From f3ad42960a8702125f487c9674a686cd72f995b4 Mon Sep 17 00:00:00 2001 From: "Shiba, Sidney" Date: Mon, 20 Sep 2021 15:31:22 +0000 Subject: [PATCH] CAPZ v0.5.2 Uplift This patchset provides the manifests supporting CAPZ v0.5.2. It requires CAPI v1alpha4 (v0.4.2) manifests and clusterctl v0.4.2 binary to work properly. Depends-on: https://review.opendev.org/c/airship/airshipctl/+/804834 Relates-to: #600 Change-Id: Icccaf84d8765c75fb19bb2be352086cc33647f30 --- .../capz/v0.5.2/certmanager/certificate.yaml | 24 + .../v0.5.2/certmanager/kustomization.yaml | 4 + .../v0.5.2/certmanager/kustomizeconfig.yaml | 19 + ...uster.x-k8s.io_azureclusteridentities.yaml | 321 ++ ...ucture.cluster.x-k8s.io_azureclusters.yaml | 1204 +++++ ...ter.x-k8s.io_azuremachinepoolmachines.yaml | 237 + ...re.cluster.x-k8s.io_azuremachinepools.yaml | 1289 +++++ ...ucture.cluster.x-k8s.io_azuremachines.yaml | 961 ++++ ...luster.x-k8s.io_azuremachinetemplates.yaml | 749 +++ ...cluster.x-k8s.io_azuremanagedclusters.yaml | 126 + ...er.x-k8s.io_azuremanagedcontrolplanes.yaml | 384 ++ ...ter.x-k8s.io_azuremanagedmachinepools.yaml | 178 + ...uster.x-k8s.io_azureserviceprincipals.yaml | 122 + ...x-k8s.io_azuresystemassignedidentites.yaml | 121 + ...r.x-k8s.io_azureuserassignedidentites.yaml | 121 + .../capz/v0.5.2/crd/kustomization.yaml | 49 + .../capz/v0.5.2/crd/kustomizeconfig.yaml | 17 + ...cainjection_in_azureclusteridentities.yaml | 8 + .../patches/cainjection_in_azureclusters.yaml | 8 + ...injection_in_azuremachinepoolmachines.yaml | 8 + .../cainjection_in_azuremachinepools.yaml | 8 + .../patches/cainjection_in_azuremachines.yaml | 8 + .../cainjection_in_azuremachinetemplates.yaml | 8 + .../cainjection_in_azuremanagedclusters.yaml | 8 + ...njection_in_azuremanagedcontrolplanes.yaml | 8 + ...injection_in_azuremanagedmachinepools.yaml | 8 + .../webhook_in_azureclusteridentities.yaml | 19 + .../crd/patches/webhook_in_azureclusters.yaml | 19 + .../webhook_in_azuremachinepoolmachines.yaml | 19 + .../patches/webhook_in_azuremachinepools.yaml | 19 + .../crd/patches/webhook_in_azuremachines.yaml | 19 + .../webhook_in_azuremachinetemplates.yaml | 19 + .../webhook_in_azuremanagedclusters.yaml | 19 + .../webhook_in_azuremanagedcontrolplanes.yaml | 19 + .../webhook_in_azuremanagedmachinepools.yaml | 19 + .../capz/v0.5.2/data/kustomization.yaml | 2 + .../function/capz/v0.5.2/data/metadata.yaml | 21 + .../default/aad-pod-identity-deployment.yaml | 329 ++ .../capz/v0.5.2/default/credentials.yaml | 11 + .../capz/v0.5.2/default/kustomization.yaml | 58 + .../capz/v0.5.2/default/kustomizeconfig.yaml | 4 + .../default/manager_auth_proxy_patch.yaml | 21 + .../default/manager_credentials_patch.yaml | 31 + .../v0.5.2/default/manager_image_patch.yaml | 12 + .../manager_prometheus_metrics_patch.yaml | 19 + .../v0.5.2/default/manager_pull_policy.yaml | 11 + .../v0.5.2/default/manager_webhook_patch.yaml | 23 + .../capz/v0.5.2/default/namespace.yaml | 4 + .../default/webhookcainjection_patch.yaml | 17 + .../function/capz/v0.5.2/kustomization.yaml | 3 + .../capz/v0.5.2/manager/kustomization.yaml | 5 + .../function/capz/v0.5.2/manager/manager.yaml | 61 + .../v0.5.2/patch_crd_webhook_namespace.yaml | 3 + .../rbac/auth_proxy_client_clusterrole.yaml | 7 + .../capz/v0.5.2/rbac/auth_proxy_role.yaml | 13 + .../v0.5.2/rbac/auth_proxy_role_binding.yaml | 12 + .../capz/v0.5.2/rbac/auth_proxy_service.yaml | 18 + .../capz/v0.5.2/rbac/kustomization.yaml | 12 + .../v0.5.2/rbac/leader_election_role.yaml | 44 + .../rbac/leader_election_role_binding.yaml | 12 + manifests/function/capz/v0.5.2/rbac/role.yaml | 247 + .../capz/v0.5.2/rbac/role_binding.yaml | 12 + .../capz/v0.5.2/rbac/service_account.yaml | 5 + .../capz/v0.5.2/webhook/kustomization.yaml | 6 + .../capz/v0.5.2/webhook/kustomizeconfig.yaml | 26 + .../capz/v0.5.2/webhook/manifests.yaml | 297 ++ .../function/capz/v0.5.2/webhook/service.yaml | 9 + .../cni/calico-capz/v3.20.0/README.md | 10 + .../cni/calico-capz/v3.20.0/calico.yaml | 4143 +++++++++++++++++ .../calico-capz/v3.20.0/kustomization.yaml | 4 + .../function/k8scontrol-capz/v0.5.2/README.md | 6 + .../k8scontrol-capz/v0.5.2/cluster.yaml | 66 + .../k8scontrol-capz/v0.5.2/controlplane.yaml | 104 + .../k8scontrol-capz/v0.5.2/kustomization.yaml | 5 + .../k8scontrol-capz/v0.5.2/namespace.yaml | 5 + .../v0.5.2/replacements/cluster.yaml | 140 + .../v0.5.2/replacements/kustomization.yaml | 4 + .../function/workers-capz/v0.5.2/README.md | 6 + .../workers-capz/v0.5.2/kustomization.yaml | 3 + .../v0.5.2/replacements/kustomization.yaml | 4 + .../v0.5.2/replacements/worker.yaml | 56 + .../function/workers-capz/v0.5.2/workers.yaml | 63 + manifests/phases/executors.yaml | 2 +- 83 files changed, 12144 insertions(+), 1 deletion(-) create mode 100644 manifests/function/capz/v0.5.2/certmanager/certificate.yaml create mode 100644 manifests/function/capz/v0.5.2/certmanager/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/certmanager/kustomizeconfig.