {{- if kindIs "invalid" .Values.imageAutomationController.replicas }} - replicas: 1 - {{- else }} - replicas: {{ .Values.imageAutomationController.replicas }} - {{- end}} - selector: - matchLabels: - app: image-automation-controller - template: - metadata: - {{- with .Values.imageAutomationController.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app: image-automation-controller -{{ with .Values.imageAutomationController.labels }}{{ toYaml . | indent 8 }}{{ end }} - spec: - automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }} - {{- if .Values.imageAutomationController.initContainers}} - initContainers: - {{- toYaml .Values.imageAutomationController.initContainers | nindent 8}} - {{- end}} - containers: - - args: - {{- if .Values.multitenancy.enabled }} - - --no-cross-namespace-refs=true - {{- end}} - {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc - {{- end}} - - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - - --log-level={{ .Values.logLevel | default "info" }} - - --log-encoding=json - - --enable-leader-election - {{- range .Values.imageAutomationController.container.additionalArgs }} - - {{ . 
}} - {{- end}} - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.imageAutomationController.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - image: {{ template "template.image" .Values.imageAutomationController }} - {{- if .Values.imageAutomationController.imagePullPolicy }} - imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }} - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - {{- with .Values.imageAutomationController.resources }} - resources: {{ toYaml . | nindent 10 }} - {{- end }} - {{- if .Values.imageAutomationController.securityContext }} - securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - volumeMounts: - - mountPath: /tmp - name: temp - {{- if .Values.imageAutomationController.volumeMounts }} - {{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }} - {{- end}} - {{- if .Values.imageAutomationController.priorityClassName }} - priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }} - {{- end }} - {{- if .Values.imageAutomationController.podSecurityContext }} - securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }} - {{- else }} - securityContext: - fsGroup: 1337 - {{- end}} - serviceAccountName: image-automation-controller - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - terminationGracePeriodSeconds: 10 - volumes: - - 
emptyDir: {} - name: temp - {{- if .Values.imageAutomationController.volumes }} - {{- toYaml .Values.imageAutomationController.volumes | nindent 6 }} - {{- end}} - {{- with .Values.imageAutomationController.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imageAutomationController.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imageAutomationController.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml deleted file mode 100644 index 16f9cb9d..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller-sa.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.imageReflectionController.create }} -{{- if .Values.imageReflectionController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: image-reflector-controller - {{- with .Values.imageReflectionController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml deleted file mode 100644 index 1bf92fae..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.crds.yaml +++ /dev/null 
@@ -1,901 +0,0 @@ -{{- if and .Values.installCRDs .Values.imageReflectionController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: imagepolicies.image.toolkit.fluxcd.io -spec: - group: image.toolkit.fluxcd.io - names: - kind: ImagePolicy - listKind: ImagePolicyList - plural: imagepolicies - singular: imagepolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.latestImage - name: LatestImage - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ImagePolicy is the Schema for the imagepolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImagePolicySpec defines the parameters for calculating the - ImagePolicy - properties: - filterTags: - description: FilterTags enables filtering for only a subset of tags - based on a set of rules. If no rules are provided, all the tags - from the repository will be ordered and compared. - properties: - extract: - description: Extract allows a capture group to be extracted from - the specified regular expression pattern, useful before tag - evaluation. - type: string - pattern: - description: Pattern specifies a regular expression pattern used - to filter for image tags. - type: string - type: object - imageRepositoryRef: - description: ImageRepositoryRef points at the object specifying the - image being scanned - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - policy: - description: Policy gives the particulars of the policy to be followed - in selecting the most recent image - properties: - alphabetical: - description: Alphabetical set of rules to use for alphabetical - ordering of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the letters of the alphabet as tags, ascending order - would select Z, and descending order would select A. - enum: - - asc - - desc - type: string - type: object - numerical: - description: Numerical set of rules to use for numerical ordering - of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the integer values from 0 to 9 as tags, ascending - order would select 9, and descending order would select - 0. 
- enum: - - asc - - desc - type: string - type: object - semver: - description: SemVer gives a semantic version range to check against - the tags available. - properties: - range: - description: Range gives a semver range for the image tag; - the highest version within the range that's a tag yields - the latest image. - type: string - required: - - range - type: object - type: object - required: - - imageRepositoryRef - - policy - type: object - status: - default: - observedGeneration: -1 - description: ImagePolicyStatus defines the observed state of ImagePolicy - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. 
For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - latestImage: - description: LatestImage gives the first in the list of images scanned - by the image repository, when filtered and ordered according to - the policy. 
- type: string - observedGeneration: - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.latestImage - name: LatestImage - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: ImagePolicy is the Schema for the imagepolicies API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImagePolicySpec defines the parameters for calculating the - ImagePolicy. - properties: - filterTags: - description: FilterTags enables filtering for only a subset of tags - based on a set of rules. If no rules are provided, all the tags - from the repository will be ordered and compared. - properties: - extract: - description: Extract allows a capture group to be extracted from - the specified regular expression pattern, useful before tag - evaluation. - type: string - pattern: - description: Pattern specifies a regular expression pattern used - to filter for image tags. - type: string - type: object - imageRepositoryRef: - description: ImageRepositoryRef points at the object specifying the - image being scanned - properties: - name: - description: Name of the referent. 
- type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - policy: - description: Policy gives the particulars of the policy to be followed - in selecting the most recent image - properties: - alphabetical: - description: Alphabetical set of rules to use for alphabetical - ordering of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the letters of the alphabet as tags, ascending order - would select Z, and descending order would select A. - enum: - - asc - - desc - type: string - type: object - numerical: - description: Numerical set of rules to use for numerical ordering - of the tags. - properties: - order: - default: asc - description: Order specifies the sorting order of the tags. - Given the integer values from 0 to 9 as tags, ascending - order would select 9, and descending order would select - 0. - enum: - - asc - - desc - type: string - type: object - semver: - description: SemVer gives a semantic version range to check against - the tags available. - properties: - range: - description: Range gives a semver range for the image tag; - the highest version within the range that's a tag yields - the latest image. - type: string - required: - - range - type: object - type: object - required: - - imageRepositoryRef - - policy - type: object - status: - default: - observedGeneration: -1 - description: ImagePolicyStatus defines the observed state of ImagePolicy - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - latestImage: - description: LatestImage gives the first in the list of images scanned - by the image repository, when filtered and ordered according to - the policy. - type: string - observedGeneration: - format: int64 - type: integer - observedPreviousImage: - description: ObservedPreviousImage is the observed previous LatestImage. - It is used to keep track of the previous and current images. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: imagerepositories.image.toolkit.fluxcd.io -spec: - group: image.toolkit.fluxcd.io - names: - kind: ImageRepository - listKind: ImageRepositoryList - plural: imagerepositories - singular: imagerepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastScanResult.scanTime - name: Last scan - type: string - - jsonPath: .status.lastScanResult.tagCount - name: Tags - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ImageRepository is the Schema for the imagerepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageRepositorySpec defines the parameters for scanning an - image repository, e.g., `fluxcd/flux`. - properties: - accessFrom: - description: AccessFrom defines an ACL for allowing cross-namespace - references to the ImageRepository object based on the caller's namespace - labels. 
- properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a secret containing - either or both of \n - a PEM-encoded client certificate (`certFile`) - and private key (`keyFile`); - a PEM-encoded CA certificate (`caFile`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - exclusionList: - description: ExclusionList is a list of regex strings used to exclude - certain tags from being stored in the database. - items: - type: string - type: array - image: - description: Image is the name of the image repository - type: string - interval: - description: Interval is the length of time to wait between scans - of the image repository. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - secretRef: - description: SecretRef can be given the name of a secret containing - credentials to use for the image registry. 
The secret should be - created with `kubectl create secret docker-registry`, or the equivalent. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. - maxLength: 253 - type: string - suspend: - description: This flag tells the controller to suspend subsequent - image scans. It does not apply to already started scans. Defaults - to false. - type: boolean - timeout: - description: Timeout for image scanning. Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: object - status: - default: - observedGeneration: -1 - description: ImageRepositoryStatus defines the observed state of ImageRepository - properties: - canonicalImageName: - description: CanonicalName is the name of the image repository with - all the implied bits made explicit; e.g., `docker.io/library/alpine` - rather than `alpine`. - type: string - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastScanResult: - description: LastScanResult contains the number of fetched tags. - properties: - scanTime: - format: date-time - type: string - tagCount: - type: integer - required: - - tagCount - type: object - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.lastScanResult.scanTime - name: Last scan - type: string - - jsonPath: .status.lastScanResult.tagCount - name: Tags - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: ImageRepository is the Schema for the imagerepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ImageRepositorySpec defines the parameters for scanning an - image repository, e.g., `fluxcd/flux`. - properties: - accessFrom: - description: AccessFrom defines an ACL for allowing cross-namespace - references to the ImageRepository object based on the caller's namespace - labels. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. - \n Note: Support for the `caFile`, `certFile` and `keyFile` keys - has been deprecated." - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - exclusionList: - default: - - ^.*\.sig$ - description: ExclusionList is a list of regex strings used to exclude - certain tags from being stored in the database. - items: - type: string - maxItems: 25 - type: array - image: - description: Image is the name of the image repository - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. - type: boolean - interval: - description: Interval is the length of time to wait between scans - of the image repository. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - provider: - default: generic - description: The provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. When not specified, defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - secretRef: - description: SecretRef can be given the name of a secret containing - credentials to use for the image registry. The secret should be - created with `kubectl create secret docker-registry`, or the equivalent. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. - maxLength: 253 - type: string - suspend: - description: This flag tells the controller to suspend subsequent - image scans. It does not apply to already started scans. Defaults - to false. - type: boolean - timeout: - description: Timeout for image scanning. Defaults to 'Interval' duration. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: object - status: - default: - observedGeneration: -1 - description: ImageRepositoryStatus defines the observed state of ImageRepository - properties: - canonicalImageName: - description: CanonicalName is the name of the image repository with - all the implied bits made explicit; e.g., `docker.io/library/alpine` - rather than `alpine`. - type: string - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - lastScanResult: - description: LastScanResult contains the number of fetched tags. - properties: - latestTags: - items: - type: string - type: array - scanTime: - format: date-time - type: string - tagCount: - type: integer - required: - - tagCount - type: object - observedExclusionList: - description: ObservedExclusionList is a list of observed exclusion - list. It reflects the exclusion rules used for the observed scan - result in spec.lastScanResult. 
- items: - type: string - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml deleted file mode 100644 index 6be9c3e1..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/image-reflector-controller.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -{{- if and .Values.imageReflectionController.create }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: image-reflector-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - control-plane: controller - {{- with .Values.imageReflectionController.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - name: image-reflector-controller -spec: - {{- if kindIs "invalid" .Values.imageReflectionController.replicas }} - replicas: 1 - {{- else }} - replicas: {{ .Values.imageReflectionController.replicas }} - {{- end}} - selector: - matchLabels: - app: image-reflector-controller - template: - metadata: - {{- with .Values.imageReflectionController.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - labels: - app: image-reflector-controller -{{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }} - spec: - automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }} - {{- if .Values.imageReflectionController.initContainers}} - initContainers: - {{- toYaml .Values.imageReflectionController.initContainers | nindent 8}} - {{- end}} - containers: - - args: - {{- if .Values.multitenancy.enabled }} - - --no-cross-namespace-refs=true - {{- end}} - {{- if .Values.notificationController.create }} - - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc - {{- end}} - - --watch-all-namespaces={{ .Values.watchAllNamespaces }} - - --log-level={{ .Values.logLevel | default "info" }} - - --log-encoding=json - - --enable-leader-election - {{- range .Values.imageReflectionController.container.additionalArgs }} - - {{ . 
}} - {{- end}} - env: - - name: RUNTIME_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.imageReflectionController.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - image: {{ template "template.image" .Values.imageReflectionController }} - {{- if .Values.imageReflectionController.imagePullPolicy }} - imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }} - {{- else }} - imagePullPolicy: IfNotPresent - {{- end }} - livenessProbe: - httpGet: - path: /healthz - port: healthz - name: manager - ports: - - containerPort: 8080 - name: http-prom - - containerPort: 9440 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: healthz - {{- with .Values.imageReflectionController.resources }} - resources: {{ toYaml . | nindent 10 }} - {{- end }} - {{- if .Values.imageReflectionController.securityContext }} - securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }} - {{- else }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - {{- end}} - volumeMounts: - - mountPath: /tmp - name: temp - - mountPath: /data - name: data - {{- if .Values.imageReflectionController.volumeMounts }} - {{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }} - {{- end}} - {{- if .Values.imageReflectionController.priorityClassName }} - priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }} - {{- end }} - {{- if .Values.imageReflectionController.podSecurityContext }} - securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }} - {{- else }} - securityContext: - fsGroup: 1337 - {{- end}} - serviceAccountName: image-reflector-controller - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} - {{- end }} - 
terminationGracePeriodSeconds: 10 - volumes: - - emptyDir: {} - name: temp - - emptyDir: {} - name: data - {{- if .Values.imageReflectionController.volumes }} - {{- toYaml .Values.imageReflectionController.volumes | nindent 6 }} - {{- end}} - {{- with .Values.imageReflectionController.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imageReflectionController.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.imageReflectionController.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml deleted file mode 100644 index 140c30b1..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-sa.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.kustomizeController.create }} -{{- if .Values.kustomizeController.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: kustomize-controller - {{- with .Values.kustomizeController.serviceAccount.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml deleted file mode 100644 index 8a547043..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller-secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.kustomizeController.secret.create }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.kustomizeController.secret.name }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/instance: {{ .Release.Namespace | quote }} - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - app.kubernetes.io/part-of: flux - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} -type: Opaque -data: - {{- range $key, $value := .Values.kustomizeController.secret.data }} - {{ $key }}: {{ $value | toString | b64enc | quote }} - {{- end }} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml deleted file mode 100644 index 433cce66..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.crds.yaml +++ /dev/null 
@@ -1,1640 +0,0 @@ -{{- if and .Values.installCRDs .Values.kustomizeController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: kustomize-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: kustomizations.kustomize.toolkit.fluxcd.io -spec: - group: kustomize.toolkit.fluxcd.io - names: - kind: Kustomization - listKind: KustomizationList - plural: kustomizations - shortNames: - - ks - singular: kustomization - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. 
- type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - This interval is approximate and may be subject to jitter to ensure - efficient use of resources. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. 
- type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names, and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 Kustomization is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the desired state of a kustomization. - properties: - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. - items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. 
- properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. - type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When specified, KubeConfig takes precedence over - ServiceAccountName. - properties: - secretRef: - description: SecretRef holds the name to a secret that contains - a 'value' key with the kubeconfig file as the value. It must - be in the same namespace as the Kustomization. It is recommended - that the kubeconfig is self-contained, and the secret is regularly - updated if credentials such as a cloud-access-token expire. - Cloud specific `cmd-path` auth helpers will not function without - adding binaries and credentials to the Pod that is responsible - for reconciling the Kustomization. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. - type: string - target: - description: Target points to the resources that the patch document - should be applied to. 
- properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: JSON 6902 patches, defined as inline YAML objects. - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. - properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. 
- items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. 
- Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: Strategic merge patches, defined as inline YAML objects. - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. 
- type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - GitRepository - - Bucket - type: string - name: - description: Name of the referent - type: string - namespace: - description: Namespace of the referent, defaults to the Kustomization - namespace - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. 
- type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - type: string - validation: - description: Validate the Kubernetes objects before applying them - on the cluster. The validation strategy can be 'client' (local dry-run), - 'server' (APIServer dry-run) or 'none'. When 'Force' is 'true', - validation will fallback to 'client' if set to 'server' because - server-side validation is not supported in this scenario. - enum: - - none - - client - - server - type: string - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastAppliedRevision: - description: The last successfully applied revision. The revision - format for Git sources is /. 
- type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - snapshot: - description: The last successfully applied revision metadata. - properties: - checksum: - description: The manifests sha1 checksum. - type: string - entries: - description: A list of Kubernetes kinds grouped by namespace. - items: - description: Snapshot holds the metadata of namespaced Kubernetes - objects - properties: - kinds: - additionalProperties: - type: string - description: The list of Kubernetes kinds. - type: object - namespace: - description: The namespace of this entry. - type: string - required: - - kinds - type: object - type: array - required: - - checksum - - entries - type: object - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Kustomization is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Kustomization is the Schema for the kustomizations API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KustomizationSpec defines the configuration to calculate - the desired state from a Source using Kustomize. - properties: - commonMetadata: - description: CommonMetadata specifies the common labels and annotations - that are applied to all resources. Any existing label or annotation - will be overridden if its key matches a common one. - properties: - annotations: - additionalProperties: - type: string - description: Annotations to be added to the object's metadata. - type: object - labels: - additionalProperties: - type: string - description: Labels to be added to the object's metadata. - type: object - type: object - components: - description: Components specifies relative paths to specifications - of other Components. - items: - type: string - type: array - decryption: - description: Decrypt Kubernetes secrets before applying them on the - cluster. - properties: - provider: - description: Provider is the name of the decryption engine. - enum: - - sops - type: string - secretRef: - description: The secret name containing the private OpenPGP keys - used for decryption. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - dependsOn: - description: DependsOn may contain a meta.NamespacedObjectReference - slice with references to Kustomization resources that must be ready - before this Kustomization can be reconciled. 
- items: - description: NamespacedObjectReference contains enough information - to locate the referenced Kubernetes resource object in any namespace. - properties: - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - name - type: object - type: array - force: - default: false - description: Force instructs the controller to recreate resources - when patching fails due to an immutable field change. - type: boolean - healthChecks: - description: A list of resources to be included in the health assessment. - items: - description: NamespacedObjectKindReference contains enough information - to locate the typed referenced Kubernetes resource object in any - namespace. - properties: - apiVersion: - description: API version of the referent, if not specified the - Kubernetes preferred version will be used. - type: string - kind: - description: Kind of the referent. - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, when not specified it - acts as LocalObjectReference. - type: string - required: - - kind - - name - type: object - type: array - images: - description: Images is a list of (image name, new name, new tag or - digest) for changing image names, tags or digests. This can also - be achieved with a patch, but this operator is simpler to specify. - items: - description: Image contains an image name, a new name, a new tag - or digest, which will replace the original name and tag. - properties: - digest: - description: Digest is the value used to replace the original - image tag. If digest is present NewTag value is ignored. - type: string - name: - description: Name is a tag-less image name. - type: string - newName: - description: NewName is the value used to replace the original - name. 
- type: string - newTag: - description: NewTag is the value used to replace the original - tag. - type: string - required: - - name - type: object - type: array - interval: - description: The interval at which to reconcile the Kustomization. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - kubeConfig: - description: The KubeConfig for reconciling the Kustomization on a - remote cluster. When used in combination with KustomizationSpec.ServiceAccountName, - forces the controller to act on behalf of that Service Account at - the target cluster. If the --default-service-account flag is set, - its value will be used as a controller level fallback for when KustomizationSpec.ServiceAccountName - is empty. - properties: - secretRef: - description: SecretRef holds the name of a secret that contains - a key with the kubeconfig file as the value. If no key is set, - the key will default to 'value'. It is recommended that the - kubeconfig is self-contained, and the secret is regularly updated - if credentials such as a cloud-access-token expire. Cloud specific - `cmd-path` auth helpers will not function without adding binaries - and credentials to the Pod that is responsible for reconciling - Kubernetes resources. - properties: - key: - description: Key in the Secret, when not specified an implementation-specific - default key is used. - type: string - name: - description: Name of the Secret. - type: string - required: - - name - type: object - required: - - secretRef - type: object - patches: - description: Strategic merge and JSON patches, defined as inline YAML - objects, capable of targeting objects based on kind, label and annotation - selectors. - items: - description: Patch contains an inline StrategicMerge or JSON6902 - patch, and the target the patch should be applied to. - properties: - patch: - description: Patch contains an inline StrategicMerge patch or - an inline JSON6902 patch with an array of operation objects. 
- type: string - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - type: object - type: array - patchesJson6902: - description: 'JSON 6902 patches, defined as inline YAML objects. Deprecated: - Use Patches instead.' - items: - description: JSON6902Patch contains a JSON6902 patch and the target - the patch should be applied to. 
- properties: - patch: - description: Patch contains the JSON6902 patch document with - an array of operation objects. - items: - description: JSON6902 is a JSON6902 operation object. https://datatracker.ietf.org/doc/html/rfc6902#section-4 - properties: - from: - description: From contains a JSON-pointer value that references - a location within the target document where the operation - is performed. The meaning of the value depends on the - value of Op, and is NOT taken into account by all operations. - type: string - op: - description: Op indicates the operation to perform. Its - value MUST be one of "add", "remove", "replace", "move", - "copy", or "test". https://datatracker.ietf.org/doc/html/rfc6902#section-4 - enum: - - test - - remove - - add - - replace - - move - - copy - type: string - path: - description: Path contains the JSON-pointer value that - references a location within the target document where - the operation is performed. The meaning of the value - depends on the value of Op. - type: string - value: - description: Value contains a valid JSON structure. The - meaning of the value depends on the value of Op, and - is NOT taken into account by all operations. - x-kubernetes-preserve-unknown-fields: true - required: - - op - - path - type: object - type: array - target: - description: Target points to the resources that the patch document - should be applied to. - properties: - annotationSelector: - description: AnnotationSelector is a string that follows - the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource annotations. - type: string - group: - description: Group is the API group to select resources - from. Together with Version and Kind it is capable of - unambiguously identifying and/or selecting resources. 
- https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - kind: - description: Kind of the API Group to select resources from. - Together with Group and Version it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - labelSelector: - description: LabelSelector is a string that follows the - label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api - It matches with the resource labels. - type: string - name: - description: Name to match resources with. - type: string - namespace: - description: Namespace to select resources from. - type: string - version: - description: Version of the API Group to select resources - from. Together with Group and Kind it is capable of unambiguously - identifying and/or selecting resources. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md - type: string - type: object - required: - - patch - - target - type: object - type: array - patchesStrategicMerge: - description: 'Strategic merge patches, defined as inline YAML objects. - Deprecated: Use Patches instead.' - items: - x-kubernetes-preserve-unknown-fields: true - type: array - path: - description: Path to the directory containing the kustomization.yaml - file, or the set of plain YAMLs a kustomization.yaml should be generated - for. Defaults to 'None', which translates to the root path of the - SourceRef. - type: string - postBuild: - description: PostBuild describes which actions to perform on the YAML - manifest generated by building the kustomize overlay. - properties: - substitute: - additionalProperties: - type: string - description: Substitute holds a map of key/value pairs. 
The variables - defined in your YAML manifests that match any of the keys defined - in the map will be substituted with the set value. Includes - support for bash string replacement functions e.g. ${var:=default}, - ${var:position} and ${var/substring/replacement}. - type: object - substituteFrom: - description: SubstituteFrom holds references to ConfigMaps and - Secrets containing the variables and their values to be substituted - in the YAML manifests. The ConfigMap and the Secret data keys - represent the var names and they must match the vars declared - in the manifests for the substitution to happen. - items: - description: SubstituteReference contains a reference to a resource - containing the variables name and value. - properties: - kind: - description: Kind of the values referent, valid values are - ('Secret', 'ConfigMap'). - enum: - - Secret - - ConfigMap - type: string - name: - description: Name of the values referent. Should reside - in the same namespace as the referring resource. - maxLength: 253 - minLength: 1 - type: string - optional: - default: false - description: Optional indicates whether the referenced resource - must exist, or whether to tolerate its absence. If true - and the referenced resource is absent, proceed as if the - resource was present but empty, without any variables - defined. - type: boolean - required: - - kind - - name - type: object - type: array - type: object - prune: - description: Prune enables garbage collection. - type: boolean - retryInterval: - description: The interval at which to retry a previously failed reconciliation. - When not specified, the controller uses the KustomizationSpec.Interval - value to retry failures. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - serviceAccountName: - description: The name of the Kubernetes service account to impersonate - when reconciling this Kustomization. - type: string - sourceRef: - description: Reference of the source where the kustomization file - is. 
- properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: Kind of the referent. - enum: - - OCIRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - namespace: - description: Namespace of the referent, defaults to the namespace - of the Kubernetes resource object that contains the reference. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - kustomize executions, it does not apply to already started executions. - Defaults to false. - type: boolean - targetNamespace: - description: TargetNamespace sets or overrides the namespace in the - kustomization.yaml file. - maxLength: 63 - minLength: 1 - type: string - timeout: - description: Timeout for validation, apply and health checking operations. - Defaults to 'Interval' duration. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - validation: - description: 'Deprecated: Not used in v1beta2.' - enum: - - none - - client - - server - type: string - wait: - description: Wait instructs the controller to check the health of - all the reconciled resources. When enabled, the HealthChecks are - ignored. Defaults to false. - type: boolean - required: - - interval - - prune - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: KustomizationStatus defines the observed state of a kustomization. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - inventory: - description: Inventory contains the list of Kubernetes resource object - references that have been successfully applied. - properties: - entries: - description: Entries of Kubernetes resource object references. - items: - description: ResourceRef contains the information necessary - to locate a resource within a cluster. - properties: - id: - description: ID is the string representation of the Kubernetes - resource object's metadata, in the format '___'. - type: string - v: - description: Version is the API version of the Kubernetes - resource object's kind. - type: string - required: - - id - - v - type: object - type: array - required: - - entries - type: object - lastAppliedRevision: - description: The last successfully applied revision. Equals the Revision - of the applied Artifact from the referenced Source. - type: string - lastAttemptedRevision: - description: LastAttemptedRevision is the revision of the last reconciliation - attempt. - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} 
diff --git a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml deleted file mode 100644 index 6473dbe0..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/kustomize-controller.yaml +++ /dev/null 
@@ -1,158 +0,0 @@
-{{- if and .Values.kustomizeController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/component: kustomize-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.kustomizeController.labels }}
- {{- . | toYaml | nindent 4 }}
- {{- end }}
- name: kustomize-controller
-spec:
- {{- if kindIs "invalid" .Values.kustomizeController.replicas }}
- replicas: 1
- {{- else }}
- replicas: {{ .Values.kustomizeController.replicas }}
- {{- end}}
- selector:
- matchLabels:
- app: kustomize-controller
- template:
- metadata:
- {{- with .Values.kustomizeController.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app: kustomize-controller
-{{ with .Values.kustomizeController.labels }}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- automountServiceAccountToken: {{ .Values.kustomizeController.serviceAccount.automount }}
- {{- if .Values.kustomizeController.initContainers}}
- initContainers:
- {{- toYaml .Values.kustomizeController.initContainers | nindent 8}}
- {{- end}}
- containers:
- - args:
- {{- if .Values.multitenancy.enabled }}
- - --no-cross-namespace-refs=true
- - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }}
- {{- end}}
- {{- if .Values.notificationController.create }}
- - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
- {{- end}}
- - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- - --log-level={{ .Values.logLevel | default "info" }}
- - --log-encoding=json
- - --enable-leader-election
- {{- range .Values.kustomizeController.container.additionalArgs }}
- - {{ . }}
- {{- end}}
- env:
- - name: RUNTIME_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- with .Values.kustomizeController.extraEnv }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if or (.Values.kustomizeController.envFrom.map.name) (.Values.kustomizeController.envFrom.secret.name) }}
- envFrom:
- {{- if .Values.kustomizeController.envFrom.map.name }}
- - configMapRef:
- name: {{ .Values.kustomizeController.envFrom.map.name }}
- {{- end }}
- {{- if .Values.kustomizeController.envFrom.secret.name }}
- - secretRef:
- name: {{ .Values.kustomizeController.envFrom.secret.name }}
- {{- end }}
- {{- end }}
- image: {{ template "template.image" .Values.kustomizeController }}
- {{- if .Values.kustomizeController.imagePullPolicy }}
- imagePullPolicy: {{ .Values.kustomizeController.imagePullPolicy }}
- {{- else }}
- imagePullPolicy: IfNotPresent
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- name: manager
- ports:
- - containerPort: 8080
- name: http-prom
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- {{- with .Values.kustomizeController.resources }}
- resources: {{ toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.kustomizeController.securityContext }}
- securityContext: {{ toYaml .Values.kustomizeController.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- volumeMounts:
- - mountPath: /tmp
- name: temp
- {{- if .Values.kustomizeController.volumeMounts }}
- {{- toYaml .Values.kustomizeController.volumeMounts | nindent 8 }}
- {{- end}}
- {{- if .Values.kustomizeController.priorityClassName }}
- priorityClassName: {{ .Values.kustomizeController.priorityClassName | quote }}
- {{- end }}
- {{- range .Values.kustomizeController.extraSecretMounts }}
- - name: {{ .name }}
- mountPath: {{ .mountPath }}
- subPath: {{ .subPath }}
- readOnly: {{ .readOnly }}
- {{- end }}
- {{- if .Values.kustomizeController.podSecurityContext }}
- securityContext: {{ toYaml .Values.kustomizeController.podSecurityContext | nindent 8 }}
- {{- else }}
- securityContext:
- fsGroup: 1337
- {{- end}}
- serviceAccountName: kustomize-controller
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- terminationGracePeriodSeconds: 60
- volumes:
- - emptyDir: {}
- name: temp
- {{- if .Values.kustomizeController.volumes }}
- {{- toYaml .Values.kustomizeController.volumes | nindent 6 }}
- {{- end}}
- {{- range .Values.kustomizeController.extraSecretMounts }}
- - name: {{ .name }}
- secret:
- secretName: {{ .secretName }}
- {{- end }}
- {{- with .Values.kustomizeController.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.kustomizeController.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.kustomizeController.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml
deleted file mode 100644
index 942cd68c..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-ingress.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- {{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
- annotations:
- {{- range $key, $value := . }}
- {{ $key }}: {{ tpl $value $ | quote }}
- {{- end }}
- {{- end }}
- name: webhook-receiver
-spec:
- {{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
- ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
- {{- end -}}
- {{- if .Values.notificationController.webhookReceiver.ingress.tls }}
- tls:
- {{- range .Values.notificationController.webhookReceiver.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ .path }}
- pathType: {{ .pathType }}
- backend:
- service:
- name: webhook-receiver
- port:
- number: 80
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml
deleted file mode 100644
index b44e8dac..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-sa.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.notificationController.create -}}
-{{- if .Values.notificationController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/component: notification-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: notification-controller
- {{- with .Values.notificationController.serviceAccount.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml
deleted file mode 100644
index 79b12dc6..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-service.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- name: notification-controller
- {{- with .Values.notificationController.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- {{- if .Values.notificationController.service.ports }}
- {{- toYaml .Values.notificationController.service.ports | nindent 2 }}
- {{- end}}
- selector:
- app: notification-controller
- type: ClusterIP
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml
deleted file mode 100644
index 3d71034a..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller-webhook-service.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- name: webhook-receiver
- {{- with .Values.notificationController.webhookReceiver.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: 9292
- selector:
- app: notification-controller
- type: ClusterIP
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml
deleted file mode 100644
index b6dbf6ed..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/notification-controller.crds.yaml
+++ /dev/null
@@ -1,1790 +0,0 @@ -{{- if and .Values.installCRDs .Values.notificationController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: alerts.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Alert - listKind: AlertList - plural: alerts - singular: alert - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Alert is deprecated, upgrade to v1beta3 - name: v1beta1 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects - properties: - eventSeverity: - default: info - description: Filter events based on severity, defaults to ('info'). - If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: Filter events based on the involved objects. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - exclusionList: - description: A list of Golang regular expressions to be used for excluding - messages. - items: - type: string - type: array - providerRef: - description: Send events using this provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Short description of the impact and affected cluster. 
- type: string - suspend: - description: This flag tells the controller to suspend subsequent - events dispatching. Defaults to false. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of Alert - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. 
Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Alert is deprecated, upgrade to v1beta3 - name: v1beta2 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects. - properties: - eventMetadata: - additionalProperties: - type: string - description: EventMetadata is an optional field for adding metadata - to events dispatched by the controller. This can be used for enhancing - the context of the event. If a field would override one already - present on the original event as generated by the emitter, then - the override doesn't happen, i.e. the original value is preserved, - and an info log is printed. - type: object - eventSeverity: - default: info - description: EventSeverity specifies how to filter events based on - severity. If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: EventSources specifies how to filter events based on - the involved object kind, name and namespace. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. 
A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - exclusionList: - description: ExclusionList specifies a list of Golang regular expressions - to be used for excluding messages. - items: - type: string - type: array - inclusionList: - description: InclusionList specifies a list of Golang regular expressions - to be used for including messages. - items: - type: string - type: array - providerRef: - description: ProviderRef specifies which Provider this Alert should - use. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Summary holds a short description of the impact and affected - cluster. - maxLength: 255 - type: string - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Alert. - type: boolean - required: - - eventSources - - providerRef - type: object - status: - default: - observedGeneration: -1 - description: AlertStatus defines the observed state of the Alert. - properties: - conditions: - description: Conditions holds the conditions for the Alert. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta3 - schema: - openAPIV3Schema: - description: Alert is the Schema for the alerts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AlertSpec defines an alerting rule for events involving a - list of objects. 
- properties: - eventMetadata: - additionalProperties: - type: string - description: EventMetadata is an optional field for adding metadata - to events dispatched by the controller. This can be used for enhancing - the context of the event. If a field would override one already - present on the original event as generated by the emitter, then - the override doesn't happen, i.e. the original value is preserved, - and an info log is printed. - type: object - eventSeverity: - default: info - description: EventSeverity specifies how to filter events based on - severity. If set to 'info' no events will be filtered. - enum: - - info - - error - type: string - eventSources: - description: EventSources specifies how to filter events based on - the involved object kind, name and namespace. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. 
- maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - exclusionList: - description: ExclusionList specifies a list of Golang regular expressions - to be used for excluding messages. - items: - type: string - type: array - inclusionList: - description: InclusionList specifies a list of Golang regular expressions - to be used for including messages. - items: - type: string - type: array - providerRef: - description: ProviderRef specifies which Provider this Alert should - use. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - summary: - description: Summary holds a short description of the impact and affected - cluster. - maxLength: 255 - type: string - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Alert. - type: boolean - required: - - eventSources - - providerRef - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: providers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Provider is deprecated, upgrade to v1beta3 - name: v1beta1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of Provider - properties: - address: - description: HTTP/S webhook address of this provider - pattern: ^(http|https):// - type: string - certSecretRef: - description: CertSecretRef can be given the name of a secret containing - a PEM-encoded CA certificate (`caFile`) - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Alert channel for this provider - type: string - proxy: - description: HTTP/S address of the proxy - pattern: ^(http|https):// - type: string - secretRef: - description: Secret reference containing the provider webhook URL - using "address" as data key - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - timeout: - description: Timeout for sending alerts to the provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of provider - enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - azuredevops - - googlechat - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - type: string - username: - description: Bot username for this provider - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of Provider - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last reconciled generation. - format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Provider is deprecated, upgrade to v1beta3 - name: v1beta2 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of the Provider. - properties: - address: - description: Address specifies the endpoint, in a generic sense, to - where alerts are sent. What kind of endpoint depends on the specific - Provider type being used. For the generic Provider, for example, - this is an HTTP/S address. For other Provider types this could be - a project ID or a namespace. - maxLength: 2048 - type: string - certSecretRef: - description: "CertSecretRef specifies the Secret containing a PEM-encoded - CA certificate (in the `ca.crt` key). \n Note: Support for the `caFile` - key has been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Channel specifies the destination channel where events - should be posted. - maxLength: 2048 - type: string - interval: - description: Interval at which to reconcile the Provider with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxy: - description: Proxy the HTTP/S address of the proxy server. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - secretRef: - description: SecretRef specifies the Secret containing the authentication - credentials for this Provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Provider. - type: boolean - timeout: - description: Timeout for sending alerts to the Provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type specifies which Provider implementation to use. 
- enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - gitea - - bitbucketserver - - bitbucket - - azuredevops - - googlechat - - googlepubsub - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - - pagerduty - - datadog - type: string - username: - description: Username specifies the name under which events are posted. - maxLength: 2048 - type: string - required: - - type - type: object - status: - default: - observedGeneration: -1 - description: ProviderStatus defines the observed state of the Provider. - properties: - conditions: - description: Conditions holds the conditions for the Provider. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last reconciled generation. 
- format: int64 - type: integer - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta3 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ProviderSpec defines the desired state of the Provider. - properties: - address: - description: Address specifies the endpoint, in a generic sense, to - where alerts are sent. What kind of endpoint depends on the specific - Provider type being used. For the generic Provider, for example, - this is an HTTP/S address. For other Provider types this could be - a project ID or a namespace. - maxLength: 2048 - type: string - certSecretRef: - description: "CertSecretRef specifies the Secret containing a PEM-encoded - CA certificate (in the `ca.crt` key). \n Note: Support for the `caFile` - key has been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - channel: - description: Channel specifies the destination channel where events - should be posted. 
- maxLength: 2048 - type: string - interval: - description: Interval at which to reconcile the Provider with its - Secret references. Deprecated and not used in v1beta3. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxy: - description: Proxy the HTTP/S address of the proxy server. - maxLength: 2048 - pattern: ^(http|https)://.*$ - type: string - secretRef: - description: SecretRef specifies the Secret containing the authentication - credentials for this Provider. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this Provider. - type: boolean - timeout: - description: Timeout for sending alerts to the Provider. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type specifies which Provider implementation to use. - enum: - - slack - - discord - - msteams - - rocket - - generic - - generic-hmac - - github - - gitlab - - gitea - - bitbucketserver - - bitbucket - - azuredevops - - googlechat - - googlepubsub - - webex - - sentry - - azureeventhub - - telegram - - lark - - matrix - - opsgenie - - alertmanager - - grafana - - githubdispatch - - pagerduty - - datadog - - nats - type: string - username: - description: Username specifies the name under which events are posted. - maxLength: 2048 - type: string - required: - - type - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: notification-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: receivers.notification.toolkit.fluxcd.io -spec: - group: notification.toolkit.fluxcd.io - names: - kind: Receiver - listKind: ReceiverList - plural: receivers - singular: receiver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. 
- items: - type: string - type: array - interval: - default: 10m - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. 
- enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - secretRef - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta1 Receiver is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of Receiver - properties: - events: - description: A list of events to handle, e.g. 'push' for GitHub or - 'Push Hook' for GitLab. - items: - type: string - type: array - resources: - description: A list of resources to be notified about changes. 
- items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - name: - description: Name of the referent - maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - name - type: object - type: array - secretRef: - description: Secret reference containing the token used to validate - the payload authenticity - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend subsequent - events handling. Defaults to false. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of Receiver - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. 
--- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: Generated webhook URL in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 Receiver is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: Receiver is the Schema for the receivers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReceiverSpec defines the desired state of the Receiver. - properties: - events: - description: Events specifies the list of event types to handle, e.g. - 'push' for GitHub or 'Push Hook' for GitLab. - items: - type: string - type: array - interval: - description: Interval at which to reconcile the Receiver with its - Secret references. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - resources: - description: A list of resources to be notified about changes. - items: - description: CrossNamespaceObjectReference contains enough information - to let you locate the typed referenced object at cluster level - properties: - apiVersion: - description: API version of the referent - type: string - kind: - description: Kind of the referent - enum: - - Bucket - - GitRepository - - Kustomization - - HelmRelease - - HelmChart - - HelmRepository - - ImageRepository - - ImagePolicy - - ImageUpdateAutomation - - OCIRepository - type: string - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. MatchLabels requires the name to be set to `*`. - type: object - name: - description: Name of the referent If multiple resources are - targeted `*` may be set. 
- maxLength: 53 - minLength: 1 - type: string - namespace: - description: Namespace of the referent - maxLength: 53 - minLength: 1 - type: string - required: - - kind - - name - type: object - type: array - secretRef: - description: SecretRef specifies the Secret containing the token used - to validate the payload authenticity. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend subsequent events - handling for this receiver. - type: boolean - type: - description: Type of webhook sender, used to determine the validation - procedure and payload deserialization. - enum: - - generic - - generic-hmac - - github - - gitlab - - bitbucket - - harbor - - dockerhub - - quay - - gcr - - nexus - - acr - type: string - required: - - resources - - type - type: object - status: - default: - observedGeneration: -1 - description: ReceiverStatus defines the observed state of the Receiver. - properties: - conditions: - description: Conditions holds the conditions for the Receiver. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Receiver object. - format: int64 - type: integer - url: - description: 'URL is the generated incoming webhook address in the - format of ''/hook/sha256sum(token+name+namespace)''. Deprecated: - Replaced by WebhookPath.' - type: string - webhookPath: - description: WebhookPath is the generated incoming webhook address - in the format of '/hook/sha256sum(token+name+namespace)'. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml deleted file mode 100644 index d4d6772d..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/notification-controller.yaml +++ /dev/null 
@@ -1,136 +0,0 @@
-{{- if and .Values.notificationController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/component: notification-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.notificationController.labels }}
- {{- . | toYaml | nindent 4 }}
- {{- end }}
- name: notification-controller
-spec:
- {{- if kindIs "invalid" .Values.notificationController.replicas }}
- replicas: 1
- {{- else }}
- replicas: {{ .Values.notificationController.replicas }}
- {{- end}}
- selector:
- matchLabels:
- app: notification-controller
- template:
- metadata:
- {{- with .Values.notificationController.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app: notification-controller
-{{ with .Values.notificationController.labels }}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
- {{- if .Values.notificationController.initContainers}}
- initContainers:
- {{- toYaml .Values.notificationController.initContainers | nindent 8}}
- {{- end}}
- containers:
- - args:
- {{- if .Values.multitenancy.enabled }}
- --no-cross-namespace-refs=true
- {{- end}}
- --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- --log-level={{ .Values.logLevel | default "info" }}
- --log-encoding=json
- --enable-leader-election
- {{- range .Values.notificationController.container.additionalArgs }}
- {{ . }}
- {{- end}}
- env:
- - name: RUNTIME_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- with .Values.notificationController.extraEnv }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- image: {{ template "template.image" .Values.notificationController }}
- {{- if .Values.notificationController.imagePullPolicy }}
- imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
- {{- else }}
- imagePullPolicy: IfNotPresent
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- name: manager
- ports:
- - containerPort: 9090
- name: http
- protocol: TCP
- - containerPort: 9292
- name: http-webhook
- protocol: TCP
- - containerPort: 8080
- name: http-prom
- protocol: TCP
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- {{- with .Values.notificationController.resources }}
- resources: {{ toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.notificationController.securityContext }}
- securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- volumeMounts:
- - mountPath: /tmp
- name: temp
- {{- if .Values.notificationController.volumeMounts }}
- {{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
- {{- end}}
- {{- if .Values.notificationController.priorityClassName }}
- priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
- {{- end }}
- {{- if .Values.notificationController.podSecurityContext }}
- securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
- {{- end }}
- serviceAccountName: notification-controller
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- terminationGracePeriodSeconds: 10
- volumes:
- - emptyDir: {}
- name: temp
- {{- if .Values.notificationController.volumes }}
- {{- toYaml .Values.notificationController.volumes | nindent 6 }}
- {{- end}}
- {{- with .Values.notificationController.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.notificationController.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.notificationController.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml b/packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml
deleted file mode 100644
index 3db75272..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/podmonitor.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{ if .Values.prometheus.podMonitor.create }}
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
- name: {{ .Release.Name }}
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- {{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
-spec:
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- selector:
- matchExpressions:
- - key: app
- operator: In
- values:
- - helm-controller
- - source-controller
- - kustomize-controller
- - notification-controller
- - image-automation-controller
- - image-reflector-controller
- podMetricsEndpoints:
-{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/policies.yaml b/packages/core/fluxcd/charts/flux2/templates/policies.yaml
deleted file mode 100644
index 731e2980..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/policies.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- if and .Values.policies.create}}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: allow-egress
-spec:
- egress:
- - {}
- ingress:
- - from:
- - podSelector: {}
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: allow-scraping
-spec:
- ingress:
- - from:
- - namespaceSelector: {}
- ports:
- - port: 8080
- protocol: TCP
- podSelector: {}
- policyTypes:
- - Ingress
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: allow-webhooks
-spec:
- ingress:
- - from:
- - namespaceSelector: {}
- podSelector:
- matchLabels:
- app: notification-controller
- policyTypes:
- - Ingress
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml b/packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml
deleted file mode 100644
index f6348698..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/pre-install-job-serviceaccount.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: "{{ .Release.Name }}-flux-check"
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-weight": "-10"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
diff --git a/packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml b/packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml
deleted file mode 100644
index 2c2541f5..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/pre-install-job.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: "{{ .Release.Name }}-flux-check"
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- annotations:
- "helm.sh/hook": pre-install
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-spec:
- backoffLimit: 1
- template:
- metadata:
- name: "{{ .Release.Name }}"
- {{- with .Values.cli.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- spec:
- restartPolicy: Never
- serviceAccountName: "{{ .Release.Name }}-flux-check"
- automountServiceAccountToken: {{ .Values.cli.serviceAccount.automount }}
- containers:
- - name: flux-cli
- image: {{ template "template.image" .Values.cli }}
- command: ["/usr/local/bin/flux", "check", "--pre", "--namespace", {{ .Release.Namespace }}]
- {{- with .Values.cli.resources }}
- resources: {{ toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.cli.securityContext }}
- securityContext: {{ toYaml .Values.cli.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- {{- if .Values.cli.volumeMounts }}
- volumeMounts:
- {{- toYaml .Values.cli.volumeMounts | nindent 10 }}
- {{- end}}
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- {{- with .Values.cli.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- if .Values.cli.volumes }}
- volumes:
- {{- toYaml .Values.cli.volumes | nindent 8 }}
- {{- end}}
- {{- with .Values.cli.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.cli.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml
deleted file mode 100644
index 25caae35..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/source-controller-service.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
- name: source-controller
- {{- with .Values.sourceController.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- {{- if .Values.sourceController.service.ports }}
- {{- toYaml .Values.sourceController.service.ports | nindent 2 }}
- {{- end}}
- selector:
- app: source-controller
- type: ClusterIP
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml
deleted file mode 100644
index 286a625f..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/source-controller-serviceaccount.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.sourceController.create -}}
-{{- if .Values.sourceController.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/component: source-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- name: source-controller
- {{- with .Values.sourceController.serviceAccount.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml
deleted file mode 100644
index d4fccd6d..00000000
--- a/packages/core/fluxcd/charts/flux2/templates/source-controller.crds.yaml
+++ /dev/null
@@ -1,3291 +0,0 @@ -{{- if and .Values.installCRDs .Values.sourceController.create }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: buckets.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: Bucket - listKind: BucketList - plural: buckets - singular: bucket - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec defines the desired state of an S3 compatible - bucket - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: The bucket name. - type: string - endpoint: - description: The bucket endpoint address. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS S3 HTTP endpoint. - type: boolean - interval: - description: The interval at which to check for bucket updates. - type: string - provider: - default: generic - description: The S3 compatible storage provider name, default ('generic'). - enum: - - generic - - aws - - gcp - type: string - region: - description: The bucket region. 
- type: string - secretRef: - description: The name of the secret containing authentication credentials - for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for download operations, defaults to 60s. - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus defines the observed state of a bucket - properties: - artifact: - description: Artifact represents the output of the last successful - Bucket sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last Bucket sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.endpoint - name: Endpoint - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: Bucket is the Schema for the buckets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BucketSpec specifies the required configuration to produce - an Artifact for an object storage bucket. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - bucketName: - description: BucketName is the name of the object storage bucket. - type: string - endpoint: - description: Endpoint is the object storage address the BucketName - is located at. - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP Endpoint. 
- type: boolean - interval: - description: Interval at which the Bucket Endpoint is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - prefix: - description: Prefix to use for server-side filtering of files in the - Bucket. - type: string - provider: - default: generic - description: Provider of the object storage bucket. Defaults to 'generic', - which expects an S3 (API) compatible object storage. - enum: - - generic - - aws - - gcp - - azure - type: string - region: - description: Region of the Endpoint where the BucketName is located - in. - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the Bucket. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this Bucket. - type: boolean - timeout: - default: 60s - description: Timeout for fetch operations, defaults to 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - required: - - bucketName - - endpoint - - interval - type: object - status: - default: - observedGeneration: -1 - description: BucketStatus records the observed state of a Bucket. - properties: - artifact: - description: Artifact represents the last successful Bucket reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. 
- type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the Bucket. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. 
- type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the Bucket object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: gitrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: GitRepository - listKind: GitRepositoryList - plural: gitrepositories - shortNames: - - gitrepo - singular: gitrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. 
Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which the GitRepository URL is checked for - updates. 
This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - proxySecretRef: - description: ProxySecretRef specifies the Secret containing the proxy - configuration to use while communicating with the Git server. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. \n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. 
- properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - default: HEAD - description: "Mode specifies which Git object(s) should be verified. - \n The variants \"head\" and \"HEAD\" both imply the same thing, - i.e. verify the commit that the HEAD of the Git repository points - to. The variant \"head\" solely exists to ensure backwards compatibility." - enum: - - head - - HEAD - - Tag - - TagAndHEAD - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. 
- format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. - It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. 
- type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - sourceVerificationMode: - description: SourceVerificationMode is the last used verification - mode indicating which Git object(s) have been verified. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - deprecated: true - deprecationWarning: v1beta1 GitRepository is deprecated, upgrade to v1 - name: v1beta1 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec defines the desired state of a Git repository. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. 
- properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: Determines which git client library to use. Defaults - to go-git, valid values are ('go-git', 'libgit2'). - enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Extra git repositories to map into the repository - items: - description: GitRepositoryInclude defines a source with a from and - to path. - properties: - fromPath: - description: The path to copy contents from, defaults to the - root directory. - type: string - repository: - description: Reference to a GitRepository to include. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: The path to copy contents to, defaults to the name - of the source ref. - type: string - required: - - repository - type: object - type: array - interval: - description: The interval at which to check for repository updates. - type: string - recurseSubmodules: - description: When enabled, after the clone is created, initializes - all submodules within, using their default settings. This option - is available only when using the 'go-git' GitImplementation. - type: boolean - ref: - description: The Git reference to checkout and monitor for changes, - defaults to master branch. 
- properties: - branch: - description: The Git branch to checkout, defaults to master. - type: string - commit: - description: The Git commit SHA to checkout, if specified Tag - filters will be ignored. - type: string - semver: - description: The Git tag semver expression, takes precedence over - Tag. - type: string - tag: - description: The Git tag to checkout, takes precedence over Branch. - type: string - type: object - secretRef: - description: The secret name containing the Git credentials. For HTTPS - repositories the secret must contain username and password fields. - For SSH repositories the secret must contain identity and known_hosts - fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote Git operations like cloning, defaults - to 60s. - type: string - url: - description: The repository URL, can be a HTTP/S or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verify OpenPGP signature for the Git commit HEAD points - to. - properties: - mode: - description: Mode describes what git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: The secret name containing the public keys of all - trusted Git authors. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - mode - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus defines the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. 
- properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - includedArtifacts: - description: IncludedArtifacts represents the included artifacts from - the last successful repository sync. - items: - description: Artifact represents the output of a source synchronisation. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. 
- type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the artifact output of the - last repository sync. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - deprecated: true - deprecationWarning: v1beta2 GitRepository is deprecated, upgrade to v1 - name: v1beta2 - schema: - openAPIV3Schema: - description: GitRepository is the Schema for the gitrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GitRepositorySpec specifies the required configuration to - produce an Artifact for a Git repository. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - gitImplementation: - default: go-git - description: 'GitImplementation specifies which Git client library - implementation to use. Defaults to ''go-git'', valid values are - (''go-git'', ''libgit2''). Deprecated: gitImplementation is deprecated - now that ''go-git'' is the only supported implementation.' 
- enum: - - go-git - - libgit2 - type: string - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - include: - description: Include specifies a list of GitRepository resources which - Artifacts should be included in the Artifact produced for this GitRepository. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - interval: - description: Interval at which to check the GitRepository for updates. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - recurseSubmodules: - description: RecurseSubmodules enables the initialization of all submodules - within the GitRepository as cloned from the URL, using their default - settings. - type: boolean - ref: - description: Reference specifies the Git reference to resolve and - monitor for changes, defaults to the 'master' branch. - properties: - branch: - description: Branch to check out, defaults to 'master' if no other - field is defined. - type: string - commit: - description: "Commit SHA to check out, takes precedence over all - reference fields. 
\n This can be combined with Branch to shallow - clone the branch, in which the commit is expected to exist." - type: string - name: - description: "Name of the reference to check out; takes precedence - over Branch, Tag and SemVer. \n It must be a valid Git reference: - https://git-scm.com/docs/git-check-ref-format#_description Examples: - \"refs/heads/main\", \"refs/tags/v0.1.0\", \"refs/pull/420/head\", - \"refs/merge-requests/1/head\"" - type: string - semver: - description: SemVer tag expression to check out, takes precedence - over Tag. - type: string - tag: - description: Tag to check out, takes precedence over Branch. - type: string - type: object - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the GitRepository. For HTTPS repositories the Secret - must contain 'username' and 'password' fields for basic auth or - 'bearerToken' field for token auth. For SSH repositories the Secret - must contain 'identity' and 'known_hosts' fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this GitRepository. - type: boolean - timeout: - default: 60s - description: Timeout for Git operations like cloning, defaults to - 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL specifies the Git repository URL, it can be an HTTP/S - or SSH address. - pattern: ^(http|https|ssh)://.*$ - type: string - verify: - description: Verification specifies the configuration to verify the - Git commit signature(s). - properties: - mode: - description: Mode specifies what Git object should be verified, - currently ('head'). - enum: - - head - type: string - secretRef: - description: SecretRef specifies the Secret containing the public - keys of trusted Git authors. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - mode - - secretRef - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: GitRepositoryStatus records the observed state of a Git repository. - properties: - artifact: - description: Artifact represents the last successful GitRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the GitRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.recurseSubmodules - .spec.included and the checksum of the - included artifacts observed in .status.observedGeneration version - of the object. This can be used to determine if the content of the - included repository has changed. It has the format of `:`, - for example: `sha256:`. \n Deprecated: Replaced with explicit - fields for observed artifact content config in the status." - type: string - includedArtifacts: - description: IncludedArtifacts contains a list of the last successfully - included Artifacts as instructed by GitRepositorySpec.Include. - items: - description: Artifact represents the output of a Source reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of - ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI - annotations. - type: object - path: - description: Path is the relative file path of the Artifact. 
- It can be used to locate the file in the root of the Artifact - storage on the local file system of the controller managing - the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the GitRepository object. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedInclude: - description: ObservedInclude is the observed list of GitRepository - resources used to to produce the current Artifact. - items: - description: GitRepositoryInclude specifies a local reference to - a GitRepository which Artifact (sub-)contents must be included, - and where they should be placed. - properties: - fromPath: - description: FromPath specifies the path to copy contents from, - defaults to the root of the Artifact. - type: string - repository: - description: GitRepositoryRef specifies the GitRepository which - Artifact contents must be included. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - toPath: - description: ToPath specifies the path to copy contents to, - defaults to the name of the GitRepositoryRef. - type: string - required: - - repository - type: object - type: array - observedRecurseSubmodules: - description: ObservedRecurseSubmodules is the observed resource submodules - configuration used to produce the current Artifact. - type: boolean - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise GitRepositoryStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: helmcharts.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmChart - listKind: HelmChartList - plural: helmcharts - shortNames: - - hc - singular: helmchart - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - 
jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec defines the desired state of a Helm chart. - properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: The name or path the Helm chart is available at in the - SourceRef. - type: string - interval: - description: The interval at which to check the Source for updates. - type: string - reconcileStrategy: - default: ChartVersion - description: Determines what enables the creation of a new artifact. - Valid values are ('ChartVersion', 'Revision'). See the documentation - of the values for an explanation on their behavior. Defaults to - ChartVersion when omitted. - enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: The reference to the Source the chart is available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: Alternative values file to use as the default chart values, - expected to be a relative path in the SourceRef. Deprecated in favor - of ValuesFiles, for backwards compatibility the file defined here - is merged before the ValuesFiles items. Ignored when omitted. - type: string - valuesFiles: - description: Alternative list of values files to use as the chart - values (values.yaml is not included by default), expected to be - a relative path in the SourceRef. Values files are merged in the - order of this list with the last file overriding the first. Ignored - when omitted. - items: - type: string - type: array - version: - default: '*' - description: The chart version semver expression, ignored for charts - from GitRepository and Bucket sources. 
Defaults to latest when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus defines the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - chart sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last chart pulled. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.chart - name: Chart - type: string - - jsonPath: .spec.version - name: Version - type: string - - jsonPath: .spec.sourceRef.kind - name: Source Kind - type: string - - jsonPath: .spec.sourceRef.name - name: Source Name - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmChart is the Schema for the helmcharts API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmChartSpec specifies the desired state of a Helm chart. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - chart: - description: Chart is the name or path the Helm chart is available - at in the SourceRef. - type: string - interval: - description: Interval at which the HelmChart SourceRef is checked - for updates. This interval is approximate and may be subject to - jitter to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - reconcileStrategy: - default: ChartVersion - description: ReconcileStrategy determines what enables the creation - of a new artifact. Valid values are ('ChartVersion', 'Revision'). - See the documentation of the values for an explanation on their - behavior. Defaults to ChartVersion when omitted. 
- enum: - - ChartVersion - - Revision - type: string - sourceRef: - description: SourceRef is the reference to the Source the chart is - available at. - properties: - apiVersion: - description: APIVersion of the referent. - type: string - kind: - description: Kind of the referent, valid values are ('HelmRepository', - 'GitRepository', 'Bucket'). - enum: - - HelmRepository - - GitRepository - - Bucket - type: string - name: - description: Name of the referent. - type: string - required: - - kind - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this source. - type: boolean - valuesFile: - description: ValuesFile is an alternative values file to use as the - default chart values, expected to be a relative path in the SourceRef. - Deprecated in favor of ValuesFiles, for backwards compatibility - the file specified here is merged before the ValuesFiles items. - Ignored when omitted. - type: string - valuesFiles: - description: ValuesFiles is an alternative list of values files to - use as the chart values (values.yaml is not included by default), - expected to be a relative path in the SourceRef. Values files are - merged in the order of this list with the last file overriding the - first. Ignored when omitted. - items: - type: string - type: array - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. This field is only - supported when using HelmRepository source with spec.type 'oci'. - Chart dependencies, which are not bundled in the umbrella chart - artifact, are not verified. - properties: - matchOIDCIdentity: - description: MatchOIDCIdentity specifies the identity matching - criteria to use while verifying an OCI artifact which was signed - using Cosign keyless signing. 
The artifact's identity is deemed - to be verified if any of the specified matchers match against - the identity. - items: - description: OIDCIdentityMatch specifies options for verifying - the certificate identity, i.e. the issuer and the subject - of the certificate. - properties: - issuer: - description: Issuer specifies the regex pattern to match - against to verify the OIDC issuer in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - subject: - description: Subject specifies the regex pattern to match - against to verify the identity subject in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - required: - - issuer - - subject - type: object - type: array - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - required: - - provider - type: object - version: - default: '*' - description: Version is the chart version semver expression, ignored - for charts from GitRepository and Bucket sources. Defaults to latest - when omitted. - type: string - required: - - chart - - interval - - sourceRef - type: object - status: - default: - observedGeneration: -1 - description: HelmChartStatus records the observed state of the HelmChart. - properties: - artifact: - description: Artifact represents the output of the last successful - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. 
- format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmChart. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. 
If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedChartName: - description: ObservedChartName is the last observed chart name as - specified by the resolved chart reference. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmChart object. - format: int64 - type: integer - observedSourceArtifactRevision: - description: ObservedSourceArtifactRevision is the last observed Artifact.Revision - of the HelmChartSpec.SourceRef. - type: string - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise BucketStatus.Artifact - data is recommended. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . 
| toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: helmrepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: HelmRepository - listKind: HelmRepositoryList - plural: helmrepositories - shortNames: - - helmrepo - singular: helmrepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec defines the reference to a Helm repository. 
- properties: - accessFrom: - description: AccessFrom defines an Access Control List for allowing - cross-namespace references to this object. - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - interval: - description: The interval at which to check the upstream for updates. - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - secretRef: - description: The name of the secret containing authentication credentials - for the Helm repository. For HTTP/S basic auth the secret must contain - username and password fields. For TLS the secret must contain a - certFile and keyFile, and/or caFile fields. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. 
- type: boolean - timeout: - default: 60s - description: The timeout of index downloading, defaults to 60s. - type: string - url: - description: The Helm repository URL, a valid URL contains at least - a protocol and host. - type: string - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus defines the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the output of the last successful - repository sync. - properties: - checksum: - description: Checksum is the SHA256 checksum of the artifact. - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of this artifact. - format: date-time - type: string - path: - description: Path is the relative file path of this artifact. - type: string - revision: - description: Revision is a human readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm index timestamp, a Helm chart version, etc. - type: string - url: - description: URL is the HTTP address of this artifact. - type: string - required: - - path - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - url: - description: URL is the download link for the last index fetched. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - name: v1beta2 - schema: - openAPIV3Schema: - description: HelmRepository is the Schema for the helmrepositories API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HelmRepositorySpec specifies the required configuration to - produce an Artifact for a Helm repository index YAML. - properties: - accessFrom: - description: 'AccessFrom specifies an Access Control List for allowing - cross-namespace references to this object. NOTE: Not implemented, - provisional as of https://github.com/fluxcd/flux2/pull/2092' - properties: - namespaceSelectors: - description: NamespaceSelectors is the list of namespace selectors - to which this ACL applies. Items in this list are evaluated - using a logical OR operation. - items: - description: NamespaceSelector selects the namespaces to which - this ACL applies. An empty map of MatchLabels matches all - namespaces in a cluster. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: array - required: - - namespaceSelectors - type: object - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. 
- \n It takes precedence over the values specified in the Secret referred - to by `.spec.secretRef`." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. This field is only taken into account if the .spec.type - field is set to 'oci'. - type: boolean - interval: - description: Interval at which the HelmRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - passCredentials: - description: PassCredentials allows the credentials from the SecretRef - to be passed on to a host that does not match the host as defined - in URL. This may be required if the host of the advertised chart - URLs in the index differ from the defined URL. Enabling this should - be done with caution, as it can potentially result in credentials - getting stolen in a MITM-attack. - type: boolean - provider: - default: generic - description: Provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. This field is optional, and only taken into - account if the .spec.type field is set to 'oci'. When not specified, - defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - secretRef: - description: SecretRef specifies the Secret containing authentication - credentials for the HelmRepository. For HTTP/S basic auth the secret - must contain 'username' and 'password' fields. Support for TLS auth - using the 'certFile' and 'keyFile', and/or 'caFile' keys is deprecated. - Please use `.spec.certSecretRef` instead. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - suspend: - description: Suspend tells the controller to suspend the reconciliation - of this HelmRepository. 
- type: boolean - timeout: - description: Timeout is used for the index fetch operation for an - HTTPS helm repository, and for remote OCI Repository operations - like pulling for an OCI helm chart by the associated HelmChart. - Its default value is 60s. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - type: - description: Type of the HelmRepository. When this field is set to "oci", - the URL field value must be prefixed with "oci://". - enum: - - default - - oci - type: string - url: - description: URL of the Helm repository, a valid URL contains at least - a protocol and host. - pattern: ^(http|https|oci)://.*$ - type: string - required: - - url - type: object - status: - default: - observedGeneration: -1 - description: HelmRepositoryStatus records the observed state of the HelmRepository. - properties: - artifact: - description: Artifact represents the last successful HelmRepository - reconciliation. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. 
- format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the HelmRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation of - the HelmRepository object. - format: int64 - type: integer - url: - description: URL is the dynamic fetch link for the latest Artifact. - It is provided on a "best effort" basis, and using the precise HelmRepositoryStatus.Artifact - data is recommended. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.0 - {{- with .Values.crds.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/component: source-controller - app.kubernetes.io/instance: '{{ .Release.Namespace }}' - app.kubernetes.io/managed-by: '{{ .Release.Service }}' - app.kubernetes.io/part-of: flux - app.kubernetes.io/version: '{{ .Chart.AppVersion }}' - helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - name: ocirepositories.source.toolkit.fluxcd.io -spec: - group: source.toolkit.fluxcd.io - names: - kind: OCIRepository - listKind: OCIRepositoryList - plural: ocirepositories - shortNames: - - ocirepo - singular: ocirepository - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.url - name: URL - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta2 - schema: - openAPIV3Schema: - description: OCIRepository is the Schema for the ocirepositories API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: OCIRepositorySpec defines the desired state of OCIRepository - properties: - certSecretRef: - description: "CertSecretRef can be given the name of a Secret containing - either or both of \n - a PEM-encoded client certificate (`tls.crt`) - and private key (`tls.key`); - a PEM-encoded CA certificate (`ca.crt`) - \n and whichever are supplied, will be used for connecting to the - registry. The client cert and key are useful if you are authenticating - with a certificate; the CA cert is useful if you are using a self-signed - server certificate. The Secret must be of type `Opaque` or `kubernetes.io/tls`. - \n Note: Support for the `caFile`, `certFile` and `keyFile` keys - have been deprecated." - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - ignore: - description: Ignore overrides the set of excluded patterns in the - .sourceignore format (which is the same as .gitignore). If not provided, - a default will be used, consult the documentation for your version - to find out what those are. - type: string - insecure: - description: Insecure allows connecting to a non-TLS HTTP container - registry. - type: boolean - interval: - description: Interval at which the OCIRepository URL is checked for - updates. This interval is approximate and may be subject to jitter - to ensure efficient use of resources. - pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ - type: string - layerSelector: - description: LayerSelector specifies which layer should be extracted - from the OCI artifact. When not specified, the first layer found - in the artifact is selected. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. 
- type: string - operation: - description: Operation specifies how the selected layer should - be processed. By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - provider: - default: generic - description: The provider used for authentication, can be 'aws', 'azure', - 'gcp' or 'generic'. When not specified, defaults to 'generic'. - enum: - - generic - - aws - - azure - - gcp - type: string - ref: - description: The OCI reference to pull and monitor for changes, defaults - to the latest tag. - properties: - digest: - description: Digest is the image digest to pull, takes precedence - over SemVer. The value should be in the format 'sha256:'. - type: string - semver: - description: SemVer is the range of tags to pull selecting the - latest within the range, takes precedence over Tag. - type: string - tag: - description: Tag is the image tag to pull, defaults to latest. - type: string - type: object - secretRef: - description: SecretRef contains the secret name containing the registry - login credentials to resolve image metadata. The secret must be - of type kubernetes.io/dockerconfigjson. - properties: - name: - description: Name of the referent. - type: string - required: - - name - type: object - serviceAccountName: - description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount - used to authenticate the image pull if the service account has attached - pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' - type: string - suspend: - description: This flag tells the controller to suspend the reconciliation - of this source. - type: boolean - timeout: - default: 60s - description: The timeout for remote OCI Repository operations like - pulling, defaults to 60s. 
- pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m))+$ - type: string - url: - description: URL is a reference to an OCI artifact repository hosted - on a remote container registry. - pattern: ^oci://.*$ - type: string - verify: - description: Verify contains the secret name containing the trusted - public keys used to verify the signature and specifies which provider - to use to check whether OCI image is authentic. - properties: - matchOIDCIdentity: - description: MatchOIDCIdentity specifies the identity matching - criteria to use while verifying an OCI artifact which was signed - using Cosign keyless signing. The artifact's identity is deemed - to be verified if any of the specified matchers match against - the identity. - items: - description: OIDCIdentityMatch specifies options for verifying - the certificate identity, i.e. the issuer and the subject - of the certificate. - properties: - issuer: - description: Issuer specifies the regex pattern to match - against to verify the OIDC issuer in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - subject: - description: Subject specifies the regex pattern to match - against to verify the identity subject in the Fulcio certificate. - The pattern must be a valid Go regular expression. - type: string - required: - - issuer - - subject - type: object - type: array - provider: - default: cosign - description: Provider specifies the technology used to sign the - OCI Artifact. - enum: - - cosign - type: string - secretRef: - description: SecretRef specifies the Kubernetes Secret containing - the trusted public keys. - properties: - name: - description: Name of the referent. 
- type: string - required: - - name - type: object - required: - - provider - type: object - required: - - interval - - url - type: object - status: - default: - observedGeneration: -1 - description: OCIRepositoryStatus defines the observed state of OCIRepository - properties: - artifact: - description: Artifact represents the output of the last successful - OCI Repository sync. - properties: - digest: - description: Digest is the digest of the file in the form of ':'. - pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$ - type: string - lastUpdateTime: - description: LastUpdateTime is the timestamp corresponding to - the last update of the Artifact. - format: date-time - type: string - metadata: - additionalProperties: - type: string - description: Metadata holds upstream information such as OCI annotations. - type: object - path: - description: Path is the relative file path of the Artifact. It - can be used to locate the file in the root of the Artifact storage - on the local file system of the controller managing the Source. - type: string - revision: - description: Revision is a human-readable identifier traceable - in the origin source system. It can be a Git commit SHA, Git - tag, a Helm chart version, etc. - type: string - size: - description: Size is the number of bytes in the file. - format: int64 - type: integer - url: - description: URL is the HTTP address of the Artifact as exposed - by the controller managing the Source. It can be used to retrieve - the Artifact for consumption, e.g. by another controller applying - the Artifact contents. - type: string - required: - - lastUpdateTime - - path - - revision - - url - type: object - conditions: - description: Conditions holds the conditions for the OCIRepository. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. 
For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - contentConfigChecksum: - description: "ContentConfigChecksum is a checksum of all the configurations - related to the content of the source artifact: - .spec.ignore - - .spec.layerSelector observed in .status.observedGeneration version - of the object. This can be used to determine if the content configuration - has changed and the artifact needs to be rebuilt. It has the format - of `:`, for example: `sha256:`. \n Deprecated: - Replaced with explicit fields for observed artifact content config - in the status." - type: string - lastHandledReconcileAt: - description: LastHandledReconcileAt holds the value of the most recent - reconcile request value, so a change of the annotation value can - be detected. - type: string - observedGeneration: - description: ObservedGeneration is the last observed generation. - format: int64 - type: integer - observedIgnore: - description: ObservedIgnore is the observed exclusion patterns used - for constructing the source artifact. - type: string - observedLayerSelector: - description: ObservedLayerSelector is the observed layer selector - used for constructing the source artifact. - properties: - mediaType: - description: MediaType specifies the OCI media type of the layer - which should be extracted from the OCI Artifact. The first layer - matching this type is selected. - type: string - operation: - description: Operation specifies how the selected layer should - be processed. 
By default, the layer compressed content is extracted - to storage. When the operation is set to 'copy', the layer compressed - content is persisted to storage as it is. - enum: - - extract - - copy - type: string - type: object - url: - description: URL is the download link for the artifact output of the - last OCI Repository sync. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} -{{- end }} diff --git a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml b/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml deleted file mode 100644 index 517b54bd..00000000 --- a/packages/core/fluxcd/charts/flux2/templates/source-controller.yaml +++ /dev/null 
@@ -1,140 +0,0 @@
-{{- if .Values.sourceController.create }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/component: source-controller
- app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
- app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
- app.kubernetes.io/part-of: flux
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- control-plane: controller
- {{- with .Values.sourceController.labels }}
- {{- . | toYaml | nindent 4 }}
- {{- end }}
- name: source-controller
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: source-controller
- strategy:
- type: Recreate
- template:
- metadata:
- {{- with .Values.sourceController.annotations }}
- annotations: {{ toYaml . | nindent 8 }}
- {{- end }}
- labels:
- app: source-controller
-{{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }}
- spec:
- automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }}
- {{- if .Values.sourceController.initContainers}}
- initContainers:
- {{- toYaml .Values.sourceController.initContainers | nindent 8}}
- {{- end}}
- containers:
- - args:
- {{- if .Values.notificationController.create }}
- - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc
- {{- end}}
- - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
- - --log-level={{ .Values.logLevel | default "info" }}
- - --log-encoding=json
- - --enable-leader-election
- - --storage-path=/data
- - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc
- {{- range .Values.sourceController.container.additionalArgs }}
- - {{ . }}
- {{- end}}
- env:
- - name: RUNTIME_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- with .Values.sourceController.extraEnv }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- image: {{ template "template.image" .Values.sourceController }}
- {{- if .Values.sourceController.imagePullPolicy }}
- imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }}
- {{- else }}
- imagePullPolicy: IfNotPresent
- {{- end }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
- name: manager
- ports:
- - containerPort: 9090
- name: http
- protocol: TCP
- - containerPort: 8080
- name: http-prom
- protocol: TCP
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /
- port: http
- {{- with .Values.sourceController.resources }}
- resources: {{ toYaml . | nindent 10 }}
- {{- end }}
- {{- if .Values.sourceController.securityContext }}
- securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }}
- {{- else }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- {{- end}}
- volumeMounts:
- - mountPath: /data
- name: data
- - mountPath: /tmp
- name: tmp
- {{- if .Values.sourceController.volumeMounts }}
- {{- toYaml .Values.sourceController.volumeMounts | nindent 8 }}
- {{- end}}
- {{- if .Values.sourceController.priorityClassName }}
- priorityClassName: {{ .Values.sourceController.priorityClassName | quote }}
- {{- end }}
- {{- if .Values.sourceController.podSecurityContext }}
- securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }}
- {{- else }}
- securityContext:
- fsGroup: 1337
- {{- end}}
- serviceAccountName: source-controller
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
- {{- end }}
- terminationGracePeriodSeconds: 10
- volumes:
- - emptyDir: {}
- name: data
- - emptyDir: {}
- name: tmp
- {{- if .Values.sourceController.volumes }}
- {{- toYaml .Values.sourceController.volumes | nindent 6 }}
- {{- end}}
- {{- with .Values.sourceController.nodeSelector }}
- nodeSelector: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.sourceController.affinity }}
- affinity: {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.sourceController.tolerations }}
- tolerations: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/packages/core/fluxcd/charts/flux2/values.yaml b/packages/core/fluxcd/charts/flux2/values.yaml
deleted file mode 100644
index 379c07e8..00000000
--- a/packages/core/fluxcd/charts/flux2/values.yaml
+++ /dev/null
@@ -1,327 +0,0 @@ -# global - -installCRDs: true -crds: - # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep - annotations: {} - -multitenancy: - # -- Implement the patches for Multi-tenancy lockdown. - # See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown - enabled: false - # -- All Kustomizations and HelmReleases which don’t have spec.serviceAccountName - # specified, will use the default account from the tenant’s namespace. - # Tenants have to specify a service account in their Flux resources to be able - # to deploy workloads in their namespaces as the default account has no permissions. - defaultServiceAccount: "default" - # -- Both kustomize-controller and helm-controller service accounts run privileged - # with cluster-admin ClusterRoleBinding. Disable if you want to run them with a - # minimum set of permissions. - privileged: true - -clusterDomain: cluster.local - -cli: - image: ghcr.io/fluxcd/flux-cli - tag: v2.2.3 - nodeSelector: {} - affinity: {} - tolerations: [] - annotations: {} - serviceAccount: - automount: true - -# controllers - -helmController: - create: true - image: ghcr.io/fluxcd/helm-controller - tag: v0.37.4 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - nodeSelector: {} - # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core - # for example: - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: foo.bar.com/role - # operator: In - # values: - # - master - - affinity: {} - # expects input structure as per specification 
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core - # for example: - # tolerations: - # - key: foo.bar.com/role - # operator: Equal - # value: master - # effect: NoSchedule - - tolerations: [] - -imageAutomationController: - create: true - image: ghcr.io/fluxcd/image-automation-controller - tag: v0.37.1 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - nodeSelector: {} - affinity: {} - tolerations: [] - -imageReflectionController: - create: true - image: ghcr.io/fluxcd/image-reflector-controller - tag: v0.31.2 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - nodeSelector: {} - affinity: {} - tolerations: [] - -kustomizeController: - create: true - image: ghcr.io/fluxcd/kustomize-controller - tag: v1.2.2 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - secret: - # -- Create a secret to use it with extraSecretMounts. Defaults to false. - create: false - name: "" - data: {} - # -- Defines envFrom using a configmap and/or secret. - envFrom: - map: - name: "" - secret: - name: "" - # -- Defines additional mounts with secrets. 
- # Secrets must be manually created in the namespace or with kustomizeController.secret - extraSecretMounts: [] - # - name: secret-files - # mountPath: /etc/secrets - # subPath: "" - # secretName: secret-files - # readOnly: true - - nodeSelector: {} - affinity: {} - tolerations: [] - -notificationController: - create: true - image: ghcr.io/fluxcd/notification-controller - tag: v1.2.4 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - extraEnv: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - service: - labels: {} - annotations: {} - webhookReceiver: - service: - labels: {} - annotations: {} - ingress: - create: false - # ingressClassName: nginx - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - hosts: - - host: flux-webhook.example.com - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: flux-webhook-tls - # hosts: - # - flux-webhook.example.com - - - nodeSelector: {} - affinity: {} - tolerations: [] - -sourceController: - create: true - image: ghcr.io/fluxcd/source-controller - tag: v1.2.4 - resources: - limits: {} - # cpu: 1000m - # memory: 1Gi - requests: - cpu: 100m - memory: 64Mi - priorityClassName: "" - annotations: - prometheus.io/port: "8080" - prometheus.io/scrape: "true" - labels: {} - container: - additionalArgs: [] - serviceAccount: - create: true - automount: true - annotations: {} - imagePullPolicy: "" - service: - labels: {} - annotations: {} - nodeSelector: {} - affinity: {} - tolerations: [] - extraEnv: [] - -policies: - create: true - -rbac: - create: true - # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources - createAggregation: true - # -- Add annotations to all RBAC resources, e.g. 
"helm.sh/resource-policy": keep - annotations: {} - roleRef: - name: cluster-admin - -logLevel: info -watchAllNamespaces: true - -# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers -imagePullSecrets: [] - -# -- Array of extra K8s manifests to deploy -extraObjects: [] -# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication -# - apiVersion: source.toolkit.fluxcd.io/v1beta2 -# kind: Bucket -# metadata: -# name: podinfo -# namespace: default -# spec: -# interval: 1m -# provider: generic -# bucketName: podinfo -# endpoint: minio.minio.svc.cluster.local:9000 -# insecure: true -# secretRef: -# name: minio-credentials -# - apiVersion: v1 -# kind: Secret -# metadata: -# name: minio-credentials -# namespace: default -# type: Opaque -# data: -# accesskey: -# secretkey: - -# Enables podMonitor creation for the Prometheus Operator -prometheus: - podMonitor: - # -- Enables podMonitor endpoint - create: false - podMetricsEndpoints: - - port: http-prom - relabelings: - # https://github.com/prometheus-operator/prometheus-operator/issues/4816 - - sourceLabels: [__meta_kubernetes_pod_phase] - action: keep - regex: Running diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json index 63a732c3..571f9aa7 100644 --- a/packages/core/installer/images/cozystack.json +++ b/packages/core/installer/images/cozystack.json 
@@ -1,10 +1,10 @@ { - "buildx.build.ref": "youthful_hertz/youthful_hertz0/aafwjh8j28i98f59smgh3qe86", + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef", + "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f", "size": 685 }, - "containerimage.digest": "sha256:e0c0defb9f5b10f5187d4002ccec7d01841e96c7350963f253003c0efeff6cef", - "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" + "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f", + "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index 602d7b26..aff03e70 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:latest +ghcr.io/aenix-io/cozystack/cozystack:v0.9.0 diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json index d5bf9ebe..930a0ce7 100644 --- a/packages/core/installer/images/matchbox.json +++ b/packages/core/installer/images/matchbox.json 
@@ -1,4 +1,45 @@ { - "containerimage.config.digest": "sha256:ed483d1187cdfeb92df319a30dde57141ceb1d4bafcc28ba006a1e60abc445ff", - "containerimage.digest": "sha256:000a46c2bffc3cf13909dc0ca570cdcea9692d85b1ef2a875afe08ea8136d2c2" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/quay.io/poseidon/matchbox@v0.10.0?platform=linux%2Famd64", + "digest": { + "sha256": "e14cc4a8f6e8f1182fce74d04fe949b6bfc91b04132b3944297661e2c38c9790" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/k5n5is33n6zu6an3nmlnylejx", + "containerimage.config.digest": "sha256:4676a205eae74f1b16a9065921c612ee85e123ab6566a238edb4bbaf79b2e148", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7", + "size": 1488, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7", + "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.0,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.0" } \ No newline at end of file diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index 1fd9590a..c3e65e3f 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml 
@@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator,cilium] + - name: cilium releaseName: cilium chart: cozy-cilium diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml index 41d027fe..6923c1fb 100644 --- a/packages/core/platform/bundles/distro-hosted.yaml +++ b/packages/core/platform/bundles/distro-hosted.yaml @@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator] + - name: cert-manager releaseName: cert-manager chart: cozy-cert-manager diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index 6ee2ad41..4ed95257 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator,cilium,kubeovn] + - name: cilium releaseName: cilium chart: cozy-cilium 
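Review bot: The new `fluxcd-operator` entry is `privileged: true` while the `fluxcd` entry sharing the same `cozy-fluxcd` namespace carries no `privileged` key, so the two releases state different privilege levels for one namespace and the commit does not say which one wins or why; the same pair is added to distro-hosted.yaml and paas-full.yaml on this line and to paas-hosted.yaml on the next. The removed `set $namespaces "cozy-fluxcd" false` in namespaces.yaml looks like it previously registered this namespace as non-privileged, so if the per-release flag now drives the namespace's pod-security labelling this is a silent promotion to privileged. Record the reason above the entry, e.g. `# privileged: <why the operator needs an unrestricted namespace>; the fluxcd release itself runs with the default policy`, or drop the flag if the operator does not need it. The paas-full list `dependsOn: [fluxcd-operator,cilium,kubeovn]` differs from distro-full's `[fluxcd-operator,cilium]`, presumably because kubeovn is only part of the paas bundles, but that is worth a word in the description.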
@@ -153,8 +166,8 @@ releases: chart: cozy-dashboard namespace: cozy-dashboard dependsOn: [cilium,kubeovn] - {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }} - {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }} + {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }} + {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }} values: kubeapps: redis: diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index a9c33818..60194d84 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml @@ -1,6 +1,19 @@ {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }} releases: +- name: fluxcd-operator + releaseName: fluxcd-operator + chart: cozy-fluxcd-operator + namespace: cozy-fluxcd + privileged: true + dependsOn: [] + +- name: fluxcd + releaseName: fluxcd + chart: cozy-fluxcd + namespace: cozy-fluxcd + dependsOn: [fluxcd-operator] + - name: cert-manager releaseName: cert-manager chart: cozy-cert-manager @@ -91,8 +104,8 @@ releases: chart: cozy-dashboard namespace: cozy-dashboard dependsOn: [] - {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }} - {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }} + {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }} + {{- with (lookup "source.toolkit.fluxcd.io/v1" "HelmRepository" "cozy-public" "").items }} values: kubeapps: redis: diff --git a/packages/core/platform/templates/apps.yaml b/packages/core/platform/templates/apps.yaml index 2ba4f8ed..073edbdb 100644 --- a/packages/core/platform/templates/apps.yaml +++ b/packages/core/platform/templates/apps.yaml 
@@ -3,8 +3,8 @@
{{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
{{- $host := "example.org" }}
{{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "tenant-root" "tenant-root" }}
{{- end }}
{{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
{{- $host = $tenantRoot.spec.values.host }}
@@ -22,7 +22,7 @@ metadata:
namespace.cozystack.io/host: "{{ $host }}"
name: tenant-root
---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: tenant-root
diff --git a/packages/core/platform/templates/helmreleases.yaml b/packages/core/platform/templates/helmreleases.yaml
index 5834c0be..eaee0ea6 100644
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -12,7 +12,7 @@
{{- range $x := $bundle.releases }}
{{- if not (has $x.name $disabledComponents) }}
---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: {{ $x.name }}
@@ -20,7 +20,7 @@ metadata:
labels:
cozystack.io/repository: system
spec:
- interval: 1m
+ interval: 5m
releaseName: {{ $x.releaseName | default $x.name }}
install:
crds: CreateReplace
diff --git a/packages/core/platform/templates/helmrepos.yaml b/packages/core/platform/templates/helmrepos.yaml
index 3e061e41..69f77534 100644
--- a/packages/core/platform/templates/helmrepos.yaml
+++ b/packages/core/platform/templates/helmrepos.yaml
@@ -1,5 +1,5 @@
---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cozystack-system
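Review bot: The capability check in apps.yaml now requires `helm.toolkit.fluxcd.io/v2`, so on a cluster whose Flux still serves only `v2beta2` (the flux2 chart removed in this commit pins helm-controller `v0.37.4`, which as far as I know predates the GA `v2` API) `$tenantRoot` stays `list` and `$host` silently falls back to `"example.org"` until the new CRDs are installed, and the `namespace.cozystack.io/host` annotation on `tenant-root` in the second hunk would be rendered with that placeholder during the upgrade window. Until every installation is migrated, keep a fallback: `{{- else if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}` followed by `{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}` before the `{{- end }}`. In helmreleases.yaml on this line `interval: 1m` becomes `interval: 5m` without a rationale; a comment such as `# 5m: lower controller load at the cost of slower drift detection` would record the trade-off.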
@@ -10,7 +10,7 @@ spec: interval: 5m0s url: http://cozystack.cozy-system.svc/repos/system --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: cozystack-apps @@ -22,7 +22,7 @@ spec: interval: 5m0s url: http://cozystack.cozy-system.svc/repos/apps --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: cozystack-extra diff --git a/packages/core/platform/templates/namespaces.yaml b/packages/core/platform/templates/namespaces.yaml index fd3a58e0..0d35d7ec 100644 --- a/packages/core/platform/templates/namespaces.yaml +++ b/packages/core/platform/templates/namespaces.yaml @@ -16,7 +16,6 @@ {{/* Add extra namespaces */}} {{- $_ := set $namespaces "cozy-public" false }} -{{- $_ := set $namespaces "cozy-fluxcd" false }} {{- range $namespace, $privileged := $namespaces }} --- diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index e9d3511f..b646aedb 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg type: application -version: 1.1.0 +version: 1.2.0 diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml index 816327f0..43a3a9a6 100644 --- a/packages/extra/ingress/templates/nginx-ingress.yaml +++ b/packages/extra/ingress/templates/nginx-ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: ingress-nginx 
diff --git a/packages/system/monitoring/templates/nginx-scrape.yaml b/packages/extra/ingress/templates/nginx-scrape.yaml similarity index 92% rename from packages/system/monitoring/templates/nginx-scrape.yaml rename to packages/extra/ingress/templates/nginx-scrape.yaml index d9de45a0..d04c5b65 100644 --- a/packages/system/monitoring/templates/nginx-scrape.yaml +++ b/packages/extra/ingress/templates/nginx-scrape.yaml @@ -3,12 +3,11 @@ apiVersion: operator.victoriametrics.com/v1beta1 kind: VMPodScrape metadata: name: nginx-ingress-controller - namespace: cozy-monitoring spec: jobLabel: jobLabel namespaceSelector: matchNames: - - cozy-ingress-nginx + - {{ .Release.Namespace }} podMetricsEndpoints: - port: metrics honorLabels: true @@ -29,12 +28,11 @@ apiVersion: operator.victoriametrics.com/v1beta1 kind: VMPodScrape metadata: name: nginx-ingress-controller-detailed - namespace: cozy-monitoring spec: jobLabel: jobLabel namespaceSelector: matchNames: - - cozy-ingress-nginx + - {{ .Release.Namespace }} podMetricsEndpoints: - port: metrics2 honorLabels: true diff --git a/packages/extra/monitoring/Chart.yaml b/packages/extra/monitoring/Chart.yaml index dbfa5374..0c28c1bf 100644 --- a/packages/extra/monitoring/Chart.yaml +++ b/packages/extra/monitoring/Chart.yaml @@ -3,4 +3,4 @@ name: monitoring description: Monitoring and observability stack icon: https://www.svgrepo.com/download/184787/analytics-laptop.svg type: application -version: 1.0.0 +version: 1.1.0 diff --git a/packages/extra/monitoring/templates/oncall/oncall-release.yaml b/packages/extra/monitoring/templates/oncall/oncall-release.yaml index 46d124e4..48416776 100644 --- a/packages/extra/monitoring/templates/oncall/oncall-release.yaml +++ b/packages/extra/monitoring/templates/oncall/oncall-release.yaml 
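Review bot: Dropping `namespace: cozy-monitoring` moves both VMPodScrape objects into the ingress release's namespace, so they are only picked up if the VMAgent in cozy-monitoring is configured to select VMPodScrape resources from other namespaces; that selector is not visible here, so please confirm it and record the expectation above the resource, e.g. `# Rendered into the ingress namespace; the monitoring VMAgent must select VMPodScrape objects cluster-wide`. The templated `- {{ .Release.Namespace }}` is unquoted; a namespace is a DNS-1123 label, which may be all digits and would then be read as an integer by the YAML parser, so `- "{{ .Release.Namespace }}"` is the safer form (same in the second hunk of this file).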
@@ -1,7 +1,7 @@ {{- if .Values.oncall.enabled }} {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} -apiVersion: helm.toolkit.fluxcd.io/v2beta1 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: grafana-oncall diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 7b373bf8..996103e5 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -3,5 +3,7 @@ etcd 2.0.0 a6d0f7cf etcd 2.0.1 6fc1cc7d etcd 2.1.0 HEAD ingress 1.0.0 f642698 -ingress 1.1.0 HEAD -monitoring 1.0.0 HEAD +ingress 1.1.0 838bee5d +ingress 1.2.0 HEAD +monitoring 1.0.0 f642698 +monitoring 1.1.0 HEAD diff --git a/packages/system/capi-operator/Makefile b/packages/system/capi-operator/Makefile index b3c9f770..2fd794d3 100644 --- a/packages/system/capi-operator/Makefile +++ b/packages/system/capi-operator/Makefile @@ -1,5 +1,5 @@ -NAME=capi-operator -NAMESPACE=cozy-cluster-api +export NAME=capi-operator +export NAMESPACE=cozy-cluster-api include ../../../scripts/package-system.mk diff --git a/packages/system/capi-operator/charts/cluster-api-operator/Chart.lock b/packages/system/capi-operator/charts/cluster-api-operator/Chart.lock deleted file mode 100644 index 5d3381ff..00000000 --- a/packages/system/capi-operator/charts/cluster-api-operator/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: cert-manager - repository: https://charts.jetstack.io - version: v1.13.2 -digest: sha256:b92a86c20cdd8a5e44995e71addefd379fdf302410a7dde388623f0e06187406 -generated: "2024-01-16T12:59:42.630842426Z" diff --git a/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml b/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml index d505a05d..b9b994bb 100644 --- a/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml +++ b/packages/system/capi-operator/charts/cluster-api-operator/Chart.yaml 
@@ -1,11 +1,6 @@
apiVersion: v2
-appVersion: 0.8.1
-dependencies:
-- condition: cert-manager.enabled
- name: cert-manager
- repository: https://charts.jetstack.io
- version: v1.13.2
+appVersion: 0.11.0
description: Cluster API Operator
name: cluster-api-operator
type: application
-version: 0.8.1
+version: 0.11.0
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml b/packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml
deleted file mode 100644
index 14c0726c..00000000
--- a/packages/system/capi-operator/charts/cluster-api-operator/crds/cert-manager.crds.yaml
+++ /dev/null
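Review bot: Dropping the `cert-manager` dependency (together with Chart.lock and the vendored cert-manager CRDs) leaves Chart.yaml with no statement that cluster-api-operator still needs cert-manager for its webhook certificates — presumably the reason the sub-chart existed — so a reader can no longer see the prerequisite. Add a comment under `appVersion`, `# cert-manager is not vendored; the platform's cozy-cert-manager release must be installed first`, and make sure the capi-operator entry in the platform bundles lists `cert-manager` in `dependsOn` so Flux orders the installs (that entry is outside this diff, so I cannot confirm it). The version jump 0.8.1 → 0.11.0 skips several minor releases; a link to the upstream changelog in the commit description would help reviewers check for CRD changes.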
@@ -1,4482 +0,0 @@ -# Copyright 2022 The cert-manager Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificaterequests.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: CertificateRequest - listKind: CertificateRequestList - plural: certificaterequests - shortNames: - - cr - - crs - singular: certificaterequest - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Approved")].status - name: Approved - type: string - - jsonPath: .status.conditions[?(@.type=="Denied")].status - name: Denied - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - type: string - - jsonPath: .spec.username - name: Requestor - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. 
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A CertificateRequest is used to request a signed certificate from one of the configured issuers. \n All fields within the CertificateRequest's `spec` are immutable after creation. A CertificateRequest will either succeed or fail, as denoted by its `Ready` status condition and its `status.failureTime` field. \n A CertificateRequest is a one-shot resource, meaning it represents a single point in time request for a certificate and cannot be re-used." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specification of the desired state of the CertificateRequest resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - required: - - issuerRef - - request - properties: - duration: - description: Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. - type: string - extra: - description: Extra contains extra attributes of the user that created the CertificateRequest. 
Populated by the cert-manager webhook on creation and immutable. - type: object - additionalProperties: - type: array - items: - type: string - groups: - description: Groups contains group membership of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: array - items: - type: string - x-kubernetes-list-type: atomic - isCA: - description: "Requested basic constraints isCA value. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n NOTE: If the CSR in the `Request` field has a BasicConstraints extension, it must have the same isCA value as specified here. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." - type: boolean - issuerRef: - description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: "The PEM-encoded X.509 certificate signing request to be submitted to the issuer for signing. \n If the CSR has a BasicConstraints extension, its isCA attribute must match the `isCA` value of this CertificateRequest. If the CSR has a KeyUsage extension, its key usages must match the key usages in the `usages` field of this CertificateRequest. If the CSR has a ExtKeyUsage extension, its extended key usages must match the extended key usages in the `usages` field of this CertificateRequest." 
- type: string - format: byte - uid: - description: UID contains the uid of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - usages: - description: "Requested key usages and extended key usages. \n NOTE: If the CSR in the `Request` field has uses the KeyUsage or ExtKeyUsage extension, these extensions must have the same values as specified here without any additional values. \n If unset, defaults to `digital signature` and `key encipherment`." - type: array - items: - description: "KeyUsage specifies valid usage contexts for keys. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - username: - description: Username contains the name of the user that created the CertificateRequest. Populated by the cert-manager webhook on creation and immutable. - type: string - status: - description: 'Status of the CertificateRequest. This is set and managed automatically. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - ca: - description: The PEM encoded X.509 certificate of the signer, also known as the CA (Certificate Authority). This is set on a best-effort basis by different issuers. If not set, the CA is assumed to be unknown/not available. - type: string - format: byte - certificate: - description: The PEM encoded X.509 certificate resulting from the certificate signing request. If not set, the CertificateRequest has either not been completed or has failed. More information on failure can be found by checking the `conditions` field. - type: string - format: byte - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`. - type: array - items: - description: CertificateRequestCondition contains condition information for a CertificateRequest. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `InvalidRequest`, `Approved`, `Denied`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failureTime: - description: FailureTime stores the time that this CertificateRequest failed. This is used to influence garbage collection and back-off. 
- type: string - format: date-time - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificates.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: Certificate - listKind: CertificateList - plural: certificates - shortNames: - - cert - - certs - singular: certificate - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .spec.secretName - name: Secret - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: "A Certificate resource should be created to ensure an up to date and signed X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`. \n The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`)." - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Specification of the desired state of the Certificate resource. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status - type: object - required: - - issuerRef - - secretName - properties: - additionalOutputFormats: - description: "Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. \n This is an Alpha Feature and is only enabled with the `--feature-gates=AdditionalCertificateOutputFormats=true` option set on both the controller and webhook components." - type: array - items: - description: CertificateAdditionalOutputFormat defines an additional output format of a Certificate resource. These contain supplementary data formats of the signed certificate chain and paired private key. - type: object - required: - - type - properties: - type: - description: Type is the name of the format type that should be written to the Certificate's target Secret. - type: string - enum: - - DER - - CombinedPEM - commonName: - description: "Requested common name X509 certificate subject attribute. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 NOTE: TLS clients will ignore this value when any subject alternative name is set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). \n Should have a length of 64 characters or fewer to avoid generating invalid CSRs. Cannot be set if the `literalSubject` field is set." 
- type: string - dnsNames: - description: Requested DNS subject alternative names. - type: array - items: - type: string - duration: - description: "Requested 'duration' (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute. \n If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." - type: string - emailAddresses: - description: Requested email subject alternative names. - type: array - items: - type: string - encodeUsagesInRequest: - description: "Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR. \n This option defaults to true, and should only be disabled if the target issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions." - type: boolean - ipAddresses: - description: Requested IP address subject alternative names. - type: array - items: - type: string - isCA: - description: "Requested basic constraints isCA value. The isCA value is used to set the `isCA` field on the created CertificateRequest resources. Note that the issuer may choose to ignore the requested isCA value, just like any other requested attribute. \n If true, this will automatically add the `cert sign` usage to the list of requested `usages`." - type: boolean - issuerRef: - description: "Reference to the issuer responsible for issuing the certificate. If the issuer is namespace-scoped, it must be in the same namespace as the Certificate. If the issuer is cluster-scoped, it can be used from any namespace. \n The `name` field of the reference must always be specified." - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. 
- type: string - keystores: - description: Additional keystore output formats to be stored in the Certificate's Secret. - type: object - properties: - jks: - description: JKS configures options for storing a JKS keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - pkcs12: - description: PKCS12 configures options for storing a PKCS12 keystore in the `spec.secretName` Secret resource. - type: object - required: - - create - - passwordSecretRef - properties: - create: - description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. 
If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority - type: boolean - passwordSecretRef: - description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - literalSubject: - description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." - type: string - privateKey: - description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. - type: object - properties: - algorithm: - description: "Algorithm is the private key algorithm of the corresponding private key for this certificate. \n If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`. 
If `algorithm` is specified and `size` is not provided, key size of 2048 will be used for `RSA` key algorithm and key size of 256 will be used for `ECDSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm." - type: string - enum: - - RSA - - ECDSA - - Ed25519 - encoding: - description: "The private key cryptography standards (PKCS) encoding for this certificate's private key to be encoded in. \n If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if not specified." - type: string - enum: - - PKCS1 - - PKCS8 - rotationPolicy: - description: "RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. \n If set to `Never`, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is `Never` for backward compatibility." - type: string - enum: - - Never - - Always - size: - description: "Size is the key bit size of the corresponding private key for this certificate. \n If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed." - type: integer - renewBefore: - description: "How long before the currently issued certificate's expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. 
when there are 10 minutes remaining until the certificate is no longer valid). \n NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate. \n If unset, this defaults to 1/3 of the issued certificate's lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration." - type: string - revisionHistoryLimit: - description: "The maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. \n If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`." - type: integer - format: int32 - secretName: - description: Name of the Secret resource that will be automatically created and managed by this Certificate resource. It will be populated with a private key and certificate, signed by the denoted issuer. The Secret resource lives in the same namespace as the Certificate resource. - type: string - secretTemplate: - description: Defines annotations and labels to be copied to the Certificate's Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate's Secret. - type: object - properties: - annotations: - description: Annotations is a key value map to be copied to the target Kubernetes Secret. 
- type: object - additionalProperties: - type: string - labels: - description: Labels is a key value map to be copied to the target Kubernetes Secret. - type: object - additionalProperties: - type: string - subject: - description: "Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 \n The common name attribute is specified separately in the `commonName` field. Cannot be set if the `literalSubject` field is set." - type: object - properties: - countries: - description: Countries to be used on the Certificate. - type: array - items: - type: string - localities: - description: Cities to be used on the Certificate. - type: array - items: - type: string - organizationalUnits: - description: Organizational Units to be used on the Certificate. - type: array - items: - type: string - organizations: - description: Organizations to be used on the Certificate. - type: array - items: - type: string - postalCodes: - description: Postal codes to be used on the Certificate. - type: array - items: - type: string - provinces: - description: State/Provinces to be used on the Certificate. - type: array - items: - type: string - serialNumber: - description: Serial number to be used on the Certificate. - type: string - streetAddresses: - description: Street addresses to be used on the Certificate. - type: array - items: - type: string - uris: - description: Requested URI subject alternative names. - type: array - items: - type: string - usages: - description: "Requested key usages and extended key usages. These usages are used to set the `usages` field on the created CertificateRequest resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages will additionally be encoded in the `request` field which contains the CSR blob. \n If unset, defaults to `digital signature` and `key encipherment`." - type: array - items: - description: "KeyUsage specifies valid usage contexts for keys. 
See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 \n Valid KeyUsage values are as follows: \"signing\", \"digital signature\", \"content commitment\", \"key encipherment\", \"key agreement\", \"data encipherment\", \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\", \"server auth\", \"client auth\", \"code signing\", \"email protection\", \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"" - type: string - enum: - - signing - - digital signature - - content commitment - - key encipherment - - key agreement - - data encipherment - - cert sign - - crl sign - - encipher only - - decipher only - - any - - server auth - - client auth - - code signing - - email protection - - s/mime - - ipsec end system - - ipsec tunnel - - ipsec user - - timestamping - - ocsp signing - - microsoft sgc - - netscape sgc - status: - description: 'Status of the Certificate. This is set and managed automatically. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - conditions: - description: List of status conditions to indicate the status of certificates. Known condition types are `Ready` and `Issuing`. - type: array - items: - description: CertificateCondition contains condition information for an Certificate. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. 
For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Certificate. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`, `Issuing`). - type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - failedIssuanceAttempts: - description: The number of continuous failed issuance attempts up till now. This field gets removed (if set) on a successful issuance and gets set to 1 if unset and an issuance has failed. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). - type: integer - lastFailureTime: - description: LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset. - type: string - format: date-time - nextPrivateKeySecretName: - description: The name of the Secret resource containing the private key to be used for the next certificate iteration. The keymanager controller will automatically set this field if the `Issuing` condition is set to `True`. It will automatically unset this field when the Issuing condition is not set or False. - type: string - notAfter: - description: The expiration time of the certificate stored in the secret named by this resource in `spec.secretName`. 
- type: string - format: date-time - notBefore: - description: The time after which the certificate stored in the secret named by this resource in `spec.secretName` is valid. - type: string - format: date-time - renewalTime: - description: RenewalTime is the time at which the certificate will be next renewed. If not set, no upcoming renewal is scheduled. - type: string - format: date-time - revision: - description: "The current 'revision' of the certificate as issued. \n When a CertificateRequest resource is created, it will have the `cert-manager.io/certificate-revision` set to one greater than the current value of this field. \n Upon issuance, this field will be set to the value of the annotation on the CertificateRequest resource used to issue the certificate. \n Persisting the value on the CertificateRequest resource allows the certificates controller to know whether a request is part of an old issuance or if it is part of the ongoing revision's issuance by checking if the revision value in the annotation is greater than this field." - type: integer - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: challenges.acme.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: acme.cert-manager.io - names: - kind: Challenge - listKind: ChallengeList - plural: challenges - singular: challenge - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.dnsName - name: Domain - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - description: CreationTimestamp is a timestamp representing the server time when this object was created. 
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Challenge is a type to represent a Challenge request with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - authorizationURL - - dnsName - - issuerRef - - key - - solver - - token - - type - - url - properties: - authorizationURL: - description: The URL to the ACME Authorization resource that this challenge is a part of. - type: string - dnsName: - description: dnsName is the identifier that this challenge is for, e.g. example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. - type: string - issuerRef: - description: References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. 
- type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - key: - description: 'The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT record content.' - type: string - solver: - description: Contains the domain solving configuration that should be used to solve this challenge resource. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. 
- type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. 
- type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. 
If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. 
- type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. - type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - accessKeyIDSecretRef: - description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. 
- type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: 'The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. 
This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. `*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. 
\n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. 
\n Support: Extended \n " - type: integer - format: int32 - maximum: 65535 - minimum: 1 - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. 
- type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. 
This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. 
for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). 
- type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. 
- type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. 
The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
- type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. 
- type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - x-kubernetes-map-type: atomic - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. 
- type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
- type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - token: - description: The ACME challenge token for this challenge. This is the raw value returned from the ACME server. - type: string - type: - description: The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01". - type: string - enum: - - HTTP-01 - - DNS-01 - url: - description: The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. - type: string - wildcard: - description: wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'. - type: boolean - status: - type: object - properties: - presented: - description: presented will be set to true if the challenge values for this challenge are currently 'presented'. 
This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). - type: boolean - processing: - description: Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. - type: boolean - reason: - description: Contains human readable information on why the Challenge is in the current state. - type: string - state: - description: Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - served: true - storage: true - subresources: - status: {} ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterissuers.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: "cert-manager" - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: ClusterIssuer - listKind: ClusterIssuerList - plural: clusterissuers - singular: clusterissuer - categories: - - cert-manager - scope: Cluster - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was 
created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: A ClusterIssuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is similar to an Issuer, however it is cluster-scoped and therefore can be referenced by resources that exist in *any* namespace, not just the same namespace as the referent. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the ClusterIssuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. 
- type: string - format: byte - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. 
The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. 
In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. 
- type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - accessKeyIDSecretRef: - description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). 
\n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " - type: integer - format: int32 - maximum: 65535 - minimum: 1 - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. 
Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. 
Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. 
- type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. 
A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - x-kubernetes-map-type: atomic - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. 
- type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
- type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. 
If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceAccountRef: - description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. 
To use this field, you must configure an RBAC rule to let cert-manager request a token. - type: object - required: - - name - properties: - name: - description: Name of the ServiceAccount used to request a token. - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. - type: string - format: byte - caBundleSecretRef: - description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 
- type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the ClusterIssuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
- type: object - properties: - lastPrivateKeyHash: - description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). 
- type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: issuers.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: "cert-manager" - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: cert-manager.io - names: - kind: Issuer - listKind: IssuerList - plural: issuers - singular: issuer - categories: - - cert-manager - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Status - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: An Issuer represents a certificate issuing authority which can be referenced as part of `issuerRef` fields. It is scoped to a single namespace and can therefore only be referenced by resources within the same namespace. - type: object - required: - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Desired state of the Issuer resource. - type: object - properties: - acme: - description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. - type: object - required: - - privateKeySecretRef - - server - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which can be used to validate the certificate chain presented by the ACME server. Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various kinds of security vulnerabilities. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. - type: string - format: byte - disableAccountKeyGeneration: - description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new account but will expect the account key to be supplied via an existing secret. If false, the cert-manager system will generate a new ACME account key for the Issuer. Defaults to false. - type: boolean - email: - description: Email is the email address to be associated with the ACME account. This field is optional, but it is strongly recommended to be set. It will be used to contact you in case of issues with your account or certificates, including expiry notification emails. This field may be updated after the account is initially registered. - type: string - enableDurationFeature: - description: Enables requesting a Not After date on certificates that matches the duration of the certificate. This is not supported by all ACME servers like Let's Encrypt. If set to true when the ACME server does not support it it will create an error on the Order. 
Defaults to false. - type: boolean - externalAccountBinding: - description: ExternalAccountBinding is a reference to a CA external account of the ACME server. If set, upon registration cert-manager will attempt to associate the given external account credentials with the registered ACME account. - type: object - required: - - keyID - - keySecretRef - properties: - keyAlgorithm: - description: 'Deprecated: keyAlgorithm field exists for historical compatibility reasons and should not be used. The algorithm is now hardcoded to HS256 in golang/x/crypto/acme.' - type: string - enum: - - HS256 - - HS384 - - HS512 - keyID: - description: keyID is the ID of the CA key that the External Account is bound to. - type: string - keySecretRef: - description: keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes Secret which holds the symmetric MAC key of the External Account Binding. The `key` is the index string that is paired with the key data in the Secret and should not be confused with the key data itself, or indeed with the External Account Binding keyID above. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - preferredChain: - description: 'PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let''s Encrypt''s DST crosssign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let''s Encrypt root CA. 
This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer''s CN' - type: string - maxLength: 64 - privateKeySecretRef: - description: PrivateKey is the name of a Kubernetes Secret resource that will be used to store the automatically generated ACME account private key. Optionally, a `key` may be specified to select a specific entry within the named Secret resource. If `key` is not specified, a default of `tls.key` will be used. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - server: - description: 'Server is the URL used to access the ACME server''s ''directory'' endpoint. For example, for Let''s Encrypt''s staging endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". Only ACME v2 endpoints (i.e. RFC 8555) are supported.' - type: string - skipTLSVerify: - description: 'INSECURE: Enables or disables validation of the ACME server TLS certificate. If true, requests to the ACME server will not have the TLS certificate chain validated. Mutually exclusive with CABundle; prefer using CABundle to prevent various kinds of security vulnerabilities. Only enable this option in development environments. If CABundle and SkipTLSVerify are unset, the system certificate bundle inside the container is used to validate the TLS connection. Defaults to false.' - type: boolean - solvers: - description: 'Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. Solver configurations must be provided in order to obtain certificates from an ACME server. 
For more information, see: https://cert-manager.io/docs/configuration/acme/' - type: array - items: - description: An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of. A selector may be provided to use different solving strategies for different DNS names. Only one of HTTP01 or DNS01 must be provided. - type: object - properties: - dns01: - description: Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow. - type: object - properties: - acmeDNS: - description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records. - type: object - required: - - accountSecretRef - - host - properties: - accountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - host: - type: string - akamai: - description: Use the Akamai DNS zone management API to manage DNS01 challenge records. - type: object - required: - - accessTokenSecretRef - - clientSecretSecretRef - - clientTokenSecretRef - - serviceConsumerDomain - properties: - accessTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - clientTokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceConsumerDomain: - type: string - azureDNS: - description: Use the Microsoft Azure DNS API to manage DNS01 challenge records. - type: object - required: - - resourceGroupName - - subscriptionID - properties: - clientID: - description: if both this and ClientSecret are left unset MSI will be used - type: string - clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - environment: - description: name of the Azure environment (default AzurePublicCloud) - type: string - enum: - - AzurePublicCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureUSGovernmentCloud - hostedZoneName: - description: name of the DNS zone that should be used - type: string - managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID - type: object - properties: - clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID - type: string - resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID - type: string - resourceGroupName: - description: resource group the DNS zone is located in - type: string - subscriptionID: - description: ID of the Azure subscription - type: string - tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed - type: string - cloudDNS: - description: Use the Google Cloud DNS API to manage DNS01 challenge records. - type: object - required: - - project - properties: - hostedZoneName: - description: HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone. - type: string - project: - type: string - serviceAccountSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - cloudflare: - description: Use the Cloudflare API to manage DNS01 challenge records. - type: object - properties: - apiKeySecretRef: - description: 'API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - apiTokenSecretRef: - description: API token used to authenticate with Cloudflare. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - email: - description: Email of the account, only required when using API key based authentication. - type: string - cnameStrategy: - description: CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones. - type: string - enum: - - None - - Follow - digitalocean: - description: Use the DigitalOcean DNS API to manage DNS01 challenge records. - type: object - required: - - tokenSecretRef - properties: - tokenSecretRef: - description: A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - rfc2136: - description: Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records. - type: object - required: - - nameserver - properties: - nameserver: - description: The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional. This field is required. - type: string - tsigAlgorithm: - description: 'The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' - type: string - tsigKeyName: - description: The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required. - type: string - tsigSecretSecretRef: - description: The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - route53: - description: Use the AWS Route53 API to manage DNS01 challenge records. 
- type: object - required: - - region - properties: - accessKeyID: - description: 'The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: string - accessKeyIDSecretRef: - description: 'The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - hostedZoneID: - description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call. - type: string - region: - description: Always set the region when using AccessKeyID and SecretAccessKey - type: string - role: - description: Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata - type: string - secretAccessKeySecretRef: - description: 'The SecretAccessKey is used for authentication. 
If neither the Access Key nor Key ID are set, we fall-back to using env vars, shared credentials file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - webhook: - description: Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records. - type: object - required: - - groupName - - solverName - properties: - config: - description: Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g. credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. - x-kubernetes-preserve-unknown-fields: true - groupName: - description: The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation. - type: string - solverName: - description: The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g. 'cloudflare'. - type: string - http01: - description: Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g. 
`*.example.com`) using the HTTP01 challenge mechanism. - type: object - properties: - gatewayHTTPRoute: - description: The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future. - type: object - properties: - labels: - description: Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges. - type: object - additionalProperties: - type: string - parentRefs: - description: 'When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' - type: array - items: - description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n This API may be extended in the future to support additional kinds of parent resources. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." - type: object - required: - - name - properties: - group: - description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). 
\n Support: Core" - type: string - default: gateway.networking.k8s.io - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - kind: - description: "Kind is kind of the referent. \n There are two kinds of parent resources with \"Core\" support: \n * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, experimental, ClusterIP Services only) \n Support for other resources is Implementation-Specific." - type: string - default: Gateway - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - name: - description: "Name is the name of the referent. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" - type: string - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. 
\n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " - type: integer - format: int32 - maximum: 65535 - minimum: 1 - sectionName: - description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. 
Note that attaching Routes to Services as Parents is part of experimental Mesh support and is not supported for any other purpose. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" - type: string - maxLength: 253 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - ingress: - description: The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed. - type: object - properties: - class: - description: This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressClassName: - description: This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. 
Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - ingressTemplate: - description: Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver ingress. - type: object - additionalProperties: - type: string - name: - description: The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified. - type: string - podTemplate: - description: Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges. - type: object - properties: - metadata: - description: ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values. - type: object - properties: - annotations: - description: Annotations that should be added to the create ACME HTTP01 solver pods. - type: object - additionalProperties: - type: string - labels: - description: Labels that should be added to the created ACME HTTP01 solver pods. 
- type: object - additionalProperties: - type: string - spec: - description: PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored. - type: object - properties: - affinity: - description: If specified, the pod's scheduling constraints - type: object - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - type: array - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - type: object - required: - - preference - - weight - properties: - preference: - description: A node selector term, associated with the corresponding weight. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. 
If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - type: object - required: - - nodeSelectorTerms - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - type: array - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - type: object - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchFields: - description: A list of node selector requirements by node's fields. - type: array - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: The label key that the selector applies to. 
- type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - type: array - items: - type: string - x-kubernetes-map-type: atomic - x-kubernetes-map-type: atomic - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - type: object - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - type: array - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - type: object - required: - - podAffinityTerm - - weight - properties: - podAffinityTerm: - description: Required. 
A pod affinity term, associated with the corresponding weight. - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. 
- type: integer - format: int32 - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - type: array - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - type: object - required: - - topologyKey - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. - type: object - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - type: array - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - type: object - required: - - key - - operator - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - type: array - items: - type: string - matchLabels: - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - additionalProperties: - type: string - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". - type: array - items: - type: string - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - imagePullSecrets: - description: If specified, the pod's imagePullSecrets - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - x-kubernetes-map-type: atomic - nodeSelector: - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - additionalProperties: - type: string - priorityClassName: - description: If specified, the pod's priorityClassName. - type: string - serviceAccountName: - description: If specified, the pod's service account - type: string - tolerations: - description: If specified, the pod's tolerations. 
- type: array - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - type: object - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - type: integer - format: int64 - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - serviceType: - description: Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort. - type: string - selector: - description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead. 
- type: object - properties: - dnsNames: - description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - dnsZones: - description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. - type: array - items: - type: string - matchLabels: - description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. - type: object - additionalProperties: - type: string - ca: - description: CA configures this issuer to sign certificates using a signing CA keypair stored in a Secret resource. This is used to build internal PKIs that are managed by cert-manager. - type: object - required: - - secretName - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set, certificates will be issued without distribution points set. - type: array - items: - type: string - ocspServers: - description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. 
If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". - type: array - items: - type: string - secretName: - description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. - type: string - selfSigned: - description: SelfSigned configures this issuer to 'self sign' certificates using the private key used to create the CertificateRequest object. - type: object - properties: - crlDistributionPoints: - description: The CRL distribution points is an X.509 v3 certificate extension which identifies the location of the CRL from which the revocation of this certificate can be checked. If not set certificate will be issued without CDP. Values are strings. - type: array - items: - type: string - vault: - description: Vault configures this issuer to sign certificates using a HashiCorp Vault PKI backend. - type: object - required: - - auth - - path - - server - properties: - auth: - description: Auth configures how cert-manager authenticates with the Vault server. - type: object - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - type: object - required: - - path - - roleId - - secretRef - properties: - path: - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. 
- type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - type: object - required: - - role - properties: - mountPath: - description: The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the default value "/v1/auth/kubernetes" will be used. - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of 'ambient credentials' is not supported. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - serviceAccountRef: - description: A reference to a service account that will be used to request a bound token (also known as "projected token"). Compared to using "secretRef", using this field means that you don't rely on statically bound tokens. 
To use this field, you must configure an RBAC rule to let cert-manager request a token. - type: object - required: - - name - properties: - name: - description: Name of the ServiceAccount used to request a token. - type: string - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by Vault. Only used if using HTTPS to connect to Vault and ignored for HTTP connections. Mutually exclusive with CABundleSecretRef. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. - type: string - format: byte - caBundleSecretRef: - description: Reference to a Secret containing a bundle of PEM-encoded CAs to use when verifying the certificate chain presented by Vault when using HTTPS. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection. If no key for the Secret is specified, cert-manager will default to 'ca.crt'. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1" More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault PKI backend''s `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' - type: string - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - venafi: - description: Venafi configures this issuer to sign certificates using a Venafi TPP or Venafi Cloud policy zone. - type: object - required: - - zone - properties: - cloud: - description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. - type: object - required: - - apiTokenSecretRef - properties: - apiTokenSecretRef: - description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. - type: object - required: - - name - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: URL is the base URL for Venafi Cloud. Defaults to "https://api.venafi.cloud/v1". - type: string - tpp: - description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. 
- type: object - required: - - credentialsRef - - url - properties: - caBundle: - description: Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain. - type: string - format: byte - credentialsRef: - description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. - type: object - required: - - name - properties: - name: - description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - url: - description: 'URL is the base URL for the vedsdk endpoint of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' - type: string - zone: - description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. - type: string - status: - description: Status of the Issuer. This is set and managed automatically. - type: object - properties: - acme: - description: ACME specific status options. This field should only be set if the Issuer is configured to use an ACME server to issue certificates. 
- type: object - properties: - lastPrivateKeyHash: - description: LastPrivateKeyHash is a hash of the private key associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - lastRegisteredEmail: - description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer - type: string - uri: - description: URI is the unique account identifier, which can also be used to retrieve account details from the CA - type: string - conditions: - description: List of status conditions to indicate the status of a CertificateRequest. Known condition types are `Ready`. - type: array - items: - description: IssuerCondition contains condition information for an Issuer. - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. - type: string - format: date-time - message: - description: Message is a human readable description of the details of the last transition, complementing reason. - type: string - observedGeneration: - description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Issuer. - type: integer - format: int64 - reason: - description: Reason is a brief machine readable explanation for the condition's last transition. - type: string - status: - description: Status of the condition, one of (`True`, `False`, `Unknown`). - type: string - enum: - - "True" - - "False" - - Unknown - type: - description: Type of the condition, known values are (`Ready`). 
- type: string - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - served: true - storage: true ---- -# Source: cert-manager/templates/crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: orders.acme.cert-manager.io - labels: - app: 'cert-manager' - app.kubernetes.io/name: 'cert-manager' - app.kubernetes.io/instance: 'cert-manager' - # Generated labels - app.kubernetes.io/version: "v1.13.2" -spec: - group: acme.cert-manager.io - names: - kind: Order - listKind: OrderList - plural: orders - singular: order - categories: - - cert-manager - - cert-manager-acme - scope: Namespaced - versions: - - name: v1 - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.issuerRef.name - name: Issuer - priority: 1 - type: string - - jsonPath: .status.reason - name: Reason - priority: 1 - type: string - - jsonPath: .metadata.creationTimestamp - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. - name: Age - type: date - schema: - openAPIV3Schema: - description: Order is a type to represent an Order with an ACME server - type: object - required: - - metadata - - spec - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - type: object - required: - - issuerRef - - request - properties: - commonName: - description: CommonName is the common name as specified on the DER encoded CSR. If specified, this value must also be present in `dnsNames` or `ipAddresses`. This field must match the corresponding field on the DER encoded CSR. - type: string - dnsNames: - description: DNSNames is a list of DNS names that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - duration: - description: Duration is the duration for the not after date for the requested certificate. this is set on order creation as pe the ACME spec. - type: string - ipAddresses: - description: IPAddresses is a list of IP addresses that should be included as part of the Order validation process. This field must match the corresponding field on the DER encoded CSR. - type: array - items: - type: string - issuerRef: - description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed. - type: object - required: - - name - properties: - group: - description: Group of the resource being referred to. - type: string - kind: - description: Kind of the resource being referred to. - type: string - name: - description: Name of the resource being referred to. - type: string - request: - description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order. 
- type: string - format: byte - status: - type: object - properties: - authorizations: - description: Authorizations contains data returned from the ACME server on what authorizations must be completed in order to validate the DNS names specified on the Order. - type: array - items: - description: ACMEAuthorization contains data returned from the ACME server on an authorization that must be completed in order validate a DNS name on an ACME Order resource. - type: object - required: - - url - properties: - challenges: - description: Challenges specifies the challenge types offered by the ACME server. One of these challenge types will be selected when validating the DNS name and an appropriate Challenge resource will be created to perform the ACME challenge process. - type: array - items: - description: Challenge specifies a challenge offered by the ACME server for an Order. An appropriate Challenge resource can be created to perform the ACME challenge process. - type: object - required: - - token - - type - - url - properties: - token: - description: Token is the token that must be presented for this challenge. This is used to compute the 'key' that must also be presented. - type: string - type: - description: Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values will be ignored. - type: string - url: - description: URL is the URL of this challenge. It can be used to retrieve additional metadata about the Challenge from the ACME server. - type: string - identifier: - description: Identifier is the DNS name to be validated as part of this authorization - type: string - initialState: - description: InitialState is the initial state of the ACME authorization when first fetched from the ACME server. 
If an Authorization is already 'valid', the Order controller will not create a Challenge resource for the authorization. This will occur when working with an ACME server that enables 'authz reuse' (such as Let's Encrypt's production endpoint). If not set and 'identifier' is set, the state is assumed to be pending and a Challenge will be created. - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL is the URL of the Authorization that must be completed - type: string - wildcard: - description: Wildcard will be true if this authorization is for a wildcard DNS name. If this is true, the identifier will be the *non-wildcard* version of the DNS name. For example, if '*.example.com' is the DNS name being validated, this field will be 'true' and the 'identifier' field will be 'example.com'. - type: boolean - certificate: - description: Certificate is a copy of the PEM encoded certificate for this Order. This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state. - type: string - format: byte - failureTime: - description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off. - type: string - format: date-time - finalizeURL: - description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed. - type: string - reason: - description: Reason optionally provides more information about a why the order is in the current state. - type: string - state: - description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final' - type: string - enum: - - valid - - ready - - pending - - processing - - invalid - - expired - - errored - url: - description: URL of the Order. This will initially be empty when the resource is first created. 
The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set. - type: string - served: true - storage: true
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
index a4acb740..9095368c 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/addon.yaml
@@ -28,6 +28,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
name: {{ $addonNamespace }}
---
apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -38,6 +39,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
{{- if or $addonVersion $.Values.secretName }}
spec:
{{- end}}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml
deleted file mode 100644
index 4a5fc8d3..00000000
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/cert-manager.namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{- if index .Values "cert-manager" "enabled" }}
-apiVersion: v1
-kind: Namespace
-metadata:
- annotations:
- "helm.sh/hook": "pre-install"
- name: {{ index .Values "cert-manager" "namespace" }}
-{{- end }}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
index 260efb59..013a2ef0 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/core.yaml
@@ -37,12 +37,22 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
{{- if or $coreVersion $.Values.configSecret.name }}
spec:
{{- end}}
{{- if $coreVersion }}
version: {{ $coreVersion }}
{{- end }}
+{{- if $.Values.manager }}
+ manager:
+{{- if and $.Values.manager.featureGates $.Values.manager.featureGates.core }}
+ featureGates:
+ {{- range $key, $value := $.Values.manager.featureGates.core }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+{{- end }}
+{{- end }}
{{- if $.Values.configSecret.name }}
configSecret:
name: {{ $.Values.configSecret.name }}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml
index 806d0b1c..0b4c0916 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/deployment.yaml
@@ -95,10 +95,17 @@ spec:
- containerPort: 9443
name: webhook-server
protocol: TCP
+ - containerPort: {{ ( split ":" $.Values.metricsBindAddr)._1 | int }}
+ name: metrics
+ protocol: TCP
{{- with .Values.resources.manager }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
+ {{- with .Values.env.manager }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- with .Values.containerSecurityContext.manager }}
securityContext:
{{- toYaml . | nindent 12 }}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml
index 2d1e8cca..3c3a8a75 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra-conditions.yaml
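Review bot: The added `manager:` block is emitted whenever `.Values.manager` is set, but the unchanged context line `{{- if or $coreVersion $.Values.configSecret.name }}` still decides whether `spec:` is written, so a values file that sets `manager.featureGates.core` without `version` or `configSecret` renders `manager:` with no `spec:` parent and the CoreProvider is either rejected by the API server or the gates are silently dropped. The infra.yaml hunk in this same commit already widens that condition; core.yaml should match it: `{{- if or $coreVersion $.Values.configSecret.name $.Values.manager }}`. The infra variant also checks `kindIs "map" $.Values.manager.featureGates` before dereferencing it, which this hunk omits — a scalar `featureGates` value fails here with a raw Go-template error instead of a clear message.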
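Review bot: `( split ":" $.Values.metricsBindAddr)._1 | int` assumes the value always contains a colon; an empty value or a bare port such as `8080` leaves `_1` unset, `int` turns it into 0, and the Deployment is rejected for `containerPort: 0`. Fail at render time instead, e.g. `{{ required "metricsBindAddr must be host:port" (split ":" $.Values.metricsBindAddr)._1 | int }}`, or wrap the whole port entry in `{{- with $.Values.metricsBindAddr }}`. The new `{{- with .Values.env.manager }}` also raises a nil-pointer template error if `env` is not declared in values.yaml (not visible in this diff); nest it as `{{- with .Values.env }}{{- with .manager }} … {{- end }}{{- end }}` or make sure `env: {}` is in the chart defaults. Note that listing the port here is declarative only — it changes nothing about what the manager binds and adds no authentication in front of the metrics endpoint, so document it as such rather than as an exposure control.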
@@ -9,6 +9,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
name: capi-kubeadm-bootstrap-system
---
apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -19,6 +20,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
{{- with .Values.configSecret }}
spec:
configSecret:
@@ -37,6 +39,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
name: capi-kubeadm-control-plane-system
---
apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -47,6 +50,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
+ "argocd.argoproj.io/sync-wave": "2"
{{- with .Values.configSecret }}
spec:
configSecret:
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml
index e2f8b24b..2a4488c2 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/infra.yaml
@@ -28,6 +28,7 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "1"
+ "argocd.argoproj.io/sync-wave": "1"
name: {{ $infrastructureNamespace }}
---
apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -38,12 +39,26 @@ metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook-weight": "2"
-{{- if or $infrastructureVersion $.Values.configSecret.name }}
+ "argocd.argoproj.io/sync-wave": "2"
+{{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager }}
spec:
{{- end }}
{{- if $infrastructureVersion }}
version: {{ $infrastructureVersion }}
{{- end }}
+{{- if $.Values.manager }}
+ manager:
+{{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }}
+{{- range $key, $value := $.Values.manager.featureGates }}
+ {{- if eq $key $infrastructureName }}
+ featureGates:
+ {{- range $k, $v := $value }}
+ {{ $k }}: {{ $v }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
{{- if $.Values.configSecret.name }}
configSecret:
name: {{ $.Values.configSecret.name }}
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml b/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml
index 0e3aaf98..03b1cec6 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/templates/operator-components.yaml
@@ -3,7 +3,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert'
- controller-gen.kubebuilder.io/version: v0.11.4
+ controller-gen.kubebuilder.io/version: v0.14.0
+ helm.sh/resource-policy: keep
labels:
clusterctl.cluster.x-k8s.io/core: capi-operator
name: addonproviders.operator.cluster.x-k8s.io
@@ -25,6 +26,8 @@ spec:
kind: AddonProvider
listKind: AddonProviderList
plural: addonproviders
+ shortNames:
+ - caap
singular: addonprovider
scope: Namespaced
versions:
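Review bot: The hunk writes `manager:` for every InfrastructureProvider as soon as `.Values.manager` is set, but `featureGates:` only when the map has a key for `$infrastructureName`, so gates configured for `core` alone render an empty `manager:` (YAML null) on each infra provider — likely pruned by the API server, but that depends on the CRD's nullability and deserves a `helm template` check before release. The inner `range … if eq $key $infrastructureName` walks the whole map to find the key that `hasKey` has already confirmed; `index` fetches it directly and drops one nesting level, which also makes the `{{- end }}` ladder easier to audit. Rewritten added lines:
```yaml
# … unchanged: spec:/version: lines …
{{- if $.Values.manager }}
  manager:
{{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }}
    featureGates:
    {{- range $k, $v := index $.Values.manager.featureGates $infrastructureName }}
      {{ $k }}: {{ $v }}
    {{- end }}
{{- end }}
{{- end }}
```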
@@ -41,14 +44,19 @@ spec: description: AddonProvider is the Schema for the addonproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -56,12 +64,11 @@ spec: description: AddonProviderSpec defines the desired state of AddonProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -73,14 +80,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -103,22 +110,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -128,32 +133,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -166,32 +165,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -213,53 +206,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -272,32 +258,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -320,18 +300,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -342,38 +320,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -385,53 +359,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -443,42 +439,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -487,55 +478,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -548,51 +535,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -605,33 +615,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -644,18 +650,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -666,38 +670,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -709,53 +709,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -767,42 +789,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -811,55 +828,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -872,51 +885,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -929,33 +965,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -966,19 +998,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -999,17 +1032,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -1022,10 +1054,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -1036,11 +1068,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -1055,11 +1085,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -1089,10 +1117,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -1117,19 +1145,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -1146,8 +1179,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -1156,11 +1190,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -1170,12 +1204,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -1183,10 +1220,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -1199,83 +1236,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1287,19 +1323,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -1307,36 +1343,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -1345,26 +1387,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -1374,47 +1416,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -1426,37 +1473,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -1464,28 +1514,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -1503,37 +1556,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -1542,8 +1595,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -1566,7 +1620,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: bootstrapproviders.operator.cluster.x-k8s.io @@ -1588,6 +1643,8 @@ spec: kind: BootstrapProvider listKind: BootstrapProviderList plural: bootstrapproviders + shortNames: + - cabp singular: bootstrapprovider scope: Namespaced versions: 
@@ -1598,20 +1655,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: BootstrapProvider is the Schema for the bootstrapproviders API. + description: |- + BootstrapProvider is the Schema for the bootstrapproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1619,12 +1686,11 @@ spec: description: BootstrapProviderSpec defines the desired state of BootstrapProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -1647,22 +1713,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -1672,32 +1736,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1710,32 +1768,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1757,53 +1809,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1816,32 +1861,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1864,18 +1903,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -1886,38 +1923,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1929,53 +1962,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1987,42 +2042,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -2031,55 +2081,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2092,51 +2138,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2149,33 +2218,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -2188,18 +2253,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -2210,38 +2273,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2253,53 +2312,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2311,42 +2392,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -2355,55 +2431,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2416,51 +2488,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2473,33 +2568,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -2510,19 +2601,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -2543,17 +2635,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -2566,10 +2657,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -2580,11 +2671,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -2599,11 +2688,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -2633,10 +2720,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -2672,19 +2759,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -2701,8 +2793,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -2711,11 +2804,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -2725,12 +2818,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -2738,10 +2834,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -2754,83 +2850,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2842,19 +2937,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -2862,36 +2957,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -2900,26 +3001,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -2929,47 +3030,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -2981,37 +3087,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -3019,35 +3128,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -3063,37 +3175,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -3102,8 +3214,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -3133,14 +3246,19 @@ spec: description: BootstrapProvider is the Schema for the bootstrapproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3148,12 +3266,11 @@ spec: description: BootstrapProviderSpec defines the desired state of BootstrapProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -3165,14 +3282,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -3195,22 +3312,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -3220,32 +3335,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3258,32 +3367,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3305,53 +3408,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3364,32 +3460,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3412,18 +3502,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -3434,38 +3522,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3477,53 +3561,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3535,42 +3641,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -3579,55 +3680,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -3640,51 +3737,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -3697,33 +3817,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -3736,18 +3852,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -3758,38 +3872,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3801,53 +3911,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3859,42 +3991,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -3903,55 +4030,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -3964,51 +4087,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -4021,33 +4167,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -4058,19 +4200,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -4091,17 +4234,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -4114,10 +4256,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -4128,11 +4270,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -4147,11 +4287,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -4181,10 +4319,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -4209,19 +4347,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -4238,8 +4381,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -4248,11 +4392,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -4262,12 +4406,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -4275,10 +4422,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -4291,83 +4438,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4379,19 +4525,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -4399,36 +4545,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -4437,26 +4589,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -4466,47 +4618,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -4518,37 +4675,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -4556,28 +4716,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -4595,37 +4758,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -4634,8 +4797,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -4658,7 +4822,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: controlplaneproviders.operator.cluster.x-k8s.io @@ -4680,6 +4845,8 @@ spec: kind: ControlPlaneProvider listKind: ControlPlaneProviderList plural: controlplaneproviders + shortNames: + - cacpp singular: controlplaneprovider scope: Namespaced versions: 
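Review bot: The new `helm.sh/resource-policy: keep` on the controlplaneproviders CRD (hunk `@@ -4658,7 +4822,8 @@`) means `helm uninstall` leaves the CRD, and with it every ControlPlaneProvider object, in the cluster while the rest of the release is removed, and the chart does not say so anywhere visible here. The same metadata block keeps `cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert'`, so after an uninstall or a reinstall into a different namespace the referenced Certificate no longer exists and whatever CA bundle cert-manager injected into the CRD (presumably for a conversion webhook configured outside this hunk) is left stale rather than rotated. A one-line comment next to the annotation would make the trade-off explicit, e.g. `# kept across helm uninstall so provider objects survive; inject-ca-from must be updated if the release moves namespace`. The other CRDs regenerated in this commit likely carry the same annotation and deserve the same note.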
@@ -4690,21 +4857,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: ControlPlaneProvider is the Schema for the controlplaneproviders - API. + description: |- + ControlPlaneProvider is the Schema for the controlplaneproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
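Review bot: `deprecated: true` is set on the v1alpha1 version of controlplaneproviders without a `deprecationWarning`, so the API server emits only its generic deprecation message and clients are not told which version to migrate to. The schema description added in the same hunk ("Deprecated: This type will be removed in one of the next releases") also names no successor. If a newer version is served by this CRD, add alongside `deprecated: true` a line such as `deprecationWarning: "operator.cluster.x-k8s.io/v1alpha1 ControlPlaneProvider is deprecated; use <replacement version> instead"` with the real version filled in. The `versions:` list continues outside this hunk, so the successor entry, if any, is not visible here.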
@@ -4712,12 +4888,11 @@ spec: description: ControlPlaneProviderSpec defines the desired state of ControlPlaneProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -4740,22 +4915,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -4765,32 +4938,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4803,32 +4970,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4850,53 +5011,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4909,32 +5063,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4957,18 +5105,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -4979,38 +5125,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5022,53 +5164,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5080,42 +5244,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -5124,55 +5283,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5185,51 +5340,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5242,33 +5420,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -5281,18 +5455,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -5303,38 +5475,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5346,53 +5514,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5404,42 +5594,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -5448,55 +5633,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5509,51 +5690,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5566,33 +5770,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -5603,19 +5803,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -5636,17 +5837,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -5659,10 +5859,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -5673,11 +5873,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -5692,11 +5890,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -5726,10 +5922,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -5765,19 +5961,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -5794,8 +5995,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -5804,11 +6006,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -5818,12 +6020,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -5831,10 +6036,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -5847,83 +6052,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5935,19 +6139,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -5955,36 +6159,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -5993,26 +6203,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -6022,47 +6232,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -6074,37 +6289,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -6112,35 +6330,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -6157,37 +6378,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -6196,8 +6417,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -6228,14 +6450,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6243,12 +6470,11 @@ spec: description: ControlPlaneProviderSpec defines the desired state of ControlPlaneProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -6260,14 +6486,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -6290,22 +6516,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -6315,32 +6539,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6353,32 +6571,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6400,53 +6612,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6459,32 +6664,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6507,18 +6706,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -6529,38 +6726,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6572,53 +6765,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6630,42 +6845,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -6674,55 +6884,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6735,51 +6941,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6792,33 +7021,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -6831,18 +7056,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -6853,38 +7076,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6896,53 +7115,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6954,42 +7195,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -6998,55 +7234,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7059,51 +7291,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7116,33 +7371,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -7153,19 +7404,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -7186,17 +7438,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -7209,10 +7460,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -7223,11 +7474,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -7242,11 +7491,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -7276,10 +7523,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -7304,19 +7551,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -7333,8 +7585,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -7343,11 +7596,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -7357,12 +7610,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -7370,10 +7626,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -7386,83 +7642,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7474,19 +7729,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -7494,36 +7749,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -7532,26 +7793,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -7561,47 +7822,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -7613,37 +7879,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -7651,28 +7920,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -7691,37 +7963,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -7730,8 +8002,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -7754,7 +8027,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: coreproviders.operator.cluster.x-k8s.io @@ -7776,6 +8050,8 @@ spec: kind: CoreProvider listKind: CoreProviderList plural: coreproviders + shortNames: + - cacp singular: coreprovider scope: Namespaced versions: 
@@ -7786,20 +8062,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: CoreProvider is the Schema for the coreproviders API. + description: |- + CoreProvider is the Schema for the coreproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -7807,12 +8093,11 @@ spec: description: CoreProviderSpec defines the desired state of CoreProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -7835,22 +8120,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -7860,32 +8143,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -7898,32 +8175,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -7945,53 +8216,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -8004,32 +8268,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -8052,18 +8310,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -8074,38 +8330,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8117,53 +8369,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8175,42 +8449,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -8219,55 +8488,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8280,51 +8545,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8337,33 +8625,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -8376,18 +8660,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -8398,38 +8680,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8441,53 +8719,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8499,42 +8799,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -8543,55 +8838,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8604,51 +8895,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8661,33 +8975,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -8698,19 +9008,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -8731,17 +9042,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -8754,10 +9064,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -8768,11 +9078,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -8787,11 +9095,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -8821,10 +9127,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -8860,19 +9166,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -8889,8 +9200,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -8899,11 +9211,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -8913,12 +9225,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -8926,10 +9241,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -8942,83 +9257,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9030,19 +9344,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -9050,36 +9364,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -9088,26 +9408,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -9117,47 +9437,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -9169,37 +9494,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -9207,35 +9535,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -9251,37 +9582,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -9290,8 +9621,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -9321,14 +9653,19 @@ spec: description: CoreProvider is the Schema for the coreproviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -9336,12 +9673,11 @@ spec: description: CoreProviderSpec defines the desired state of CoreProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -9353,14 +9689,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -9383,22 +9719,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -9408,32 +9742,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9446,32 +9774,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9493,53 +9815,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9552,32 +9867,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -9600,18 +9909,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -9622,38 +9929,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9665,53 +9968,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9723,42 +10048,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -9767,55 +10087,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9828,51 +10144,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9885,33 +10224,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -9924,18 +10259,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -9946,38 +10279,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -9989,53 +10318,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10047,42 +10398,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -10091,55 +10437,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10152,51 +10494,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10209,33 +10574,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -10246,19 +10607,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -10279,17 +10641,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -10302,10 +10663,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -10316,11 +10677,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -10335,11 +10694,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -10369,10 +10726,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -10397,19 +10754,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -10426,8 +10788,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -10436,11 +10799,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -10450,12 +10813,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -10463,10 +10829,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -10479,83 +10845,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10567,19 +10932,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -10587,36 +10952,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -10625,26 +10996,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -10654,47 +11025,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -10706,37 +11082,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -10744,28 +11123,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -10783,37 +11165,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -10822,8 +11204,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that @@ -10846,7 +11229,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: infrastructureproviders.operator.cluster.x-k8s.io @@ -10868,6 +11252,8 @@ spec: kind: InfrastructureProvider listKind: InfrastructureProviderList plural: infrastructureproviders + shortNames: + - caip singular: infrastructureprovider scope: Namespaced versions: 
@@ -10878,21 +11264,30 @@ spec: - jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string + deprecated: true name: v1alpha1 schema: openAPIV3Schema: - description: InfrastructureProvider is the Schema for the infrastructureproviders - API. + description: |- + InfrastructureProvider is the Schema for the infrastructureproviders API. + + + Deprecated: This type will be removed in one of the next releases. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -10900,12 +11295,11 @@ spec: description: InfrastructureProviderSpec defines the desired state of InfrastructureProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -10928,22 +11322,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -10953,32 +11345,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -10991,32 +11377,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -11038,53 +11418,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -11097,32 +11470,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -11145,18 +11512,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -11167,38 +11532,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11210,53 +11571,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11268,42 +11651,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -11312,55 +11690,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11373,51 +11747,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11430,33 +11827,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -11469,18 +11862,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -11491,38 +11882,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11534,53 +11921,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11592,42 +12001,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -11636,55 +12040,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11697,51 +12097,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11754,33 +12177,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -11791,19 +12210,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -11824,17 +12244,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -11847,10 +12266,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -11861,11 +12280,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -11880,11 +12297,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -11914,10 +12329,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -11953,19 +12368,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -11982,8 +12402,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -11992,11 +12413,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -12006,12 +12427,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -12019,10 +12443,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -12035,83 +12459,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -12123,19 +12546,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -12143,36 +12566,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -12181,26 +12610,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -12210,47 +12639,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -12262,37 +12696,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains the controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -12300,35 +12737,38 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object secretName: - description: SecretName is the name of the Secret providing the configuration + description: |- + SecretName is the name of the Secret providing the configuration variables for the current provider instance, like e.g. credentials. - Such configurations will be used when creating or upgrading provider - components. The contents of the secret will be treated as immutable. - If changes need to be made, a new object can be created and the - name should be updated. The contents should be in the form of key:value. - This secret must be in the same namespace as the provider. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. 
If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. type: string secretNamespace: - description: SecretNamespace is the namespace of the Secret providing - the configuration variables. If not specified, the namespace of - the provider will be used. + description: |- + SecretNamespace is the namespace of the Secret providing the configuration variables. If not specified, + the namespace of the provider will be used. type: string version: description: Version indicates the provider version. 
@@ -12345,37 +12785,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -12384,8 +12824,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -12416,14 +12857,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -12431,12 +12877,11 @@ spec: description: InfrastructureProviderSpec defines the desired state of InfrastructureProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -12448,14 +12893,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -12478,22 +12923,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -12503,32 +12946,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12541,32 +12978,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12588,53 +13019,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12647,32 +13071,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -12695,18 +13113,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -12717,38 +13133,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -12760,53 +13172,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -12818,42 +13252,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -12862,55 +13291,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12923,51 +13348,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12980,33 +13428,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -13019,18 +13463,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -13041,38 +13483,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13084,53 +13522,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13142,42 +13602,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -13186,55 +13641,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13247,51 +13698,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13304,33 +13778,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -13341,19 +13811,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -13374,17 +13845,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -13397,10 +13867,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -13411,11 +13881,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -13430,11 +13898,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -13464,10 +13930,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -13492,19 +13958,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -13521,8 +13992,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -13531,11 +14003,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -13545,12 +14017,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -13558,10 +14033,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -13574,83 +14049,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13662,19 +14136,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -13682,36 +14156,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -13720,26 +14200,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -13749,47 +14229,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -13801,37 +14286,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -13839,28 +14327,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -13879,37 +14370,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime
@@ -13918,8 +14409,9 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that
@@ -13942,7 +14434,8 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep labels: clusterctl.cluster.x-k8s.io/core: capi-operator name: ipamproviders.operator.cluster.x-k8s.io
@@ -13964,6 +14457,8 @@ spec: kind: IPAMProvider listKind: IPAMProviderList plural: ipamproviders + shortNames: + - caipamp singular: ipamprovider scope: Namespaced versions:
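Review bot: The `helm.sh/resource-policy: keep` annotation added to the ipamproviders.operator.cluster.x-k8s.io CRD (hunk `@@ -13942,7 +14434,8 @@`) changes uninstall behaviour, not just generated text: Helm will no longer delete this CRD, so the definition and any IPAMProvider objects stored under it survive a release removal and must be cleaned up by hand. The controller-gen bump to v0.14.0 suggests this file was regenerated from upstream, so the annotation presumably arrives with that regeneration rather than as a deliberate local choice; a short comment above the annotation, e.g. `# kept on uninstall; delete the CRD manually to remove IPAMProvider objects`, or a note in the chart README, would make the retained-resource behaviour visible to operators. The same annotation likely appears on the other CRDs in this file, but their hunks are outside this view.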
@@ -13980,14 +14475,19 @@ spec: description: IPAMProvider is the Schema for the IPAMProviders API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -13995,12 +14495,11 @@ spec: description: IPAMProviderSpec defines the desired state of IPAMProvider. properties: additionalManifests: - description: AdditionalManifests is reference to configmap that contains - additional manifests that will be applied together with the provider - components. The key for storing these manifests has to be `manifests`. - The manifests are applied only once when a certain release is installed/upgraded. - If namespace is not specified, the namespace of the provider will - be used. There is no validation of the yaml content inside the configmap. + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. properties: name: description: Name defines the name of the configmap. 
@@ -14012,14 +14511,14 @@ spec: - name type: object configSecret: - description: ConfigSecret is the object with name and namespace of - the Secret providing the configuration variables for the current - provider instance, like e.g. credentials. Such configurations will - be used when creating or upgrading provider components. The contents - of the secret will be treated as immutable. If changes need to be - made, a new object can be created and the name should be updated. - The contents should be in the form of key:value. This secret must - be in the same namespace as the provider. + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. + The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. properties: name: description: Name defines the name of the secret. 
@@ -14042,22 +14541,20 @@ spec: the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches - all objects with implicit weight 0 (i.e. it's a no-op). - A null preferred scheduling term matches no objects - (i.e. is also a no-op). + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with 
@@ -14067,32 +14564,26 @@ spec: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14105,32 +14596,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14152,53 +14637,46 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to an update), the system - may or may not try to eventually evict the pod from - its node. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them are - ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. 
+ description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14211,32 +14689,26 @@ spec: description: A list of node selector requirements by node's fields. items: - description: A node selector requirement is - a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, the - values array must be non-empty. If the - operator is Exists or DoesNotExist, - the values array must be empty. If the - operator is Gt or Lt, the values array - must have a single element, which will - be interpreted as an integer. This array - is replaced during a strategic merge - patch. + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -14259,18 +14731,16 @@ spec: other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -14281,38 +14751,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14324,53 +14790,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14382,42 +14870,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -14426,55 +14909,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14487,51 +14966,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14544,33 +15046,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -14583,18 +15081,16 @@ spec: as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node that - violates one or more of the expressions. The node that - is most preferred is the one with the greatest sum of - weights, i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - anti-affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred 
@@ -14605,38 +15101,34 @@ spec: with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, - in this case pods. + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14648,53 +15140,75 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. 
If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -14706,42 +15220,37 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. format: int32 type: integer required: 
@@ -14750,55 +15259,51 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the pod - will not be scheduled onto the node. If the anti-affinity - requirements specified by this field cease to be met - at some point during pod execution (e.g. due to a pod - label update), the system may or may not try to eventually - evict the pod from its node. When there are multiple - elements, the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. 
+ description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14811,51 +15316,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. 
The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14868,33 +15396,29 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. 
+ description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. type: string required: - topologyKey @@ -14905,19 +15429,20 @@ spec: containers: description: List of containers specified in the Deployment items: - description: ContainerSpec defines the properties available - to override for each container in a provider deployment such - as Image and Args to the container’s entrypoint. + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. properties: args: additionalProperties: type: string - description: Args represents extra provider specific flags - that are not encoded as fields in this API. Explicit controller - manager properties defined in the `Provider.ManagerSpec` + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. + Explicit controller manager properties defined in the `Provider.ManagerSpec` will have higher precedence than those defined in `ContainerSpec.Args`. - For example, `ManagerSpec.SyncPeriod` will be used instead - of the container arg `--sync-period` if both are defined. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. type: object command: 
@@ -14938,17 +15463,16 @@ spec: be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are - expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, the - reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". Escaped - references will never be expanded, regardless of - whether the variable exists or not. Defaults to - "".' + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". type: string valueFrom: description: Source for the environment variable's @@ -14961,10 +15485,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap 
@@ -14975,11 +15499,9 @@ spec: type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: description: Version of the schema the FieldPath @@ -14994,11 +15516,9 @@ spec: type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported.' + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: description: 'Container name: required for @@ -15028,10 +15548,10 @@ spec: from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or 
@@ -15056,19 +15576,24 @@ spec: description: Compute resources required by this container. properties: claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where - this field is used. It makes that resource available + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available inside a container. type: string required: @@ -15085,8 +15610,9 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of - compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: 
@@ -15095,11 +15621,11 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is omitted - for a container, it defaults to Limits if that is - explicitly specified, otherwise to an implementation-defined - value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object required: @@ -15109,12 +15635,15 @@ spec: imagePullSecrets: description: List of image pull secrets specified in the Deployment items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same namespace. + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic 
@@ -15122,10 +15651,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for - the pod to fit on a node. Selector which must match a node''s - labels for the pod to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object replicas: description: Number of desired pods. This is a pointer to distinguish 
@@ -15138,83 +15667,82 @@ spec: tolerations: description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). 
Zero and negative values will - be treated as 0 (evict immediately) by the system. + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array type: object fetchConfig: - description: FetchConfig determines how the operator will fetch the - components and metadata for the provider. If nil, the operator will - try to fetch components according to default embedded fetch configuration - for the given kind and `ObjectMeta.Name`. For example, the infrastructure - name `aws` will fetch artifacts from https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. properties: selector: - description: 'Selector to be used for fetching provider’s components - and metadata from ConfigMaps stored inside the cluster. Each - ConfigMap is expected to contain components and metadata for - a specific version only. 
Note: the name of the ConfigMap should - be set to the version or to override this add a label like the - following: provider.cluster.x-k8s.io/version=v1.4.3' + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -15226,19 +15754,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic url: - description: URL to be used for fetching the provider’s components - and metadata from a remote Github repository. For example, https://github.com/{owner}/{repository}/releases - You must set `providerSpec.Version` field for operator to pick - up desired version of the release from GitHub. + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. type: string type: object manager: 
@@ -15246,36 +15774,42 @@ spec: the controller manager for the provider. properties: cacheNamespace: - description: "CacheNamespace if specified restricts the manager's - cache to watch objects in the desired namespace Defaults to - all namespaces \n Note: If a namespace is specified, controllers - can still Watch for a cluster-scoped resource (e.g Node). For - namespaced resources the cache will only hold objects from the - desired namespace." + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). For namespaced resources the cache + will only hold objects from the desired namespace. type: string controller: - description: Controller contains global configuration options - for controllers registered within this manager. + description: |- + Controller contains global configuration options for controllers + registered within this manager. properties: cacheSyncTimeout: - description: CacheSyncTimeout refers to the time limit set - to wait for syncing caches. Defaults to 2 minutes if not - set. + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. format: int64 type: integer groupKindConcurrency: additionalProperties: type: integer - description: "GroupKindConcurrency is a map from a Kind to - the number of concurrent reconciliation allowed for that - controller. \n When a controller is registered within this - manager using the builder utilities, users have to specify - the type the controller reconciles in the For(...) call. - If the object's kind passed matches one of the keys in this - map, the concurrency for that controller is set to the number - specified. \n The key is expected to be consistent in form - with GroupKind.String(), e.g. 
ReplicaSet in apps group (regardless - of version) would be `ReplicaSet.apps`." + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. type: object recoverPanic: description: RecoverPanic indicates if panics should be recovered. 
@@ -15284,26 +15818,26 @@ spec: featureGates: additionalProperties: type: boolean - description: FeatureGates define provider specific feature flags - that will be passed in as container args to the provider's controller - manager. Controller Manager flag is --feature-gates. + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. type: object gracefulShutDown: - description: GracefulShutdownTimeout is the duration given to - runnable to stop before the manager actually returns on stop. - To disable graceful shutdown, set to time.Duration(0) To use - graceful shutdown without timeout, set to a negative duration, - e.G. time.Duration(-1) The graceful shutdown is skipped for - safety reasons in case the leader election lease is lost. + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. type: string health: description: Health contains the controller health configuration properties: healthProbeBindAddress: - description: HealthProbeBindAddress is the TCP address that - the controller should bind to for serving health probes - It can be set to "0" or "" to disable serving the health - probe. + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. type: string livenessEndpointName: description: LivenessEndpointName, defaults to "healthz" 
@@ -15313,47 +15847,52 @@ spec: type: string type: object leaderElection: - description: LeaderElection is the LeaderElection config to be - used when configuring the manager.Manager leader election + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election properties: leaderElect: - description: leaderElect enables a leader election client - to gain leadership before executing the main loop. Enable - this when running replicated components for high availability. + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. type: boolean leaseDuration: - description: leaseDuration is the duration that non-leader - candidates will wait after observing a leadership renewal - until attempting to acquire leadership of a led but unrenewed - leader slot. This is effectively the maximum duration that - a leader can be stopped before it is replaced by another - candidate. This is only applicable if leader election is + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is enabled. type: string renewDeadline: - description: renewDeadline is the interval between attempts - by the acting master to renew a leadership slot before it - stops leading. This must be less than or equal to the lease - duration. This is only applicable if leader election is - enabled. + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. 
This is only applicable if leader + election is enabled. type: string resourceLock: - description: resourceLock indicates the resource object type - that will be used to lock during leader election cycles. + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. type: string resourceName: - description: resourceName indicates the name of resource object - that will be used to lock during leader election cycles. + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. type: string resourceNamespace: - description: resourceName indicates the namespace of resource - object that will be used to lock during leader election - cycles. + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. type: string retryPeriod: - description: retryPeriod is the duration the clients should - wait between attempting acquisition and renewal of a leadership. - This is only applicable if leader election is enabled. + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. type: string required: - leaderElect 
@@ -15365,37 +15904,40 @@ spec: - retryPeriod type: object maxConcurrentReconciles: - description: MaxConcurrentReconciles is the maximum number of - concurrent Reconciles which can be run. + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. minimum: 1 type: integer metrics: description: Metrics contains thw controller metrics configuration properties: bindAddress: - description: BindAddress is the TCP address that the controller - should bind to for serving prometheus metrics. It can be - set to "0" to disable the metrics serving. + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. type: string type: object profilerAddress: - description: ProfilerAddress defines the bind address to expose - the pprof profiler (e.g. localhost:6060). Default empty, meaning - the profiler is disabled. Controller Manager flag is --profiler-address. + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. type: string syncPeriod: - description: SyncPeriod determines the minimum frequency at which - watched resources are reconciled. A lower period will correct - entropy more quickly, but reduce responsiveness to change if - there are many watched resources. Change this value only if - you know what you are doing. Defaults to 10 hours if unset. - there will a 10 percent jitter between the SyncPeriod of all - controllers so that all controllers will not send list requests - simultaneously. + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. 
Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. type: string verbosity: default: 1 - description: Verbosity set the logs verbosity. Defaults to 1. + description: |- + Verbosity set the logs verbosity. Defaults to 1. Controller Manager flag is --verbosity. minimum: 0 type: integer 
@@ -15403,28 +15945,31 @@ spec: description: Webhook contains the controllers webhook configuration properties: certDir: - description: CertDir is the directory that contains the server - key and certificate. if not set, webhook server would look - up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs. - The server key and certificate must be named tls.key and - tls.crt, respectively. + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. type: string host: - description: Host is the hostname that the webhook server - binds to. It is used to set webhook.Server.Host. + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. type: string port: - description: Port is the port that the webhook server serves - at. It is used to set webhook.Server.Port. + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. type: integer type: object type: object manifestPatches: - description: ManifestPatches are applied to rendered provider manifests - to customize the provider manifests. Patches are applied in the - order they are specified. The `kind` field must match the target - object, and if `apiVersion` is specified it will only be applied - to matching objects. This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. 
+ This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 items: type: string type: array 
@@ -15442,37 +15987,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime 
@@ -15481,8 +16026,1629 @@ spec: type: object type: array contract: - description: Contract will contain the core provider contract that - the provider is abiding by, like e.g. v1alpha4. + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. + type: string + installedVersion: + description: InstalledVersion is the version of the provider that + is installed. + type: string + observedGeneration: + description: ObservedGeneration is the latest generation observed + by the controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/capi-operator-serving-cert' + controller-gen.kubebuilder.io/version: v0.14.0 + helm.sh/resource-policy: keep + labels: + clusterctl.cluster.x-k8s.io/core: capi-operator + name: runtimeextensionproviders.operator.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: Cg== + service: + name: capi-operator-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /convert + conversionReviewVersions: + - v1 + - v1alpha1 + group: operator.cluster.x-k8s.io + names: + kind: RuntimeExtensionProvider + listKind: RuntimeExtensionProviderList + plural: runtimeextensionproviders + shortNames: + - carep + singular: runtimeextensionprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.installedVersion + name: InstalledVersion + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: RuntimeExtensionProvider is the Schema for the RuntimeExtensionProviders + API. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: RuntimeExtensionProviderSpec defines the desired state of + RuntimeExtensionProvider. + properties: + additionalManifests: + description: |- + AdditionalManifests is reference to configmap that contains additional manifests that will be applied + together with the provider components. The key for storing these manifests has to be `manifests`. + The manifests are applied only once when a certain release is installed/upgraded. If namespace is not specified, the + namespace of the provider will be used. There is no validation of the yaml content inside the configmap. + properties: + name: + description: Name defines the name of the configmap. + type: string + namespace: + description: Namespace defines the namespace of the configmap. + type: string + required: + - name + type: object + configSecret: + description: |- + ConfigSecret is the object with name and namespace of the Secret providing + the configuration variables for the current provider instance, like e.g. credentials. + Such configurations will be used when creating or upgrading provider components. + The contents of the secret will be treated as immutable. If changes need + to be made, a new object can be created and the name should be updated. 
+ The contents should be in the form of key:value. This secret must be in + the same namespace as the provider. + properties: + name: + description: Name defines the name of the secret. + type: string + namespace: + description: Namespace defines the namespace of the secret. + type: string + required: + - name + type: object + deployment: + description: Deployment defines the properties that can be enabled + on the deployment for the provider. + properties: + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. 
+ items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. 
+ items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. 
+ for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector isn't set. 
+ This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. + Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + containers: + description: List of containers specified in the Deployment + items: + description: |- + ContainerSpec defines the properties available to override for each + container in a provider deployment such as Image and Args to the container’s + entrypoint. + properties: + args: + additionalProperties: + type: string + description: |- + Args represents extra provider specific flags that are not encoded as fields in this API. 
+ Explicit controller manager properties defined in the `Provider.ManagerSpec` + will have higher precedence than those defined in `ContainerSpec.Args`. + For example, `ManagerSpec.SyncPeriod` will be used instead of the + container arg `--sync-period` if both are defined. + The same holds for `ManagerSpec.FeatureGates` and `--feature-gates`. + type: object + command: + description: Command allows override container's entrypoint + array. + items: + type: string + type: array + env: + description: List of environment variables to set in the + container. + items: + description: EnvVar represents an environment variable + present in a Container. + properties: + name: + description: Name of the environment variable. Must + be a C_IDENTIFIER. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's + value. Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: Specify whether the ConfigMap + or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for + volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the + pod's namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? 
+ type: string + optional: + description: Specify whether the Secret or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + imageUrl: + description: Container Image URL + type: string + name: + description: Name of the container. Cannot be updated. + type: string + resources: + description: Compute resources required by this container. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. 
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + required: + - name + type: object + type: array + imagePullSecrets: + description: List of image pull secrets specified in the Deployment + items: + description: |- + LocalObjectReference contains enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: array + nodeSelector: + additionalProperties: + type: string + description: |- + NodeSelector is a selector which must be true for the pod to fit on a node. + Selector which must match a node's labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + type: object + replicas: + description: Number of desired pods. This is a pointer to distinguish + between explicit zero and not specified. Defaults to 1. + minimum: 0 + type: integer + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. 
Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + fetchConfig: + description: |- + FetchConfig determines how the operator will fetch the components and metadata for the provider. + If nil, the operator will try to fetch components according to default + embedded fetch configuration for the given kind and `ObjectMeta.Name`. + For example, the infrastructure name `aws` will fetch artifacts from + https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases. + properties: + selector: + description: |- + Selector to be used for fetching provider’s components and metadata from + ConfigMaps stored inside the cluster. Each ConfigMap is expected to contain + components and metadata for a specific version only. + Note: the name of the ConfigMap should be set to the version or to override this + add a label like the following: provider.cluster.x-k8s.io/version=v1.4.3 + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. 
The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + url: + description: |- + URL to be used for fetching the provider’s components and metadata from a remote Github repository. + For example, https://github.com/{owner}/{repository}/releases + You must set `providerSpec.Version` field for operator to pick up + desired version of the release from GitHub. + type: string + type: object + manager: + description: Manager defines the properties that can be enabled on + the controller manager for the provider. + properties: + cacheNamespace: + description: |- + CacheNamespace if specified restricts the manager's cache to watch objects in + the desired namespace Defaults to all namespaces + + + Note: If a namespace is specified, controllers can still Watch for a + cluster-scoped resource (e.g Node). 
For namespaced resources the cache + will only hold objects from the desired namespace. + type: string + controller: + description: |- + Controller contains global configuration options for controllers + registered within this manager. + properties: + cacheSyncTimeout: + description: |- + CacheSyncTimeout refers to the time limit set to wait for syncing caches. + Defaults to 2 minutes if not set. + format: int64 + type: integer + groupKindConcurrency: + additionalProperties: + type: integer + description: |- + GroupKindConcurrency is a map from a Kind to the number of concurrent reconciliation + allowed for that controller. + + + When a controller is registered within this manager using the builder utilities, + users have to specify the type the controller reconciles in the For(...) call. + If the object's kind passed matches one of the keys in this map, the concurrency + for that controller is set to the number specified. + + + The key is expected to be consistent in form with GroupKind.String(), + e.g. ReplicaSet in apps group (regardless of version) would be `ReplicaSet.apps`. + type: object + recoverPanic: + description: RecoverPanic indicates if panics should be recovered. + type: boolean + type: object + featureGates: + additionalProperties: + type: boolean + description: |- + FeatureGates define provider specific feature flags that will be passed + in as container args to the provider's controller manager. + Controller Manager flag is --feature-gates. + type: object + gracefulShutDown: + description: |- + GracefulShutdownTimeout is the duration given to runnable to stop before the manager actually returns on stop. + To disable graceful shutdown, set to time.Duration(0) + To use graceful shutdown without timeout, set to a negative duration, e.G. time.Duration(-1) + The graceful shutdown is skipped for safety reasons in case the leader election lease is lost. 
+ type: string + health: + description: Health contains the controller health configuration + properties: + healthProbeBindAddress: + description: |- + HealthProbeBindAddress is the TCP address that the controller should bind to + for serving health probes + It can be set to "0" or "" to disable serving the health probe. + type: string + livenessEndpointName: + description: LivenessEndpointName, defaults to "healthz" + type: string + readinessEndpointName: + description: ReadinessEndpointName, defaults to "readyz" + type: string + type: object + leaderElection: + description: |- + LeaderElection is the LeaderElection config to be used when configuring + the manager.Manager leader election + properties: + leaderElect: + description: |- + leaderElect enables a leader election client to gain leadership + before executing the main loop. Enable this when running replicated + components for high availability. + type: boolean + leaseDuration: + description: |- + leaseDuration is the duration that non-leader candidates will wait + after observing a leadership renewal until attempting to acquire + leadership of a led but unrenewed leader slot. This is effectively the + maximum duration that a leader can be stopped before it is replaced + by another candidate. This is only applicable if leader election is + enabled. + type: string + renewDeadline: + description: |- + renewDeadline is the interval between attempts by the acting master to + renew a leadership slot before it stops leading. This must be less + than or equal to the lease duration. This is only applicable if leader + election is enabled. + type: string + resourceLock: + description: |- + resourceLock indicates the resource object type that will be used to lock + during leader election cycles. + type: string + resourceName: + description: |- + resourceName indicates the name of resource object that will be used to lock + during leader election cycles. 
+ type: string + resourceNamespace: + description: |- + resourceName indicates the namespace of resource object that will be used to lock + during leader election cycles. + type: string + retryPeriod: + description: |- + retryPeriod is the duration the clients should wait between attempting + acquisition and renewal of a leadership. This is only applicable if + leader election is enabled. + type: string + required: + - leaderElect + - leaseDuration + - renewDeadline + - resourceLock + - resourceName + - resourceNamespace + - retryPeriod + type: object + maxConcurrentReconciles: + description: |- + MaxConcurrentReconciles is the maximum number of concurrent Reconciles + which can be run. + minimum: 1 + type: integer + metrics: + description: Metrics contains thw controller metrics configuration + properties: + bindAddress: + description: |- + BindAddress is the TCP address that the controller should bind to + for serving prometheus metrics. + It can be set to "0" to disable the metrics serving. + type: string + type: object + profilerAddress: + description: |- + ProfilerAddress defines the bind address to expose the pprof profiler (e.g. localhost:6060). + Default empty, meaning the profiler is disabled. + Controller Manager flag is --profiler-address. + type: string + syncPeriod: + description: |- + SyncPeriod determines the minimum frequency at which watched resources are + reconciled. A lower period will correct entropy more quickly, but reduce + responsiveness to change if there are many watched resources. Change this + value only if you know what you are doing. Defaults to 10 hours if unset. + there will a 10 percent jitter between the SyncPeriod of all controllers + so that all controllers will not send list requests simultaneously. + type: string + verbosity: + default: 1 + description: |- + Verbosity set the logs verbosity. Defaults to 1. + Controller Manager flag is --verbosity. 
+ minimum: 0 + type: integer + webhook: + description: Webhook contains the controllers webhook configuration + properties: + certDir: + description: |- + CertDir is the directory that contains the server key and certificate. + if not set, webhook server would look up the server key and certificate in + {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate + must be named tls.key and tls.crt, respectively. + type: string + host: + description: |- + Host is the hostname that the webhook server binds to. + It is used to set webhook.Server.Host. + type: string + port: + description: |- + Port is the port that the webhook server serves at. + It is used to set webhook.Server.Port. + type: integer + type: object + type: object + manifestPatches: + description: |- + ManifestPatches are applied to rendered provider manifests to customize the + provider manifests. Patches are applied in the order they are specified. + The `kind` field must match the target object, and + if `apiVersion` is specified it will only be applied to matching objects. + This should be an inline yaml blob-string https://datatracker.ietf.org/doc/html/rfc7396 + items: + type: string + type: array + version: + description: Version indicates the provider version. + type: string + type: object + status: + description: RuntimeExtensionProviderStatus defines the observed state + of RuntimeExtensionProvider. + properties: + conditions: + description: Conditions define the current service state of the provider. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + A human readable message indicating details about the transition. + This field may be empty. + type: string + reason: + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. + type: string + severity: + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + contract: + description: |- + Contract will contain the core provider contract that the provider is + abiding by, like e.g. v1alpha4. type: string installedVersion: description: InstalledVersion is the version of the provider that 
@@ -15774,6 +17940,28 @@ webhooks:
 resources:
 - ipamproviders
 sideEffects: None
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: capi-operator-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /mutate-operator-cluster-x-k8s-io-v1alpha2-runtimeextensionprovider
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: vruntimeextensionprovider.kb.io
+ rules:
+ - apiGroups:
+ - operator.cluster.x-k8s.io
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runtimeextensionproviders
+ sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -15916,3 +18104,25 @@ webhooks:
 resources:
 - ipamproviders
 sideEffects: None
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: capi-operator-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-operator-cluster-x-k8s-io-v1alpha2-runtimeextensionprovider
+ failurePolicy: Fail
+ matchPolicy: Equivalent
+ name: vruntimeextensionprovider.kb.io
+ rules:
+ - apiGroups:
+ - operator.cluster.x-k8s.io
+ apiVersions:
+ - v1alpha2
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - runtimeextensionproviders
+ sideEffects: None
diff --git a/packages/system/capi-operator/charts/cluster-api-operator/values.yaml b/packages/system/capi-operator/charts/cluster-api-operator/values.yaml
index 7575c8bd..212ee2ad 100644
--- a/packages/system/capi-operator/charts/cluster-api-operator/values.yaml
+++ b/packages/system/capi-operator/charts/cluster-api-operator/values.yaml
@@ -1,10 +1,4 @@
 ---
-# Cert Manager options
-# Full list of supported values is available at https://artifacthub.io/packages/helm/cert-manager/cert-manager
-cert-manager:
- enabled: false
- fullnameOverride: "cert-manager"
- namespace: "cert-manager"
 # ---
 # Cluster API provider options
 core: ""
@@ -12,6 +6,7 @@ bootstrap: ""
 controlPlane: ""
 infrastructure: ""
 addon: ""
+manager.featureGates: {}
 # ---
 # Common configuration secret options
 configSecret: {}
@@ -24,8 +19,10 @@ leaderElection:
 image:
 manager:
 repository: registry.k8s.io/capi-operator/cluster-api-operator
- tag: v0.8.1
+ tag: v0.11.0
 pullPolicy: IfNotPresent
+env:
+ manager: []
 healthAddr: ":8081"
 metricsBindAddr: "127.0.0.1:8080"
 diagnosticsAddress: "8443"
diff --git a/packages/system/capi-providers/Makefile b/packages/system/capi-providers/Makefile
index 339d569f..6e8d7868 100644
--- a/packages/system/capi-providers/Makefile
+++ b/packages/system/capi-providers/Makefile
@@ -1,4 +1,4 @@
-NAME=capi-providers
-NAMESPACE=cozy-cluster-api
+export NAME=capi-providers
+export NAMESPACE=cozy-cluster-api
 include ../../../scripts/package-system.mk
diff --git a/packages/system/capi-providers/templates/providers.yaml b/packages/system/capi-providers/templates/providers.yaml
index 3ea90d6d..d3416c1e 100644
--- a/packages/system/capi-providers/templates/providers.yaml
+++ b/packages/system/capi-providers/templates/providers.yaml
@@ -3,24 +3,30 @@ apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: CoreProvider
 metadata:
 name: cluster-api
+spec:
+ # https://github.com/kubernetes-sigs/cluster-api
+ version: v1.7.3
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: ControlPlaneProvider
 metadata:
 name: kamaji
 spec:
- # fix: https://github.com/clastix/cluster-api-control-plane-provider-kamaji/pull/78
- deployment:
- containers:
- - name: manager
- imageUrl: ghcr.io/kvaps/test:cluster-api-control-plane-provider-kamaji-v0.7.1-fix
+ # https://github.com/clastix/cluster-api-control-plane-provider-kamaji
+ version: v0.10.0
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: BootstrapProvider
 metadata:
 name: kubeadm
+spec:
+ # https://github.com/kubernetes-sigs/cluster-api
+ version: v1.7.3
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
 kind: InfrastructureProvider
 metadata:
 name: kubevirt
+spec:
+ # https://github.com/kubevirt/cloud-provider-kubevirt
+ version: v0.5.1
diff --git a/packages/system/cert-manager-issuers/Makefile b/packages/system/cert-manager-issuers/Makefile
index 7d38f770..7c01ba56 100644
--- a/packages/system/cert-manager-issuers/Makefile
+++ b/packages/system/cert-manager-issuers/Makefile
@@ -1,4 +1,4 @@
-NAME=cert-manager-issuers
-NAMESPACE=cozy-cert-manager
+export NAME=cert-manager-issuers
+export NAMESPACE=cozy-cert-manager
 include ../../../scripts/package-system.mk
diff --git a/packages/system/cert-manager/Makefile b/packages/system/cert-manager/Makefile
index c871d9d3..929b160a 100644
--- a/packages/system/cert-manager/Makefile
+++ b/packages/system/cert-manager/Makefile
@@ -1,5 +1,5 @@
-NAME=cert-manager
-NAMESPACE=cozy-$(NAME)
+export NAME=cert-manager
+export NAMESPACE=cozy-$(NAME)
 include ../../../scripts/package-system.mk
diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile
index a5caba3b..44d20e29 100644
--- a/packages/system/cilium/Makefile
+++ b/packages/system/cilium/Makefile
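Review bot: The comment above `version: v0.5.1` for the `kubevirt` InfrastructureProvider points at https://github.com/kubevirt/cloud-provider-kubevirt, which is the KubeVirt cloud-controller-manager project, whereas the Cluster API infrastructure provider the operator installs under the name `kubevirt` is kubernetes-sigs/cluster-api-provider-kubevirt; if `v0.5.1` was read off the wrong project's release page the operator will fail to resolve that version, so please confirm the tag against the infrastructure provider's releases and correct the link, e.g. `# https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt`. Every provider is now pinned only by `version`, and with no `fetchConfig` the manifests are downloaded from GitHub releases at reconcile time with the tag as the sole pin; where reproducible or integrity-reviewed installs matter, a `fetchConfig.selector` pointing at in-cluster ConfigMaps carrying vetted manifests is the option this CRD offers. The `# fix:` reference to Kamaji PR 78 is dropped together with the custom image; a one-line comment noting that v0.10.0 supersedes that workaround would keep the reason for the bump discoverable.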
@@ -1,7 +1,7 @@
 CILIUM_TAG=$(shell awk '$$1 == "version:" {print $$2}' charts/cilium/Chart.yaml)
-NAME=cilium
-NAMESPACE=cozy-$(NAME)
+export NAME=cilium
+export NAMESPACE=cozy-$(NAME)
 include ../../../scripts/common-envs.mk
 include ../../../scripts/package-system.mk
diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json
index 47ee9b16..d42c822d 100644
--- a/packages/system/cilium/images/cilium.json
+++ b/packages/system/cilium/images/cilium.json
@@ -1,4 +1,51 @@ { - "containerimage.config.digest": "sha256:5d7a65f2d5c41bd53cccaa55d4f5d28933c08f5294e732b9a00427d091c1d78f", - "containerimage.digest": "sha256:f9f46b6c57cbe9ccb2686be7e58236e3bfae0942c4be687f0bf16270832f09ab" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/docker/dockerfile@experimental", + "digest": { + "sha256": "600e5c62eedff338b3f7a0850beb7c05866e0ef27b2d2e8c02aa468e78496ff5" + } + }, + { + "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", + "digest": { + "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad" + } + }, + { + "uri": "pkg:docker/quay.io/cilium/cilium@v1.15.5?platform=linux%2Famd64", + "digest": { + "sha256": "4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "gateway.v0", + "args": { + "cmdline": "docker/dockerfile:experimental", + "source": "docker/dockerfile:experimental" + }, + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "amd64/amd64/ydz7c2pwlqaadvlo84t1spegq", + "containerimage.config.digest": "sha256:1f918c5f4bd8a1c90596b7d4256c8a208482141ae3363ab0b4627203b3fa3b32", + "containerimage.digest": "sha256:90e2235e75febcac777c0338fa93d5e7522d82d029facb0c318305ed178a42ac" } \ No newline at end of file diff --git a/packages/system/cilium/images/cilium.tag b/packages/system/cilium/images/cilium.tag index ab03ee07..f2887794 100644 --- a/packages/system/cilium/images/cilium.tag +++ b/packages/system/cilium/images/cilium.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cilium:latest +ghcr.io/aenix-io/cozystack/cilium:1.15.5 diff --git a/packages/system/clickhouse-operator/Makefile b/packages/system/clickhouse-operator/Makefile index b83cf6df..64447cca 100644 
--- a/packages/system/clickhouse-operator/Makefile +++ b/packages/system/clickhouse-operator/Makefile @@ -1,5 +1,5 @@ -NAME=clickhouse-operator -NAMESPACE=cozy-clickhouse-operator +export NAME=clickhouse-operator +export NAMESPACE=cozy-clickhouse-operator include ../../../scripts/package-system.mk diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index f7a66c71..d17d36aa 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile @@ -1,5 +1,5 @@ -NAME=dashboard -NAMESPACE=cozy-$(NAME) +export NAME=dashboard +export NAMESPACE=cozy-$(NAME) include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk @@ -19,7 +19,7 @@ update-chart: update-dockerfiles: tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps | awk -F'[/^]' 'END{print $$3}') && \ wget https://github.com/vmware-tanzu/kubeapps/raw/$${tag}/cmd/kubeapps-apis/Dockerfile -O images/kubeapps-apis/Dockerfile && \ - patch images/kubeapps-apis/Dockerfile < images/kubeapps-apis/dockerfile.diff && \ + patch --no-backup-if-mismatch images/kubeapps-apis/Dockerfile < images/kubeapps-apis/dockerfile.diff && \ node_image=$$(wget -O- https://github.com/vmware-tanzu/kubeapps/raw/main/dashboard/Dockerfile | awk '/FROM bitnami\/node/ {print $$2}') && \ sed -i "s|FROM .* AS build|FROM $${node_image} AS build|" images/dashboard/Dockerfile && \ version=$$(echo "$$tag" | sed 's/^v//') && \ diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json index fa70d533..b5de5c91 100644 --- a/packages/system/dashboard/images/dashboard.json +++ b/packages/system/dashboard/images/dashboard.json 
@@ -1,4 +1,41 @@ { - "containerimage.config.digest": "sha256:8126f86f18708a9157206884c63dc9df7f3090a33e05f4a1b94f2a7da7610c74", - "containerimage.digest": "sha256:e1a285812d1ce34bcf5c37db2a5c12ec99887c930b46ac261895dc98f674c066" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/bitnami/nginx@1.25.2?platform=linux%2Famd64", + "digest": { + "sha256": "fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4" + } + }, + { + "uri": "pkg:docker/bitnami/node@20.12.1?platform=linux%2Famd64", + "digest": { + "sha256": "ac00b5d3742ef2b522e149ac3912a9118ca8dc27556f13700d4a53c1982b1460" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "amd64/amd64/vvxs4dbzlno0vtdl1zudk54fj", + "containerimage.config.digest": "sha256:52a7ac58f30de8bec104f3fa9b3dcc674f37edfee184c5d4229e24f69f4ddcb2", + "containerimage.digest": "sha256:8906436ebd6452549f0634c6db693c7c3248c123f0c882bb8b1bde34ec05aeb6" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index b2afa3cc..bff2f641 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.7.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.9.0 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index 8a5f4ced..c3dd111a 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json 
@@ -1,4 +1,47 @@ { - "containerimage.config.digest": "sha256:44db4f7c92adb68c79eb3e152c95318e559e5c1ac0ba6e3d467596b1315f37a1", - "containerimage.digest": "sha256:b0c355cf5387b376e676a9e395fa0a11790409123a29e637a7080a413fe7f10d" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/bitnami/golang@1.22.2?platform=linux%2Famd64", + "digest": { + "sha256": "f6238d0feb519be3a157e0f29d56312fdcbfde165d96987f3956581126371977" + } + }, + { + "uri": "pkg:docker/bitnami/minideb@bookworm?platform=linux%2Famd64", + "digest": { + "sha256": "29b77c65b015126298b9b5d6c20a389f538145c619c8e049ccf2e7cd436e023a" + } + }, + { + "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64", + "digest": { + "sha256": "b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "amd64/amd64/p2w3cwt8rnd7ivkbmg86ugjj0", + "containerimage.config.digest": "sha256:28621d87b70bc82caf060b33313051703456a2915e95371bcbe5c0e1e5b9daa3", + "containerimage.digest": "sha256:1b6826f030c6d288f9d91476b636300e544bbf55687e59f6de1765d1320faf7b" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index e6a5a538..231ec10a 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.7.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.9.0 diff --git a/packages/system/dashboard/images/kubeapps-apis/Dockerfile b/packages/system/dashboard/images/kubeapps-apis/Dockerfile index b53ee603..99e7e56a 100644 
--- a/packages/system/dashboard/images/kubeapps-apis/Dockerfile +++ b/packages/system/dashboard/images/kubeapps-apis/Dockerfile @@ -8,8 +8,10 @@ ARG VERSION=v2.10.0 RUN apk add --no-cache patch WORKDIR /source RUN wget -O- https://github.com/vmware-tanzu/kubeapps/archive/refs/tags/${VERSION}.tar.gz | tar xzf - --strip-components=1 +COPY fluxcd.diff /patches/fluxcd.diff COPY labels.diff /patches/labels.diff COPY reconcile-strategy.diff /patches/reconcile-strategy.diff +RUN patch -p1 < /patches/fluxcd.diff RUN patch -p1 < /patches/labels.diff RUN patch -p1 < /patches/reconcile-strategy.diff @@ -70,15 +72,6 @@ RUN --mount=type=cache,target=/go/pkg/mod \ -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \ ./cmd/kubeapps-apis -# Build 'kapp-controller' plugin, version 'v1alpha1' -RUN --mount=type=cache,target=/go/pkg/mod \ - --mount=type=cache,target=/root/.cache/go-build \ - GOPROXY="https://proxy.golang.org,direct" \ - go build \ - -ldflags "-X github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/cmd.version=$VERSION" \ - -o /kapp-controller-packages-v1alpha1-plugin.so -buildmode=plugin \ - ./cmd/kubeapps-apis/plugins/kapp_controller/packages/v1alpha1/*.go - ## Build 'fluxv2' plugin, version 'v1alpha1' RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ @@ -111,7 +104,6 @@ RUN --mount=type=cache,target=/go/pkg/mod \ FROM bitnami/minideb:bookworm COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /go/src/github.com/vmware-tanzu/kubeapps/kubeapps-apis /kubeapps-apis -COPY --from=builder /kapp-controller-packages-v1alpha1-plugin.so /plugins/kapp-controller-packages/ COPY --from=builder /fluxv2-packages-v1alpha1-plugin.so /plugins/fluxv2-packages/ COPY --from=builder /helm-packages-v1alpha1-plugin.so /plugins/helm-packages/ COPY --from=builder /resources-v1alpha1-plugin.so /plugins/resources/ 
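Review bot: The first hunk grows the patch step to three separate `COPY` layers and three `RUN patch` layers, where each pair is the same operation and only the apply order (fluxcd, labels, reconcile-strategy) matters. A single `COPY fluxcd.diff labels.diff reconcile-strategy.diff /patches/` followed by `RUN patch -p1 < /patches/fluxcd.diff && patch -p1 < /patches/labels.diff && patch -p1 < /patches/reconcile-strategy.diff` keeps the order explicit, cuts the layer count and fails the build at the same step. Since fluxcd.diff is applied to the tarball fetched for `ARG VERSION=v2.10.0`, a one-line comment above the new `RUN patch` naming the flux API packages it migrates to (`source-controller/api/v1`, `helm-controller/api/v2`) would tell the next person bumping VERSION what the patch is for. The builder stage and the `wget`/`tar` step the patches depend on start before the hunk.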
diff --git a/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff b/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff
new file mode 100644
index 00000000..eb073c6c
--- /dev/null
+++ b/packages/system/dashboard/images/kubeapps-apis/fluxcd.diff
@@ -0,0 +1,3196 @@ +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go +index fa38d6ba6..f57d6f65c 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache/watcher_cache.go +@@ -131,7 +131,7 @@ type NamespacedResourceWatcherCacheConfig struct { + OnResyncFunc ResyncFunc + + // These funcs are needed to manipulate API-specific objects, such as flux's +- // sourcev1beta2.HelmRepository, in a generic fashion ++ // sourcev1.HelmRepository, in a generic fashion + NewObjFunc NewObjectFunc + NewListFunc NewObjectListFunc + ListItemsFunc GetListItemsFunc +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go +index 58aae6e88..c0d62a9a7 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart.go +@@ -12,7 +12,7 @@ import ( + "strings" + + "github.com/bufbuild/connect-go" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common" +@@ -27,12 +27,12 @@ import ( + "sigs.k8s.io/yaml" + ) + +-func (s *Server) getChartInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1beta2.HelmChart, error) { ++func (s *Server) getChartInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1.HelmChart, error) { + client, err := s.getClient(headers, key.Namespace) + if err != nil { + return nil, err + } +- var chartObj 
sourcev1beta2.HelmChart ++ var chartObj sourcev1.HelmChart + if err = client.Get(ctx, key, &chartObj); err != nil { + return nil, connecterror.FromK8sError("get", "HelmChart", key.String(), err) + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go +index 2c16c88ec..95455476f 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_integration_test.go +@@ -12,7 +12,7 @@ import ( + "testing" + "time" + +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + fluxplugin "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1" +@@ -329,12 +329,12 @@ func TestKindClusterRepoAndChartRBAC(t *testing.T) { + rules := map[string][]rbacv1.PolicyRule{ + names[1].Namespace: { + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{fluxHelmRepositories}, + Verbs: []string{"get", "list"}, + }, + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{"helmcharts"}, + Verbs: []string{"get", "list"}, + }, +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go +index 7641d5c77..362fc82ef 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/chart_test.go +@@ -16,7 +16,7 @@ import ( + "github.com/bufbuild/connect-go" + fluxmeta "github.com/fluxcd/pkg/apis/meta" + sourcev1 
"github.com/fluxcd/source-controller/api/v1" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redismock/v8" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache" +@@ -187,7 +187,7 @@ func TestGetAvailablePackageDetail(t *testing.T) { + } + defer ts2.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, secretObjs) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, secretObjs) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -291,7 +291,7 @@ func TestTransientHttpFailuresAreRetriedForChartCache(t *testing.T) { + } + defer ts2.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -468,7 +468,7 @@ func TestNonExistingRepoOrInvalidPkgVersionGetAvailablePackageDetail(t *testing. 
+ } + defer ts2.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -649,7 +649,7 @@ func TestGetAvailablePackageVersions(t *testing.T) { + } + defer ts.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -736,7 +736,7 @@ func TestGetOciAvailablePackageVersions(t *testing.T) { + t.Fatal(err) + } + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, tc.charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, tc.charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -979,12 +979,12 @@ func TestChartWithRelativeURL(t *testing.T) { + } + })) + +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: ts.URL, + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -1003,7 +1003,7 @@ func TestChartWithRelativeURL(t *testing.T) { + defer ts.Close() + + s, mock, err := newServerWithRepos(t, +- []sourcev1beta2.HelmRepository{repo}, ++ []sourcev1.HelmRepository{repo}, + []testSpecChartWithUrl{ + { + chartID: fmt.Sprintf("%s/airflow", repoName), +@@ -1073,7 +1073,7 @@ func TestGetOciAvailablePackageDetail(t *testing.T) { + t.Fatal(err) + } + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, tc.charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, tc.charts, nil) + if err != nil { + 
t.Fatalf("%+v", err) + } +@@ -1129,8 +1129,8 @@ func TestGetOciAvailablePackageDetail(t *testing.T) { + } + } + +-func newChart(name, namespace string, spec *sourcev1beta2.HelmChartSpec, status *sourcev1beta2.HelmChartStatus) sourcev1beta2.HelmChart { +- helmChart := sourcev1beta2.HelmChart{ ++func newChart(name, namespace string, spec *sourcev1.HelmChartSpec, status *sourcev1.HelmChartStatus) sourcev1.HelmChart { ++ helmChart := sourcev1.HelmChart{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Generation: int64(1), +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go +index cdb3611b0..5d5f5433b 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common/utils.go +@@ -24,8 +24,8 @@ import ( + "github.com/bufbuild/connect-go" + "github.com/docker/cli/cli/config" + "github.com/docker/cli/cli/config/credentials" +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redis/v8" + "github.com/google/go-containerregistry/pkg/authn" + plugins "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/plugins/v1alpha1" +@@ -68,20 +68,20 @@ func init() { + } + + repositoriesGvr = schema.GroupVersionResource{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, + Resource: "helmrepositories", + } + + chartsGvr = schema.GroupVersionResource{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, + Resource: "helmcharts", + } + + releasesGvr = 
schema.GroupVersionResource{ +- Group: helmv2beta2.GroupVersion.Group, +- Version: helmv2beta2.GroupVersion.Version, ++ Group: helmv2.GroupVersion.Group, ++ Version: helmv2.GroupVersion.Version, + Resource: "helmreleases", + } + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go +index e3c1880a5..556516068 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/global_vars_test.go +@@ -10,10 +10,10 @@ import ( + + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/k8sutils" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" + sourcev1 "github.com/fluxcd/source-controller/api/v1" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1" + "google.golang.org/protobuf/types/known/anypb" +@@ -1006,33 +1006,33 @@ var ( + }, + } + +- add_repo_1 = sourcev1beta2.HelmRepository{ ++ add_repo_1 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, + } + +- add_repo_2 = sourcev1beta2.HelmRepository{ ++ add_repo_2 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- 
Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +@@ -1040,17 +1040,17 @@ var ( + }, + } + +- add_repo_3 = sourcev1beta2.HelmRepository{ ++ add_repo_3 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +@@ -1058,17 +1058,17 @@ var ( + }, + } + +- add_repo_4 = sourcev1beta2.HelmRepository{ ++ add_repo_4 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see 
https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +@@ -1077,51 +1077,51 @@ var ( + }, + } + +- add_repo_5 = sourcev1beta2.HelmRepository{ ++ add_repo_5 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + PassCredentials: true, + }, + } + +- add_repo_6 = sourcev1beta2.HelmRepository{ ++ add_repo_6 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: github_stefanprodan_podinfo_oci_registry_url, + Interval: metav1.Duration{Duration: 10 * time.Minute}, + Type: "oci", + }, + } + +- add_repo_7 = sourcev1beta2.HelmRepository{ ++ add_repo_7 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", + Namespace: "foo", + ResourceVersion: "1", + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: github_stefanprodan_podinfo_oci_registry_url, + Interval: metav1.Duration{Duration: 10 * time.Minute}, + Type: "oci", +@@ -1129,10 +1129,10 @@ var ( + }, + } + +- add_repo_8 = 
sourcev1beta2.HelmRepository{ ++ add_repo_8 = sourcev1.HelmRepository{ + TypeMeta: metav1.TypeMeta{ +- Kind: sourcev1beta2.HelmRepositoryKind, +- APIVersion: sourcev1beta2.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "bar", +@@ -1140,7 +1140,7 @@ var ( + ResourceVersion: "1", + Annotations: map[string]string{k8sutils.AnnotationDescriptionKey: "repo desc"}, + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +@@ -1831,7 +1831,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1844,7 +1844,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -1886,7 +1886,7 @@ var ( + releaseSuspend: true, + releaseServiceAccountName: "foo", + releaseValues: &v1.JSON{Raw: redis_existing_spec_completed_with_values_and_reconciliation_options_values_bytes}, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1899,7 +1899,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -1923,20 +1923,20 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ 
releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.InstallFailedReason, ++ Reason: helmv2.InstallFailedReason, + Message: "install retries exhausted", + }, + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.InstallFailedReason, ++ Reason: helmv2.InstallFailedReason, + Message: "Helm install failed: unable to build kubernetes objects from release manifest: error validating \"\": error validating data: ValidationError(Deployment.spec.replicas): invalid type for io.k8s.api.apps.v1.DeploymentSpec.replicas: got \"string\", expected \"integer\"", + }, + }, +@@ -1961,13 +1961,13 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.GetLastReleaseFailedReason, ++ Reason: helmv2.GetLastReleaseFailedReason, + Message: "failed to get last release revision", + }, + }, +@@ -1990,13 +1990,13 @@ var ( + Namespace: "test", + Generation: 2, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.GetLastReleaseFailedReason, ++ Reason: helmv2.GetLastReleaseFailedReason, + Message: "failed to get last release revision", + }, + }, +@@ -2027,7 +2027,7 @@ var ( + Namespace: "namespace-2", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: 
[]metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2040,7 +2040,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2064,7 +2064,7 @@ var ( + Namespace: "namespace-2", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2077,7 +2077,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2101,7 +2101,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2130,13 +2130,13 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionFalse, +- Reason: helmv2beta2.ArtifactFailedReason, ++ Reason: helmv2.ArtifactFailedReason, + Message: "HelmChart 'default/kubeapps-my-redis' is not ready", + }, + }, +@@ -2168,7 +2168,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2181,7 +2181,7 @@ var ( + LastTransitionTime: 
metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2275,41 +2275,41 @@ var ( + PostInstallationNotes: "some notes", + } + +- flux_helm_release_basic = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_basic = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_semver_constraint = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_semver_constraint = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + Version: "> 5", + }) + +- flux_helm_release_reconcile_options = &helmv2beta2.HelmRelease{ ++ flux_helm_release_reconcile_options = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-podinfo", + Namespace: "test", + ResourceVersion: "1", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ 
SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, +@@ -2327,22 +2327,22 @@ var ( + "message": "what we do in the shadows", + }}) + +- flux_helm_release_values = &helmv2beta2.HelmRelease{ ++ flux_helm_release_values = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-podinfo", + Namespace: "test", + ResourceVersion: "1", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, +@@ -2357,10 +2357,10 @@ var ( + InstalledPackageRef: installedRef("my-podinfo", "test"), + } + +- flux_helm_release_updated_1 = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_1 = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2368,12 +2368,12 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: 
sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2384,10 +2384,10 @@ var ( + }, + } + +- flux_helm_release_updated_2 = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_2 = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2395,12 +2395,12 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2424,7 +2424,7 @@ var ( + Namespace: "test", + Generation: 1, + }, +- releaseStatus: helmv2beta2.HelmReleaseStatus{ ++ releaseStatus: helmv2.HelmReleaseStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2437,7 +2437,7 @@ var ( + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Type: "Released", + Status: metav1.ConditionTrue, +- Reason: helmv2beta2.InstallSucceededReason, ++ Reason: helmv2.InstallSucceededReason, + Message: "Helm install succeeded", + }, + }, +@@ -2457,10 +2457,10 @@ var ( + status: release.StatusDeployed, + } + +- flux_helm_release_updated_target_ns_is_set = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_target_ns_is_set = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: 
helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2468,12 +2468,12 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2661,50 +2661,50 @@ var ( + }, + } + +- flux_helm_release_upgrade_policy_none = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_none = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: "5.2.1", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_upgrade_policy_major = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_major = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: ">=5.2.1", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_upgrade_policy_minor = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_minor = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: ">=5.2.1 <6.0.0", +- 
SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_upgrade_policy_patch = newFluxHelmRelease(helmv2beta2.HelmChartTemplateSpec{ ++ flux_helm_release_upgrade_policy_patch = newFluxHelmRelease(helmv2.HelmChartTemplateSpec{ + Chart: "podinfo", + Version: ">=5.2.1 <5.3.0", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "podinfo", + Namespace: "namespace-1", + }, + }) + +- flux_helm_release_updated_upgrade_major = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_upgrade_major = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2712,13 +2712,13 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Version: ">=14.4.0", + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2728,10 +2728,10 @@ var ( + }, + } + +- flux_helm_release_updated_upgrade_minor = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_upgrade_minor = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: 
helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2739,13 +2739,13 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Version: ">=14.4.0 <15.0.0", + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -2755,10 +2755,10 @@ var ( + }, + } + +- flux_helm_release_updated_upgrade_patch = &helmv2beta2.HelmRelease{ ++ flux_helm_release_updated_upgrade_patch = &helmv2.HelmRelease{ + TypeMeta: metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-redis", +@@ -2766,13 +2766,13 @@ var ( + Generation: int64(1), + ResourceVersion: "1000", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Version: ">=14.4.0 <14.5.0", + Chart: "redis", +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ +- Kind: sourcev1beta2.HelmRepositoryKind, ++ SourceRef: helmv2.CrossNamespaceObjectReference{ ++ Kind: sourcev1.HelmRepositoryKind, + Name: "bitnami-1", + Namespace: "default", + }, +@@ -3230,13 +3230,13 @@ var ( + } + + get_summaries_repo_1 = newRepo("bar", "foo", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: 
"http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 + SecretRef: &fluxmeta.LocalObjectReference{}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -3257,11 +3257,11 @@ var ( + }) + + get_summaries_repo_2 = newRepo("zot", "xyz", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -3282,19 +3282,19 @@ var ( + }) + + get_summaries_repo_3 = newRepo("pending", "xyz", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ObservedGeneration: -1}, ++ &sourcev1.HelmRepositoryStatus{ObservedGeneration: -1}, + ) + + get_summaries_repo_4 = newRepo("failed", "xyz", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 10 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -4027,19 +4027,19 @@ var ( + } + } + +- newFluxHelmRelease = func(chartSpec helmv2beta2.HelmChartTemplateSpec) *helmv2beta2.HelmRelease { +- return &helmv2beta2.HelmRelease{ ++ newFluxHelmRelease = func(chartSpec helmv2.HelmChartTemplateSpec) *helmv2.HelmRelease { ++ return &helmv2.HelmRelease{ + TypeMeta: 
metav1.TypeMeta{ +- Kind: helmv2beta2.HelmReleaseKind, +- APIVersion: helmv2beta2.GroupVersion.String(), ++ Kind: helmv2.HelmReleaseKind, ++ APIVersion: helmv2.GroupVersion.String(), + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-podinfo", + Namespace: "test", + ResourceVersion: "1", + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ + Spec: chartSpec, + }, + Interval: metav1.Duration{Duration: 1 * time.Minute}, +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go +index 672b8140d..be0270f16 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/integration_utils_test.go +@@ -18,9 +18,9 @@ import ( + "testing" + "time" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redis/v8" + "github.com/vmware-tanzu/kubeapps/cmd/apprepository-controller/pkg/client/clientset/versioned/scheme" + plugins "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/plugins/v1alpha1" +@@ -143,7 +143,7 @@ func checkEnv(t *testing.T) (fluxplugin.FluxV2PackagesServiceClient, fluxplugin. + } + + // Check for helmrepositories left over from manual testing. 
This has caused me a lot grief +- var l *sourcev1beta2.HelmRepositoryList ++ var l *sourcev1.HelmRepositoryList + var names []string + const maxWait = 25 + for i := 0; i <= maxWait; i++ { +@@ -251,12 +251,12 @@ func kubeAddHelmRepository(t *testing.T, name types.NamespacedName, typ, url, se + if interval <= 0 { + interval = time.Duration(10 * time.Minute) + } +- repo := sourcev1beta2.HelmRepository{ ++ repo := sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: url, + Interval: metav1.Duration{Duration: interval}, + }, +@@ -297,7 +297,7 @@ func kubeAddHelmRepositoryAndCleanup(t *testing.T, name types.NamespacedName, ty + return err + } + +-func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1beta2.HelmRepository, error) { ++func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1.HelmRepository, error) { + t.Logf("+kubeGetHelmRepository(%s)", name) + + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) +@@ -305,7 +305,7 @@ func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1be + if ifc, err := kubeGetCtrlClient(); err != nil { + return nil, err + } else { +- var repo sourcev1beta2.HelmRepository ++ var repo sourcev1.HelmRepository + if err := ifc.Get(ctx, name, &repo); err != nil { + return nil, err + } +@@ -313,7 +313,7 @@ func kubeGetHelmRepository(t *testing.T, name types.NamespacedName) (*sourcev1be + } + } + +-func kubeListAllHelmRepositories(t *testing.T) (*sourcev1beta2.HelmRepositoryList, error) { ++func kubeListAllHelmRepositories(t *testing.T) (*sourcev1.HelmRepositoryList, error) { + t.Logf("+kubeListAllHelmRepositories()") + + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) +@@ -321,7 +321,7 @@ func kubeListAllHelmRepositories(t *testing.T) (*sourcev1beta2.HelmRepositoryLis + 
if ifc, err := kubeGetCtrlClient(); err != nil { + return nil, err + } else { +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + if err := ifc.List(ctx, &repoList); err != nil { + return nil, err + } +@@ -340,7 +340,7 @@ func kubeWaitUntilHelmRepositoryIsReady(t *testing.T, name types.NamespacedName) + } else { + ctx, cancel := context.WithTimeout(context.Background(), 90*time.Second) + defer cancel() +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + if watcher, err := ifc.Watch(ctx, &repoList); err != nil { + return err + } else { +@@ -357,8 +357,8 @@ func kubeWaitUntilHelmRepositoryIsReady(t *testing.T, name types.NamespacedName) + } + switch event.Type { + case watch.Added, watch.Modified: +- if repo, ok := event.Object.(*sourcev1beta2.HelmRepository); !ok { +- return errors.New("Could not cast to *sourcev1beta2.HelmRepository") ++ if repo, ok := event.Object.(*sourcev1.HelmRepository); !ok { ++ return errors.New("Could not cast to *sourcev1.HelmRepository") + } else { + hour, minute, second := time.Now().Clock() + complete, success, reason := isHelmRepositoryReady(*repo) +@@ -381,7 +381,7 @@ func kubeWaitUntilHelmRepositoryIsReady(t *testing.T, name types.NamespacedName) + // this should eventually be replaced with flux plugin's DeleteRepository() + func kubeDeleteHelmRepository(t *testing.T, name types.NamespacedName) error { + t.Logf("+kubeDeleteHelmRepository(%s)", name) +- repo := &sourcev1beta2.HelmRepository{ ++ repo := &sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, +@@ -400,7 +400,7 @@ func kubeExistsHelmRepository(t *testing.T, name types.NamespacedName) (bool, er + t.Logf("+kubeExistsHelmRepository(%s)", name) + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) + defer cancel() +- var repo sourcev1beta2.HelmRepository ++ var repo sourcev1.HelmRepository + if ifc, err := 
kubeGetCtrlClient(); err != nil { + return false, err + } else if err = ifc.Get(ctx, name, &repo); err == nil { +@@ -414,7 +414,7 @@ func kubeDeleteHelmRelease(t *testing.T, name types.NamespacedName) error { + t.Logf("+kubeDeleteHelmRelease(%s)", name) + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) + defer cancel() +- release := &helmv2beta2.HelmRelease{ ++ release := &helmv2.HelmRelease{ + ObjectMeta: metav1.ObjectMeta{ + Name: name.Name, + Namespace: name.Namespace, +@@ -431,7 +431,7 @@ func kubeExistsHelmRelease(t *testing.T, name types.NamespacedName) (bool, error + t.Logf("+kubeExistsHelmRelease(%s)", name) + ctx, cancel := context.WithTimeout(context.Background(), defaultContextTimeout) + defer cancel() +- var rel helmv2beta2.HelmRelease ++ var rel helmv2.HelmRelease + if ifc, err := kubeGetCtrlClient(); err != nil { + return false, err + } else if err = ifc.Get(ctx, name, &rel); err == nil { +@@ -826,7 +826,7 @@ func kubeCreateSecret(t *testing.T, secret *apiv1.Secret) error { + return err + } + +-func kubeSetKubeappsManagedSecretOwnerRef(t *testing.T, secretName types.NamespacedName, ownerRepo *sourcev1beta2.HelmRepository) error { ++func kubeSetKubeappsManagedSecretOwnerRef(t *testing.T, secretName types.NamespacedName, ownerRepo *sourcev1.HelmRepository) error { + t.Logf("+kubeSetKubeappsManagedSecretOwnerRef(%s, %s)", secretName, ownerRepo.Name) + typedClient, err := kubeGetTypedClient() + if err != nil { +@@ -852,9 +852,9 @@ func kubeSetKubeappsManagedSecretOwnerRef(t *testing.T, secretName types.Namespa + *metav1.NewControllerRef( + ownerRepo, + schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmRepositoryKind, + }), + } + +@@ -1029,11 +1029,11 @@ func kubeGetCtrlClient() (ctrlclient.WithWatch, error) { + 
return nil, err + } else { + scheme := runtime.NewScheme() +- err = sourcev1beta2.AddToScheme(scheme) ++ err = sourcev1.AddToScheme(scheme) + if err != nil { + return nil, err + } +- err = helmv2beta2.AddToScheme(scheme) ++ err = helmv2.AddToScheme(scheme) + if err != nil { + return nil, err + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go +index 67bfa5480..149f904c4 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/oci_repo.go +@@ -47,7 +47,7 @@ import ( + + "github.com/fluxcd/pkg/oci/auth/login" + "github.com/fluxcd/pkg/version" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + + // OCI Registry As a Storage (ORAS) + orasregistryauthv2 "oras.land/oras-go/v2/registry/remote/auth" +@@ -386,7 +386,7 @@ func newRegistryClient(isLogin bool, tlsConfig *tls.Config, getterOpts []getter. 
+ // OCI Helm repository, which defines a source, does not produce an Artifact + // ref https://fluxcd.io/docs/components/source/helmrepositories/#helm-oci-repository + +-func (s *repoEventSink) onAddOciRepo(repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onAddOciRepo(repo sourcev1.HelmRepository) ([]byte, bool, error) { + log.V(4).Infof("+onAddOciRepo(%s)", common.PrettyPrint(repo)) + defer log.V(4).Info("-onAddOciRepo") + +@@ -444,7 +444,7 @@ func (s *repoEventSink) onAddOciRepo(repo sourcev1beta2.HelmRepository) ([]byte, + return buf.Bytes(), true, nil + } + +-func (s *repoEventSink) onModifyOciRepo(key string, oldValue interface{}, repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onModifyOciRepo(key string, oldValue interface{}, repo sourcev1.HelmRepository) ([]byte, bool, error) { + log.Infof("+onModifyOciRepo(%s)", common.PrettyPrint(repo)) + defer log.Info("-onModifyOciRepo") + +@@ -576,12 +576,12 @@ func (r *OCIChartRepository) shortRepoName(fullRepoName string) (string, error) + } + } + +-func (s *Server) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1beta2.HelmRepository) (*OCIChartRepository, error) { ++func (s *Server) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1.HelmRepository) (*OCIChartRepository, error) { + sink := s.newRepoEventSink() + return sink.newOCIChartRepositoryAndLogin(ctx, repo) + } + +-func (s *repoEventSink) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1beta2.HelmRepository) (*OCIChartRepository, error) { ++func (s *repoEventSink) newOCIChartRepositoryAndLogin(ctx context.Context, repo sourcev1.HelmRepository) (*OCIChartRepository, error) { + if loginOpts, getterOpts, cred, err := s.clientOptionsForOciRepo(ctx, repo); err != nil { + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Failed to create registry client: %w", err)) + } else { +@@ -649,7 +649,7 @@ func (s *repoEventSink) 
newOCIChartRepositoryAndLoginWithOptions(registryURL str + return ociRepo, nil + } + +-func (s *repoEventSink) clientOptionsForOciRepo(ctx context.Context, repo sourcev1beta2.HelmRepository) ([]registry.LoginOption, []getter.Option, *orasregistryauthv2.Credential, error) { ++func (s *repoEventSink) clientOptionsForOciRepo(ctx context.Context, repo sourcev1.HelmRepository) ([]registry.LoginOption, []getter.Option, *orasregistryauthv2.Credential, error) { + var loginOpts []registry.LoginOption + var cred *orasregistryauthv2.Credential + getterOpts := []getter.Option{ +@@ -680,7 +680,7 @@ func (s *repoEventSink) clientOptionsForOciRepo(ctx context.Context, repo source + } + } + +- if repo.Spec.Provider != "" && repo.Spec.Provider != sourcev1beta2.GenericOCIProvider { ++ if repo.Spec.Provider != "" && repo.Spec.Provider != "generic" { + ctxTimeout, cancel := context.WithTimeout(ctx, repo.Spec.Timeout.Duration) + defer cancel() + +@@ -734,7 +734,7 @@ func downloadChartWithHelmGetter(tlsConfig *tls.Config, getterOptions []getter.O + return buf, err + } + +-func getOciChartModels(appNames []string, allTags map[string]TagList, ociChartRepo *OCIChartRepository, repo *sourcev1beta2.HelmRepository) ([]models.Chart, error) { ++func getOciChartModels(appNames []string, allTags map[string]TagList, ociChartRepo *OCIChartRepository, repo *sourcev1.HelmRepository) ([]models.Chart, error) { + charts := []models.Chart{} + for _, fullAppName := range appNames { + appName, err := ociChartRepo.shortRepoName(fullAppName) +@@ -756,7 +756,7 @@ func getOciChartModels(appNames []string, allTags map[string]TagList, ociChartRe + return charts, nil + } + +-func getOciChartModel(appName string, tags TagList, ociChartRepo *OCIChartRepository, repo *sourcev1beta2.HelmRepository) (*models.Chart, error) { ++func getOciChartModel(appName string, tags TagList, ociChartRepo *OCIChartRepository, repo *sourcev1.HelmRepository) (*models.Chart, error) { + // Encode repository names to store them in the 
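Review bot: The provider check in `clientOptionsForOciRepo` now compares against the bare literal `"generic"`, and the later hunks in this file do the same with `"oci://"`, `"amazon"`, `"azure"` and `"gcp"`; these strings decide which cloud auto-login path is taken, so a typo in any one of them changes authentication behaviour silently instead of failing to compile as the old `sourcev1beta2.*OCIProvider` constants would. If `api/v1` no longer exports those names (presumably why they were dropped), declare them once at package level, e.g. `const (ociProviderGeneric = "generic"; ociProviderAmazon = "amazon"; ociProviderAzure = "azure"; ociProviderGCP = "gcp"; ociRepositoryPrefix = "oci://")`, and use them here, in `oidcAuth` and in `loginWithManager`. `clientOptionsForOciRepo` begins and ends outside this hunk.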
database. + encodedAppName := url.PathEscape(appName) + chartID := path.Join(repo.Name, encodedAppName) +@@ -870,8 +870,8 @@ func downloadOCIChartFn(ociRepo *OCIChartRepository) func(chartID, chartUrl, cha + } + + // oidcAuth generates the OIDC credential authenticator based on the specified cloud provider. +-func oidcAuth(ctx context.Context, repo sourcev1beta2.HelmRepository) (*orasregistryauthv2.Credential, error) { +- url := strings.TrimPrefix(repo.Spec.URL, sourcev1beta2.OCIRepositoryPrefix) ++func oidcAuth(ctx context.Context, repo sourcev1.HelmRepository) (*orasregistryauthv2.Credential, error) { ++ url := strings.TrimPrefix(repo.Spec.URL, "oci://") + ref, err := name.ParseReference(url) + if err != nil { + return nil, fmt.Errorf("failed to parse URL '%s': %w", repo.Spec.URL, err) +@@ -888,11 +888,11 @@ func oidcAuth(ctx context.Context, repo sourcev1beta2.HelmRepository) (*orasregi + func loginWithManager(ctx context.Context, provider, url string, ref name.Reference) (*orasregistryauthv2.Credential, error) { + opts := login.ProviderOptions{} + switch provider { +- case sourcev1beta2.AmazonOCIProvider: ++ case "amazon": + opts.AwsAutoLogin = true +- case sourcev1beta2.AzureOCIProvider: ++ case "azure": + opts.AzureAutoLogin = true +- case sourcev1beta2.GoogleOCIProvider: ++ case "gcp": + opts.GcpAutoLogin = true + } + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +index c489cb6ca..37593c166 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +@@ -12,9 +12,9 @@ import ( + "time" + + "github.com/bufbuild/connect-go" +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 
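Review bot: The `switch provider` in `loginWithManager` has no `default`, so any provider value other than `"amazon"`, `"azure"` or `"gcp"` continues past the switch with no auto-login flag set, and the guard in `clientOptionsForOciRepo` routes every non-empty, non-`"generic"` provider into this function. Unless the code after the switch (outside this hunk) already rejects an empty `ProviderOptions`, add `default: return nil, fmt.Errorf("unsupported OCI provider %q", provider)` so a misspelled or unsupported provider surfaces as an error rather than an opaque registry auth failure later. With the constants now inlined as literals, this default is also the only place a mismatch between the two functions' string sets would be caught.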
"github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/common" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/connecterror" +@@ -40,7 +40,7 @@ var ( + ) + + // namespace maybe "", in which case releases from all namespaces are returned +-func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, namespace string) ([]helmv2beta2.HelmRelease, error) { ++func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, namespace string) ([]helmv2.HelmRelease, error) { + client, err := s.getClient(headers, namespace) + if err != nil { + return nil, err +@@ -53,7 +53,7 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, + // 2) there is a "consistent snapshot" problem, where the client doesn't want to + // see any results created/updated/deleted after the first request is issued + // To fix this, we must make use of resourceVersion := relList.GetResourceVersion() +- var relList helmv2beta2.HelmReleaseList ++ var relList helmv2.HelmReleaseList + if err = client.List(ctx, &relList); err != nil { + return nil, connecterror.FromK8sError("list", "HelmRelease", namespace+"/*", err) + } else { +@@ -61,13 +61,13 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, + } + } + +-func (s *Server) getReleaseInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*helmv2beta2.HelmRelease, error) { ++func (s *Server) getReleaseInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*helmv2.HelmRelease, error) { + client, err := s.getClient(headers, key.Namespace) + if err != nil { + return nil, err + } + +- var rel helmv2beta2.HelmRelease ++ var rel helmv2.HelmRelease + if err = client.Get(ctx, key, &rel); err != nil { + return nil, 
connecterror.FromK8sError("get", "HelmRelease", key.String(), err) + } +@@ -106,7 +106,7 @@ func (s *Server) paginatedInstalledPkgSummaries(ctx context.Context, headers htt + return installedPkgSummaries, nil + } + +-func (s *Server) installedPkgSummaryFromRelease(ctx context.Context, headers http.Header, rel helmv2beta2.HelmRelease) (*corev1.InstalledPackageSummary, error) { ++func (s *Server) installedPkgSummaryFromRelease(ctx context.Context, headers http.Header, rel helmv2.HelmRelease) (*corev1.InstalledPackageSummary, error) { + name, err := common.NamespacedName(&rel) + if err != nil { + return nil, err +@@ -236,11 +236,7 @@ func (s *Server) installedPackageDetail(ctx context.Context, headers http.Header + + // this will only be present if install/upgrade succeeded + // TODO(agamez): flux upgrade - migrate to Status.History, see https://github.com/fluxcd/flux2/releases/tag/v2.2.0 +- pkgVersion := rel.Status.LastAppliedRevision +- if pkgVersion == "" { +- // this is the back-up option: will be there if the reconciliation is in progress or has failed +- pkgVersion = rel.Status.LastAttemptedRevision +- } ++ pkgVersion := rel.Status.LastAttemptedRevision + + availablePackageRef, err := installedPackageAvailablePackageRef(rel) + if err != nil { +@@ -288,7 +284,7 @@ func (s *Server) installedPackageDetail(ctx context.Context, headers http.Header + }, nil + } + +-func (s *Server) getReleaseViaHelmApi(headers http.Header, key types.NamespacedName, rel *helmv2beta2.HelmRelease) (*release.Release, error) { ++func (s *Server) getReleaseViaHelmApi(headers http.Header, key types.NamespacedName, rel *helmv2.HelmRelease) (*release.Release, error) { + // post installation notes can only be retrieved via helm APIs, flux doesn't do it + // see discussion in https://cloud-native.slack.com/archives/CLAJ40HV3/p1629244025187100 + if s.actionConfigGetter == nil { +@@ -458,7 +454,7 @@ func (s *Server) updateRelease(ctx context.Context, headers http.Header, package + // process and 
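Review bot: After this change `pkgVersion` is always `rel.Status.LastAttemptedRevision`, but the comment kept above it still says "this will only be present if install/upgrade succeeded"; the attempted revision is recorded for every reconcile attempt, including failed ones, so a failed upgrade now reports the chart version that was tried rather than the one actually running, which the old `LastAppliedRevision`-first logic avoided. Since the TODO on the preceding line already points at `Status.History`, prefer the applied snapshot when one exists and keep the attempted revision only as the fallback, e.g. `pkgVersion := rel.Status.LastAttemptedRevision` followed by `if snap := rel.Status.History.Latest(); snap != nil && snap.ChartVersion != "" { pkgVersion = snap.ChartVersion }` — assuming the v2 snapshot type exposes the chart version, which should be confirmed. Either way, replace the stale comment with `// LastAttemptedRevision is set on every attempt, successful or not; the applied version lives in Status.History.` `installedPackageDetail` begins and ends outside this hunk.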
the current status no longer applies. metadata and spec I want + // to keep, as they may have had added labels and/or annotations and/or + // even other changes made by the user. +- rel.Status = helmv2beta2.HelmReleaseStatus{} ++ rel.Status = helmv2.HelmReleaseStatus{} + + client, err := s.getClient(headers, packageRef.Context.Namespace) + if err != nil { +@@ -489,7 +485,7 @@ func (s *Server) deleteRelease(ctx context.Context, headers http.Header, package + + log.V(4).Infof("Deleting release: [%s]", packageRef.Identifier) + +- rel := &helmv2beta2.HelmRelease{ ++ rel := &helmv2.HelmRelease{ + ObjectMeta: metav1.ObjectMeta{ + Name: packageRef.Identifier, + Namespace: packageRef.Context.Namespace, +@@ -507,19 +503,19 @@ func (s *Server) deleteRelease(ctx context.Context, headers http.Header, package + // 2. metadata.namespace, where this HelmRelease CRD will exist, same as (3) below + // per https://github.com/vmware-tanzu/kubeapps/pull/3640#issuecomment-949315105 + // 3. spec.targetNamespace, where flux will install any artifacts from the release +-func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.NamespacedName, versionExpr string, reconcile *corev1.ReconciliationOptions, values map[string]interface{}) (*helmv2beta2.HelmRelease, error) { +- fluxRelease := &helmv2beta2.HelmRelease{ ++func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.NamespacedName, versionExpr string, reconcile *corev1.ReconciliationOptions, values map[string]interface{}) (*helmv2.HelmRelease, error) { ++ fluxRelease := &helmv2.HelmRelease{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetName.Name, + Namespace: targetName.Namespace, + }, +- Spec: helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ Spec: helmv2.HelmReleaseSpec{ ++ Chart: &helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: chart.Name, +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ ++ 
SourceRef: helmv2.CrossNamespaceObjectReference{ + Name: chart.Repo.Name, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Kind: sourcev1.HelmRepositoryKind, + Namespace: chart.Repo.Namespace, + }, + }, +@@ -581,7 +577,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp + // when install completes with success + // - "reason" field: failure only when flux returns "InstallFailed" reason + // otherwise pending or unspecified when there are no status conditions to go by +-func isHelmReleaseReady(rel helmv2beta2.HelmRelease) (ready bool, status corev1.InstalledPackageStatus_StatusReason, userReason string) { ++func isHelmReleaseReady(rel helmv2.HelmRelease) (ready bool, status corev1.InstalledPackageStatus_StatusReason, userReason string) { + if !checkReleaseGeneration(rel) { + // according to https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties + // observedGeneration represents the .metadata.generation that the condition was set based upon. +@@ -601,9 +597,8 @@ func isHelmReleaseReady(rel helmv2beta2.HelmRelease) (ready bool, status corev1. + // "reason": "InstallFailed" + // i.e. not super useful + userReason = readyCond.Reason +- if userReason == helmv2beta2.InstallFailedReason || +- userReason == helmv2beta2.UpgradeFailedReason || +- userReason == helmv2beta2.GetLastReleaseFailedReason { ++ if userReason == helmv2.InstallFailedReason || ++ userReason == helmv2.UpgradeFailedReason { + isInstallFailed = true + } + } +@@ -627,7 +622,7 @@ func isHelmReleaseReady(rel helmv2beta2.HelmRelease) (ready bool, status corev1. 
+ return false, corev1.InstalledPackageStatus_STATUS_REASON_PENDING, userReason + } + +-func installedPackageStatus(rel helmv2beta2.HelmRelease) *corev1.InstalledPackageStatus { ++func installedPackageStatus(rel helmv2.HelmRelease) *corev1.InstalledPackageStatus { + ready, reason, userReason := isHelmReleaseReady(rel) + return &corev1.InstalledPackageStatus{ + Ready: ready, +@@ -636,7 +631,7 @@ func installedPackageStatus(rel helmv2beta2.HelmRelease) *corev1.InstalledPackag + } + } + +-func installedPackageReconciliationOptions(rel *helmv2beta2.HelmRelease) *corev1.ReconciliationOptions { ++func installedPackageReconciliationOptions(rel *helmv2.HelmRelease) *corev1.ReconciliationOptions { + reconciliationOptions := &corev1.ReconciliationOptions{} + reconciliationOptions.Interval = pkgutils.FromDuration(&rel.Spec.Interval) + reconciliationOptions.Suspend = rel.Spec.Suspend +@@ -644,7 +639,7 @@ func installedPackageReconciliationOptions(rel *helmv2beta2.HelmRelease) *corev1 + return reconciliationOptions + } + +-func installedPackageAvailablePackageRef(rel *helmv2beta2.HelmRelease) (*corev1.AvailablePackageReference, error) { ++func installedPackageAvailablePackageRef(rel *helmv2.HelmRelease) (*corev1.AvailablePackageReference, error) { + repoName := rel.Spec.Chart.Spec.SourceRef.Name + if repoName == "" { + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Missing required field spec.chart.spec.sourceRef.name")) +@@ -670,7 +665,7 @@ func installedPackageAvailablePackageRef(rel *helmv2beta2.HelmRelease) (*corev1. + } + + // ref https://fluxcd.io/docs/components/helm/helmreleases/ +-func helmReleaseName(key types.NamespacedName, rel *helmv2beta2.HelmRelease) types.NamespacedName { ++func helmReleaseName(key types.NamespacedName, rel *helmv2.HelmRelease) types.NamespacedName { + helmReleaseName := rel.Spec.ReleaseName + // according to docs ReleaseName is optional and defaults to a composition of + // '[TargetNamespace-]Name'. 
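Review bot: `repoName := rel.Spec.Chart.Spec.SourceRef.Name`, the first statement of the new installedPackageAvailablePackageRef body, dereferences `Spec.Chart` without a nil check, and in the v2 API that field is a pointer — the same patch writes `Chart: &helmv2.HelmChartTemplate{` in newFluxHelmRelease. A HelmRelease created outside Kubeapps with `spec.chartRef` instead of `spec.chart` leaves it nil, so a single such object in a listed namespace would panic the handler (installedPackageDetail calls this, as seen above; unless a recovery interceptor is in place that is a crash any user who can create a HelmRelease can trigger). Guard before the dereference: `if rel.Spec.Chart == nil { return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Missing required field spec.chart")) }`. The function continues past the end of the hunk.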
+@@ -691,7 +686,7 @@ func helmReleaseName(key types.NamespacedName, rel *helmv2beta2.HelmRelease) typ + return types.NamespacedName{Name: helmReleaseName, Namespace: helmReleaseNamespace} + } + +-func checkReleaseGeneration(rel helmv2beta2.HelmRelease) bool { ++func checkReleaseGeneration(rel helmv2.HelmRelease) bool { + generation := rel.GetGeneration() + observedGeneration := rel.Status.ObservedGeneration + return generation > 0 && generation == observedGeneration +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go +index ba46e9633..dd5507e60 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_integration_test.go +@@ -12,8 +12,8 @@ import ( + "testing" + "time" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" +@@ -949,7 +949,7 @@ func TestKindClusterRBAC_ReadRelease(t *testing.T) { + rules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get", "list"}, + }, +@@ -1044,14 +1044,14 @@ func TestKindClusterRBAC_ReadRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns1: { + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{"helmcharts"}, + Verbs: []string{"get", "list"}, + }, + }, + ns2: { + { +- APIGroups: 
[]string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get", "list"}, + }, +@@ -1188,7 +1188,7 @@ func TestKindClusterRBAC_CreateRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"create"}, + }, +@@ -1218,14 +1218,14 @@ func TestKindClusterRBAC_CreateRelease(t *testing.T) { + nsToRules = map[string][]rbacv1.PolicyRule{ + ns1: { + { +- APIGroups: []string{sourcev1beta2.GroupVersion.Group}, ++ APIGroups: []string{sourcev1.GroupVersion.Group}, + Resources: []string{"helmcharts"}, + Verbs: []string{"get"}, + }, + }, + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"create"}, + }, +@@ -1335,7 +1335,7 @@ func TestKindClusterRBAC_UpdateRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get"}, + }, +@@ -1368,7 +1368,7 @@ func TestKindClusterRBAC_UpdateRelease(t *testing.T) { + nsToRules = map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"get", "update"}, + }, +@@ -1476,7 +1476,7 @@ func TestKindClusterRBAC_DeleteRelease(t *testing.T) { + nsToRules := map[string][]rbacv1.PolicyRule{ + ns2: { + { +- APIGroups: []string{helmv2beta2.GroupVersion.Group}, ++ APIGroups: []string{helmv2.GroupVersion.Group}, + Resources: []string{fluxHelmReleases}, + Verbs: []string{"delete"}, + }, +diff --git 
a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go
+index 824afc678..8827ccdbe 100644
+--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go
++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release_test.go
+@@ -12,10 +12,10 @@ import (
+ "time"
+
+ "github.com/bufbuild/connect-go"
+- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2"
++ helmv2 "github.com/fluxcd/helm-controller/api/v2"
+ fluxmeta "github.com/fluxcd/pkg/apis/meta"
+ sourcev1 "github.com/fluxcd/source-controller/api/v1"
+- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2"
++ sourcev1 "github.com/fluxcd/source-controller/api/v1"
+ "github.com/google/go-cmp/cmp"
+ "github.com/google/go-cmp/cmp/cmpopts"
+ corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1"
+@@ -43,7 +43,7 @@ type testSpecGetInstalledPackages struct {
+ releaseValues *v1.JSON
+ releaseSuspend bool
+ releaseServiceAccountName string
+- releaseStatus helmv2beta2.HelmReleaseStatus
++ releaseStatus helmv2.HelmReleaseStatus
+ // only used to test edge cases now, most tests should not set this
+ targetNamespace string
+ }
+@@ -511,7 +511,7 @@ func TestCreateInstalledPackage(t *testing.T) {
+ existingObjs testSpecCreateInstalledPackage
+ expectedStatusCode codes.Code
+ expectedResponse *corev1.CreateInstalledPackageResponse
+- expectedRelease *helmv2beta2.HelmRelease
++ expectedRelease *helmv2.HelmRelease
+ defaultUpgradePolicyStr string
+ }{
+ {
+@@ -637,7 +637,7 @@ func TestCreateInstalledPackage(t *testing.T) {
+ }
+ defer ts.Close()
+
+- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo})
++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{*repo})
+ if err != nil {
+ t.Fatal(err)
+ }
+@@ -686,12 +686,12 @@ func TestCreateInstalledPackage(t *testing.T) {
+ t.Fatal(err)
+ } else {
+ key := types.NamespacedName{Namespace: 
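Review bot: The release_test.go import block now declares `sourcev1` twice — the pre-existing `sourcev1 "github.com/fluxcd/source-controller/api/v1"` line is kept as context and the replaced `sourcev1beta2` line becomes an identical `sourcev1` import — which Go rejects (`sourcev1 redeclared in this block`), so the test file will not compile. The hunk counts (`-12,10 +12,10`) confirm the duplicate is on the new side rather than a rendering artifact. The hunk should be a pure deletion of `sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2"` with no replacement line and the header adjusted to `@@ -12,10 +12,9 @@`.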
tc.request.TargetContext.Namespace, Name: tc.request.Name} +- var actualRel helmv2beta2.HelmRelease ++ var actualRel helmv2.HelmRelease + if err = ctrlClient.Get(context.Background(), key, &actualRel); err != nil { + t.Fatal(err) + } else { + // Values are JSON string and need to be compared as such +- opts = cmpopts.IgnoreFields(helmv2beta2.HelmReleaseSpec{}, "Values") ++ opts = cmpopts.IgnoreFields(helmv2.HelmReleaseSpec{}, "Values") + + // Manually setting TypeMeta, as the fakeclient doesn't do it anymore: + // https://github.com/kubernetes-sigs/controller-runtime/pull/2633 +@@ -714,7 +714,7 @@ func TestUpdateInstalledPackage(t *testing.T) { + existingK8sObjs *testSpecGetInstalledPackages + expectedErrorCode connect.Code + expectedResponse *corev1.UpdateInstalledPackageResponse +- expectedRelease *helmv2beta2.HelmRelease ++ expectedRelease *helmv2.HelmRelease + defaultUpgradePolicyStr string + }{ + { +@@ -894,7 +894,7 @@ func TestUpdateInstalledPackage(t *testing.T) { + Name: tc.expectedResponse.InstalledPackageRef.Identifier, + } + ctx := context.Background() +- var actualRel helmv2beta2.HelmRelease ++ var actualRel helmv2.HelmRelease + if ctrlClient, err := s.clientGetter.ControllerRuntime(http.Header{}, s.kubeappsCluster); err != nil { + t.Fatal(err) + } else if err = ctrlClient.Get(ctx, key, &actualRel); err != nil { +@@ -902,7 +902,7 @@ func TestUpdateInstalledPackage(t *testing.T) { + } + + // Values are JSON string and need to be compared as such +- opts = cmpopts.IgnoreFields(helmv2beta2.HelmReleaseSpec{}, "Values") ++ opts = cmpopts.IgnoreFields(helmv2.HelmReleaseSpec{}, "Values") + + // Manually setting TypeMeta, as the fakeclient doesn't do it anymore: + // https://github.com/kubernetes-sigs/controller-runtime/pull/2633 +@@ -985,7 +985,7 @@ func TestDeleteInstalledPackage(t *testing.T) { + Name: tc.request.InstalledPackageRef.Identifier, + } + ctx := context.Background() +- var actualRel helmv2beta2.HelmRelease ++ var actualRel helmv2.HelmRelease + if 
ctrlClient, err := s.clientGetter.ControllerRuntime(http.Header{}, s.kubeappsCluster); err != nil { + t.Fatal(err) + } else if err = ctrlClient.Get(ctx, key, &actualRel); !errors.IsNotFound(err) { +@@ -1129,15 +1129,15 @@ func TestGetInstalledPackageResourceRefs(t *testing.T) { + } + } + +-func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPackages) (charts []sourcev1beta2.HelmChart, releases []helmv2beta2.HelmRelease, cleanup func()) { ++func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPackages) (charts []sourcev1.HelmChart, releases []helmv2.HelmRelease, cleanup func()) { + httpServers := []*httptest.Server{} + cleanup = func() { + for _, ts := range httpServers { + ts.Close() + } + } +- charts = []sourcev1beta2.HelmChart{} +- releases = []helmv2beta2.HelmRelease{} ++ charts = []sourcev1.HelmChart{} ++ releases = []helmv2.HelmRelease{} + + for _, existing := range existingK8sObjs { + tarGzBytes, err := os.ReadFile(existing.chartTarGz) +@@ -1155,24 +1155,24 @@ func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPa + })) + httpServers = append(httpServers, ts) + +- chartSpec := &sourcev1beta2.HelmChartSpec{ ++ chartSpec := &sourcev1.HelmChartSpec{ + Chart: existing.chartName, +- SourceRef: sourcev1beta2.LocalHelmChartSourceReference{ ++ SourceRef: sourcev1.LocalHelmChartSourceReference{ + Name: existing.repoName, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Kind: sourcev1.HelmRepositoryKind, + }, + Version: existing.chartSpecVersion, + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } + +- chartStatus := &sourcev1beta2.HelmChartStatus{ ++ chartStatus := &sourcev1.HelmChartStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, + Message: "Fetched revision: " + existing.chartSpecVersion, + Type: fluxmeta.ReadyCondition, + Status: metav1.ConditionTrue, +- Reason: sourcev1beta2.ChartPullSucceededReason, ++ Reason: 
sourcev1.ChartPullSucceededReason, + }, + }, + Artifact: &sourcev1.Artifact{ +@@ -1183,14 +1183,14 @@ func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPa + chart := newChart(existing.chartName, existing.repoNamespace, chartSpec, chartStatus) + charts = append(charts, chart) + +- releaseSpec := &helmv2beta2.HelmReleaseSpec{ +- Chart: helmv2beta2.HelmChartTemplate{ +- Spec: helmv2beta2.HelmChartTemplateSpec{ ++ releaseSpec := &helmv2.HelmReleaseSpec{ ++ Chart: helmv2.HelmChartTemplate{ ++ Spec: helmv2.HelmChartTemplateSpec{ + Chart: existing.chartName, + Version: existing.chartSpecVersion, +- SourceRef: helmv2beta2.CrossNamespaceObjectReference{ ++ SourceRef: helmv2.CrossNamespaceObjectReference{ + Name: existing.repoName, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Kind: sourcev1.HelmRepositoryKind, + Namespace: existing.repoNamespace, + }, + }, +@@ -1217,8 +1217,8 @@ func newChartsAndReleases(t *testing.T, existingK8sObjs []testSpecGetInstalledPa + return charts, releases, cleanup + } + +-func newRelease(meta metav1.ObjectMeta, spec *helmv2beta2.HelmReleaseSpec, status *helmv2beta2.HelmReleaseStatus) helmv2beta2.HelmRelease { +- helmRelease := helmv2beta2.HelmRelease{ ++func newRelease(meta metav1.ObjectMeta, spec *helmv2.HelmReleaseSpec, status *helmv2.HelmReleaseStatus) helmv2.HelmRelease { ++ helmRelease := helmv2.HelmRelease{ + ObjectMeta: meta, + } + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go +index 790b21514..5154ed7f7 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go +@@ -18,7 +18,7 @@ import ( + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/k8sutils" + + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 
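Review bot: `Chart: helmv2.HelmChartTemplate{` in newChartsAndReleases builds the chart template as a value, while the same patch writes `Chart: &helmv2.HelmChartTemplate{` in release.go's newFluxHelmRelease; `HelmReleaseSpec.Chart` has exactly one type, so one of the two files cannot compile. In the v2 API the field is a pointer (optional, because `chartRef` is the alternative), which makes the test the side to fix: `Chart: &helmv2.HelmChartTemplate{` — verify against the vendored helm-controller/api/v2 types. newChartsAndReleases continues outside this hunk.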
"github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/plugins/fluxv2/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/cache" +@@ -52,7 +52,7 @@ var ( + // returns a list of HelmRepositories from specified namespace. + // ns can be "", in which case all namespaces (cluster-wide), excluding + // the ones that the caller has no read access to +-func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, ns string) ([]sourcev1beta2.HelmRepository, error) { ++func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, ns string) ([]sourcev1.HelmRepository, error) { + // the actual List(...) call will be executed in the context of + // kubeapps-internal-kubeappsapis service account + // ref https://github.com/vmware-tanzu/kubeapps/issues/4390 for explanation +@@ -62,7 +62,7 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, + return nil, err + } + +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + listOptions := ctrlclient.ListOptions{ + Namespace: ns, + } +@@ -83,7 +83,7 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, + return nil, err + } + } +- items := []sourcev1beta2.HelmRepository{} ++ items := []sourcev1.HelmRepository{} + for _, item := range repoList.Items { + if allowedNamespaces.Has(item.GetNamespace()) { + items = append(items, item) +@@ -93,7 +93,7 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, + } + } + +-func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1beta2.HelmRepository, error) { ++func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key types.NamespacedName) (*sourcev1.HelmRepository, error) { + // unlike List(), there is no need to execute Get() 
in the context of + // kubeapps-internal-kubeappsapis service account and then filter out results based on + // whether or not the caller hasAccessToNamespace(). We can just pass the caller +@@ -103,7 +103,7 @@ func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key + if err != nil { + return nil, err + } +- var repo sourcev1beta2.HelmRepository ++ var repo sourcev1.HelmRepository + if err = client.Get(ctx, key, &repo); err != nil { + return nil, connecterror.FromK8sError("get", "HelmRepository", key.String(), err) + } +@@ -111,7 +111,7 @@ func (s *Server) getRepoInCluster(ctx context.Context, headers http.Header, key + } + + // regexp expressions are used for matching actual names against expected patters +-func (s *Server) filterReadyReposByName(repoList []sourcev1beta2.HelmRepository, match []string) (sets.Set[string], error) { ++func (s *Server) filterReadyReposByName(repoList []sourcev1.HelmRepository, match []string) (sets.Set[string], error) { + if s.repoCache == nil { + return nil, connect.NewError(connect.CodeFailedPrecondition, fmt.Errorf("Server cache has not been properly initialized")) + } +@@ -232,7 +232,7 @@ func (s *Server) newRepo(ctx context.Context, request *connect.Request[corev1.Ad + } + + typ := request.Msg.GetType() +- if typ != "helm" && typ != sourcev1beta2.HelmRepositoryTypeOCI { ++ if typ != "helm" && typ != sourcev1.HelmRepositoryTypeOCI { + return nil, connect.NewError(connect.CodeUnimplemented, fmt.Errorf("Repository type [%s] not supported", typ)) + } + +@@ -323,7 +323,7 @@ func (s *Server) repoDetail(ctx context.Context, headers http.Header, repoRef *c + // will have a FluxPackageRepositoryCustomDetail in it. Flux spec already clearly states + // If you do not specify .spec.provider, it defaults to generic. 
+ // https://fluxcd.io/flux/components/source/helmrepositories/#provider +- if repo.Spec.Provider != "" && repo.Spec.Provider != sourcev1beta2.GenericOCIProvider { ++ if repo.Spec.Provider != "" && repo.Spec.Provider != "generic" { + if customDetail, err = anypb.New(&v1alpha1.FluxPackageRepositoryCustomDetail{ + Provider: repo.Spec.Provider, + }); err != nil { +@@ -357,7 +357,7 @@ func (s *Server) repoDetail(ctx context.Context, headers http.Header, repoRef *c + + func (s *Server) repoSummaries(ctx context.Context, headers http.Header, ns string) ([]*corev1.PackageRepositorySummary, error) { + summaries := []*corev1.PackageRepositorySummary{} +- var repos []sourcev1beta2.HelmRepository ++ var repos []sourcev1.HelmRepository + var err error + if ns == apiv1.NamespaceAll { + if repos, err = s.listReposInNamespace(ctx, headers, ns); err != nil { +@@ -368,7 +368,7 @@ func (s *Server) repoSummaries(ctx context.Context, headers http.Header, ns stri + // namely, if a specific namespace is passed in, we need to list repos in that namespace + // and if the caller happens not to have 'read' access to that namespace, a PermissionDenied + // error should be raised, as opposed to returning an empty list with no error +- var repoList sourcev1beta2.HelmRepositoryList ++ var repoList sourcev1.HelmRepositoryList + var client ctrlclient.Client + if client, err = s.getClient(headers, ns); err != nil { + return nil, err +@@ -491,7 +491,7 @@ func (s *Server) updateRepo(ctx context.Context, repoRef *corev1.PackageReposito + // process and the current status no longer applies. metadata and spec I want + // to keep, as they may have had added labels and/or annotations and/or + // even other changes made by the user. 
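Review bot: The provider comparison on the new side hard-codes the literal `"generic"` where the old code used an API constant; the v1 HelmRepository API still exports `GenericOCIProvider` to my recollection (alongside the aws/azure/gcp provider constants), so `repo.Spec.Provider != sourcev1.GenericOCIProvider` keeps the check tied to the upstream definition that the adjacent comment about flux's default refers to. If the constant really is absent from the vendored version, a named constant in this package is still preferable to a bare string in a comparison. repoDetail starts and ends outside this hunk.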
+- repo.Status = sourcev1beta2.HelmRepositoryStatus{} ++ repo.Status = sourcev1.HelmRepositoryStatus{} + + if client, err := s.getClient(request.Header(), key.Namespace); err != nil { + return nil, err +@@ -529,7 +529,7 @@ func (s *Server) deleteRepo(ctx context.Context, headers http.Header, repoRef *c + // For kubeapps-managed secrets environment secrets will be deleted (garbage-collected) + // when the owner repo is deleted + +- repo := &sourcev1beta2.HelmRepository{ ++ repo := &sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: repoRef.Identifier, + Namespace: repoRef.Context.Namespace, +@@ -562,10 +562,10 @@ func (s *repoEventSink) onAddRepo(key string, obj ctrlclient.Object) (interface{ + log.V(4).Infof("+onAddRepo(%s)", key) + defer log.V(4).Info("-onAddRepo()") + +- if repo, ok := obj.(*sourcev1beta2.HelmRepository); !ok { +- return nil, false, fmt.Errorf("expected an instance of *sourcev1beta2.HelmRepository, got: %T", obj) ++ if repo, ok := obj.(*sourcev1.HelmRepository); !ok { ++ return nil, false, fmt.Errorf("expected an instance of *sourcev1.HelmRepository, got: %T", obj) + } else if isRepoReady(*repo) { +- if repo.Spec.Type == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI { + return s.onAddOciRepo(*repo) + } else { + return s.onAddHttpRepo(*repo) +@@ -579,7 +579,7 @@ func (s *repoEventSink) onAddRepo(key string, obj ctrlclient.Object) (interface{ + } + + // ref https://fluxcd.io/docs/components/source/helmrepositories/#status +-func (s *repoEventSink) onAddHttpRepo(repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onAddHttpRepo(repo sourcev1.HelmRepository) ([]byte, bool, error) { + if artifact := repo.GetArtifact(); artifact != nil { + if checksum := artifact.Digest; checksum == "" { + return nil, false, connect.NewError(connect.CodeInternal, +@@ -595,7 +595,7 @@ func (s *repoEventSink) onAddHttpRepo(repo sourcev1beta2.HelmRepository) ([]byte + } + } + 
+-func (s *repoEventSink) indexAndEncode(checksum string, repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) indexAndEncode(checksum string, repo sourcev1.HelmRepository) ([]byte, bool, error) { + charts, err := s.indexOneRepo(repo) + if err != nil { + return nil, false, err +@@ -637,7 +637,7 @@ func (s *repoEventSink) indexAndEncode(checksum string, repo sourcev1beta2.HelmR + + // it is assumed the caller has already checked that this repo is ready + // At present, there is only one caller of indexOneRepo() and this check is already done by it +-func (s *repoEventSink) indexOneRepo(repo sourcev1beta2.HelmRepository) ([]models.Chart, error) { ++func (s *repoEventSink) indexOneRepo(repo sourcev1.HelmRepository) ([]models.Chart, error) { + startTime := time.Now() + + // ref https://fluxcd.io/docs/components/source/helmrepositories/#status +@@ -698,12 +698,12 @@ func (s *repoEventSink) indexOneRepo(repo sourcev1beta2.HelmRepository) ([]model + + // onModifyRepo essentially tells the cache whether or not to and what to store for a given key + func (s *repoEventSink) onModifyRepo(key string, obj ctrlclient.Object, oldValue interface{}) (interface{}, bool, error) { +- if repo, ok := obj.(*sourcev1beta2.HelmRepository); !ok { +- return nil, false, fmt.Errorf("expected an instance of *sourcev1beta2.HelmRepository, got: %T", obj) ++ if repo, ok := obj.(*sourcev1.HelmRepository); !ok { ++ return nil, false, fmt.Errorf("expected an instance of *sourcev1.HelmRepository, got: %T", obj) + } else if isRepoReady(*repo) { + // first check the repo is ready + +- if repo.Spec.Type == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repo.Spec.Type == sourcev1.HelmRepositoryTypeOCI { + return s.onModifyOciRepo(key, oldValue, *repo) + } else { + return s.onModifyHttpRepo(key, oldValue, *repo) +@@ -716,7 +716,7 @@ func (s *repoEventSink) onModifyRepo(key string, obj ctrlclient.Object, oldValue + } + } + +-func (s *repoEventSink) onModifyHttpRepo(key string, 
oldValue interface{}, repo sourcev1beta2.HelmRepository) ([]byte, bool, error) { ++func (s *repoEventSink) onModifyHttpRepo(key string, oldValue interface{}, repo sourcev1.HelmRepository) ([]byte, bool, error) { + // We should to compare checksums on what's stored in the cache + // vs the modified object to see if the contents has really changed before embarking on + // expensive operation indexOneRepo() below. +@@ -796,7 +796,7 @@ func (s *repoEventSink) fromKey(key string) (*types.NamespacedName, error) { + return &types.NamespacedName{Namespace: parts[1], Name: parts[2]}, nil + } + +-func (s *repoEventSink) getRepoSecret(ctx context.Context, repo sourcev1beta2.HelmRepository) (*apiv1.Secret, error) { ++func (s *repoEventSink) getRepoSecret(ctx context.Context, repo sourcev1.HelmRepository) (*apiv1.Secret, error) { + if repo.Spec.SecretRef == nil { + return nil, nil + } +@@ -825,7 +825,7 @@ func (s *repoEventSink) getRepoSecret(ctx context.Context, repo sourcev1beta2.He + + // The reason I do this here is to set up auth that may be needed to fetch chart tarballs by + // ChartCache +-func (s *repoEventSink) clientOptionsForHttpRepo(ctx context.Context, repo sourcev1beta2.HelmRepository) (*common.HttpClientOptions, error) { ++func (s *repoEventSink) clientOptionsForHttpRepo(ctx context.Context, repo sourcev1.HelmRepository) (*common.HttpClientOptions, error) { + if secret, err := s.getRepoSecret(ctx, repo); err == nil && secret != nil { + return common.HttpClientOptionsFromSecret(*secret) + } else { +@@ -837,7 +837,7 @@ func (s *repoEventSink) clientOptionsForHttpRepo(ctx context.Context, repo sourc + // repo-related utilities + // + +-func isRepoReady(repo sourcev1beta2.HelmRepository) bool { ++func isRepoReady(repo sourcev1.HelmRepository) bool { + // see docs at https://fluxcd.io/docs/components/source/helmrepositories/ + // Confirm the state we are observing is for the current generation + if !checkRepoGeneration(repo) { +@@ -854,7 +854,7 @@ func 
isRepoReady(repo sourcev1beta2.HelmRepository) bool { + // - reason: if present + // docs: + // 1. https://fluxcd.io/docs/components/source/helmrepositories/#status-examples +-func isHelmRepositoryReady(repo sourcev1beta2.HelmRepository) (complete bool, success bool, reason string) { ++func isHelmRepositoryReady(repo sourcev1.HelmRepository) (complete bool, success bool, reason string) { + // flux source-controller v1beta2 API made a change so that we can no longer + // rely on a simple "metadata.generation" vs "status.observedGeneration" check for a + // quick answer. The resource may now exist with "observedGeneration": -1 either in +@@ -882,7 +882,7 @@ func isHelmRepositoryReady(repo sourcev1beta2.HelmRepository) (complete bool, su + return false, false, reason + } + +-func repoStatus(repo sourcev1beta2.HelmRepository) *corev1.PackageRepositoryStatus { ++func repoStatus(repo sourcev1.HelmRepository) *corev1.PackageRepositoryStatus { + complete, success, reason := isHelmRepositoryReady(repo) + s := &corev1.PackageRepositoryStatus{ + Ready: complete && success, +@@ -899,7 +899,7 @@ func repoStatus(repo sourcev1beta2.HelmRepository) *corev1.PackageRepositoryStat + return s + } + +-func checkRepoGeneration(repo sourcev1beta2.HelmRepository) bool { ++func checkRepoGeneration(repo sourcev1.HelmRepository) bool { + generation := repo.GetGeneration() + observedGeneration := repo.Status.ObservedGeneration + return generation > 0 && generation == observedGeneration +@@ -914,7 +914,7 @@ func newFluxHelmRepo( + interval string, + secret *apiv1.Secret, + passCredentials bool, +- provider string) (*sourcev1beta2.HelmRepository, error) { ++ provider string) (*sourcev1.HelmRepository, error) { + pollInterval := defaultPollInterval + if interval != "" { + if duration, err := pkgutils.ToDuration(interval); err != nil { +@@ -923,18 +923,18 @@ func newFluxHelmRepo( + pollInterval = *duration + } + } +- fluxRepo := &sourcev1beta2.HelmRepository{ ++ fluxRepo := 
&sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: targetName.Name, + Namespace: targetName.Namespace, + }, +- Spec: sourcev1beta2.HelmRepositorySpec{ ++ Spec: sourcev1.HelmRepositorySpec{ + URL: url, + Interval: pollInterval, + }, + } +- if typ == sourcev1beta2.HelmRepositoryTypeOCI { +- fluxRepo.Spec.Type = sourcev1beta2.HelmRepositoryTypeOCI ++ if typ == sourcev1.HelmRepositoryTypeOCI { ++ fluxRepo.Spec.Type = sourcev1.HelmRepositoryTypeOCI + } + if desc != "" { + k8sutils.SetDescription(&fluxRepo.ObjectMeta, desc) +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go +index 517a503ec..f811e0297 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_auth.go +@@ -10,7 +10,7 @@ import ( + "net/http" + + "github.com/bufbuild/connect-go" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/connecterror" + "github.com/vmware-tanzu/kubeapps/pkg/kube" +@@ -79,7 +79,7 @@ func (s *Server) handleRepoSecretForCreate( + func (s *Server) handleRepoSecretForUpdate( + ctx context.Context, + headers http.Header, +- repo *sourcev1beta2.HelmRepository, ++ repo *sourcev1.HelmRepository, + newTlsConfig *corev1.PackageRepositoryTlsConfig, + newAuth *corev1.PackageRepositoryAuth) (updatedSecret *apiv1.Secret, isKubeappsManagedSecret bool, isSecretUpdated bool, err error) { + +@@ -208,7 +208,7 @@ func (s *Server) validateUserManagedRepoSecret( + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Specified secret [%s] missing fields 'username' and/or 'password'", secretRef)) + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_TLS: +- if repoType 
== sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType == sourcev1.HelmRepositoryTypeOCI { + // ref https://fluxcd.io/flux/components/source/helmrepositories/#tls-authentication + // Note: TLS authentication is not yet supported by OCI Helm repositories. + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Package repository authentication type %q is not supported for OCI repositories", auth.Type)) +@@ -218,7 +218,7 @@ func (s *Server) validateUserManagedRepoSecret( + } + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_DOCKER_CONFIG_JSON: +- if repoType == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType == sourcev1.HelmRepositoryTypeOCI { + if secret.Data[apiv1.DockerConfigJsonKey] == nil { + return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("Specified secret [%s] missing field '%s'", secretRef, apiv1.DockerConfigJsonKey)) + } +@@ -251,7 +251,7 @@ func (s *Server) setOwnerReferencesForRepoSecret( + ctx context.Context, + headers http.Header, + secret *apiv1.Secret, +- repo *sourcev1beta2.HelmRepository) error { ++ repo *sourcev1.HelmRepository) error { + + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 + if repo.Spec.SecretRef != nil && secret != nil { +@@ -263,9 +263,9 @@ func (s *Server) setOwnerReferencesForRepoSecret( + *metav1.NewControllerRef( + repo, + schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmRepositoryKind, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmRepositoryKind, + }), + } + if _, err := secretsInterface.Update(ctx, secret, metav1.UpdateOptions{}); err != nil { +@@ -276,7 +276,7 @@ func (s *Server) setOwnerReferencesForRepoSecret( + return nil + } + +-func (s *Server) getRepoTlsConfigAndAuth(ctx context.Context, headers http.Header, repo sourcev1beta2.HelmRepository) 
(*corev1.PackageRepositoryTlsConfig, *corev1.PackageRepositoryAuth, error) { ++func (s *Server) getRepoTlsConfigAndAuth(ctx context.Context, headers http.Header, repo sourcev1.HelmRepository) (*corev1.PackageRepositoryTlsConfig, *corev1.PackageRepositoryAuth, error) { + var tlsConfig *corev1.PackageRepositoryTlsConfig + var auth *corev1.PackageRepositoryAuth + +@@ -385,7 +385,7 @@ func newSecretFromTlsConfigAndAuth(repoName types.NamespacedName, + } + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_TLS: +- if repoType == sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType == sourcev1.HelmRepositoryTypeOCI { + // ref https://fluxcd.io/flux/components/source/helmrepositories/#tls-authentication + // Note: TLS authentication is not yet supported by OCI Helm repositories. + return nil, false, connect.NewError(connect.CodeInternal, fmt.Errorf("Package repository authentication type %q is not supported for OCI repositories", auth.Type)) +@@ -413,7 +413,7 @@ func newSecretFromTlsConfigAndAuth(repoName types.NamespacedName, + } + } + case corev1.PackageRepositoryAuth_PACKAGE_REPOSITORY_AUTH_TYPE_DOCKER_CONFIG_JSON: +- if repoType != sourcev1beta2.HelmRepositoryTypeOCI { ++ if repoType != sourcev1.HelmRepositoryTypeOCI { + return nil, false, connect.NewError(connect.CodeInternal, fmt.Errorf("Unsupported package repository authentication type: %q", auth.Type)) + } + +@@ -569,7 +569,7 @@ func getRepoTlsConfigAndAuthWithKubeappsManagedSecrets(secret *apiv1.Secret) (*c + return tlsConfig, auth, nil + } + +-func isSecretKubeappsManaged(secret *apiv1.Secret, repo *sourcev1beta2.HelmRepository) bool { ++func isSecretKubeappsManaged(secret *apiv1.Secret, repo *sourcev1.HelmRepository) bool { + if !metav1.IsControlledBy(secret, repo) { + return false + } +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go +index e90758d47..23d9e3e68 100644 +--- 
a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo_test.go +@@ -19,7 +19,7 @@ import ( + "github.com/bufbuild/connect-go" + fluxmeta "github.com/fluxcd/pkg/apis/meta" + sourcev1 "github.com/fluxcd/source-controller/api/v1" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redismock/v8" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" +@@ -414,7 +414,7 @@ func TestGetAvailablePackageSummariesWithoutPagination(t *testing.T) { + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { +- repos := []sourcev1beta2.HelmRepository{} ++ repos := []sourcev1.HelmRepository{} + + for _, rs := range tc.repos { + ts2, repo, err := newHttpRepoAndServeIndex(rs.index, rs.name, rs.namespace, nil, "") +@@ -479,7 +479,7 @@ func TestGetAvailablePackageSummariesWithPagination(t *testing.T) { + index: testYaml("index-with-categories.yaml"), + }, + } +- repos := []sourcev1beta2.HelmRepository{} ++ repos := []sourcev1.HelmRepository{} + for _, rs := range existingRepos { + ts2, repo, err := newHttpRepoAndServeIndex(rs.index, rs.name, rs.namespace, nil, "") + if err != nil { +@@ -616,12 +616,12 @@ func TestGetAvailablePackageSummaryAfterRepoIndexUpdate(t *testing.T) { + })) + defer ts.Close() + +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Digest: "651f952130ea96823711d08345b85e82be011dc6", + LastUpdateTime: metav1.Time{Time: lastUpdateTime}, +@@ -640,7 +640,7 @@ func TestGetAvailablePackageSummaryAfterRepoIndexUpdate(t *testing.T) { + repoName := types.NamespacedName{Namespace: "ns2", Name: 
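Review bot: The import hunk for repo_test.go (`@@ -19,7 +19,7 @@ import (`) adds `sourcev1 "github.com/fluxcd/source-controller/api/v1"` while the unchanged context line two lines above already imports the same package under the same alias, so once this embedded patch is applied the test file declares `sourcev1` twice and `go vet` / `go test` on that package fails with a redeclaration error. Only the test package is affected, so a production build that skips tests will not catch it; whether this repository's build compiles kubeapps tests is not visible here. The hunk should be a pure removal: keep `-	sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2"` and drop the added `sourcev1` line, adjusting the header to `@@ -19,7 +19,6 @@`. Because the mistake lives inside a committed patch file it only surfaces when the patch is applied, which argues for a `go vet ./...` step in the build that applies it.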
"testrepo"} + repo := newRepo(repoName.Name, repoName.Namespace, repoSpec, repoStatus) + +- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{repo}) ++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{repo}) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -752,7 +752,7 @@ func TestGetAvailablePackageSummaryAfterFluxHelmRepoDelete(t *testing.T) { + } + defer ts.Close() + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, charts, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, charts, nil) + if err != nil { + t.Fatalf("%+v", err) + } +@@ -847,7 +847,7 @@ func TestGetAvailablePackageSummaryAfterCacheResync(t *testing.T) { + } + defer ts2.Close() + +- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}) ++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{*repo}) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -932,7 +932,7 @@ func TestGetAvailablePackageSummariesAfterCacheResyncQueueNotIdle(t *testing.T) + } + + // first, I'd like to fill up the work queue with a whole bunch of work items +- repos := []*sourcev1beta2.HelmRepository{} ++ repos := []*sourcev1.HelmRepository{} + mapReposCached := make(map[string][]byte) + keysInOrder := []string{} + +@@ -1181,7 +1181,7 @@ func TestAddPackageRepository(t *testing.T) { + name string + request *corev1.AddPackageRepositoryRequest + expectedResponse *corev1.AddPackageRepositoryResponse +- expectedRepo *sourcev1beta2.HelmRepository ++ expectedRepo *sourcev1.HelmRepository + errorCode connect.Code + existingSecret *apiv1.Secret + expectedCreatedSecret *apiv1.Secret +@@ -1411,7 +1411,7 @@ func TestAddPackageRepository(t *testing.T) { + if ctrlClient, err := s.clientGetter.ControllerRuntime(http.Header{}, s.kubeappsCluster); err != nil { + t.Fatal(err) + } else { +- var actualRepo sourcev1beta2.HelmRepository ++ 
var actualRepo sourcev1.HelmRepository + if err = ctrlClient.Get(ctx, nsname, &actualRepo); err != nil { + t.Fatal(err) + } else { +@@ -1429,7 +1429,7 @@ func TestAddPackageRepository(t *testing.T) { + } + } else { + // TODO(agamez): flux upgrade - migrate to CertSecretRef, see https://github.com/fluxcd/flux2/releases/tag/v2.1.0 +- opt1 := cmpopts.IgnoreFields(sourcev1beta2.HelmRepositorySpec{}, "SecretRef") ++ opt1 := cmpopts.IgnoreFields(sourcev1.HelmRepositorySpec{}, "SecretRef") + + // Manually setting TypeMeta, as the fakeclient doesn't do it anymore: + // https://github.com/kubernetes-sigs/controller-runtime/pull/2633 +@@ -1637,7 +1637,7 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + secretRef = tc.repoSecret.Name + secrets = append(secrets, tc.repoSecret) + } +- var repo *sourcev1beta2.HelmRepository ++ var repo *sourcev1.HelmRepository + if !tc.pending && !tc.failed { + var ts *httptest.Server + var err error +@@ -1647,11 +1647,11 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + } + defer ts.Close() + } else if tc.pending { +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1665,11 +1665,11 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + repo1 := newRepo(tc.repoName, tc.repoNamespace, repoSpec, repoStatus) + repo = &repo1 + } else { // failed +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + 
LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -1686,7 +1686,7 @@ func TestGetPackageRepositoryDetail(t *testing.T) { + + // the index.yaml will contain links to charts but for the purposes + // of this test they do not matter +- s, _, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, secrets) ++ s, _, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, secrets) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -1744,7 +1744,7 @@ func TestGetOciPackageRepositoryDetail(t *testing.T) { + t.Fatal(err) + } + +- s, mock, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, nil) ++ s, mock, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, nil) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -1786,7 +1786,7 @@ func TestGetPackageRepositorySummaries(t *testing.T) { + testCases := []struct { + name string + request *corev1.GetPackageRepositorySummariesRequest +- existingRepos []sourcev1beta2.HelmRepository ++ existingRepos []sourcev1.HelmRepository + expectedErrorCode connect.Code + expectedResponse *corev1.GetPackageRepositorySummariesResponse + }{ +@@ -1795,7 +1795,7 @@ func TestGetPackageRepositorySummaries(t *testing.T) { + request: &corev1.GetPackageRepositorySummariesRequest{ + Context: &corev1.Context{}, + }, +- existingRepos: []sourcev1beta2.HelmRepository{ ++ existingRepos: []sourcev1.HelmRepository{ + get_summaries_repo_1, + get_summaries_repo_2, + get_summaries_repo_3, +@@ -1815,7 +1815,7 @@ func TestGetPackageRepositorySummaries(t *testing.T) { + request: &corev1.GetPackageRepositorySummariesRequest{ + Context: &corev1.Context{Namespace: "foo"}, + }, +- existingRepos: []sourcev1beta2.HelmRepository{ ++ existingRepos: []sourcev1.HelmRepository{ + get_summaries_repo_1, + get_summaries_repo_2, + get_summaries_repo_3, +@@ -2124,7 +2124,7 @@ func TestUpdatePackageRepository(t *testing.T) { + if tc.newRepoSecret != 
nil { + secrets = append(secrets, tc.newRepoSecret) + } +- var repo *sourcev1beta2.HelmRepository ++ var repo *sourcev1.HelmRepository + if !tc.pending { + var ts *httptest.Server + var err error +@@ -2134,11 +2134,11 @@ func TestUpdatePackageRepository(t *testing.T) { + } + defer ts.Close() + } else { +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2156,7 +2156,7 @@ func TestUpdatePackageRepository(t *testing.T) { + + // the index.yaml will contain links to charts but for the purposes + // of this test they do not matter +- s, _, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, secrets) ++ s, _, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, secrets) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -2219,7 +2219,7 @@ func TestUpdatePackageRepository(t *testing.T) { + + // check the created/updated secret + if tc.expectedCreatedSecret != nil { +- var actualRepo sourcev1beta2.HelmRepository ++ var actualRepo sourcev1.HelmRepository + if err = ctrlClient.Get(ctx, types.NamespacedName{Namespace: tc.repoNamespace, Name: tc.repoName}, &actualRepo); err != nil { + t.Fatal(err) + } +@@ -2285,7 +2285,7 @@ func TestDeletePackageRepository(t *testing.T) { + if tc.newRepoSecret != nil { + secrets = append(secrets, tc.newRepoSecret) + } +- var repo *sourcev1beta2.HelmRepository ++ var repo *sourcev1.HelmRepository + if !tc.pending { + var ts *httptest.Server + var err error +@@ -2295,11 +2295,11 @@ func TestDeletePackageRepository(t *testing.T) { + } + defer ts.Close() + } else { +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := 
&sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + LastTransitionTime: metav1.Time{Time: lastTransitionTime}, +@@ -2317,7 +2317,7 @@ func TestDeletePackageRepository(t *testing.T) { + + // the index.yaml will contain links to charts but for the purposes + // of this test they do not matter +- s, _, err := newServerWithRepos(t, []sourcev1beta2.HelmRepository{*repo}, nil, secrets) ++ s, _, err := newServerWithRepos(t, []sourcev1.HelmRepository{*repo}, nil, secrets) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -2331,7 +2331,7 @@ func TestDeletePackageRepository(t *testing.T) { + Namespace: tc.request.PackageRepoRef.Context.Namespace, + Name: tc.request.PackageRepoRef.Identifier, + } +- var actualRepo sourcev1beta2.HelmRepository ++ var actualRepo sourcev1.HelmRepository + if tc.expectedErrorCode == 0 { + if err = ctrlClient.Get(ctx, nsname, &actualRepo); err != nil { + t.Fatal(err) +@@ -2414,7 +2414,7 @@ func TestGetOciAvailablePackageSummariesWithoutPagination(t *testing.T) { + t.Run(tc.name, func(t *testing.T) { + initOciFakeClientBuilder(t, *tc.seedData) + +- repos := []sourcev1beta2.HelmRepository{} ++ repos := []sourcev1.HelmRepository{} + + for _, rs := range tc.repos { + repo, err := newOciRepo(rs.repoName, rs.repoNamespace, rs.repoUrl) +@@ -2451,8 +2451,8 @@ func TestGetOciAvailablePackageSummariesWithoutPagination(t *testing.T) { + } + } + +-func newRepo(name string, namespace string, spec *sourcev1beta2.HelmRepositorySpec, status *sourcev1beta2.HelmRepositoryStatus) sourcev1beta2.HelmRepository { +- helmRepository := sourcev1beta2.HelmRepository{ ++func newRepo(name string, namespace string, spec *sourcev1.HelmRepositorySpec, status *sourcev1.HelmRepositoryStatus) sourcev1.HelmRepository { ++ 
helmRepository := sourcev1.HelmRepository{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Generation: 1, +@@ -2489,7 +2489,7 @@ func newRepo(name string, namespace string, spec *sourcev1beta2.HelmRepositorySp + + // these functions should affect only unit test, not production code + // does a series of mock.ExpectGet(...) +-func (s *Server) redisMockExpectGetFromRepoCache(mock redismock.ClientMock, filterOptions *corev1.FilterOptions, repos ...sourcev1beta2.HelmRepository) error { ++func (s *Server) redisMockExpectGetFromRepoCache(mock redismock.ClientMock, filterOptions *corev1.FilterOptions, repos ...sourcev1.HelmRepository) error { + mapVals := make(map[string][]byte) + ociRepoKeys := sets.Set[string]{} + for _, r := range repos { +@@ -2532,7 +2532,7 @@ func (s *Server) redisMockExpectGetFromRepoCache(mock redismock.ClientMock, filt + return nil + } + +-func (s *Server) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1beta2.HelmRepository, oldValue []byte) (key string, bytes []byte, err error) { ++func (s *Server) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1.HelmRepository, oldValue []byte) (key string, bytes []byte, err error) { + bg := &clientgetter.FixedClusterClientProvider{ClientsFunc: func(ctx context.Context) (*clientgetter.ClientGetter, error) { + return s.clientGetter.GetClients(http.Header{}, s.kubeappsCluster) + }} +@@ -2540,7 +2540,7 @@ func (s *Server) redisMockSetValueForRepo(mock redismock.ClientMock, repo source + return sinkNoCache.redisMockSetValueForRepo(mock, repo, oldValue) + } + +-func (sink *repoEventSink) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1beta2.HelmRepository, oldValue []byte) (key string, newValue []byte, err error) { ++func (sink *repoEventSink) redisMockSetValueForRepo(mock redismock.ClientMock, repo sourcev1.HelmRepository, oldValue []byte) (key string, newValue []byte, err error) { + if key, newValue, err = sink.redisKeyValueForRepo(repo); err != nil { + if 
oldValue == nil { + mock.ExpectGet(key).RedisNil() +@@ -2565,7 +2565,7 @@ func redisMockSetValueForRepo(mock redismock.ClientMock, key string, newValue, o + mock.ExpectInfo("memory").SetVal("used_memory_rss_human:NA\r\nmaxmemory_human:NA") + } + +-func (s *Server) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) (key string, byteArray []byte, err error) { ++func (s *Server) redisKeyValueForRepo(r sourcev1.HelmRepository) (key string, byteArray []byte, err error) { + cg := &clientgetter.FixedClusterClientProvider{ClientsFunc: func(ctx context.Context) (*clientgetter.ClientGetter, error) { + return s.clientGetter.GetClients(http.Header{}, s.kubeappsCluster) + }} +@@ -2573,7 +2573,7 @@ func (s *Server) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) (key strin + return sinkNoChartCache.redisKeyValueForRepo(r) + } + +-func (sink *repoEventSink) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) (key string, byteArray []byte, err error) { ++func (sink *repoEventSink) redisKeyValueForRepo(r sourcev1.HelmRepository) (key string, byteArray []byte, err error) { + if key, err = redisKeyForRepo(r); err != nil { + return key, nil, err + } else { +@@ -2591,7 +2591,7 @@ func (sink *repoEventSink) redisKeyValueForRepo(r sourcev1beta2.HelmRepository) + } + } + +-func redisKeyForRepo(r sourcev1beta2.HelmRepository) (string, error) { ++func redisKeyForRepo(r sourcev1.HelmRepository) (string, error) { + // redis convention on key format + // https://redis.io/topics/data-types-intro + // Try to stick with a schema. For instance "object-type:id" is a good idea, as in "user:1000". 
+@@ -2612,7 +2612,7 @@ func redisKeyForRepoNamespacedName(name types.NamespacedName) (string, error) { + return fmt.Sprintf("%s:%s:%s", fluxHelmRepositories, name.Namespace, name.Name), nil + } + +-func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replaceUrls map[string]string, secretRef string) (*httptest.Server, *sourcev1beta2.HelmRepository, error) { ++func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replaceUrls map[string]string, secretRef string) (*httptest.Server, *sourcev1.HelmRepository, error) { + indexYAMLBytes, err := os.ReadFile(repoIndex) + if err != nil { + return nil, nil, err +@@ -2631,7 +2631,7 @@ func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replace + fmt.Fprintln(w, string(indexYAMLBytes)) + })) + +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: "https://example.repo.com/charts", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + } +@@ -2644,7 +2644,7 @@ func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replace + revision := "651f952130ea96823711d08345b85e82be011dc6" + sz := int64(31989) + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Artifact: &sourcev1.Artifact{ + Path: fmt.Sprintf("helmrepository/%s/%s/index-%s.yaml", repoNamespace, repoName, revision), + Digest: revision, +@@ -2669,16 +2669,16 @@ func newHttpRepoAndServeIndex(repoIndex, repoName, repoNamespace string, replace + return ts, &repo, nil + } + +-func newOciRepo(repoName, repoNamespace, repoUrl string) (*sourcev1beta2.HelmRepository, error) { ++func newOciRepo(repoName, repoNamespace, repoUrl string) (*sourcev1.HelmRepository, error) { + timeout := metav1.Duration{Duration: 60 * time.Second} +- repoSpec := &sourcev1beta2.HelmRepositorySpec{ ++ repoSpec := &sourcev1.HelmRepositorySpec{ + URL: repoUrl, + Interval: metav1.Duration{Duration: 1 * time.Minute}, + Timeout: 
&timeout, + Type: "oci", + } + +- repoStatus := &sourcev1beta2.HelmRepositoryStatus{ ++ repoStatus := &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go +index 53fac6474..ef3d506b3 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server.go +@@ -13,8 +13,8 @@ import ( + + "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/plugins/pkg/helm" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + authorizationv1 "k8s.io/api/authorization/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +@@ -89,11 +89,11 @@ func NewServer(configGetter core.KubernetesConfigGetter, kubeappsCluster string, + + // register the GitOps Toolkit schema definitions + scheme := runtime.NewScheme() +- err = sourcev1beta2.AddToScheme(scheme) ++ err = sourcev1.AddToScheme(scheme) + if err != nil { + log.Fatalf("%s", err) + } +- err = helmv2beta2.AddToScheme(scheme) ++ err = helmv2.AddToScheme(scheme) + if err != nil { + log.Fatalf("%s", err) + } +@@ -112,11 +112,11 @@ func NewServer(configGetter core.KubernetesConfigGetter, kubeappsCluster string, + OnGetFunc: s.onGetRepo, + OnDeleteFunc: s.onDeleteRepo, + OnResyncFunc: s.onResync, +- NewObjFunc: func() ctrlclient.Object { return &sourcev1beta2.HelmRepository{} }, +- NewListFunc: func() ctrlclient.ObjectList { return &sourcev1beta2.HelmRepositoryList{} }, ++ NewObjFunc: func() ctrlclient.Object { return &sourcev1.HelmRepository{} }, ++ NewListFunc: func() ctrlclient.ObjectList { return &sourcev1.HelmRepositoryList{} }, + ListItemsFunc: func(ol 
ctrlclient.ObjectList) []ctrlclient.Object { +- if hl, ok := ol.(*sourcev1beta2.HelmRepositoryList); !ok { +- log.Errorf("Expected: *sourcev1beta2.HelmRepositoryList, got: %T", ol) ++ if hl, ok := ol.(*sourcev1.HelmRepositoryList); !ok { ++ log.Errorf("Expected: *sourcev1.HelmRepositoryList, got: %T", ol) + return nil + } else { + ret := make([]ctrlclient.Object, len(hl.Items)) +@@ -619,7 +619,7 @@ func (s *Server) GetPackageRepositoryPermissions(ctx context.Context, request *c + } + + resource := schema.GroupResource{ +- Group: sourcev1beta2.GroupVersion.Group, ++ Group: sourcev1.GroupVersion.Group, + Resource: fluxHelmRepositories, + } + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go +index abed61c06..14278399e 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/server_test.go +@@ -13,9 +13,9 @@ import ( + "time" + + "github.com/bufbuild/connect-go" +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" + fluxmeta "github.com/fluxcd/pkg/apis/meta" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/go-redis/redis/v8" + "github.com/go-redis/redismock/v8" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" +@@ -46,13 +46,13 @@ import ( + func TestGetAvailablePackagesStatus(t *testing.T) { + testCases := []struct { + name string +- repo sourcev1beta2.HelmRepository ++ repo sourcev1.HelmRepository + statusCode codes.Code + }{ + { + name: "returns without error if response status does not contain conditions", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, 
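Review bot: Registering only `sourcev1.AddToScheme(scheme)` and returning `&sourcev1.HelmRepository{}` / `&sourcev1.HelmRepositoryList{}` from `NewObjFunc` / `NewListFunc` makes the repository cache watch depend on the target cluster serving `HelmRepository` at `source.toolkit.fluxcd.io/v1`; the go.mod bump to `source-controller/api v1.3.0` in the same patch suggests which Flux release that corresponds to, but a cluster whose source-controller still serves only `v1beta2` would fail at list/watch time rather than at compile time. Nothing in the hunk verifies the served API version, and the adjacent `log.Fatalf` calls cover scheme-registration errors only, so the failure mode would presumably be a repeatedly erroring informer with no clear pointer to the Flux version mismatch. Consider a startup discovery check that the `v1` version of `fluxHelmRepositories` is served, failing fast with the minimum Flux version in the message, or at least a comment on `NewServer` such as `// Requires a Flux install whose source-controller serves HelmRepository v1 (source-controller/api >= v1.3.0).` The enclosing `NewServer` function starts and ends outside this hunk.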
+@@ -62,21 +62,21 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + { + name: "returns without error if response status does not contain conditions (2)", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{}), ++ &sourcev1.HelmRepositoryStatus{}), + statusCode: codes.OK, + }, + { + name: "returns without error if response does not contain ready repos", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -91,7 +91,7 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + name: "returns without error if repo object does not contain namespace", + repo: newRepo("test", "", + nil, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -106,7 +106,7 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + name: "returns without error if repo object contains default spec", + repo: newRepo("test", "default", + nil, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -120,8 +120,8 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + { + name: "returns without error if repo object does not contain spec url", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{}, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositorySpec{}, ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -135,11 +135,11 @@ func 
TestGetAvailablePackagesStatus(t *testing.T) { + { + name: "returns without error if repo object does not contain status url", + repo: newRepo("test", "default", +- &sourcev1beta2.HelmRepositorySpec{ ++ &sourcev1.HelmRepositorySpec{ + URL: "http://example.com", + Interval: metav1.Duration{Duration: 1 * time.Minute}, + }, +- &sourcev1beta2.HelmRepositoryStatus{ ++ &sourcev1.HelmRepositoryStatus{ + Conditions: []metav1.Condition{ + { + Type: fluxmeta.ReadyCondition, +@@ -154,7 +154,7 @@ func TestGetAvailablePackagesStatus(t *testing.T) { + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { +- s, mock, err := newSimpleServerWithRepos(t, []sourcev1beta2.HelmRepository{tc.repo}) ++ s, mock, err := newSimpleServerWithRepos(t, []sourcev1.HelmRepository{tc.repo}) + if err != nil { + t.Fatalf("error instantiating the server: %v", err) + } +@@ -204,11 +204,11 @@ type testSpecChartWithUrl struct { + numRetries int + } + +-func newSimpleServerWithRepos(t *testing.T, repos []sourcev1beta2.HelmRepository) (*Server, redismock.ClientMock, error) { ++func newSimpleServerWithRepos(t *testing.T, repos []sourcev1.HelmRepository) (*Server, redismock.ClientMock, error) { + return newServerWithRepos(t, repos, nil, nil) + } + +-func newServerWithRepos(t *testing.T, repos []sourcev1beta2.HelmRepository, charts []testSpecChartWithUrl, secrets []runtime.Object) (*Server, redismock.ClientMock, error) { ++func newServerWithRepos(t *testing.T, repos []sourcev1.HelmRepository, charts []testSpecChartWithUrl, secrets []runtime.Object) (*Server, redismock.ClientMock, error) { + typedClient := typfake.NewSimpleClientset(secrets...) 
+ + // ref https://stackoverflow.com/questions/68794562/kubernetes-fake-client-doesnt-handle-generatename-in-objectmeta/68794563#68794563 +@@ -243,7 +243,7 @@ func newServerWithRepos(t *testing.T, repos []sourcev1beta2.HelmRepository, char + return newServer(t, clientGetter, nil, repos, charts) + } + +-func newServerWithChartsAndReleases(t *testing.T, actionConfig *action.Configuration, charts []sourcev1beta2.HelmChart, releases []helmv2beta2.HelmRelease) (*Server, redismock.ClientMock, error) { ++func newServerWithChartsAndReleases(t *testing.T, actionConfig *action.Configuration, charts []sourcev1.HelmChart, releases []helmv2.HelmRelease) (*Server, redismock.ClientMock, error) { + typedClient := typfake.NewSimpleClientset() + // Creating an authorized clientGetter + typedClient.PrependReactor("create", "selfsubjectaccessreviews", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) { +@@ -316,7 +316,7 @@ func newHelmActionConfig(t *testing.T, namespace string, rels []helmReleaseStub) + func newServer(t *testing.T, + clientGetter clientgetter.ClientProviderInterface, + actionConfig *action.Configuration, +- repos []sourcev1beta2.HelmRepository, ++ repos []sourcev1.HelmRepository, + charts []testSpecChartWithUrl) (*Server, redismock.ClientMock, error) { + + stopCh := make(chan struct{}) +@@ -360,11 +360,11 @@ func newServer(t *testing.T, + OnGetFunc: sink.onGetRepo, + OnDeleteFunc: sink.onDeleteRepo, + OnResyncFunc: sink.onResync, +- NewObjFunc: func() ctrlclient.Object { return &sourcev1beta2.HelmRepository{} }, +- NewListFunc: func() ctrlclient.ObjectList { return &sourcev1beta2.HelmRepositoryList{} }, ++ NewObjFunc: func() ctrlclient.Object { return &sourcev1.HelmRepository{} }, ++ NewListFunc: func() ctrlclient.ObjectList { return &sourcev1.HelmRepositoryList{} }, + ListItemsFunc: func(ol ctrlclient.ObjectList) []ctrlclient.Object { +- if hl, ok := ol.(*sourcev1beta2.HelmRepositoryList); !ok { +- t.Fatalf("Expected: 
*sourcev1beta2.HelmRepositoryList, got: %T", ol) ++ if hl, ok := ol.(*sourcev1.HelmRepositoryList); !ok { ++ t.Fatalf("Expected: *sourcev1.HelmRepositoryList, got: %T", ol) + return nil + } else { + ret := make([]ctrlclient.Object, len(hl.Items)) +@@ -410,8 +410,8 @@ func newServer(t *testing.T, + func seedRepoCacheWithRepos(t *testing.T, + mock redismock.ClientMock, + sink repoEventSink, +- repos []sourcev1beta2.HelmRepository) map[string]sourcev1beta2.HelmRepository { +- okRepos := make(map[string]sourcev1beta2.HelmRepository) ++ repos []sourcev1.HelmRepository) map[string]sourcev1.HelmRepository { ++ okRepos := make(map[string]sourcev1.HelmRepository) + for _, r := range repos { + key, err := redisKeyForRepo(r) + if err != nil { +@@ -441,7 +441,7 @@ func seedChartCacheWithCharts(t *testing.T, + mock redismock.ClientMock, + sink repoEventSink, + stopCh <-chan struct{}, +- repos map[string]sourcev1beta2.HelmRepository, ++ repos map[string]sourcev1.HelmRepository, + charts []testSpecChartWithUrl) (*cache.ChartCache, func(), error) { + t.Logf("+seedChartCacheWithCharts(%v)", charts) + +diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go +index dfbcb10c8..8109f3f2f 100644 +--- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go ++++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/test_util_test.go +@@ -19,8 +19,8 @@ import ( + + k8stesting "k8s.io/client-go/testing" + +- helmv2beta2 "github.com/fluxcd/helm-controller/api/v2beta2" +- sourcev1beta2 "github.com/fluxcd/source-controller/api/v1beta2" ++ helmv2 "github.com/fluxcd/helm-controller/api/v2" ++ sourcev1 "github.com/fluxcd/source-controller/api/v1" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + corev1 "github.com/vmware-tanzu/kubeapps/cmd/kubeapps-apis/gen/core/packages/v1alpha1" +@@ -305,8 +305,8 @@ func setSecretOwnerRef(repoName string, secret *apiv1.Secret) 
*apiv1.Secret { + tRue := true + secret.OwnerReferences = []metav1.OwnerReference{ + { +- APIVersion: sourcev1beta2.GroupVersion.String(), +- Kind: sourcev1beta2.HelmRepositoryKind, ++ APIVersion: sourcev1.GroupVersion.String(), ++ Kind: sourcev1.HelmRepositoryKind, + Name: repoName, + Controller: &tRue, + BlockOwnerDeletion: &tRue, +@@ -353,45 +353,45 @@ func repoRef(id, namespace string) *corev1.PackageRepositoryReference { + } + } + +-func newCtrlClient(repos []sourcev1beta2.HelmRepository, charts []sourcev1beta2.HelmChart, releases []helmv2beta2.HelmRelease) withWatchWrapper { ++func newCtrlClient(repos []sourcev1.HelmRepository, charts []sourcev1.HelmChart, releases []helmv2.HelmRelease) withWatchWrapper { + // register the flux GitOps Toolkit schema definitions + scheme := runtime.NewScheme() +- err := sourcev1beta2.AddToScheme(scheme) ++ err := sourcev1.AddToScheme(scheme) + if err != nil { + log.Fatal(err) + } +- err = helmv2beta2.AddToScheme(scheme) ++ err = helmv2.AddToScheme(scheme) + if err != nil { + log.Fatal(err) + } + +- rm := apimeta.NewDefaultRESTMapper([]schema.GroupVersion{sourcev1beta2.GroupVersion, helmv2beta2.GroupVersion}) ++ rm := apimeta.NewDefaultRESTMapper([]schema.GroupVersion{sourcev1.GroupVersion, helmv2.GroupVersion}) + rm.Add(schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmRepositoryKind}, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmRepositoryKind}, + apimeta.RESTScopeNamespace) + rm.Add(schema.GroupVersionKind{ +- Group: sourcev1beta2.GroupVersion.Group, +- Version: sourcev1beta2.GroupVersion.Version, +- Kind: sourcev1beta2.HelmChartKind}, ++ Group: sourcev1.GroupVersion.Group, ++ Version: sourcev1.GroupVersion.Version, ++ Kind: sourcev1.HelmChartKind}, + apimeta.RESTScopeNamespace) + rm.Add(schema.GroupVersionKind{ +- Group: helmv2beta2.GroupVersion.Group, +- Version: 
helmv2beta2.GroupVersion.Version, +- Kind: helmv2beta2.HelmReleaseKind}, ++ Group: helmv2.GroupVersion.Group, ++ Version: helmv2.GroupVersion.Version, ++ Kind: helmv2.HelmReleaseKind}, + apimeta.RESTScopeNamespace) + + ctrlClientBuilder := ctrlfake.NewClientBuilder().WithScheme(scheme).WithRESTMapper(rm) + initLists := []client.ObjectList{} + if len(repos) > 0 { +- initLists = append(initLists, &sourcev1beta2.HelmRepositoryList{Items: repos}) ++ initLists = append(initLists, &sourcev1.HelmRepositoryList{Items: repos}) + } + if len(charts) > 0 { +- initLists = append(initLists, &sourcev1beta2.HelmChartList{Items: charts}) ++ initLists = append(initLists, &sourcev1.HelmChartList{Items: charts}) + } + if len(releases) > 0 { +- initLists = append(initLists, &helmv2beta2.HelmReleaseList{Items: releases}) ++ initLists = append(initLists, &helmv2.HelmReleaseList{Items: releases}) + } + if len(initLists) > 0 { + ctrlClientBuilder = ctrlClientBuilder.WithLists(initLists...) +diff --git a/go.mod b/go.mod +index fe893591e..6d380a0cf 100644 +--- a/go.mod ++++ b/go.mod +@@ -3,7 +3,9 @@ + + module github.com/vmware-tanzu/kubeapps + +-go 1.22 ++go 1.22.0 ++ ++toolchain go1.22.2 + + require ( + carvel.dev/vendir v0.40.0 +@@ -18,11 +20,11 @@ require ( + github.com/disintegration/imaging v1.6.2 + github.com/distribution/reference v0.6.0 + github.com/docker/cli v26.0.0+incompatible +- github.com/fluxcd/helm-controller/api v0.37.4 +- github.com/fluxcd/pkg/apis/meta v1.4.0 +- github.com/fluxcd/pkg/oci v0.36.0 +- github.com/fluxcd/pkg/version v0.3.0 +- github.com/fluxcd/source-controller/api v1.2.5 ++ github.com/fluxcd/helm-controller/api v1.0.1 ++ github.com/fluxcd/pkg/apis/meta v1.5.0 ++ github.com/fluxcd/pkg/oci v0.37.1 ++ github.com/fluxcd/pkg/version v0.4.0 ++ github.com/fluxcd/source-controller/api v1.3.0 + github.com/go-redis/redis/v8 v8.11.5 + github.com/go-redis/redismock/v8 v8.11.5 + github.com/google/go-cmp v0.6.0 +@@ -52,28 +54,28 @@ require ( + google.golang.org/protobuf 
v1.33.0 + gopkg.in/yaml.v3 v3.0.1 + helm.sh/helm/v3 v3.14.3 +- k8s.io/api v0.29.3 +- k8s.io/apiextensions-apiserver v0.29.3 +- k8s.io/apimachinery v0.29.3 +- k8s.io/apiserver v0.29.3 ++ k8s.io/api v0.30.0 ++ k8s.io/apiextensions-apiserver v0.30.0 ++ k8s.io/apimachinery v0.30.0 ++ k8s.io/apiserver v0.30.0 + k8s.io/cli-runtime v0.29.3 +- k8s.io/client-go v0.29.3 ++ k8s.io/client-go v0.30.0 + k8s.io/klog/v2 v2.120.1 + k8s.io/kubectl v0.29.3 + k8s.io/utils v0.0.0-20240310230437-4693a0247e57 + oras.land/oras-go v1.2.5 + oras.land/oras-go/v2 v2.5.0 +- sigs.k8s.io/controller-runtime v0.17.2 ++ sigs.k8s.io/controller-runtime v0.18.1 + sigs.k8s.io/yaml v1.4.0 + ) + + require ( + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect +- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0 // indirect +- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect ++ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect ++ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect +- github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect ++ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect + github.com/BurntSushi/toml v1.3.2 // indirect + github.com/MakeNowJust/heredoc v1.0.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect +@@ -82,8 +84,8 @@ require ( + github.com/Microsoft/hcsshim v0.11.4 // indirect + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect +- github.com/aws/aws-sdk-go-v2/config v1.27.10 // indirect +- github.com/aws/aws-sdk-go-v2/credentials v1.17.10 // indirect ++ github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect ++ github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect + 
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect +@@ -91,7 +93,7 @@ require ( + github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect +- github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 // indirect ++ github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect + github.com/aws/smithy-go v1.20.2 // indirect +@@ -113,13 +115,13 @@ require ( + github.com/docker/go-metrics v0.0.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/evanphx/json-patch v5.7.0+incompatible // indirect +- github.com/evanphx/json-patch/v5 v5.8.0 // indirect ++ github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect + github.com/fatih/camelcase v1.0.0 // indirect + github.com/fatih/color v1.15.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect +- github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect +- github.com/fluxcd/pkg/apis/kustomize v1.3.0 // indirect ++ github.com/fluxcd/pkg/apis/acl v0.3.0 // indirect ++ github.com/fluxcd/pkg/apis/kustomize v1.5.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fvbommel/sortorder v1.1.0 // indirect + github.com/go-errors/errors v1.4.2 // indirect +@@ -131,7 +133,7 @@ require ( + github.com/go-openapi/swag v0.22.4 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/gogo/protobuf v1.3.2 // indirect +- github.com/golang-jwt/jwt/v5 v5.2.0 // indirect ++ github.com/golang-jwt/jwt/v5 v5.2.1 // indirect + github.com/golang/groupcache 
v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/btree v1.1.2 // indirect +@@ -217,19 +219,18 @@ require ( + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect + golang.org/x/image v0.10.0 // indirect +- golang.org/x/oauth2 v0.17.0 // indirect ++ golang.org/x/oauth2 v0.19.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/term v0.19.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.5.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect +- google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.67.0 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect +- k8s.io/component-base v0.29.3 // indirect +- k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e // indirect ++ k8s.io/component-base v0.30.0 // indirect ++ k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect + sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect +diff --git a/go.sum b/go.sum +index 4e1af959d..0d7a395a6 100644 +--- a/go.sum ++++ b/go.sum +@@ -50,16 +50,16 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 + dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= + github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= +-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0 h1:U/kwEXj0Y+1REAkV4kV8VO1CsEp8tSaQDG/7qC5XuqQ= 
+-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.0/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= +-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= ++github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= ++github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= ++github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2 h1:FDif4R1+UUR+00q6wquyX90K7A8dN+R5E8GEadoP7sU= ++github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.2/go.mod h1:aiYBYui4BJ/BJCAIKs92XiPyQfTaBWqvHujDwKb6CBU= + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= + github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +-github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaCgOUdVHxE8QB52S6NiVdDQvGlny1qvPqA= +-github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= ++github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= ++github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= + github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= + github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= + github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +@@ -103,10 +103,10 @@ 
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d + github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= + github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= + github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +-github.com/aws/aws-sdk-go-v2/config v1.27.10 h1:PS+65jThT0T/snC5WjyfHHyUgG+eBoupSDV+f838cro= +-github.com/aws/aws-sdk-go-v2/config v1.27.10/go.mod h1:BePM7Vo4OBpHreKRUMuDXX+/+JWP38FLkzl5m27/Jjs= +-github.com/aws/aws-sdk-go-v2/credentials v1.17.10 h1:qDZ3EA2lv1KangvQB6y258OssCHD0xvaGiEDkG4X/10= +-github.com/aws/aws-sdk-go-v2/credentials v1.17.10/go.mod h1:6t3sucOaYDwDssHQa0ojH1RpmVmF5/jArkye1b2FKMI= ++github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA= ++github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE= ++github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs= ++github.com/aws/aws-sdk-go-v2/credentials v1.17.11/go.mod h1:AQtFPsDH9bI2O+71anW6EKL+NcD7LG3dpKGMV4SShgo= + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4= + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= +@@ -121,8 +121,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1x + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= 
+-github.com/aws/aws-sdk-go-v2/service/sso v1.20.4 h1:WzFol5Cd+yDxPAdnzTA5LmpHYSWinhmSj4rQChV0ee8= +-github.com/aws/aws-sdk-go-v2/service/sso v1.20.4/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= ++github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w= ++github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE= + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak= + github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 h1:cwIxeBttqPN3qkaAjcEcsh8NYr8n2HZPkcKgPAi1phU= +@@ -243,8 +243,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 + github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= + github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= + github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +-github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= +-github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= ++github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= ++github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= + github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= +@@ -256,20 +256,20 @@ github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= + github.com/fatih/color v1.15.0/go.mod 
h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= + github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= + github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +-github.com/fluxcd/helm-controller/api v0.37.4 h1:rkBMqYXexyf1s5BS8QpxGi691DsCi+yugIFCM5fNKLU= +-github.com/fluxcd/helm-controller/api v0.37.4/go.mod h1:KFdP5Lbrc4Vv+Jt4xRj6UUo3qiwdBqBPl1xiiAnBe9c= +-github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q= +-github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8= +-github.com/fluxcd/pkg/apis/kustomize v1.3.0 h1:qvB46CfaOWcL1SyR2RiVWN/j7/035D0OtB1ltLN7rgI= +-github.com/fluxcd/pkg/apis/kustomize v1.3.0/go.mod h1:PCXf5kktTzNav0aH2Ns3jsowqwmA9xTcsrEOoPzx/K8= +-github.com/fluxcd/pkg/apis/meta v1.4.0 h1:nNdgB6FFHP3cubxZCViaCFDUVlAbpq9+hvKEIveOGMg= +-github.com/fluxcd/pkg/apis/meta v1.4.0/go.mod h1:81sZ01ShTuLc1C3M1dFJNkINareBysvmrO1b8zJFFKs= +-github.com/fluxcd/pkg/oci v0.36.0 h1:bC+Qkm6p8rN72McArNwYFjI9bt7M2vn6mnt7i/vOWv0= +-github.com/fluxcd/pkg/oci v0.36.0/go.mod h1:ocWsg1tjhjlIpdpdw0xZz7q9YQH8YzcrN1wi+Az0t7E= +-github.com/fluxcd/pkg/version v0.3.0 h1:+GSU3QKQK66Y09+cQMAEoyh7j4S0ZimXF6MyGgJwZB4= +-github.com/fluxcd/pkg/version v0.3.0/go.mod h1:NO3/EuKNn9g6aw9NN85Hdrz+5CVx90KZC6rPsOmgvVI= +-github.com/fluxcd/source-controller/api v1.2.5 h1:MgGrOfPh7Grhl40GUM9lEs+lmgTx3hLAwI0MVqaJkQ8= +-github.com/fluxcd/source-controller/api v1.2.5/go.mod h1:j3QSHpIPBP5sjaGIkVtsgWCx8JcOmcsutRmdJmRMOZg= ++github.com/fluxcd/helm-controller/api v1.0.1 h1:Gn9qEVuif6D5+gHmVwTEZkR4+nmLOcOhKx4Sw2gL2EA= ++github.com/fluxcd/helm-controller/api v1.0.1/go.mod h1:/6AD5a2qjo/ttxVM8GR33syLZwqigta60DCLdy8GrME= ++github.com/fluxcd/pkg/apis/acl v0.3.0 h1:UOrKkBTOJK+OlZX7n8rWt2rdBmDCoTK+f5TY2LcZi8A= ++github.com/fluxcd/pkg/apis/acl v0.3.0/go.mod h1:WVF9XjSMVBZuU+HTTiSebGAWMgM7IYexFLyVWbK9bNY= ++github.com/fluxcd/pkg/apis/kustomize v1.5.0 
h1:ah4sfqccnio+/5Edz/tVz6LetFhiBoDzXAElj6fFCzU= ++github.com/fluxcd/pkg/apis/kustomize v1.5.0/go.mod h1:nEzhnhHafhWOUUV8VMFLojUOH+HHDEsL75y54mt/c30= ++github.com/fluxcd/pkg/apis/meta v1.5.0 h1:/G82d2Az5D9op3F+wJUpD8jw/eTV0suM6P7+cSURoUM= ++github.com/fluxcd/pkg/apis/meta v1.5.0/go.mod h1:Y3u7JomuuKtr5fvP1Iji2/50FdRe5GcBug2jawNVkdM= ++github.com/fluxcd/pkg/oci v0.37.1 h1:p4rfCHZlBWL+Q5Xey51iiBRmoje0IevCBT0/r8iae3M= ++github.com/fluxcd/pkg/oci v0.37.1/go.mod h1:LrVuX6VACenJ5ycQJxec+I7YJegCsE4nzRUV+6RuxcY= ++github.com/fluxcd/pkg/version v0.4.0 h1:3F6oeIZ+ug/f7pALIBhcUhfURel37EPPOn7nsGfsnOg= ++github.com/fluxcd/pkg/version v0.4.0/go.mod h1:izVsSDxac81qWRmpOL9qcxZYx+zAN1ajoP5SidGP6PA= ++github.com/fluxcd/source-controller/api v1.3.0 h1:Z5Lq0aJY87yg0cQDEuwGLKS60GhdErCHtsi546HUt10= ++github.com/fluxcd/source-controller/api v1.3.0/go.mod h1:+tfd0vltjcVs/bbnq9AlYR9AAHSVfM/Z4v4TpQmdJf4= + github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= + github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= + github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +@@ -332,8 +332,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x + github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= + github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= + github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +-github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +-github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= ++github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= ++github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= + github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= + 
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= + github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +@@ -650,14 +650,14 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv + github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= + github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= + github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +-github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= +-github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= ++github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= ++github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= + github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= + github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= + github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= + github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= +-github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk= +-github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg= ++github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= ++github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= + github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= + github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= + github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +@@ -931,8 +931,8 @@ golang.org/x/mod v0.4.2/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= + golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= + golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= + golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= ++golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8= ++golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= + golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= + golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= + golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +@@ -999,8 +999,8 @@ golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ + golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= + golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= + golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +-golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= +-golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= ++golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg= ++golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8= + golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync 
v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +@@ -1119,7 +1119,6 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= + golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= + golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +@@ -1188,8 +1187,8 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= + golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= + golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= + golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= ++golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ= ++golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg= + golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= + golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= + golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +@@ -1236,8 +1235,6 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww + google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= + 
google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= + google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= + google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= + google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= + google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +@@ -1393,24 +1390,24 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh + honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= + honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= + honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +-k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw= +-k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80= +-k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI= +-k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc= +-k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU= +-k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU= +-k8s.io/apiserver v0.29.3 h1:xR7ELlJ/BZSr2n4CnD3lfA4gzFivh0wwfNfz9L0WZcE= +-k8s.io/apiserver v0.29.3/go.mod h1:hrvXlwfRulbMbBgmWRQlFru2b/JySDpmzvQwwk4GUOs= ++k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= ++k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= ++k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs= 
++k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y= ++k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= ++k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= ++k8s.io/apiserver v0.30.0 h1:QCec+U72tMQ+9tR6A0sMBB5Vh6ImCEkoKkTDRABWq6M= ++k8s.io/apiserver v0.30.0/go.mod h1:smOIBq8t0MbKZi7O7SyIpjPsiKJ8qa+llcFCluKyqiY= + k8s.io/cli-runtime v0.29.3 h1:r68rephmmytoywkw2MyJ+CxjpasJDQY7AGc3XY2iv1k= + k8s.io/cli-runtime v0.29.3/go.mod h1:aqVUsk86/RhaGJwDhHXH0jcdqBrgdF3bZWk4Z9D4mkM= +-k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg= +-k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0= +-k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo= +-k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio= ++k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= ++k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= ++k8s.io/component-base v0.30.0 h1:cj6bp38g0ainlfYtaOQuRELh5KSYjhKxM+io7AUIk4o= ++k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ= + k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= + k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +-k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e h1:snPmy96t93RredGRjKfMFt+gvxuVAncqSAyBveJtr4Q= +-k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= ++k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= ++k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= + k8s.io/kubectl v0.29.3 h1:RuwyyIU42MAISRIePaa8Q7A3U74Q9P4MoJbDFz9o3us= + k8s.io/kubectl v0.29.3/go.mod h1:yCxfY1dbwgVdEt2zkJ6d5NNLOhhWgTyrqACIoFhpdd4= + k8s.io/utils 
v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= +@@ -1422,8 +1419,8 @@ oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZH + rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= + rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= + rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +-sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= +-sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= ++sigs.k8s.io/controller-runtime v0.18.1 h1:RpWbigmuiylbxOCLy0tGnq1cU1qWPwNIQzoJk+QeJx4= ++sigs.k8s.io/controller-runtime v0.18.1/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= + sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= diff --git a/packages/system/dashboard/images/kubeapps-apis/labels.diff b/packages/system/dashboard/images/kubeapps-apis/labels.diff index 23bcdc93..e3b1823f 100644 --- a/packages/system/dashboard/images/kubeapps-apis/labels.diff +++ b/packages/system/dashboard/images/kubeapps-apis/labels.diff @@ -16,7 +16,7 @@ index c489cb6ca..8884a6484 100644 @@ -54,7 +56,10 @@ func (s *Server) listReleasesInCluster(ctx context.Context, headers http.Header, // see any results created/updated/deleted after the first request is issued // To fix this, we must make use of resourceVersion := relList.GetResourceVersion() - var relList helmv2beta2.HelmReleaseList + var relList helmv2.HelmReleaseList - if err = client.List(ctx, &relList); err != nil { + listOptions := ctrlclient.ListOptions{ + LabelSelector: labels.SelectorFromSet(labels.Set{"cozystack.io/ui": "true"}), 
@@ -33,8 +33,8 @@ index c489cb6ca..8884a6484 100644 + "cozystack.io/ui": "true", + }, }, - Spec: helmv2beta2.HelmReleaseSpec{ - Chart: helmv2beta2.HelmChartTemplate{ + Spec: helmv2.HelmReleaseSpec{ + Chart: helmv2.HelmChartTemplate{ diff --git a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go index 790b21514..539276a17 100644 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/repo.go @@ -49,7 +49,7 @@ index 790b21514..539276a17 100644 log "k8s.io/klog/v2" @@ -64,7 +65,8 @@ func (s *Server) listReposInNamespace(ctx context.Context, headers http.Header, - var repoList sourcev1beta2.HelmRepositoryList + var repoList sourcev1.HelmRepositoryList listOptions := ctrlclient.ListOptions{ - Namespace: ns, + Namespace: ns, @@ -65,5 +65,5 @@ index 790b21514..539276a17 100644 + "cozystack.io/ui": "true", + }, }, - Spec: sourcev1beta2.HelmRepositorySpec{ + Spec: sourcev1.HelmRepositorySpec{ URL: url, diff --git a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff index f4f9b20a..74e3e738 100644 --- a/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff +++ b/packages/system/dashboard/images/kubeapps-apis/reconcile-strategy.diff @@ -3,7 +3,7 @@ index 8884a6484..4bf77071c 100644 --- a/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go +++ b/cmd/kubeapps-apis/plugins/fluxv2/packages/v1alpha1/release.go @@ -530,6 +530,7 @@ func (s *Server) newFluxHelmRelease(chart *models.Chart, targetName types.Namesp - Kind: sourcev1beta2.HelmRepositoryKind, + Kind: sourcev1.HelmRepositoryKind, Namespace: chart.Repo.Namespace, }, + ReconcileStrategy: "Revision", diff --git a/packages/system/etcd-operator/Makefile b/packages/system/etcd-operator/Makefile index 0c82cdb9..5c0dee74 100644 --- a/packages/system/etcd-operator/Makefile +++ b/packages/system/etcd-operator/Makefile 
@@ -1,5 +1,5 @@
-NAME=etcd-operator
-NAMESPACE=cozy-${NAME}
+export NAME=etcd-operator
+export NAMESPACE=cozy-${NAME}
 include ../../../scripts/package-system.mk
diff --git a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
index 36ad3b42..ca799e82 100644
--- a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
+++ b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.2.0
+appVersion: v0.3.1
 name: etcd-operator
 type: application
-version: 0.2.0
+version: 0.3.1
diff --git a/packages/system/etcd-operator/charts/etcd-operator/README.md b/packages/system/etcd-operator/charts/etcd-operator/README.md
index 729dab25..33838106 100644
--- a/packages/system/etcd-operator/charts/etcd-operator/README.md
+++ b/packages/system/etcd-operator/charts/etcd-operator/README.md
@@ -1,63 +1,54 @@ # etcd-operator -![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | | +| affinity | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | | etcdOperator.args[0] | string | `"--health-probe-bind-address=:8081"` | | | etcdOperator.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` | | | etcdOperator.args[2] | string | `"--leader-elect"` | | -| etcdOperator.envVars | object | `{}` | | -| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | | -| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | | -| etcdOperator.image.tag | string | `""` | | -| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | | -| etcdOperator.livenessProbe.httpGet.port | int | `8081` | | -| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | | -| etcdOperator.livenessProbe.periodSeconds | int | `20` | | -| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | | -| etcdOperator.readinessProbe.httpGet.port | int | `8081` | | -| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | | -| etcdOperator.readinessProbe.periodSeconds | int | `10` | | -| etcdOperator.resources.limits.cpu | string | `"500m"` | | -| etcdOperator.resources.limits.memory | string | `"128Mi"` | | -| etcdOperator.resources.requests.cpu | string | `"100m"` | | -| etcdOperator.resources.requests.memory | string | `"64Mi"` | | -| etcdOperator.securityContext.allowPrivilegeEscalation | bool | `false` | | -| 
etcdOperator.securityContext.capabilities.drop[0] | string | `"ALL"` | | -| etcdOperator.service.port | int | `9443` | | -| etcdOperator.service.type | string | `"ClusterIP"` | | -| fullnameOverride | string | `""` | | +| etcdOperator.envVars | object | `{}` | Empty environment variables section | +| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | Image repository | +| etcdOperator.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | Healthcheck liveness probe path | +| etcdOperator.livenessProbe.httpGet.port | int | `8081` | Healthcheck port | +| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.livenessProbe.periodSeconds | int | `20` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | Healthcheck readiness probe path | +| etcdOperator.readinessProbe.httpGet.port | int | `8081` | Healthcheck port | +| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.readinessProbe.periodSeconds | int | `10` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes | +| etcdOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| etcdOperator.securityContext | object | 
`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| etcdOperator.service.port | int | `9443` | Service port | +| etcdOperator.service.type | string | `"ClusterIP"` | Service type | +| fullnameOverride | string | `""` | Override a full name of helm release | | imagePullSecrets | list | `[]` | | | kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` | | | kubeRbacProxy.args[1] | string | `"--upstream=http://127.0.0.1:8080/"` | | | kubeRbacProxy.args[2] | string | `"--logtostderr=true"` | | | kubeRbacProxy.args[3] | string | `"--v=0"` | | -| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | | -| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | | -| kubeRbacProxy.image.tag | string | `"v0.16.0"` | | -| kubeRbacProxy.livenessProbe | object | `{}` | | -| kubeRbacProxy.readinessProbe | object | `{}` | | -| kubeRbacProxy.resources.limits.cpu | string | `"500m"` | | -| kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | | -| kubeRbacProxy.resources.requests.cpu | string | `"100m"` | | -| kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | | -| kubeRbacProxy.securityContext.allowPrivilegeEscalation | bool | `false` | | -| kubeRbacProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | | -| kubeRbacProxy.service.port | int | `8443` | | -| kubeRbacProxy.service.type | string | `"ClusterIP"` | | -| kubernetesClusterDomain | string | `"cluster.local"` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podLabels | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| securityContext.runAsNonRoot | bool | `true` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| tolerations | list | `[]` | | +| kubeRbacProxy.image.pullPolicy | 
string | `"IfNotPresent"` | Image pull policy | +| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository | +| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image | +| kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ | +| kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | +| kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| kubeRbacProxy.service.port | int | `8443` | Service port | +| kubeRbacProxy.service.type | string | `"ClusterIP"` | Service type | +| kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain prefix | +| nameOverride | string | `""` | Override a name of helm release | +| nodeSelector | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | +| podAnnotations | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | +| podLabels | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | +| podSecurityContext | object | `{}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | +| replicaCount | int | `1` | Count of pod replicas | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| tolerations | list | `[]` | ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | diff --git a/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl b/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl new file mode 100644 index 00000000..e1c25058 --- /dev/null +++ b/packages/system/etcd-operator/charts/etcd-operator/README.md.gotmpl @@ -0,0 +1,19 @@ +{{ template "chart.header" . }} + +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.typeBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml b/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml index 3abbf976..279e4b63 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/crds/etcd-cluster.yaml @@ -3,7 +3,7 @@ kind: CustomResourceDefinition metadata: annotations: cert-manager.io/inject-ca-from: etcd-operator-system/etcd-operator-serving-cert - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.15.0 name: etcdclusters.etcd.aenix.io spec: conversion: 
@@ -202,25 +202,43 @@ spec: security: description: Security describes security settings of etcd (authentication, certificates, rbac) properties: + enableAuth: + description: Section to enable etcd auth + type: boolean tls: description: Section for user-managed tls certificates properties: clientSecret: - description: Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret. + description: |- + Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string clientTrustedCASecret: - description: Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret. + description: |- + Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string peerSecret: - description: Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret. + description: |- + Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string peerTrustedCASecret: - description: Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret. + description: |- + Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret. + This secret must be created in the namespace with etcdCluster CR. type: string serverSecret: description: |- Server certificate secret to secure client-server communication. 
Is provided to the client who connects to etcd by client port (2379 by default). It is expected to have tls.crt and tls.key fields in the secret. + This secret must be created in the namespace with etcdCluster CR. + type: string + serverTrustedCASecret: + description: |- + Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd. + It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used. + This secret must be created in the namespace with etcdCluster CR. type: string type: object type: object @@ -581,6 +599,7 @@ spec: not set, the implementation will apply its default routing strategy. If set to "PreferClose", implementations should prioritize endpoints that are topologically close (e.g., same zone). + This is an alpha field and requires enabling ServiceTrafficDistribution feature. type: string type: description: |- diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml index ccb982ac..6cc79370 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml +++ b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml @@ -17,6 +17,22 @@ rules: - patch - update - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - list + - get + - watch - apiGroups: - "" resources: diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml index ece5bae8..17848ada 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml 
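Review bot: The new `secrets` rule in clusterrole-manager-role.yml grants `get`/`list`/`watch` on every Secret in every namespace, because the rule lives in a ClusterRole; the CRD hunk in the same commit states that each referenced TLS secret "must be created in the namespace with etcdCluster CR", so the operator only ever needs Secrets in namespaces that hold EtcdCluster objects. Cluster-wide list/watch on Secrets means a compromised operator pod (or anyone with exec on it) can enumerate every credential in the cluster, which is a much larger blast radius than the feature requires. If a controller-runtime cache is the reason for `list`/`watch`, consider restricting the cache to a label selector or to the namespaces it reconciles, or issuing namespaced Roles; at minimum document the scope above the rule, e.g. `# Secrets are read cluster-wide; operator only needs those in EtcdCluster namespaces — consider narrowing`. The added POD_NAMESPACE env in deployment.yml suggests the operator already knows its own namespace, which may help scope the webhook-cert lookup without a cluster-wide grant.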
+++ b/packages/system/etcd-operator/charts/etcd-operator/templates/workload/deployment.yml @@ -58,6 +58,12 @@ spec: - configMapRef: name: {{ include "etcd-operator.fullname" . }}-env {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: cert diff --git a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json index 97400378..65836a6b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/values.schema.json +++ b/packages/system/etcd-operator/charts/etcd-operator/values.schema.json @@ -256,14 +256,6 @@ "replicaCount": { "type": "integer" }, - "securityContext": { - "properties": { - "runAsNonRoot": { - "type": "boolean" - } - }, - "type": "object" - }, "serviceAccount": { "properties": { "annotations": { @@ -281,4 +273,4 @@ } }, "type": "object" -} \ No newline at end of file +} diff --git a/packages/system/etcd-operator/charts/etcd-operator/values.yaml b/packages/system/etcd-operator/charts/etcd-operator/values.yaml index 9c9ff75a..dcef802b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/values.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/values.yaml 
@@ -1,98 +1,184 @@ etcdOperator: + image: + + # -- Image repository repository: ghcr.io/aenix-io/etcd-operator + + # -- Image pull policy pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. + + # -- Overrides the image tag whose default is the chart appVersion. tag: "" + args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - --leader-elect + service: + + # -- Service type type: ClusterIP + + # -- Service port port: 9443 + + # -- Empty environment variables section envVars: {} + livenessProbe: + httpGet: + + # -- Healthcheck liveness probe path path: /healthz + + # -- Healthcheck port port: 8081 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes initialDelaySeconds: 15 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes periodSeconds: 20 + readinessProbe: + httpGet: + + # -- Healthcheck readiness probe path path: /readyz + + # -- Healthcheck port port: 8081 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes initialDelaySeconds: 5 + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes periodSeconds: 10 + + # -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: - ALL kubeRbacProxy: + image: + + # -- Image repository repository: gcr.io/kubebuilder/kube-rbac-proxy + + # -- Image pull policy pullPolicy: IfNotPresent + + # -- Version of image tag: v0.16.0 + args: - --secure-listen-address=0.0.0.0:8443 - 
--upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=0 - service: - type: ClusterIP - port: 8443 - livenessProbe: {} - readinessProbe: {} - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + service: + + # -- Service type + type: ClusterIP + + # -- Service port + port: 8443 + + # -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: {} + + # -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + readinessProbe: {} + + # -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + + limits: + + cpu: 250m + + memory: 128Mi + + requests: + + cpu: 100m + + memory: 64Mi + + # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + securityContext: + + allowPrivilegeEscalation: false + + capabilities: + + drop: + - ALL + +# -- Kubernetes cluster domain prefix kubernetesClusterDomain: cluster.local +# -- Count of pod replicas replicaCount: 1 imagePullSecrets: [] +# -- Override a name of helm release nameOverride: "" +# -- Override a full name of helm release fullnameOverride: "" serviceAccount: - # Specifies whether a service account should be created + + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + + # -- Annotations to add to the service account annotations: {} +# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ podAnnotations: {} +# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} +# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ podSecurityContext: {} # fsGroup: 2000 -securityContext: - runAsNonRoot: true - +# -- ref: 
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ nodeSelector: {} +# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] +# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity affinity: {} diff --git a/packages/core/fluxcd/.helmignore b/packages/system/fluxcd-operator/.helmignore similarity index 100% rename from packages/core/fluxcd/.helmignore rename to packages/system/fluxcd-operator/.helmignore diff --git a/packages/system/fluxcd-operator/Chart.yaml b/packages/system/fluxcd-operator/Chart.yaml new file mode 100644 index 00000000..42ed3feb --- /dev/null +++ b/packages/system/fluxcd-operator/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-fluxcd-operator +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/fluxcd-operator/Makefile b/packages/system/fluxcd-operator/Makefile new file mode 100644 index 00000000..26cf39a7 --- /dev/null +++ b/packages/system/fluxcd-operator/Makefile @@ -0,0 +1,12 @@ +NAME=fluxcd-operator +NAMESPACE=cozy-fluxcd + +include ../../../scripts/package-system.mk + +apply-locally: + helm upgrade -i -n $(NAMESPACE) $(NAME) . + +update: + rm -rf charts + helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts + patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff diff --git a/packages/core/fluxcd/charts/flux2/.helmignore b/packages/system/fluxcd-operator/charts/flux-operator/.helmignore similarity index 95% rename from packages/core/fluxcd/charts/flux2/.helmignore rename to packages/system/fluxcd-operator/charts/flux-operator/.helmignore index 98229532..f24ae1c9 100644 --- a/packages/core/fluxcd/charts/flux2/.helmignore +++ b/packages/system/fluxcd-operator/charts/flux-operator/.helmignore @@ -21,5 +21,4 @@ .idea/ *.tmproj .vscode/ - -tests/ +helmdocs.gotmpl 
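Review bot: The top-level `securityContext: runAsNonRoot: true` is removed from values.yaml and nothing takes its place: neither `etcdOperator.securityContext` nor `kubeRbacProxy.securityContext` sets `runAsNonRoot`, and `podSecurityContext` stays `{}`, so unless the deployment template hard-codes it (not visible in this diff) both containers lose the non-root guarantee and the chart no longer meets the Pod Security "restricted" profile. The matching values.schema.json hunk also drops the `securityContext` property, so a user who re-adds the old key will be rejected by schema validation rather than silently ignored, which makes the regression harder to undo from values alone. Suggest adding `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}` to both container `securityContext` blocks (the flux-operator chart vendored in the same commit ships exactly these defaults), or at least `podSecurityContext: {runAsNonRoot: true}` so the setting applies to every container.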
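Review bot: `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --untar --untardir charts` in the new `update` target has no `--version`, so each run vendors whatever tag the registry serves at that moment, and `patch --no-backup-if-mismatch -p1 < patches/kubernetesEnvs.diff` is then applied to an unpinned chart; a silently shifted upstream can land in this repo with the patch applied to different lines. Pin the chart to the vendored version, `helm pull oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version 0.6.0 --untar --untardir charts` (matching the `version: 0.6.0` in the vendored Chart.yaml), and, if the publisher signs the OCI artifact, verify the signature before untarring. The `apply-locally` target also installs with whatever values happen to be on disk; a short comment noting that `update` must be followed by reviewing the resulting diff would help whoever runs it next.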
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml new file mode 100644 index 00000000..4d13ecdb --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml @@ -0,0 +1,30 @@ +annotations: + artifacthub.io/license: AGPL-3.0 + artifacthub.io/links: | + - name: Documentation + url: https://fluxcd.control-plane.io/operator + - name: Chart Source + url: https://github.com/controlplaneio-fluxcd/charts + - name: Upstream Project + url: https://github.com/controlplaneio-fluxcd/flux-operator +apiVersion: v2 +appVersion: v0.6.0 +description: 'A Helm chart for deploying the Flux Operator. ' +home: https://github.com/controlplaneio-fluxcd +icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png +keywords: +- flux +- fluxcd +- gitops +kubeVersion: '>=1.22.0-0' +maintainers: +- email: stefan.prodan@control-plane.io + name: Stefan Prodan +- name: Soule Ba + url: soule.ba@control-plane.io +name: flux-operator +sources: +- https://github.com/controlplaneio-fluxcd/flux-operator +- https://github.com/controlplaneio-fluxcd/charts +type: application +version: 0.6.0 diff --git a/packages/system/fluxcd-operator/charts/flux-operator/README.md b/packages/system/fluxcd-operator/charts/flux-operator/README.md new file mode 100644 index 00000000..7fea50d7 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/README.md 
@@ -0,0 +1,57 @@ +# flux-operator + +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.6.0](https://img.shields.io/badge/AppVersion-v0.6.0-informational?style=flat-square) + +The [Flux Operator](https://github.com/controlplaneio-fluxcd) provides a declarative API +for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the +ControlPlane [enterprise distribution](https://control-plane.io/enterprise-for-flux-cd/). + +The operator automates the patching for hotfixes and CVEs affecting the Flux controllers container images +and enables the configuration of multi-tenancy lockdown on Kubernetes and OpenShift clusters. + +## Prerequisites + +- Kubernetes 1.22+ +- Helm 3.8+ + +## Installing the Chart + +To install the operator in the `flux-system` namespace: + +```console +helm install flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \ + --namespace flux-system \ + --create-namespace \ + --wait +``` + +To deploy the Flux controllers and to configure automated updates, +see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/). + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}` | Pod affinity and anti-affinity settings. | +| commonAnnotations | object | `{}` | Common annotations to add to all deployed objects including pods. | +| commonLabels | object | `{}` | Common labels to add to all deployed objects including pods. | +| extraEnvs | list | `[]` | Container extra environment variables. 
| +| fullnameOverride | string | `""` | | +| hostNetwork | bool | `false` | If `true`, the container ports (`8080` and `8081`) are exposed on the host network. | +| image | object | `{"pullSecrets":[],"repository":"ghcr.io/controlplaneio-fluxcd/flux-operator","tag":""}` | Container image settings. The image tag defaults to the chart appVersion. | +| installCRDs | bool | `true` | Install and upgrade the custom resource definitions. | +| livenessProbe | object | `{"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}` | Container liveness probe settings. | +| marketplace | object | `{"account":"","license":"","type":""}` | Marketplace settings. | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | Pod security context settings. | +| priorityClassName | string | `""` | Pod priority class name. Recommended value is system-cluster-critical. | +| readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}` | Container readiness probe settings. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | Container resources requests and limits settings. | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context settings. The default is compliant with the pod security restricted profile. | +| serviceAccount | object | `{"automount":true,"create":true,"name":""}` | Pod service account settings. The name of the service account defaults to the release name. | +| tolerations | list | `[]` | Pod tolerations settings. | + +## Source Code + +* +* diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/NOTES.txt b/packages/system/fluxcd-operator/charts/flux-operator/templates/NOTES.txt new file mode 100644 index 00000000..b09e5e52 
--- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/NOTES.txt @@ -0,0 +1 @@ +Documentation at https://fluxcd.control-plane.io/operator/ diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/_helpers.tpl b/packages/system/fluxcd-operator/charts/flux-operator/templates/_helpers.tpl new file mode 100644 index 00000000..996d71d6 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/_helpers.tpl 
@@ -0,0 +1,58 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "flux-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "flux-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "flux-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "flux-operator.labels" -}} +helm.sh/chart: {{ include "flux-operator.chart" . }} +{{ include "flux-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "flux-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "flux-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "flux-operator.serviceAccountName" -}} +{{- default (include "flux-operator.fullname" .) .Values.serviceAccount.name }} +{{- end }} 
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/clusterrole.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/clusterrole.yaml new file mode 100644 index 00000000..6a09fa77 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "flux-operator.fullname" . }} + labels: + {{- include "flux-operator.labels" . | nindent 4 }} + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "flux-operator.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml new file mode 100644 index 00000000..ff6dfe83 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/crds.yaml 
@@ -0,0 +1,704 @@ +{{- if and .Values.installCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + app.kubernetes.io/name: '{{ .Chart.Name }}' + app.kubernetes.io/version: '{{ .Chart.AppVersion }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + name: fluxinstances.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: FluxInstance + listKind: FluxInstanceList + plural: fluxinstances + singular: fluxinstance + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .status.lastAttemptedRevision + name: Revision + type: string + name: v1 + schema: + openAPIV3Schema: + description: FluxInstance is the Schema for the fluxinstances API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FluxInstanceSpec defines the desired state of FluxInstance + properties: + cluster: + description: Cluster holds the specification of the Kubernetes cluster. + properties: + domain: + default: cluster.local + description: |- + Domain is the cluster domain used for generating the FQDN of services. + Defaults to 'cluster.local'. + type: string + multitenant: + description: Multitenant enables the multitenancy lockdown. + type: boolean + networkPolicy: + default: true + description: |- + NetworkPolicy restricts network access to the current namespace. + Defaults to true. + type: boolean + type: + default: kubernetes + description: |- + Type specifies the distro of the Kubernetes cluster. + Defaults to 'kubernetes'. + enum: + - kubernetes + - openshift + - aws + - azure + - gcp + type: string + required: + - domain + - networkPolicy + type: object + components: + description: |- + Components is the list of controllers to install. + Defaults to all controllers. + items: + description: Component is the name of a controller to install. + enum: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + - image-reflector-controller + - image-automation-controller + type: string + type: array + distribution: + description: Distribution specifies the version and container registry + to pull images from. + properties: + artifact: + description: |- + Artifact is the URL to the OCI artifact containing + the latest Kubernetes manifests for the distribution, + e.g. 'oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests:latest'. + pattern: ^oci://.*$ + type: string + imagePullSecret: + description: |- + ImagePullSecret is the name of the Kubernetes secret + to use for pulling images. 
+ type: string + registry: + description: |- + Registry address to pull the distribution images from + e.g. 'ghcr.io/fluxcd'. + type: string + version: + description: Version semver expression e.g. '2.x', '2.3.x'. + type: string + required: + - registry + - version + type: object + kustomize: + description: |- + Kustomize holds a set of patches that can be applied to the + Flux installation, to customize the way Flux operates. + properties: + patches: + description: |- + Strategic merge and JSON patches, defined as inline YAML objects, + capable of targeting objects based on kind, label and annotation selectors. + items: + description: |- + Patch contains an inline StrategicMerge or JSON6902 patch, and the target the patch should + be applied to. + properties: + patch: + description: |- + Patch contains an inline StrategicMerge patch or an inline JSON6902 patch with + an array of operation objects. + type: string + target: + description: Target points to the resources that the patch + document should be applied to. + properties: + annotationSelector: + description: |- + AnnotationSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource annotations. + type: string + group: + description: |- + Group is the API group to select resources from. + Together with Version and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + kind: + description: |- + Kind of the API Group to select resources from. + Together with Group and Version it is capable of unambiguously + identifying and/or selecting resources. 
+ https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + labelSelector: + description: |- + LabelSelector is a string that follows the label selection expression + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches with the resource labels. + type: string + name: + description: Name to match resources with. + type: string + namespace: + description: Namespace to select resources from. + type: string + version: + description: |- + Version of the API Group to select resources from. + Together with Group and Kind it is capable of unambiguously identifying and/or selecting resources. + https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md + type: string + type: object + required: + - patch + type: object + type: array + type: object + storage: + description: |- + Storage holds the specification of the source-controller + persistent volume claim. + properties: + class: + description: Class is the storage class to use for the PVC. + type: string + size: + description: Size is the size of the PVC. + type: string + required: + - class + - size + type: object + sync: + description: |- + Sync specifies the source for the cluster sync operation. + When set, a Flux source (GitRepository, OCIRepository or Bucket) + and Flux Kustomization are created to sync the cluster state + with the source repository. + properties: + interval: + default: 1m + description: Interval is the time between syncs. + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))+$ + type: string + kind: + description: Kind is the kind of the source. + enum: + - OCIRepository + - GitRepository + - Bucket + type: string + path: + description: |- + Path is the path to the source directory containing + the kustomize overlay or plain Kubernetes manifests. 
+ type: string + pullSecret: + description: |- + PullSecret specifies the Kubernetes Secret containing the + authentication credentials for the source. + For Git over HTTP/S sources, the secret must contain username and password fields. + For Git over SSH sources, the secret must contain known_hosts and identity fields. + For OCI sources, the secret must be of type kubernetes.io/dockerconfigjson. + For Bucket sources, the secret must contain accesskey and secretkey fields. + type: string + ref: + description: |- + Ref is the source reference, can be a Git ref name e.g. 'refs/heads/main', + an OCI tag e.g. 'latest' or a bucket name e.g. 'flux'. + type: string + url: + description: |- + URL is the source URL, can be a Git repository HTTP/S or SSH address, + an OCI repository address or a Bucket endpoint. + type: string + required: + - kind + - path + - ref + - url + type: object + wait: + default: true + description: |- + Wait instructs the controller to check the health of all the reconciled + resources. Defaults to true. + type: boolean + required: + - distribution + - wait + type: object + status: + description: FluxInstanceStatus defines the observed state of FluxInstance + properties: + components: + description: Components contains the container images used by the + components. + items: + description: ComponentImage represents a container image used by + a component. + properties: + digest: + description: Digest of the container image. + type: string + name: + description: Name of the component. + type: string + repository: + description: Repository address of the container image. + type: string + tag: + description: Tag of the container image. + type: string + required: + - name + - repository + - tag + type: object + type: array + conditions: + description: Conditions contains the readiness conditions of the object. 
+ items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inventory: + description: |- + Inventory contains a list of Kubernetes resource object references + last applied on the cluster. + properties: + entries: + description: Entries of Kubernetes resource object references. + items: + description: ResourceRef contains the information necessary + to locate a resource within a cluster. + properties: + id: + description: |- + ID is the string representation of the Kubernetes resource object's metadata, + in the format '___'. + type: string + v: + description: Version is the API version of the Kubernetes + resource object's kind. + type: string + required: + - id + - v + type: object + type: array + required: + - entries + type: object + lastAppliedRevision: + description: |- + LastAppliedRevision is the version and digest of the + distribution config that was last reconcile. + type: string + lastAttemptedRevision: + description: |- + LastAttemptedRevision is the version and digest of the + distribution config that was last attempted to reconcile. 
+ type: string + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + app.kubernetes.io/name: '{{ .Chart.Name }}' + app.kubernetes.io/version: '{{ .Chart.AppVersion }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + name: fluxreports.fluxcd.controlplane.io +spec: + group: fluxcd.controlplane.io + names: + kind: FluxReport + listKind: FluxReportList + plural: fluxreports + singular: fluxreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.distribution.entitlement + name: Entitlement + priority: 10 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].lastTransitionTime + name: LastUpdated + type: string + name: v1 + schema: + openAPIV3Schema: + description: FluxReport is the Schema for the fluxreports API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FluxReportSpec defines the observed state of a Flux installation. + properties: + components: + description: ComponentsStatus is the status of the Flux controller + deployments. + items: + description: FluxComponentStatus defines the observed state of a + Flux component. + properties: + image: + description: Image is the container image of the Flux component. + type: string + name: + description: Name is the name of the Flux component. + type: string + ready: + description: Ready is the readiness status of the Flux component. + type: boolean + status: + description: |- + Status is a human-readable message indicating details + about the Flux component observed state. + type: string + required: + - image + - name + - ready + - status + type: object + type: array + distribution: + description: Distribution is the version information of the Flux installation. + properties: + entitlement: + description: Entitlement is the entitlement verification status. + type: string + managedBy: + description: ManagedBy is the name of the operator managing the + Flux instance. + type: string + status: + description: |- + Status is a human-readable message indicating details + about the distribution observed state. + type: string + version: + description: Version is the version of the Flux instance. 
+ type: string + required: + - entitlement + - status + type: object + reconcilers: + description: |- + ReconcilersStatus is the list of Flux reconcilers and + their statistics grouped by API kind. + items: + description: FluxReconcilerStatus defines the observed state of + a Flux reconciler. + properties: + apiVersion: + description: APIVersion is the API version of the Flux resource. + type: string + kind: + description: Kind is the kind of the Flux resource. + type: string + stats: + description: Stats is the reconcile statics of the Flux resource + kind. + properties: + failing: + description: |- + Failing is the number of reconciled + resources in the Failing state. + type: integer + running: + description: |- + Running is the number of reconciled + resources in the Running state. + type: integer + suspended: + description: |- + Suspended is the number of reconciled + resources in the Suspended state. + type: integer + totalSize: + description: TotalSize is the total size of the artifacts + in storage. + type: string + required: + - failing + - running + - suspended + type: object + required: + - apiVersion + - kind + type: object + type: array + sync: + description: |- + SyncStatus is the status of the cluster sync + Source and Kustomization resources. + properties: + id: + description: ID is the identifier of the sync. + type: string + path: + description: Path is the kustomize path of the sync. + type: string + ready: + description: Ready is the readiness status of the sync. + type: boolean + source: + description: Source is the URL of the source repository. + type: string + status: + description: |- + Status is a human-readable message indicating details + about the sync observed state. + type: string + required: + - id + - ready + - status + type: object + required: + - distribution + type: object + status: + description: FluxReportStatus defines the readiness of a FluxReport. 
+ properties: + conditions: + description: Conditions contains the readiness conditions of the object. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastHandledReconcileAt: + description: |- + LastHandledReconcileAt holds the value of the most recent + reconcile request value, so a change of the annotation value + can be detected. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml new file mode 100644 index 00000000..7de88af2 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml 
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "flux-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flux-operator.labels" . | nindent 4 }} + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "flux-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "flux-operator.labels" . | nindent 8 }} + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "flux-operator.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.hostNetwork }} + hostNetwork: true + {{- end }} + containers: + - name: manager + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.marketplace.type }} + - name: MARKETPLACE_TYPE + value: {{ . }} + {{- end }} + {{- with .Values.marketplace.account }} + - name: MARKETPLACE_ACCOUNT + value: {{ . }} + {{- end }} + {{- with .Values.marketplace.license }} + - name: MARKETPLACE_LICENSE + value: {{ . }} + {{- end }} + {{- if .Values.extraEnvs }} + {{- toYaml .Values.extraEnvs | nindent 12 }} + {{- end }} + {{- include "cozy.kubernetes_envs" . 
| nindent 12 }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: IfNotPresent + ports: + - name: http-metrics + containerPort: 8080 + protocol: TCP + - name: http + containerPort: 8081 + protocol: TCP + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: temp + mountPath: /tmp + volumes: + - name: temp + emptyDir: {} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/service.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/service.yaml new file mode 100644 index 00000000..37ad04c2 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "flux-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "flux-operator.labels" . | nindent 4 }} + {{- with .Values.commonLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - port: 8080 + targetPort: http-metrics + protocol: TCP + name: http + selector: + {{- include "flux-operator.selectorLabels" . | nindent 4 }} diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/serviceaccount.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/serviceaccount.yaml new file mode 100644 index 00000000..2a481a59 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/serviceaccount.yaml 
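Review bot: `MARKETPLACE_LICENSE` (and `MARKETPLACE_ACCOUNT`) are rendered as plain `value:` entries straight from values, so the license lands unencrypted in the Deployment object and in the Helm release Secret, readable by anyone with `get` on deployments or pods in the namespace; source it with `valueFrom: { secretKeyRef: { name: ..., key: license } }` from a Secret instead. The three `value: {{ . }}` lines are also unquoted, so an all-digit account id renders as a YAML integer and the API server rejects the pod because env values must be strings; use `value: {{ . | quote }}` for each. `hostNetwork: true` binds 8080/8081 on every node interface, which is acceptable as an opt-in but deserves a comment next to the guard noting that the metrics and probe endpoints become reachable from the node network when it is enabled.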
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "flux-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "flux-operator.labels" . | nindent 4 }}
+ {{- with .Values.commonLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.commonAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json b/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json
new file mode 100644
index 00000000..1324083f
--- /dev/null
+++ b/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json
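Review bot: `automountServiceAccountToken` is only emitted on the ServiceAccount, and only when `serviceAccount.create` is true; the Deployment's pod spec never sets it, so with an externally managed account the `serviceAccount.automount` value is silently ignored. Add `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` to the pod spec in the Deployment so the setting is honoured regardless of who owns the account. Since the operator talks to the API server under this account, a comment such as `# automount must stay true unless a projected token is mounted another way` would stop someone from turning it off expecting a hardening win.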
@@ -0,0 +1,309 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "properties": { + "affinity": { + "default": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchExpressions": [ + { + "key": "kubernetes.io/os", + "operator": "In", + "values": [ + "linux" + ] + } + ] + } + ] + } + } + }, + "properties": { + "nodeAffinity": { + "properties": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "commonAnnotations": { + "properties": {}, + "type": "object" + }, + "commonLabels": { + "properties": {}, + "type": "object" + }, + "extraEnvs": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + }, + "fullnameOverride": { + "type": "string" + }, + "hostNetwork": { + "default": false, + "type": "boolean" + }, + "image": { + "properties": { + "pullSecrets": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "repository" + ], + "type": "object" + }, + "installCRDs": { + "default": true, + "type": "boolean" + }, + "livenessProbe": { + "default": { + "httpGet": { + "path": "/healthz", + "port": 8081 + }, + "initialDelaySeconds": 15, + "periodSeconds": 20 + }, + "properties": { + "httpGet": { + "properties": { + "path": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + 
"type": "integer" + } + }, + "type": "object" + }, + "marketplace": { + "properties": { + "account": { + "type": "string" + }, + "license": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "podSecurityContext": { + "default": { + "fsGroup": 1337 + }, + "properties": {}, + "type": "object" + }, + "priorityClassName": { + "default": "system-cluster-critical", + "type": "string" + }, + "readinessProbe": { + "default": { + "httpGet": { + "path": "/readyz", + "port": 8081 + }, + "initialDelaySeconds": 5, + "periodSeconds": 10 + }, + "properties": { + "httpGet": { + "properties": { + "path": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "type": "object" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "type": "object" + }, + "resources": { + "properties": { + "limits": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + }, + "requests": { + "default": { + "cpu": "100m", + "memory": "64Mi" + }, + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "default": false, + "type": "boolean" + }, + "capabilities": { + "default": { + "drop": [ + "ALL" + ] + }, + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": true + } + }, + "type": "object" + }, + "readOnlyRootFilesystem": { + "default": true, + "type": "boolean" + }, + "runAsNonRoot": { + "default": true, + "type": "boolean" + }, + "seccompProfile": { + "default": { + "type": "RuntimeDefault" + }, + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "serviceAccount": { + "default": { + "automount": true, + "create": true, 
+ "name": "" + }, + "properties": { + "automount": { + "type": "boolean" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "tolerations": { + "items": { + "type": "object" + }, + "type": "array", + "uniqueItems": true + } + }, + "required": [ + "resources", + "securityContext" + ], + "type": "object" +} diff --git a/packages/system/fluxcd-operator/charts/flux-operator/values.yaml b/packages/system/fluxcd-operator/charts/flux-operator/values.yaml new file mode 100644 index 00000000..feebdf18 --- /dev/null +++ b/packages/system/fluxcd-operator/charts/flux-operator/values.yaml 
@@ -0,0 +1,97 @@ +# Default values for flux-operator. + +nameOverride: "" +fullnameOverride: "" + +# -- Install and upgrade the custom resource definitions. +installCRDs: true # @schema default: true + +# -- Common annotations to add to all deployed objects including pods. +commonAnnotations: { } + +# -- Common labels to add to all deployed objects including pods. +commonLabels: { } + +# -- Container image settings. +# The image tag defaults to the chart appVersion. +image: + repository: ghcr.io/controlplaneio-fluxcd/flux-operator # @schema required: true + tag: "" + pullSecrets: [ ] # @schema item: object ; uniqueItems: true + +# -- Pod priority class name. +# Recommended value is system-cluster-critical. +priorityClassName: "" # @schema default: "system-cluster-critical" + +# -- Container resources requests and limits settings. +resources: # @schema required: true + limits: + cpu: 1000m + memory: 1Gi + requests: # @schema default: {"cpu":"100m","memory":"64Mi"} + cpu: 100m + memory: 64Mi + +# -- Container liveness probe settings. +livenessProbe: # @schema default: {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20} + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + +# -- Container readiness probe settings. +readinessProbe: # @schema default: {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10} + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + +# -- Pod service account settings. +# The name of the service account defaults to the release name. +serviceAccount: # @schema default: {"create":true,"automount":true,"name":""} + create: true + automount: true + name: "" + +# -- Pod security context settings. +podSecurityContext: { } # @schema default: {"fsGroup":1337} + +# -- Container security context settings. +# The default is compliant with the pod security restricted profile. 
+securityContext: # @schema required: true + runAsNonRoot: true # @schema default: true + readOnlyRootFilesystem: true # @schema default: true + allowPrivilegeEscalation: false # @schema default: false + capabilities: # @schema default: {"drop":["ALL"]} + drop: # @schema item: string ; uniqueItems: true + - "ALL" + seccompProfile: # @schema default: {"type":"RuntimeDefault"} + type: "RuntimeDefault" + +# -- Pod affinity and anti-affinity settings. +affinity: # @schema default: {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + +# -- Pod tolerations settings. +tolerations: [ ] # @schema item: object ; uniqueItems: true + +# -- Marketplace settings. +marketplace: + type: "" + license: "" + account: "" + +# -- If `true`, the container ports (`8080` and `8081`) are exposed on the host network. +hostNetwork: false # @schema default: false + +# -- Container extra environment variables. +extraEnvs: [ ] # @schema item: object ; uniqueItems: true diff --git a/packages/system/fluxcd-operator/patches/kubernetesEnvs.diff b/packages/system/fluxcd-operator/patches/kubernetesEnvs.diff new file mode 100644 index 00000000..1c9c1c39 --- /dev/null +++ b/packages/system/fluxcd-operator/patches/kubernetesEnvs.diff 
@@ -0,0 +1,12 @@
+diff --git a/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml b/packages/core/fluxcd/charts/flux-operator/templates/deployment.yaml
+index 8ffd8d8..5ad96a8 100644
+--- a/charts/flux-operator/templates/deployment.yaml
++++ b/charts/flux-operator/templates/deployment.yaml
+@@ -58,6 +58,7 @@ spec:
+ {{- if .Values.extraEnvs }}
+ {{- toYaml .Values.extraEnvs | nindent 12 }}
+ {{- end }}
++ {{- include "cozy.kubernetes_envs" . | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/packages/system/fluxcd-operator/templates/_helpers.tpl b/packages/system/fluxcd-operator/templates/_helpers.tpl
new file mode 100644
index 00000000..e22979ba
--- /dev/null
+++ b/packages/system/fluxcd-operator/templates/_helpers.tpl
@@ -0,0 +1,13 @@
+{{- define "cozy.kubernetes_envs" }}
+{{- $cozyDeployment := lookup "apps/v1" "Deployment" "cozy-system" "cozystack" }}
+{{- $cozyContainers := dig "spec" "template" "spec" "containers" dict $cozyDeployment }}
+{{- range $cozyContainers }}
+{{- if eq .name "cozystack" }}
+{{- range .env }}
+{{- if has .name (list "KUBERNETES_SERVICE_HOST" "KUBERNETES_SERVICE_PORT") }}
+- {{ toJson . }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/fluxcd-operator/values.yaml b/packages/system/fluxcd-operator/values.yaml
new file mode 100644
index 00000000..654ca304
--- /dev/null
+++ b/packages/system/fluxcd-operator/values.yaml
@@ -0,0 +1,7 @@
+flux-operator:
+ fullnameOverride: flux-operator
+ tolerations:
+ - key: node.kubernetes.io/not-ready
+ operator: Exists
+ effect: NoSchedule
+ hostNetwork: true
diff --git a/packages/core/fluxcd/Chart.yaml b/packages/system/fluxcd/Chart.yaml
similarity index 100%
rename from packages/core/fluxcd/Chart.yaml
rename to packages/system/fluxcd/Chart.yaml
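Review bot: `lookup` in `cozy.kubernetes_envs` returns an empty map when the `cozystack` Deployment is absent or when the chart is rendered without cluster access (`helm template`, `--dry-run`), and the `dig … dict` default then makes the whole include render nothing, so the operator quietly starts with the kubelet-injected in-cluster `KUBERNETES_SERVICE_*` values instead of the ones copied from `cozy-system/cozystack`. Since the sibling values file in this commit puts the pod on the host network, that silent fallback is presumably the very configuration this helper exists to avoid. Failing loudly, `{{- if not $cozyDeployment }}{{- fail "Deployment cozystack not found in namespace cozy-system" }}{{- end }}`, or at minimum a comment above the `define` stating that the env is inherited from that Deployment and why, would make the dependency visible to whoever next reorders the install.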
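Review bot: `hostNetwork: true` moves the flux-operator pod into the node's network namespace, so the container ports (the vendored chart's values comment lists `8080` and `8081`) are bound on every node address and the pod is no longer covered by NetworkPolicy, yet nothing in the hunk says why that is needed. A comment above the key recording the reason (presumably API-server reachability before the CNI is up, which the `node.kubernetes.io/not-ready` toleration also hints at) would stop a later reader from reverting it, e.g. `# hostNetwork: the operator must reach the API server before the CNI is ready; ports 8080/8081 become node-local`. If that is the reason, also confirm the vendored deployment template (not in this hunk) sets `dnsPolicy: ClusterFirstWithHostNet`, since a host-network pod otherwise does not resolve in-cluster service names.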
diff --git a/packages/system/fluxcd/Makefile b/packages/system/fluxcd/Makefile
new file mode 100644
index 00000000..de09740c
--- /dev/null
+++ b/packages/system/fluxcd/Makefile
@@ -0,0 +1,7 @@
+NAME=fluxcd
+NAMESPACE=cozy-$(NAME)
+
+apply-locally:
+ helm upgrade -i -n $(NAMESPACE) $(NAME) .
+
+include ../../../scripts/package-system.mk
diff --git a/packages/system/fluxcd/templates/flux-instance.yaml b/packages/system/fluxcd/templates/flux-instance.yaml
new file mode 100644
index 00000000..ce0fd133
--- /dev/null
+++ b/packages/system/fluxcd/templates/flux-instance.yaml
@@ -0,0 +1,25 @@
+apiVersion: fluxcd.controlplane.io/v1
+kind: FluxInstance
+metadata:
+ name: flux
+spec:
+ {{- with .Values.cluster }}
+ cluster:
+ {{- with .networkPolicy }}
+ networkPolicy: {{ . }}
+ {{- end }}
+ {{- with .domain }}
+ domain: {{ . }}
+ {{- end }}
+ {{- end }}
+ distribution:
+ version: {{ .Values.distribution.version }}
+ registry: {{ .Values.distribution.registry }}
+ components:
+ {{- if .Values.components }}
+ {{- toYaml .Values.components | nindent 4 }}
+ {{- end }}
+ kustomize:
+ {{- if .Values.kustomize }}
+ {{- toYaml .Values.kustomize | nindent 4 }}
+ {{- end }}
diff --git a/packages/system/fluxcd/values.yaml b/packages/system/fluxcd/values.yaml
new file mode 100644
index 00000000..9eba35ec
--- /dev/null
+++ b/packages/system/fluxcd/values.yaml
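Review bot: `{{- with .networkPolicy }}` is skipped when the value is `false`, so `cluster.networkPolicy: false` in values can never reach the rendered `FluxInstance` and whichever default the operator applies wins instead, with no indication to the user that their setting was dropped. Render it whenever the key is present: `{{- if hasKey . "networkPolicy" }}` / `networkPolicy: {{ .networkPolicy }}` / `{{- end }}`. The `distribution` scalars are also unquoted; `version: {{ .Values.distribution.version | quote }}` keeps a user value like `2.3` from being parsed as a float (the shipped default `2.3.x` in the next file happens to be safe).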
@@ -0,0 +1,47 @@
+cluster:
+ networkPolicy: true
+# domain: cozy.local
+distribution:
+ version: 2.3.x
+ registry: ghcr.io/fluxcd
+components:
+ - source-controller
+ - kustomize-controller
+ - helm-controller
+ - notification-controller
+ - image-reflector-controller
+ - image-automation-controller
+kustomize:
+ patches:
+ - target:
+ kind: Deployment
+ name: "(kustomize-controller|helm-controller|source-controller)"
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=20
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ - op: replace
+ path: /spec/template/spec/containers/0/resources/limits
+ value:
+ cpu: 2000m
+ memory: 2048Mi
+ - target:
+ kind: Deployment
+ name: source-controller
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --storage-adv-addr=source-controller.cozy-fluxcd.svc
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --events-addr=http://notification-controller.cozy-fluxcd.svc/
+ - target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|image-reflector-controller|image-automation-controller)
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --events-addr=http://notification-controller.cozy-fluxcd.svc/
diff --git a/packages/system/grafana-operator/Makefile b/packages/system/grafana-operator/Makefile
index 05916ae5..38eed61c 100644
--- a/packages/system/grafana-operator/Makefile
+++ b/packages/system/grafana-operator/Makefile
@@ -1,5 +1,5 @@
-NAME=grafana-operator
-NAMESPACE=cozy-grafana-operator
+export NAME=grafana-operator
+export NAMESPACE=cozy-grafana-operator
 include ../../../scripts/package-system.mk
diff --git a/packages/system/ingress-nginx/Makefile b/packages/system/ingress-nginx/Makefile
index 831ef0a0..a6b85f48 100644
--- a/packages/system/ingress-nginx/Makefile
+++ b/packages/system/ingress-nginx/Makefile
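Review bot: `distribution.version: 2.3.x` is a floating range, so the exact controller images pulled from `ghcr.io/fluxcd` are presumably resolved by the operator at reconcile time rather than fixed by this commit, and nothing pins them by digest; a later upstream patch release changes what runs in `cozy-fluxcd` with no change in this repository. If reproducible installs are wanted, pin an exact version here and bump it deliberately; if the floating range is intentional, say so on the line, e.g. `version: 2.3.x  # intentionally floating: follow upstream 2.3 patch releases`. Either way the choice deserves a comment, since this is the only place the platform's GitOps toolchain version is set.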
@@ -1,5 +1,5 @@ -NAME=ingress-nginx -NAMESPACE=cozy-$(NAME) +export NAME=ingress-nginx +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk @@ -8,7 +8,6 @@ update: helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo update ingress-nginx helm pull ingress-nginx/ingress-nginx --untar --untardir charts - patch -p 3 < patches/add-metrics2.patch + patch --no-backup-if-mismatch -p 3 < patches/add-metrics2.patch rm -f charts/ingress-nginx/templates/controller-deployment.yaml.orig rm -rf charts/ingress-nginx/changelog/ - #sed -i '/ type:/a \ allocateLoadBalancerNodePorts: false' charts/ingress-nginx/templates/controller-service.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig deleted file mode 100644 index 3aaa9250..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml.orig +++ /dev/null 
@@ -1,243 +0,0 @@ -{{- if eq .Values.controller.kind "DaemonSet" -}} -{{- include "isControllerTagValid" . -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ include "ingress-nginx.namespace" . }} - {{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: controller - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - {{- if .Values.controller.updateStrategy }} - updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} - {{- end }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - template: - metadata: - {{- if .Values.controller.podAnnotations }} - annotations: - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include "ingress-nginx.labels" . | nindent 8 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.controller.podLabels }} - {{- toYaml .Values.controller.podLabels | nindent 8 }} - {{- end }} - spec: - {{- if .Values.controller.dnsConfig }} - dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostAliases }} - hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostname }} - hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} - {{- end }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} - {{- end }} - {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName | quote }} - {{- end }} - {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} - securityContext: - {{- if .Values.controller.podSecurityContext }} - {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} - sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.controller.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} - {{- end }} - containers: - - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" - {{- end }} - imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - {{- if .Values.controller.lifecycle }} - lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} - {{- end }} - args: {{ include "ingress-nginx.params" . 
| nindent 12 }} - securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.enableMimalloc }} - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - {{- end }} - {{- if .Values.controller.extraEnvs }} - {{- toYaml .Values.controller.extraEnvs | nindent 12 }} - {{- end }} - {{- if .Values.controller.startupProbe }} - startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.livenessProbe }} - livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.readinessProbe }} - readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} - {{- end }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - - name: {{ .Values.controller.metrics.portName }} - containerPort: {{ .Values.controller.metrics.port }} - protocol: TCP - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook - containerPort: {{ .Values.controller.admissionWebhooks.port }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - containerPort: {{ $key }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - containerPort: {{ 
$key }} - protocol: UDP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - - name: modules - {{- if .Values.controller.image.chroot }} - mountPath: /chroot/modules_mount - {{- else }} - mountPath: /modules_mount - {{- end }} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - {{- end }} - {{- if .Values.controller.extraVolumeMounts }} - {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.controller.resources }} - resources: {{ toYaml .Values.controller.resources | nindent 12 }} - {{- end }} - {{- if .Values.controller.extraContainers }} - {{- toYaml .Values.controller.extraContainers | nindent 8 }} - {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - initContainers: - {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} - {{- end }} - {{- if .Values.controller.extraModules }} - {{- range .Values.controller.extraModules }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - 
{{- if .Values.controller.opentelemetry.enabled }} - {{- with .Values.controller.opentelemetry }} - {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.controller.hostNetwork }} - hostNetwork: {{ .Values.controller.hostNetwork }} - {{- end }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} - {{- end }} - {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} - terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumes: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - - name: modules - emptyDir: {} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - name: nginx-template-volume - configMap: - name: {{ .Values.controller.customTemplate.configMapName }} - items: - - key: {{ .Values.controller.customTemplate.configMapKey }} - path: nginx.tmpl - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - secret: - secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - {{- if .Values.controller.admissionWebhooks.certManager.enabled }} - items: - - key: tls.crt - path: cert - - key: tls.key - path: key - {{- end }} - {{- end }} - {{- if .Values.controller.extraVolumes }} - {{ toYaml .Values.controller.extraVolumes | nindent 8 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index 1390e725..16018ed0 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: extraArgs: - enable-ssl-passthrough: true + enable-ssl-passthrough: "" image: registry: ghcr.io image: kvaps/ingress-nginx-with-protobuf-exporter/controller @@ -32,8 +32,8 @@ ingress-nginx: #real-ip-header: "proxy_protocol" #enable-real-ip: "true" # keep-alive - proxy-connect-timeout: "10s" - proxy-read-timeout: "10s" + proxy-connect-timeout: "10" + proxy-read-timeout: "10" keep-alive-requests: "1000000" upstream-keepalive-requests: "100000" upstream-keepalive-time: '1m' 
diff --git a/packages/system/kafka-operator/Makefile b/packages/system/kafka-operator/Makefile index e68cb803..29c32688 100644 --- a/packages/system/kafka-operator/Makefile +++ b/packages/system/kafka-operator/Makefile @@ -1,5 +1,5 @@ -NAME=kafka-operator -NAMESPACE=cozy-$(NAME) +export NAME=kafka-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kamaji-etcd/Makefile b/packages/system/kamaji-etcd/Makefile index b2f909b8..a5419dbb 100644 --- a/packages/system/kamaji-etcd/Makefile +++ b/packages/system/kamaji-etcd/Makefile @@ -4,6 +4,6 @@ update: helm repo update clastix helm pull clastix/kamaji-etcd --untar --untardir charts sed -i 's/hook-failed/before-hook-creation,hook-failed/' `grep -rl hook-failed charts` - patch -p4 < patches/fix-svc.diff - patch -p4 < patches/fullnameOverride.diff - patch -p4 < patches/remove-plus.patch + patch --no-backup-if-mismatch -p4 < patches/fix-svc.diff + patch --no-backup-if-mismatch -p4 < patches/fullnameOverride.diff + patch --no-backup-if-mismatch -p4 < patches/remove-plus.patch diff --git a/packages/system/kamaji/Makefile b/packages/system/kamaji/Makefile index 163d5548..bc4af6e9 100644 --- a/packages/system/kamaji/Makefile +++ b/packages/system/kamaji/Makefile @@ -1,5 +1,5 @@ -NAME=kamaji -NAMESPACE=cozy-$(NAME) +export NAME=kamaji +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kamaji/charts/kamaji/Chart.yaml b/packages/system/kamaji/charts/kamaji/Chart.yaml index d4980db4..854242ba 100644 --- a/packages/system/kamaji/charts/kamaji/Chart.yaml +++ b/packages/system/kamaji/charts/kamaji/Chart.yaml 
@@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: Kamaji catalog.cattle.io/release-name: kamaji apiVersion: v2 -appVersion: v0.5.0 +appVersion: v1.0.0 description: Kamaji is the Hosted Control Plane Manager for Kubernetes. home: https://github.com/clastix/kamaji icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png @@ -21,4 +21,4 @@ name: kamaji sources: - https://github.com/clastix/kamaji type: application -version: 0.15.2 +version: 1.0.0 diff --git a/packages/system/kamaji/charts/kamaji/README.md b/packages/system/kamaji/charts/kamaji/README.md index 6222e435..89a7d078 100644 --- a/packages/system/kamaji/charts/kamaji/README.md +++ b/packages/system/kamaji/charts/kamaji/README.md @@ -1,6 +1,6 @@ # kamaji -![Version: 0.15.2](https://img.shields.io/badge/Version-0.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.5.0](https://img.shields.io/badge/AppVersion-v0.5.0-informational?style=flat-square) +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0](https://img.shields.io/badge/AppVersion-v1.0.0-informational?style=flat-square) Kamaji is the Hosted Control Plane Manager for Kubernetes. 
@@ -77,7 +77,7 @@ Here the values you can override: | datastore.driver | string | `"etcd"` | (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). | | datastore.enabled | bool | `true` | (bool) Enable the Kamaji Datastore creation (default=true) | | datastore.endpoints | list | `[]` | (array) List of endpoints of the selected Datastore. When letting the Chart install the etcd datastore, this field is populated automatically. | -| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. | +| datastore.nameOverride | string | `nil` | The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. | | datastore.tlsConfig.certificateAuthority.certificate.keyPath | string | `nil` | Key of the Secret which contains the content of the certificate. | | datastore.tlsConfig.certificateAuthority.certificate.name | string | `nil` | Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | | datastore.tlsConfig.certificateAuthority.certificate.namespace | string | `nil` | Namespace of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. | 
@@ -90,6 +90,7 @@ Here the values you can override: | datastore.tlsConfig.clientCertificate.privateKey.keyPath | string | `nil` | Key of the Secret which contains the content of the private key. | | datastore.tlsConfig.clientCertificate.privateKey.name | string | `nil` | Name of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | | datastore.tlsConfig.clientCertificate.privateKey.namespace | string | `nil` | Namespace of the Secret containing the client certificate private key required to establish the mandatory SSL/TLS connection to the datastore. | +| datastore.tlsConfig.enabled | bool | `true` | | | etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) | | etcd.deploy | bool | `true` | Install an etcd with enabled multi-tenancy along with Kamaji | | etcd.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.6"}` | Install specific etcd image | @@ -133,6 +134,7 @@ Here the values you can override: | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `"kamaji-controller-manager"` | | | serviceMonitor.enabled | bool | `false` | Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured | +| telemetry | object | `{"disabled":false}` | Disable the analytics traces collection | | temporaryDirectoryPath | string | `"/tmp/kamaji"` | Directory which will be used to work with temporary files. (default "/tmp/kamaji") | | tolerations | list | `[]` | Kubernetes node taints that the Kamaji controller pods would tolerate | diff --git a/packages/system/kamaji/charts/kamaji/crds/datastore.yaml b/packages/system/kamaji/charts/kamaji/crds/datastore.yaml index 0077a06e..97405495 100644 --- a/packages/system/kamaji/charts/kamaji/crds/datastore.yaml +++ b/packages/system/kamaji/charts/kamaji/crds/datastore.yaml 
@@ -71,10 +71,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -98,10 +100,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to reference + a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -118,6 +122,7 @@ spec: - etcd - MySQL - PostgreSQL + - NATS type: string endpoints: description: |- @@ -128,7 +133,9 @@ spec: minItems: 1 type: array tlsConfig: - description: Defines the TLS/SSL configuration required to connect to the data store in a secure way. + description: |- + Defines the TLS/SSL configuration required to connect to the data store in a secure way. + This value is optional. properties: certificateAuthority: description: |- @@ -152,10 +159,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath 
@@ -179,10 +188,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -193,7 +204,8 @@ spec: - certificate type: object clientCertificate: - description: Specifies the SSL/TLS key and private key pair used to connect to the data store. + description: Specifies the SSL/TLS key and private key pair used + to connect to the data store. properties: certificate: properties: @@ -212,10 +224,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath @@ -239,10 +253,12 @@ spec: minLength: 1 type: string name: - description: name is unique within a namespace to reference a secret resource. + description: name is unique within a namespace to + reference a secret resource. type: string namespace: - description: namespace defines the space within which the secret name must be unique. + description: namespace defines the space within which + the secret name must be unique. type: string required: - keyPath 
@@ -255,18 +271,17 @@ spec: type: object required: - certificateAuthority - - clientCertificate type: object required: - driver - endpoints - - tlsConfig type: object status: description: DataStoreStatus defines the observed state of DataStore. properties: usedBy: - description: List of the Tenant Control Planes, namespaced named, using this data store. + description: List of the Tenant Control Planes, namespaced named, + using this data store. items: type: string type: array diff --git a/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml b/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml index 2af86342..b94dd328 100644 --- a/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml +++ b/packages/system/kamaji/charts/kamaji/crds/tenantcontrolplane.yaml @@ -55,7 +55,8 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: TenantControlPlane is the Schema for the tenantcontrolplanes API. + description: TenantControlPlane is the Schema for the tenantcontrolplanes + API. properties: apiVersion: description: |- @@ -97,7 +98,8 @@ spec: type: string type: object konnectivity: - description: Enables the Konnectivity addon in the Tenant Cluster, required if the worker nodes are in a different network. + description: Enables the Konnectivity addon in the Tenant Cluster, + required if the worker nodes are in a different network. properties: agent: default: 
@@ -115,8 +117,53 @@ spec: type: array image: default: registry.k8s.io/kas-network-proxy/proxy-agent - description: AgentImage defines the container image for Konnectivity's agent. + description: AgentImage defines the container image for + Konnectivity's agent. type: string + tolerations: + default: + - key: CriticalAddonsOnly + operator: Exists + description: |- + Tolerations for the deployed agent. + Can be customized to start the konnectivity-agent even if the nodes are not ready or tainted. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. 
+ type: string + type: object + type: array version: default: v0.0.32 description: Version for Konnectivity agent. @@ -139,14 +186,17 @@ spec: type: array image: default: registry.k8s.io/kas-network-proxy/proxy-server - description: Container image used by the Konnectivity server. + description: Container image used by the Konnectivity + server. type: string port: - description: The port which Konnectivity server is listening to. + description: The port which Konnectivity server is listening + to. format: int32 type: integer resources: - description: Resources define the amount of CPU and memory to allocate to the Konnectivity server. + description: Resources define the amount of CPU and memory + to allocate to the Konnectivity server. properties: claims: description: |- @@ -160,7 +210,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -202,7 +253,8 @@ spec: type: object version: default: v0.0.32 - description: Container image version of the Konnectivity server. + description: Container image version of the Konnectivity + server. type: string required: - port 
@@ -231,12 +283,15 @@ spec: such as the number of Pod replicas, the Service resource, or the Ingress. properties: deployment: - description: Defining the options for the deployed Tenant Control Plane as Deployment resource. + description: Defining the options for the deployed Tenant Control + Plane as Deployment resource. properties: additionalContainers: - description: AdditionalContainers allows adding additional containers to the Control Plane deployment. + description: AdditionalContainers allows adding additional + containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: description: |- @@ -271,10 +326,12 @@ spec: List of environment variables to set in the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: description: |- @@ -289,7 +346,8 @@ spec: Defaults to "". type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. @@ -304,7 +362,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - key 
@@ -316,10 +375,13 @@ spec: spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -331,13 +393,16 @@ spec: (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -348,10 +413,13 @@ spec: type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: description: |- @@ -360,7 +428,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - key 
@@ -383,7 +452,8 @@ spec: Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from @@ -395,12 +465,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from @@ -412,7 +484,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic @@ -462,7 +535,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -470,9 +544,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -489,7 +565,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: @@ -509,10 +586,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -525,7 +604,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -568,7 +648,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -576,9 +657,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -595,7 +678,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: 
@@ -615,10 +699,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -631,7 +717,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -676,10 +763,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -694,7 +783,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -702,9 +792,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -759,10 +851,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -814,7 +908,8 @@ spec: For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: description: |- @@ -823,7 +918,8 @@ spec: format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: description: |- @@ -882,10 +978,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -900,7 +998,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -908,9 +1007,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -965,10 +1066,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1007,7 +1110,8 @@ spec: resizePolicy: description: Resources resize policy for the container. items: - description: ContainerResizePolicy represents resource resize policy for the container. + description: ContainerResizePolicy represents resource + resize policy for the container. properties: resourceName: description: |- @@ -1043,7 +1147,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -1150,14 +1255,16 @@ spec: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic 
@@ -1219,16 +1326,20 @@ spec: Note that this field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: @@ -1272,7 +1383,8 @@ spec: GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: description: |- @@ -1322,10 +1434,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -1340,7 +1454,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -1348,9 +1463,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -1405,10 +1522,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1486,15 +1605,20 @@ spec: Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - devicePath 
@@ -1509,7 +1633,8 @@ spec: Pod volumes to mount into the container's filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. properties: mountPath: description: |- @@ -1588,9 +1713,11 @@ spec: type: object type: array additionalInitContainers: - description: AdditionalInitContainers allows adding additional init containers to the Control Plane deployment. + description: AdditionalInitContainers allows adding additional + init containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: description: |- @@ -1625,10 +1752,12 @@ spec: List of environment variables to set in the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: description: |- @@ -1643,7 +1772,8 @@ spec: Defaults to "". type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. @@ -1658,7 +1788,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - key 
@@ -1670,10 +1801,13 @@ spec: spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -1685,13 +1819,16 @@ spec: (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -1702,10 +1839,13 @@ spec: type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: description: |- @@ -1714,7 +1854,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - key 
@@ -1737,7 +1878,8 @@ spec: Values defined by an Env with a duplicate key will take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from @@ -1749,12 +1891,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from @@ -1766,7 +1910,8 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic @@ -1816,7 +1961,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -1824,9 +1970,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -1843,7 +1991,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: @@ -1863,10 +2012,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -1879,7 +2030,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -1922,7 +2074,8 @@ spec: x-kubernetes-list-type: atomic type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -1930,9 +2083,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -1949,7 +2104,8 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: 
@@ -1969,10 +2125,12 @@ spec: - port type: object sleep: - description: Sleep represents the duration that the container should sleep before being terminated. + description: Sleep represents the duration that + the container should sleep before being terminated. properties: seconds: - description: Seconds is the number of seconds to sleep. + description: Seconds is the number of seconds + to sleep. format: int64 type: integer required: @@ -1985,7 +2143,8 @@ spec: lifecycle hooks will fail in runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2030,10 +2189,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2048,7 +2209,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- @@ -2056,9 +2218,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- 
@@ -2113,10 +2277,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2168,7 +2334,8 @@ spec: For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: description: |- @@ -2177,7 +2344,8 @@ spec: format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: description: |- @@ -2236,10 +2404,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2254,7 +2424,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -2262,9 +2433,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -2319,10 +2492,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2361,7 +2536,8 @@ spec: resizePolicy: description: Resources resize policy for the container. items: - description: ContainerResizePolicy represents resource resize policy for the container. + description: ContainerResizePolicy represents resource + resize policy for the container. properties: resourceName: description: |- @@ -2397,7 +2573,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -2504,14 +2681,16 @@ spec: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array x-kubernetes-list-type: atomic 
@@ -2573,16 +2752,20 @@ spec: Note that this field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: @@ -2626,7 +2809,8 @@ spec: GMSA credential spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: description: |- @@ -2676,10 +2860,12 @@ spec: format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: @@ -2694,7 +2880,8 @@ spec: - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: description: |- 
@@ -2702,9 +2889,11 @@ spec: "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: description: |- @@ -2759,10 +2948,12 @@ spec: format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: @@ -2840,15 +3031,20 @@ spec: Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - devicePath 
@@ -2863,7 +3059,8 @@ spec: Pod volumes to mount into the container's filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. properties: mountPath: description: |- @@ -2942,7 +3139,9 @@ spec: type: object type: array additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: @@ -2960,7 +3159,8 @@ spec: properties: apiServer: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- @@ -3026,7 +3226,8 @@ spec: type: array controllerManager: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- @@ -3092,7 +3293,8 @@ spec: type: array scheduler: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: description: |- 
@@ -3158,9 +3360,11 @@ spec: type: array type: object additionalVolumes: - description: AdditionalVolumes allows to add additional volumes to the Control Plane deployment. + description: AdditionalVolumes allows to add additional volumes + to the Control Plane deployment. items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. properties: awsElasticBlockStore: description: |- @@ -3198,16 +3402,20 @@ spec: - volumeID type: object azureDisk: - description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. properties: cachingMode: - description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.' + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' type: string diskName: - description: diskName is the Name of the data disk in the blob storage + description: diskName is the Name of the data disk + in the blob storage type: string diskURI: - description: diskURI is the URI of data disk in the blob storage + description: diskURI is the URI of data disk in + the blob storage type: string fsType: description: |- @@ -3216,7 +3424,11 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: - description: 'kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' type: string readOnly: description: |- 
@@ -3228,7 +3440,8 @@ spec: - diskURI type: object azureFile: - description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. properties: readOnly: description: |- @@ -3236,7 +3449,8 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: secretName is the name of secret that contains Azure Storage Account Name and Key + description: secretName is the name of secret that + contains Azure Storage Account Name and Key type: string shareName: description: shareName is the azure share Name @@ -3246,7 +3460,8 @@ spec: - shareName type: object cephfs: - description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime properties: monitors: description: |- @@ -3257,7 +3472,9 @@ spec: type: array x-kubernetes-list-type: atomic path: - description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /' + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' type: string readOnly: description: |- @@ -3331,7 +3548,8 @@ spec: - volumeID type: object configMap: - description: configMap represents a configMap that should populate this volume + description: configMap represents a configMap that should + populate this volume properties: defaultMode: description: |- @@ -3354,7 +3572,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. 
@@ -3389,12 +3608,15 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap + or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic csi: - description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). properties: driver: description: |- @@ -3439,7 +3661,8 @@ spec: - driver type: object downwardAPI: - description: downwardAPI represents downward API about the pod that should populate this volume + description: downwardAPI represents downward API about + the pod that should populate this volume properties: defaultMode: description: |- 
@@ -3454,18 +3677,26 @@ spec: format: int32 type: integer items: - description: Items is a list of downward API volume file + description: Items is a list of downward API volume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - fieldPath @@ -3482,7 +3713,11 @@ spec: format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' type: string resourceFieldRef: description: |- 
@@ -3490,13 +3725,16 @@ spec: (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: @@ -3635,10 +3873,12 @@ spec: For any other third-party types, APIGroup is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string required: - kind @@ -3678,10 +3918,12 @@ spec: For any other third-party types, APIGroup is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string namespace: description: |- 
@@ -3727,17 +3969,22 @@ spec: type: object type: object selector: - description: selector is a label query over volumes to consider for binding. + description: selector is a label query over + volumes to consider for binding. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -3796,7 +4043,8 @@ spec: Value of Filesystem is implied when not included in claim spec. type: string volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. + description: volumeName is the binding reference + to the PersistentVolume backing this claim. type: string type: object required: @@ -3804,7 +4052,9 @@ spec: type: object type: object fc: - description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. properties: fsType: description: |- @@ -3823,7 +4073,8 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array 
@@ -3843,7 +4094,8 @@ spec: provisioned/attached using an exec based plugin. properties: driver: - description: driver is the name of the driver to use for this volume. + description: driver is the name of the driver to + use for this volume. type: string fsType: description: |- @@ -3854,7 +4106,8 @@ spec: options: additionalProperties: type: string - description: 'options is Optional: this field holds extra command options if any.' + description: 'options is Optional: this field holds + extra command options if any.' type: object readOnly: description: |- @@ -3881,7 +4134,9 @@ spec: - driver type: object flocker: - description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running properties: datasetName: description: |- @@ -3889,7 +4144,8 @@ spec: should be considered as deprecated type: string datasetUUID: - description: datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset type: string type: object gcePersistentDisk: @@ -3947,7 +4203,8 @@ spec: description: repository is the URL type: string revision: - description: revision is the commit hash for the specified revision. + description: revision is the commit hash for the + specified revision. type: string required: - repository 
@@ -4010,10 +4267,12 @@ spec: More info: https://examples.k8s.io/volumes/iscsi/README.md properties: chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: chapAuthSession defines whether support iSCSI Session CHAP authentication + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication type: boolean fsType: description: |- @@ -4055,7 +4314,8 @@ spec: Defaults to false. type: boolean secretRef: - description: secretRef is the CHAP Secret for iSCSI target and initiator authentication + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication properties: name: description: |- @@ -4126,7 +4386,9 @@ spec: - claimName type: object photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine properties: fsType: description: |- @@ -4135,13 +4397,15 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string pdID: - description: pdID is the ID that identifies Photon Controller persistent disk + description: pdID is the ID that identifies Photon + Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine properties: fsType: description: |- 
@@ -4155,13 +4419,15 @@ spec: the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: volumeID uniquely identifies a Portworx volume + description: volumeID uniquely identifies a Portworx + volume type: string required: - volumeID type: object projected: - description: projected items for all in one resources secrets, configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: description: |- @@ -4176,7 +4442,8 @@ spec: sources: description: sources is the list of volume projections items: - description: Projection that may be projected along with other supported volume types + description: Projection that may be projected + along with other supported volume types properties: clusterTrustBundle: description: |- @@ -4205,14 +4472,18 @@ spec: everything". properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -4259,7 +4530,8 @@ spec: ClusterTrustBundles. type: boolean path: - description: Relative path from the volume root to write the bundle. + description: Relative path from the volume + root to write the bundle. type: string signerName: description: |- @@ -4271,7 +4543,8 @@ spec: - path type: object configMap: - description: configMap information about the configMap data to project + description: configMap information about the + configMap data to project properties: items: description: |- 
@@ -4283,7 +4556,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. @@ -4318,26 +4592,38 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether + the ConfigMap or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic downwardAPI: - description: downwardAPI information about the downwardAPI data to project + description: downwardAPI information about + the downwardAPI data to project properties: items: - description: Items is a list of DownwardAPIVolume file + description: Items is a list of DownwardAPIVolume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.' + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field + to select in the specified + API version. type: string required: - fieldPath 
@@ -4354,7 +4640,13 @@ spec: format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' type: string resourceFieldRef: description: |- @@ -4362,17 +4654,22 @@ spec: (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: + required for volumes, optional + for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + description: Specifies the output + format of the exposed resources, + defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' + description: 'Required: resource + to select' type: string required: - resource @@ -4385,7 +4682,8 @@ spec: x-kubernetes-list-type: atomic type: object secret: - description: secret information about the secret data to project + description: secret information about the + secret data to project properties: items: description: |- @@ -4397,7 +4695,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. 
@@ -4432,12 +4731,14 @@ spec: TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: - description: optional field specify whether the Secret or its key must be defined + description: optional field specify whether + the Secret or its key must be defined type: boolean type: object x-kubernetes-map-type: atomic serviceAccountToken: - description: serviceAccountToken is information about the serviceAccountToken data to project + description: serviceAccountToken is information + about the serviceAccountToken data to project properties: audience: description: |- @@ -4469,7 +4770,8 @@ spec: x-kubernetes-list-type: atomic type: object quobyte: - description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime properties: group: description: |- @@ -4498,7 +4800,8 @@ spec: Defaults to serivceaccount user type: string volume: - description: volume is a string that references an already created Quobyte volume by name. + description: volume is a string that references + an already created Quobyte volume by name. type: string required: - registry @@ -4574,7 +4877,8 @@ spec: - monitors type: object scaleIO: - description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. properties: fsType: description: |- @@ -4584,10 +4888,12 @@ spec: Default is "xfs". type: string gateway: - description: gateway is the host address of the ScaleIO API Gateway. + description: gateway is the host address of the + ScaleIO API Gateway. type: string protectionDomain: - description: protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. type: string readOnly: description: |- 
@@ -4608,7 +4914,8 @@ spec: type: object x-kubernetes-map-type: atomic sslEnabled: - description: sslEnabled Flag enable/disable SSL communication with Gateway, default false + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false type: boolean storageMode: description: |- @@ -4616,10 +4923,12 @@ spec: Default is ThinProvisioned. type: string storagePool: - description: storagePool is the ScaleIO Storage Pool associated with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: system is the name of the storage system as configured in ScaleIO. + description: system is the name of the storage system + as configured in ScaleIO. type: string volumeName: description: |- @@ -4657,7 +4966,8 @@ spec: the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. @@ -4686,7 +4996,8 @@ spec: type: array x-kubernetes-list-type: atomic optional: - description: optional field specify whether the Secret or its keys must be defined + description: optional field specify whether the + Secret or its keys must be defined type: boolean secretName: description: |- @@ -4695,7 +5006,8 @@ spec: type: string type: object storageos: - description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. properties: fsType: description: |- 
@@ -4737,7 +5049,8 @@ spec: type: string type: object vsphereVolume: - description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine properties: fsType: description: |- @@ -4746,13 +5059,17 @@ spec: Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. type: string storagePolicyName: - description: storagePolicyName is the storage Policy Based Management (SPBM) profile name. + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. type: string volumePath: - description: volumePath is the path that identifies vSphere volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath @@ -4767,7 +5084,8 @@ spec: More info: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/ properties: nodeAffinity: - description: Describes node affinity scheduling rules for the pod. + description: Describes node affinity scheduling rules + for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- 
@@ -4786,17 +5104,20 @@ spec: (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated with the corresponding weight. + description: A node selector term, associated + with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4821,14 +5142,16 @@ spec: type: array x-kubernetes-list-type: atomic matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4855,7 +5178,9 @@ spec: type: object x-kubernetes-map-type: atomic weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. format: int32 type: integer required: 
@@ -4873,7 +5198,8 @@ spec: may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. + description: Required. A list of node selector + terms. The terms are ORed. items: description: |- A null or empty node selector term matches no objects. The requirements of @@ -4881,14 +5207,16 @@ spec: The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4913,14 +5241,16 @@ spec: type: array x-kubernetes-list-type: atomic matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: description: |- @@ -4954,7 +5284,9 @@ spec: x-kubernetes-map-type: atomic type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- 
@@ -4968,10 +5300,13 @@ spec: "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: description: |- @@ -4979,14 +5314,18 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- 
@@ -5058,14 +5397,18 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -5155,14 +5498,17 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- @@ -5234,14 +5580,17 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- 
@@ -5299,7 +5648,9 @@ spec: x-kubernetes-list-type: atomic type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- @@ -5313,10 +5664,13 @@ spec: "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: description: |- @@ -5324,14 +5678,18 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- 
@@ -5403,14 +5761,18 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: description: |- @@ -5500,14 +5862,17 @@ spec: If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- @@ -5579,14 +5944,17 @@ spec: An empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: description: |- 
@@ -5660,7 +6028,8 @@ spec: type: string type: array kine: - description: Available only if Kamaji is running using Kine as backing storage. + description: Available only if Kamaji is running using + Kine as backing storage. items: type: string type: array @@ -5677,6 +6046,20 @@ spec: Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ type: object + podAdditionalMetadata: + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object registrySettings: default: apiServerImage: kube-apiserver @@ -5715,7 +6098,8 @@ spec: (kube-apiserver, controller-manager, and scheduler). properties: apiServer: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5729,7 +6113,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5770,7 +6155,8 @@ spec: type: object type: object controllerManager: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5784,7 +6170,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- 
@@ -5841,7 +6228,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5882,7 +6270,8 @@ spec: type: object type: object scheduler: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: description: |- @@ -5896,7 +6285,8 @@ spec: This field is immutable. It can only be set for containers. items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: description: |- @@ -5945,6 +6335,11 @@ spec: empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class type: string + serviceAccountName: + default: default + description: ServiceAccountName allows to specify the service + account to be mounted to the pods of the Control plane deployment + type: string strategy: default: rollingUpdate: @@ -5998,7 +6393,8 @@ spec: x-kubernetes-int-or-string: true type: object type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. + description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. type: string type: object tolerations: @@ -6049,7 +6445,8 @@ spec: In case of nil underlying LabelSelector, the Kamaji one for the given Tenant Control Plane will be used. All topologySpreadConstraints are ANDed. items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. properties: labelSelector: description: |- 
@@ -6058,14 +6455,16 @@ spec: in their corresponding topology domain. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: description: |- @@ -6225,10 +6624,13 @@ spec: type: array type: object ingress: - description: Defining the options for an Optional Ingress which will expose API Server of the Tenant Control Plane + description: Defining the options for an Optional Ingress which + will expose API Server of the Tenant Control Plane properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: @@ -6248,10 +6650,13 @@ spec: type: string type: object service: - description: Defining the options for the Tenant Control Plane Service resource. + description: Defining the options for the Tenant Control Plane + Service resource. properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: 
@@ -6263,7 +6668,8 @@ spec: type: object type: object serviceType: - description: ServiceType allows specifying how to expose the Tenant Control Plane. + description: ServiceType allows specifying how to expose the + Tenant Control Plane. enum: - ClusterIP - NodePort @@ -6445,7 +6851,8 @@ spec: - enabled type: object konnectivity: - description: KonnectivityStatus defines the status of Konnectivity as Addon. + description: KonnectivityStatus defines the status of Konnectivity + as Addon. properties: agent: properties: @@ -6490,7 +6897,8 @@ spec: enabled: type: boolean kubeconfig: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the + generated kubeconfig. properties: checksum: type: string 
@@ -6512,12 +6920,24 @@ spec: type: string type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for + the Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the + field path .status.conditions. For example,\n\n\n\ttype + FooStatus struct{\n\t // Represents the observations + of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- 
@@ -6551,7 +6971,8 @@ spec: pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, + False, Unknown. enum: - "True" - "False" @@ -6631,7 +7052,9 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of + the service port of which status is + recorded here format: int32 type: integer protocol: @@ -6654,7 +7077,8 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running @@ -6719,10 +7143,12 @@ spec: type: string type: object etcd: - description: ETCDCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificatesStatus defines the observed state + of ETCD Certificate for API server. properties: apiServer: - description: APIServerCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: APIServerCertificatesStatus defines the observed + state of ETCD Certificate for API server. properties: checksum: type: string @@ -6733,7 +7159,8 @@ spec: type: string type: object ca: - description: ETCDCertificateStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificateStatus defines the observed state + of ETCD Certificate for API server. properties: checksum: type: string 
@@ -6779,13 +7206,16 @@ spec: type: object type: object controlPlaneEndpoint: - description: ControlPlaneEndpoint contains the status of the kubernetes control plane + description: ControlPlaneEndpoint contains the status of the kubernetes + control plane type: string kubeadmPhase: - description: KubeadmPhase contains the status of the kubeadm phases action + description: KubeadmPhase contains the status of the kubeadm phases + action properties: bootstrapToken: - description: KubeadmPhaseStatus contains the status of a kubeadm phase action. + description: KubeadmPhaseStatus contains the status of a kubeadm + phase action. properties: checksum: type: string @@ -6797,7 +7227,8 @@ spec: - bootstrapToken type: object kubeadmconfig: - description: KubeadmConfig contains the status of the configuration required by kubeadm + description: KubeadmConfig contains the status of the configuration + required by kubeadm properties: checksum: description: Checksum of the kubeadm configuration to detect changes @@ -6809,10 +7240,12 @@ spec: type: string type: object kubeconfig: - description: KubeConfig contains information about the kubenconfigs that control plane pieces need + description: KubeConfig contains information about the kubenconfigs + that control plane pieces need properties: admin: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -6823,7 +7256,8 @@ spec: type: string type: object controllerManager: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string 
@@ -6834,7 +7268,8 @@ spec: type: string type: object scheduler: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -6846,13 +7281,16 @@ spec: type: object type: object kubernetesResources: - description: Kubernetes contains information about the reconciliation of the required Kubernetes resources deployed in the admin cluster + description: Kubernetes contains information about the reconciliation + of the required Kubernetes resources deployed in the admin cluster properties: deployment: - description: KubernetesDeploymentStatus defines the status for the Tenant Control Plane Deployment in the management cluster. + description: KubernetesDeploymentStatus defines the status for + the Tenant Control Plane Deployment in the management cluster. properties: availableReplicas: - description: Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + description: Total number of available pods (ready for at + least minReadySeconds) targeted by this deployment. format: int32 type: integer collisionCount: @@ -6863,12 +7301,15 @@ spec: format: int32 type: integer conditions: - description: Represents the latest available observations of a deployment's current state. + description: Represents the latest available observations + of a deployment's current state. items: - description: DeploymentCondition describes the state of a deployment at a certain point. + description: DeploymentCondition describes the state of + a deployment at a certain point. properties: lastTransitionTime: - description: Last time the condition transitioned from one status to another. + description: Last time the condition transitioned from + one status to another. format: date-time type: string lastUpdateTime: 
@@ -6876,13 +7317,15 @@ spec: format: date-time type: string message: - description: A human readable message indicating details about the transition. + description: A human readable message indicating details + about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: - description: Status of the condition, one of True, False, Unknown. + description: Status of the condition, one of True, False, + Unknown. type: string type: description: Type of deployment condition. @@ -6903,22 +7346,26 @@ spec: description: The name of the Deployment for the given cluster. type: string namespace: - description: The namespace which the Deployment for the given cluster is deployed. + description: The namespace which the Deployment for the given + cluster is deployed. type: string observedGeneration: description: The generation observed by the deployment controller. format: int64 type: integer readyReplicas: - description: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + description: readyReplicas is the number of pods targeted + by this Deployment with a Ready Condition. format: int32 type: integer replicas: - description: Total number of non-terminated pods targeted by this deployment (their labels match the selector). + description: Total number of non-terminated pods targeted + by this deployment (their labels match the selector). format: int32 type: integer selector: - description: Selector is the label selector used to group the Tenant Control Plane Pods used by the scale subresource. + description: Selector is the label selector used to group + the Tenant Control Plane Pods used by the scale subresource. type: string unavailableReplicas: description: |- 
@@ -6928,7 +7375,8 @@ spec: format: int32 type: integer updatedReplicas: - description: Total number of non-terminated pods targeted by this deployment that have the desired template spec. + description: Total number of non-terminated pods targeted + by this deployment that have the desired template spec. format: int32 type: integer required: 
@@ -6937,26 +7385,34 @@ spec: - selector type: object ingress: - description: KubernetesIngressStatus defines the status for the Tenant Control Plane Ingress in the management cluster. + description: KubernetesIngressStatus defines the status for the + Tenant Control Plane Ingress in the management cluster. properties: loadBalancer: - description: loadBalancer contains the current status of the load-balancer. + description: loadBalancer contains the current status of the + load-balancer. properties: ingress: - description: ingress is a list containing ingress points for the load-balancer. + description: ingress is a list containing ingress points + for the load-balancer. items: - description: IngressLoadBalancerIngress represents the status of a load-balancer ingress point. + description: IngressLoadBalancerIngress represents the + status of a load-balancer ingress point. properties: hostname: - description: hostname is set for load-balancer ingress points that are DNS based. + description: hostname is set for load-balancer ingress + points that are DNS based. type: string ip: - description: ip is set for load-balancer ingress points that are IP based. + description: ip is set for load-balancer ingress + points that are IP based. type: string ports: - description: ports provides information about the ports exposed by this LoadBalancer. + description: ports provides information about the + ports exposed by this LoadBalancer. items: - description: IngressPortStatus represents the error condition of a service port + description: IngressPortStatus represents the + error condition of a service port properties: error: description: |- @@ -6972,7 +7428,8 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: port is the port number of the ingress port. + description: port is the port number of the + ingress port. format: int32 type: integer protocol: 
@@ -6995,19 +7452,32 @@ spec: description: The name of the Ingress for the given cluster. type: string namespace: - description: The namespace which the Ingress for the given cluster is deployed. + description: The namespace which the Ingress for the given + cluster is deployed. type: string required: - name - namespace type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for the + Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}" + description: "Condition contains details for one aspect + of the current state of this API Resource.\n---\nThis + struct is intended for direct use as an array at the field + path .status.conditions. 
For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t + \ // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t + \ // +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- @@ -7041,7 +7511,8 @@ spec: pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, False, + Unknown. enum: - "True" - "False" @@ -7121,7 +7592,9 @@ spec: pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of the + service port of which status is recorded + here format: int32 type: integer protocol: @@ -7144,7 +7617,8 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running 
@@ -7156,11 +7630,13 @@ spec: - port type: object version: - description: KubernetesVersion contains the information regarding the running Kubernetes version, and its upgrade status. + description: KubernetesVersion contains the information regarding + the running Kubernetes version, and its upgrade status. properties: status: default: Provisioning - description: Status returns the current status of the Kubernetes version, such as its provisioning state, or completed upgrade. + description: Status returns the current status of the Kubernetes + version, such as its provisioning state, or completed upgrade. enum: - Provisioning - CertificateAuthorityRotating @@ -7170,12 +7646,14 @@ spec: - NotReady type: string version: - description: Version is the running Kubernetes version of the Tenant Control Plane. + description: Version is the running Kubernetes version of + the Tenant Control Plane. type: string type: object type: object storage: - description: Storage Status contains information about Kubernetes storage system + description: Storage Status contains information about Kubernetes + storage system properties: certificate: properties: diff --git a/packages/system/kamaji/charts/kamaji/templates/controller.yaml b/packages/system/kamaji/charts/kamaji/templates/controller.yaml index 82ddd5cb..e1a73e67 100644 --- a/packages/system/kamaji/charts/kamaji/templates/controller.yaml +++ b/packages/system/kamaji/charts/kamaji/templates/controller.yaml @@ -34,6 +34,9 @@ spec: - --metrics-bind-address={{ .Values.metricsBindAddress }} - --tmp-directory={{ .Values.temporaryDirectoryPath }} - --datastore={{ include "datastore.fullname" . }} + {{- if .Values.telemetry.disabled }} + - --disable-telemetry + {{- end }} {{- if .Values.loggingDevel.enable }} - --zap-devel {{- end }} diff --git a/packages/system/kamaji/charts/kamaji/templates/datastore.yaml b/packages/system/kamaji/charts/kamaji/templates/datastore.yaml index b54ef99a..08631b98 100644 
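Review bot: The `--disable-telemetry` flag is gated on `.Values.telemetry.disabled`, but the new `telemetry.kamaji.clastix.io` webhook added in the validatingwebhookconfiguration.yaml hunk of this same patch is rendered unconditionally, so with telemetry disabled the apiserver still calls `/telemetry` on every CREATE/UPDATE/DELETE of tenantcontrolplanes and, if the controller no longer serves that path, waits for the webhook timeout before `failurePolicy: Ignore` lets the request through. Wrapping that webhook entry in `{{- if not .Values.telemetry.disabled }}` … `{{- end }}` keeps the two settings consistent, and an explicit `timeoutSeconds` on the entry would bound the added latency on the admission path either way. Since values.yaml in this patch defaults `telemetry.disabled` to `false`, a short comment on the flag stating what is reported and where would help operators decide whether to opt out.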
--- a/packages/system/kamaji/charts/kamaji/templates/datastore.yaml +++ b/packages/system/kamaji/charts/kamaji/templates/datastore.yaml @@ -20,9 +20,14 @@ spec: secretReference: {{- .Values.datastore.basicAuth.passwordSecret | toYaml | nindent 8 }} {{- end }} +{{- if .Values.datastore.tlsConfig.enabled }} tlsConfig: certificateAuthority: {{- include "datastore.certificateAuthority" . | indent 6 }} + + {{- if .Values.datastore.tlsConfig.clientCertificate }} clientCertificate: {{- include "datastore.clientCertificate" . | indent 6 }} + {{- end }} +{{- end}} {{- end}} diff --git a/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml b/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml index d981e974..a347443f 100644 --- a/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml +++ b/packages/system/kamaji/charts/kamaji/templates/validatingwebhookconfiguration.yaml @@ -8,6 +8,27 @@ metadata: {{- include "kamaji.labels" $data | nindent 4 }} name: kamaji-validating-webhook-configuration webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "kamaji.webhookServiceName" . }} + namespace: {{ .Release.Namespace }} + path: /telemetry + failurePolicy: Ignore + name: telemetry.kamaji.clastix.io + rules: + - apiGroups: + - kamaji.clastix.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - tenantcontrolplanes + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/packages/system/kamaji/charts/kamaji/values.yaml b/packages/system/kamaji/charts/kamaji/values.yaml index 814f2aa9..03d4f635 100644 --- a/packages/system/kamaji/charts/kamaji/values.yaml +++ b/packages/system/kamaji/charts/kamaji/values.yaml 
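Review bot: `{{- if .Values.datastore.tlsConfig.clientCertificate }}` tests whether the map exists, not whether a client certificate is configured; if the chart's default values declare the `clientCertificate` subkeys with empty values (as the neighbouring `certificateAuthority` block appears to), the map is truthy and the block renders in every install, so the guard should presumably test the concrete secret reference inside it rather than the map. The outer `{{- if .Values.datastore.tlsConfig.enabled }}` also means `enabled: false` produces a DataStore with no `tlsConfig` at all, which deserves a one-line comment here since the `{{- end}}` that closes it is visually identical to the pre-existing one on the last line. Minor style: the new closing tag is written `{{- end}}` while the other tags in this hunk use `{{- end }}`.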
@@ -60,7 +60,7 @@ etcd: # -- The custom annotations to add to the PVC customAnnotations: {} # volumeType: local - + # -- (array) Kubernetes affinity rules to apply to Kamaji etcd pods tolerations: [] @@ -162,7 +162,7 @@ loggingDevel: datastore: # -- (bool) Enable the Kamaji Datastore creation (default=true) enabled: true - # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. + # -- (string) The Datastore name override, if empty and enabled=true defaults to `default`, if enabled=false, this is the name of the Datastore to connect to. nameOverride: # -- (string) The Kamaji Datastore driver, supported: etcd, MySQL, PostgreSQL (defaults=etcd). driver: etcd @@ -184,6 +184,7 @@ datastore: # -- The Secret key where the data is stored. keyPath: tlsConfig: + enabled: true certificateAuthority: certificate: # -- Name of the Secret containing the CA required to establish the mandatory SSL/TLS connection to the datastore. @@ -218,4 +219,9 @@ datastore: cfssl: image: repository: cfssl/cfssl - tag: latest \ No newline at end of file + tag: latest + +# -- Disable the analytics traces collection +telemetry: + disabled: false + \ No newline at end of file diff --git a/packages/system/kamaji/values.yaml b/packages/system/kamaji/values.yaml index de677502..2ef13714 100644 --- a/packages/system/kamaji/values.yaml +++ b/packages/system/kamaji/values.yaml @@ -1,8 +1,3 @@ kamaji: etcd: deploy: false - - # Fix https://github.com/clastix/kamaji/pull/467 - image: - repository: ghcr.io/kvaps/test - tag: kamaji-v0.6.0-fix diff --git a/packages/system/kubeovn/Makefile b/packages/system/kubeovn/Makefile index 783005ba..ce53fcfe 100644 --- a/packages/system/kubeovn/Makefile +++ b/packages/system/kubeovn/Makefile 
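Review bot: Adding `tlsConfig.enabled: true` makes the unchanged comment a few lines below it — "the CA required to establish the mandatory SSL/TLS connection to the datastore" — inaccurate, since TLS is now optional; reword it to `# -- Name of the Secret containing the CA used for the TLS connection to the datastore (used only when tlsConfig.enabled=true).` The new `telemetry: disabled: false` ships analytics on by default with a comment that does not say what is collected or where it goes; the values comment should at least read `# -- Disable the analytics traces collection (set to true for air-gapped or privacy-sensitive installs)`, with the destination added once confirmed from the controller code. The file also still ends without a trailing newline and with a whitespace-only last line.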
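Review bot: Dropping the `ghcr.io/kvaps/test` image override leaves this values file setting only `etcd.deploy: false`, so the chart defaults from the same commit apply and Kamaji's analytics collection stays enabled on every Cozystack installation (the vendored chart values set `telemetry.disabled: false`). Platform installs are frequently air-gapped or privacy-constrained, so opt out here explicitly with `kamaji:` / `  telemetry:` / `    disabled: true`. If the intent is to keep telemetry on, say so in a comment so the default is a conscious choice rather than an inheritance from upstream.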
@@ -1,7 +1,7 @@ KUBEOVN_TAG = v1.13.0 -NAME=kubeovn -NAMESPACE=cozy-$(NAME) +export NAME=kubeovn +export NAMESPACE=cozy-$(NAME) include ../../../scripts/common-envs.mk include ../../../scripts/package-system.mk @@ -10,7 +10,7 @@ update: rm -rf charts && mkdir -p charts/kube-ovn curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/heads/master.tar.gz | \ tar xzvf - --strip 1 kube-ovn-master/charts - patch -p4 --no-backup-if-mismatch < patches/cozyconfig.diff + patch --no-backup-if-mismatch -p4 < patches/cozyconfig.diff ln -s ../../images charts/kube-ovn/images sed -i '/image:/ s/{{.*}}/{{ include "kubeovn.image" . }}/g' `grep -rl image: charts/kube-ovn/templates/` diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json index b6bf0857..3c163b02 100644 --- a/packages/system/kubeovn/images/kubeovn.json +++ b/packages/system/kubeovn/images/kubeovn.json 
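Review bot: `KUBEOVN_TAG = v1.13.0` pins the image tag, but the `update` target still downloads `refs/heads/master.tar.gz`, so the vendored chart is whatever kube-ovn's master branch held on the day someone ran `make update` and cannot be reproduced or audited against the tagged release the images come from. Fetch the archive that matches the tag instead, e.g. `curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/tags/$(KUBEOVN_TAG).tar.gz | tar xzvf - --strip 1 kube-ovn-$(KUBEOVN_TAG:v%=%)/charts` (GitHub tag archives drop the leading `v` from the directory name; verify against the tarball before relying on it). The `patch --no-backup-if-mismatch -p4` argument reorder itself is harmless.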
@@ -1,4 +1,41 @@ { - "containerimage.config.digest": "sha256:b3d76d1764c8c470a32b4d3b19e48592eda547710e8e6508666930e1db1b4cb3", - "containerimage.digest": "sha256:e5275d3a367aba3b4a7ec0bf25583cc21241e320da2ffd86f5c9cf4a7f6fac77" + "buildx.build.provenance": { + "buildType": "https://mobyproject.org/buildkit@v1", + "materials": [ + { + "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64", + "digest": { + "sha256": "b383903ab2427169bfd27ac49ec1f835e01be552dd391aae92a63d6a5d04f05d" + } + }, + { + "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", + "digest": { + "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad" + } + } + ], + "invocation": { + "configSource": { + "entryPoint": "Dockerfile" + }, + "parameters": { + "frontend": "dockerfile.v0", + "locals": [ + { + "name": "context" + }, + { + "name": "dockerfile" + } + ] + }, + "environment": { + "platform": "linux/amd64" + } + } + }, + "buildx.build.ref": "amd64/amd64/59sogfe3191kwbdbmplhsarwj", + "containerimage.config.digest": "sha256:c60b915c03796938fee46e305997e540bd71f688f9f6b7c4b5846168501768fb", + "containerimage.digest": "sha256:731d2f079c6ef243731f2f7fd70f36b4da4c50626622b496241ecfe9f98913c0" } \ No newline at end of file diff --git a/packages/system/kubevirt-cdi-operator/Makefile b/packages/system/kubevirt-cdi-operator/Makefile index b34c0f0f..6cf08193 100644 --- a/packages/system/kubevirt-cdi-operator/Makefile +++ b/packages/system/kubevirt-cdi-operator/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt-cdi-operator -NAMESPACE=cozy-kubevirt-cdi +export NAME=kubevirt-cdi-operator +export NAMESPACE=cozy-kubevirt-cdi include ../../../scripts/package-system.mk diff --git a/packages/system/kubevirt-cdi/Makefile b/packages/system/kubevirt-cdi/Makefile index 09e37e3e..c6209a54 100644 --- a/packages/system/kubevirt-cdi/Makefile +++ b/packages/system/kubevirt-cdi/Makefile 
@@ -1,5 +1,5 @@ -NAME=kubevirt-cdi -NAMESPACE=cozy-$(NAME) +export NAME=kubevirt-cdi +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/kubevirt-operator/Makefile b/packages/system/kubevirt-operator/Makefile index 8f4de121..cea1a529 100644 --- a/packages/system/kubevirt-operator/Makefile +++ b/packages/system/kubevirt-operator/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt-operator -NAMESPACE=cozy-kubevirt +export NAME=kubevirt-operator +export NAMESPACE=cozy-kubevirt include ../../../scripts/package-system.mk diff --git a/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml b/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml index 236cd3de..ed9f9d03 100644 --- a/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml +++ b/packages/system/kubevirt-operator/templates/kubevirt-operator.yaml @@ -354,6 +354,7 @@ spec: type: boolean type: object emulatedMachines: + description: Deprecated. Use architectureConfiguration instead. items: type: string type: array @@ -624,6 +625,22 @@ spec: binding: additionalProperties: properties: + domainAttachmentType: + description: 'DomainAttachmentType is a standard domain + network attachment method kubevirt supports. Supported + values: "tap". The standard domain attachment can + be used instead or in addition to the sidecarImage. + version: 1alphav1' + type: string + migration: + description: 'Migration means the VM using the plugin + can be safely migrated version: 1alphav1' + properties: + method: + description: 'Method defines a pre-defined migration + methodology version: 1alphav1' + type: string + type: object networkAttachmentDefinition: description: 'NetworkAttachmentDefinition references to a NetworkAttachmentDefinition CR object. Format: 
@@ -650,6 +667,7 @@ spec: type: boolean type: object ovmfPath: + description: Deprecated. Use architectureConfiguration instead. type: string permittedHostDevices: description: PermittedHostDevices holds information about devices @@ -883,6 +901,14 @@ spec: AutoattachSerialConsole is disabled. type: object type: object + vmRolloutStrategy: + description: VMRolloutStrategy defines how changes to a VM object + propagate to its VMI + enum: + - Stage + - LiveUpdate + nullable: true + type: string vmStateStorageClass: description: VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. @@ -3422,6 +3448,7 @@ spec: type: boolean type: object emulatedMachines: + description: Deprecated. Use architectureConfiguration instead. items: type: string type: array @@ -3692,6 +3719,22 @@ spec: binding: additionalProperties: properties: + domainAttachmentType: + description: 'DomainAttachmentType is a standard domain + network attachment method kubevirt supports. Supported + values: "tap". The standard domain attachment can + be used instead or in addition to the sidecarImage. + version: 1alphav1' + type: string + migration: + description: 'Migration means the VM using the plugin + can be safely migrated version: 1alphav1' + properties: + method: + description: 'Method defines a pre-defined migration + methodology version: 1alphav1' + type: string + type: object networkAttachmentDefinition: description: 'NetworkAttachmentDefinition references to a NetworkAttachmentDefinition CR object. Format: @@ -3718,6 +3761,7 @@ spec: type: boolean type: object ovmfPath: + description: Deprecated. Use architectureConfiguration instead. type: string permittedHostDevices: description: PermittedHostDevices holds information about devices 
@@ -3951,6 +3995,14 @@ spec: AutoattachSerialConsole is disabled. type: object type: object + vmRolloutStrategy: + description: VMRolloutStrategy defines how changes to a VM object + propagate to its VMI + enum: + - Stage + - LiveUpdate + nullable: true + type: string vmStateStorageClass: description: VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM. @@ -6970,6 +7022,13 @@ rules: - get - list - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list - apiGroups: - subresources.kubevirt.io resources: @@ -7275,6 +7334,13 @@ rules: - get - list - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list - apiGroups: - subresources.kubevirt.io resources: @@ -7439,14 +7505,14 @@ spec: - virt-operator env: - name: VIRT_OPERATOR_IMAGE - value: quay.io/kubevirt/virt-operator:v1.1.0 + value: quay.io/kubevirt/virt-operator:v1.2.2 - name: WATCH_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.annotations['olm.targetNamespaces'] - name: KUBEVIRT_VERSION - value: v1.1.0 - image: quay.io/kubevirt/virt-operator:v1.1.0 + value: v1.2.2 + image: quay.io/kubevirt/virt-operator:v1.2.2 imagePullPolicy: IfNotPresent name: virt-operator ports: diff --git a/packages/system/kubevirt/Makefile b/packages/system/kubevirt/Makefile index 80636712..e939b0f1 100644 --- a/packages/system/kubevirt/Makefile +++ b/packages/system/kubevirt/Makefile @@ -1,5 +1,5 @@ -NAME=kubevirt -NAMESPACE=cozy-$(NAME) +export NAME=kubevirt +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/linstor/Makefile b/packages/system/linstor/Makefile index 9191aa74..34e8cd9c 100644 --- a/packages/system/linstor/Makefile +++ b/packages/system/linstor/Makefile @@ -1,4 +1,4 @@ -NAME=linstor -NAMESPACE=cozy-$(NAME) +export NAME=linstor +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk 
diff --git a/packages/system/mariadb-operator/Makefile b/packages/system/mariadb-operator/Makefile index 292fa0aa..a94e4306 100644 --- a/packages/system/mariadb-operator/Makefile +++ b/packages/system/mariadb-operator/Makefile @@ -1,5 +1,5 @@ -NAME=mariadb-operator -NAMESPACE=cozy-$(NAME) +export NAME=mariadb-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/metallb/Makefile b/packages/system/metallb/Makefile index 423bbd50..09085f4e 100644 --- a/packages/system/metallb/Makefile +++ b/packages/system/metallb/Makefile @@ -1,5 +1,5 @@ -NAME=metallb -NAMESPACE=cozy-$(NAME) +export NAME=metallb +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/monitoring/Makefile b/packages/system/monitoring/Makefile index 8ebc1e4c..bfc68669 100644 --- a/packages/system/monitoring/Makefile +++ b/packages/system/monitoring/Makefile @@ -1,5 +1,5 @@ -NAME=monitoring -NAMESPACE=cozy-$(NAME) +export NAME=monitoring +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/piraeus-operator/Makefile b/packages/system/piraeus-operator/Makefile index 222d5ef7..ae459844 100644 --- a/packages/system/piraeus-operator/Makefile +++ b/packages/system/piraeus-operator/Makefile @@ -1,5 +1,5 @@ -NAME=piraeus-operator -NAMESPACE=cozy-linstor +export NAME=piraeus-operator +export NAMESPACE=cozy-linstor include ../../../scripts/package-system.mk diff --git a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml index f2ce5d79..ac8b65cf 100644 --- a/packages/system/piraeus-operator/charts/piraeus/Chart.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/Chart.yaml 
@@ -3,8 +3,8 @@ name: piraeus description: | The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes. type: application -version: 2.5.0 -appVersion: "v2.5.0" +version: 2.5.1 +appVersion: "v2.5.1" maintainers: - name: Piraeus Datastore url: https://piraeus.io diff --git a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml index 4ff5234e..a9e77bc6 100644 --- a/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/templates/config.yaml @@ -20,10 +20,11 @@ data: tag: v1.27.1 image: piraeus-server linstor-satellite: - tag: v1.27.1 + # Pin with digest to ensure we pull the version with downgraded thin-send-recv + tag: v1.27.1@sha256:26037f77d30d5487024e02a808d4ef913b93b745f2bb850cabc7f43a5359adff image: piraeus-server linstor-csi: - tag: v1.5.0 + tag: v1.6.0 image: piraeus-csi drbd-reactor: tag: v1.4.0 @@ -38,11 +39,11 @@ data: tag: v0.10 image: ktls-utils drbd-module-loader: - tag: v9.2.8 + tag: v9.2.9 # The special "match" attribute is used to select an image based on the node's reported OS. # The operator will first check the k8s node's ".status.nodeInfo.osImage" field, and compare it against the list # here. If one matches, that specific image name will be used instead of the fallback image. - image: drbd9-jammy # Fallback image: chose a fairly recent kernel, which can hopefully compile whatever config is actually in use + image: drbd9-noble # Fallback image: chose a recent kernel, which can hopefully compile whatever config is actually in use match: - osImage: CentOS Linux 7 image: drbd9-centos7 @@ -64,6 +65,8 @@ data: image: drbd9-focal - osImage: Ubuntu 22\.04 image: drbd9-jammy + - osImage: Ubuntu 24\.04 + image: drbd9-noble - osImage: Debian GNU/Linux 12 image: drbd9-bookworm - osImage: Debian GNU/Linux 11 
diff --git a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml index 275db553..75952f94 100644 --- a/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/templates/crds.yaml @@ -262,11 +262,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -294,14 +296,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object @@ -814,11 +819,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchFields: description: A list of node selector requirements by node's fields. @@ -846,14 +853,17 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic type: object x-kubernetes-map-type: atomic type: array + x-kubernetes-list-type: atomic required: - nodeSelectorTerms type: object diff --git a/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml b/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml index d10e931c..84cf2948 100644 --- a/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/templates/deployment.yaml 
@@ -92,6 +92,7 @@ spec: runAsNonRoot: true serviceAccountName: {{ include "piraeus-operator.serviceAccountName" . }} terminationGracePeriodSeconds: 10 + priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }} tolerations: {{- toYaml .Values.tolerations | nindent 8 }} volumes: diff --git a/packages/system/piraeus-operator/charts/piraeus/values.yaml b/packages/system/piraeus-operator/charts/piraeus/values.yaml index ada590fe..87ca5064 100644 --- a/packages/system/piraeus-operator/charts/piraeus/values.yaml +++ b/packages/system/piraeus-operator/charts/piraeus/values.yaml @@ -93,6 +93,8 @@ tolerations: effect: NoSchedule affinity: { } +priorityClassName: "" + podDisruptionBudget: enabled: true minAvailable: 1 diff --git a/packages/system/postgres-operator/Makefile b/packages/system/postgres-operator/Makefile index d5e25ee0..037948fc 100644 --- a/packages/system/postgres-operator/Makefile +++ b/packages/system/postgres-operator/Makefile @@ -1,5 +1,5 @@ -NAME=postgres-operator -NAMESPACE=cozy-$(NAME) +export NAME=postgres-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/rabbitmq-operator/Makefile b/packages/system/rabbitmq-operator/Makefile index 143ff227..999958c0 100644 --- a/packages/system/rabbitmq-operator/Makefile +++ b/packages/system/rabbitmq-operator/Makefile @@ -1,5 +1,5 @@ -NAME=rabbitmq-operator -NAMESPACE=cozy-$(NAME) +export NAME=rabbitmq-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/packages/system/redis-operator/Makefile b/packages/system/redis-operator/Makefile index 1fc8474f..28007838 100644 --- a/packages/system/redis-operator/Makefile +++ b/packages/system/redis-operator/Makefile @@ -1,5 +1,5 @@ -NAME=redis-operator -NAMESPACE=cozy-$(NAME) +export NAME=redis-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk 
diff --git a/packages/system/telepresence/Makefile b/packages/system/telepresence/Makefile index ff48731b..31de4820 100644 --- a/packages/system/telepresence/Makefile +++ b/packages/system/telepresence/Makefile @@ -1,5 +1,5 @@ -NAME=traffic-manager -NAMESPACE=cozy-telepresence +export NAME=traffic-manager +export NAMESPACE=cozy-telepresence include ../../../scripts/package-system.mk diff --git a/packages/system/victoria-metrics-operator/Makefile b/packages/system/victoria-metrics-operator/Makefile index 99e28582..5221bfae 100644 --- a/packages/system/victoria-metrics-operator/Makefile +++ b/packages/system/victoria-metrics-operator/Makefile @@ -1,5 +1,5 @@ -NAME=victoria-metrics-operator -NAMESPACE=cozy-$(NAME) +export NAME=victoria-metrics-operator +export NAMESPACE=cozy-$(NAME) include ../../../scripts/package-system.mk diff --git a/scripts/fluxcd-kustomize.sh b/scripts/fluxcd-kustomize.sh new file mode 100755 index 00000000..a0af5a71 --- /dev/null +++ b/scripts/fluxcd-kustomize.sh @@ -0,0 +1,37 @@ +#!/bin/sh +# This scripts adds common fluxcd labels to all objects + +if [ -z "$NAME" ]; then + echo 'Variable $NAME is not set!' >&2 + exit 1 +fi + +if [ -z "$NAMESPACE" ]; then + echo 'Variable $NAMESPACE is not set!' >&2 + exit 1 +fi + +TMP_DIR=$(mktemp -d) +cat - > "${TMP_DIR}/helm-generated-output.yaml" +cat > "${TMP_DIR}/global-labels.yaml" < "${TMP_DIR}/kustomization.yaml" < Date: Thu, 18 Jul 2024 19:55:24 +0200 Subject: [PATCH 63/67] Unsuspend system helmreleases on cozystack restart (#219) Developers ofthen forget to unsuspend helm releases after the local development (I do!) This change make ensure that all system helm charts are getting reconciled by flux after cozystack container restart Signed-off-by: Andrei Kvapil --- packages/core/platform/templates/helmreleases.yaml | 1 + scripts/installer.sh | 5 +++++ 2 files changed, 6 insertions(+) 
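Review bot: `TMP_DIR=$(mktemp -d)` in the new scripts/fluxcd-kustomize.sh has no matching cleanup in the visible part of the script, and the rendered Helm output — which can contain Secrets — is written there as `helm-generated-output.yaml`; add `trap 'rm -rf "$TMP_DIR"' EXIT` immediately after the mktemp line so rendered manifests do not linger in /tmp after the pipeline finishes. The here-document bodies for `global-labels.yaml` and `kustomization.yaml` are garbled in this view, so I cannot check which labels are written or how `kustomize` is invoked; the script continues past what is shown here.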
diff --git a/packages/core/platform/templates/helmreleases.yaml b/packages/core/platform/templates/helmreleases.yaml index eaee0ea6..54b2e6b5 100644 --- a/packages/core/platform/templates/helmreleases.yaml +++ b/packages/core/platform/templates/helmreleases.yaml @@ -19,6 +19,7 @@ metadata: namespace: {{ $x.namespace }} labels: cozystack.io/repository: system + cozystack.io/system-app: "true" spec: interval: 5m releaseName: {{ $x.releaseName | default $x.name }} diff --git a/scripts/installer.sh b/scripts/installer.sh index 6d08a3bf..5a924002 100755 --- a/scripts/installer.sh +++ b/scripts/installer.sh @@ -79,6 +79,11 @@ fi # Reconcile Helm repositories kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite +# Unsuspend all system charts +kubectl get hr -A -l cozystack.io/system-app=true --no-headers | while read namespace name rest; do + kubectl patch hr -n "$namespace" "$name" -p '{"spec": {"suspend": null}}' --type=merge --field-manager=flux-client-side-apply +done + # Reconcile platform chart trap 'exit' INT TERM while true; do From c9e0d63b770423cc26f25df0c1963b269f1cf8a1 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 18 Jul 2024 15:22:09 +0200 Subject: [PATCH 64/67] Rename system releases to have -system suffix Signed-off-by: Andrei Kvapil --- packages/extra/ingress/Chart.yaml | 2 +- packages/extra/ingress/templates/nginx-ingress.yaml | 2 +- packages/extra/monitoring/Chart.yaml | 2 +- .../extra/monitoring/templates/oncall/oncall-release.yaml | 2 +- packages/extra/versions_map | 6 ++++-- 5 files changed, 8 insertions(+), 6 deletions(-) diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index b646aedb..2242c766 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml 
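Review bot: The unsuspend loop uses `while read namespace name rest` without `-r`, and it clears `spec.suspend` on every HelmRelease carrying `cozystack.io/system-app=true` unconditionally, so a release an operator suspended on purpose — to halt a bad rollout or freeze a version during an incident — is silently re-enabled the next time the installer container restarts; the commit message targets forgotten dev-time suspends, but the script cannot tell the two cases apart. Use `while read -r namespace name _; do` and honour an opt-out label, e.g. select with `-l 'cozystack.io/system-app=true,cozystack.io/keep-suspended!=true'`, so an intentional suspend survives a restart. If the script does not already set `set -o pipefail` outside this hunk, a failing `kubectl get` is swallowed by the pipe and the loop simply does nothing.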
@@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg type: application -version: 1.2.0 +version: 1.3.0 diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml index 43a3a9a6..646a156e 100644 --- a/packages/extra/ingress/templates/nginx-ingress.yaml +++ b/packages/extra/ingress/templates/nginx-ingress.yaml @@ -1,7 +1,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: ingress-nginx + name: ingress-nginx-system spec: chart: spec: diff --git a/packages/extra/monitoring/Chart.yaml b/packages/extra/monitoring/Chart.yaml index 0c28c1bf..6ee67af7 100644 --- a/packages/extra/monitoring/Chart.yaml +++ b/packages/extra/monitoring/Chart.yaml @@ -3,4 +3,4 @@ name: monitoring description: Monitoring and observability stack icon: https://www.svgrepo.com/download/184787/analytics-laptop.svg type: application -version: 1.1.0 +version: 1.2.0 diff --git a/packages/extra/monitoring/templates/oncall/oncall-release.yaml b/packages/extra/monitoring/templates/oncall/oncall-release.yaml index 48416776..7f7ede82 100644 --- a/packages/extra/monitoring/templates/oncall/oncall-release.yaml +++ b/packages/extra/monitoring/templates/oncall/oncall-release.yaml @@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: grafana-oncall + name: grafana-oncall-system labels: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 996103e5..e56c2dec 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map 
@@ -4,6 +4,8 @@ etcd 2.0.1 6fc1cc7d
 etcd 2.1.0 HEAD
 ingress 1.0.0 f642698
 ingress 1.1.0 838bee5d
-ingress 1.2.0 HEAD
+ingress 1.2.0 07d666c0
+ingress 1.3.0 HEAD
 monitoring 1.0.0 f642698
-monitoring 1.1.0 HEAD
+monitoring 1.1.0 15478a88
+monitoring 1.2.0 HEAD
From 85feafc46ef73df0223642754140dcd7b38b65bb Mon Sep 17 00:00:00 2001
From: Marian Koreniuk
Date: Fri, 19 Jul 2024 13:28:46 +0200
Subject: [PATCH 65/67] 71 configure GitHub ci (#113)
Add CI to testing proxmox integration
---------
Signed-off-by: Andrei Kvapil
Signed-off-by: Kingdon Barrett Co-authored-by: Andrei Kvapil Co-authored-by: Nikita <166552198+nbykov0@users.noreply.github.com> Co-authored-by: Kingdon Barrett Co-authored-by: Kingdon Barrett --- .github/workflows/ci.yml | 48 +++ .github/workflows/lint.yml | 48 +++ .github/workflows/linters/.markdown-lint.yml | 7 + .github/workflows/linters/.yaml-lint.yml | 55 +++ Makefile | 2 + packages/apps/clickhouse/.helmignore | 3 + packages/apps/clickhouse/Chart.yaml | 2 +- packages/apps/clickhouse/logos/clickhouse.svg | 1 + packages/apps/ferretdb/.helmignore | 3 + packages/apps/ferretdb/Chart.yaml | 2 +- packages/apps/ferretdb/logos/ferretdb.svg | 54 +++ packages/apps/http-cache/.helmignore | 26 +- packages/apps/http-cache/Chart.yaml | 2 +- packages/apps/http-cache/logos/nginx.svg | 2 + packages/apps/kafka/.helmignore | 3 + packages/apps/kafka/Chart.yaml | 2 +- packages/apps/kafka/logos/kafka.svg | 1 + packages/apps/kubernetes/.helmignore | 26 +- packages/apps/kubernetes/Chart.yaml | 2 +- packages/apps/kubernetes/logos/kubernetes.svg | 84 +++++ packages/apps/mysql/.helmignore | 26 +- packages/apps/mysql/Chart.yaml | 2 +- packages/apps/mysql/logos/mariadb.svg | 12 + packages/apps/postgres/.helmignore | 26 +- packages/apps/postgres/Chart.yaml | 2 +- packages/apps/postgres/logos/postgres.svg | 22 ++ packages/apps/rabbitmq/.helmignore | 26 +- packages/apps/rabbitmq/Chart.yaml | 2 +- packages/apps/rabbitmq/logos/rabbitmq.svg | 2 + packages/apps/redis/.helmignore | 26 +- packages/apps/redis/Chart.yaml | 2 +- packages/apps/redis/logos/redis.svg | 2 + packages/apps/tcp-balancer/.helmignore | 26 +- packages/apps/tcp-balancer/Chart.yaml | 2 +- packages/apps/tcp-balancer/logos/haproxy.svg | 165 ++++++++ packages/apps/tenant/.helmignore | 3 + packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/logos/tenant.svg | 351 ++++++++++++++++++ packages/apps/virtual-machine/.helmignore | 26 +- packages/apps/virtual-machine/Chart.yaml | 2 +- packages/apps/virtual-machine/logos/vm.svg | 2 
+ packages/apps/vpn/.helmignore | 26 +- packages/apps/vpn/Chart.yaml | 2 +- packages/apps/vpn/logos/outline.svg | 64 ++++ .../installer/images/cozystack/Dockerfile | 1 + packages/core/installer/images/matchbox.tag | 2 +- .../core/platform/templates/helmreleases.yaml | 1 + packages/extra/etcd/.helmignore | 3 + packages/extra/etcd/Chart.yaml | 2 +- packages/extra/etcd/logos/etcd.svg | 8 + packages/extra/ingress/.helmignore | 3 + packages/extra/ingress/Chart.yaml | 2 +- .../extra/ingress/logos/ingress-nginx.svg | 57 +++ packages/extra/monitoring/.helmignore | 3 + packages/extra/monitoring/Chart.yaml | 2 +- .../extra/monitoring/logos/monitoring.svg | 51 +++ packages/system/dashboard/.helmignore | 1 + packages/system/dashboard/Makefile | 1 + .../templates/frontend/configmap.yaml | 6 + packages/system/dashboard/patches/logos.patch | 15 + scripts/common-envs.mk | 3 +- scripts/installer.sh | 5 + 62 files changed, 1135 insertions(+), 225 deletions(-) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/lint.yml create mode 100644 .github/workflows/linters/.markdown-lint.yml create mode 100644 .github/workflows/linters/.yaml-lint.yml create mode 100644 packages/apps/clickhouse/.helmignore create mode 100644 packages/apps/clickhouse/logos/clickhouse.svg create mode 100644 packages/apps/ferretdb/.helmignore create mode 100644 packages/apps/ferretdb/logos/ferretdb.svg create mode 100644 packages/apps/http-cache/logos/nginx.svg create mode 100644 packages/apps/kafka/.helmignore create mode 100644 packages/apps/kafka/logos/kafka.svg create mode 100644 packages/apps/kubernetes/logos/kubernetes.svg create mode 100644 packages/apps/mysql/logos/mariadb.svg create mode 100644 packages/apps/postgres/logos/postgres.svg create mode 100644 packages/apps/rabbitmq/logos/rabbitmq.svg create mode 100644 packages/apps/redis/logos/redis.svg create mode 100644 packages/apps/tcp-balancer/logos/haproxy.svg create mode 100644 packages/apps/tenant/.helmignore create mode 
100644 packages/apps/tenant/logos/tenant.svg create mode 100644 packages/apps/virtual-machine/logos/vm.svg create mode 100644 packages/apps/vpn/logos/outline.svg create mode 100644 packages/extra/etcd/.helmignore create mode 100644 packages/extra/etcd/logos/etcd.svg create mode 100644 packages/extra/ingress/.helmignore create mode 100644 packages/extra/ingress/logos/ingress-nginx.svg create mode 100644 packages/extra/monitoring/.helmignore create mode 100644 packages/extra/monitoring/logos/monitoring.svg create mode 100644 packages/system/dashboard/patches/logos.patch diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..9f401f87 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,48 @@ +--- +name: CI/CD Workflow + +on: + push: + branches: + - main + paths: + - '**.yaml' + - '**/Dockerfile' + - '**/charts/**' + tags: + - 'v*' + +env: + IMAGE_NGINX_CACHE: nginx-cache + REGISTRY: ghcr.io/${{ github.repository_owner }} + PUSH: 1 + LOAD: 1 + NGINX_CACHE_TAG: v0.1.0 + TAG: v0.3.1 + PLATFORM_ARCH: linux/amd64 + +jobs: + build-and-push: + name: Build Cozystack + runs-on: ubuntu-latest + services: + registry: + image: registry:2 + ports: + - 5000:5000 + steps: + - name: Set up Docker Registry + run: | + if [ "$GITHUB_ACTIONS" = "true" ]; then + echo "REGISTRY=ghcr.io/${{ github.repository_owner }}" >> $GITHUB_ENV + else + echo "REGISTRY=localhost:5000/cozystack_local" >> $GITHUB_ENV + fi + + - uses: actions/checkout@v3 + - name: Build usig make + run: | + make + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 00000000..a79650b4 --- /dev/null +++ b/.github/workflows/lint.yml 
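Review bot: The new workflow publishes images (`PUSH: 1`, `REGISTRY: ghcr.io/...`) but declares no `permissions:` block, so the job runs with whatever the repository's default token scope is — write-all on older repos, which is far more than a build needs, or read-only on newer ones, which would make the push fail. Add an explicit least-privilege block at workflow level: `permissions:` / `  contents: read` / `  packages: write`. Pin `actions/checkout@v3` and `docker/setup-qemu-action@v3` to full commit SHAs rather than mutable major tags, since this job holds a token that can publish artifacts. The `else` branch of the "Set up Docker Registry" step is dead inside Actions (`GITHUB_ACTIONS` is always `true` there), so the `localhost:5000` registry service is started but never used — drop it or key the choice on a workflow input; and the step name `Build usig make` has a typo.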
@@ -0,0 +1,48 @@ +name: Lint + +on: + push: + branches: [ main ] # Lint only on pushes to the main branch + pull_request: + branches: [ main ] # Lint on PRs targeting the main branch + +permissions: + contents: read + +jobs: + lint: + name: Super-Linter + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Run Super-Linter + uses: github/super-linter@v4 + env: + # To report GitHub Actions status checks + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VALIDATE_ALL_CODEBASE: false # Lint only changed files + VALIDATE_TERRAFORM: false # Disable Terraform linting (remove if you need it) + DEFAULT_BRANCH: main # Set your default branch + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Enable only the linters you need for your project + VALIDATE_JAVASCRIPT_ES: true + VALIDATE_PYTHON_BLACK: true + VALIDATE_HTML: false + VALIDATE_GO: false + VALIDATE_XML: false + VALIDATE_JAVA: false + VALIDATE_DOCKERFILE: false + # turn off JSCPD copy/paste detection, which results in lots of results for examples and devops repos + VALIDATE_JSCPD: false + # turn off shfmt shell formatter as we already have shellcheck + VALIDATE_SHELL_SHFMT: false + VALIDATE_EDITORCONFIG: false + # prevent Kubernetes CRD API's from causing kubeval to fail + # also change schema location to an up-to-date list + # https://github.com/yannh/kubernetes-json-schema/#kubeval + KUBERNETES_KUBEVAL_OPTIONS: --ignore-missing-schemas --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/ diff --git a/.github/workflows/linters/.markdown-lint.yml b/.github/workflows/linters/.markdown-lint.yml new file mode 100644 index 00000000..335724b4 --- /dev/null +++ b/.github/workflows/linters/.markdown-lint.yml @@ -0,0 +1,7 @@ +--- + # MD013/line-length - Line length + MD013: + # Number of characters, default is 80 + line_length: 9999 + # check code blocks? + code_blocks: false 
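Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` appears twice in the `env:` map of the Super-Linter step; duplicate mapping keys are invalid YAML and GitHub's workflow parser rejects them with a duplicate-key error, so this workflow will most likely never run — delete the second occurrence (the one after `DEFAULT_BRANCH: main`). The comment "To report GitHub Actions status checks" also contradicts the `permissions:` block, which grants only `contents: read`; super-linter needs `statuses: write` to post per-linter checks, so either add `statuses: write` or drop the comment. Pin `github/super-linter@v4` to a commit SHA (and consider the newer super-linter releases that superseded v4), since it runs with the repository token.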
diff --git a/.github/workflows/linters/.yaml-lint.yml b/.github/workflows/linters/.yaml-lint.yml new file mode 100644 index 00000000..95afab76 --- /dev/null +++ b/.github/workflows/linters/.yaml-lint.yml @@ -0,0 +1,55 @@ + +yaml-files: +- '*.yaml' +- '*.yml' +- '.yamllint' + +rules: + braces: + level: warning + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: 1 + max-spaces-inside-empty: 5 + brackets: + level: warning + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: 1 + max-spaces-inside-empty: 5 + colons: + level: warning + max-spaces-before: 0 + max-spaces-after: 1 + commas: + level: warning + max-spaces-before: 0 + min-spaces-after: 1 + max-spaces-after: 1 + comments: disable + comments-indentation: disable + document-end: disable + document-start: disable + empty-lines: + level: warning + max: 2 + max-start: 0 + max-end: 0 + hyphens: + level: warning + max-spaces-after: 1 + indentation: + level: warning + spaces: consistent + indent-sequences: true + check-multi-line-strings: false + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + line-length: + max: 130 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: false diff --git a/Makefile b/Makefile index 9ac01626..10a78ae7 100644 --- a/Makefile +++ b/Makefile @@ -20,6 +20,8 @@ repos: make -C packages/system repo make -C packages/apps repo make -C packages/extra repo + mkdir -p _out/logos + cp ./packages/apps/*/logos/*.svg ./packages/extra/*/logos/*.svg _out/logos/ assets: make -C packages/core/installer/ assets diff --git a/packages/apps/clickhouse/.helmignore b/packages/apps/clickhouse/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/clickhouse/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/clickhouse/Chart.yaml b/packages/apps/clickhouse/Chart.yaml index d5ad8600..be47e494 100644 
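Review bot: `line-length` is defined twice under `rules:` — `line-length: disable` in the middle of the block and `line-length: max: 130 ...` at the end — and yamllint loads its configuration with a last-wins parser, so the `disable` is silently overridden and a 130-column limit is enforced while the file reads as if the check were off; keep only one, e.g. delete `line-length: disable` if 130 is the intent. This is exactly the duplicate-key class the config itself turns on with `key-duplicates: enable`, so yamllint would flag its own config if it were ever linted.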
--- a/packages/apps/clickhouse/Chart.yaml +++ b/packages/apps/clickhouse/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: clickhouse description: Managed ClickHouse service -icon: https://cdn.worldvectorlogo.com/logos/clickhouse.svg +icon: /logos/clickhouse.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/clickhouse/logos/clickhouse.svg b/packages/apps/clickhouse/logos/clickhouse.svg new file mode 100644 index 00000000..f2144b5d --- /dev/null +++ b/packages/apps/clickhouse/logos/clickhouse.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/apps/ferretdb/.helmignore b/packages/apps/ferretdb/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/ferretdb/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/ferretdb/Chart.yaml b/packages/apps/ferretdb/Chart.yaml index 6d35a52b..2b7c86e5 100644 --- a/packages/apps/ferretdb/Chart.yaml +++ b/packages/apps/ferretdb/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: ferretdb description: Managed FerretDB service -icon: ferretdb.svg +icon: /logos/ferretdb.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/ferretdb/logos/ferretdb.svg b/packages/apps/ferretdb/logos/ferretdb.svg new file mode 100644 index 00000000..196871e1 --- /dev/null +++ b/packages/apps/ferretdb/logos/ferretdb.svg @@ -0,0 +1,54 @@ + + + + + + + + + + + + diff --git a/packages/apps/http-cache/.helmignore b/packages/apps/http-cache/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/http-cache/.helmignore +++ b/packages/apps/http-cache/.helmignore 
@@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/http-cache/Chart.yaml b/packages/apps/http-cache/Chart.yaml index 716252ae..eb17a386 100644 --- a/packages/apps/http-cache/Chart.yaml +++ b/packages/apps/http-cache/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: http-cache description: Layer7 load balacner and caching service -icon: https://www.svgrepo.com/show/373924/nginx.svg +icon: /logos/nginx.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/http-cache/logos/nginx.svg b/packages/apps/http-cache/logos/nginx.svg new file mode 100644 index 00000000..27062a83 --- /dev/null +++ b/packages/apps/http-cache/logos/nginx.svg @@ -0,0 +1,2 @@ + +file_type_nginx \ No newline at end of file diff --git a/packages/apps/kafka/.helmignore b/packages/apps/kafka/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/kafka/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/kafka/Chart.yaml b/packages/apps/kafka/Chart.yaml index 78be0ce6..193e8d7e 100644 --- a/packages/apps/kafka/Chart.yaml +++ b/packages/apps/kafka/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: kafka description: Managed Kafka service -icon: https://upload.wikimedia.org/wikipedia/commons/0/05/Apache_kafka.svg +icon: /logos/kafka.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/kafka/logos/kafka.svg b/packages/apps/kafka/logos/kafka.svg new file mode 100644 index 00000000..305d8764 --- /dev/null +++ b/packages/apps/kafka/logos/kafka.svg @@ -0,0 +1 @@ + 
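Review bot: The rewrite keeps only `.helmignore`, `/logos` and `/Makefile` and drops the default exclusions for editor and backup files (`*.swp`, `*.bak`, `*.orig`, `*~`) and VCS/IDE directories, so any such stray file present in the chart directory at packaging time now ends up inside the published chart archive. The same replacement is applied to the other app charts in this commit. If the charts are always packaged from a clean checkout this is harmless, but that assumption is worth stating in the file (`# intentionally minimal: charts are packaged from a clean checkout`), or keep at least `*.orig`, `*.bak`, `*~` and `.git/` from the old list.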
diff --git a/packages/apps/kubernetes/.helmignore b/packages/apps/kubernetes/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/kubernetes/.helmignore +++ b/packages/apps/kubernetes/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index cd846685..30811454 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: kubernetes description: Managed Kubernetes service -icon: https://upload.wikimedia.org/wikipedia/commons/thumb/3/39/Kubernetes_logo_without_workmark.svg/723px-Kubernetes_logo_without_workmark.svg.png +icon: /logos/kubernetes.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/kubernetes/logos/kubernetes.svg b/packages/apps/kubernetes/logos/kubernetes.svg new file mode 100644 index 00000000..bedd3b88 --- /dev/null +++ b/packages/apps/kubernetes/logos/kubernetes.svg @@ -0,0 +1,84 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + + + + diff --git a/packages/apps/mysql/.helmignore b/packages/apps/mysql/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/mysql/.helmignore +++ b/packages/apps/mysql/.helmignore 
@@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/mysql/Chart.yaml b/packages/apps/mysql/Chart.yaml index 25f3132d..07321d2a 100644 --- a/packages/apps/mysql/Chart.yaml +++ b/packages/apps/mysql/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: mysql description: Managed MariaDB service -icon: https://static-00.iconduck.com/assets.00/mariadb-icon-512x340-txozryr2.png +icon: /logos/mariadb.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/mysql/logos/mariadb.svg b/packages/apps/mysql/logos/mariadb.svg new file mode 100644 index 00000000..82ff6f87 --- /dev/null +++ b/packages/apps/mysql/logos/mariadb.svg @@ -0,0 +1,12 @@ + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/apps/postgres/.helmignore b/packages/apps/postgres/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/postgres/.helmignore +++ b/packages/apps/postgres/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index eb9ab8cc..0bc35560 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: postgres description: Managed PostgreSQL service -icon: https://cdn-icons-png.flaticon.com/512/5968/5968342.png +icon: /logos/postgres.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/postgres/logos/postgres.svg b/packages/apps/postgres/logos/postgres.svg new file mode 100644 index 00000000..d98e3659 --- /dev/null +++ b/packages/apps/postgres/logos/postgres.svg @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/apps/rabbitmq/.helmignore b/packages/apps/rabbitmq/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/rabbitmq/.helmignore +++ b/packages/apps/rabbitmq/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/rabbitmq/Chart.yaml b/packages/apps/rabbitmq/Chart.yaml index f8f02830..2c43a6b6 100644 --- a/packages/apps/rabbitmq/Chart.yaml +++ b/packages/apps/rabbitmq/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: rabbitmq description: Managed RabbitMQ service -icon: https://static-00.iconduck.com/assets.00/rabbitmq-icon-484x512-s9lfaapn.png +icon: /logos/rabbitmq.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/rabbitmq/logos/rabbitmq.svg b/packages/apps/rabbitmq/logos/rabbitmq.svg new file mode 100644 index 00000000..ab4c8693 --- /dev/null +++ b/packages/apps/rabbitmq/logos/rabbitmq.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/packages/apps/redis/.helmignore b/packages/apps/redis/.helmignore index 0e8a0eb3..1ea0ae84 100644 
--- a/packages/apps/redis/.helmignore +++ b/packages/apps/redis/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/redis/Chart.yaml b/packages/apps/redis/Chart.yaml index 3159738e..8daa1619 100644 --- a/packages/apps/redis/Chart.yaml +++ b/packages/apps/redis/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: redis description: Managed Redis service -icon: https://cdn4.iconfinder.com/data/icons/redis-2/1451/Untitled-2-512.png +icon: /logos/redis.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/redis/logos/redis.svg b/packages/apps/redis/logos/redis.svg new file mode 100644 index 00000000..ed312206 --- /dev/null +++ b/packages/apps/redis/logos/redis.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/packages/apps/tcp-balancer/.helmignore b/packages/apps/tcp-balancer/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/tcp-balancer/.helmignore +++ b/packages/apps/tcp-balancer/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/tcp-balancer/Chart.yaml b/packages/apps/tcp-balancer/Chart.yaml index 8f3a6551..c4e9744f 100644 --- a/packages/apps/tcp-balancer/Chart.yaml 
+++ b/packages/apps/tcp-balancer/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: tcp-balancer description: Layer4 load balancer service -icon: https://cdn.icon-icons.com/icons2/2699/PNG/512/haproxy_logo_icon_171017.png +icon: /logos/haproxy.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/tcp-balancer/logos/haproxy.svg b/packages/apps/tcp-balancer/logos/haproxy.svg new file mode 100644 index 00000000..e2e54609 --- /dev/null +++ b/packages/apps/tcp-balancer/logos/haproxy.svg @@ -0,0 +1,165 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/apps/tenant/.helmignore b/packages/apps/tenant/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/tenant/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 9a866e0f..5f531c11 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: tenant description: Separated tenant namespace -icon: https://upload.wikimedia.org/wikipedia/commons/0/04/User_icon_1.svg +icon: /logos/tenant.svg type: application version: 1.2.0 diff --git a/packages/apps/tenant/logos/tenant.svg b/packages/apps/tenant/logos/tenant.svg new file mode 100644 index 00000000..ea647590 --- /dev/null +++ b/packages/apps/tenant/logos/tenant.svg @@ -0,0 +1,351 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/apps/virtual-machine/.helmignore b/packages/apps/virtual-machine/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/virtual-machine/.helmignore 
+++ b/packages/apps/virtual-machine/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/virtual-machine/Chart.yaml b/packages/apps/virtual-machine/Chart.yaml index 1e2a3c5a..4699d936 100644 --- a/packages/apps/virtual-machine/Chart.yaml +++ b/packages/apps/virtual-machine/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 #name: Virtual Machine name: virtual-machine description: Virtual machine instance -icon: https://www.svgrepo.com/show/448273/azure-vms.svg +icon: /logos/vm.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/virtual-machine/logos/vm.svg b/packages/apps/virtual-machine/logos/vm.svg new file mode 100644 index 00000000..78911027 --- /dev/null +++ b/packages/apps/virtual-machine/logos/vm.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/packages/apps/vpn/.helmignore b/packages/apps/vpn/.helmignore index 0e8a0eb3..1ea0ae84 100644 --- a/packages/apps/vpn/.helmignore +++ b/packages/apps/vpn/.helmignore @@ -1,23 +1,3 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +.helmignore +/logos +/Makefile diff --git a/packages/apps/vpn/Chart.yaml b/packages/apps/vpn/Chart.yaml index f19008c9..b40fe8b2 100644 --- a/packages/apps/vpn/Chart.yaml +++ b/packages/apps/vpn/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: vpn description: Managed VPN service -icon: https://upload.wikimedia.org/wikipedia/commons/thumb/6/60/Outline_VPN_icon.png/600px-Outline_VPN_icon.png +icon: /logos/outline.svg # A chart can be either an 'application' or a 'library' chart. # diff --git a/packages/apps/vpn/logos/outline.svg b/packages/apps/vpn/logos/outline.svg new file mode 100644 index 00000000..b4af2c6d --- /dev/null +++ b/packages/apps/vpn/logos/outline.svg @@ -0,0 +1,64 @@ + + + + + + + Outline web assets + + + + + + + Outline web assets + + + + diff --git a/packages/core/installer/images/cozystack/Dockerfile b/packages/core/installer/images/cozystack/Dockerfile index 7c9652b3..19878805 100644 --- a/packages/core/installer/images/cozystack/Dockerfile +++ b/packages/core/installer/images/cozystack/Dockerfile @@ -33,6 +33,7 @@ COPY scripts /cozystack/scripts COPY --from=builder /src/packages/core /cozystack/packages/core COPY --from=builder /src/packages/system /cozystack/packages/system COPY --from=builder /src/_out/repos /cozystack/assets/repos +COPY --from=builder /src/_out/logos /cozystack/assets/logos COPY --from=k8s-await-election-builder /k8s-await-election /usr/bin/k8s-await-election COPY dashboards /cozystack/assets/dashboards diff --git a/packages/core/installer/images/matchbox.tag b/packages/core/installer/images/matchbox.tag index 7974106d..dadda235 100644 --- a/packages/core/installer/images/matchbox.tag +++ b/packages/core/installer/images/matchbox.tag @@ -1 +1 @@ -mgr.cp.if.ua/matchbox:v1.7.1 +ghcr.io/aenix-io/cozystack/matchbox:v1.7.1 diff --git a/packages/core/platform/templates/helmreleases.yaml b/packages/core/platform/templates/helmreleases.yaml index eaee0ea6..54b2e6b5 100644 --- a/packages/core/platform/templates/helmreleases.yaml +++ b/packages/core/platform/templates/helmreleases.yaml 
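Review bot: `matchbox.tag` now references `ghcr.io/aenix-io/cozystack/matchbox:v1.7.1`, a mutable tag, so unless the consumer of this file combines it with an image digest the installer pulls whatever that tag resolves to at deploy time; the move off the previous private registry is the natural moment to check that. The diffstat of the following commit lists a `packages/core/installer/images/matchbox.json`, which suggests a digest does exist alongside the tag, but nothing in this hunk shows the two being joined — verify that the template reading `matchbox.tag` also appends the `@sha256:…` from the JSON, as is the pattern for content-addressed images in this repo.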
@@ -19,6 +19,7 @@ metadata: namespace: {{ $x.namespace }} labels: cozystack.io/repository: system + cozystack.io/system-app: "true" spec: interval: 5m releaseName: {{ $x.releaseName | default $x.name }} diff --git a/packages/extra/etcd/.helmignore b/packages/extra/etcd/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/extra/etcd/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index 76d426a9..dc79f3f5 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: etcd description: Storage for Kubernetes clusters -icon: https://www.svgrepo.com/show/353714/etcd.svg +icon: /logos/etcd.svg type: application version: 2.1.0 diff --git a/packages/extra/etcd/logos/etcd.svg b/packages/extra/etcd/logos/etcd.svg new file mode 100644 index 00000000..2d5b9fa9 --- /dev/null +++ b/packages/extra/etcd/logos/etcd.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/packages/extra/ingress/.helmignore b/packages/extra/ingress/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/extra/ingress/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index b646aedb..664a41c5 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: ingress description: NGINX Ingress Controller -icon: https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg +icon: /logos/ingress-nginx.svg type: application version: 1.2.0 diff --git a/packages/extra/ingress/logos/ingress-nginx.svg b/packages/extra/ingress/logos/ingress-nginx.svg new file mode 100644 index 00000000..52d351c0 --- /dev/null +++ b/packages/extra/ingress/logos/ingress-nginx.svg 
@@ -0,0 +1,57 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/extra/monitoring/.helmignore b/packages/extra/monitoring/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/extra/monitoring/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/extra/monitoring/Chart.yaml b/packages/extra/monitoring/Chart.yaml index 0c28c1bf..0dfcd509 100644 --- a/packages/extra/monitoring/Chart.yaml +++ b/packages/extra/monitoring/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: monitoring description: Monitoring and observability stack -icon: https://www.svgrepo.com/download/184787/analytics-laptop.svg +icon: /logos/monitoring.svg type: application version: 1.1.0 diff --git a/packages/extra/monitoring/logos/monitoring.svg b/packages/extra/monitoring/logos/monitoring.svg new file mode 100644 index 00000000..1b5a27bf --- /dev/null +++ b/packages/extra/monitoring/logos/monitoring.svg @@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/system/dashboard/.helmignore b/packages/system/dashboard/.helmignore index 43b1c5aa..fd9deb8f 100644 --- a/packages/system/dashboard/.helmignore +++ b/packages/system/dashboard/.helmignore @@ -1,3 +1,4 @@ hack .gitkeep images/*/* +/patches diff --git a/packages/system/dashboard/Makefile b/packages/system/dashboard/Makefile index d17d36aa..b628f3c8 100644 --- a/packages/system/dashboard/Makefile +++ b/packages/system/dashboard/Makefile @@ -15,6 +15,7 @@ update-chart: rm -rf charts/kubeapps/charts/postgresql/ ln -s ../../images charts/kubeapps/images sed -i 's/.cluster.local//g' charts/kubeapps/templates/kubeappsapis/deployment.yaml + patch --no-backup-if-mismatch charts/kubeapps/templates/frontend/configmap.yaml < patches/logos.patch update-dockerfiles: tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/vmware-tanzu/kubeapps | awk -F'[/^]' 'END{print $$3}') && \ 
diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml index d43f521c..955e5fb9 100644 --- a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml @@ -136,4 +136,10 @@ data: proxy_pass {{ printf "http://%s:%d" (include "kubeapps.dashboard.fullname" .) (int .Values.dashboard.service.ports.http) }}; } {{- end }} + + location /logos { + # Add the Authorization header if exists + add_header Authorization $http_authorization; + proxy_pass http://cozystack.cozy-system.svc:80; + } } diff --git a/packages/system/dashboard/patches/logos.patch b/packages/system/dashboard/patches/logos.patch new file mode 100644 index 00000000..e00492db --- /dev/null +++ b/packages/system/dashboard/patches/logos.patch @@ -0,0 +1,15 @@ +diff --git a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +index d43f521..31ff7d5 100644 +--- a/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml ++++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/configmap.yaml +@@ -136,4 +136,10 @@ data: + proxy_pass {{ printf "http://%s:%d" (include "kubeapps.dashboard.fullname" .) (int .Values.dashboard.service.ports.http) }}; + } + {{- end }} ++ ++ location /logos { ++ # Add the Authorization header if exists ++ add_header Authorization $http_authorization; ++ proxy_pass http://cozystack.cozy-system.svc:80; ++ } + } diff --git a/scripts/common-envs.mk b/scripts/common-envs.mk index cf823444..222814d7 100644 --- a/scripts/common-envs.mk +++ b/scripts/common-envs.mk @@ -1,4 +1,5 @@ -REGISTRY ?= ghcr.io/aenix-io/cozystack +REGISTRY := ghcr.io/aenix-io/cozystack + PUSH := 1 LOAD := 0 VERSION = $(patsubst v%,%,$(shell git describe --tags --abbrev=0)) 
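Review bot: `add_header Authorization $http_authorization;` inside `location /logos` sets a *response* header, so whatever bearer token or basic-auth credential the browser sent is echoed back to the client (and to any cache or intermediary in between) instead of being forwarded upstream, which is what the comment says it intends. nginx already passes client request headers, Authorization included, through `proxy_pass` by default, so the line can simply be dropped; if an explicit forward is wanted, the directive is `proxy_set_header Authorization $http_authorization;`. The same lines are duplicated in `patches/logos.patch`, which the dashboard Makefile applies on `update-chart`, so the fix has to land in both places or the next chart refresh reintroduces it. These assets are SVGs served from the dashboard's own origin; if one is ever opened directly rather than embedded via `<img>`, inline script in the file would run in that origin, so a restrictive `add_header Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'";` on this location is cheap insurance.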
diff --git a/scripts/installer.sh b/scripts/installer.sh index ef9add0a..da3d8fd4 100755 --- a/scripts/installer.sh +++ b/scripts/installer.sh @@ -79,6 +79,11 @@ fi # Reconcile Helm repositories kubectl annotate helmrepositories.source.toolkit.fluxcd.io -A -l cozystack.io/repository reconcile.fluxcd.io/requestedAt=$(date +"%Y-%m-%dT%H:%M:%SZ") --overwrite +# Unsuspend all system charts +kubectl get hr -A -l cozystack.io/system-app=true --no-headers | while read namespace name rest; do + kubectl patch hr -n "$namespace" "$name" -p '{"spec": {"suspend": null}}' --type=merge --field-manager=flux-client-side-apply +done + # Reconcile platform chart trap 'exit' INT TERM while true; do From af75a32430b0226607efb6ec089466e32b414f6a Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Fri, 19 Jul 2024 13:30:23 +0200 Subject: [PATCH 66/67] fix kubevirt infrastructure-provider version (#225) Fix wrong version for KubeVirt CAPI provider Signed-off-by: Andrei Kvapil --- packages/system/capi-providers/templates/providers.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/system/capi-providers/templates/providers.yaml b/packages/system/capi-providers/templates/providers.yaml index d3416c1e..7173bef2 100644 --- a/packages/system/capi-providers/templates/providers.yaml +++ b/packages/system/capi-providers/templates/providers.yaml @@ -28,5 +28,5 @@ kind: InfrastructureProvider metadata: name: kubevirt spec: - # https://github.com/kubevirt/cloud-provider-kubevirt - version: v0.5.1 + # https://github.com/kubernetes-sigs/cluster-api-provider-kubevirt + version: v0.1.8 From 0222e417df45b2806c2b1ea405c45aa4a6683ac9 Mon Sep 17 00:00:00 2001 From: Marian Koreniuk Date: Tue, 30 Jul 2024 16:33:51 +0300 Subject: [PATCH 67/67] Sync 0.10.1 to proxmox integration (#242) 
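Review bot: The new loop unsuspends every HelmRelease labelled `cozystack.io/system-app=true` unconditionally, so an operator who deliberately set `spec.suspend: true` on a system chart (to hold back an upgrade or keep a hotfix in place) has that override silently reverted on the next installer run, with nothing logged. If that is the intended contract, say so in the comment — `# Unsuspend all system charts (overrides any manual spec.suspend set by an operator)` — and echo each release as it is patched; otherwise limit the patch to releases the installer itself suspended, e.g. via a marker annotation it sets and checks. Also use `read -r namespace name rest` so a backslash in a name is not interpreted by `read`.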
Signed-off-by: Andrei Kvapil Co-authored-by: Mr Khachaturov <105451445+mrkhachaturov@users.noreply.github.com> Co-authored-by: Andrei Kvapil --- manifests/cozystack-installer.yaml | 4 +- packages/apps/ferretdb/values2.yaml | 56 ++ .../apps/http-cache/images/nginx-cache.json | 16 +- packages/apps/kafka/Chart.yaml | 2 +- packages/apps/kafka/templates/kafka.yaml | 14 + packages/apps/kafka/templates/topics.yaml | 4 +- packages/apps/kubernetes/Chart.yaml | 2 +- .../images/ubuntu-container-disk.json | 16 +- .../cluster-autoscaler/deployment.yaml | 1 + .../apps/kubernetes/templates/cluster.yaml | 39 +- .../apps/kubernetes/templates/csi/deploy.yaml | 1 + .../apps/kubernetes/templates/ingress.yaml | 15 + .../kubernetes/templates/kccm/manager.yaml | 1 + packages/apps/kubernetes/values.yaml | 1 + packages/apps/nats/.helmignore | 3 + packages/apps/nats/Chart.yaml | 25 + packages/apps/nats/Makefile | 2 + packages/apps/nats/README.md | 11 + packages/apps/nats/logos/nats.svg | 76 ++ packages/apps/nats/templates/nats.yaml | 43 ++ packages/apps/nats/values.schema.json | 16 + packages/apps/nats/values.yaml | 8 + packages/apps/postgres/Chart.yaml | 2 +- .../apps/postgres/templates/init-script.yaml | 99 ++- packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/README.md | 1 + .../apps/tenant/templates/networkpolicy.yaml | 136 ++++ packages/apps/tenant/values.schema.json | 5 + packages/apps/tenant/values.yaml | 2 + packages/apps/versions_map | 14 +- packages/core/installer/images/cozystack.json | 8 +- packages/core/installer/images/cozystack.tag | 2 +- packages/core/installer/images/matchbox.json | 10 +- .../core/platform/bundles/distro-full.yaml | 10 +- packages/core/platform/bundles/paas-full.yaml | 6 + .../core/platform/templates/namespaces.yaml | 6 +- packages/extra/etcd/Chart.yaml | 2 +- .../extra/etcd/templates/etcd-cluster.yaml | 4 + packages/extra/ingress/Chart.yaml | 2 +- packages/extra/ingress/Makefile | 5 + packages/extra/ingress/README.md | 12 +- 
.../ingress/templates/_cloudflare-ips.tpl | 3 + .../extra/ingress/templates/dashboard.yaml | 29 + .../ingress/templates/nginx-ingress.yaml | 14 + packages/extra/ingress/values.schema.json | 16 + packages/extra/ingress/values.yaml | 13 + packages/extra/versions_map | 6 +- .../templates/cluster-issuers.yaml | 7 + packages/system/cilium/images/cilium.json | 18 +- .../system/dashboard/images/dashboard.json | 16 +- .../system/dashboard/images/dashboard.tag | 2 +- .../dashboard/images/kubeapps-apis.json | 20 +- .../system/dashboard/images/kubeapps-apis.tag | 2 +- .../charts/etcd-operator/Chart.yaml | 4 +- .../rbac/clusterrole-manager-role.yml | 16 + .../charts/ingress-nginx/Chart.yaml | 12 +- .../ingress-nginx/charts/ingress-nginx/OWNERS | 2 +- .../charts/ingress-nginx/README.md | 120 ++-- .../ci/daemonset-extra-modules.yaml | 5 +- ...modules-default-container-sec-context.yaml | 5 +- ...odules-specific-container-sec-context.yaml | 5 +- .../ci/deployment-extra-modules.yaml | 5 +- ...t-opentelemetry-customregistry-values.yaml | 9 + .../ingress-nginx/templates/_helpers.tpl | 25 +- .../ingress-nginx/templates/_params.tpl | 11 +- .../job-patch/clusterrole.yaml | 2 +- .../job-patch/clusterrolebinding.yaml | 4 +- .../job-patch/job-createSecret.yaml | 4 +- .../job-patch/job-patchWebhook.yaml | 4 +- .../admission-webhooks/job-patch/role.yaml | 2 +- .../job-patch/rolebinding.yaml | 4 +- .../job-patch/serviceaccount.yaml | 5 +- .../templates/controller-configmap.yaml | 2 +- .../templates/controller-daemonset.yaml | 8 +- .../templates/controller-deployment.yaml | 10 +- .../controller-ingressclass-aliases.yaml | 23 + .../templates/controller-ingressclass.yaml | 15 +- .../templates/controller-keda.yaml | 2 +- .../controller-poddisruptionbudget.yaml | 12 +- .../templates/controller-prometheusrules.yaml | 2 +- .../templates/controller-role.yaml | 3 + .../controller-service-internal.yaml | 55 +- .../templates/controller-service-webhook.yaml | 2 +- .../templates/controller-service.yaml | 
12 +- .../templates/controller-servicemonitor.yaml | 3 + .../templates/default-backend-deployment.yaml | 9 +- .../default-backend-extra-configmaps.yaml | 10 +- .../templates/default-backend-hpa.yaml | 16 +- .../templates/default-backend-service.yaml | 2 +- .../job-patch/clusterrole_test.yaml | 11 + .../job-patch/clusterrolebinding_test.yaml | 11 + .../job-patch/role_test.yaml | 11 + .../job-patch/rolebinding_test.yaml | 11 + .../job-patch/serviceaccount_test.yaml | 47 ++ .../controller-configmap-addheaders_test.yaml | 27 + ...ontroller-configmap-proxyheaders_test.yaml | 27 + .../tests/controller-configmap_test.yaml | 31 + .../tests/controller-daemonset_test.yaml | 140 ++++ .../tests/controller-deployment_test.yaml | 162 +++++ .../tests/controller-hpa_test.yaml | 31 + .../controller-ingressclass-aliases_test.yaml | 110 +++ .../tests/controller-ingressclass_test.yaml | 93 +++ .../tests/controller-keda_test.yaml | 31 + .../tests/controller-networkpolicy_test.yaml | 23 + .../controller-poddisruptionbudget_test.yaml | 73 ++ .../controller-service-internal_test.yaml | 25 + .../controller-service-metrics_test.yaml | 23 + .../tests/controller-service_test.yaml | 32 + .../default-backend-deployment_test.yaml | 137 ++++ ...default-backend-extra-configmaps_test.yaml | 17 +- .../tests/default-backend-service_test.yaml | 32 + .../charts/ingress-nginx/values.yaml | 397 ++++++++--- packages/system/ingress-nginx/values.yaml | 6 +- packages/system/kubeovn/images/kubeovn.json | 20 +- packages/system/nats/Chart.yaml | 3 + packages/system/nats/Makefile | 5 + packages/system/nats/charts/nats/.helmignore | 26 + packages/system/nats/charts/nats/Chart.yaml | 16 + packages/system/nats/charts/nats/README.md | 329 +++++++++ packages/system/nats/charts/nats/UPGRADING.md | 155 ++++ .../nats/charts/nats/files/config-map.yaml | 10 + .../charts/nats/files/config/cluster.yaml | 32 + .../nats/charts/nats/files/config/config.yaml | 114 +++ .../charts/nats/files/config/gateway.yaml | 11 + 
.../charts/nats/files/config/jetstream.yaml | 23 + .../charts/nats/files/config/leafnodes.yaml | 11 + .../nats/charts/nats/files/config/mqtt.yaml | 10 + .../charts/nats/files/config/protocol.yaml | 10 + .../charts/nats/files/config/resolver.yaml | 3 + .../nats/charts/nats/files/config/tls.yaml | 16 + .../charts/nats/files/config/websocket.yaml | 12 + .../charts/nats/files/headless-service.yaml | 24 + .../nats/charts/nats/files/ingress.yaml | 34 + .../nats/files/nats-box/contents-secret.yaml | 17 + .../nats-box/contexts-secret/context.yaml | 51 ++ .../contexts-secret/contexts-secret.yaml | 13 + .../files/nats-box/deployment/container.yaml | 46 ++ .../files/nats-box/deployment/deployment.yaml | 16 + .../nats-box/deployment/pod-template.yaml | 44 ++ .../nats/files/nats-box/service-account.yaml | 7 + .../nats/files/pod-disruption-budget.yaml | 12 + .../nats/charts/nats/files/pod-monitor.yaml | 13 + .../charts/nats/files/service-account.yaml | 7 + .../nats/charts/nats/files/service.yaml | 23 + .../files/stateful-set/jetstream-pvc.yaml | 13 + .../files/stateful-set/nats-container.yaml | 106 +++ .../nats/files/stateful-set/pod-template.yaml | 71 ++ .../stateful-set/prom-exporter-container.yaml | 30 + .../stateful-set/reloader-container.yaml | 27 + .../nats/files/stateful-set/resolver-pvc.yaml | 13 + .../nats/files/stateful-set/stateful-set.yaml | 37 + .../nats/charts/nats/templates/_helpers.tpl | 281 ++++++++ .../nats/charts/nats/templates/_jsonpatch.tpl | 219 ++++++ .../nats/templates/_toPrettyRawJson.tpl | 28 + .../nats/charts/nats/templates/_tplYaml.tpl | 114 +++ .../charts/nats/templates/config-map.yaml | 4 + .../nats/templates/extra-resources.yaml | 5 + .../nats/templates/headless-service.yaml | 4 + .../nats/charts/nats/templates/ingress.yaml | 6 + .../templates/nats-box/contents-secret.yaml | 10 + .../templates/nats-box/contexts-secret.yaml | 8 + .../nats/templates/nats-box/deployment.yaml | 8 + .../templates/nats-box/service-account.yaml | 8 + 
.../nats/templates/pod-disruption-budget.yaml | 6 + .../charts/nats/templates/pod-monitor.yaml | 8 + .../nats/templates/service-account.yaml | 6 + .../nats/charts/nats/templates/service.yaml | 6 + .../charts/nats/templates/stateful-set.yaml | 4 + .../nats/templates/tests/request-reply.yaml | 37 + packages/system/nats/charts/nats/values.yaml | 669 ++++++++++++++++++ packages/system/nats/values.yaml | 7 + .../system/snapshot-controller/.helmignore | 3 + .../system/snapshot-controller/Chart.yaml | 3 + packages/system/snapshot-controller/Makefile | 10 + .../charts/snapshot-controller/.helmignore | 25 + .../charts/snapshot-controller/Chart.yaml | 22 + .../charts/snapshot-controller/LICENSE | 201 ++++++ .../charts/snapshot-controller/README.md | 200 ++++++ ...age.k8s.io_volumegroupsnapshotclasses.yaml | 94 +++ ...ge.k8s.io_volumegroupsnapshotcontents.yaml | 335 +++++++++ ...t.storage.k8s.io_volumegroupsnapshots.yaml | 273 +++++++ ....storage.k8s.io_volumesnapshotclasses.yaml | 143 ++++ ...storage.k8s.io_volumesnapshotcontents.yaml | 457 ++++++++++++ ...apshot.storage.k8s.io_volumesnapshots.yaml | 351 +++++++++ .../snapshot-controller/templates/NOTES.txt | 30 + .../templates/_helpers.tpl | 134 ++++ .../templates/deployment_controller.yaml | 89 +++ .../deployment_validation_webhook.yaml | 91 +++ .../templates/networkpolicy.yaml | 20 + .../poddisruptionbudget_controller.yaml | 13 + ...oddisruptionbudget_validation_webhook.yaml | 13 + .../templates/service_controller.yaml | 16 + .../templates/service_validation_webhook.yaml | 17 + .../templates/serviceaccount_controller.yaml | 96 +++ .../serviceaccount_validation_webhook.yaml | 38 + .../templates/servicemonitor.yaml | 15 + .../templates/volumesnapshotclass.yaml | 22 + .../templates/webhook.yaml | 112 +++ .../charts/snapshot-controller/values.yaml | 180 +++++ .../system/snapshot-controller/values.yaml | 13 + 200 files changed, 8261 insertions(+), 371 deletions(-) create mode 100644 packages/apps/ferretdb/values2.yaml create 
mode 100644 packages/apps/nats/.helmignore create mode 100644 packages/apps/nats/Chart.yaml create mode 100644 packages/apps/nats/Makefile create mode 100644 packages/apps/nats/README.md create mode 100644 packages/apps/nats/logos/nats.svg create mode 100644 packages/apps/nats/templates/nats.yaml create mode 100644 packages/apps/nats/values.schema.json create mode 100644 packages/apps/nats/values.yaml create mode 100644 packages/apps/tenant/templates/networkpolicy.yaml create mode 100644 packages/extra/ingress/templates/_cloudflare-ips.tpl create mode 100644 packages/extra/ingress/templates/dashboard.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml create mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-hpa_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-keda_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-internal_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-metrics_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-service_test.yaml create mode 100644 packages/system/nats/Chart.yaml create mode 100644 packages/system/nats/Makefile create mode 100644 packages/system/nats/charts/nats/.helmignore create mode 100644 packages/system/nats/charts/nats/Chart.yaml create mode 100644 packages/system/nats/charts/nats/README.md create mode 100644 packages/system/nats/charts/nats/UPGRADING.md create mode 100644 packages/system/nats/charts/nats/files/config-map.yaml create mode 100644 packages/system/nats/charts/nats/files/config/cluster.yaml create mode 100644 packages/system/nats/charts/nats/files/config/config.yaml create mode 100644 packages/system/nats/charts/nats/files/config/gateway.yaml create mode 100644 
packages/system/nats/charts/nats/files/config/jetstream.yaml create mode 100644 packages/system/nats/charts/nats/files/config/leafnodes.yaml create mode 100644 packages/system/nats/charts/nats/files/config/mqtt.yaml create mode 100644 packages/system/nats/charts/nats/files/config/protocol.yaml create mode 100644 packages/system/nats/charts/nats/files/config/resolver.yaml create mode 100644 packages/system/nats/charts/nats/files/config/tls.yaml create mode 100644 packages/system/nats/charts/nats/files/config/websocket.yaml create mode 100644 packages/system/nats/charts/nats/files/headless-service.yaml create mode 100644 packages/system/nats/charts/nats/files/ingress.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/contents-secret.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/contexts-secret/context.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/contexts-secret/contexts-secret.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/deployment/container.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/deployment/deployment.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/deployment/pod-template.yaml create mode 100644 packages/system/nats/charts/nats/files/nats-box/service-account.yaml create mode 100644 packages/system/nats/charts/nats/files/pod-disruption-budget.yaml create mode 100644 packages/system/nats/charts/nats/files/pod-monitor.yaml create mode 100644 packages/system/nats/charts/nats/files/service-account.yaml create mode 100644 packages/system/nats/charts/nats/files/service.yaml create mode 100644 packages/system/nats/charts/nats/files/stateful-set/jetstream-pvc.yaml create mode 100644 packages/system/nats/charts/nats/files/stateful-set/nats-container.yaml create mode 100644 packages/system/nats/charts/nats/files/stateful-set/pod-template.yaml create mode 100644 
packages/system/nats/charts/nats/files/stateful-set/prom-exporter-container.yaml create mode 100644 packages/system/nats/charts/nats/files/stateful-set/reloader-container.yaml create mode 100644 packages/system/nats/charts/nats/files/stateful-set/resolver-pvc.yaml create mode 100644 packages/system/nats/charts/nats/files/stateful-set/stateful-set.yaml create mode 100644 packages/system/nats/charts/nats/templates/_helpers.tpl create mode 100644 packages/system/nats/charts/nats/templates/_jsonpatch.tpl create mode 100644 packages/system/nats/charts/nats/templates/_toPrettyRawJson.tpl create mode 100644 packages/system/nats/charts/nats/templates/_tplYaml.tpl create mode 100644 packages/system/nats/charts/nats/templates/config-map.yaml create mode 100644 packages/system/nats/charts/nats/templates/extra-resources.yaml create mode 100644 packages/system/nats/charts/nats/templates/headless-service.yaml create mode 100644 packages/system/nats/charts/nats/templates/ingress.yaml create mode 100644 packages/system/nats/charts/nats/templates/nats-box/contents-secret.yaml create mode 100644 packages/system/nats/charts/nats/templates/nats-box/contexts-secret.yaml create mode 100644 packages/system/nats/charts/nats/templates/nats-box/deployment.yaml create mode 100644 packages/system/nats/charts/nats/templates/nats-box/service-account.yaml create mode 100644 packages/system/nats/charts/nats/templates/pod-disruption-budget.yaml create mode 100644 packages/system/nats/charts/nats/templates/pod-monitor.yaml create mode 100644 packages/system/nats/charts/nats/templates/service-account.yaml create mode 100644 packages/system/nats/charts/nats/templates/service.yaml create mode 100644 packages/system/nats/charts/nats/templates/stateful-set.yaml create mode 100644 packages/system/nats/charts/nats/templates/tests/request-reply.yaml create mode 100644 packages/system/nats/charts/nats/values.yaml create mode 100644 packages/system/nats/values.yaml create mode 100644 
packages/system/snapshot-controller/.helmignore create mode 100644 packages/system/snapshot-controller/Chart.yaml create mode 100644 packages/system/snapshot-controller/Makefile create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/.helmignore create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/Chart.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/LICENSE create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/README.md create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotclasses.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotcontents.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshots.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshots.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/NOTES.txt create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/_helpers.tpl create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_controller.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_validation_webhook.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/networkpolicy.yaml create mode 100644 
packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_controller.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_validation_webhook.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/service_controller.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/service_validation_webhook.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_validation_webhook.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/servicemonitor.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/volumesnapshotclass.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/templates/webhook.yaml create mode 100644 packages/system/snapshot-controller/charts/snapshot-controller/values.yaml create mode 100644 packages/system/snapshot-controller/values.yaml diff --git a/manifests/cozystack-installer.yaml b/manifests/cozystack-installer.yaml index e88aa4c5..685401a4 100644 --- a/manifests/cozystack-installer.yaml +++ b/manifests/cozystack-installer.yaml @@ -68,7 +68,7 @@ spec: serviceAccountName: cozystack containers: - name: cozystack - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1" env: - name: KUBERNETES_SERVICE_HOST value: localhost @@ -87,7 +87,7 @@ spec: fieldRef: fieldPath: metadata.name - name: darkhttpd - image: "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" + image: "ghcr.io/aenix-io/cozystack/cozystack:v0.10.1" command: - /usr/bin/darkhttpd - /cozystack/assets 
diff --git a/packages/apps/ferretdb/values2.yaml b/packages/apps/ferretdb/values2.yaml new file mode 100644 index 00000000..9964dfe8 --- /dev/null +++ b/packages/apps/ferretdb/values2.yaml 
@@ -0,0 +1,56 @@
+## @section Common parameters
+
+## @param external Enable external access from outside the cluster
+## @param size Persistent Volume size
+## @param replicas Number of Postgres replicas
+##
+external: false
+size: 10Gi
+replicas: 1
+
+## Configuration for the quorum-based synchronous replication
+## @param quorum.minSyncReplicas Minimum number of synchronous replicas that must acknowledge a transaction before it is considered committed.
+## @param quorum.maxSyncReplicas Maximum number of synchronous replicas that can acknowledge a transaction (must be lower than the number of instances).
+quorum:
+  minSyncReplicas: 0
+  maxSyncReplicas: 0
+
+## @section Configuration parameters
+
+## @param users [object] Users configuration
+## Example:
+## users:
+##   user1:
+##     password: strongpassword
+##   user2:
+##     password: hackme
+##
+users:
+  foo:
+    password: asd
+  bar:
+    password: asd
+  baz:
+    password: asd
+  boo:
+    password: asd
+
+## @section Backup parameters
+
+## @param backup.enabled Enable pereiodic backups
+## @param backup.s3Region The AWS S3 region where backups are stored
+## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.schedule Cron schedule for automated backups
+## @param backup.cleanupStrategy The strategy for cleaning up old backups
+## @param backup.s3AccessKey The access key for S3, used for authentication
+## @param backup.s3SecretKey The secret key for S3, used for authentication
+## @param backup.resticPassword The password for Restic backup encryption
+backup:
+  enabled: false
+  s3Region: us-east-1
+  s3Bucket: s3.example.org/postgres-backups
+  schedule: "0 2 * * *"
+  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
+  s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
+  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
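Review bot: `backup.s3AccessKey`, `backup.s3SecretKey`, `backup.resticPassword` and the four `password: asd` entries under `users:` are committed as credential-shaped values in a chart values file; even if they are sample data, secret scanners and chart consumers cannot tell them apart from real ones, and a packaged chart ships the file. Replace them with empty strings plus a comment, e.g. `s3AccessKey: ""  # supplied at install time, never committed`, or point at a Secret. The name `values2.yaml` beside the chart's own `values.yaml` reads like a leftover test fixture; if it is, drop it or list it in `.helmignore` instead of publishing it. Also `pereiodic` in the `backup.enabled` description should be `periodic`.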
diff --git a/packages/apps/http-cache/images/nginx-cache.json b/packages/apps/http-cache/images/nginx-cache.json index bd54b58a..11b058c6 100644 --- a/packages/apps/http-cache/images/nginx-cache.json +++ b/packages/apps/http-cache/images/nginx-cache.json @@ -32,7 +32,17 @@ } } }, - "buildx.build.ref": "amd64/amd64/gaibgudlqaxqxufa236q5ffdk", - "containerimage.config.digest": "sha256:677b0b84d7a11a31971857863a6a83b5bb863583eca86a2c2b1b89c61659e549", - "containerimage.digest": "sha256:7f864e2c9c86b77e08953258521117503309f84783ea11c617db8c2534f8b545" + "buildx.build.ref": "cozystack/cozystack0/7j4plhjjn8onm0o8q0omik63x", + "containerimage.config.digest": "sha256:f30f57d817c596f7a7d0ecfe734b7b41994eca9d36d43307206314ee37bdb286", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c", + "size": 1094, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:f7d86b1a72a12b60434a12a604e9ddd3779d9fa605205c7968fe9495e764c94c", + "image.name": "ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0,ghcr.io/aenix-io/cozystack/nginx-cache:v0.1.0-v0.10.1" } \ No newline at end of file diff --git a/packages/apps/kafka/Chart.yaml b/packages/apps/kafka/Chart.yaml index 193e8d7e..716f871c 100644 --- a/packages/apps/kafka/Chart.yaml +++ b/packages/apps/kafka/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.1 +version: 0.2.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
diff --git a/packages/apps/kafka/templates/kafka.yaml b/packages/apps/kafka/templates/kafka.yaml index bb53c1b5..8cc9f019 100644 --- a/packages/apps/kafka/templates/kafka.yaml +++ b/packages/apps/kafka/templates/kafka.yaml @@ -26,11 +26,25 @@ spec: {{- end }} tls: false config: + {{- if eq (int .Values.kafka.replicas) 1 }} + offsets.topic.replication.factor: 1 + transaction.state.log.replication.factor: 1 + transaction.state.log.min.isr: 1 + default.replication.factor: 1 + min.insync.replicas: 1 + {{- else if eq (int .Values.kafka.replicas) 2 }} + offsets.topic.replication.factor: 2 + transaction.state.log.replication.factor: 2 + transaction.state.log.min.isr: 2 + default.replication.factor: 2 + min.insync.replicas: 2 + {{- else }} offsets.topic.replication.factor: 3 transaction.state.log.replication.factor: 3 transaction.state.log.min.isr: 2 default.replication.factor: 3 min.insync.replicas: 2 + {{- end }} storage: type: jbod volumes: diff --git a/packages/apps/kafka/templates/topics.yaml b/packages/apps/kafka/templates/topics.yaml index 63d4e6fb..712b5d67 100644 --- a/packages/apps/kafka/templates/topics.yaml +++ b/packages/apps/kafka/templates/topics.yaml @@ -9,10 +9,10 @@ metadata: spec: topicName: "{{ $topic.name }}" {{- with $topic.partitions }} - partitions: "{{ . }}" + partitions: {{ . }} {{- end }} {{- with $topic.replicas }} - replicas: "{{ . }}" + replicas: {{ . }} {{- end }} {{- with $topic.config }} config: diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 30811454..af3ce9d1 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml 
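Review bot: In the `replicas == 2` branch of `kafka.yaml`, `min.insync.replicas: 2` and `transaction.state.log.min.isr: 2` equal the replication factor, so a single broker outage makes every `acks=all` producer and the transaction coordinator unavailable; a two-broker cluster is more usable with `min.insync.replicas: 1` and `transaction.state.log.min.isr: 1`, accepting the reduced durability two brokers imply anyway. The `else` branch also covers any other value (0, or more than 3), which is fine for 3+ but worth stating, e.g. `{{- /* 3 or more replicas: RF 3, ISR 2 */ }}` before the branch. The enclosing `config:` mapping continues past the hunk.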
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.6.0 +version: 0.8.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kubernetes/images/ubuntu-container-disk.json b/packages/apps/kubernetes/images/ubuntu-container-disk.json index e249d0e4..65729082 100644 --- a/packages/apps/kubernetes/images/ubuntu-container-disk.json +++ b/packages/apps/kubernetes/images/ubuntu-container-disk.json @@ -32,7 +32,17 @@ } } }, - "buildx.build.ref": "amd64/amd64/kk2drcq44gorgb3xwa8908pfc", - "containerimage.config.digest": "sha256:363589eb47379eb7548f047aae24045278f14db0b2026022b6bec33a04370f15", - "containerimage.digest": "sha256:f242fd77903f5f5a94ed157e98b0c4532e5ba91734d9653eaf26cfe4b23b017b" + "buildx.build.ref": "cozystack/cozystack0/xkanpm0dojuj7v0lo951qocfb", + "containerimage.config.digest": "sha256:c144c5f12a47af7880ee5f056b14177c07b585b8ab1e68b7e7900e1c923083cf", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805", + "size": 506, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:81caf89efe252ae2ca1990d08a3a314552d70ff36bcd4022b173c7150fbec805", + "image.name": "ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1,ghcr.io/aenix-io/cozystack/ubuntu-container-disk:v1.30.1-v0.10.1" } \ No newline at end of file diff --git a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml index 7c2a7e50..9ecf1bf4 100644 
--- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml +++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml @@ -14,6 +14,7 @@ spec: metadata: labels: app: {{ .Release.Name }}-cluster-autoscaler + policy.cozystack.io/allow-to-apiserver: "true" spec: tolerations: - key: CriticalAddonsOnly diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index 0ce5d542..ed610fa9 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml @@ -17,6 +17,11 @@ spec: spec: runStrategy: Always template: + metadata: + labels: + {{- range .group.roles }} + node-role.kubernetes.io/{{ . }}: "" + {{- end }} spec: domain: cpu: @@ -29,14 +34,10 @@ spec: disk: bus: virtio pciAddress: 0000:07:00.0 - - name: containerd + - name: ephemeral disk: bus: virtio pciAddress: 0000:08:00.0 - - name: kubelet - disk: - bus: virtio - pciAddress: 0000:09:00.0 networkInterfaceMultiqueue: true memory: guest: {{ .group.resources.memory }} @@ -45,15 +46,10 @@ spec: - name: system containerDisk: image: "{{ $.Files.Get "images/ubuntu-container-disk.tag" | trim }}@{{ index ($.Files.Get "images/ubuntu-container-disk.json" | fromJson) "containerimage.digest" }}" - - name: containerd + - name: ephemeral emptyDisk: - capacity: 20Gi - - name: kubelet - emptyDisk: - capacity: 20Gi + capacity: {{ .group.ephemeralStorage | default "20Gi" }} {{- end }} - - --- apiVersion: cluster.x-k8s.io/v1beta1 kind: Cluster @@ -108,6 +104,9 @@ spec: hostname: {{ .Values.host | default (printf "%s.%s" .Release.Name $host) }}:443 className: "{{ $ingress }}" deployment: + podAdditionalMetadata: + labels: + policy.cozystack.io/allow-to-etcd: "true" replicas: 2 version: 1.30.1 --- 
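Review bot: The new `capacity: {{ .group.ephemeralStorage | default "20Gi" }}` reads `ephemeralStorage` at the node-group level, but the `values.yaml` hunk later in this patch adds `ephemeralStorage: 20Gi` directly after `memory: 1024Mi`, which as far as the collapsed indentation shows may sit under `resources:` where the template never reads it and the default silently wins; confirm the nesting, and if it belongs under `resources` read `.group.resources.ephemeralStorage` instead. The `node-role.kubernetes.io/{{ . }}: ""` labels are rendered straight from user-supplied role names, so a role that is not a valid label name (uppercase, spaces, over 63 characters) fails only at apply time; a `pattern` for `roles` in `values.schema.json` would surface that at install. Since the `@@ -17,6 +17,11 @@` hunk is inside the VM `template:`, these are presumably labels on the virtual-machine pods rather than on the guest nodes — a comment saying which is intended would avoid confusion with the kubeadm-managed node-role labels.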
@@ -132,17 +131,19 @@ spec: filesystems: - device: /dev/vdb filesystem: xfs - label: containerd - partition: "none" - - device: /dev/vdc - filesystem: xfs - label: kubelet + label: ephemeral partition: "none" mounts: - - ["LABEL=containerd", "/var/lib/containerd"] - - ["LABEL=kubelet", "/var/lib/kubelet"] + - ["LABEL=ephemeral", "/ephemeral"] + - ["/ephemeral/kubelet", "/var/lib/kubelet", "none", "bind,nofail"] + - ["/ephemeral/containerd", "/var/lib/containerd", "none", "bind,nofail"] preKubeadmCommands: - sed -i 's|root:x:|root::|' /etc/passwd + - systemctl stop containerd.service + - mkdir -p /ephemeral/kubelet /ephemeral/containerd + - mount -o bind /ephemeral/kubelet /var/lib/kubelet + - mount -o bind /ephemeral/containerd /var/lib/containerd + - systemctl start containerd.service joinConfiguration: nodeRegistration: kubeletExtraArgs: {} diff --git a/packages/apps/kubernetes/templates/csi/deploy.yaml b/packages/apps/kubernetes/templates/csi/deploy.yaml index f4fbb64d..cb21208b 100644 --- a/packages/apps/kubernetes/templates/csi/deploy.yaml +++ b/packages/apps/kubernetes/templates/csi/deploy.yaml @@ -13,6 +13,7 @@ spec: metadata: labels: app: {{ .Release.Name }}-kcsi-driver + policy.cozystack.io/allow-to-apiserver: "true" spec: serviceAccountName: {{ .Release.Name }}-kcsi priorityClassName: system-cluster-critical diff --git a/packages/apps/kubernetes/templates/ingress.yaml b/packages/apps/kubernetes/templates/ingress.yaml index e677afab..622b46ed 100644 --- a/packages/apps/kubernetes/templates/ingress.yaml +++ b/packages/apps/kubernetes/templates/ingress.yaml 
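Review bot: The `mount -o bind` lines in `preKubeadmCommands` are not idempotent: the `mounts:` entries above already bind the same two directories (with `nofail`) on any boot where `/ephemeral/kubelet` and `/ephemeral/containerd` exist, and on those boots the commands stack a second bind mount over `/var/lib/kubelet` and `/var/lib/containerd` rather than fail. Guard them, e.g. `mountpoint -q /var/lib/kubelet || mount -o bind /ephemeral/kubelet /var/lib/kubelet` and the same for containerd, or keep only one of the two mechanisms. `systemctl stop containerd.service` runs before the `mkdir -p`, so if a later step fails containerd may be left stopped and kubeadm fails with a less obvious error; a one-line comment noting that the cloud-init `mounts` only take effect from the second boot onward, which is presumably why both exist, would help the next reader. The enclosing `diskSetup`/bootstrap spec starts outside the hunk.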
@@ -9,6 +9,14 @@ metadata: annotations: nginx.ingress.kubernetes.io/ssl-redirect: "false" nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/backend-protocol: "AUTO_HTTP" + nginx.ingress.kubernetes.io/configuration-snippet: | + set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-80"; + if ($scheme = https) { + set $proxy_upstream_name "{{ .Release.Namespace }}-{{ .Release.Name }}-ingress-nginx-443"; + set $service_port 443; + } + set $proxy_host $proxy_upstream_name; spec: ingressClassName: "{{ $ingress }}" rules: @@ -16,6 +24,13 @@ spec: - host: {{ . | quote }} http: paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: {{ $.Release.Name }}-ingress-nginx + port: + number: 80 - path: / pathType: ImplementationSpecific backend: diff --git a/packages/apps/kubernetes/templates/kccm/manager.yaml b/packages/apps/kubernetes/templates/kccm/manager.yaml index 586fdbf4..69dd58aa 100644 --- a/packages/apps/kubernetes/templates/kccm/manager.yaml +++ b/packages/apps/kubernetes/templates/kccm/manager.yaml @@ -13,6 +13,7 @@ spec: metadata: labels: k8s-app: {{ .Release.Name }}-kccm + policy.cozystack.io/allow-to-apiserver: "true" spec: tolerations: - key: CriticalAddonsOnly diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index 548e344d..38859eb2 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml @@ -16,6 +16,7 @@ nodeGroups: resources: cpu: 2 memory: 1024Mi + ephemeralStorage: 20Gi roles: - ingress-nginx diff --git a/packages/apps/nats/.helmignore b/packages/apps/nats/.helmignore new file mode 100644 index 00000000..1ea0ae84 --- /dev/null +++ b/packages/apps/nats/.helmignore @@ -0,0 +1,3 @@ +.helmignore +/logos +/Makefile diff --git a/packages/apps/nats/Chart.yaml b/packages/apps/nats/Chart.yaml new file mode 100644 index 00000000..c5477111 --- /dev/null +++ b/packages/apps/nats/Chart.yaml 
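Review bot: The `nginx.ingress.kubernetes.io/configuration-snippet` annotation only takes effect when the ingress-nginx controller runs with `allow-snippet-annotations: true`, which is off by default in current releases because snippets let an Ingress author inject arbitrary nginx directives into the shared controller; confirm the platform controller enables it deliberately and that tenant-created Ingresses cannot carry snippets of their own, or express this routing without a snippet. The rule now has two `path: /` entries with the same `pathType`, differing only in backend port, and the snippet's `$proxy_upstream_name` assignment is what appears to select the upstream; a comment such as `# both backends exist so the :80 and :443 upstreams are generated; the snippet above picks between them` would explain the apparent duplicate. `set $service_port 443;` is assigned but not read inside the snippet — if it is consumed by the controller's generated config, say so.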
@@ -0,0 +1,25 @@ +apiVersion: v2 +name: nats +description: Managed NATS service +icon: /logos/nats.svg + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.4.1" diff --git a/packages/apps/nats/Makefile b/packages/apps/nats/Makefile new file mode 100644 index 00000000..207e2133 --- /dev/null +++ b/packages/apps/nats/Makefile @@ -0,0 +1,2 @@ +generate: + readme-generator -v values.yaml -s values.schema.json -r README.md diff --git a/packages/apps/nats/README.md b/packages/apps/nats/README.md new file mode 100644 index 00000000..a8b4ba2d --- /dev/null +++ b/packages/apps/nats/README.md @@ -0,0 +1,11 @@ +# Managed NATS Service + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ---------- | ----------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `replicas` | Persistent Volume size for NATS | `3` | + 
diff --git a/packages/apps/nats/logos/nats.svg b/packages/apps/nats/logos/nats.svg new file mode 100644 index 00000000..c0c0965f --- /dev/null +++ b/packages/apps/nats/logos/nats.svg @@ -0,0 +1,76 @@ + + + + + + + + + + + + + diff --git a/packages/apps/nats/templates/nats.yaml b/packages/apps/nats/templates/nats.yaml new file mode 100644 index 00000000..cc78209f --- /dev/null +++ b/packages/apps/nats/templates/nats.yaml @@ -0,0 +1,43 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: {{ .Release.Name }}-system +spec: + chart: + spec: + chart: cozy-nats + reconcileStrategy: Revision + sourceRef: + kind: HelmRepository + name: cozystack-system + namespace: cozy-system + version: '*' + interval: 1m0s + timeout: 5m0s + values: + nats: + fullnameOverride: {{ .Release.Name }} + config: + cluster: + enabled: true + replicas: {{ .Values.replicas }} + monitor: + enabled: true + jetstream: + enabled: true + fileStore: + enabled: true + pvc: + enabled: true + size: 10Gi + storageClassName: local + promExporter: + enabled: true + podMonitor: + enabled: true + {{- if .Values.external }} + service: + merge: + spec: + type: LoadBalancer + {{- end }} diff --git a/packages/apps/nats/values.schema.json b/packages/apps/nats/values.schema.json new file mode 100644 index 00000000..676ac1f0 --- /dev/null +++ b/packages/apps/nats/values.schema.json @@ -0,0 +1,16 @@ +{ + "title": "Chart Values", + "type": "object", + "properties": { + "external": { + "type": "boolean", + "description": "Enable external access from outside the cluster", + "default": false + }, + "replicas": { + "type": "number", + "description": "Persistent Volume size for NATS", + "default": 3 + } + } +} \ No newline at end of file diff --git a/packages/apps/nats/values.yaml b/packages/apps/nats/values.yaml new file mode 100644 index 00000000..91adc14b --- /dev/null +++ b/packages/apps/nats/values.yaml 
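Review bot: With `external: true` the HelmRelease in `nats.yaml` only switches the Service to `type: LoadBalancer`; nothing in these values configures NATS authentication or TLS, so unless the upstream `cozy-nats` defaults differ, the server is published outside the cluster accepting unauthenticated connections to every subject. Either expose an accounts/users value and pass it through the chart's `merge` mechanism (as `service.merge` does here), or state in the README that external access is unauthenticated and the tenant must add auth. `version: '*'` lets the release float to whatever `cozy-nats` chart version is newest in the repository, making tenant upgrades uncontrolled; pin it to the packaged version. `size: 10Gi` and `storageClassName: local` are hard-coded while `replicas` is exposed — a `size` parameter like the other apps' would be consistent.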
@@ -0,0 +1,8 @@ + +## @section Common parameters + +## @param external Enable external access from outside the cluster +## @param replicas Persistent Volume size for NATS +## +external: false +replicas: 2 diff --git a/packages/apps/postgres/Chart.yaml b/packages/apps/postgres/Chart.yaml index 0bc35560..f7bd834b 100644 --- a/packages/apps/postgres/Chart.yaml +++ b/packages/apps/postgres/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.0 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/postgres/templates/init-script.yaml b/packages/apps/postgres/templates/init-script.yaml index f5f6431c..68ee856f 100644 --- a/packages/apps/postgres/templates/init-script.yaml +++ b/packages/apps/postgres/templates/init-script.yaml 
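Review bot: `replicas: 2` disagrees with the default of `3` that the README and `values.schema.json` added in this same commit document, and the description `Persistent Volume size for NATS` is copied from another chart — `replicas` is the NATS server count. Since README and schema are generated from this file by `readme-generator` (see the new Makefile), fix the comment here, e.g. `## @param replicas Number of NATS server replicas`, settle the default, and regenerate. A two-node cluster leaves no room for R3 JetStream streams and no tolerance for losing a node, so `3` is presumably the intended default.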
@@ -53,47 +53,80 @@ stringData: echo "== grant privileges on databases to roles" {{- range $database, $d := .Values.databases }} - - # admin psql -v ON_ERROR_STOP=1 --echo-all -d "{{ $database }}" <<\EOT - DO $$DECLARE r record; + ALTER DATABASE {{ $database }} OWNER TO {{ $database }}_admin; + GRANT CONNECT ON DATABASE {{ $database }} TO {{ $database }}_readonly; + + DO $$ DECLARE - v_schema varchar := 'public'; - v_new_owner varchar := '{{ $database }}_admin'; + schema_record record; BEGIN - FOR r IN - select 'ALTER TABLE "' || table_schema || '"."' || table_name || '" OWNER TO ' || v_new_owner || ';' as a from information_schema.tables where table_schema = v_schema - union all - select 'ALTER TABLE "' || sequence_schema || '"."' || sequence_name || '" OWNER TO ' || v_new_owner || ';' as a from information_schema.sequences where sequence_schema = v_schema - union all - select 'ALTER TABLE "' || table_schema || '"."' || table_name || '" OWNER TO ' || v_new_owner || ';' as a from information_schema.views where table_schema = v_schema - union all - select 'ALTER FUNCTION "'||nsp.nspname||'"."'||p.proname||'"('||pg_get_function_identity_arguments(p.oid)||') OWNER TO ' || v_new_owner || ';' as a from pg_proc p join pg_namespace nsp ON p.pronamespace = nsp.oid where nsp.nspname = v_schema - LOOP - EXECUTE r.a; + -- Loop over all schemas + FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP + -- Changing Schema Ownership + EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, '{{ $database }}_admin'); + + -- Add rights for the admin role + EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin'); + EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin'); + EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database 
}}_admin'); + EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_admin'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, '{{ $database }}_admin'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, '{{ $database }}_admin'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, '{{ $database }}_admin'); + + -- Add rights for the readonly role + EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly'); + EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly'); + EXECUTE format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly'); + EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, '{{ $database }}_readonly'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO %I', schema_record.schema_name, '{{ $database }}_readonly'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT USAGE ON SEQUENCES TO %I', schema_record.schema_name, '{{ $database }}_readonly'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT EXECUTE ON FUNCTIONS TO %I', schema_record.schema_name, '{{ $database }}_readonly'); END LOOP; END$$; - ALTER DATABASE {{ $database }} OWNER TO {{ $database }}_admin; - ALTER SCHEMA public OWNER TO {{ $database }}_admin; - GRANT ALL ON SCHEMA public TO {{ $database }}_admin; - GRANT ALL ON ALL TABLES IN SCHEMA public TO {{ $database }}_admin; - GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO {{ $database }}_admin; - GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO {{ $database }}_admin; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO {{ $database }}_admin; - 
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO {{ $database }}_admin; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO {{ $database }}_admin; EOT - # readonly + echo "== setup event trigger for schema creation" psql -v ON_ERROR_STOP=1 --echo-all -d "{{ $database }}" <<\EOT - GRANT CONNECT ON DATABASE {{ $database }} TO {{ $database }}_readonly; - GRANT USAGE ON SCHEMA public TO {{ $database }}_readonly; - GRANT SELECT ON ALL TABLES IN SCHEMA public TO {{ $database }}_readonly; - GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO {{ $database }}_readonly; - GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO {{ $database }}_readonly; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO {{ $database }}_readonly; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO {{ $database }}_readonly; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO {{ $database }}_readonly; + CREATE OR REPLACE FUNCTION auto_grant_schema_privileges() + RETURNS event_trigger LANGUAGE plpgsql AS $$ + DECLARE + obj record; + BEGIN + FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP + EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, '{{ $database }}_admin'); + EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_admin'); + EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + + -- Set owner for schema + EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, '{{ $database }}_admin'); + + -- Set 
privileges for admin role + EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_admin'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, '{{ $database }}_admin'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, '{{ $database }}_admin'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, '{{ $database }}_admin'); + + -- Set privileges for readonly role + EXECUTE format('GRANT USAGE ON SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('GRANT USAGE ON ALL SEQUENCES IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA %I TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT USAGE ON SEQUENCES TO %I', obj.object_identity, '{{ $database }}_readonly'); + EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT EXECUTE ON FUNCTIONS TO %I', obj.object_identity, '{{ $database }}_readonly'); + END LOOP; + END; + $$; + + DROP EVENT TRIGGER IF EXISTS trigger_auto_grant; + CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end + WHEN TAG IN ('CREATE SCHEMA') + EXECUTE PROCEDURE auto_grant_schema_privileges(); EOT {{- end }} diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 5f531c11..700952cf 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.2.0 +version: 1.3.0 
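Review bot: In `auto_grant_schema_privileges`, `obj.object_identity` from `pg_event_trigger_ddl_commands()` is already an identifier-quoted rendering of the schema name, so passing it through `format('... %I ...')` re-quotes it and every GRANT/ALTER fails inside the caller's `CREATE SCHEMA` for any name that needs quoting (mixed case, spaces, dashes); either switch those placeholders to `%s`, or resolve the plain name with `(SELECT nspname FROM pg_namespace WHERE oid = obj.objid)` and keep `%I`. The function body also executes the same ALTER SCHEMA / GRANT statements twice (the first six EXECUTEs are repeated under the "Set owner" and "Set privileges" comments), so the first group can be deleted. In the bootstrap `DO` block, the schemata filter only excludes `pg_catalog` and `information_schema`; run as the init superuser it will also iterate `pg_toast` and any `pg_temp_*` schema, and whether `ALTER SCHEMA ... OWNER TO` then errors (aborting the whole init under `ON_ERROR_STOP=1`) or quietly hands a system schema to the tenant admin role, neither is wanted — tighten it to `WHERE schema_name NOT IN ('pg_catalog', 'information_schema') AND schema_name NOT LIKE 'pg\_%'`. Note that the shell script enclosing these heredocs starts before this hunk.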
diff --git a/packages/apps/tenant/README.md b/packages/apps/tenant/README.md index 9b17e8fc..6d0373e2 100644 --- a/packages/apps/tenant/README.md +++ b/packages/apps/tenant/README.md @@ -56,3 +56,4 @@ tenant-u1 | `etcd` | Deploy own Etcd cluster | `false` | | `monitoring` | Deploy own Monitoring Stack | `false` | | `ingress` | Deploy own Ingress Controller | `false` | +| `isolated` | Enforce tenant namespace with network policies | `false` | diff --git a/packages/apps/tenant/templates/networkpolicy.yaml b/packages/apps/tenant/templates/networkpolicy.yaml new file mode 100644 index 00000000..8b26e75a --- /dev/null +++ b/packages/apps/tenant/templates/networkpolicy.yaml 
@@ -0,0 +1,136 @@ +{{- if .Values.isolated }} +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-internal-communication + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + ingress: + - fromEndpoints: + - {} + egress: + - toEndpoints: + - {} +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-external-communication + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + ingress: + - fromEntities: + - world + egress: + - toEntities: + - world +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-from-system + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + ingress: + - fromEntities: + - cluster +--- +{{- if ne (include "tenant.name" .) "tenant-root" }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-from-upper-tenants + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + ingress: + - fromEndpoints: + - matchLabels: + "kubernetes.io/metadata.name": "tenant-root" + {{- if hasPrefix "tenant-" .Release.Namespace }} + {{- $parts := splitList "-" .Release.Namespace }} + {{- range $i, $v := $parts }} + {{- if ne $i 0 }} + - matchLabels: + "kubernetes.io/metadata.name": {{ join "-" (slice $parts 0 (add $i 1)) }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +--- +{{- if not .Values.etcd }} +{{- $existingNS := lookup "v1" "Namespace" "" .Release.Namespace }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-to-etcd + namespace: {{ include "tenant.name" . 
}} +spec: + endpointSelector: + matchLabels: + policy.cozystack.io/allow-to-etcd: "true" + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: "{{ index $existingNS.metadata.annotations "namespace.cozystack.io/etcd" }}" + cozystack.io/service: etcd +{{- end }} +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-to-apiserver + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: + matchLabels: + policy.cozystack.io/allow-to-apiserver: "true" + egress: + - toEntities: + - kube-apiserver + - toPorts: + - ports: + - port: "6443" + protocol: TCP +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-to-dns + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-to-dashboard + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: cozy-dashboard +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-to-ingress + namespace: {{ include "tenant.name" . }} +spec: + endpointSelector: {} + egress: + - toEndpoints: + - matchLabels: + cozystack.io/service: ingress +{{- end }} diff --git a/packages/apps/tenant/values.schema.json b/packages/apps/tenant/values.schema.json index a02ffa71..7f87cda1 100644 --- a/packages/apps/tenant/values.schema.json +++ b/packages/apps/tenant/values.schema.json @@ -21,6 +21,11 @@ "type": "boolean", "description": "Deploy own Ingress Controller", "default": false + }, + "isolated": { + "type": "boolean", + "description": "Enforce tenant namespace with network policies", + "default": false } } } \ No newline at end of file diff --git a/packages/apps/tenant/values.yaml b/packages/apps/tenant/values.yaml index 3c980c00..d52e99ca 100644 
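Review bot: `allow-from-system` grants ingress with `fromEntities: [cluster]`, and in Cilium the `cluster` entity covers every endpoint in the cluster — including pods of other tenants — so with `isolated: true` any tenant can still reach this namespace's pods; the intent reads as "from system namespaces", which the `cozystack.io/system: "true"` namespace label this same commit adds can express as `fromEndpoints: - matchLabels: io.cilium.k8s.namespace.labels.cozystack.io/system: "true"`. In `allow-to-apiserver`, if the collapsed layout is right that `- toPorts:` is a second egress list item rather than a key of the `toEntities` rule, that rule has no destination selector and permits TCP/6443 to any address; fold the `toPorts` into the `kube-apiserver` rule. `allow-from-upper-tenants` selects peers by `kubernetes.io/metadata.name` while `allow-to-etcd` and `allow-to-dns` use `io.kubernetes.pod.namespace`; unless Cilium maps that namespace label onto pod endpoints the first selector matches nothing, so verify the rendered policy against live traffic (hubble policy verdicts) before shipping. The template's opening `{{- if .Values.isolated }}` is on the previous line.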
--- a/packages/apps/tenant/values.yaml
+++ b/packages/apps/tenant/values.yaml
@@ -4,7 +4,9 @@
 ## @param etcd Deploy own Etcd cluster
 ## @param monitoring Deploy own Monitoring Stack
 ## @param ingress Deploy own Ingress Controller
+## @param isolated Enforce tenant namespace with network policies
 host: ""
 etcd: false
 monitoring: false
 ingress: false
+isolated: false
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index d2968be0..a76e6701 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -6,20 +6,25 @@ http-cache 0.1.0 a956713
 http-cache 0.2.0 HEAD
 kafka 0.1.0 760f86d2
 kafka 0.2.0 a2cc83d
-kafka 0.2.1 HEAD
+kafka 0.2.1 3ac17018
+kafka 0.2.2 HEAD
 kubernetes 0.1.0 f642698
 kubernetes 0.2.0 7cd7de73
 kubernetes 0.3.0 7caccec1
 kubernetes 0.4.0 6cae6ce8
 kubernetes 0.5.0 6bd2d455
-kubernetes 0.6.0 HEAD
+kubernetes 0.6.0 4cbc8a2c
+kubernetes 0.7.0 ceefae03
+kubernetes 0.8.0 HEAD
 mysql 0.1.0 f642698
 mysql 0.2.0 8b975ff0
 mysql 0.3.0 HEAD
+nats 0.1.0 HEAD
 postgres 0.1.0 f642698
 postgres 0.2.0 7cd7de73
 postgres 0.2.1 4a97e297
-postgres 0.3.0 HEAD
+postgres 0.3.0 995dea6f
+postgres 0.4.0 HEAD
 rabbitmq 0.1.0 f642698
 rabbitmq 0.2.0 HEAD
 redis 0.1.1 f642698
@@ -31,7 +36,8 @@ tenant 0.1.4 d200480
 tenant 0.1.5 e3ab858
 tenant 1.0.0 7cd7de7
 tenant 1.1.0 4da8ac3b
-tenant 1.2.0 HEAD
+tenant 1.2.0 15478a88
+tenant 1.3.0 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 HEAD
diff --git a/packages/core/installer/images/cozystack.json b/packages/core/installer/images/cozystack.json
index 571f9aa7..5bd2cc81 100644
--- a/packages/core/installer/images/cozystack.json
+++ b/packages/core/installer/images/cozystack.json
@@ -1,10 +1,10 @@ { - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/ta5cc9q3mqtwjyuvg8fviqhe6", + "buildx.build.ref": "cozystack/cozystack0/zk58yqp4vkrfgx3gdjumn9k70", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", - "digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f", + "digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c", "size": 685 }, - "containerimage.digest": "sha256:bcaef325861d91b955f536bdd57ae3a6099d8657f081054a6dee3c027cfce97f", - "image.name": "ghcr.io/aenix-io/cozystack/cozystack:v0.9.0" + "containerimage.digest": "sha256:b92988122fa68adc85751384170a46895b5761cc5bf27e80b0b53b12b89b6d6c", + "image.name": "ghcr.io/aenix-io/cozystack/cozystack:latest" } \ No newline at end of file diff --git a/packages/core/installer/images/cozystack.tag b/packages/core/installer/images/cozystack.tag index aff03e70..602d7b26 100644 --- a/packages/core/installer/images/cozystack.tag +++ b/packages/core/installer/images/cozystack.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/cozystack:v0.9.0 +ghcr.io/aenix-io/cozystack/cozystack:latest diff --git a/packages/core/installer/images/matchbox.json b/packages/core/installer/images/matchbox.json index 930a0ce7..c93aacbb 100644 --- a/packages/core/installer/images/matchbox.json +++ b/packages/core/installer/images/matchbox.json 
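Review bot: `cozystack.tag` now points the installer at the mutable `:latest` tag, while `matchbox` on the next line moves to `v0.10.1`, which looks like the artifact of an untagged build rather than an intended change. The sibling `cozystack.json` still records a digest, but anywhere the `.tag` file is consumed without that digest the deployed installer image can change underneath a release; regenerate these files from a tagged build or pin by digest at the consumer.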
@@ -29,17 +29,17 @@ } } }, - "buildx.build.ref": "priceless_leavitt/priceless_leavitt0/k5n5is33n6zu6an3nmlnylejx", - "containerimage.config.digest": "sha256:4676a205eae74f1b16a9065921c612ee85e123ab6566a238edb4bbaf79b2e148", + "buildx.build.ref": "cozystack/cozystack0/qu2ygr61roizh7ga2l4kkmdx6", + "containerimage.config.digest": "sha256:94aa5abc006ac672ccdd91b8d9361fd14de6e0b286299f4e44dd09002becc3b7", "containerimage.descriptor": { "mediaType": "application/vnd.docker.distribution.manifest.v2+json", - "digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7", + "digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e", "size": 1488, "platform": { "architecture": "amd64", "os": "linux" } }, - "containerimage.digest": "sha256:7aa044756c40c2a222668f735ad9490b52341b57dca27e57b98f5de235d87ad7", - "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.9.0,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.9.0" + "containerimage.digest": "sha256:b1e6084402619dde9dcdc8251cd581cbfc3940c885e938547b7b7306376a411e", + "image.name": "ghcr.io/aenix-io/cozystack/matchbox:v0.10.1,ghcr.io/aenix-io/cozystack/matchbox:v1.7.1-v0.10.1" } \ No newline at end of file diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index c3e65e3f..59a32fa9 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml @@ -93,13 +93,13 @@ releases: releaseName: kafka-operator chart: cozy-kafka-operator namespace: cozy-kafka-operator - dependsOn: [cilium,kubeovn] + dependsOn: [cilium] - name: clickhouse-operator releaseName: clickhouse-operator chart: cozy-clickhouse-operator namespace: cozy-clickhouse-operator - dependsOn: [cilium,kubeovn] + dependsOn: [cilium] - name: rabbitmq-operator releaseName: rabbitmq-operator 
@@ -119,6 +119,12 @@ releases: namespace: cozy-linstor dependsOn: [cilium,cert-manager] +- name: snapshot-controller + releaseName: snapshot-controller + chart: cozy-snapshot-controller + namespace: cozy-snapshot-controller + dependsOn: [cilium,cert-manager-issuers] + - name: linstor releaseName: linstor chart: cozy-linstor diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index 4ed95257..65c259a6 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -155,6 +155,12 @@ releases: privileged: true dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager] +- name: snapshot-controller + releaseName: snapshot-controller + chart: cozy-snapshot-controller + namespace: cozy-snapshot-controller + dependsOn: [cilium,kubeovn,cert-manager-issuers] + - name: telepresence releaseName: traffic-manager chart: cozy-telepresence diff --git a/packages/core/platform/templates/namespaces.yaml b/packages/core/platform/templates/namespaces.yaml index 0d35d7ec..669d852c 100644 --- a/packages/core/platform/templates/namespaces.yaml +++ b/packages/core/platform/templates/namespaces.yaml @@ -15,6 +15,7 @@ {{- end }} {{/* Add extra namespaces */}} +{{- $_ := set $namespaces "cozy-system" true }} {{- $_ := set $namespaces "cozy-public" false }} {{- range $namespace, $privileged := $namespaces }} @@ -24,9 +25,10 @@ kind: Namespace metadata: annotations: "helm.sh/resource-policy": keep - {{- if $privileged }} labels: + cozystack.io/system: "true" + {{- if $privileged }} pod-security.kubernetes.io/enforce: privileged - {{- end }} + {{- end }} name: {{ $namespace }} {{- end }} diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index dc79f3f5..c56e2ade 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml 
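Review bot: `{{- $_ := set $namespaces "cozy-system" true }}` in namespaces.yaml registers cozy-system as privileged, so the namespace is now rendered with `pod-security.kubernetes.io/enforce: privileged` in addition to the new `cozystack.io/system: "true"` label; if the label was the goal, `false` keeps PSA enforcement in place. The system label is applied to every namespace in `$namespaces`, including `cozy-public` set to `false` on the next line, so anything keyed on that label will treat cozy-public as a system namespace. A comment above the `set` lines would make the contract explicit, e.g. `{{/* every namespace listed here gets cozystack.io/system=true; the boolean only controls the PSA privileged label */}}`.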
@@ -3,4 +3,4 @@ name: etcd description: Storage for Kubernetes clusters icon: /logos/etcd.svg type: application -version: 2.1.0 +version: 2.2.0 diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml index 6edf5616..b717031e 100644 --- a/packages/extra/etcd/templates/etcd-cluster.yaml +++ b/packages/extra/etcd/templates/etcd-cluster.yaml @@ -33,6 +33,9 @@ spec: clientTrustedCASecret: etcd-ca-tls clientSecret: etcd-client-tls podTemplate: + metadata: + labels: + cozystack.io/service: etcd spec: topologySpreadConstraints: - maxSkew: 1 @@ -41,6 +44,7 @@ spec: labelSelector: matchLabels: app.kubernetes.io/instance: etcd + podDisruptionBudgetTemplate: {} --- apiVersion: cert-manager.io/v1 kind: Issuer diff --git a/packages/extra/ingress/Chart.yaml b/packages/extra/ingress/Chart.yaml index f0ff843f..664a41c5 100644 --- a/packages/extra/ingress/Chart.yaml +++ b/packages/extra/ingress/Chart.yaml @@ -3,4 +3,4 @@ name: ingress description: NGINX Ingress Controller icon: /logos/ingress-nginx.svg type: application -version: 1.3.0 +version: 1.2.0 diff --git a/packages/extra/ingress/Makefile b/packages/extra/ingress/Makefile index 207e2133..ae3389f5 100644 --- a/packages/extra/ingress/Makefile +++ b/packages/extra/ingress/Makefile @@ -1,2 +1,7 @@ +update: get-cloudflare-ips + +get-cloudflare-ips: + printf '{{- define "ingress.cloudflare-ips" -}}\n%s,%s\n{{- end }}\n' "$$(curl -s https://www.cloudflare.com/ips-v4/ | tr '\n' ,)" "$$(curl -s https://www.cloudflare.com/ips-v6/ | tr '\n' ,)" > templates/_cloudflare-ips.tpl + generate: readme-generator -v values.yaml -s values.schema.json -r README.md diff --git a/packages/extra/ingress/README.md b/packages/extra/ingress/README.md index 6167256a..0d00844c 100644 --- a/packages/extra/ingress/README.md +++ b/packages/extra/ingress/README.md 
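Review bot: The `get-cloudflare-ips` recipe fetches with `curl -s` and no `-f`, inside a `$$(...)` substitution whose exit status make never sees, so an HTTP error, captive portal or network failure writes an empty or HTML-filled `_cloudflare-ips.tpl` — and that file becomes the list of addresses whose forwarded headers the ingress trusts. Capture each list first, fail on empty output, and only then write the template.
```makefile
get-cloudflare-ips:
	v4="$$(curl -fsS https://www.cloudflare.com/ips-v4/ | tr '\n' ,)" && \
	v6="$$(curl -fsS https://www.cloudflare.com/ips-v6/ | tr '\n' ,)" && \
	test -n "$$v4" && test -n "$$v6" && \
	printf '{{- define "ingress.cloudflare-ips" -}}\n%s,%s\n{{- end }}\n' "$$v4" "$$v6" > templates/_cloudflare-ips.tpl
# … unchanged: update and generate targets …
```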
@@ -4,7 +4,11 @@ ### Common parameters -| Name | Description | Value | -| ------------- | -------------------------------- | ----- | -| `replicas` | Number of ingress-nginx replicas | `2` | -| `externalIPs` | List of externalIPs for service. | `[]` | +| Name | Description | Value | +| ---------------- | ----------------------------------------------------------------- | ------- | +| `replicas` | Number of ingress-nginx replicas | `2` | +| `externalIPs` | List of externalIPs for service. | `[]` | +| `whitelist` | List of client networks | `[]` | +| `clouflareProxy` | Restoring original visitor IPs when Cloudflare proxied is enabled | `false` | +| `dashboard` | Should ingress serve Cozystack service dashboard | `false` | + diff --git a/packages/extra/ingress/templates/_cloudflare-ips.tpl b/packages/extra/ingress/templates/_cloudflare-ips.tpl new file mode 100644 index 00000000..91439284 --- /dev/null +++ b/packages/extra/ingress/templates/_cloudflare-ips.tpl @@ -0,0 +1,3 @@ +{{- define "ingress.cloudflare-ips" -}} +173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32 +{{- end }} diff --git a/packages/extra/ingress/templates/dashboard.yaml b/packages/extra/ingress/templates/dashboard.yaml new file mode 100644 index 00000000..940fdefe --- /dev/null +++ b/packages/extra/ingress/templates/dashboard.yaml 
@@ -0,0 +1,29 @@ +{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }} +{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }} +{{- if .Values.dashboard }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + acme.cert-manager.io/http01-ingress-class: tenant-root + name: dashboard-{{ .Release.Namespace }} + namespace: cozy-dashboard +spec: + ingressClassName: {{ .Release.Namespace }} + rules: + - host: dashboard.{{ $host }} + http: + paths: + - backend: + service: + name: dashboard + port: + number: 80 + path: / + pathType: Prefix + tls: + - hosts: + - dashboard.{{ $host }} + secretName: dashboard-{{ .Release.Namespace }}-tls +{{- end }} diff --git a/packages/extra/ingress/templates/nginx-ingress.yaml b/packages/extra/ingress/templates/nginx-ingress.yaml index 646a156e..d0b67be4 100644 --- a/packages/extra/ingress/templates/nginx-ingress.yaml +++ b/packages/extra/ingress/templates/nginx-ingress.yaml @@ -23,6 +23,9 @@ spec: ingressClassResource: name: {{ .Release.Namespace }} controllerValue: k8s.io/ingress-nginx-{{ .Release.Namespace }} + podLabels: + cozystack.io/service: ingress + policy.cozystack.io/allow-to-apiserver: "true" {{- if not (eq .Release.Namespace "tenant-root") }} admissionWebhooks: enabled: false @@ -37,3 +40,14 @@ spec: type: LoadBalancer externalTrafficPolicy: Local {{- end }} + {{- if or .Values.whitelist .Values.clouflareProxy }} + config: + {{- with .Values.whitelist }} + whitelist-source-range: "{{ join "," . }}" + {{- end }} + {{- if .Values.clouflareProxy }} + set_real_ip_from: "{{ include "ingress.cloudflare-ips" . }}" + use-forwarded-headers: "true" + server-snippet: "real_ip_header CF-Connecting-IP;" + {{- end }} + {{- end }} diff --git a/packages/extra/ingress/values.schema.json b/packages/extra/ingress/values.schema.json index 48b05272..e669d70e 100644 --- a/packages/extra/ingress/values.schema.json 
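Review bot: In dashboard.yaml the `lookup` and `index $myNS.metadata.annotations ...` on the first two lines execute before `{{- if .Values.dashboard }}`, so every render performs the API call and, when the namespace is not returned (`helm template`, a dry run without cluster access), `$myNS.metadata` is nil and the template fails even with `dashboard: false`; move both lines inside the `if`. The host is also used unchecked in `host: dashboard.{{ $host }}`; quote it and fail early when the annotation is absent, e.g. `{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" | required "namespace.cozystack.io/host annotation missing" }}`. The Ingress is created in `cozy-dashboard` from a tenant-scoped release, so a one-line comment above `namespace: cozy-dashboard` explaining why the object lives outside the release namespace would help the next reader.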
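Review bot: `set_real_ip_from` is, as far as I know, not a key the ingress-nginx ConfigMap reads — the option is `proxy-real-ip-cidr`, whose default is `0.0.0.0/0` — so with `use-forwarded-headers: "true"` the controller trusts `X-Forwarded-For`/`CF-Connecting-IP` from any peer, and a client that reaches the LoadBalancer directly can forge its source address, which also bypasses the `whitelist-source-range` set a few lines above. Change the key to `proxy-real-ip-cidr: "{{ include "ingress.cloudflare-ips" . }}"`, and consider `forwarded-for-header: "CF-Connecting-IP"` instead of the global `server-snippet`, which injects `real_ip_header` into every server block. Because this makes the Cloudflare ranges the trust anchor for client identity, the generated `_cloudflare-ips.tpl` needs refreshing with each release; a comment above `config:` saying so would help.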
+++ b/packages/extra/ingress/values.schema.json @@ -14,6 +14,22 @@ "items": { "type": "string" } + }, + "whitelist": { + "type": "array", + "description": "List of client networks", + "default": [], + "items": {} + }, + "clouflareProxy": { + "type": "boolean", + "description": "Restoring original visitor IPs when Cloudflare proxied is enabled", + "default": false + }, + "dashboard": { + "type": "boolean", + "description": "Should ingress serve Cozystack service dashboard", + "default": false } } } \ No newline at end of file diff --git a/packages/extra/ingress/values.yaml b/packages/extra/ingress/values.yaml index 85b78e6f..b05d6bb5 100644 --- a/packages/extra/ingress/values.yaml +++ b/packages/extra/ingress/values.yaml @@ -14,3 +14,16 @@ replicas: 2 ## - "11.22.33.46" ## externalIPs: [] + +## @param whitelist List of client networks +## Example: +## whitelist: +## - "1.2.3.4" +## - "10.100.0.0/16" +whitelist: [] + +## @param clouflareProxy Restoring original visitor IPs when Cloudflare proxied is enabled +clouflareProxy: false + +## @param dashboard Should ingress serve Cozystack service dashboard +dashboard: false diff --git a/packages/extra/versions_map b/packages/extra/versions_map index e56c2dec..8453643d 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -1,11 +1,11 @@ etcd 1.0.0 f7eaab0 etcd 2.0.0 a6d0f7cf etcd 2.0.1 6fc1cc7d -etcd 2.1.0 HEAD +etcd 2.1.0 2b00fcf8 +etcd 2.2.0 HEAD ingress 1.0.0 f642698 ingress 1.1.0 838bee5d -ingress 1.2.0 07d666c0 -ingress 1.3.0 HEAD +ingress 1.2.0 HEAD monitoring 1.0.0 f642698 monitoring 1.1.0 15478a88 monitoring 1.2.0 HEAD diff --git a/packages/system/cert-manager-issuers/templates/cluster-issuers.yaml b/packages/system/cert-manager-issuers/templates/cluster-issuers.yaml index 83f9be1b..ec52575f 100644 --- a/packages/system/cert-manager-issuers/templates/cluster-issuers.yaml +++ b/packages/system/cert-manager-issuers/templates/cluster-issuers.yaml 
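Review bot: The new public parameter is misspelled `clouflareProxy` consistently across values.yaml, values.schema.json, README.md and nginx-ingress.yaml; since it is user-facing and renaming later breaks existing values files, correct it to `cloudflareProxy` before this ships. In the schema hunk, `whitelist` declares `"items": {}` while the neighbouring `externalIPs` uses `"items": { "type": "string" }`; the whitelist entries are joined straight into `whitelist-source-range`, so constrain them to strings the same way.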
@@ -26,3 +26,10 @@ spec: - http01: ingress: class: nginx +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-cluster-issuer +spec: + selfSigned: {} diff --git a/packages/system/cilium/images/cilium.json b/packages/system/cilium/images/cilium.json index d42c822d..fb74829e 100644 --- a/packages/system/cilium/images/cilium.json +++ b/packages/system/cilium/images/cilium.json @@ -11,7 +11,7 @@ { "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", "digest": { - "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad" + "sha256": "af9b40f2b1851be993763b85288f8434af87b5678af04355b1e33ff530b5765f" } }, { @@ -45,7 +45,17 @@ } } }, - "buildx.build.ref": "amd64/amd64/ydz7c2pwlqaadvlo84t1spegq", - "containerimage.config.digest": "sha256:1f918c5f4bd8a1c90596b7d4256c8a208482141ae3363ab0b4627203b3fa3b32", - "containerimage.digest": "sha256:90e2235e75febcac777c0338fa93d5e7522d82d029facb0c318305ed178a42ac" + "buildx.build.ref": "cozystack/cozystack0/3a5uyqqyj3lnwkgdniwjp341a", + "containerimage.config.digest": "sha256:db99b8b1e565f406af5b240b1ef76b5cc3ba1b510c6e035e1497c5089d65ee12", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282", + "size": 2083, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:0e9fa8f6f5194b84227ea7e7b93ef77244b5550ec62671e04d398818dccfb282", + "image.name": "ghcr.io/aenix-io/cozystack/cilium:1.15.5,ghcr.io/aenix-io/cozystack/cilium:1.15.5-v0.10.1" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.json b/packages/system/dashboard/images/dashboard.json index b5de5c91..a97ddb95 100644 --- a/packages/system/dashboard/images/dashboard.json +++ b/packages/system/dashboard/images/dashboard.json 
@@ -35,7 +35,17 @@ } } }, - "buildx.build.ref": "amd64/amd64/vvxs4dbzlno0vtdl1zudk54fj", - "containerimage.config.digest": "sha256:52a7ac58f30de8bec104f3fa9b3dcc674f37edfee184c5d4229e24f69f4ddcb2", - "containerimage.digest": "sha256:8906436ebd6452549f0634c6db693c7c3248c123f0c882bb8b1bde34ec05aeb6" + "buildx.build.ref": "cozystack/cozystack0/puq8k1x2nsc986l15a2vanb8s", + "containerimage.config.digest": "sha256:2c68c6ce6620a8c8afd84fed1c2265738d661a47ded0be21b2517b0309ed7307", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17", + "size": 703, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:fdabfe2caa3fe2d92ca4a07b60a55c91163d7db25aa12cc4c6034c32ac1dcb17", + "image.name": "ghcr.io/aenix-io/cozystack/dashboard:v0.10.1" } \ No newline at end of file diff --git a/packages/system/dashboard/images/dashboard.tag b/packages/system/dashboard/images/dashboard.tag index bff2f641..2158032b 100644 --- a/packages/system/dashboard/images/dashboard.tag +++ b/packages/system/dashboard/images/dashboard.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/dashboard:v0.9.0 +ghcr.io/aenix-io/cozystack/dashboard:v0.10.1 diff --git a/packages/system/dashboard/images/kubeapps-apis.json b/packages/system/dashboard/images/kubeapps-apis.json index c3dd111a..15913615 100644 --- a/packages/system/dashboard/images/kubeapps-apis.json +++ b/packages/system/dashboard/images/kubeapps-apis.json 
@@ -11,13 +11,13 @@ { "uri": "pkg:docker/bitnami/minideb@bookworm?platform=linux%2Famd64", "digest": { - "sha256": "29b77c65b015126298b9b5d6c20a389f538145c619c8e049ccf2e7cd436e023a" + "sha256": "b13cb4b41be91e22858e9b050a51137b636a34694a92ff17c27cb010e5f93f04" } }, { "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64", "digest": { - "sha256": "b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0" + "sha256": "0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5" } } ], @@ -41,7 +41,17 @@ } } }, - "buildx.build.ref": "amd64/amd64/p2w3cwt8rnd7ivkbmg86ugjj0", - "containerimage.config.digest": "sha256:28621d87b70bc82caf060b33313051703456a2915e95371bcbe5c0e1e5b9daa3", - "containerimage.digest": "sha256:1b6826f030c6d288f9d91476b636300e544bbf55687e59f6de1765d1320faf7b" + "buildx.build.ref": "cozystack/cozystack0/nk99hhpt81cl5xu6eecdk86qs", + "containerimage.config.digest": "sha256:662ea8b8642d1c6662e5eef79ea8329863f5178a80457e1faf983506efe7a611", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d", + "size": 1890, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:eaedcb64abd1c245bd2959c66df430d0fcbbb5968334501f484231707de7ed7d", + "image.name": "ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1" } \ No newline at end of file diff --git a/packages/system/dashboard/images/kubeapps-apis.tag b/packages/system/dashboard/images/kubeapps-apis.tag index 231ec10a..0f05e344 100644 --- a/packages/system/dashboard/images/kubeapps-apis.tag +++ b/packages/system/dashboard/images/kubeapps-apis.tag @@ -1 +1 @@ -ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.9.0 +ghcr.io/aenix-io/cozystack/kubeapps-apis:v0.10.1 
diff --git a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml index ca799e82..a68aca7b 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml +++ b/packages/system/etcd-operator/charts/etcd-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v0.3.1 +appVersion: v0.4.0 name: etcd-operator type: application -version: 0.3.1 +version: 0.4.0 diff --git a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml index 6cc79370..534e00ad 100644 --- a/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml +++ b/packages/system/etcd-operator/charts/etcd-operator/templates/rbac/clusterrole-manager-role.yml @@ -57,6 +57,22 @@ rules: - patch - update - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "storage.k8s.io" + resources: + - storageclasses + verbs: + - get + - list - apiGroups: - etcd.aenix.io resources: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml index 7e633f4f..62c880fc 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml @@ -1,8 +1,9 @@ annotations: - artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"' + artifacthub.io/changes: | + - Update Ingress-Nginx version controller-v1.11.1 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.9.4 +appVersion: 1.11.1 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx 
@@ -10,12 +11,15 @@ icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/5 keywords: - ingress - nginx -kubeVersion: '>=1.20.0-0' +kubeVersion: '>=1.21.0-0' maintainers: +- name: cpanato +- name: Gacko +- name: puerco - name: rikatz - name: strongjz - name: tao12345666333 name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.8.4 +version: 4.11.1 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS index 6b7e049c..d588ede6 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS +++ b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS @@ -1,4 +1,4 @@ -# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md +# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners approvers: - ingress-nginx-helm-maintainers diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md b/packages/system/ingress-nginx/charts/ingress-nginx/README.md index c03f290d..0acf3da9 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.8.4](https://img.shields.io/badge/Version-4.8.4-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square) +![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. 
@@ -10,7 +10,7 @@ This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kuber ## Requirements -Kubernetes: `>=1.20.0-0` +Kubernetes: `>=1.21.0-0` ## Get Repo Info 
@@ -253,17 +253,23 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v20231011-8b53cabe0"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | +| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC | +| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not | | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods | +| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | 
Admission webhook patch job service account | +| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not | +| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not | +| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name | | controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | @@ -285,7 +291,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | controller.autoscalingTemplate | list | `[]` | | -| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | +| controller.config | object | `{}` | Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. | | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.containerName | string | `"controller"` | Configures the controller container name | 
@@ -293,9 +299,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.containerSecurityContext | object | `{}` | Security context for controller containers | | controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapName | string | `""` | | +| controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | +| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | | controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | 
@@ -317,8 +325,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | | -| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | | +| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | | +| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -326,14 +334,17 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.9.4"` | | +| controller.image.tag | string | `"v1.11.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | -| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | -| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster | -| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not | -| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass | -| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. | +| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | +| controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. 
Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. | +| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. | +| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class | +| controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class | +| controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not | +| controller.ingressClassResource.name | string | `"nginx"` | Name of the IngressClass | +| controller.ingressClassResource.parameters | object | `{}` | A link to a custom resource containing additional configuration for the controller. This is optional if the controller consuming this IngressClass does not require additional parameters. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class | | controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` | | | controller.keda.behavior | object | `{}` | | | controller.keda.cooldownPeriod | int | `300` | | 
@@ -369,6 +380,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | +| controller.metrics.serviceMonitor.annotations | object | `{}` | | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | @@ -387,9 +399,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.opentelemetry.distroless | bool | `true` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.image.distroless | bool | `true` | | +| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | +| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | +| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | | controller.opentelemetry.name | string | `"opentelemetry"` | | | controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | 
@@ -415,34 +430,50 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | -| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. | -| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # | -| controller.service.enableHttp | bool | `true` | | -| controller.service.enableHttps | bool | `true` | | -| controller.service.enabled | bool | `true` | | -| controller.service.external.enabled | bool | `true` | | -| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | -| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. 
| -| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | -| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. | -| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | -| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | -| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | -| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | -| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | -| controller.service.labels | object | `{}` | | -| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. 
https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | -| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | -| controller.service.loadBalancerSourceRanges | list | `[]` | | -| controller.service.nodePorts.http | string | `""` | | -| controller.service.nodePorts.https | string | `""` | | -| controller.service.nodePorts.tcp | object | `{}` | | -| controller.service.nodePorts.udp | object | `{}` | | -| controller.service.ports.http | int | `80` | | -| controller.service.ports.https | int | `443` | | -| controller.service.targetPorts.http | string | `"http"` | | -| controller.service.targetPorts.https | string | `"https"` | | -| controller.service.type | string | `"LoadBalancer"` | | +| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. | +| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | +| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. 
| +| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | +| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | +| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | +| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | +| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | +| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | +| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | +| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | +| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | +| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | +| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. | +| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 | +| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | +| controller.service.internal.ports | object | `{}` | | +| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.internal.targetPorts | object | `{}` | | +| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | +| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.labels | object | `{}` | Labels to be added to both controller services. | +| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | +| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | +| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. | +| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. 
| +| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 | +| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | +| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. | +| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. | +| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | +| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | +| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.shareProcessNamespace | bool | `false` | | | controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap | 
@@ -454,7 +485,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | -| defaultBackend.affinity | object | `{}` | | +| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | | defaultBackend.autoscaling.annotations | object | `{}` | | | defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | | 
@@ -510,6 +541,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.serviceAccount.create | bool | `true` | | | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | +| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml index f299dbf1..52a32fcb 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml index 2310c344..91b1b98a 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml @@ -9,4 +9,7 @@ controller: allowPrivilegeEscalation: false extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml index bd2f011c..b6013c7d 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml @@ -7,6 +7,9 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest containerSecurityContext: allowPrivilegeEscalation: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml index ec592354..2fbe1cc0 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml new file mode 100644 index 00000000..fb3ef444 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml @@ -0,0 +1,9 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + opentelemetry: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl index c936dab7..0c6a3e20 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl @@ -167,6 +167,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create the name of the admission webhook patch job service account to use +*/}} +{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}} +{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}} + {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified admission webhook secret creation job name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
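Review bot: When `serviceAccount.create` is false and `name` is left empty, the new helper silently resolves the patch job to the namespace's shared `default` service account, so any ClusterRoleBinding rendered for the patch job (not visible in this chunk) would attach the webhook-patching permissions to an account that every pod without an explicit `serviceAccountName` in that namespace also runs as. This mirrors the common Helm pattern, but for a job whose purpose is to rewrite admission webhook configuration it is worth failing loudly instead: `{{ required "controller.admissionWebhooks.patch.serviceAccount.name must be set when serviceAccount.create is false" .Values.controller.admissionWebhooks.patch.serviceAccount.name }}`. If the upstream behaviour must be kept, at least state the fallback in the define's header comment, e.g. `Falls back to the namespace's "default" service account when create is false and name is empty`.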
@@ -242,22 +253,13 @@ Check the ingress controller version tag is at most three versions behind the la {{- end -}} {{- end -}} -{{/* -IngressClass parameters. -*/}} -{{- define "ingressClass.parameters" -}} - {{- if .Values.controller.ingressClassResource.parameters -}} - parameters: -{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}} - {{ end }} -{{- end -}} - {{/* Extra modules. */}} {{- define "extraModules" -}} - name: {{ .name }} - image: {{ .image }} + {{- with .image }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} command: {{- if .distroless }} - /init_module @@ -266,6 +268,7 @@ Extra modules. - -c - /usr/local/bin/init_module.sh {{- end }} + {{- end }} {{- if .containerSecurityContext }} securityContext: {{ toYaml .containerSecurityContext | nindent 4 }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_params.tpl b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_params.tpl index 47d024e8..48569a8b 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_params.tpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_params.tpl @@ -29,7 +29,7 @@ - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} {{- end }} {{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }} -- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }} +- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }} {{- end }} {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} 
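Review bot: Inside the new `{{- with .image }}` block, `{{- if .distroless }}` now reads `image.distroless`, and the controller-daemonset and controller-deployment hunks later in this patch drop `"distroless" .distroless` from the dict passed to `extraModules`, so a values file that still sets `extraModules[].distroless: true` (or `opentelemetry.distroless: true`) silently takes the `/usr/local/bin/init_module.sh` shell path instead of `/init_module`. That is a breaking change for existing values rather than a refactor and should be stated next to the image block in values.yaml (`distroless` has moved under `image`). If compatibility is wanted, the callers can keep passing the top-level key and the helper can check both with `{{- if or .distroless $.distroless }}`, since `$` inside the define is still the dict. The `extraModules` define continues past the end of this hunk.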
@@ -54,9 +54,18 @@ {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} +{{- if not .Values.controller.metrics.enabled }} +- --enable-metrics={{ .Values.controller.metrics.enabled }} +{{- end }} {{- if .Values.controller.enableTopologyAwareRouting }} - --enable-topology-aware-routing=true {{- end }} +{{- if .Values.controller.disableLeaderElection }} +- --disable-leader-election=true +{{- end }} +{{- if .Values.controller.electionTTL }} +- --election-ttl={{ .Values.controller.electionTTL }} +{{- end }} {{- range $key, $value := .Values.controller.extraArgs }} {{- /* Accept keys without values or with false as value */}} {{- if eq ($value | quote | len) 2 }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index 8271dc40..a2184820 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index 3fe842d1..b8938843 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -18,6 +18,6 @@ roleRef: name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index c29083f2..17661646 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml 
@@ -43,7 +43,7 @@ spec: containers: - name: create {{- with .Values.controller.admissionWebhooks.patch.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: @@ -66,7 +66,7 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index cbc4a761..f7d44a24 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 
@@ -43,7 +43,7 @@ spec: containers: - name: patch {{- with .Values.controller.admissionWebhooks.patch.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: @@ -68,7 +68,7 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index 5b05d9b0..c4b23aa0 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml index 48a17556..425e8d82 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -19,6 +19,6 @@ roleRef: name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml index 91bbf22b..52f94dcc 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml 
@@ -1,8 +1,8 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade @@ -13,4 +13,5 @@ metadata: {{- with .Values.controller.admissionWebhooks.patch.labels }} {{- toYaml . | nindent 4 }} {{- end }} +automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-configmap.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-configmap.yaml index 662a1620..22080d11 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-configmap.yaml @@ -24,5 +24,5 @@ data: ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }} {{- end }} {{- range $key, $value := .Values.controller.config }} - {{- $key | nindent 2 }}: {{ $value | quote }} + {{- $key | nindent 2 }}: {{ tpl (toString $value) $ | quote }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml index 887d7a20..80ad656b 100644 
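Review bot: `automountServiceAccountToken:` is rendered unconditionally from `patch.serviceAccount.automountServiceAccountToken`, and as far as the job-createSecret and job-patchWebhook hunks in this patch show, the job pods do not set the field at pod level, so a user who sets the value to false removes the token the patch job needs to talk to the API server, and an unset value leaves the line without a boolean. Either guard it, `{{- if hasKey .Values.controller.admissionWebhooks.patch.serviceAccount "automountServiceAccountToken" }}`, or document next to the value that it must stay true while the patch job is enabled; setting `automountServiceAccountToken: true` explicitly in the job pod specs would make the job independent of the account-level default.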
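Review bot: `{{ tpl (toString $value) $ | quote }}` evaluates every `controller.config` entry as a Go template with the full chart context, so a config value that legitimately contains `{{` (an nginx or Lua snippet, for example) now renders differently or aborts the whole release render with a template error where it was previously emitted verbatim. This deserves a comment in values.yaml next to `controller.config` saying that template delimiters in values must be escaped (e.g. `{{ "{{" }}`), and the rendered ConfigMap should be checked because `quote` is applied after templating, not before.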
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -77,7 +77,7 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} @@ -186,13 +186,13 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- if .Values.controller.opentelemetry.enabled }} {{- with .Values.controller.opentelemetry }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} 
@@ -206,7 +206,7 @@ spec: tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} {{- end }} {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml index b504faec..e2915a76 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml @@ -19,7 +19,7 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }} + {{- if eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }} replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} @@ -80,7 +80,7 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} 
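Review bot: In controller-deployment.yaml, `{{- if eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }}` renders `replicas` when both autoscalers are off and also when both are on; that appears to be a deliberate "conflicting config falls back to static replicas" rule (the controller-keda.yaml hunk later in this patch stops rendering the ScaledObject in the same case) but it reads like an equality typo. A one-line comment would spare the next reader the derivation, e.g. `{{- /* replicas is omitted only when exactly one of HPA or KEDA is enabled */ -}}`. The Deployment spec this belongs to starts and ends outside the hunk.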
@@ -189,13 +189,13 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- if .Values.controller.opentelemetry.enabled }} {{- with .Values.controller.opentelemetry }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -209,7 +209,7 @@ spec: tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} {{- end }} {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml new file mode 100644 index 00000000..ffe22310 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml 
@@ -0,0 +1,23 @@ +{{- if .Values.controller.ingressClassResource.enabled -}} +{{- range .Values.controller.ingressClassResource.aliases }} +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + {{- include "ingress-nginx.labels" $ | nindent 4 }} + app.kubernetes.io/component: controller + {{- with $.Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ . }} + {{- if $.Values.controller.ingressClassResource.annotations }} + annotations: {{ toYaml $.Values.controller.ingressClassResource.annotations | nindent 4 }} + {{- end }} +spec: + controller: {{ $.Values.controller.ingressClassResource.controllerValue }} + {{- with $.Values.controller.ingressClassResource.parameters }} + parameters: {{ toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass.yaml index 9492784a..98479a52 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-ingressclass.yaml @@ -1,6 +1,4 @@ {{- if .Values.controller.ingressClassResource.enabled -}} -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: 
@@ -11,11 +9,18 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ .Values.controller.ingressClassResource.name }} -{{- if .Values.controller.ingressClassResource.default }} + {{- if or .Values.controller.ingressClassResource.default .Values.controller.ingressClassResource.annotations }} annotations: + {{- if .Values.controller.ingressClassResource.default }} ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} + {{- end }} + {{- if .Values.controller.ingressClassResource.annotations }} + {{- toYaml .Values.controller.ingressClassResource.annotations | nindent 4 }} + {{- end }} + {{- end }} spec: controller: {{ .Values.controller.ingressClassResource.controllerValue }} - {{ template "ingressClass.parameters" . }} + {{- with .Values.controller.ingressClassResource.parameters }} + parameters: {{ toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-keda.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-keda.yaml index 6ff9c0b2..24d30fa0 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-keda.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-keda.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}} +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) -}} apiVersion: {{ .Values.controller.keda.apiVersion }} kind: ScaledObject metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 8cb7d4b9..8e0181f9 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml 
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -1,4 +1,13 @@ -{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (and (not .Values.controller.autoscaling.enabled) (gt (.Values.controller.replicaCount | int) 1)) }} +# PDB is not supported for DaemonSets. +# https://github.com/kubernetes/kubernetes/issues/108124 +{{- if eq .Values.controller.kind "Deployment" }} +{{- $replicas := .Values.controller.replicaCount }} +{{- if and .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) }} +{{- $replicas = .Values.controller.autoscaling.minReplicas }} +{{- else if and .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) }} +{{- $replicas = .Values.controller.keda.minReplicas }} +{{- end }} +{{- if gt ($replicas | int) 1 }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget metadata: @@ -24,3 +33,4 @@ spec: maxUnavailable: {{ .Values.controller.maxUnavailable }} {{- end }} {{- end }} +{{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml index f0b93cc8..41684c37 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml @@ -1,4 +1,4 @@ -{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}} +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}} apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-role.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-role.yaml index f6217a29..a94b3997 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-role.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-role.yaml @@ -44,12 +44,15 @@ rules: - get - list - watch + # Omit Ingress status permissions if `--update-status` is disabled. + {{- if ne (index .Values.controller.extraArgs "update-status") "false" }} - apiGroups: - networking.k8s.io resources: - ingresses/status verbs: - update + {{- end }} - apiGroups: - networking.k8s.io resources: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-internal.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-internal.yaml index b69a09f6..6d0b47ca 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}} +{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}} apiVersion: v1 kind: Service metadata: 
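Review bot: `{{- if ne (index .Values.controller.extraArgs "update-status") "false" }}` compares whatever type the user put in `extraArgs` against a string, while `_params.tpl` in this same patch deliberately accepts a YAML boolean `false` as an extraArgs value (the `$value | quote | len` check); Go's `ne` reports an incompatible-types error for a bool versus a string, so `update-status: false` would abort rendering of this Role. Normalising first avoids that: `{{- if ne (toString (index .Values.controller.extraArgs "update-status")) "false" }}` (an absent key still evaluates as not equal, so the verb stays granted by default). Dropping the `ingresses/status` update verb when status updates are disabled is a good least-privilege trim; if the ClusterRole template grants the same verb it would want the same guard, which is not visible here.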
@@ -15,9 +15,12 @@ metadata: name: {{ include "ingress-nginx.controller.fullname" . }}-internal namespace: {{ include "ingress-nginx.namespace" . }} spec: - type: "{{ .Values.controller.service.type }}" -{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }} + type: {{ .Values.controller.service.internal.type | default .Values.controller.service.type }} +{{- if .Values.controller.service.internal.clusterIP }} + clusterIP: {{ .Values.controller.service.internal.clusterIP }} +{{- end }} +{{- if .Values.controller.service.internal.externalIPs }} + externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }} {{- end }} {{- if .Values.controller.service.internal.loadBalancerIP }} loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }} 
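Review bot: `type:` now resolves to `.Values.controller.service.internal.type | default .Values.controller.service.type`, but `$setNodePorts` at the end of the next hunk is still derived from `.Values.controller.service.type` alone, and the http/https/tcp/udp `nodePort:` lines in the two hunks after that all key off it. With `internal.type: ClusterIP` under an external `LoadBalancer` a `nodePort` is emitted for a ClusterIP service, which service validation rejects; with the inverse combination the internal `nodePorts` are silently dropped. Deriving the flag from the effective type fixes both: `{{- $internalType := .Values.controller.service.internal.type | default .Values.controller.service.type }}` followed by `{{- $setNodePorts := (or (eq $internalType "NodePort") (eq $internalType "LoadBalancer")) }}`.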
@@ -25,8 +28,28 @@ spec: {{- if .Values.controller.service.internal.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }} {{- end }} +{{- if .Values.controller.service.internal.loadBalancerClass }} + loadBalancerClass: {{ .Values.controller.service.internal.loadBalancerClass }} +{{- end }} +{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }} +{{- end }} {{- if .Values.controller.service.internal.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.service.internal.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.internal.sessionAffinity }} +{{- end }} +{{- if .Values.controller.service.internal.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }} +{{- end }} +{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} +{{- if .Values.controller.service.internal.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }} +{{- end }} +{{- if .Values.controller.service.internal.ipFamilies }} + ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }} +{{- end }} {{- end }} ports: {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} 
@@ -35,11 +58,11 @@ spec: port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }} protocol: TCP targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }} - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }} appProtocol: http {{- end }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} - nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.http))) }} + nodePort: {{ .Values.controller.service.internal.nodePorts.http }} {{- end }} {{- end }} {{- if .Values.controller.service.enableHttps }} @@ -47,11 +70,11 @@ spec: port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }} protocol: TCP targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }} - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }} appProtocol: https {{- end }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} - nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.https))) }} + nodePort: {{ .Values.controller.service.internal.nodePorts.https }} {{- end }} {{- end }} {{- range $key, $value := .Values.tcp }} 
@@ -59,9 +82,9 @@ spec: port: {{ $key }} protocol: TCP targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - {{- if $.Values.controller.service.nodePorts.tcp }} - {{- if index $.Values.controller.service.nodePorts.tcp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} + {{- if $.Values.controller.service.internal.nodePorts.tcp }} + {{- if index $.Values.controller.service.internal.nodePorts.tcp $key }} + nodePort: {{ index $.Values.controller.service.internal.nodePorts.tcp $key }} {{- end }} {{- end }} {{- end }} @@ -70,9 +93,9 @@ spec: port: {{ $key }} protocol: UDP targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - {{- if $.Values.controller.service.nodePorts.udp }} - {{- if index $.Values.controller.service.nodePorts.udp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} + {{- if $.Values.controller.service.internal.nodePorts.udp }} + {{- if index $.Values.controller.service.internal.nodePorts.udp $key }} + nodePort: {{ index $.Values.controller.service.internal.nodePorts.udp $key }} {{- end }} {{- end }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml index 2d02e23a..6dcf1a10 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml @@ -31,7 +31,7 @@ spec: - name: https-webhook port: 443 targetPort: webhook - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: https {{- end }} selector: 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service.yaml index d8163501..cb78a703 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service.yaml @@ -16,9 +16,6 @@ metadata: namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.service.type }} -{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} -{{- end }} {{- if .Values.controller.service.clusterIP }} clusterIP: {{ .Values.controller.service.clusterIP }} {{- end }} @@ -34,6 +31,9 @@ spec: {{- if .Values.controller.service.loadBalancerClass }} loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }} {{- end }} +{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} +{{- end }} {{- if .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} {{- end }} @@ -47,8 +47,6 @@ spec: {{- if .Values.controller.service.ipFamilyPolicy }} ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} {{- end }} -{{- end }} -{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} {{- if .Values.controller.service.ipFamilies }} ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }} {{- end }} 
@@ -60,7 +58,7 @@ spec:
 port: {{ .Values.controller.service.ports.http }}
 protocol: TCP
 targetPort: {{ .Values.controller.service.targetPorts.http }}
- {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
+ {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
 appProtocol: http
 {{- end }}
 {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
@@ -72,7 +70,7 @@ spec:
 port: {{ .Values.controller.service.ports.https }}
 protocol: TCP
 targetPort: {{ .Values.controller.service.targetPorts.https }}
- {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
+ {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
 appProtocol: https
 {{- end }}
 {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml
index 585fd0cb..62301da4 100644
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -14,6 +14,9 @@ metadata:
 {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
 {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
 {{- end }}
+ {{- if .Values.controller.metrics.serviceMonitor.annotations }}
+ annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }}
+ {{- end }}
 spec:
 endpoints:
 - port: {{ .Values.controller.metrics.portName }}
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml
index ed88e6bc..c6ccdd5c 100644
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -30,7 +30,7 @@ spec:
 annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
 {{- end }}
 labels:
- {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
 app.kubernetes.io/component: default-backend
 {{- with .Values.defaultBackend.labels }}
 {{- toYaml . | nindent 8 }}
@@ -51,7 +51,7 @@ spec:
 containers:
 - name: {{ template "ingress-nginx.name" . }}-default-backend
 {{- with .Values.defaultBackend.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
 {{- end }}
 imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
 {{- if .Values.defaultBackend.extraArgs }}
@@ -107,7 +107,10 @@ spec:
 tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
 {{- end }}
 {{- if .Values.defaultBackend.affinity }}
- affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
+ affinity: {{ tpl (toYaml .Values.defaultBackend.affinity) $ | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.topologySpreadConstraints }}
+ topologySpreadConstraints: {{ tpl (toYaml .Values.defaultBackend.topologySpreadConstraints) $ | nindent 8 }}
 {{- end }}
 terminationGracePeriodSeconds: 60
 {{- if .Values.defaultBackend.extraVolumes }}
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml
index 88b59280..9af56cf3 100644
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml
@@ -1,23 +1,23 @@
 {{- if .Values.defaultBackend.enabled }}
- {{- range .Values.defaultBackend.extraConfigMaps }}
+{{- range .Values.defaultBackend.extraConfigMaps }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ .name }}
- namespace: {{ include "ingress-nginx.namespace" $ | quote }}
 labels:
 {{- include "ingress-nginx.labels" $ | nindent 4 }}
+ app.kubernetes.io/component: default-backend
 {{- with $.Values.defaultBackend.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- with .labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+ name: {{ .name }}
+ namespace: {{ include "ingress-nginx.namespace" $ }}
 data:
 {{- with .data }}
 {{- toYaml . | nindent 2 }}
 {{- end }}
- {{- end }}
 {{- end }}
-
+{{- end }}
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-hpa.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-hpa.yaml
index 69932389..49bcdcfd 100644
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-hpa.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-hpa.yaml
@@ -21,14 +21,6 @@ spec:
 minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
 maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
 metrics:
- {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ . }}
- {{- end }}
 {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
 - type: Resource
 resource:
@@ -37,4 +29,12 @@ spec:
 type: Utilization
 averageUtilization: {{ . }}
 {{- end }}
+ {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ . }}
+ {{- end }}
 {{- end }}
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-service.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-service.yaml
index 2cccd6e9..65b6b836 100644
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-service.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-service.yaml
@@ -32,7 +32,7 @@ spec:
 port: {{ .Values.defaultBackend.service.servicePort }}
 protocol: TCP
 targetPort: http
- {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+ {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
 appProtocol: http
 {{- end }}
 selector:
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
new file mode 100644
index 00000000..d7a8b885
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRole
+templates:
+ - admission-webhooks/job-patch/clusterrole.yaml
+
+tests:
+ - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
new file mode 100644
index 00000000..d7c3266d
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRoleBinding
+templates:
+ - admission-webhooks/job-patch/clusterrolebinding.yaml
+
+tests:
+ - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
new file mode 100644
index 00000000..a236f3d7
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > Role
+templates:
+ - admission-webhooks/job-patch/role.yaml
+
+tests:
+ - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
new file mode 100644
index 00000000..74abaa16
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > RoleBinding
+templates:
+ - admission-webhooks/job-patch/rolebinding.yaml
+
+tests:
+ - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+ set:
+ controller.admissionWebhooks.patch.rbac.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
new file mode 100644
index 00000000..7c30d1e6
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
@@ -0,0 +1,47 @@
+suite: Admission Webhooks > Patch Job > ServiceAccount
+templates:
+ - admission-webhooks/job-patch/serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission
+
+ - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml
new file mode 100644
index 00000000..e831d50c
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml
@@ -0,0 +1,27 @@
+suite: Controller > ConfigMap > Add Headers
+templates:
+ - controller-configmap-addheaders.yaml
+
+tests:
+ - it: should not create a ConfigMap if `controller.addHeaders` is not set
+ set:
+ controller.addHeaders: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ConfigMap if `controller.addHeaders` is set
+ set:
+ controller.addHeaders:
+ X-Another-Custom-Header: Value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-custom-add-headers
+ - equal:
+ path: data.X-Another-Custom-Header
+ value: Value
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml
new file mode 100644
index 00000000..0634a373
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml
@@ -0,0 +1,27 @@
+suite: Controller > ConfigMap > Proxy Headers
+templates:
+ - controller-configmap-proxyheaders.yaml
+
+tests:
+ - it: should not create a ConfigMap if `controller.proxySetHeaders` is not set
+ set:
+ controller.proxySetHeaders: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ConfigMap if `controller.proxySetHeaders` is set
+ set:
+ controller.proxySetHeaders:
+ X-Custom-Header: Value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-custom-proxy-headers
+ - equal:
+ path: data.X-Custom-Header
+ value: Value
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml
new file mode 100644
index 00000000..9cfea980
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > ConfigMap
+templates:
+ - controller-configmap.yaml
+
+tests:
+ - it: should create a ConfigMap
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a ConfigMap with templated values if `controller.config` contains templates
+ set:
+ controller.config:
+ global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local"
+ global-rate-limit-memcached-port: 11211
+ use-gzip: true
+ asserts:
+ - equal:
+ path: data.global-rate-limit-memcached-host
+ value: memcached.NAMESPACE.svc.kubernetes.local
+ - equal:
+ path: data.global-rate-limit-memcached-port
+ value: "11211"
+ - equal:
+ path: data.use-gzip
+ value: "true"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml
new file mode 100644
index 00000000..6ee794af
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@@ -0,0 +1,140 @@
+suite: Controller > DaemonSet
+templates:
+ - controller-daemonset.yaml
+
+tests:
+ - it: should create a DaemonSet if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: DaemonSet
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
+ set:
+ controller.kind: DaemonSet
+ controller.metrics.enabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+ set:
+ controller.kind: DaemonSet
+ controller.metrics.enabled: true
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.kind: DaemonSet
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --controller-class=k8s.io/ingress-nginx-internal
+
+ - it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
+ set:
+ controller.kind: DaemonSet
+ controller.resources.limits.cpu: 500m
+ controller.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a DaemonSet with topology spread constraints if `controller.topologySpreadConstraints` is set
+ set:
+ controller.kind: DaemonSet
+ controller.topologySpreadConstraints:
+ - 
labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a DaemonSet with affinity if `controller.affinity` is set
+ set:
+ controller.kind: DaemonSet
+ controller.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . 
}}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml
new file mode 100644
index 00000000..82b97a0f
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml
@@ -0,0 +1,162 @@
+suite: Controller > Deployment
+templates:
+ - controller-deployment.yaml
+
+tests:
+ - it: should create a Deployment
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Deployment
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3
+ set:
+ controller.replicaCount: 3
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should create a Deployment without replicas if `controller.autoscaling.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment without replicas if `controller.keda.enabled` is true
+ set:
+ controller.keda.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment with replicas if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - exists:
+ path: spec.replicas
+
+ - it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
+ set:
+ controller.metrics.enabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: 
--controller-class=k8s.io/ingress-nginx-internal
+
+ - it: should create a Deployment with resource limits if `controller.resources.limits` is set
+ set:
+ controller.resources.limits.cpu: 500m
+ controller.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a Deployment with topology spread constraints if `controller.topologySpreadConstraints` is set
+ set:
+ controller.topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a Deployment with affinity if `controller.affinity` is set
+ set:
+ controller.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ 
operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . }}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-hpa_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-hpa_test.yaml
new file mode 100644
index 00000000..869d3a69
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-hpa_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > HPA
+templates:
+ - controller-hpa.yaml
+
+tests:
+ - it: should create an HPA if `controller.autoscaling.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: HorizontalPodAutoscaler
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create an HPA if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create an HPA if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml
new file mode 100644
index 00000000..9a4a576b
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml
@@ -0,0 +1,110 @@
+suite: Controller > IngressClass > Aliases
+templates:
+ - controller-ingressclass-aliases.yaml
+
+tests:
+ - it: should not create IngressClass aliases
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create an IngressClass alias with name "nginx-alias" if `controller.ingressClassResource.aliases` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+
+ - it: should create an IngressClass alias without annotation `ingressclass.kubernetes.io/is-default-class` if `controller.ingressClassResource.default` is true
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.default: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - notExists:
+ path: metadata.annotations["ingressclass.kubernetes.io/is-default-class"]
+
+ - it: should create an IngressClass alias with annotations if `controller.ingressClassResource.annotations` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.annotations:
+ my-fancy-annotation: has-a-value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: metadata.annotations.my-fancy-annotation
+ value: has-a-value
+
+ - it: should create an IngressClass alias with controller "k8s.io/ingress-nginx-internal" if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: spec.controller
+ value: 
k8s.io/ingress-nginx-internal
+
+ - it: should create an IngressClass alias with parameters if `controller.ingressClassResource.parameters` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.parameters:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: spec.parameters
+ value:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+
+ - it: should create two IngressClass aliases if `controller.ingressClassResource.aliases` has two elements
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias-1
+ - nginx-alias-2
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: IngressClass
+ - matchRegex:
+ path: metadata.name
+ pattern: nginx-alias-(1|2)
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass_test.yaml
new file mode 100644
index 00000000..b3384af3
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-ingressclass_test.yaml
@@ -0,0 +1,93 @@
+suite: Controller > IngressClass
+templates:
+ - controller-ingressclass.yaml
+
+tests:
+ - it: should create an IngressClass
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+
+ - it: should create an IngressClass with name "nginx-internal" if `controller.ingressClassResource.name` is "nginx-internal"
+ set:
+ controller.ingressClassResource.name: nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-internal
+
+ - it: "should create an IngressClass with annotation `ingressclass.kubernetes.io/is-default-class: \"true\"` if `controller.ingressClassResource.default` is true"
+ set:
+ controller.ingressClassResource.default: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: metadata.annotations["ingressclass.kubernetes.io/is-default-class"]
+ value: "true"
+
+ - it: should create an IngressClass with annotations if `controller.ingressClassResource.annotations` is set
+ set:
+ controller.ingressClassResource.annotations:
+ my-fancy-annotation: has-a-value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: metadata.annotations.my-fancy-annotation
+ value: has-a-value
+
+ - it: should create an IngressClass with controller "k8s.io/ingress-nginx-internal" if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: spec.controller
+ value: k8s.io/ingress-nginx-internal
+
+ - it: should create an IngressClass with parameters if `controller.ingressClassResource.parameters` is set
+ 
set:
+ controller.ingressClassResource.parameters:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: spec.parameters
+ value:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-keda_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-keda_test.yaml
new file mode 100644
index 00000000..80028348
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-keda_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > KEDA
+templates:
+ - controller-keda.yaml
+
+tests:
+ - it: should create a ScaledObject if `controller.keda.enabled` is true
+ set:
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ScaledObject
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a ScaledObject if `controller.keda.enabled` is true and `controller.autoscaling.enabled` is true
+ set:
+ controller.keda.enabled: true
+ controller.autoscaling.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a ScaledObject if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml
new file mode 100644
index 00000000..5de12e9c
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml
@@ -0,0 +1,23 @@ +suite: Controller > NetworkPolicy +templates: + - controller-networkpolicy.yaml + +tests: + - it: should not create a NetworkPolicy if `controller.networkPolicy.enabled` is false + set: + controller.networkPolicy.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a NetworkPolicy if `controller.networkPolicy.enabled` is true + set: + controller.networkPolicy.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: NetworkPolicy + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml new file mode 100644 index 00000000..48b4fafc --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml 
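Review bot: The positive case asserts only kind and name, so a NetworkPolicy that renders with an empty `podSelector` (which selects every pod in the namespace) or without `policyTypes` would still pass. Add `- exists: path: spec.podSelector.matchLabels` and `- exists: path: spec.policyTypes` to the enabled case; exact expected values should be taken from the template, which is not part of this diff. Asserting on the rendered selector is the check that actually protects the isolation the policy is meant to provide.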
@@ -0,0 +1,73 @@ +suite: Controller > PodDisruptionBudget +templates: + - controller-poddisruptionbudget.yaml + +tests: + - it: should create a PodDisruptionBudget if `controller.replicaCount` is greater than 1 + set: + controller.replicaCount: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should not create a PodDisruptionBudget if `controller.replicaCount` is less than or equal 1 + set: + controller.replicaCount: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.autoscaling.minReplicas` is greater than 1 + set: + controller.autoscaling.enabled: true + controller.autoscaling.minReplicas: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should not create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.autoscaling.minReplicas` is less than or equal 1 + set: + controller.autoscaling.enabled: true + controller.autoscaling.minReplicas: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should create a PodDisruptionBudget if `controller.keda.enabled` is true and `controller.keda.minReplicas` is greater than 1 + set: + controller.keda.enabled: true + controller.keda.minReplicas: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should not create a PodDisruptionBudget if `controller.keda.enabled` is true and `controller.keda.minReplicas` is less than or equal 1 + set: + controller.keda.enabled: true + controller.keda.minReplicas: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should not create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and 
`controller.keda.enabled` is true + set: + controller.autoscaling.enabled: true + controller.keda.enabled: true + asserts: + - hasDocuments: + count: 0 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-internal_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-internal_test.yaml new file mode 100644 index 00000000..5465e1a2 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-internal_test.yaml @@ -0,0 +1,25 @@ +suite: Controller > Service > Internal +templates: + - controller-service-internal.yaml + +tests: + - it: should not create an internal Service if `controller.service.internal.enabled` is false + set: + controller.service.internal.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create an internal Service if `controller.service.internal.enabled` is true and `controller.service.internal.annotations` are set + set: + controller.service.internal.enabled: true + controller.service.internal.annotations: + test.annotation: "true" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-internal diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-metrics_test.yaml new file mode 100644 index 00000000..afdb9404 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-metrics_test.yaml 
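Review bot: None of the three positive cases in controller-poddisruptionbudget_test.yaml asserts the budget itself, so a template that renders a PodDisruptionBudget with neither `minAvailable` nor `maxUnavailable` would pass. Add `- exists: path: spec.minAvailable` (or `spec.maxUnavailable`, whichever the template emits) to each of them. The template is not part of this diff, so the field name is inferred.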
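Review bot: The suite is missing the case that values.yaml in this commit describes as the distinguishing rule for the internal service: annotations are mandatory for it to be created. With `controller.service.internal.enabled: true` and no annotations the expected result is `hasDocuments: count: 0`; without that case a template regression that starts rendering an unannotated load balancer, which on cloud providers typically means a public one, goes unnoticed. The positive case could additionally assert `spec.type` with `controller.service.internal.type` set, since that key is new in this commit.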
@@ -0,0 +1,23 @@ +suite: Controller > Service > Metrics +templates: + - controller-service-metrics.yaml + +tests: + - it: should not create a metrics Service if `controller.metrics.enabled` is false + set: + controller.metrics.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a metrics Service if `controller.metrics.enabled` is true + set: + controller.metrics.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-metrics diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service_test.yaml new file mode 100644 index 00000000..10574f22 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service_test.yaml @@ -0,0 +1,32 @@ +suite: Controller > Service +templates: + - controller-service.yaml + +tests: + - it: should not create a Service if `controller.service.external.enabled` is false + set: + controller.service.external.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service if `controller.service.external.enabled` is true + set: + controller.service.external.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort" + set: + controller.service.external.enabled: true + controller.service.type: NodePort + asserts: + - equal: + path: spec.type + value: NodePort diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml new file mode 100644 index 00000000..e237fe7e 
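Review bot: No case in controller-service_test.yaml covers `controller.service.loadBalancerSourceRanges`, the one field of this service that restricts who can reach the external load balancer, and values.yaml in this commit documents it as allowing any source address by default. A case that sets `controller.service.loadBalancerSourceRanges: ["10.0.0.0/8"]` (sample range) and asserts `equal: path: spec.loadBalancerSourceRanges value: ["10.0.0.0/8"]` would catch the field being dropped during the values restructuring; the values path follows the new values.yaml layout and should be confirmed against the template. The NodePort case also only checks `spec.type`; asserting `spec.ports[0].nodePort` with `controller.service.nodePorts.http` set would cover the node port mapping as well.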
--- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml 
@@ -0,0 +1,137 @@ +suite: Default Backend > Deployment +templates: + - default-backend-deployment.yaml + +tests: + - it: should not create a Deployment if `defaultBackend.enabled` is false + set: + defaultBackend.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a Deployment if `defaultBackend.enabled` is true + set: + defaultBackend.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Deployment + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should create a Deployment with 3 replicas if `defaultBackend.replicaCount` is 3 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 3 + asserts: + - equal: + path: spec.replicas + value: 3 + + - it: should create a Deployment without replicas if `defaultBackend.autoscaling.enabled` is true + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + asserts: + - notExists: + path: spec.replicas + + - it: should create a Deployment with resource limits if `defaultBackend.resources.limits` is set + set: + defaultBackend.enabled: true + defaultBackend.resources.limits.cpu: 500m + defaultBackend.resources.limits.memory: 512Mi + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 500m + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 512Mi + + - it: should create a Deployment with topology spread constraints if `defaultBackend.topologySpreadConstraints` is set + set: + defaultBackend.enabled: true + defaultBackend.topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: default-backend + topologyKey: topology.kubernetes.io/zone + maxSkew: 1 + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/name: '{{ include "ingress-nginx.name" . 
}}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: default-backend + topologyKey: kubernetes.io/hostname + maxSkew: 1 + whenUnsatisfiable: ScheduleAnyway + asserts: + - equal: + path: spec.template.spec.topologySpreadConstraints + value: + - labelSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: default-backend + topologyKey: topology.kubernetes.io/zone + maxSkew: 1 + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: default-backend + topologyKey: kubernetes.io/hostname + maxSkew: 1 + whenUnsatisfiable: ScheduleAnyway + + - it: should create a Deployment with affinity if `defaultBackend.affinity` is set + set: + defaultBackend.enabled: true + defaultBackend.affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - '{{ include "ingress-nginx.name" . }}' + - key: app.kubernetes.io/instance + operator: In + values: + - '{{ .Release.Name }}' + - key: app.kubernetes.io/component + operator: In + values: + - default-backend + topologyKey: kubernetes.io/hostname + asserts: + - equal: + path: spec.template.spec.affinity + value: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - ingress-nginx + - key: app.kubernetes.io/instance + operator: In + values: + - RELEASE-NAME + - key: app.kubernetes.io/component + operator: In + values: + - default-backend + topologyKey: kubernetes.io/hostname 
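Review bot: The positive cases assert replicas, resources, topology spread and affinity but nothing about the container itself, so a change that drops the default backend's `securityContext` or image would pass unnoticed. If the template renders a container security context (the other containers touched in this diff drop all capabilities and use a read-only root filesystem), add an assertion such as `- exists: path: spec.template.spec.containers[0].securityContext` to the enabled case. The exact fields worth pinning depend on the template, which is not part of this diff.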
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml index b18ceedf..aa600e74 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml @@ -1,19 +1,18 @@ -suite: test default backend extra ConfigMaps +suite: Default Backend > Extra ConfigMaps templates: - default-backend-extra-configmaps.yaml tests: - - it: should not create any ConfigMap by default + - it: should not create a ConfigMap if `defaultBackend.extraConfigMaps` is empty set: - Release.Namespace: default defaultBackend.enabled: true + defaultBackend.extraConfigMaps: [] asserts: - hasDocuments: count: 0 - - it: should create one ConfigMap + - it: should create one ConfigMap if `defaultBackend.extraConfigMaps` has one element set: - Release.Namespace: default defaultBackend.enabled: true defaultBackend.extraConfigMaps: - name: my-configmap-1 @@ -27,10 +26,12 @@ tests: - equal: path: metadata.name value: my-configmap-1 + - equal: + path: data.key1 + value: value1 - - it: should correctly render multiple ConfigMaps + - it: should create two ConfigMaps if `defaultBackend.extraConfigMaps` has two elements set: - Release.Namespace: nginx defaultBackend.enabled: true defaultBackend.extraConfigMaps: - name: my-configmap-1 @@ -46,4 +47,4 @@ tests: of: ConfigMap - matchRegex: path: metadata.name - pattern: "my-configmap-\\d+" + pattern: my-configmap-(1|2) diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-service_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-service_test.yaml new file mode 100644 index 00000000..f16904f9 --- /dev/null 
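Review bot: The replacement pattern `my-configmap-(1|2)` in the last hunk is unanchored, so `matchRegex` would also accept names such as `my-configmap-12` or `x-my-configmap-1`; the previous `my-configmap-\\d+` had the same weakness. `pattern: ^my-configmap-(1|2)$` pins the names exactly. This assumes helm-unittest applies the pattern as a search rather than a full match, which is the usual regexp behaviour and should be confirmed.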
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-service_test.yaml @@ -0,0 +1,32 @@ +suite: Default Backend > Service +templates: + - default-backend-service.yaml + +tests: + - it: should not create a Service if `defaultBackend.enabled` is false + set: + defaultBackend.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service if `defaultBackend.enabled` is true + set: + defaultBackend.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should create a Service with port 80 if `defaultBackend.service.port` is 80 + set: + defaultBackend.enabled: true + defaultBackend.service.port: 80 + asserts: + - equal: + path: spec.ports[0].port + value: 80 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml index c1e89d77..92735d2a 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml @@ -9,7 +9,6 @@ # -- Override the deployment namespace; defaults to .Release.Namespace namespaceOverride: "" - ## Labels to apply to all resources ## commonLabels: {} 
@@ -27,9 +26,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.9.4" - digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3 - digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26 + tag: "v1.11.1" + digest: sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a + digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d pullPolicy: IfNotPresent runAsNonRoot: true # www-data -> uid 101 @@ -46,7 +45,8 @@ controller: containerPort: http: 80 https: 443 - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. + # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ config: {} # -- Annotations to be added to the controller config configuration configmap. configAnnotations: {} @@ -84,6 +84,10 @@ controller: # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" # Defaults to false enableTopologyAwareRouting: false + # -- This configuration disable Nginx Controller Leader Election + disableLeaderElection: false + # -- Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) + electionTTL: "" # -- This configuration defines if Ingress Controller should allow users to set # their own *-snippet annotations, otherwise this is forbidden / dropped # when users add those annotations. 
@@ -109,21 +113,39 @@ controller: enabled: false # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' electionID: "" - ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + # -- This section refers to the creation of the IngressClass resource. + # IngressClasses are immutable and cannot be changed after creation. + # We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. ingressClassResource: - # -- Name of the ingressClass + # -- Name of the IngressClass name: nginx - # -- Is this ingressClass enabled or not + # -- Create the IngressClass or not enabled: true - # -- Is this the default ingressClass for the cluster + # -- If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. + # Ingress creation gets rejected if there are multiple default IngressClasses. + # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class default: false - # -- Controller-value of the controller that is processing this ingressClass - controllerValue: "k8s.io/ingress-nginx" - # -- Parameters is a link to a custom resource containing additional - # configuration for the controller. This is optional if the controller - # does not require extra parameters. + # -- Annotations to be added to the IngressClass resource. + annotations: {} + # -- Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. + # This value is also being set as the `--controller-class` argument of this Ingress Controller. + # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + controllerValue: k8s.io/ingress-nginx + # -- Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. 
+ # Useful for development environments with only one Ingress Controller but production-like Ingress resources. + # `default` gets enabled on the original IngressClass only. + aliases: [] + # aliases: + # - nginx-alias-1 + # - nginx-alias-2 + # -- A link to a custom resource containing additional configuration for the controller. + # This is optional if the controller consuming this IngressClass does not require additional parameters. + # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class parameters: {} + # parameters: + # apiGroup: k8s.example.com + # kind: IngressParameters + # name: external-lb # -- For backwards compatibility with ingress.class annotation, use ingressClass. # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation ingressClass: nginx @@ -140,7 +162,6 @@ controller: # "net.core.somaxconn": "8192" # -- Security context for controller containers containerSecurityContext: {} - # -- Allows customization of the source of the IP address or FQDN to report # in the ingress status field. By default, it reads the information provided # by the service. If disable, the status field reports the IP address of the @@ -239,11 +260,11 @@ controller: # - key: app.kubernetes.io/name # operator: In # values: - # - ingress-nginx + # - '{{ include "ingress-nginx.name" . }}' # - key: app.kubernetes.io/instance # operator: In # values: - # - ingress-nginx + # - '{{ .Release.Name }}' # - key: app.kubernetes.io/component # operator: In # values: 
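Review bot: The `aliases` comment says `default` is applied to the original IngressClass only, but `annotations` is documented as part of the settings copied to every alias, so a user who marks the class default through `ingressclass.kubernetes.io/is-default-class` in `annotations` instead of through `default` would end up with several default IngressClasses, and the `default` comment in the same hunk notes that this makes Ingress creation fail. If the template does copy annotations to aliases, add under `aliases`: `# Annotations from controller.ingressClassResource.annotations are copied to every alias; mark the default class via default, not via the annotation.` Whether the template copies annotations is inferred from the comment and should be confirmed.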
@@ -258,16 +279,16 @@ controller: # - key: app.kubernetes.io/name # operator: In # values: - # - ingress-nginx + # - '{{ include "ingress-nginx.name" . }}' # - key: app.kubernetes.io/instance # operator: In # values: - # - ingress-nginx + # - '{{ .Release.Name }}' # - key: app.kubernetes.io/component # operator: In # values: # - controller - # topologyKey: "kubernetes.io/hostname" + # topologyKey: kubernetes.io/hostname # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ 
@@ -445,102 +466,170 @@ controller: configMapName: "" configMapKey: "" service: + # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. enabled: true - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 - ## - appProtocol: true - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. + external: + # -- Enable the external controller service or not. Useful for internal-only deployments. + enabled: true + # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. annotations: {} + # -- Labels to be added to both controller services. labels: {} - # clusterIP: "" - - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips - ## + # -- Type of the external controller service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: LoadBalancer + # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIP: "" + # -- List of node IP addresses at which the external controller service is available. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] - # -- Set to false to disable loadbalancer node port allocation - # See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation - # allocateLoadBalancerNodePorts: true - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" + # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. loadBalancerSourceRanges: [] - # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class loadBalancerClass: "" - enableHttp: true - enableHttps: true - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" + # -- Enable node port allocation for the external controller service or not. 
Applies to type `LoadBalancer` only. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + # allocateLoadBalancerNodePorts: true - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: "" + # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". + # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity + sessionAffinity: "" + # -- Specifies the health check node port (numeric port number) for the external controller service. + # If not specified, the service controller allocates a port from your cluster's node port range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - # -- List of IP families (e.g. 
IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. + # Fields `ipFamilies` and `clusterIP` depend on the value of this field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: SingleStack + # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ipFamilies: - IPv4 + # -- Enable the HTTP listener on both controller services or not. + enableHttp: true + # -- Enable the HTTPS listener on both controller services or not. + enableHttps: true ports: + # -- Port the external HTTP listener is published with. http: 80 + # -- Port the external HTTPS listener is published with. https: 443 targetPorts: + # -- Port of the ingress controller the external HTTP listener is mapped to. http: http + # -- Port of the ingress controller the external HTTPS listener is mapped to. https: https - type: LoadBalancer - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 + # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + appProtocol: true nodePorts: + # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. 
http: "" + # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. https: "" + # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # tcp: + # 8080: 30080 tcp: {} + # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # udp: + # 53: 30053 udp: {} - external: - enabled: true internal: - # -- Enables an additional internal load balancer (besides the external one). + # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. + # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} - # -- Set to false to disable loadbalancer node port allocation - # See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation - # allocateLoadBalancerNodePorts: true - # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. + # -- Type of the internal controller service. + # Defaults to the value of `controller.service.type`. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: "" + # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIP: "" + # -- List of node IP addresses at which the internal controller service is available. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + externalIPs: [] + # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. loadBalancerSourceRanges: [] - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" + # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + # allocateLoadBalancerNodePorts: true - # -- Custom port mapping for internal service + # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: "" + # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". + # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity + sessionAffinity: "" + # -- Specifies the health check node port (numeric port number) for the internal controller service. + # If not specified, the service controller allocates a port from your cluster's node port range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. + # Fields `ipFamilies` and `clusterIP` depend on the value of this field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: SingleStack + # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilies: + - IPv4 ports: {} - # http: 80 - # https: 443 + # -- Port the internal HTTP listener is published with. + # Defaults to the value of `controller.service.ports.http`. + # http: 80 + # -- Port the internal HTTPS listener is published with. 
+ # Defaults to the value of `controller.service.ports.https`. + # https: 443 - # -- Custom target port mapping for internal service targetPorts: {} - # http: http - # https: https + # -- Port of the ingress controller the internal HTTP listener is mapped to. + # Defaults to the value of `controller.service.targetPorts.http`. + # http: http + # -- Port of the ingress controller the internal HTTPS listener is mapped to. + # Defaults to the value of `controller.service.targetPorts.https`. + # https: https + + # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + appProtocol: true + nodePorts: + # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. + http: "" + # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. + https: "" + # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # tcp: + # 8080: 30080 + tcp: {} + # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # udp: + # 53: 30053 + udp: {} # shareProcessNamespace enables process namespace sharing within the pod. # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. shareProcessNamespace: false 
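Review bot: The new comment on both `loadBalancerSourceRanges` keys, "Allows any source address by default", reads as if it governed all access to the service, but the field only restricts traffic arriving through the load balancer address; the `externalIPs` lists and the node ports declared in the same hunk are not covered by it. Suggest `# -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default; does not apply to externalIPs or node ports.` and the same wording for the internal service. Also, `ipFamilyPolicy` and `ipFamilies` on the internal service are hard defaults (`SingleStack`, `IPv4`) rather than falling back to the external values the way `type`, `ports` and `targetPorts` are documented to, which is inconsistent and should at least be stated in the comment.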
@@ -587,8 +676,15 @@ controller: # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] # - name: mytestmodule - # image: registry.k8s.io/ingress-nginx/mytestmodule - # distroless: false + # image: + # registry: registry.k8s.io + # image: ingress-nginx/mytestmodule + # ## for backwards compatibility consider setting the full image url via the repository value below + # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # ## repository: + # tag: "v1.0.0" + # digest: "" + # distroless: false # containerSecurityContext: # runAsNonRoot: true # runAsUser: @@ -608,8 +704,15 @@ controller: opentelemetry: enabled: false name: opentelemetry - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 - distroless: true + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v20230721-3e2062ee5" + digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 + distroless: true containerSecurityContext: runAsNonRoot: true # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. @@ -619,7 +722,7 @@ controller: type: RuntimeDefault capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true resources: {} admissionWebhooks: @@ -670,7 +773,7 @@ controller: type: RuntimeDefault capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true resources: {} # limits: @@ -690,7 +793,7 @@ controller: type: RuntimeDefault capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true resources: {} patch: 
@@ -701,8 +804,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20231011-8b53cabe0 - digest: sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80 + tag: v1.4.1 + digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -719,6 +822,18 @@ controller: labels: {} # -- Security context for secret creation & webhook patch pods securityContext: {} + # -- Admission webhook patch job RBAC + rbac: + # -- Create RBAC or not + create: true + # -- Admission webhook patch job service account + serviceAccount: + # -- Create a service account or not + create: true + # -- Custom service account name + name: "" + # -- Auto-mount service account token or not + automountServiceAccountToken: true # Use certmanager to generate webhook certs certManager: enabled: false @@ -758,6 +873,7 @@ controller: serviceMonitor: enabled: false additionalLabels: {} + annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" namespace: "" 
@@ -895,7 +1011,68 @@ defaultBackend: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Affinity and anti-affinity rules for server scheduling to nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - '{{ include "ingress-nginx.name" . }}' + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - '{{ .Release.Name }}' + # - key: app.kubernetes.io/component + # operator: In + # values: + # - default-backend + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - '{{ include "ingress-nginx.name" . }}' + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - '{{ .Release.Name }}' + # - key: app.kubernetes.io/component + # operator: In + # values: + # - default-backend + # topologyKey: kubernetes.io/hostname + + # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . 
}}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: default-backend + # topologyKey: topology.kubernetes.io/zone + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: default-backend + # topologyKey: kubernetes.io/hostname + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway # -- Security context for default backend pods podSecurityContext: {} # -- Security context for default backend containers @@ -931,21 +1108,21 @@ defaultBackend: ## Additional volumes to the default backend pod. # - name: copy-portal-skins # emptyDir: {} + extraConfigMaps: [] - ## Additional configmaps to the default backend pod. - # Example ConfigMap, uncomment and configure as needed - # - name: my-extra-configmap-1 - # labels: - # type: config-1 - # data: - # extra_file_1.html: | - # - # - name: my-extra-configmap-2 - # labels: - # type: config-2 - # data: - # extra_file_2.html: | - # + ## Additional configmaps to the default backend pod. + # - name: my-extra-configmap-1 + # labels: + # type: config-1 + # data: + # extra_file_1.html: | + # + # - name: my-extra-configmap-2 + # labels: + # type: config-2 + # data: + # extra_file_2.html: | + # autoscaling: annotations: {} 
@@ -996,13 +1173,13 @@ imagePullSecrets: [] ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md ## tcp: {} -# 8080: "default/example-tcp-svc:9000" +# "8080": "default/example-tcp-svc:9000" # -- UDP service key-value pairs ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md ## udp: {} -# 53: "kube-system/kube-dns:53" +# "53": "kube-system/kube-dns:53" # -- Prefix for TCP and UDP ports names in ingress controller service ## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index 16018ed0..f355dd48 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -5,8 +5,8 @@ ingress-nginx: image: registry: ghcr.io image: kvaps/ingress-nginx-with-protobuf-exporter/controller - tag: v1.8.1 - digest: "sha256:7933a0729c716a8bf879218451ff43ee9c1a8f4850feffb12f81eb9439aefc23" + tag: v1.11.1 + digest: sha256:76ca6d7898445140785091ff4a2b21df8c2b50fd1922fff6bd5118af75d33ab2 allowSnippetAnnotations: true replicaCount: 2 admissionWebhooks: @@ -16,7 +16,7 @@ ingress-nginx: enabled: true extraContainers: - name: protobuf-exporter - image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.8.1@sha256:9b6f3f2688592a0f25038bc15e107642d7374359cbd87442920df1c45f27fe4d + image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.1@sha256:82abdc9ab80b406dbeb8cd43fd8759b25c5ea77eb95f924bedc61453b9a3f693 args: - --server.telemetry-address=0.0.0.0:9090 - --server.exporter-address=0.0.0.0:9091 diff --git a/packages/system/kubeovn/images/kubeovn.json b/packages/system/kubeovn/images/kubeovn.json index 3c163b02..02e20ede 100644 --- a/packages/system/kubeovn/images/kubeovn.json +++ b/packages/system/kubeovn/images/kubeovn.json 
@@ -5,13 +5,13 @@ { "uri": "pkg:docker/kubeovn/kube-ovn-base@v1.13.0?platform=linux%2Famd64", "digest": { - "sha256": "b383903ab2427169bfd27ac49ec1f835e01be552dd391aae92a63d6a5d04f05d" + "sha256": "789041d6e02edaa9a28f9385e2175d47cecd564d163e7a0fb89d225de8ada2a2" } }, { "uri": "pkg:docker/golang@1.22-bookworm?platform=linux%2Famd64", "digest": { - "sha256": "6c2780255bb7b881e904e303be0d7a079054160b2ce1efde446693c0850a39ad" + "sha256": "800e361142daeb47b5e5bce2ede55be8d67159be75748cb31cbb48798ebec39d" } } ], @@ -35,7 +35,17 @@ } } }, - "buildx.build.ref": "amd64/amd64/59sogfe3191kwbdbmplhsarwj", - "containerimage.config.digest": "sha256:c60b915c03796938fee46e305997e540bd71f688f9f6b7c4b5846168501768fb", - "containerimage.digest": "sha256:731d2f079c6ef243731f2f7fd70f36b4da4c50626622b496241ecfe9f98913c0" + "buildx.build.ref": "mybuild/mybuild0/sgrxqzg8w1l4zxyi2tpcluk8p", + "containerimage.config.digest": "sha256:7bdcdea14eb90de0b87b53e79e1b1fbe35ead5be316a7b4f83859454cb5506af", + "containerimage.descriptor": { + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "digest": "sha256:89cac6416d9a8bae534d1f5276b0d0a399e873d6b919bb6a3ad780ecf71c8b81", + "size": 4621, + "platform": { + "architecture": "amd64", + "os": "linux" + } + }, + "containerimage.digest": "sha256:89cac6416d9a8bae534d1f5276b0d0a399e873d6b919bb6a3ad780ecf71c8b81", + "image.name": "ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0,ghcr.io/aenix-io/cozystack/kubeovn:v1.13.0-v0.10.0" } \ No newline at end of file diff --git a/packages/system/nats/Chart.yaml b/packages/system/nats/Chart.yaml new file mode 100644 index 00000000..25947dad --- /dev/null +++ b/packages/system/nats/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-nats +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/nats/Makefile b/packages/system/nats/Makefile new file mode 100644 index 00000000..738b387d --- /dev/null 
+++ b/packages/system/nats/Makefile
@@ -0,0 +1,5 @@
+update:
+ rm -rf charts
+ helm repo add nats https://nats-io.github.io/k8s/helm/charts/
+ helm repo update nats
+ helm pull nats/nats --untar --untardir charts
diff --git a/packages/system/nats/charts/nats/.helmignore b/packages/system/nats/charts/nats/.helmignore
new file mode 100644
index 00000000..240dfde2
--- /dev/null
+++ b/packages/system/nats/charts/nats/.helmignore
@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# template tests
+/test
diff --git a/packages/system/nats/charts/nats/Chart.yaml b/packages/system/nats/charts/nats/Chart.yaml
new file mode 100644
index 00000000..e59601a9
--- /dev/null
+++ b/packages/system/nats/charts/nats/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+appVersion: 2.10.17
+description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications
+ Technology.
+home: http://github.com/nats-io/k8s
+icon: https://nats.io/img/nats-icon-color.png
+keywords:
+- nats
+- messaging
+- cncf
+maintainers:
+- email: info@nats.io
+ name: The NATS Authors
+ url: https://github.com/nats-io
+name: nats
+version: 1.2.1
diff --git a/packages/system/nats/charts/nats/README.md b/packages/system/nats/charts/nats/README.md
new file mode 100644
index 00000000..0916999d
--- /dev/null
+++ b/packages/system/nats/charts/nats/README.md
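Review bot: The `helm pull nats/nats --untar --untardir charts` line in the `update` target has no `--version`, so every run vendors whatever the repository currently publishes as latest and the committed `charts/nats` (version 1.2.1 in the vendored Chart.yaml) cannot be reproduced from the Makefile. Pin the version the tree actually carries, `helm pull nats/nats --version 1.2.1 --untar --untardir charts`, and bump it deliberately when upgrading so the chart change shows up in review rather than as a side effect of `make update`. A `--verify`/provenance check would be a further hardening step if the upstream repo publishes signatures; that is not shown here, so treat it as a suggestion to confirm.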
@@ -0,0 +1,329 @@ +# NATS Server + +--- + +[NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. +NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). +NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. +NATS can secure and simplify design and operation of modern distributed systems. + +```shell +helm repo add nats https://nats-io.github.io/k8s/helm/charts/ +helm upgrade --install nats nats/nats +``` + +## Upgrade Nodes + +- **Upgrading from 0.x**: The `values.yaml` schema changed significantly from 0.x to 1.x. Read [UPGRADING.md](UPGRADING.md) for instructions on upgrading a 0.x release to 1.x. + +## Values + +There are a handful of explicitly defined options which are documented with comments in the [values.yaml](values.yaml) file. + +Everything in the NATS Config or Kubernetes Resources can be overridden by `merge` and `patch`, which is supported for the following values: + +| key | type | enabled by default | +|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------| +| `config` | [NATS Config](https://docs.nats.io/running-a-nats-service/configuration) | yes | +| `config.cluster` | [NATS Cluster](https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config) | no | +| `config.cluster.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.jetstream` | [NATS JetStream](https://docs.nats.io/running-a-nats-service/configuration#jetstream) | no | +| `config.jetstream.fileStore.pvc` | [k8s PVC](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core) | yes, when `config.jetstream` is 
enabled | +| `config.nats.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.leafnodes` | [NATS LeafNodes](https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf) | no | +| `config.leafnodes.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.websocket` | [NATS WebSocket](https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf) | no | +| `config.websocket.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.websocket.ingress` | [k8s Ingress](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io) | no | +| `config.mqtt` | [NATS MQTT](https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config) | no | +| `config.mqtt.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.gateway` | [NATS Gateway](https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block) | no | +| `config.gateway.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.resolver` | [NATS Resolver](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver) | no | +| `config.resolver.pvc` | [k8s PVC](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core) | yes, when `config.resolver` is enabled | +| `container` | nats [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `reloader` | config reloader [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `promExporter` | prometheus exporter [k8s 
Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | no | +| `promExporter.podMonitor` | [prometheus PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) | no | +| `service` | [k8s Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core) | yes | +| `statefulSet` | [k8s StatefulSet](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps) | yes | +| `podTemplate` | [k8s PodTemplate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core) | yes | +| `headlessService` | [k8s Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core) | yes | +| `configMap` | [k8s ConfigMap](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core) | yes | +| `natsBox.contexts.default` | [NATS Context](https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts) | yes | +| `natsBox.contexts.[name]` | [NATS Context](https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts) | no | +| `natsBox.container` | nats-box [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `natsBox.deployment` | [k8s Deployment](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps) | yes | +| `natsBox.podTemplate` | [k8s PodTemplate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core) | yes | +| `natsBox.contextsSecret` | [k8s Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core) | yes | +| `natsBox.contentsSecret` | [k8s Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core) | yes | + +### Merge + +Merging is performed using the Helm `merge` function. 
Example - add NATS accounts and container resources: + +```yaml +config: + merge: + accounts: + A: + users: + - {user: a, password: a} + B: + users: + - {user: b, password: b} +natsBox: + contexts: + a: + merge: {user: a, password: a} + b: + merge: {user: b, password: b} + defaultContextName: a +``` + +## Patch + +Patching is performed using [JSON Patch](https://jsonpatch.com/). Example - add additional route to end of route list: + +```yaml +config: + cluster: + enabled: true + patch: + - op: add + path: /routes/- + value: nats://demo.nats.io:6222 +``` + +## Common Configurations + +### JetStream Cluster on 3 separate hosts + +```yaml +config: + cluster: + enabled: true + replicas: 3 + jetstream: + enabled: true + fileStore: + pvc: + size: 10Gi + +podTemplate: + topologySpreadConstraints: + kubernetes.io/hostname: + maxSkew: 1 + whenUnsatisfiable: DoNotSchedule +``` + +### NATS Container Resources + +```yaml +container: + env: + # different from k8s units, suffix must be B, KiB, MiB, GiB, or TiB + # should be ~90% of memory limit + GOMEMLIMIT: 7GiB + merge: + # recommended limit is at least 2 CPU cores and 8Gi Memory for production JetStream clusters + resources: + requests: + cpu: "2" + memory: 8Gi + limits: + cpu: "2" + memory: 8Gi +``` + +### Specify Image Version + +```yaml +container: + image: + tag: x.y.z-alpine +``` + +### Operator Mode with NATS Resolver + +Run `nsc generate config --nats-resolver` and replace the `OPERATOR_JWT`, `SYS_ACCOUNT_ID`, and `SYS_ACCOUNT_JWT` with your values. +Make sure that you do not include the trailing `,` in the `SYS_ACCOUNT_JWT`. + +``` +config: + resolver: + enabled: true + merge: + type: full + interval: 2m + timeout: 1.9s + merge: + operator: OPERATOR_JWT + system_account: SYS_ACCOUNT_ID + resolver_preload: + SYS_ACCOUNT_ID: SYS_ACCOUNT_JWT +``` + + +## Accessing NATS + +The chart contains 2 services by default, `service` and `headlessService`. 
+ +### `service` + +The `service` is intended to be accessed by NATS Clients. It is a `ClusterIP` service by default, however it can easily be changed to a different service type. + +The `nats`, `websocket`, `leafnodes`, and `mqtt` ports will be exposed through this service by default if they are enabled. + +Example: change this service type to a `LoadBalancer`: + +```yaml +service: + merge: + spec: + type: LoadBalancer +``` + +### `headlessService` + +The `headlessService` is used for NATS Servers in the Stateful Set to discover one another. It is primarily intended to be used for Cluster Route connections. + +### TLS Considerations + +The TLS Certificate used for Client Connections should have a SAN covering DNS Name that clients access the `service` at. + +The TLS Certificate used for Cluster Route Connections should have a SAN covering the DNS Name that routes access each other on the `headlessService` at. This is `*.` by default. + +## Advanced Features + +### Templating Values + +Anything in `values.yaml` can be templated: + +- maps matching the following syntax will be templated and parsed as YAML: + ```yaml + $tplYaml: | + yaml template + ``` +- maps matching the follow syntax will be templated, parsed as YAML, and spread into the parent map/slice + ```yaml + $tplYamlSpread: | + yaml template + ``` + +Example - change service name: + +```yaml +service: + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-svc +``` + +### NATS Config Units and Variables + +NATS configuration extends JSON, and can represent Units and Variables. They must be wrapped in `<< >>` in order to template correctly. Example: + +```yaml +config: + merge: + authorization: + # variable + token: << $TOKEN >> + # units + max_payload: << 2MB >> +``` + +templates to the `nats.conf`: + +``` +{ + "authorization": { + "token": $TOKEN + }, + "max_payload": 2MB, + "port": 4222, + ... 
+} +``` + +### NATS Config Includes + +Any NATS Config key ending in `$include` will be replaced with an include directive. Included files should be in paths relative to `/etc/nats-config`. Multiple `$include` keys are supported by using a prefix, and will be sorted alphabetically. Example: + +```yaml +config: + merge: + 00$include: auth.conf + 01$include: params.conf +configMap: + merge: + data: + auth.conf: | + accounts: { + A: { + users: [ + {user: a, password: a} + ] + }, + B: { + users: [ + {user: b, password: b} + ] + }, + } + params.conf: | + max_payload: 2MB +``` + +templates to the `nats.conf`: + +``` +include auth.conf; +"port": 4222, +... +include params.conf; +``` + +### Extra Resources + +Enables adding additional arbitrary resources. Example - expose WebSocket via VirtualService in Istio: + +```yaml +config: + websocket: + enabled: true +extraResources: +- apiVersion: networking.istio.io/v1beta1 + kind: VirtualService + metadata: + namespace: + $tplYamlSpread: > + {{ include "nats.metadataNamespace" $ }} + name: + $tplYaml: > + {{ include "nats.fullname" $ | quote }} + labels: + $tplYaml: | + {{ include "nats.labels" $ }} + spec: + hosts: + - demo.nats.io + gateways: + - my-gateway + http: + - name: default + match: + - name: root + uri: + exact: / + route: + - destination: + host: + $tplYaml: > + {{ .Values.service.name | quote }} + port: + number: + $tplYaml: > + {{ .Values.config.websocket.port }} +``` diff --git a/packages/system/nats/charts/nats/UPGRADING.md b/packages/system/nats/charts/nats/UPGRADING.md new file mode 100644 index 00000000..9cc17799 --- /dev/null +++ b/packages/system/nats/charts/nats/UPGRADING.md 
@@ -0,0 +1,155 @@ +# Upgrading from 0.x to 1.x + +Instructions for upgrading an existing `nats` 0.x release to 1.x. + +## Rename Immutable Fields + +There are a number of immutable fields in the NATS Stateful Set and NATS Box deployment. All 1.x `values.yaml` files targeting an existing 0.x release will require some or all of these settings: + +```yaml +config: + # required if using JetStream file storage + jetstream: + # uncomment the next line if using JetStream file storage + # enabled: true + fileStore: + pvc: + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-js-pvc + # set other PVC options here to make it match 0.x, refer to values.yaml for schema + + # required if using a full or cache resolver + resolver: + # uncomment the next line if using a full or cache resolver + # enabled: true + pvc: + name: nats-jwt-pvc + # set other PVC options here to make it match 0.x, refer to values.yaml for schema + +# required +statefulSet: + patch: + - op: remove + path: /spec/selector/matchLabels/app.kubernetes.io~1component + - $tplYamlSpread: |- + {{- if and + .Values.config.jetstream.enabled + .Values.config.jetstream.fileStore.enabled + .Values.config.jetstream.fileStore.pvc.enabled + .Values.config.resolver.enabled + .Values.config.resolver.pvc.enabled + }} + - op: move + from: /spec/volumeClaimTemplates/0 + path: /spec/volumeClaimTemplates/1 + {{- else}} + [] + {{- end }} + +# required +headlessService: + name: + $tplYaml: >- + {{ include "nats.fullname" . }} + +# required unless 0.x values explicitly set nats.serviceAccount.create=false +serviceAccount: + enabled: true + +# required to use new ClusterIP service for Clients accessing NATS +# if using TLS, this may require adding another SAN +service: + # uncomment the next line to disable the new ClusterIP service + # enabled: false + name: + $tplYaml: >- + {{ include "nats.fullname" . 
}}-svc + +# required if using NatsBox +natsBox: + deployment: + patch: + - op: replace + path: /spec/selector/matchLabels + value: + app: nats-box + - op: add + path: /spec/template/metadata/labels/app + value: nats-box +``` + +## Update NATS Config to new values.yaml schema + +Most values that control the NATS Config have changed and moved under the `config` key. Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema. + +After migrating to the new values schema, ensure that changes you expect in the NATS Config files match by templating the old and new config files. + +Template your old 0.x Config Map, this example uses a file called `values-old.yaml`: + +```sh +helm template \ + --version "0.x" \ + -f values-old.yaml \ + -s templates/configmap.yaml \ + nats \ + nats/nats +``` + +Template your new 1.x Config Map, this example uses a file called `values.yaml`: + +```sh +helm template \ + --version "^1-beta" \ + -f values.yaml \ + -s templates/config-map.yaml \ + nats \ + nats/nats +``` + +## Update Kubernetes Resources to new values.yaml schema + +Most values that control Kubernetes Resources have been changed. Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema. + +After migrating to the new values schema, ensure that changes you expect in resources match by templating the old and new resources. 
+ +| Resource | 0.x Template File | 1.x Template File | +|-------------------------|---------------------------------|-------------------------------------------| +| Config Map | `templates/configmap.yaml` | `templates/config-map.yaml` | +| Stateful Set | `templates/statefulset.yaml` | `templates/stateful-set.yaml` | +| Headless Service | `templates/service.yaml` | `templates/headless-service.yaml` | +| ClusterIP Service | N/A | `templates/service.yaml` | +| Network Policy | `templates/networkpolicy.yaml` | N/A | +| Pod Disruption Budget | `templates/pdb.yaml` | `templates/pod-disruption-budget.yaml` | +| Service Account | `templates/rbac.yaml` | `templates/service-account.yaml` | +| Resource | `templates/` | `templates/` | +| Resource | `templates/` | `templates/` | +| Prometheus Monitor | `templates/serviceMonitor.yaml` | `templates/pod-monitor.yaml` | +| NatsBox Deployment | `templates/nats-box.yaml` | `templates/nats-box/deployment.yaml` | +| NatsBox Service Account | N/A | `templates/nats-box/service-account.yaml` | +| NatsBox Contents Secret | N/A | `templates/nats-box/contents-secret.yaml` | +| NatsBox Contexts Secret | N/A | `templates/nats-box/contexts-secret.yaml` | + +For example, to check that the Stateful Set matches: + +Template your old 0.x Stateful Set, this example uses a file called `values-old.yaml`: + +```sh +helm template \ + --version "0.x" \ + -f values-old.yaml \ + -s templates/statefulset.yaml \ + nats \ + nats/nats +``` + +Template your new 1.x Stateful Set, this example uses a file called `values.yaml`: + +```sh +helm template \ + --version "^1-beta" \ + -f values.yaml \ + -s templates/stateful-set.yaml \ + nats \ + nats/nats +``` diff --git a/packages/system/nats/charts/nats/files/config-map.yaml b/packages/system/nats/charts/nats/files/config-map.yaml new file mode 100644 index 00000000..89ee3c28 --- /dev/null +++ b/packages/system/nats/charts/nats/files/config-map.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.configMap.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +data: + nats.conf: | + {{- include "nats.formatConfig" .config | nindent 4 }} diff --git a/packages/system/nats/charts/nats/files/config/cluster.yaml b/packages/system/nats/charts/nats/files/config/cluster.yaml new file mode 100644 index 00000000..719cb8ad --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/cluster.yaml @@ -0,0 +1,32 @@ +{{- with .Values.config.cluster }} +name: {{ $.Values.statefulSet.name }} +port: {{ .port }} +no_advertise: true +routes: +{{- $proto := ternary "tls" "nats" .tls.enabled }} +{{- $auth := "" }} +{{- if and .routeURLs.user .routeURLs.password }} + {{- $auth = printf "%s:%s@" (urlquery .routeURLs.user) (urlquery .routeURLs.password) -}} +{{- end }} +{{- $domain := $.Values.headlessService.name }} +{{- if .routeURLs.useFQDN }} + {{- $domain = printf "%s.%s.svc.%s" $domain (include "nats.namespace" $) .routeURLs.k8sClusterDomain }} +{{- end }} +{{- $port := (int .port) }} +{{- range $i, $_ := until (int .replicas) }} +- {{ printf "%s://%s%s-%d.%s:%d" $proto $auth $.Values.statefulSet.name $i $domain $port }} +{{- end }} + +{{- if and .routeURLs.user .routeURLs.password }} +authorization: + user: {{ .routeURLs.user | quote }} + password: {{ .routeURLs.password | quote }} +{{- end }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/config/config.yaml b/packages/system/nats/charts/nats/files/config/config.yaml new file mode 100644 index 00000000..92fd96f1 --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/config.yaml 
@@ -0,0 +1,114 @@ +{{- with .Values.config }} + +server_name: << $SERVER_NAME >> +lame_duck_grace_period: 10s +lame_duck_duration: 30s +pid_file: /var/run/nats/nats.pid + +######################################## +# NATS +######################################## +{{- with .nats }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} + +######################################## +# leafnodes +######################################## +{{- with .leafnodes }} +{{- if .enabled }} +leafnodes: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/leafnodes.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# websocket +######################################## +{{- with .websocket }} +{{- if .enabled }} +websocket: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/websocket.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# MQTT +######################################## +{{- with .mqtt }} +{{- if .enabled }} +mqtt: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/mqtt.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# cluster +######################################## +{{- with .cluster }} +{{- if .enabled }} +cluster: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/cluster.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# gateway +######################################## +{{- with .gateway }} +{{- if .enabled }} +gateway: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/gateway.yaml" "ctx" $) .) 
| nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# monitor +######################################## +{{- with .monitor }} +{{- if .enabled }} +{{- if .tls.enabled }} +https_port: {{ .port }} +{{- else }} +http_port: {{ .port }} +{{- end }} +{{- end }} +{{- end }} + +######################################## +# profiling +######################################## +{{- with .profiling }} +{{- if .enabled }} +prof_port: {{ .port }} +{{- end }} +{{- end }} + +######################################## +# jetstream +######################################## +{{- with $.Values.config.jetstream -}} +{{- if .enabled }} +jetstream: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/jetstream.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# resolver +######################################## +{{- with $.Values.config.resolver -}} +{{- if .enabled }} +resolver: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/resolver.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/packages/system/nats/charts/nats/files/config/gateway.yaml b/packages/system/nats/charts/nats/files/config/gateway.yaml new file mode 100644 index 00000000..32d4ed9f --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/gateway.yaml @@ -0,0 +1,11 @@ +{{- with .Values.config.gateway }} +name: {{ $.Values.statefulSet.name }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/config/jetstream.yaml b/packages/system/nats/charts/nats/files/config/jetstream.yaml new file mode 100644 index 00000000..17262f64 --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/jetstream.yaml 
@@ -0,0 +1,23 @@ +{{- with .Values.config.jetstream }} +{{- with .memoryStore }} +{{- if .enabled }} +{{- with .maxSize }} +max_memory_store: << {{ . }} >> +{{- end }} +{{- else }} +max_memory_store: 0 +{{- end }} +{{- end }} +{{- with .fileStore }} +{{- if .enabled }} +store_dir: {{ .dir }} +{{- if .maxSize }} +max_file_store: << {{ .maxSize }} >> +{{- else if .pvc.enabled }} +max_file_store: << {{ .pvc.size }} >> +{{- end }} +{{- else }} +max_file_store: 0 +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/config/leafnodes.yaml b/packages/system/nats/charts/nats/files/config/leafnodes.yaml new file mode 100644 index 00000000..3a1d9a14 --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/leafnodes.yaml @@ -0,0 +1,11 @@ +{{- with .Values.config.leafnodes }} +port: {{ .port }} +no_advertise: true + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/config/mqtt.yaml b/packages/system/nats/charts/nats/files/config/mqtt.yaml new file mode 100644 index 00000000..e25d8a3e --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/mqtt.yaml @@ -0,0 +1,10 @@ +{{- with .Values.config.mqtt }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/config/protocol.yaml b/packages/system/nats/charts/nats/files/config/protocol.yaml new file mode 100644 index 00000000..288c80d7 --- /dev/null +++ b/packages/system/nats/charts/nats/files/config/protocol.yaml 
@@ -0,0 +1,10 @@
+{{- with .protocol }}
+port: {{ .port }}
+
+{{- with .tls }}
+{{- if .enabled }}
+tls:
+ {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/files/config/resolver.yaml b/packages/system/nats/charts/nats/files/config/resolver.yaml
new file mode 100644
index 00000000..a6761c40
--- /dev/null
+++ b/packages/system/nats/charts/nats/files/config/resolver.yaml
@@ -0,0 +1,3 @@
+{{- with .Values.config.resolver }}
+dir: {{ .dir }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/files/config/tls.yaml b/packages/system/nats/charts/nats/files/config/tls.yaml
new file mode 100644
index 00000000..26aee015
--- /dev/null
+++ b/packages/system/nats/charts/nats/files/config/tls.yaml
@@ -0,0 +1,16 @@
+# tls
+{{- with .tls }}
+{{- if .secretName }}
+{{- $dir := trimSuffix "/" .dir }}
+cert_file: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }}
+key_file: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }}
+{{- end }}
+{{- end }}
+
+# tlsCA
+{{- with $.Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+{{- $dir := trimSuffix "/" .dir }}
+ca_file: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/files/config/websocket.yaml b/packages/system/nats/charts/nats/files/config/websocket.yaml
new file mode 100644
index 00000000..afcd178a
--- /dev/null
+++ b/packages/system/nats/charts/nats/files/config/websocket.yaml
@@ -0,0 +1,12 @@
+{{- with .Values.config.websocket }}
+port: {{ .port }}
+
+{{- if .tls.enabled }}
+{{- with .tls }}
+tls:
+ {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }}
+{{- end }}
+{{- else }}
+no_tls: true
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/files/headless-service.yaml b/packages/system/nats/charts/nats/files/headless-service.yaml new file mode 100644 index 00000000..da6552b3 --- /dev/null +++ b/packages/system/nats/charts/nats/files/headless-service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.headlessService.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + {{- include "nats.selectorLabels" $ | nindent 4 }} + clusterIP: None + publishNotReadyAddresses: true + ports: + {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- if or (eq $protocol "nats") $configProtocol.enabled }} + {{- $tlsEnabled := false }} + {{- if hasKey $configProtocol "tls" }} + {{- $tlsEnabled = $configProtocol.tls.enabled }} + {{- end }} + {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }} + - {{ dict "name" $protocol "port" $configProtocol.port "targetPort" $protocol "appProtocol" $appProtocol | toYaml | nindent 4 }} + {{- end }} + {{- end }} diff --git a/packages/system/nats/charts/nats/files/ingress.yaml b/packages/system/nats/charts/nats/files/ingress.yaml new file mode 100644 index 00000000..b59f0fa5 --- /dev/null +++ b/packages/system/nats/charts/nats/files/ingress.yaml 
@@ -0,0 +1,34 @@ +{{- with .Values.config.websocket.ingress }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + {{- with .className }} + ingressClassName: {{ . | quote }} + {{- end }} + rules: + {{- $path := .path }} + {{- $pathType := .pathType }} + {{- range .hosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $path | quote }} + pathType: {{ $pathType | quote }} + backend: + service: + name: {{ $.Values.service.name }} + port: + name: websocket + {{- end }} + {{- if .tlsSecretName }} + tls: + - secretName: {{ .tlsSecretName | quote }} + hosts: + {{- toYaml .hosts | nindent 4 }} + {{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/nats-box/contents-secret.yaml b/packages/system/nats/charts/nats/files/nats-box/contents-secret.yaml new file mode 100644 index 00000000..6e8fdb26 --- /dev/null +++ b/packages/system/nats/charts/nats/files/nats-box/contents-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.contentsSecret.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +type: Opaque +stringData: + {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + {{- range $secretKey, $secretVal := dict "creds" "creds" "nkey" "nk" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if and $secret $secret.contents }} + "{{ $ctxKey }}.{{ $secretVal }}": {{ $secret.contents | quote }} + {{- end }} + {{- end }} + {{- end }} diff --git a/packages/system/nats/charts/nats/files/nats-box/contexts-secret/context.yaml b/packages/system/nats/charts/nats/files/nats-box/contexts-secret/context.yaml new file mode 100644 index 00000000..54480eac --- /dev/null +++ b/packages/system/nats/charts/nats/files/nats-box/contexts-secret/context.yaml 
@@ -0,0 +1,51 @@ +{{- $contextName := .contextName }} + +# url +{{- if .Values.service.enabled }} +url: nats://{{ .Values.service.name }} +{{- else }} +url: nats://{{ .Values.headlessService.name }} +{{- end }} + +{{- with .context }} + +# creds +{{- with .creds}} +{{- if .contents }} +creds: /etc/nats-contents/{{ $contextName }}.creds +{{- else if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +creds: {{ printf "%s/%s" $dir (.key | default "nats.creds") | quote }} +{{- end }} +{{- end }} + +# nkey +{{- with .nkey}} +{{- if .contents }} +nkey: /etc/nats-contents/{{ $contextName }}.nk +{{- else if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +nkey: {{ printf "%s/%s" $dir (.key | default "nats.nk") | quote }} +{{- end }} +{{- end }} + +# tls +{{- with .tls }} +{{- if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +cert: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }} +key: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }} +{{- end }} +{{- end }} + +# tlsCA +{{- if $.Values.config.nats.tls.enabled }} +{{- with $.Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +{{- $dir := trimSuffix "/" .dir }} +ca: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/packages/system/nats/charts/nats/files/nats-box/contexts-secret/contexts-secret.yaml b/packages/system/nats/charts/nats/files/nats-box/contexts-secret/contexts-secret.yaml new file mode 100644 index 00000000..0ce8d1d8 --- /dev/null +++ b/packages/system/nats/charts/nats/files/nats-box/contexts-secret/contexts-secret.yaml 
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ {{- include "nats.metadataNamespace" $ | nindent 2 }}
+ name: {{ .Values.natsBox.contextsSecret.name }}
+ labels:
+ {{- include "natsBox.labels" $ | nindent 4 }}
+type: Opaque
+stringData:
+{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }}
+ "{{ $ctxKey }}.json": |
+ {{- include "toPrettyRawJson" (include "nats.loadMergePatch" (dict "file" "nats-box/contexts-secret/context.yaml" "merge" (.merge | default dict) "patch" (.patch | default list) "ctx" (merge (dict "contextName" $ctxKey "context" $ctxVal) $)) | fromYaml) | nindent 4 }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/files/nats-box/deployment/container.yaml b/packages/system/nats/charts/nats/files/nats-box/deployment/container.yaml
new file mode 100644
index 00000000..aa1753b4
--- /dev/null
+++ b/packages/system/nats/charts/nats/files/nats-box/deployment/container.yaml
@@ -0,0 +1,46 @@ +name: nats-box +{{ include "nats.image" (merge (pick $.Values "global") .Values.natsBox.container.image) }} + +{{- with .Values.natsBox.container.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +command: +- sh +- -ec +- | + work_dir="$(pwd)" + mkdir -p "$XDG_CONFIG_HOME/nats" + cd "$XDG_CONFIG_HOME/nats" + if ! [ -s context ]; then + ln -s /etc/nats-contexts context + fi + {{- if .Values.natsBox.defaultContextName }} + if ! [ -f context.txt ]; then + echo -n {{ .Values.natsBox.defaultContextName | quote }} > context.txt + fi + {{- end }} + cd "$work_dir" + exec /entrypoint.sh "$@" +- -- +args: +- sh +- -ec +- trap true INT TERM; sleep infinity & wait +volumeMounts: +# contexts secret +- name: contexts + mountPath: /etc/nats-contexts +# contents secret +{{- if .hasContentsSecret }} +- name: contents + mountPath: /etc/nats-contents +{{- end }} +# tlsCA +{{- include "nats.tlsCAVolumeMount" $ }} +# secrets +{{- range (include "natsBox.secretNames" $ | fromJson).secretNames }} +- name: {{ .name | quote }} + mountPath: {{ .dir | quote }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/nats-box/deployment/deployment.yaml b/packages/system/nats/charts/nats/files/nats-box/deployment/deployment.yaml new file mode 100644 index 00000000..bf39dd8d --- /dev/null +++ b/packages/system/nats/charts/nats/files/nats-box/deployment/deployment.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.deployment.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "natsBox.selectorLabels" $ | nindent 6 }} + replicas: 1 + template: + {{- with .Values.natsBox.podTemplate }} + {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} 
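Review bot: `echo -n {{ .Values.natsBox.defaultContextName | quote }} > context.txt` splices a Helm value into an `sh -ec` script using `quote`, which produces double quotes that the shell still expands (`$`, backticks, backslash), so a context name containing any of those characters breaks or alters the start-up script; `squote` would make the value a literal shell string. The value is operator-supplied, so this is a robustness point rather than a trust-boundary one, but the same caution applies to anything else spliced into this `command:` block in future.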
diff --git a/packages/system/nats/charts/nats/files/nats-box/deployment/pod-template.yaml b/packages/system/nats/charts/nats/files/nats-box/deployment/pod-template.yaml new file mode 100644 index 00000000..71056bfb --- /dev/null +++ b/packages/system/nats/charts/nats/files/nats-box/deployment/pod-template.yaml @@ -0,0 +1,44 @@ +metadata: + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +spec: + containers: + {{- with .Values.natsBox.container }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/container.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + + # service discovery uses DNS; don't need service env vars + enableServiceLinks: false + + {{- with .Values.global.image.pullSecretNames }} + imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} + {{- end }} + + {{- with .Values.natsBox.serviceAccount }} + {{- if .enabled }} + serviceAccountName: {{ .name | quote }} + {{- end }} + {{- end }} + + volumes: + # contexts secret + - name: contexts + secret: + secretName: {{ .Values.natsBox.contextsSecret.name }} + # contents secret + {{- if .hasContentsSecret }} + - name: contents + secret: + secretName: {{ .Values.natsBox.contentsSecret.name }} + {{- end }} + # tlsCA + {{- include "nats.tlsCAVolume" $ | nindent 2 }} + # secrets + {{- range (include "natsBox.secretNames" $ | fromJson).secretNames }} + - name: {{ .name | quote }} + secret: + secretName: {{ .secretName | quote }} + {{- end }} diff --git a/packages/system/nats/charts/nats/files/nats-box/service-account.yaml b/packages/system/nats/charts/nats/files/nats-box/service-account.yaml new file mode 100644 index 00000000..c31e52f1 --- /dev/null +++ b/packages/system/nats/charts/nats/files/nats-box/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.serviceAccount.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} 
diff --git a/packages/system/nats/charts/nats/files/pod-disruption-budget.yaml b/packages/system/nats/charts/nats/files/pod-disruption-budget.yaml new file mode 100644 index 00000000..fd1fdead --- /dev/null +++ b/packages/system/nats/charts/nats/files/pod-disruption-budget.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.podDisruptionBudget.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} diff --git a/packages/system/nats/charts/nats/files/pod-monitor.yaml b/packages/system/nats/charts/nats/files/pod-monitor.yaml new file mode 100644 index 00000000..c6c8eae0 --- /dev/null +++ b/packages/system/nats/charts/nats/files/pod-monitor.yaml @@ -0,0 +1,13 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.promExporter.podMonitor.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} + podMetricsEndpoints: + - port: prom-metrics diff --git a/packages/system/nats/charts/nats/files/service-account.yaml b/packages/system/nats/charts/nats/files/service-account.yaml new file mode 100644 index 00000000..22c18cc7 --- /dev/null +++ b/packages/system/nats/charts/nats/files/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.serviceAccount.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} diff --git a/packages/system/nats/charts/nats/files/service.yaml b/packages/system/nats/charts/nats/files/service.yaml new file mode 100644 index 00000000..db08fe5b --- /dev/null +++ b/packages/system/nats/charts/nats/files/service.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.service.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + {{- include "nats.selectorLabels" $ | nindent 4 }} + ports: + {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- $servicePort := get $.Values.service.ports $protocol }} + {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $servicePort.enabled }} + {{- $tlsEnabled := false }} + {{- if hasKey $configProtocol "tls" }} + {{- $tlsEnabled = $configProtocol.tls.enabled }} + {{- end }} + {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }} + - {{ merge (dict "name" $protocol "targetPort" $protocol "appProtocol" $appProtocol) (omit $servicePort "enabled") (dict "port" $configProtocol.port) | toYaml | nindent 4 }} + {{- end }} + {{- end }} diff --git a/packages/system/nats/charts/nats/files/stateful-set/jetstream-pvc.yaml b/packages/system/nats/charts/nats/files/stateful-set/jetstream-pvc.yaml new file mode 100644 index 00000000..a43f2005 --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/jetstream-pvc.yaml @@ -0,0 +1,13 @@ +{{- with .Values.config.jetstream.fileStore.pvc }} +metadata: + name: {{ .name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .size | quote }} + {{- with .storageClassName }} + storageClassName: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/stateful-set/nats-container.yaml b/packages/system/nats/charts/nats/files/stateful-set/nats-container.yaml new file mode 100644 index 00000000..c5402efe --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/nats-container.yaml 
@@ -0,0 +1,106 @@ +name: nats +{{ include "nats.image" (merge (pick $.Values "global") .Values.container.image) }} + +ports: +{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} +{{- $configProtocol := get $.Values.config $protocol }} +{{- $containerPort := get $.Values.container.ports $protocol }} +{{- if or (eq $protocol "nats") $configProtocol.enabled }} +- {{ merge (dict "name" $protocol "containerPort" $configProtocol.port) $containerPort | toYaml | nindent 2 }} +{{- end }} +{{- end }} + +args: +- --config +- /etc/nats-config/nats.conf + +env: +- name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: SERVER_NAME + value: {{ printf "%s$(POD_NAME)" .Values.config.serverNamePrefix | quote }} +{{- with .Values.container.env }} +{{- include "nats.env" . }} +{{- end }} + +lifecycle: + preStop: + exec: + # send the lame duck shutdown signal to trigger a graceful shutdown + command: + - nats-server + - -sl=ldm=/var/run/nats/nats.pid + +{{- with .Values.config.monitor }} +{{- if .enabled }} +startupProbe: + httpGet: + path: /healthz + port: monitor + {{- if .tls.enabled }} + scheme: HTTPS + {{- end}} + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 90 +readinessProbe: + httpGet: + path: /healthz?js-server-only=true + port: monitor + {{- if .tls.enabled }} + scheme: HTTPS + {{- end}} + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 +livenessProbe: + httpGet: + path: /healthz?js-enabled-only=true + port: monitor + {{- if .tls.enabled }} + scheme: HTTPS + {{- end}} + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 30 + successThreshold: 1 + failureThreshold: 3 +{{- end }} +{{- end }} + +volumeMounts: +# nats config +- name: config + mountPath: /etc/nats-config +# PID volume +- name: pid + mountPath: /var/run/nats +# JetStream PVC +{{- with 
.Values.config.jetstream }} +{{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }} +{{- with .fileStore }} +- name: {{ .pvc.name }} + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +{{- end }} +# resolver PVC +{{- with .Values.config.resolver }} +{{- if and .enabled .pvc.enabled }} +- name: {{ .pvc.name }} + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +# tlsCA +{{- include "nats.tlsCAVolumeMount" $ }} +# secrets +{{- range (include "nats.secretNames" $ | fromJson).secretNames }} +- name: {{ .name | quote }} + mountPath: {{ .dir | quote }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/stateful-set/pod-template.yaml b/packages/system/nats/charts/nats/files/stateful-set/pod-template.yaml new file mode 100644 index 00000000..bb1d8d7b --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/pod-template.yaml 
@@ -0,0 +1,71 @@ +metadata: + labels: + {{- include "nats.labels" $ | nindent 4 }} + annotations: + {{- if .Values.podTemplate.configChecksumAnnotation }} + {{- $configMap := include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) $.Values.configMap) }} + checksum/config: {{ sha256sum $configMap }} + {{- end }} +spec: + containers: + # nats + {{- $nats := dict }} + {{- with .Values.container }} + {{- $nats = include "nats.loadMergePatch" (merge (dict "file" "stateful-set/nats-container.yaml" "ctx" $) .) | fromYaml }} + - {{ toYaml $nats | nindent 4 }} + {{- end }} + # reloader + {{- with .Values.reloader }} + {{- if .enabled }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/reloader-container.yaml" "ctx" (merge (dict "natsVolumeMounts" $nats.volumeMounts) $)) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- with .Values.promExporter }} + {{- if .enabled }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/prom-exporter-container.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + + # service discovery uses DNS; don't need service env vars + enableServiceLinks: false + + {{- with .Values.global.image.pullSecretNames }} + imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} + {{- end }} + + {{- with .Values.serviceAccount }} + {{- if .enabled }} + serviceAccountName: {{ .name | quote }} + {{- end }} + {{- end }} + + {{- if .Values.reloader.enabled }} + shareProcessNamespace: true + {{- end }} + + volumes: + # nats config + - name: config + configMap: + name: {{ .Values.configMap.name }} + # PID volume + - name: pid + emptyDir: {} + # tlsCA + {{- include "nats.tlsCAVolume" $ | nindent 2 }} + # secrets + {{- range (include "nats.secretNames" $ | fromJson).secretNames }} + - name: {{ .name | quote }} + secret: + secretName: {{ .secretName | quote }} + {{- end }} + + {{- with .Values.podTemplate.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $k, $v := . 
}} + - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }} + {{- end }} + {{- end}} diff --git a/packages/system/nats/charts/nats/files/stateful-set/prom-exporter-container.yaml b/packages/system/nats/charts/nats/files/stateful-set/prom-exporter-container.yaml new file mode 100644 index 00000000..c3e1b6fb --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/prom-exporter-container.yaml @@ -0,0 +1,30 @@ +name: prom-exporter +{{ include "nats.image" (merge (pick $.Values "global") .Values.promExporter.image) }} + +ports: +- name: prom-metrics + containerPort: {{ .Values.promExporter.port }} + +{{- with .Values.promExporter.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +args: +- -port={{ .Values.promExporter.port }} +- -connz +- -routez +- -subz +- -varz +- -prefix=nats +- -use_internal_server_id +{{- if .Values.config.jetstream.enabled }} +- -jsz=all +{{- end }} +{{- if .Values.config.leafnodes.enabled }} +- -leafz +{{- end }} +{{- if .Values.config.gateway.enabled }} +- -gatewayz +{{- end }} +- http://localhost:{{ .Values.config.monitor.port }}/ diff --git a/packages/system/nats/charts/nats/files/stateful-set/reloader-container.yaml b/packages/system/nats/charts/nats/files/stateful-set/reloader-container.yaml new file mode 100644 index 00000000..96722045 --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/reloader-container.yaml 
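Review bot: `shareProcessNamespace: true` is set whenever `reloader.enabled` with no comment explaining why, and it widens the pod's blast radius — every container in the pod, including the prom-exporter sidecar added in the same hunk, can then see and signal the others' processes and read their `/proc` entries. It is presumably required so the reloader can signal the nats-server process by the PID it reads from `/var/run/nats/nats.pid` (the reloader-container hunk that follows passes `-pid /var/run/nats/nats.pid`); a comment such as `# reloader signals nats-server by PID read from /var/run/nats/nats.pid; needs a shared PID namespace` above the line would record that dependency and make the sidecar set reviewable. Separately, `checksum/config` is a SHA-256 of the fully rendered ConfigMap, which can include route credentials; that is acceptable for a rollout trigger, but it belongs in the same design note as the decision to keep `nats.conf` in a ConfigMap. The stateful-set pod-template hunk begins on the previous physical line.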
@@ -0,0 +1,27 @@ +name: reloader +{{ include "nats.image" (merge (pick $.Values "global") .Values.reloader.image) }} + +{{- with .Values.reloader.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +args: +- -pid +- /var/run/nats/nats.pid +- -config +- /etc/nats-config/nats.conf +{{ include "nats.reloaderConfig" (dict "config" .config "dir" "/etc/nats-config") }} + +volumeMounts: +- name: pid + mountPath: /var/run/nats +{{- range $mnt := .natsVolumeMounts }} +{{- $found := false }} +{{- range $.Values.reloader.natsVolumeMountPrefixes }} +{{- if and (not $found) (hasPrefix . $mnt.mountPath) }} +{{- $found = true }} +- {{ toYaml $mnt | nindent 2}} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/stateful-set/resolver-pvc.yaml b/packages/system/nats/charts/nats/files/stateful-set/resolver-pvc.yaml new file mode 100644 index 00000000..3634cd82 --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/resolver-pvc.yaml @@ -0,0 +1,13 @@ +{{- with .Values.config.resolver.pvc }} +metadata: + name: {{ .name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .size | quote }} + {{- with .storageClassName }} + storageClassName: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/files/stateful-set/stateful-set.yaml b/packages/system/nats/charts/nats/files/stateful-set/stateful-set.yaml new file mode 100644 index 00000000..cd8082cb --- /dev/null +++ b/packages/system/nats/charts/nats/files/stateful-set/stateful-set.yaml 
@@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.statefulSet.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} + {{- if .Values.config.cluster.enabled }} + replicas: {{ .Values.config.cluster.replicas }} + {{- else }} + replicas: 1 + {{- end }} + serviceName: {{ .Values.headlessService.name }} + podManagementPolicy: Parallel + template: + {{- with .Values.podTemplate }} + {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/pod-template.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + volumeClaimTemplates: + {{- with .Values.config.jetstream }} + {{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }} + {{- with .fileStore.pvc }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/jetstream-pvc.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.config.resolver }} + {{- if and .enabled .pvc.enabled }} + {{- with .pvc }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/resolver-pvc.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- end }} diff --git a/packages/system/nats/charts/nats/templates/_helpers.tpl b/packages/system/nats/charts/nats/templates/_helpers.tpl new file mode 100644 index 00000000..ba831397 --- /dev/null +++ b/packages/system/nats/charts/nats/templates/_helpers.tpl 
@@ -0,0 +1,281 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "nats.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nats.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nats.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Print the namespace +*/}} +{{- define "nats.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride }} +{{- end }} + +{{/* +Print the namespace for the metadata section +*/}} +{{- define "nats.metadataNamespace" -}} +{{- with .Values.namespaceOverride }} +namespace: {{ . | quote }} +{{- end }} +{{- end }} + +{{/* +Set default values. +*/}} +{{- define "nats.defaultValues" }} +{{- if not .defaultValuesSet }} + {{- $name := include "nats.fullname" . 
}} + {{- with .Values }} + {{- $_ := set .config.jetstream.fileStore.pvc "name" (.config.jetstream.fileStore.pvc.name | default (printf "%s-js" $name)) }} + {{- $_ := set .config.resolver.pvc "name" (.config.resolver.pvc.name | default (printf "%s-resolver" $name)) }} + {{- $_ := set .config.websocket.ingress "name" (.config.websocket.ingress.name | default (printf "%s-ws" $name)) }} + {{- $_ := set .configMap "name" (.configMap.name | default (printf "%s-config" $name)) }} + {{- $_ := set .headlessService "name" (.headlessService.name | default (printf "%s-headless" $name)) }} + {{- $_ := set .natsBox.contentsSecret "name" (.natsBox.contentsSecret.name | default (printf "%s-box-contents" $name)) }} + {{- $_ := set .natsBox.contextsSecret "name" (.natsBox.contextsSecret.name | default (printf "%s-box-contexts" $name)) }} + {{- $_ := set .natsBox.deployment "name" (.natsBox.deployment.name | default (printf "%s-box" $name)) }} + {{- $_ := set .natsBox.serviceAccount "name" (.natsBox.serviceAccount.name | default (printf "%s-box" $name)) }} + {{- $_ := set .podDisruptionBudget "name" (.podDisruptionBudget.name | default $name) }} + {{- $_ := set .service "name" (.service.name | default $name) }} + {{- $_ := set .serviceAccount "name" (.serviceAccount.name | default $name) }} + {{- $_ := set .statefulSet "name" (.statefulSet.name | default $name) }} + {{- $_ := set .promExporter.podMonitor "name" (.promExporter.podMonitor.name | default $name) }} + {{- end }} + + {{- $values := get (include "tplYaml" (dict "doc" .Values "ctx" $) | fromJson) "doc" }} + {{- $_ := set . 
"Values" $values }} + + {{- $hasContentsSecret := false }} + {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + {{- range $secretKey, $secretVal := dict "creds" "nats-creds" "nkey" "nats-nkeys" "tls" "nats-certs" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if $secret }} + {{- $_ := set $secret "dir" ($secret.dir | default (printf "/etc/%s/%s" $secretVal $ctxKey)) }} + {{- if and (ne $secretKey "tls") $secret.contents }} + {{- $hasContentsSecret = true }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- $_ := set $ "hasContentsSecret" $hasContentsSecret }} + + {{- with .Values.config }} + {{- $config := include "nats.loadMergePatch" (merge (dict "file" "config/config.yaml" "ctx" $) .) | fromYaml }} + {{- $_ := set $ "config" $config }} + {{- end }} + + {{- $_ := set . "defaultValuesSet" true }} +{{- end }} +{{- end }} + +{{/* +NATS labels +*/}} +{{- define "nats.labels" -}} +{{- with .Values.global.labels -}} +{{ toYaml . }} +{{ end -}} +helm.sh/chart: {{ include "nats.chart" . }} +{{ include "nats.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +NATS selector labels +*/}} +{{- define "nats.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nats.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: nats +{{- end }} + +{{/* +NATS Box labels +*/}} +{{- define "natsBox.labels" -}} +{{- with .Values.global.labels -}} +{{ toYaml . }} +{{ end -}} +helm.sh/chart: {{ include "nats.chart" . }} +{{ include "natsBox.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +NATS Box selector labels +*/}} +{{- define "natsBox.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nats.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: nats-box +{{- end }} + +{{/* +Print the image +*/}} +{{- define "nats.image" }} +{{- $image := printf "%s:%s" .repository .tag }} +{{- if or .registry .global.image.registry }} +{{- $image = printf "%s/%s" (.registry | default .global.image.registry) $image }} +{{- end -}} +image: {{ $image }} +{{- if or .pullPolicy .global.image.pullPolicy }} +imagePullPolicy: {{ .pullPolicy | default .global.image.pullPolicy }} +{{- end }} +{{- end }} + +{{- define "nats.secretNames" -}} +{{- $secrets := list }} +{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $configProtocol.tls.enabled $configProtocol.tls.secretName }} + {{- $secrets = append $secrets (merge (dict "name" (printf "%s-tls" $protocol)) $configProtocol.tls) }} + {{- end }} +{{- end }} +{{- toJson (dict "secretNames" $secrets) }} +{{- end }} + +{{- define "natsBox.secretNames" -}} +{{- $secrets := list }} +{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} +{{- range $secretKey, $secretVal := dict "creds" "nats-creds" "nkey" "nats-nkeys" "tls" "nats-certs" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if and $secret $secret.secretName }} + {{- $secrets = append $secrets (merge (dict "name" (printf "ctx-%s-%s" $ctxKey $secretKey)) $secret) }} + {{- end }} + {{- end }} +{{- end }} +{{- toJson (dict "secretNames" $secrets) }} +{{- end }} + +{{- define "nats.tlsCAVolume" -}} +{{- with .Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +- name: tls-ca +{{- if .configMapName }} + configMap: + name: {{ .configMapName | quote }} +{{- else if .secretName }} + secret: + secretName: {{ .secretName | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "nats.tlsCAVolumeMount" -}} +{{- with .Values.tlsCA }} +{{- if and .enabled (or 
.configMapName .secretName) }} +- name: tls-ca + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +translates env var map to list +*/}} +{{- define "nats.env" -}} +{{- range $k, $v := . }} +{{- if kindIs "string" $v }} +- name: {{ $k | quote }} + value: {{ $v | quote }} +{{- else if kindIs "map" $v }} +- {{ merge (dict "name" $k) $v | toYaml | nindent 2 }} +{{- else }} +{{- fail (cat "env var" $k "must be string or map, got" (kindOf $v)) }} +{{- end }} +{{- end }} +{{- end }} + +{{- /* +nats.loadMergePatch +input: map with 4 keys: +- file: name of file to load +- ctx: context to pass to tpl +- merge: interface{} to merge +- patch: []interface{} valid JSON Patch document +output: JSON encoded map with 1 key: +- doc: interface{} patched json result +*/}} +{{- define "nats.loadMergePatch" -}} +{{- $doc := tpl (.ctx.Files.Get (printf "files/%s" .file)) .ctx | fromYaml | default dict -}} +{{- $doc = mergeOverwrite $doc (deepCopy (.merge | default dict)) -}} +{{- get (include "jsonpatch" (dict "doc" $doc "patch" (.patch | default list)) | fromJson ) "doc" | toYaml -}} +{{- end }} + + +{{- /* +nats.reloaderConfig +input: map with 2 keys: +- config: interface{} nats config +- dir: dir config file is in +output: YAML list of reloader config files +*/}} +{{- define "nats.reloaderConfig" -}} + {{- $dir := trimSuffix "/" .dir -}} + {{- with .config -}} + {{- if kindIs "map" . -}} + {{- range $k, $v := . -}} + {{- if or (eq $k "cert_file") (eq $k "key_file") (eq $k "ca_file") }} +- -config +- {{ $v }} + {{- else if hasSuffix "$include" $k }} +- -config +- {{ clean (printf "%s/%s" $dir $v) }} + {{- else }} + {{- include "nats.reloaderConfig" (dict "config" $v "dir" $dir) }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + + +{{- /* +nats.formatConfig +input: map[string]interface{} +output: string with following format rules +1. keys ending in $natsRaw are unquoted +2. 
keys ending in $natsInclude are converted to include directives +*/}} +{{- define "nats.formatConfig" -}} + {{- + (regexReplaceAll "\"<<\\s+(.*)\\s+>>\"" + (regexReplaceAll "\".*\\$include\": \"(.*)\",?" (include "toPrettyRawJson" .) "include ${1};") + "${1}") + -}} +{{- end -}} diff --git a/packages/system/nats/charts/nats/templates/_jsonpatch.tpl b/packages/system/nats/charts/nats/templates/_jsonpatch.tpl new file mode 100644 index 00000000..cd42c3bb --- /dev/null +++ b/packages/system/nats/charts/nats/templates/_jsonpatch.tpl 
@@ -0,0 +1,219 @@ +{{- /* +jsonpatch +input: map with 2 keys: +- doc: interface{} valid JSON document +- patch: []interface{} valid JSON Patch document +output: JSON encoded map with 1 key: +- doc: interface{} patched json result +*/}} +{{- define "jsonpatch" -}} + {{- $params := fromJson (toJson .) -}} + {{- $patches := $params.patch -}} + {{- $docContainer := pick $params "doc" -}} + + {{- range $patch := $patches -}} + {{- if not (hasKey $patch "op") -}} + {{- fail "patch is missing op key" -}} + {{- end -}} + {{- if and (ne $patch.op "add") (ne $patch.op "remove") (ne $patch.op "replace") (ne $patch.op "copy") (ne $patch.op "move") (ne $patch.op "test") -}} + {{- fail (cat "patch has invalid op" $patch.op) -}} + {{- end -}} + {{- if not (hasKey $patch "path") -}} + {{- fail "patch is missing path key" -}} + {{- end -}} + {{- if and (or (eq $patch.op "add") (eq $patch.op "replace") (eq $patch.op "test")) (not (hasKey $patch "value")) -}} + {{- fail (cat "patch with op" $patch.op "is missing value key") -}} + {{- end -}} + {{- if and (or (eq $patch.op "copy") (eq $patch.op "move")) (not (hasKey $patch "from")) -}} + {{- fail (cat "patch with op" $patch.op "is missing from key") -}} + {{- end -}} + + {{- $opPathKeys := list "path" -}} + {{- if or (eq $patch.op "copy") (eq $patch.op "move") -}} + {{- $opPathKeys = append $opPathKeys "from" -}} + {{- end -}} + {{- $reSlice := list -}} + + {{- range $opPathKey := $opPathKeys -}} + {{- $obj := $docContainer -}} + {{- if and (eq $patch.op "copy") (eq $opPathKey "from") -}} + {{- $obj = (fromJson (toJson $docContainer)) -}} + {{- end -}} + {{- $key := "doc" -}} + {{- $lastMap := dict "root" $obj -}} + {{- $lastKey := "root" -}} + {{- $paths := (splitList "/" (get $patch $opPathKey)) -}} + {{- $firstPath := index $paths 0 -}} + {{- if ne (index $paths 0) "" -}} + {{- fail (cat "invalid" $opPathKey (get $patch $opPathKey) "must be empty string or start with /") -}} + {{- end -}} + {{- $paths = slice $paths 1 -}} + + {{- 
range $path := $paths -}} + {{- $path = replace "~1" "/" $path -}} + {{- $path = replace "~0" "~" $path -}} + + {{- if kindIs "slice" $obj -}} + {{- $mapObj := dict -}} + {{- range $i, $v := $obj -}} + {{- $_ := set $mapObj (toString $i) $v -}} + {{- end -}} + {{- $obj = $mapObj -}} + {{- $_ := set $lastMap $lastKey $obj -}} + {{- $reSlice = prepend $reSlice (dict "lastMap" $lastMap "lastKey" $lastKey "mapObj" $obj) -}} + {{- end -}} + + {{- if kindIs "map" $obj -}} + {{- if not (hasKey $obj $key) -}} + {{- fail (cat "key" $key "does not exist") -}} + {{- end -}} + {{- $lastKey = $key -}} + {{- $lastMap = $obj -}} + {{- $obj = index $obj $key -}} + {{- $key = $path -}} + {{- else -}} + {{- fail (cat "cannot iterate into path" $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- $_ := set $patch (printf "%sKey" $opPathKey) $key -}} + {{- $_ := set $patch (printf "%sLastKey" $opPathKey) $lastKey -}} + {{- $_ = set $patch (printf "%sLastMap" $opPathKey) $lastMap -}} + {{- end -}} + + {{- if eq $patch.op "move" }} + {{- if and (ne $patch.path $patch.from) (hasPrefix (printf "%s/" $patch.path) (printf "%s/" $patch.from)) -}} + {{- fail (cat "from" $patch.from "may not be a child of path" $patch.path) -}} + {{- end -}} + {{- end -}} + + {{- if or (eq $patch.op "move") (eq $patch.op "copy") (eq $patch.op "test") }} + {{- $key := $patch.fromKey -}} + {{- $lastMap := $patch.fromLastMap -}} + {{- $lastKey := $patch.fromLastKey -}} + {{- $setKey := "value" -}} + {{- if eq $patch.op "test" }} + {{- $key = $patch.pathKey -}} + {{- $lastMap = $patch.pathLastMap -}} + {{- $lastKey = $patch.pathLastKey -}} + {{- $setKey = "testValue" -}} + {{- end -}} + {{- $obj := index $lastMap $lastKey -}} + + {{- if kindIs "map" $obj -}} + {{- if not (hasKey $obj $key) -}} + {{- fail (cat $key "does not exist") -}} + {{- end -}} + {{- $_ := set $patch $setKey (index $obj $key) -}} + + {{- else if kindIs "slice" $obj -}} + {{- $i := atoi $key -}} + {{- if ne $key (toString $i) 
-}} + {{- fail (cat "cannot convert" $key "to int") -}} + {{- end -}} + {{- if lt $i 0 -}} + {{- fail "slice index <0" -}} + {{- else if lt $i (len $obj) -}} + {{- $_ := set $patch $setKey (index $obj $i) -}} + {{- else -}} + {{- fail "slice index >= slice length" -}} + {{- end -}} + + {{- else -}} + {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- if or (eq $patch.op "remove") (eq $patch.op "replace") (eq $patch.op "move") }} + {{- $key := $patch.pathKey -}} + {{- $lastMap := $patch.pathLastMap -}} + {{- $lastKey := $patch.pathLastKey -}} + {{- if eq $patch.op "move" }} + {{- $key = $patch.fromKey -}} + {{- $lastMap = $patch.fromLastMap -}} + {{- $lastKey = $patch.fromLastKey -}} + {{- end -}} + {{- $obj := index $lastMap $lastKey -}} + + {{- if kindIs "map" $obj -}} + {{- if not (hasKey $obj $key) -}} + {{- fail (cat $key "does not exist") -}} + {{- end -}} + {{- $_ := unset $obj $key -}} + + {{- else if kindIs "slice" $obj -}} + {{- $i := atoi $key -}} + {{- if ne $key (toString $i) -}} + {{- fail (cat "cannot convert" $key "to int") -}} + {{- end -}} + {{- if lt $i 0 -}} + {{- fail "slice index <0" -}} + {{- else if eq $i 0 -}} + {{- $_ := set $lastMap $lastKey (slice $obj 1) -}} + {{- else if lt $i (sub (len $obj) 1) -}} + {{- $_ := set $lastMap $lastKey (concat (slice $obj 0 $i) (slice $obj (add $i 1) (len $obj))) -}} + {{- else if eq $i (sub (len $obj) 1) -}} + {{- $_ := set $lastMap $lastKey (slice $obj 0 (sub (len $obj) 1)) -}} + {{- else -}} + {{- fail "slice index >= slice length" -}} + {{- end -}} + + {{- else -}} + {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- if or (eq $patch.op "add") (eq $patch.op "replace") (eq $patch.op "move") (eq $patch.op "copy") }} + {{- $key := $patch.pathKey -}} + {{- $lastMap := $patch.pathLastMap -}} + {{- $lastKey := $patch.pathLastKey -}} + {{- $value := $patch.value -}} + {{- $obj := index $lastMap $lastKey -}} 
+ + {{- if kindIs "map" $obj -}} + {{- $_ := set $obj $key $value -}} + + {{- else if kindIs "slice" $obj -}} + {{- $i := 0 -}} + {{- if eq $key "-" -}} + {{- $i = len $obj -}} + {{- else -}} + {{- $i = atoi $key -}} + {{- if ne $key (toString $i) -}} + {{- fail (cat "cannot convert" $key "to int") -}} + {{- end -}} + {{- end -}} + {{- if lt $i 0 -}} + {{- fail "slice index <0" -}} + {{- else if eq $i 0 -}} + {{- $_ := set $lastMap $lastKey (prepend $obj $value) -}} + {{- else if lt $i (len $obj) -}} + {{- $_ := set $lastMap $lastKey (concat (append (slice $obj 0 $i) $value) (slice $obj $i)) -}} + {{- else if eq $i (len $obj) -}} + {{- $_ := set $lastMap $lastKey (append $obj $value) -}} + {{- else -}} + {{- fail "slice index > slice length" -}} + {{- end -}} + + {{- else -}} + {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- if eq $patch.op "test" }} + {{- if not (deepEqual $patch.value $patch.testValue) }} + {{- fail (cat "test failed, expected" (toJson $patch.value) "but got" (toJson $patch.testValue)) -}} + {{- end -}} + {{- end -}} + + {{- range $reSliceOp := $reSlice -}} + {{- $sliceObj := list -}} + {{- range $i := until (len $reSliceOp.mapObj) -}} + {{- $sliceObj = append $sliceObj (index $reSliceOp.mapObj (toString $i)) -}} + {{- end -}} + {{- $_ := set $reSliceOp.lastMap $reSliceOp.lastKey $sliceObj -}} + {{- end -}} + + {{- end -}} + {{- toJson $docContainer -}} +{{- end -}} diff --git a/packages/system/nats/charts/nats/templates/_toPrettyRawJson.tpl b/packages/system/nats/charts/nats/templates/_toPrettyRawJson.tpl new file mode 100644 index 00000000..612a62f9 --- /dev/null +++ b/packages/system/nats/charts/nats/templates/_toPrettyRawJson.tpl 
@@ -0,0 +1,28 @@ +{{- /* +toPrettyRawJson +input: interface{} valid JSON document +output: pretty raw JSON string +*/}} +{{- define "toPrettyRawJson" -}} + {{- include "toPrettyRawJsonStr" (toPrettyJson .) -}} +{{- end -}} + +{{- /* +toPrettyRawJsonStr +input: pretty JSON string +output: pretty raw JSON string +*/}} +{{- define "toPrettyRawJsonStr" -}} + {{- $s := + (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u003e" + (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u003c" + (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u0026" . "${1}&") + "${1}<") + "${1}>") + -}} + {{- if regexMatch "([^\\\\](?:\\\\\\\\)*)\\\\u00(26|3c|3e)" $s -}} + {{- include "toPrettyRawJsonStr" $s -}} + {{- else -}} + {{- $s -}} + {{- end -}} +{{- end -}} diff --git a/packages/system/nats/charts/nats/templates/_tplYaml.tpl b/packages/system/nats/charts/nats/templates/_tplYaml.tpl new file mode 100644 index 00000000..f42b9c16 --- /dev/null +++ b/packages/system/nats/charts/nats/templates/_tplYaml.tpl 
@@ -0,0 +1,114 @@ +{{- /* +tplYaml +input: map with 2 keys: +- doc: interface{} +- ctx: context to pass to tpl function +output: JSON encoded map with 1 key: +- doc: interface{} with any keys called tpl or tplSpread values templated and replaced + +maps matching the following syntax will be templated and parsed as YAML +{ + $tplYaml: string +} + +maps matching the follow syntax will be templated, parsed as YAML, and spread into the parent map/slice +{ + $tplYamlSpread: string +} +*/}} +{{- define "tplYaml" -}} + {{- $patch := get (include "tplYamlItr" (dict "ctx" .ctx "parentKind" "" "parentPath" "" "path" "/" "value" .doc) | fromJson) "patch" -}} + {{- include "jsonpatch" (dict "doc" .doc "patch" $patch) -}} +{{- end -}} + +{{- /* +tplYamlItr +input: map with 4 keys: +- path: string JSONPath to current element +- parentKind: string kind of parent element +- parentPath: string JSONPath to parent element +- value: interface{} +- ctx: context to pass to tpl function +output: JSON encoded map with 1 key: +- patch: list of patches to apply in order to template +*/}} +{{- define "tplYamlItr" -}} + {{- $params := . 
-}} + {{- $kind := kindOf $params.value -}} + {{- $patch := list -}} + {{- $joinPath := $params.path -}} + {{- if eq $params.path "/" -}} + {{- $joinPath = "" -}} + {{- end -}} + {{- $joinParentPath := $params.parentPath -}} + {{- if eq $params.parentPath "/" -}} + {{- $joinParentPath = "" -}} + {{- end -}} + + {{- if eq $kind "slice" -}} + {{- $iAdj := 0 -}} + {{- range $i, $v := $params.value -}} + {{- $iPath := printf "%s/%d" $joinPath (add $i $iAdj) -}} + {{- $itrPatch := get (include "tplYamlItr" (dict "ctx" $params.ctx "parentKind" $kind "parentPath" $params.path "path" $iPath "value" $v) | fromJson) "patch" -}} + {{- $itrLen := len $itrPatch -}} + {{- if gt $itrLen 0 -}} + {{- $patch = concat $patch $itrPatch -}} + {{- if eq (get (index $itrPatch 0) "op") "remove" -}} + {{- $iAdj = add $iAdj (sub $itrLen 2) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- else if eq $kind "map" -}} + {{- if and (eq (len $params.value) 1) (or (hasKey $params.value "$tplYaml") (hasKey $params.value "$tplYamlSpread")) -}} + {{- $tpl := get $params.value "$tplYaml" -}} + {{- $spread := false -}} + {{- if hasKey $params.value "$tplYamlSpread" -}} + {{- if eq $params.path "/" -}} + {{- fail "cannot $tplYamlSpread on root object" -}} + {{- end -}} + {{- $tpl = get $params.value "$tplYamlSpread" -}} + {{- $spread = true -}} + {{- end -}} + + {{- $res := tpl $tpl $params.ctx -}} + {{- $res = get (fromYaml (tpl "tpl: {{ nindent 2 .res }}" (merge (dict "res" $res) $params.ctx))) "tpl" -}} + + {{- if eq $spread false -}} + {{- $patch = append $patch (dict "op" "replace" "path" $params.path "value" $res) -}} + {{- else -}} + {{- $resKind := kindOf $res -}} + {{- if and (ne $resKind "invalid") (ne $resKind $params.parentKind) -}} + {{- fail (cat "can only $tplYamlSpread slice onto a slice or map onto a map; attempted to spread" $resKind "on" $params.parentKind "at path" $params.path) -}} + {{- end -}} + {{- $patch = append $patch (dict "op" "remove" "path" $params.path) -}} + {{- if 
eq $resKind "invalid" -}} + {{- /* no-op */ -}} + {{- else if eq $resKind "slice" -}} + {{- range $v := reverse $res -}} + {{- $patch = append $patch (dict "op" "add" "path" $params.path "value" $v) -}} + {{- end -}} + {{- else -}} + {{- range $k, $v := $res -}} + {{- $kPath := replace "~" "~0" $k -}} + {{- $kPath = replace "/" "~1" $kPath -}} + {{- $kPath = printf "%s/%s" $joinParentPath $kPath -}} + {{- $patch = append $patch (dict "op" "add" "path" $kPath "value" $v) -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- range $k, $v := $params.value -}} + {{- $kPath := replace "~" "~0" $k -}} + {{- $kPath = replace "/" "~1" $kPath -}} + {{- $kPath = printf "%s/%s" $joinPath $kPath -}} + {{- $itrPatch := get (include "tplYamlItr" (dict "ctx" $params.ctx "parentKind" $kind "parentPath" $params.path "path" $kPath "value" $v) | fromJson) "patch" -}} + {{- if gt (len $itrPatch) 0 -}} + {{- $patch = concat $patch $itrPatch -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- toJson (dict "patch" $patch) -}} +{{- end -}} diff --git a/packages/system/nats/charts/nats/templates/config-map.yaml b/packages/system/nats/charts/nats/templates/config-map.yaml new file mode 100644 index 00000000..b95afda2 --- /dev/null +++ b/packages/system/nats/charts/nats/templates/config-map.yaml @@ -0,0 +1,4 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.configMap }} +{{- include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) .) }} +{{- end }} diff --git a/packages/system/nats/charts/nats/templates/extra-resources.yaml b/packages/system/nats/charts/nats/templates/extra-resources.yaml new file mode 100644 index 00000000..c11f0085 --- /dev/null +++ b/packages/system/nats/charts/nats/templates/extra-resources.yaml @@ -0,0 +1,5 @@ +{{- include "nats.defaultValues" . }} +{{- range .Values.extraResources }} +--- +{{ . | toYaml }} +{{- end }} 
diff --git a/packages/system/nats/charts/nats/templates/headless-service.yaml b/packages/system/nats/charts/nats/templates/headless-service.yaml
new file mode 100644
index 00000000..f11a83d1
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/headless-service.yaml
@@ -0,0 +1,4 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.headlessService }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "headless-service.yaml" "ctx" $) .) }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/ingress.yaml b/packages/system/nats/charts/nats/templates/ingress.yaml
new file mode 100644
index 00000000..eccd73ff
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/ingress.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.config.websocket.ingress }}
+{{- if and .enabled .hosts $.Values.config.websocket.enabled $.Values.service.enabled $.Values.service.ports.websocket.enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "ingress.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/nats-box/contents-secret.yaml b/packages/system/nats/charts/nats/templates/nats-box/contents-secret.yaml
new file mode 100644
index 00000000..db629bf7
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/nats-box/contents-secret.yaml
@@ -0,0 +1,10 @@
+{{- include "nats.defaultValues" . }}
+{{- if .hasContentsSecret }}
+{{- with .Values.natsBox }}
+{{- if .enabled }}
+{{- with .contentsSecret}}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/contents-secret.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/nats-box/contexts-secret.yaml b/packages/system/nats/charts/nats/templates/nats-box/contexts-secret.yaml
new file mode 100644
index 00000000..5ae20f45
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/nats-box/contexts-secret.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.natsBox }}
+{{- if .enabled }}
+{{- with .contextsSecret}}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/contexts-secret/contexts-secret.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/nats-box/deployment.yaml b/packages/system/nats/charts/nats/templates/nats-box/deployment.yaml
new file mode 100644
index 00000000..a063332a
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/nats-box/deployment.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.natsBox }}
+{{- if .enabled }}
+{{- with .deployment }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/deployment.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/nats-box/service-account.yaml b/packages/system/nats/charts/nats/templates/nats-box/service-account.yaml
new file mode 100644
index 00000000..e11bdd36
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/nats-box/service-account.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- if .Values.natsBox.enabled }}
+{{- with .Values.natsBox.serviceAccount }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/service-account.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/pod-disruption-budget.yaml b/packages/system/nats/charts/nats/templates/pod-disruption-budget.yaml
new file mode 100644
index 00000000..91172262
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/pod-disruption-budget.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.podDisruptionBudget }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "pod-disruption-budget.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/pod-monitor.yaml b/packages/system/nats/charts/nats/templates/pod-monitor.yaml
new file mode 100644
index 00000000..0e42a43a
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/pod-monitor.yaml
@@ -0,0 +1,8 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.promExporter }}
+{{- if and .enabled .podMonitor.enabled }}
+{{- with .podMonitor }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "pod-monitor.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/service-account.yaml b/packages/system/nats/charts/nats/templates/service-account.yaml
new file mode 100644
index 00000000..6c763bd3
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/service-account.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.serviceAccount }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "service-account.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/service.yaml b/packages/system/nats/charts/nats/templates/service.yaml
new file mode 100644
index 00000000..04b0b37e
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/service.yaml
@@ -0,0 +1,6 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.service }}
+{{- if .enabled }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "service.yaml" "ctx" $) .) }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/stateful-set.yaml b/packages/system/nats/charts/nats/templates/stateful-set.yaml
new file mode 100644
index 00000000..bb198323
--- /dev/null
+++ b/packages/system/nats/charts/nats/templates/stateful-set.yaml
@@ -0,0 +1,4 @@
+{{- include "nats.defaultValues" . }}
+{{- with .Values.statefulSet }}
+{{- include "nats.loadMergePatch" (merge (dict "file" "stateful-set/stateful-set.yaml" "ctx" $) .) }}
+{{- end }}
diff --git a/packages/system/nats/charts/nats/templates/tests/request-reply.yaml b/packages/system/nats/charts/nats/templates/tests/request-reply.yaml new file mode 100644 index 00000000..3e06edc0 --- /dev/null +++ b/packages/system/nats/charts/nats/templates/tests/request-reply.yaml @@ -0,0 +1,37 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.natsBox | deepCopy }} +{{- $natsBox := . }} +{{- if .enabled -}} +apiVersion: v1 +kind: Pod +{{- with .container }} +{{- $_ := set . "merge" (dict + "args" (list + "sh" + "-ec" + "nats reply --echo echo & pid=\"$!\"; sleep 1; nats request echo hi > /tmp/resp; kill \"$pid\"; wait; grep -qF hi /tmp/resp" + ) +) }} +{{- $_ := set . "patch" list }} +{{- end }} +{{- with .podTemplate }} +{{- $_ := set . "merge" (dict + "metadata" (dict + "name" (printf "%s-test-request-reply" $.Values.statefulSet.name) + "labels" (dict + "app.kubernetes.io/component" "test-request-reply" + ) + "annotations" (dict + "helm.sh/hook" "test" + "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded" + ) + ) + "spec" (dict + "restartPolicy" "Never" + ) +) }} +{{- $_ := set . "patch" list }} +{{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" (merge (dict "Values" (dict "natsBox" $natsBox)) $)) .) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/system/nats/charts/nats/values.yaml b/packages/system/nats/charts/nats/values.yaml new file mode 100644 index 00000000..0b14ebd4 --- /dev/null +++ b/packages/system/nats/charts/nats/values.yaml 
@@ -0,0 +1,669 @@ +################################################################################ +# Global options +################################################################################ +global: + image: + # global image pull policy to use for all container images in the chart + # can be overridden by individual image pullPolicy + pullPolicy: + # global list of secret names to use as image pull secrets for all pod specs in the chart + # secrets must exist in the same namespace + # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + pullSecretNames: [] + # global registry to use for all container images in the chart + # can be overridden by individual image registry + registry: + + # global labels will be applied to all resources deployed by the chart + labels: {} + +################################################################################ +# Common options +################################################################################ +# override name of the chart +nameOverride: +# override full name of the chart+release +fullnameOverride: +# override the namespace that resources are installed into +namespaceOverride: + +# reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts +# note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS +tlsCA: + enabled: false + # set configMapName in order to mount an existing configMap to dir + configMapName: + # set secretName in order to mount an existing secretName to dir + secretName: + # directory to mount the configMap or secret to + dir: /etc/nats-ca-cert + # key in the configMap or secret that contains the CA Certificate or Bundle + key: ca.crt + +################################################################################ +# NATS Stateful Set and associated resources +################################################################################ + 
+############################################################ +# NATS config +############################################################ +config: + cluster: + enabled: false + port: 6222 + # must be 2 or higher when jetstream is enabled + replicas: 3 + + # apply to generated route URLs that connect to other pods in the StatefulSet + routeURLs: + # if both user and password are set, they will be added to route URLs + # and the cluster authorization block + user: + password: + # set to true to use FQDN in route URLs + useFQDN: false + k8sClusterDomain: cluster.local + + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/cluster + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the cluster config + # https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config + merge: {} + patch: [] + + jetstream: + enabled: false + + fileStore: + enabled: true + dir: /data + + ############################################################ + # stateful set -> volume claim templates -> jetstream pvc + ############################################################ + pvc: + enabled: true + size: 10Gi + storageClassName: + + # merge or patch the jetstream pvc + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-js" + name: + + # defaults to the PVC size + maxSize: + + memoryStore: + enabled: false + # ensure that container has a sufficient memory limit greater than maxSize + maxSize: 1Gi + + # merge or patch the jetstream config + # https://docs.nats.io/running-a-nats-service/configuration#jetstream + merge: {} + patch: [] + + nats: + port: 4222 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + 
secretName: + dir: /etc/nats-certs/nats + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + leafnodes: + enabled: false + port: 7422 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/leafnodes + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the leafnodes config + # https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf + merge: {} + patch: [] + + websocket: + enabled: false + port: 8080 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/websocket + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + ############################################################ + # ingress + ############################################################ + # service must be enabled also + ingress: + enabled: false + # must contain at least 1 host otherwise ingress will not be created + hosts: [] + path: / + pathType: Exact + # sets to the ingress class name + className: + # set to an existing secret name to enable TLS on the ingress; applies to all hosts + tlsSecretName: + + # merge or patch the ingress + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-ws" + name: + + # merge or patch the websocket config + # https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf + merge: {} + patch: [] + + mqtt: + enabled: false + port: 1883 + tls: + enabled: false + # set secretName in order to mount an 
existing secret to dir + secretName: + dir: /etc/nats-certs/mqtt + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the mqtt config + # https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config + merge: {} + patch: [] + + gateway: + enabled: false + port: 7222 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/gateway + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the gateway config + # https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block + merge: {} + patch: [] + + monitor: + enabled: true + port: 8222 + tls: + # config.nats.tls must be enabled also + # when enabled, monitoring port will use HTTPS with the options from config.nats.tls + enabled: false + + profiling: + enabled: false + port: 65432 + + resolver: + enabled: false + dir: /data/resolver + + ############################################################ + # stateful set -> volume claim templates -> resolver pvc + ############################################################ + pvc: + enabled: true + size: 1Gi + storageClassName: + + # merge or patch the pvc + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-resolver" + name: + + # merge or patch the resolver + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver + merge: {} + patch: [] + + # adds a prefix to the server name, which defaults to the pod name + # helpful for ensuring server name is unique in a super cluster + serverNamePrefix: "" + + # merge or patch the nats 
config + # https://docs.nats.io/running-a-nats-service/configuration + # following special rules apply + # 1. strings that start with << and end with >> will be unquoted + # use this for variables and numbers with units + # 2. keys ending in $include will be switched to include directives + # keys are sorted alphabetically, use prefix before $includes to control includes ordering + # paths should be relative to /etc/nats-config/nats.conf + # example: + # + # merge: + # $include: ./my-config.conf + # zzz$include: ./my-config-last.conf + # server_name: nats + # authorization: + # token: << $TOKEN >> + # jetstream: + # max_memory_store: << 1GB >> + # + # will yield the config: + # { + # include ./my-config.conf; + # "authorization": { + # "token": $TOKEN + # }, + # "jetstream": { + # "max_memory_store": 1GB + # }, + # "server_name": "nats", + # include ./my-config-last.conf; + # } + merge: {} + patch: [] + +############################################################ +# stateful set -> pod template -> nats container +############################################################ +container: + image: + repository: nats + tag: 2.10.17-alpine + pullPolicy: + registry: + + # container port options + # must be enabled in the config section also + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core + ports: + nats: {} + leafnodes: {} + websocket: {} + mqtt: {} + cluster: {} + gateway: {} + monitor: {} + profiling: {} + + # map with key as env var name, value can be string or map + # example: + # + # env: + # GOMEMLIMIT: 7GiB + # TOKEN: + # valueFrom: + # secretKeyRef: + # name: nats-auth + # key: token + env: {} + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + +############################################################ +# stateful set -> pod template -> reloader container +############################################################ 
+reloader: + enabled: true + image: + repository: natsio/nats-server-config-reloader + tag: 0.15.0 + pullPolicy: + registry: + + # env var map, see nats.env for an example + env: {} + + # all nats container volume mounts with the following prefixes + # will be mounted into the reloader container + natsVolumeMountPrefixes: + - /etc/ + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + +############################################################ +# stateful set -> pod template -> prom-exporter container +############################################################ +# config.monitor must be enabled +promExporter: + enabled: false + image: + repository: natsio/prometheus-nats-exporter + tag: 0.15.0 + pullPolicy: + registry: + + port: 7777 + # env var map, see nats.env for an example + env: {} + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + + ############################################################ + # prometheus pod monitor + ############################################################ + podMonitor: + enabled: false + + # merge or patch the pod monitor + # https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + + +############################################################ +# service +############################################################ +service: + enabled: true + + # service port options + # additional boolean field enable to control whether port is exposed in the service + # must be enabled in the config section also + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core + ports: + nats: + enabled: true + leafnodes: + enabled: true + websocket: + enabled: true + mqtt: + enabled: true + cluster: + 
enabled: false + gateway: + enabled: false + monitor: + enabled: false + profiling: + enabled: false + + # merge or patch the service + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +############################################################ +# other nats extension points +############################################################ + +# stateful set +statefulSet: + # merge or patch the stateful set + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +# stateful set -> pod template +podTemplate: + # adds a hash of the ConfigMap as a pod annotation + # this will cause the StatefulSet to roll when the ConfigMap is updated + configChecksumAnnotation: true + + # map of topologyKey: topologySpreadConstraint + # labelSelector will be added to match StatefulSet pods + # + # topologySpreadConstraints: + # kubernetes.io/hostname: + # maxSkew: 1 + # + topologySpreadConstraints: {} + + # merge or patch the pod template + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core + merge: {} + patch: [] + +# headless service +headlessService: + # merge or patch the headless service + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-headless" + name: + +# config map +configMap: + # merge or patch the config map + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-config" + name: + +# pod disruption budget +podDisruptionBudget: + enabled: true + # merge or patch the pod disruption budget + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudget-v1-policy + 
merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +# service account +serviceAccount: + enabled: false + # merge or patch the service account + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + + +############################################################ +# natsBox +# +# NATS Box Deployment and associated resources +############################################################ +natsBox: + enabled: true + + ############################################################ + # NATS contexts + ############################################################ + contexts: + default: + creds: + # set contents in order to create a secret with the creds file contents + contents: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-creds/ + dir: + key: nats.creds + nkey: + # set contents in order to create a secret with the nkey file contents + contents: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-nkeys/ + dir: + key: nats.nk + # used to connect with client certificates + tls: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-certs/ + dir: + cert: tls.crt + key: tls.key + + # merge or patch the context + # https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts + merge: {} + patch: [] + + # name of context to select by default + defaultContextName: default + + ############################################################ + # deployment -> pod template -> nats-box container + ############################################################ + container: + image: + repository: natsio/nats-box + tag: 0.14.3 + pullPolicy: + registry: + + # env var map, see nats.env for an example + env: {} + + # merge or patch the container + # 
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + + ############################################################ + # other nats-box extension points + ############################################################ + + # deployment + deployment: + # merge or patch the deployment + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box" + name: + + # deployment -> pod template + podTemplate: + # merge or patch the pod template + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core + merge: {} + patch: [] + + # contexts secret + contextsSecret: + # merge or patch the context secret + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box-contexts" + name: + + # contents secret + contentsSecret: + # merge or patch the contents secret + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box-contents" + name: + + # service account + serviceAccount: + enabled: false + # merge or patch the service account + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box" + name: + + +################################################################################ +# Extra user-defined resources +################################################################################ +# +# add arbitrary user-generated resources +# example: +# +# config: +# websocket: +# enabled: true +# extraResources: +# - apiVersion: networking.istio.io/v1beta1 +# kind: VirtualService +# metadata: +# name: +# $tplYaml: > +# {{ include "nats.fullname" $ | quote }} +# labels: +# 
$tplYaml: | +# {{ include "nats.labels" $ }} +# spec: +# hosts: +# - demo.nats.io +# gateways: +# - my-gateway +# http: +# - name: default +# match: +# - name: root +# uri: +# exact: / +# route: +# - destination: +# host: +# $tplYaml: > +# {{ .Values.service.name | quote }} +# port: +# number: +# $tplYaml: > +# {{ .Values.config.websocket.port }} +# +extraResources: [] diff --git a/packages/system/nats/values.yaml b/packages/system/nats/values.yaml new file mode 100644 index 00000000..239b91c4 --- /dev/null +++ b/packages/system/nats/values.yaml @@ -0,0 +1,7 @@ +nats: + statefulSet: + merge: + spec: + persistentVolumeClaimRetentionPolicy: + whenDeleted: Delete + whenScaled: Delete diff --git a/packages/system/snapshot-controller/.helmignore b/packages/system/snapshot-controller/.helmignore new file mode 100644 index 00000000..d5c178e8 --- /dev/null +++ b/packages/system/snapshot-controller/.helmignore @@ -0,0 +1,3 @@ +images +hack +.gitkeep diff --git a/packages/system/snapshot-controller/Chart.yaml b/packages/system/snapshot-controller/Chart.yaml new file mode 100644 index 00000000..1f32123c --- /dev/null +++ b/packages/system/snapshot-controller/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-snapshot-controller +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/snapshot-controller/Makefile b/packages/system/snapshot-controller/Makefile new file mode 100644 index 00000000..d06f8967 --- /dev/null +++ b/packages/system/snapshot-controller/Makefile @@ -0,0 +1,10 @@ +export NAME=snapshot-controller +export NAMESPACE=cozy-$(NAME) + +include ../../../scripts/package-system.mk + +update: + rm -rf charts + helm repo add piraeus-charts https://piraeus.io/helm-charts/ + helm repo update piraeus-charts + helm pull piraeus-charts/snapshot-controller --untar --untardir charts \ No newline at end of file 
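Review bot: The `persistentVolumeClaimRetentionPolicy` merged into the NATS StatefulSet sets both `whenDeleted: Delete` and `whenScaled: Delete`, so the JetStream file-store and resolver PVCs of a replica are removed the moment it is scaled down, not only on uninstall; an accidental scale-down therefore destroys stream data with no way back. `whenScaled: Retain` together with `whenDeleted: Delete` keeps clean teardown while protecting data during resizes, which is the safer choice for a system-level message store. The field is also only honoured when the StatefulSetAutoDeletePVC feature gate is active on the cluster (on by default from Kubernetes 1.27 as far as I recall), which deserves a comment above `spec:` such as `# requires StatefulSetAutoDeletePVC; PVCs are removed on scale-down and on delete` so operators know what behaviour they are opting into.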
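Review bot: The `update` target runs `helm pull piraeus-charts/snapshot-controller --untar --untardir charts` without `--version`, so every `make update` re-vendors whatever the remote repository currently serves as latest, and an unintended upstream bump or a compromised chart repository lands in the tree with nothing in the Makefile to catch it. The vendored chart in this same commit records `version: 3.0.5`, so the pull should be pinned to it: `helm pull piraeus-charts/snapshot-controller --version 3.0.5 --untar --untardir charts`, bumping the pin deliberately when upgrading. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.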
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/.helmignore b/packages/system/snapshot-controller/charts/snapshot-controller/.helmignore
new file mode 100644
index 00000000..8c796acd
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/.helmignore
@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+crds/README.md
+Makefile
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/Chart.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/Chart.yaml new file mode 100644 index 00000000..6ca53629 --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: v8.0.1 +description: 'Deploys a Snapshot Controller in a cluster. Snapshot Controllers are + often bundled with the Kubernetes distribution, this chart is meant for cases where + it is not. Also deploys the Snapshot Validation Webhook and configures your cluster + to validate every `VolumeSnapshot` and `VolumeSnapshotContent` resource by sending + it to the webhook. ' +home: https://github.com/piraeusdatastore/helm-charts +icon: https://raw.githubusercontent.com/piraeusdatastore/piraeus/master/artwork/sandbox-artwork/icon/color.svg +keywords: +- storage +- snapshot +- validation +kubeVersion: '>= 1.25.0-0' +maintainers: +- name: The Piraeus Maintainers + url: https://github.com/piraeusdatastore/ +name: snapshot-controller +sources: +- https://github.com/kubernetes-csi/external-snapshotter/ +type: application +version: 3.0.5
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/LICENSE b/packages/system/snapshot-controller/charts/snapshot-controller/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/README.md b/packages/system/snapshot-controller/charts/snapshot-controller/README.md new file mode 100644 index 00000000..9e6efb45 --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/README.md 
@@ -0,0 +1,200 @@
+# snapshot-controller
+
+Deploys the [snapshot-controller](https://github.com/kubernetes-csi/external-snapshotter) and the
+[snapshot-validation-webhook](https://github.com/kubernetes-csi/external-snapshotter/#validating-webhook) in a cluster.
+The controller is required for CSI snapshotting to work and is not specific to any CSI driver. The webhook is configured
+to validate every `VolumeSnapshot` and `VolumeSnapshotContent` resource by sending it to the validation webhook.
+
+While many Kubernetes distributions already package this controller, some do not. If your cluster does ***NOT***
+have the following CRDs, you likely also do not have a snapshot controller deployed:
+
+```
+kubectl get crd volumesnapshotclasses.snapshot.storage.k8s.io
+kubectl get crd volumesnapshots.snapshot.storage.k8s.io
+kubectl get crd volumesnapshotcontents.snapshot.storage.k8s.io
+```
+
+## Usage
+
+The *snapshot-controller* should be deployed together with the *snapshot-validation-webhook* which can be done by this
+simple Helm commands. See [below](#configuration) for available configuration options.
+
+```
+helm repo add piraeus-charts https://piraeus.io/helm-charts/
+helm install snapshot-controller piraeus-charts/snapshot-controller
+```
+
+## Upgrades
+
+Upgrades can be done using the normal Helm upgrade mechanism
+
+```
+helm repo update
+helm upgrade snapshot-controller piraeus-charts/snapshot-controller
+```
+
+To enjoy all the latest features of the snapshot controller, you may want to upgrade your CRDs as well:
+
+```
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v5.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v5.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v5.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+```
+
+## Upgrade from older CRDs
+
+In an effort to tighten validation, the CSI project started enforcing stricter requirements on `VolumeSnapshot` and
+`VolumeSnapshotContent` resources when switching from `v1beta1` to `v1` CRDs. This validation webhook is part of
+enforcing these requirements. When upgrading you [have to ensure non of your resources violate the requirements for `v1`].
+
+The upgrade procedure can be summarized by the following steps:
+
+1. Remove the old snapshot controller, if any (since you are upgrading, you probably already have one deployed manually).
+2. Install the snapshot controller and the validation webhook using one of the [`3.x.x` releases]:
+
+ ```
+ helm install piraeus-charts/snapshot-controller --set controller.image.tag=v3.0.3 --set webhook.image.tag=v3.0.3
+ ```
+3. Ensure that none of the resources are labelled as invalid:
+
+ ```
+ kubectl get volumesnapshots --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+ kubectl get volumesnapshotcontents --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+ ```
+
+ If the above commands output any resource, they have to be removed
+
+4. Upgrade the CRDs
+
+ ```
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v5.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v5.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+ kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/v5.0.0/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+ ```
+
+5. Upgrade to the latest version:
+
+ ```
+ helm upgrade piraeus-charts/snapshot-controller --set controller.image.tag=v5.0.0 --set webhook.image.tag=v5.0.0
+ ```
+
+## Configuration
+
+### Snapshot controller
+The following options are available:
+
+| Option | Usage | Default |
+|------------------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
+| `controller.enabled` | Toggle to disable the deployment of the snapshot controller. | `true` |
+| `controller.fullnameOverride` | Set the base name of deployed resources. Defaults to `snapshot-controller`. | `""` |
+| `controller.args` | Arguments to pass to the snapshot controller. Note: Keys will be converted to kebab-case, i.e. `oneArg` -> `--one-arg` | `...` |
+| `controller.replicaCount` | Number of replicas to deploy. | `1` |
+| `controller.revisionHistoryLimit` | Number of revisions to keep. | `10` |
+| `controller.image.repository` | Repository to pull the image from. | `registry.k8s.io/sig-storage/snapshot-controller` |
+| `controller.image.pullPolicy` | Pull policy to use. Possible values: `IfNotPresent`, `Always`, `Never` | `IfNotPresent` |
+| `controller.image.tag` | Override the tag to pull. If not given, defaults to charts `AppVersion`. | `""` |
+| `controller.imagePullSecrets` | Image pull secrets to add to the deployment. | `[]` |
+| `controller.podAnnotations` | Annotations to add to every pod in the deployment. | `{}` |
+| `controller.podLabels` | Labels to add to every pod in the deployment. | `{}` |
+| `controller.podSecurityContext` | Security context to set on the webhook pod. | `{}` |
+| `controller.priorityClassName` | Priority Class to set on the deployment pods. | `""` |
+| `controller.securityContext` | Configure container security context. Defaults to dropping all capabilties and running as user 1000. | `{capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true, runAsNonRoot: true, runAsUser: 1000}` |
+| `controller.resources` | Resources to request and limit on the pod. | `{}` |
+| `controller.nodeSelector` | Node selector to add to each webhook pod. | `{}` |
+| `controller.tolerations` | Tolerations to add to each webhook pod. | `[]` |
+| `controller.topologySpreadConstraints` | Topology spread constraints to set on each pod. | `[]` |
+| `controller.affinity` | Affinity to set on each webhook pod. | `{}` |
+| `controller.pdb` | PodDisruptionBudget to set on the webhook pod. | `{}` |
+| `controller.rbac.create` | Create the necessary roles and bindings for the snapshot controller. | `true` |
+| `controller.serviceAccount.create` | Create the service account resource | `true` |
+| `controller.serviceAccount.name` | Sets the name of the service account. If left empty, will use the release name as default | `""` |
+| `controller.hostNetwork` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. | `false` |
+| `controller.dnsConfig` | DNS settings for controller pod. | `{}` |
+| `controller.dnsPolicy` | DNS Policy for controller pod. For Pods running with hostNetwork, set to `ClusterFirstWithHostNet`. | `ClusterFirst` |
+
+
+### Snapshot Validation Webhook
+Webhooks in Kubernetes are required to run on HTTPS. To that end, this charts needs to be configured with one of the
+following options:
+
+* An auto-generated certificate, valid for 10 years. This is the default. If you want to renew the certificate,
+ set `webhook.tls.renew` to `true` and run an upgrade.
+
+* A [cert-manager.io](https://cert-manager.io) issuer able to create a certificate for the webhook service.
+
+ To use this method, create an override file like:
+ ```yaml
+ webhook:
+ tls:
+ certManagerIssuerRef:
+ name: internal-issuer
+ kind: ClusterIssuer
+ ```
+
+ To apply the override, use `--values `.
+
+* A pre-existing [`kubernetes.io/tls`] secret and the certificate of the CA used to sign said tls secret.
+
+ To use this method, set `--set webhook.tls.certificateSecret=`.
+ The secret must be in the same namespace as the deployment and be valid for `..svc`.
+
+***NOTE:*** When using a custom CNI (such as Weave or Calico) on Amazon EKS, the webhook cannot be reached.
+
+> Internal error occurred: failed calling webhook "snapshot-validation-webhook.snapshot.storage.k8s.io": failed to call webhook: Post "https://snapshot-validation-webhook.kube-system.svc:443/volumesnapshot?timeout=2s": Address is not allowed
+
+This happens because the control plane cannot be configured to run on a custom CNI on EKS, so the CNIs
+differ between control plane and worker nodes.
+
+To address this, the webhook can be run in the host network so it can be reached.
+```yaml
+webhook:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+```
+
+There are additional options that allow customization outside of HTTPS concerns. This is the full list of options
+available.
+
+| Option | Usage | Default |
+|----------------------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
+| `webhook.enabled` | Toggle to disable the deployment of the snapshot validation webhook. | `true` |
+| `webhook.fullnameOverride` | Set the base name of deployed resources. Defaults to `snapshot-validation-webhook`. | `""` |
+| `webhook.args` | Arguments to pass to the snapshot controller. Note: Keys will be converted to kebab-case, i.e. `oneArg` -> `--one-arg` | `...` |
+| `webhook.replicaCount` | Number of replicas to deploy. | `1` |
+| `webhook.revisionHistoryLimit` | Number of revisions to keep. | `10` |
+| `webhook.image.repository` | Repository to pull the image from. | `registry.k8s.io/sig-storage/snapshot-validation-webhook` |
+| `webhook.image.pullPolicy` | Pull policy to use. Possible values: `IfNotPresent`, `Always`, `Never` | `IfNotPresent` |
+| `webhook.image.tag` | Override the tag to pull. If not given, defaults to charts `AppVersion`. | `""` |
+| `webhook.webhook.timeoutSeconds` | Timeout to use when contacting webhook server. | `2` |
+| `webhook.webhook.failurePolicy` | Policy to apply when webhook is unavailable. Possible values: `Fail`, `Ignore`. | `Fail` |
+| `webhook.tls.certificateSecret` | Name of the static tls secret to use for serving the HTTPS endpoint. | `""` |
+| `webhook.tls.autogenerate` | Automatically generate the TLS secret for serving the HTTPS endpoint. | `true` |
+| `webhook.tls.renew` | Force renewal of certificate when auto-generating. | `false` |
+| `webhook.tls.certManagerIssuerRef` | Issuer to use for provisioning the TLS certificate. If this is used, `tls.certificateSecret` can be left empty. | `{}` |
+| `webhook.imagePullSecrets` | Image pull secrets to add to the deployment. | `[]` |
+| `webhook.podAnnotations` | Annotations to add to every pod in the deployment. | `{}` |
+| `webhook.podLabels` | Labels to add to every pod in the deployment. | `{}` |
+| `webhook.networkPolicy.enabled` | Should a network policy be created. | `false` |
+| `webhook.networkPolicy.ingress` | Additional ingress rules to be added to the network policy. | `{}` |
+| `webhook.podDisruptionBudget.enabled` | Should a pod disruption budget be created. | `false` |
+| `webhook.podDisruptionBudget.maxUnavailable` | The maximum number of pods that are allowed to be unavailable. | `""` |
+| `webhook.podDisruptionBudget.minAvailable` | The minimum number of pods that are required to be available. | `""` |
+| `webhook.priorityClassName` | The name of the priority class to assign to the deployment. | `""` |
+| `webhook.topologySpreadConstraints` | A list of topology constraints to assign to the deployment. | `[]` |
+| `webhook.podSecurityContext` | Security context to set on the webhook pod. | `{}` |
+| `webhook.securityContext` | Configure container security context. Defaults to dropping all capabilties and running as user 1000. | `{capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true, runAsNonRoot: true, runAsUser: 1000}` |
+| `webhook.resources` | Resources to request and limit on the pod. | `{}` |
+| `webhook.nodeSelector` | Node selector to add to each webhook pod. | `{}` |
+| `webhook.tolerations` | Tolerations to add to each webhook pod. | `[]` |
+| `webhook.affinity` | Affinity to set on each webhook pod. | `{}` |
+| `webhook.serviceAccount.create` | Create the service account resource | `true` |
+| `webhook.serviceAccount.name` | Sets the name of the service account. If left empty, will use the release name as default | `""` |
+| `webhook.tests.nodeSelector` | Node selector to add to each helm test pod. | `{}` |
+| `webhook.tests.tolerations` | Tolerations to add to each helm test pod. | `[]` |
+| `webhook.tests.affinity` | Affinity to set on each helm test pod. | `{}` |
+| `webhook.hostNetwork` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. | `false` |
+| `webhook.dnsConfig` | DNS settings for webhook pod. | `{}` |
+| `webhook.dnsPolicy` | DNS Policy for webhook pod. For Pods running with hostNetwork, set to `ClusterFirstWithHostNet` | `ClusterFirst` |
+
+[`3.x.x` releases]: https://github.com/kubernetes-csi/external-snapshotter/releases
+[have to ensure non of your resources violate the requirements for `v1`]: https://github.com/kubernetes-csi/external-snapshotter#validating-webhook
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotclasses.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotclasses.yaml
new file mode 100644
index 00000000..aff3a571
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotclasses.yaml
@@ -0,0 +1,94 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io +spec: + group: groupsnapshot.storage.k8s.io + names: + kind: VolumeGroupSnapshotClass + listKind: VolumeGroupSnapshotClassList + plural: volumegroupsnapshotclasses + shortNames: + - vgsclass + - vgsclasses + singular: volumegroupsnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeGroupSnapshotContent created through + the VolumeGroupSnapshotClass should be deleted when its bound VolumeGroupSnapshot + is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + VolumeGroupSnapshotClass specifies parameters that a underlying storage system + uses when creating a volume group snapshot. A specific VolumeGroupSnapshotClass + is used by specifying its name in a VolumeGroupSnapshot object. + VolumeGroupSnapshotClasses are non-namespaced. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + DeletionPolicy determines whether a VolumeGroupSnapshotContent created + through the VolumeGroupSnapshotClass should be deleted when its bound + VolumeGroupSnapshot is deleted. + Supported values are "Retain" and "Delete". 
+ "Retain" means that the VolumeGroupSnapshotContent and its physical group + snapshot on underlying storage system are kept. + "Delete" means that the VolumeGroupSnapshotContent and its physical group + snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + Driver is the name of the storage driver expected to handle this VolumeGroupSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + Parameters is a key-value map with storage driver specific parameters for + creating group snapshots. + These values are opaque to Kubernetes and are passed directly to the driver. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotcontents.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotcontents.yaml new file mode 100644 index 00000000..28584e56 --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshotcontents.yaml 
@@ -0,0 +1,335 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/1068" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumegroupsnapshotcontents.groupsnapshot.storage.k8s.io +spec: + group: groupsnapshot.storage.k8s.io + names: + kind: VolumeGroupSnapshotContent + listKind: VolumeGroupSnapshotContentList + plural: volumegroupsnapshotcontents + shortNames: + - vgsc + - vgscs + singular: volumegroupsnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if all the individual snapshots in the group are ready + to be used to restore a group of volumes. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Determines whether this VolumeGroupSnapshotContent and its physical + group snapshot on the underlying storage system should be deleted when its + bound VolumeGroupSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical group snapshot + on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeGroupSnapshotClass from which this group snapshot + was (or will be) created. + jsonPath: .spec.volumeGroupSnapshotClassName + name: VolumeGroupSnapshotClass + type: string + - description: Namespace of the VolumeGroupSnapshot object to which this VolumeGroupSnapshotContent + object is bound. + jsonPath: .spec.volumeGroupSnapshotRef.namespace + name: VolumeGroupSnapshotNamespace + type: string + - description: Name of the VolumeGroupSnapshot object to which this VolumeGroupSnapshotContent + object is bound. 
+ jsonPath: .spec.volumeGroupSnapshotRef.name + name: VolumeGroupSnapshot + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + VolumeGroupSnapshotContent represents the actual "on-disk" group snapshot object + in the underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Spec defines properties of a VolumeGroupSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + DeletionPolicy determines whether this VolumeGroupSnapshotContent and the + physical group snapshot on the underlying storage system should be deleted + when the bound VolumeGroupSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeGroupSnapshotContent and its physical group + snapshot on underlying storage system are kept. + "Delete" means that the VolumeGroupSnapshotContent and its physical group + snapshot on underlying storage system are deleted. + For dynamically provisioned group snapshots, this field will automatically + be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field + defined in the corresponding VolumeGroupSnapshotClass. 
+ For pre-existing snapshots, users MUST specify this field when creating the + VolumeGroupSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + Driver is the name of the CSI driver used to create the physical group snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + Source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + groupSnapshotHandles: + description: |- + GroupSnapshotHandles specifies the CSI "group_snapshot_id" of a pre-existing + group snapshot and a list of CSI "snapshot_id" of pre-existing snapshots + on the underlying storage system for which a Kubernetes object + representation was (or should be) created. + This field is immutable. + properties: + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle specifies the CSI "group_snapshot_id" of a pre-existing + group snapshot on the underlying storage system for which a Kubernetes object + representation was (or should be) created. + This field is immutable. + Required. + type: string + volumeSnapshotHandles: + description: |- + VolumeSnapshotHandles is a list of CSI "snapshot_id" of pre-existing + snapshots on the underlying storage system for which Kubernetes objects + representation were (or should be) created. + This field is immutable. + Required. + items: + type: string + type: array + required: + - volumeGroupSnapshotHandle + - volumeSnapshotHandles + type: object + x-kubernetes-validations: + - message: groupSnapshotHandles is immutable + rule: self == oldSelf + volumeHandles: + description: |- + VolumeHandles is a list of volume handles on the backend to be snapshotted + together. 
It is specified for dynamic provisioning of the VolumeGroupSnapshot. + This field is immutable. + items: + type: string + type: array + x-kubernetes-validations: + - message: volumeHandles is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandles is required once set + rule: '!has(oldSelf.volumeHandles) || has(self.volumeHandles)' + - message: groupSnapshotHandles is required once set + rule: '!has(oldSelf.groupSnapshotHandles) || has(self.groupSnapshotHandles)' + - message: exactly one of volumeHandles and groupSnapshotHandles must + be set + rule: (has(self.volumeHandles) && !has(self.groupSnapshotHandles)) + || (!has(self.volumeHandles) && has(self.groupSnapshotHandles)) + volumeGroupSnapshotClassName: + description: |- + VolumeGroupSnapshotClassName is the name of the VolumeGroupSnapshotClass from + which this group snapshot was (or will be) created. + Note that after provisioning, the VolumeGroupSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + For dynamic provisioning, this field must be set. + This field may be unset for pre-provisioned snapshots. + type: string + volumeGroupSnapshotRef: + description: |- + VolumeGroupSnapshotRef specifies the VolumeGroupSnapshot object to which this + VolumeGroupSnapshotContent object is bound. + VolumeGroupSnapshot.Spec.VolumeGroupSnapshotContentName field must reference to + this VolumeGroupSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeGroupSnapshotContent object, name and namespace of the + VolumeGroupSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. 
+ type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both volumeGroupSnapshotRef.name and volumeGroupSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + - message: volumeGroupSnapshotRef is immutable + rule: self == oldSelf + required: + - deletionPolicy + - driver + - source + - volumeGroupSnapshotRef + type: object + status: + description: status represents the current information of a group snapshot. + properties: + creationTime: + description: |- + CreationTime is the timestamp when the point-in-time group snapshot is taken + by the underlying storage system. + If not specified, it indicates the creation time is unknown. + If not specified, it means the readiness of a group snapshot is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command date +%s%N returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + Error is the last observed error during group snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + pvVolumeSnapshotContentList: + description: |- + PVVolumeSnapshotContentList is the list of pairs of PV and + VolumeSnapshotContent for this group snapshot + The maximum number of allowed snapshots in the group is 100. 
+ items: + description: |- + PVVolumeSnapshotContentPair represent a pair of PV names and + VolumeSnapshotContent names + properties: + persistentVolumeRef: + description: PersistentVolumeRef is a reference to the persistent + volume resource + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeSnapshotContentRef: + description: VolumeSnapshotContentRef is a reference to the + volume snapshot content resource + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: object + type: array + readyToUse: + description: |- + ReadyToUse indicates if all the individual snapshots in the group are ready to be + used to restore a group of volumes. + ReadyToUse becomes true when ReadyToUse of all individual snapshots become true. + type: boolean + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is a unique id returned by the CSI driver + to identify the VolumeGroupSnapshot on the storage system. + If a storage system does not provide such an id, the + CSI driver can choose to return the VolumeGroupSnapshot name. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshots.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshots.yaml new file mode 100644 index 00000000..3d9a771d --- /dev/null 
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/crds/groupsnapshot.storage.k8s.io_volumegroupsnapshots.yaml 
@@ -0,0 +1,273 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/1068" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumegroupsnapshots.groupsnapshot.storage.k8s.io +spec: + group: groupsnapshot.storage.k8s.io + names: + kind: VolumeGroupSnapshot + listKind: VolumeGroupSnapshotList + plural: volumegroupsnapshots + shortNames: + - vgs + singular: volumegroupsnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if all the individual snapshots in the group are ready + to be used to restore a group of volumes. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: The name of the VolumeGroupSnapshotClass requested by the VolumeGroupSnapshot. + jsonPath: .spec.volumeGroupSnapshotClassName + name: VolumeGroupSnapshotClass + type: string + - description: Name of the VolumeGroupSnapshotContent object to which the VolumeGroupSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeGroupSnapshot and VolumeGroupSnapshotContent + to ensure both are pointing at each other. Binding MUST be verified prior + to usage of this object. + jsonPath: .status.boundVolumeGroupSnapshotContentName + name: VolumeGroupSnapshotContent + type: string + - description: Timestamp when the point-in-time group snapshot was taken by the + underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + VolumeGroupSnapshot is a user's request for creating either a point-in-time + group snapshot or binding to a pre-existing group snapshot. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + Spec defines the desired characteristics of a group snapshot requested by a user. + Required. + properties: + source: + description: |- + Source specifies where a group snapshot will be created from. + This field is immutable after creation. + Required. + properties: + selector: + description: |- + Selector is a label query over persistent volume claims that are to be + grouped together for snapshotting. + This labelSelector will be used to match the label added to a PVC. + If the label is added or removed to a volume after a group snapshot + is created, the existing group snapshots won't be modified. + Once a VolumeGroupSnapshotContent is created and the sidecar starts to process + it, the volume list will not change with retries. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. 
+ Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: selector is immutable + rule: self == oldSelf + volumeGroupSnapshotContentName: + description: |- + VolumeGroupSnapshotContentName specifies the name of a pre-existing VolumeGroupSnapshotContent + object representing an existing volume group snapshot. + This field should be set if the volume group snapshot already exists and + only needs a representation in Kubernetes. + This field is immutable. 
+ type: string + x-kubernetes-validations: + - message: volumeGroupSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: selector is required once set + rule: '!has(oldSelf.selector) || has(self.selector)' + - message: volumeGroupSnapshotContentName is required once set + rule: '!has(oldSelf.volumeGroupSnapshotContentName) || has(self.volumeGroupSnapshotContentName)' + - message: exactly one of selector and volumeGroupSnapshotContentName + must be set + rule: (has(self.selector) && !has(self.volumeGroupSnapshotContentName)) + || (!has(self.selector) && has(self.volumeGroupSnapshotContentName)) + volumeGroupSnapshotClassName: + description: |- + VolumeGroupSnapshotClassName is the name of the VolumeGroupSnapshotClass + requested by the VolumeGroupSnapshot. + VolumeGroupSnapshotClassName may be left nil to indicate that the default + class will be used. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeGroupSnapshotClassName must not be the empty string + when set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + Status represents the current information of a group snapshot. + Consumers must verify binding between VolumeGroupSnapshot and + VolumeGroupSnapshotContent objects is successful (by validating that both + VolumeGroupSnapshot and VolumeGroupSnapshotContent point to each other) before + using this object. + properties: + boundVolumeGroupSnapshotContentName: + description: |- + BoundVolumeGroupSnapshotContentName is the name of the VolumeGroupSnapshotContent + object to which this VolumeGroupSnapshot object intends to bind to. + If not specified, it indicates that the VolumeGroupSnapshot object has not + been successfully bound to a VolumeGroupSnapshotContent object yet. 
+ NOTE: To avoid possible security issues, consumers must verify binding between + VolumeGroupSnapshot and VolumeGroupSnapshotContent objects is successful + (by validating that both VolumeGroupSnapshot and VolumeGroupSnapshotContent + point at each other) before using this object. + type: string + creationTime: + description: |- + CreationTime is the timestamp when the point-in-time group snapshot is taken + by the underlying storage system. + If not specified, it may indicate that the creation time of the group snapshot + is unknown. + The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command date +%s%N returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: date-time + type: string + error: + description: |- + Error is the last observed error during group snapshot creation, if any. + This field could be helpful to upper level controllers (i.e., application + controller) to decide whether they should continue on waiting for the group + snapshot to be created based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + group snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + pvcVolumeSnapshotRefList: + description: |- + VolumeSnapshotRefList is the list of PVC and VolumeSnapshot pairs that + is part of this group snapshot. + The maximum number of allowed snapshots in the group is 100. 
+ items: + description: PVCVolumeSnapshotPair defines a pair of a PVC reference + and a Volume Snapshot Reference + properties: + persistentVolumeClaimRef: + description: PersistentVolumeClaimRef is a reference to the + PVC this pair is referring to + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + volumeSnapshotRef: + description: VolumeSnapshotRef is a reference to the VolumeSnapshot + this pair is referring to + properties: + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? + type: string + type: object + x-kubernetes-map-type: atomic + type: object + type: array + readyToUse: + description: |- + ReadyToUse indicates if all the individual snapshots in the group are ready + to be used to restore a group of volumes. + ReadyToUse becomes true when ReadyToUse of all individual snapshots become true. + If not specified, it means the readiness of a group snapshot is unknown. + type: boolean + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml new file mode 100644 index 00000000..8164952a --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotclasses.yaml 
@@ -0,0 +1,143 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + controller-gen.kubebuilder.io/version: v0.15.0 + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + shortNames: + - vsclass + - vsclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the + VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotClass specifies parameters that a underlying storage system uses when + creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its + name in a VolumeSnapshot object. + VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + deletionPolicy: + description: |- + deletionPolicy determines whether a VolumeSnapshotContent created through + the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. 
+ "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the storage driver that handles this VolumeSnapshotClass. + Required. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + parameters: + additionalProperties: + type: string + description: |- + parameters is a key-value map with storage driver specific parameters for creating snapshots. + These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotClass is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotClass" + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. 
A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: false + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml new file mode 100644 index 00000000..cd0c879f --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshotcontents.yaml 
@@ -0,0 +1,457 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/955" + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + shortNames: + - vsc + - vscs + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical + snapshot on the underlying storage system should be deleted when its bound + VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on + the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent + object is bound. 
+ jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshotContent represents the actual "on-disk" snapshot object in the + underlying storage system + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines properties of a VolumeSnapshotContent created by the underlying storage system. + Required. + properties: + deletionPolicy: + description: |- + deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on + the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + Supported values are "Retain" and "Delete". + "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. + "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. + For dynamically provisioned snapshots, this field will automatically be filled in by the + CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding + VolumeSnapshotClass. 
+ For pre-existing snapshots, users MUST specify this field when creating the + VolumeSnapshotContent object. + Required. + enum: + - Delete + - Retain + type: string + driver: + description: |- + driver is the name of the CSI driver used to create the physical snapshot on + the underlying storage system. + This MUST be the same as the name returned by the CSI GetPluginName() call for + that driver. + Required. + type: string + source: + description: |- + source specifies whether the snapshot is (or should be) dynamically provisioned + or already exists, and just requires a Kubernetes object representation. + This field is immutable after creation. + Required. + properties: + snapshotHandle: + description: |- + snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on + the underlying storage system for which a Kubernetes object representation + was (or should be) created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: snapshotHandle is immutable + rule: self == oldSelf + volumeHandle: + description: |- + volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot + should be dynamically taken from. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeHandle is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: volumeHandle is required once set + rule: '!has(oldSelf.volumeHandle) || has(self.volumeHandle)' + - message: snapshotHandle is required once set + rule: '!has(oldSelf.snapshotHandle) || has(self.snapshotHandle)' + - message: exactly one of volumeHandle and snapshotHandle must be + set + rule: (has(self.volumeHandle) && !has(self.snapshotHandle)) || (!has(self.volumeHandle) + && has(self.snapshotHandle)) + sourceVolumeMode: + description: |- + SourceVolumeMode is the mode of the volume whose snapshot is taken. + Can be either “Filesystem” or “Block”. 
+ If not specified, it indicates the source volume's mode is unknown. + This field is immutable. + This field is an alpha field. + type: string + x-kubernetes-validations: + - message: sourceVolumeMode is immutable + rule: self == oldSelf + volumeSnapshotClassName: + description: |- + name of the VolumeSnapshotClass from which this snapshot was (or will be) + created. + Note that after provisioning, the VolumeSnapshotClass may be deleted or + recreated with different set of values, and as such, should not be referenced + post-snapshot creation. + type: string + volumeSnapshotRef: + description: |- + volumeSnapshotRef specifies the VolumeSnapshot object to which this + VolumeSnapshotContent object is bound. + VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to + this VolumeSnapshotContent's name for the bidirectional binding to be valid. + For a pre-existing VolumeSnapshotContent object, name and namespace of the + VolumeSnapshot object MUST be provided for binding to happen. + This field is immutable after creation. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: both spec.volumeSnapshotRef.name and spec.volumeSnapshotRef.namespace + must be set + rule: has(self.name) && has(self.__namespace__) + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + x-kubernetes-validations: + - message: sourceVolumeMode is required once set + rule: '!has(oldSelf.sourceVolumeMode) || has(self.sourceVolumeMode)' + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it indicates the creation time is unknown. 
+ The format of this field is a Unix nanoseconds time encoded as an int64. + On Unix, the command `date +%s%N` returns the current time in nanoseconds + since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: |- + error is the last observed error during snapshot creation, if any. + Upon success after retry, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if a snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: |- + restoreSize represents the complete size of the snapshot in bytes. + In dynamic snapshot creation case, this field will be filled in by the + CSI snapshotter sidecar with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. 
+ format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: |- + snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. + If not specified, it indicates that dynamic snapshot creation has either failed + or it is still in progress. + type: string + volumeGroupSnapshotHandle: + description: |- + VolumeGroupSnapshotHandle is the CSI "group_snapshot_id" of a group snapshot + on the underlying storage system. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. + jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - description: Namespace of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. 
+ jsonPath: .spec.volumeSnapshotRef.namespace + name: VolumeSnapshotNamespace + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshotContent is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshotContent" + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. 
"Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required. + type: string + source: + description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required. + properties: + snapshotHandle: + description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable. + type: string + volumeHandle: + description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation. + type: string + volumeSnapshotRef: + description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. 
VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - driver + - source + - volumeSnapshotRef + type: object + status: + description: status represents the current information of a snapshot. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC. + format: int64 + type: integer + error: + description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. 
For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + format: int64 + minimum: 0 + type: integer + snapshotHandle: + description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress. + type: string + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshots.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshots.yaml new file mode 100644 index 00000000..6b96d708 --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/crds/snapshot.storage.k8s.io_volumesnapshots.yaml 
@@ -0,0 +1,351 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/814" + name: volumesnapshots.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshot + listKind: VolumeSnapshotList + plural: volumesnapshots + shortNames: + - vs + singular: volumesnapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of + the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing + VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from + this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot + object intends to bind to. Please note that verification of binding actually + requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure + both are pointing at each other. Binding MUST be verified prior to usage of + this object. 
+ jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying + storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + VolumeSnapshot is a user's request for either creating a point-in-time + snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + spec defines the desired characteristics of a snapshot requested by a user. + More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required. + properties: + source: + description: |- + source specifies where a snapshot will be created from. + This field is immutable after creation. + Required. + properties: + persistentVolumeClaimName: + description: |- + persistentVolumeClaimName specifies the name of the PersistentVolumeClaim + object representing the volume from which a snapshot should be created. + This PVC is assumed to be in the same namespace as the VolumeSnapshot + object. 
+ This field should be set if the snapshot does not exists, and needs to be + created. + This field is immutable. + type: string + x-kubernetes-validations: + - message: persistentVolumeClaimName is immutable + rule: self == oldSelf + volumeSnapshotContentName: + description: |- + volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent + object representing an existing volume snapshot. + This field should be set if the snapshot already exists and only needs a representation in Kubernetes. + This field is immutable. + type: string + x-kubernetes-validations: + - message: volumeSnapshotContentName is immutable + rule: self == oldSelf + type: object + x-kubernetes-validations: + - message: persistentVolumeClaimName is required once set + rule: '!has(oldSelf.persistentVolumeClaimName) || has(self.persistentVolumeClaimName)' + - message: volumeSnapshotContentName is required once set + rule: '!has(oldSelf.volumeSnapshotContentName) || has(self.volumeSnapshotContentName)' + - message: exactly one of volumeSnapshotContentName and persistentVolumeClaimName + must be set + rule: (has(self.volumeSnapshotContentName) && !has(self.persistentVolumeClaimName)) + || (!has(self.volumeSnapshotContentName) && has(self.persistentVolumeClaimName)) + volumeSnapshotClassName: + description: |- + VolumeSnapshotClassName is the name of the VolumeSnapshotClass + requested by the VolumeSnapshot. + VolumeSnapshotClassName may be left nil to indicate that the default + SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: one + default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, + VolumeSnapshotSource will be checked to figure out what the associated + CSI Driver is, and the default VolumeSnapshotClass associated with that + CSI Driver will be used. 
If more than one VolumeSnapshotClass exist for + a given CSI Driver and more than one have been marked as default, + CreateSnapshot will fail and generate an event. + Empty string is not allowed for this field. + type: string + x-kubernetes-validations: + - message: volumeSnapshotClassName must not be the empty string when + set + rule: size(self) > 0 + required: + - source + type: object + status: + description: |- + status represents the current information of a snapshot. + Consumers must verify binding between VolumeSnapshot and + VolumeSnapshotContent objects is successful (by validating that both + VolumeSnapshot and VolumeSnapshotContent point at each other) before + using this object. + properties: + boundVolumeSnapshotContentName: + description: |- + boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent + object to which this VolumeSnapshot object intends to bind to. + If not specified, it indicates that the VolumeSnapshot object has not been + successfully bound to a VolumeSnapshotContent object yet. + NOTE: To avoid possible security issues, consumers must verify binding between + VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that + both VolumeSnapshot and VolumeSnapshotContent point at each other) before using + this object. + type: string + creationTime: + description: |- + creationTime is the timestamp when the point-in-time snapshot is taken + by the underlying storage system. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "creation_time" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "creation_time" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. + If not specified, it may indicate that the creation time of the snapshot is unknown. 
+ format: date-time + type: string + error: + description: |- + error is the last observed error during snapshot creation, if any. + This field could be helpful to upper level controllers(i.e., application controller) + to decide whether they should continue on waiting for the snapshot to be created + based on the type of error reported. + The snapshot controller will keep retrying when an error occurs during the + snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: |- + message is a string detailing the encountered error during snapshot + creation if specified. + NOTE: message may be logged, and it should not contain sensitive + information. + type: string + time: + description: time is the timestamp when the error was encountered. + format: date-time + type: string + type: object + readyToUse: + description: |- + readyToUse indicates if the snapshot is ready to be used to restore a volume. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "ready_to_use" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "ready_to_use" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, + otherwise, this field will be set to "True". + If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: |- + restoreSize represents the minimum size of volume required to create a volume + from this snapshot. + In dynamic snapshot creation case, this field will be filled in by the + snapshot controller with the "size_bytes" value returned from CSI + "CreateSnapshot" gRPC call. + For a pre-existing snapshot, this field will be filled with the "size_bytes" + value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. 
+ When restoring a volume from this snapshot, the size of the volume MUST NOT + be smaller than the restoreSize if it is specified, otherwise the restoration will fail. + If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + volumeGroupSnapshotName: + description: |- + VolumeGroupSnapshotName is the name of the VolumeGroupSnapshot of which this + VolumeSnapshot is a part of. + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created. + jsonPath: .spec.source.persistentVolumeClaimName + name: SourcePVC + type: string + - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot. + jsonPath: .spec.source.volumeSnapshotContentName + name: SourceSnapshotContent + type: string + - description: Represents the minimum size of volume required to rehydrate from this snapshot. + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot. + jsonPath: .spec.volumeSnapshotClassName + name: SnapshotClass + type: string + - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object. 
+ jsonPath: .status.boundVolumeSnapshotContentName + name: SnapshotContent + type: string + - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system. + jsonPath: .status.creationTime + name: CreationTime + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning in the server response. + deprecated: true + # This overrides the default warning returned to clients making v1beta1 API requests. + deprecationWarning: "snapshot.storage.k8s.io/v1beta1 VolumeSnapshot is deprecated; use snapshot.storage.k8s.io/v1 VolumeSnapshot" + schema: + openAPIV3Schema: + description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required.' + properties: + source: + description: source specifies where a snapshot will be created from. This field is immutable after creation. Required. 
+ properties: + persistentVolumeClaimName: + description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable. + type: string + volumeSnapshotContentName: + description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field.' + type: string + required: + - source + type: object + status: + description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object. 
+ properties: + boundVolumeSnapshotContentName: + description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.' + type: string + creationTime: + description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown. + format: date-time + type: string + error: + description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurs during the snapshot creation. Upon success, this error field will be cleared. + properties: + message: + description: 'message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information.' + type: string + time: + description: time is the timestamp when the error was encountered. 
+ format: date-time + type: string + type: object + readyToUse: + description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown. + type: boolean + restoreSize: + type: string + description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + required: + - spec + type: object + served: false + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/NOTES.txt b/packages/system/snapshot-controller/charts/snapshot-controller/templates/NOTES.txt new file mode 100644 index 00000000..5880eb7e --- /dev/null +++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/NOTES.txt 
@@ -0,0 +1,30 @@
+{{- if .Values.controller.enabled }}
+Volume Snapshot Controller installed.
+{{- end }}
+{{- if .Values.webhook.enabled }}
+Validation for VolumeSnapshots installed.
+{{- end }}
+
+{{- if and (not (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1")) (not (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta") ) }}
+Please install the snapshot CRDs, otherwise the controller will not run.
+
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+{{- else if .Release.IsUpgrade }}
+It looks like you are upgrading from a previous release. Helm currently does not support upgrading CRDs, so to ensure
+you have the latest CRDs applied, you can run the following commands:
+
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshots.yaml
+kubectl replace -f https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/{{ .Chart.AppVersion }}/client/config/crd/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+{{- end }}
+
+If you already have volume snapshots deployed using a CRDs before v1, you should
+verify that the existing snapshots are upgradable to v1 CRDs. The snapshot controller (>= v3.0.0)
+will label any invalid snapshots it can find. Use the following commands to find any invalid snapshot
+
+kubectl get volumesnapshots --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+kubectl get volumesnapshotcontents --selector=snapshot.storage.kubernetes.io/invalid-snapshot-resource="" --all-namespaces
+
+If the above commands return any items, you need to remove them before upgrading to the newer v1 CRDs.
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/_helpers.tpl b/packages/system/snapshot-controller/charts/snapshot-controller/templates/_helpers.tpl
new file mode 100644
index 00000000..5b2fcd1f
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/_helpers.tpl
@@ -0,0 +1,134 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "snapshot-controller.name" -}}
+{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "snapshot-controller.fullname" -}}
+{{- if .Values.controller.fullnameOverride -}}
+{{- .Values.controller.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- if contains .Chart.Name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "snapshot-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "snapshot-controller.labels" -}}
+helm.sh/chart: {{ include "snapshot-controller.chart" . }}
+{{ include "snapshot-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "snapshot-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "snapshot-controller.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "snapshot-controller.serviceAccountName" -}}
+{{- if .Values.controller.serviceAccount.create -}}
+ {{ default (include "snapshot-controller.fullname" .) .Values.controller.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.controller.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "snapshot-validation-webhook.name" -}}
+{{- "snapshot-validation-webhook" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "snapshot-validation-webhook.fullname" -}}
+{{- if .Values.webhook.fullnameOverride -}}
+{{- .Values.webhook.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- if contains .Chart.Name .Release.Name }}
+{{- "snapshot-validation-webhook" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name "snapshot-validation-webhook" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "snapshot-validation-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "snapshot-validation-webhook.labels" -}}
+helm.sh/chart: {{ include "snapshot-validation-webhook.chart" . }}
+{{ include "snapshot-validation-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "snapshot-validation-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "snapshot-validation-webhook.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "snapshot-validation-webhook.serviceAccountName" -}}
+{{- if .Values.webhook.serviceAccount.create -}}
+ {{ default (include "snapshot-validation-webhook.fullname" .) .Values.webhook.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.webhook.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Certificate secret name
+*/}}
+{{- define "snapshot-validation-webhook.certifcateName" -}}
+{{- if .Values.webhook.tls.certificateSecret }}
+{{- .Values.webhook.tls.certificateSecret }}
+{{- else }}
+{{- include "snapshot-validation-webhook.fullname" . }}-tls
+{{- end }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_controller.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_controller.yaml
new file mode 100644
index 00000000..4fa022a7
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_controller.yaml
@@ -0,0 +1,89 @@
+{{- if .Values.controller.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.controller.replicaCount }}
+ revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.controller.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 8 }}
+ {{- with .Values.controller.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.controller.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "snapshot-controller.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.controller.securityContext | nindent 12 }}
+ image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+ args:
+ {{- range $flag, $val := .Values.controller.args }}
+ - --{{ $flag | kebabcase }}={{ $val }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ port: http
+ path: /healthz/leader-election
+ scheme: HTTP
+ livenessProbe:
+ httpGet:
+ port: http
+ path: /healthz/leader-election
+ scheme: HTTP
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ {{- toYaml .Values.controller.resources | nindent 12 }}
+ {{- with .Values.controller.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .
| nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.controller.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.priorityClassName }}
+ priorityClassName: {{ .Values.controller.priorityClassName }}
+ {{- end }}
+ hostNetwork: {{ .Values.controller.hostNetwork }}
+ {{- with .Values.controller.dnsConfig }}
+ dnsConfig:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_validation_webhook.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_validation_webhook.yaml
new file mode 100644
index 00000000..ad24b32b
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/deployment_validation_webhook.yaml
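Review bot: `containerPort: 8080` under `ports:` is hard-coded while the listening address comes from `.Values.controller.args.httpEndpoint`, and `service_controller.yaml` in this same commit derives the Service port from that value, so overriding `httpEndpoint` leaves the named `http` port, both probes and the ServiceMonitor pointed at a port nothing listens on. Deriving it the same way keeps the three in step: `containerPort: {{ (.Values.controller.args.httpEndpoint | split ":")._1 | default 8080 }}`. Since the ServiceMonitor added in this commit scrapes `/metrics` from this port, a comment next to `hostNetwork:` noting that with `hostNetwork: true` the metrics/healthz listener is bound on the node's address rather than the pod IP would help operators judge the exposure.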
@@ -0,0 +1,91 @@
+{{- if .Values.webhook.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.webhook.replicaCount }}
+ revisionHistoryLimit: {{ .Values.webhook.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.webhook.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 8 }}
+ {{- with .Values.webhook.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.webhook.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "snapshot-validation-webhook.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.webhook.podSecurityContext | nindent 8 }}
+ {{- with .Values.webhook.priorityClassName }}
+ priorityClassName: {{ . }}
+ {{- end }}
+ containers:
+ - name: {{ include "snapshot-validation-webhook.name" .
}}
+ securityContext:
+ {{- toYaml .Values.webhook.securityContext | nindent 12 }}
+ image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+ args:
+ {{- range $flag, $val := .Values.webhook.args }}
+ - --{{ $flag | kebabcase }}={{ $val }}
+ {{- end }}
+ ports:
+ - name: https
+ containerPort: {{ .Values.webhook.args.port | default 8443 }}
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/snapshot-validation
+ name: tls-config
+ livenessProbe:
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: https
+ scheme: HTTPS
+ resources:
+ {{- toYaml .Values.webhook.resources | nindent 12 }}
+ volumes:
+ - name: tls-config
+ secret:
+ secretName: {{ include "snapshot-validation-webhook.certifcateName" . }}
+ {{- with .Values.webhook.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.webhook.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.webhook.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ hostNetwork: {{ .Values.webhook.hostNetwork }}
+ {{- with .Values.webhook.dnsConfig }}
+ dnsConfig:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ dnsPolicy: {{ .Values.webhook.dnsPolicy }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/networkpolicy.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/networkpolicy.yaml
new file mode 100644
index 00000000..49c8049f
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/networkpolicy.yaml
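Review bot: The `tls-config` volume references `secretName: {{ include "snapshot-validation-webhook.certifcateName" . }}`, but nothing in the chart guarantees that Secret exists: with `tls.autogenerate: false`, no `certManagerIssuerRef` and an empty `certificateSecret`, the helper falls back to `<fullname>-tls`, which no template renders, so the pods sit in ContainerCreating and, with the default `failurePolicy: Fail`, every VolumeSnapshotClass create/update is rejected until someone notices. A render-time guard turns that silent misconfiguration into an immediate error: `{{- if not (or .Values.webhook.tls.certManagerIssuerRef .Values.webhook.tls.autogenerate .Values.webhook.tls.certificateSecret) }}` / `{{- fail "webhook.tls: set certManagerIssuerRef, autogenerate or certificateSecret" }}` / `{{- end }}` at the top of this file.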
@@ -0,0 +1,20 @@
+{{- if and .Values.webhook.enabled .Values.webhook.networkPolicy.enabled -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 6 }}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 12 }}
+ {{- with .Values.webhook.networkPolicy.ingress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_controller.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_controller.yaml
new file mode 100644
index 00000000..88fa179f
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_controller.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.controller.enabled .Values.controller.pdb }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 6 }}
+{{ toYaml .Values.controller.pdb | indent 2 }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_validation_webhook.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_validation_webhook.yaml
new file mode 100644
index 00000000..af4a0cce
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/poddisruptionbudget_validation_webhook.yaml
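Review bot: The default ingress rule in `networkpolicy.yaml` admits only pods carrying the webhook's own selector labels (the `podSelector` under `from:`), but the sole client of this port is the kube-apiserver, which is typically a static pod or a host-network process (or lives outside the cluster network) and matches no podSelector. Setting `networkPolicy.enabled: true` without a `networkPolicy.ingress` entry for the apiserver therefore drops every admission call, and with the chart's default `failurePolicy: Fail` no VolumeSnapshotClass can be created or updated. The self-selector rule has no caller I can identify in this chart, so I would add a comment above `ingress:` such as `# The only caller is the kube-apiserver; supply its address range via networkPolicy.ingress (ipBlock) or a namespaceSelector. This self-rule alone blocks admission traffic.` so operators do not enable the policy blind.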
@@ -0,0 +1,13 @@
+{{- if and .Values.webhook.enabled .Values.webhook.pdb -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 6 }}
+{{ toYaml .Values.webhook.pdb | indent 2 }}
+{{- end -}}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/service_controller.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/service_controller.yaml
new file mode 100644
index 00000000..4581dc18
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/service_controller.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.controller.enabled .Values.controller.serviceMonitor.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+spec:
+ clusterIP: None
+ ports:
+ - port: {{ (.Values.controller.args.httpEndpoint | split ":")._1 }}
+ targetPort: {{ (.Values.controller.args.httpEndpoint | split ":")._1 }}
+ name: http
+ selector:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/service_validation_webhook.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/service_validation_webhook.yaml
new file mode 100644
index 00000000..bf73511a
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/service_validation_webhook.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.webhook.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ {{- include "snapshot-validation-webhook.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml
new file mode 100644
index 00000000..07b2bf3c
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_controller.yaml
@@ -0,0 +1,96 @@
+{{- if .Values.controller.enabled }}
+{{- if .Values.controller.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "snapshot-controller.serviceAccountName" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+{{- end }}
+---
+{{- if .Values.controller.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update", "patch", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotcontents/status"]
+ verbs: ["patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshots"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups:
["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshots/status"]
+ verbs: ["update", "patch"]
+ {{- if get .Values.controller.args "enableDistributedSnapshotting" }}
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ {{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "snapshot-controller.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "snapshot-controller.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "snapshot-controller.serviceAccountName" . }}
+roleRef:
+ kind: Role
+ name: {{ include "snapshot-controller.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_validation_webhook.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_validation_webhook.yaml
new file mode 100644
index 00000000..f1bbebe0
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/serviceaccount_validation_webhook.yaml
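Review bot: The `RoleBinding` subject at the end of this hunk omits `namespace:` while the `ClusterRoleBinding` above it sets `namespace: {{ .Release.Namespace }}` for the same ServiceAccount. The RBAC authorizer resolves an empty ServiceAccount namespace in a RoleBinding to the binding's own namespace, so this should work, but the asymmetry reads like an omission and makes the leases grant harder to audit; adding `namespace: {{ .Release.Namespace }}` under the RoleBinding subject keeps both bindings explicit and consistent.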
@@ -0,0 +1,38 @@
+{{- if .Values.webhook.enabled }}
+{{- if .Values.webhook.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "snapshot-validation-webhook.serviceAccountName" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+{{- end }}
+{{- if .Values.webhook.rbac.create }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+rules:
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "snapshot-validation-webhook.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/servicemonitor.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/servicemonitor.yaml
new file mode 100644
index 00000000..54a7f293
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/servicemonitor.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.controller.enabled .Values.controller.serviceMonitor.create }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "snapshot-controller.fullname" . }}
+ labels:
+ {{- include "snapshot-controller.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "snapshot-controller.selectorLabels" . | nindent 6 }}
+ endpoints:
+ - port: http
+ path: /metrics
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/volumesnapshotclass.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/volumesnapshotclass.yaml
new file mode 100644
index 00000000..a88f7e8e
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/volumesnapshotclass.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.controller.enabled }}
+{{- range .Values.controller.volumeSnapshotClasses }}
+---
+kind: VolumeSnapshotClass
+apiVersion: snapshot.storage.k8s.io/v1
+metadata:
+ name: {{ .name }}
+{{- with .annotations }}
+ annotations: {{- . | toYaml | trim | nindent 4 }}
+{{- end }}
+ labels:
+ {{- include "snapshot-controller.labels" $ | nindent 4 }}
+{{- with .labels }}
+ {{- . | toYaml | trim | nindent 4 }}
+{{- end }}
+driver: {{ .driver }}
+deletionPolicy: {{ .deletionPolicy }}
+{{- with .parameters }}
+parameters: {{- . | toYaml | trim | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/templates/webhook.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/templates/webhook.yaml
new file mode 100644
index 00000000..d18b1480
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/templates/webhook.yaml
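Review bot: In `volumesnapshotclass.yaml`, `driver: {{ .driver }}` and `deletionPolicy: {{ .deletionPolicy }}` render as empty values when a `volumeSnapshotClasses` entry omits them, and the failure only surfaces as an apiserver validation error at install time rather than as a message naming the missing field. Using `required` fails the render with a clear message: `driver: {{ required "volumeSnapshotClasses[].driver is required" .driver }}` and `deletionPolicy: {{ required "volumeSnapshotClasses[].deletionPolicy is required" .deletionPolicy }}`. Since `deletionPolicy: Delete` (the value used in the values.yaml example) removes the storage-side snapshot together with the VolumeSnapshotContent, a one-line comment above `deletionPolicy:` noting that classes used by backup tooling usually want `Retain` would spare a surprise.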
@@ -0,0 +1,112 @@
+{{- if .Values.webhook.enabled }}
+# Check if the TLS secret already exists and initialize variables for later use at the top level
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (include "snapshot-validation-webhook.certifcateName" .) }}
+{{ $ca := "" }}
+{{ $key := "" }}
+{{ $crt := "" }}
+---
+{{- if .Values.webhook.tls.certManagerIssuerRef }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+spec:
+ secretName: {{ include "snapshot-validation-webhook.certifcateName" . }}
+ dnsNames:
+ - {{ include "snapshot-validation-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+ issuerRef:
+ {{- toYaml .Values.webhook.tls.certManagerIssuerRef | nindent 4 }}
+ privateKey:
+ rotationPolicy: Always
+---
+{{- else if .Values.webhook.tls.autogenerate }}
+ {{- if and $secret (not .Values.webhook.tls.renew) }}
+ {{- $ca = get $secret.data "ca.crt" }}
+ {{- $key = get $secret.data "tls.key" }}
+ {{- $crt = get $secret.data "tls.crt" }}
+ {{- else }}
+ {{- $serviceName := (printf "%s.%s.svc" (include "snapshot-validation-webhook.fullname" .) .Release.Namespace)}}
+ {{- $cert := genSelfSignedCert $serviceName nil (list $serviceName) 3650 }}
+ {{- $ca = b64enc $cert.Cert }}
+ {{- $key = b64enc $cert.Key }}
+ {{- $crt = b64enc $cert.Cert }}
+ {{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "snapshot-validation-webhook.certifcateName" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ ca.crt: {{ $ca }}
+ tls.key: {{ $key }}
+ tls.crt: {{ $crt }}
+---
+{{- end }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ labels:
+ {{- include "snapshot-validation-webhook.labels" .
| nindent 4 }}
+ {{- if .Values.webhook.tls.certManagerIssuerRef }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "snapshot-validation-webhook.fullname" . }}
+ {{- end }}
+webhooks:
+ - name: {{ include "snapshot-validation-webhook.name" . }}.snapshot.storage.k8s.io
+ rules:
+ - apiGroups:
+ - snapshot.storage.k8s.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - volumesnapshotclasses
+ scope: "*"
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ path: "/volumesnapshot"
+ {{- if not .Values.webhook.tls.certManagerIssuerRef }}
+ caBundle: {{ $ca }}
+ {{- end }}
+ admissionReviewVersions:
+ - v1
+ - v1beta1
+ sideEffects: None
+ failurePolicy: {{ .Values.webhook.webhook.failurePolicy }}
+ timeoutSeconds: {{ .Values.webhook.webhook.timeoutSeconds }}
+ - name: {{ include "snapshot-validation-webhook.name" . }}.groupsnapshot.storage.k8s.io
+ rules:
+ - apiGroups:
+ - groupsnapshot.storage.k8s.io
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - volumegroupsnapshotclasses
+ scope: "*"
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "snapshot-validation-webhook.fullname" . }}
+ path: "/volumegroupsnapshot"
+ {{- if not .Values.webhook.tls.certManagerIssuerRef }}
+ caBundle: {{ $ca }}
+ {{- end }}
+ admissionReviewVersions:
+ - v1
+ - v1beta1
+ sideEffects: None
+ failurePolicy: {{ .Values.webhook.webhook.failurePolicy }}
+ timeoutSeconds: {{ .Values.webhook.webhook.timeoutSeconds }}
+{{- end }}
diff --git a/packages/system/snapshot-controller/charts/snapshot-controller/values.yaml b/packages/system/snapshot-controller/charts/snapshot-controller/values.yaml
new file mode 100644
index 00000000..38acb2b5
--- /dev/null
+++ b/packages/system/snapshot-controller/charts/snapshot-controller/values.yaml
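Review bot: `caBundle: {{ $ca }}` renders empty on the bring-your-own-secret path (`tls.certificateSecret` set, `tls.autogenerate: false`, no `certManagerIssuerRef`) because `$ca` is only assigned inside the autogenerate branch, so the apiserver has no CA to verify the webhook's serving certificate and, with the default `failurePolicy: Fail`, every VolumeSnapshotClass create/update is rejected. The smallest fix is a third branch in the same `if` chain, `{{- else if $secret }}` / `{{- $ca = get $secret.data "ca.crt" }}`, but since `lookup` returns nothing under `helm template`, `--dry-run` or client-side GitOps renders, an explicit `webhook.tls.caBundle` value is the more robust option. That same `lookup` behaviour means the autogenerate branch mints a fresh key pair on every such render, rotating the Secret and `caBundle` on each sync; a comment above the `lookup` line stating that `autogenerate` only yields a stable certificate when Helm has API access would save operators a debugging session.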
@@ -0,0 +1,180 @@
+controller:
+ enabled: true
+
+ replicaCount: 1
+
+ revisionHistoryLimit: 10
+
+ args:
+ leaderElection: true
+ leaderElectionNamespace: "$(NAMESPACE)"
+ httpEndpoint: ":8080"
+
+ image:
+ repository: registry.k8s.io/sig-storage/snapshot-controller
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+ imagePullSecrets: []
+
+ podAnnotations: {}
+
+ podLabels: {}
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+ resources: {}
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb: {}
+
+ topologySpreadConstraints: []
+
+ rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+
+ serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ name: ""
+
+ serviceMonitor:
+ # Specifies whether a ServiceMonitor should be created
+ create: false
+
+ volumeSnapshotClasses: []
+# - name: linstor-csi-delete
+# annotations:
+# snapshot.storage.kubernetes.io/is-default-class: "true"
+# labels:
+# velero.io/csi-volumesnapshot-class: "true"
+# driver: linstor.csi.linbit.com
+# deletionPolicy: Delete
+
+ priorityClassName: ""
+ # Specifies wether a Priority Class should be attached to deployment pods
+
+ # Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
+ hostNetwork: false
+
+ # DNS settings for the controller pod. https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
+ dnsConfig: {}
+ # DNS Policy for controller pod. For Pods running with hostNetwork, set to `ClusterFirstWithHostNet`
+ # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
+ dnsPolicy: ClusterFirst
+
+webhook:
+ enabled: true
+
+ replicaCount: 1
+
+ revisionHistoryLimit: 10
+
+ args:
+ tlsPrivateKeyFile: /etc/snapshot-validation/tls.key
+ tlsCertFile: /etc/snapshot-validation/tls.crt
+ port: 8443
+ # enableVolumeGroupSnapshotWebhook: true
+
+ image:
+ repository: registry.k8s.io/sig-storage/snapshot-validation-webhook
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+ webhook:
+ timeoutSeconds: 2
+ failurePolicy: Fail
+
+ tls:
+ certificateSecret: ""
+ autogenerate: true
+ renew: false
+ certManagerIssuerRef: {}
+
+ imagePullSecrets: []
+ podAnnotations: {}
+ podLabels: {}
+
+ networkPolicy:
+ enabled: false
+ ingress: {}
+ # - from:
+ # - ipBlock:
+ # cidr: 0.0.0.0/0
+
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb: {}
+
+ priorityClassName:
+
+ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ ##
+ topologySpreadConstraints: []
+ # - maxSkew: 1
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: ScheduleAnyway
+ # labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/instance: snapshot-validation-webhook
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+ resources: {}
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ affinity: {}
+
+ serviceAccount:
+ create: true
+ name: ""
+
+ rbac:
+ create: true
+
+ # Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
+ hostNetwork: false
+
+ # DNS settings for the webhook pod. https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
+ dnsConfig: {}
+ # DNS Policy for webhook pod.
For Pods running with hostNetwork, set to `ClusterFirstWithHostNet`
+ # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
+ dnsPolicy: ClusterFirst
+
+ tests:
+ nodeSelector: { }
+
+ tolerations: [ ]
+
+ affinity: { }
diff --git a/packages/system/snapshot-controller/values.yaml b/packages/system/snapshot-controller/values.yaml
new file mode 100644
index 00000000..667d7a9e
--- /dev/null
+++ b/packages/system/snapshot-controller/values.yaml
@@ -0,0 +1,13 @@
+snapshot-controller:
+ controller:
+ replicaCount: 2
+ revisionHistoryLimit: 10
+ webhook:
+ replicaCount: 2
+ revisionHistoryLimit: 10
+ hostNetwork: false
+ dnsPolicy: ClusterFirst
+ tls:
+ certManagerIssuerRef:
+ name: selfsigned-cluster-issuer
+ kind: ClusterIssuer
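Review bot: Both `controller.securityContext` and `webhook.securityContext` in the chart's `values.yaml` drop all capabilities and run non-root but leave out `allowPrivilegeEscalation: false` and a `seccompProfile`, which the Pod Security Standards `restricted` profile requires, so a namespace enforcing that profile rejects these pods outright. Adding `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` to both blocks (or the seccomp profile under `podSecurityContext`) closes the gap, and nothing in the chart suggests either controller needs the privileges those settings remove. The commented `networkPolicy.ingress` example `cidr: 0.0.0.0/0` also deserves a note that it admits every source and therefore negates the policy; the caller to allow is the kube-apiserver, and its address range is what belongs there.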
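Review bot: `tls.certManagerIssuerRef` in `packages/system/snapshot-controller/values.yaml` names a ClusterIssuer `selfsigned-cluster-issuer` that nothing in this commit creates, so the override presumably relies on another package installing it first. If the issuer is absent the Certificate never becomes Ready, the `-tls` Secret is never created, the webhook pods cannot start and, with the chart's `failurePolicy: Fail`, VolumeSnapshotClass create/update calls fail cluster-wide. A comment next to the reference, e.g. `# requires the selfsigned-cluster-issuer ClusterIssuer to exist before this package is installed`, would make the ordering dependency visible to whoever installs the packages.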