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepoolmachines.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedclusters.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureserviceprincipals.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuresystemassignedidentites.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureuserassignedidentites.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/kustomizeconfig.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusteridentities.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusters.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepoolmachines.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepools.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachines.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinetemplates.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedclusters.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedcontrolplanes.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedmachinepools.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusteridentities.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusters.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepoolmachines.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepools.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachines.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinetemplates.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedclusters.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedcontrolplanes.yaml create mode 100644 manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedmachinepools.yaml create mode 100644 manifests/function/capz/v0.5.2/data/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/data/metadata.yaml create mode 100644 manifests/function/capz/v0.5.2/default/aad-pod-identity-deployment.yaml create mode 100644 manifests/function/capz/v0.5.2/default/credentials.yaml create mode 100644 manifests/function/capz/v0.5.2/default/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/default/kustomizeconfig.yaml create mode 100644 manifests/function/capz/v0.5.2/default/manager_auth_proxy_patch.yaml create mode 100644 manifests/function/capz/v0.5.2/default/manager_credentials_patch.yaml create mode 100644 manifests/function/capz/v0.5.2/default/manager_image_patch.yaml create mode 100644 manifests/function/capz/v0.5.2/default/manager_prometheus_metrics_patch.yaml create mode 100644 manifests/function/capz/v0.5.2/default/manager_pull_policy.yaml create mode 100644 manifests/function/capz/v0.5.2/default/manager_webhook_patch.yaml create mode 100644 manifests/function/capz/v0.5.2/default/namespace.yaml create mode 100644 manifests/function/capz/v0.5.2/default/webhookcainjection_patch.yaml create mode 100644 manifests/function/capz/v0.5.2/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/manager/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/manager/manager.yaml create mode 100644 manifests/function/capz/v0.5.2/patch_crd_webhook_namespace.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/auth_proxy_role.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/auth_proxy_role_binding.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/auth_proxy_service.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/leader_election_role.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/leader_election_role_binding.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/role.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/role_binding.yaml create mode 100644 manifests/function/capz/v0.5.2/rbac/service_account.yaml create mode 100644 manifests/function/capz/v0.5.2/webhook/kustomization.yaml create mode 100644 manifests/function/capz/v0.5.2/webhook/kustomizeconfig.yaml create mode 100644 manifests/function/capz/v0.5.2/webhook/manifests.yaml create mode 100644 manifests/function/capz/v0.5.2/webhook/service.yaml create mode 100644 manifests/function/cni/calico-capz/v3.20.0/README.md create mode 100644 manifests/function/cni/calico-capz/v3.20.0/calico.yaml create mode 100644 manifests/function/cni/calico-capz/v3.20.0/kustomization.yaml create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/README.md create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/cluster.yaml create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/controlplane.yaml create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/kustomization.yaml create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/namespace.yaml create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/replacements/cluster.yaml create mode 100644 manifests/function/k8scontrol-capz/v0.5.2/replacements/kustomization.yaml create mode 100644 manifests/function/workers-capz/v0.5.2/README.md create mode 100644 manifests/function/workers-capz/v0.5.2/kustomization.yaml create mode 100644 manifests/function/workers-capz/v0.5.2/replacements/kustomization.yaml create mode 100644 manifests/function/workers-capz/v0.5.2/replacements/worker.yaml create mode 100644 manifests/function/workers-capz/v0.5.2/workers.yaml diff --git a/manifests/function/capz/v0.5.2/certmanager/certificate.yaml b/manifests/function/capz/v0.5.2/certmanager/certificate.yaml new file mode 100644 index 00000000..ffcc8106 --- /dev/null +++ b/manifests/function/capz/v0.5.2/certmanager/certificate.yaml @@ -0,0 +1,24 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: system +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: $(SERVICE_NAME)-cert diff --git a/manifests/function/capz/v0.5.2/certmanager/kustomization.yaml b/manifests/function/capz/v0.5.2/certmanager/kustomization.yaml new file mode 100644 index 00000000..34e7e5b1 --- /dev/null +++ b/manifests/function/capz/v0.5.2/certmanager/kustomization.yaml @@ -0,0 +1,4 @@ +resources: + - certificate.yaml +configurations: + - kustomizeconfig.yaml diff --git a/manifests/function/capz/v0.5.2/certmanager/kustomizeconfig.yaml b/manifests/function/capz/v0.5.2/certmanager/kustomizeconfig.yaml new file mode 100644 index 00000000..c6a6c0f1 --- /dev/null +++ b/manifests/function/capz/v0.5.2/certmanager/kustomizeconfig.yaml @@ -0,0 +1,19 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: + - kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: + - kind: Certificate + group: cert-manager.io + path: spec/commonName + - kind: Certificate + group: cert-manager.io + path: spec/dnsNames + - kind: Certificate + group: cert-manager.io + path: spec/secretName diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml new file mode 100644 index 00000000..b36fd7cb --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml @@ -0,0 +1,321 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azureclusteridentities.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureClusterIdentity + listKind: AzureClusterIdentityList + plural: azureclusteridentities + singular: azureclusteridentity + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureClusterIdentity is the Schema for the azureclustersidentities + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterIdentitySpec defines the parameters that are + used to create an AzureIdentity. + properties: + allowedNamespaces: + description: "AllowedNamespaces is an array of namespaces that AzureClusters + can use this Identity from. \n An empty list (default) indicates + that AzureClusters can use this Identity from any namespace. This + field is intentionally not a pointer because the nil behavior (no + namespaces) is undesirable here." + items: + type: string + type: array + clientID: + description: Both User Assigned MSI and SP can use this field. + type: string + clientSecret: + description: ClientSecret is a secret reference which should contain + either a Service Principal password or certificate secret. + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + resourceID: + description: User assigned MSI resource id. + type: string + tenantID: + description: Service principal primary tenant id. + type: string + type: + description: UserAssignedMSI or Service Principal + enum: + - ServicePrincipal + - UserAssignedMSI + type: string + required: + - clientID + - tenantID + - type + type: object + status: + description: AzureClusterIdentityStatus defines the observed state of + AzureClusterIdentity. + properties: + conditions: + description: Conditions defines current service state of the AzureClusterIdentity. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureClusterIdentity is the Schema for the azureclustersidentities + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterIdentitySpec defines the parameters that are + used to create an AzureIdentity. + properties: + allowedNamespaces: + description: AllowedNamespaces is used to identify the namespaces + the clusters are allowed to use the identity from. Namespaces can + be selected either using an array of namespaces or with label selector. + An empty allowedNamespaces object indicates that AzureClusters can + use this identity from any namespace. If this object is nil, no + namespaces will be allowed (default behaviour, if this field is + not provided) A namespace should be either in the NamespaceList + or match with Selector to use the identity. + nullable: true + properties: + list: + description: A nil or empty list indicates that AzureCluster cannot + use the identity from any namespace. + items: + type: string + nullable: true + type: array + selector: + description: "Selector is a selector of namespaces that AzureCluster + can use this Identity from. This is a standard Kubernetes LabelSelector, + a label query over a set of resources. The result of matchLabels + and matchExpressions are ANDed. \n A nil or empty selector indicates + that AzureCluster cannot use this AzureClusterIdentity from + any namespace." + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + type: object + clientID: + description: Both User Assigned MSI and SP can use this field. + type: string + clientSecret: + description: ClientSecret is a secret reference which should contain + either a Service Principal password or certificate secret. + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + resourceID: + description: User assigned MSI resource id. + type: string + tenantID: + description: Service principal primary tenant id. + type: string + type: + description: UserAssignedMSI or Service Principal + enum: + - ServicePrincipal + - UserAssignedMSI + type: string + required: + - clientID + - tenantID + - type + type: object + status: + description: AzureClusterIdentityStatus defines the observed state of + AzureClusterIdentity. + properties: + conditions: + description: Conditions defines current service state of the AzureClusterIdentity. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml new file mode 100644 index 00000000..8ff27b9e --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml @@ -0,0 +1,1204 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azureclusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureCluster + listKind: AzureClusterList + plural: azureclusters + singular: azurecluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Cluster to which this AzureCluster belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .spec.resourceGroup + name: Resource Group + priority: 1 + type: string + - jsonPath: .spec.subscriptionID + name: SubscriptionID + priority: 1 + type: string + - jsonPath: .spec.location + name: Location + priority: 1 + type: string + - description: Control Plane Endpoint + jsonPath: .spec.controlPlaneEndpoint.host + name: Endpoint + priority: 1 + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureCluster is the Schema for the azureclusters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterSpec defines the desired state of AzureCluster. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure + resources managed by the Azure provider, in addition to the ones + added by default. + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + identityRef: + description: IdentityRef is a reference to a AzureIdentity to be used + when reconciling this cluster + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + location: + type: string + networkSpec: + description: NetworkSpec encapsulates all things related to Azure + network. + properties: + apiServerLB: + description: APIServerLB is the configuration for the control-plane + load balancer. + properties: + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend + IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create + an Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + id: + type: string + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + subnets: + description: Subnets is the configuration for the control-plane + subnet and the node subnet. + items: + description: SubnetSpec configures an Azure subnet. + properties: + cidrBlock: + description: 'CidrBlock is the CIDR block to be used when + the provider creates a managed Vnet. DEPRECATED: Use CIDRBlocks + instead' + type: string + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, + specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + id: + description: ID defines a unique identifier to reference + this resource. + type: string + internalLBIPAddress: + description: 'InternalLBIPAddress is the IP address that + will be used as the internal LB private IP. For the control + plane subnet only. Deprecated: Use LoadBalancer private + IP instead' + type: string + name: + description: Name defines a name for the subnet resource. + type: string + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + type: string + routeTable: + description: RouteTable defines the route table that should + be attached to this subnet. + properties: + id: + type: string + name: + type: string + type: object + securityGroup: + description: SecurityGroup defines the NSG (network security + group) that should be attached to this subnet. + properties: + id: + type: string + ingressRule: + description: IngressRules is a slice of Azure ingress + rules for security groups. + items: + description: IngressRule defines an Azure ingress + rule for security groups. + properties: + description: + type: string + destination: + description: Destination - The destination address + prefix. CIDR or destination IP range. Asterix + '*' can also be used to match all source IPs. + Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' + and 'Internet' can also be used. + type: string + destinationPorts: + description: DestinationPorts - The destination + port or range. Integer or range between 0 and + 65535. Asterix '*' can also be used to match + all ports. + type: string + name: + type: string + priority: + description: Priority - A number between 100 and + 4096. Each rule should have a unique value for + priority. Rules are processed in priority order, + with lower numbers processed before higher numbers. + Once traffic matches a rule, processing stops. + format: int32 + type: integer + protocol: + description: SecurityGroupProtocol defines the + protocol type for a security group rule. + type: string + source: + description: Source - The CIDR or source IP range. + Asterix '*' can also be used to match all source + IPs. Default tags such as 'VirtualNetwork', + 'AzureLoadBalancer' and 'Internet' can also + be used. If this is an ingress rule, specifies + where network traffic originates from. + type: string + sourcePorts: + description: SourcePorts - The source port or + range. Integer or range between 0 and 65535. + Asterix '*' can also be used to match all ports. + type: string + required: + - description + - name + - protocol + type: object + type: array + name: + type: string + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + type: object + required: + - name + type: object + type: array + vnet: + description: Vnet is the configuration for the Azure virtual network. + properties: + cidrBlock: + description: 'CidrBlock is the CIDR block to be used when + the provider creates a managed virtual network. DEPRECATED: + Use CIDRBlocks instead' + type: string + cidrBlocks: + description: CIDRBlocks defines the virtual network's address + space, specified as one or more address prefixes in CIDR + notation. + items: + type: string + type: array + id: + description: ID is the identifier of the virtual network this + provider should use to create resources. + type: string + name: + description: Name defines a name for the virtual network resource. + type: string + resourceGroup: + description: ResourceGroup is the name of the resource group + of the existing virtual network or the resource group where + a managed virtual network should be created. + type: string + tags: + additionalProperties: + type: string + description: Tags is a collection of tags describing the resource. + type: object + required: + - name + type: object + type: object + resourceGroup: + type: string + subscriptionID: + type: string + required: + - location + type: object + status: + description: AzureClusterStatus defines the observed state of AzureCluster. + properties: + conditions: + description: Conditions defines current service state of the AzureCluster. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure + domains. It allows controllers to understand how many failure + domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: 'FailureDomains specifies the list of unique failure + domains for the location/region of the cluster. A FailureDomain + maps to Availability Zone with an Azure Region (if the region support + them). An Availability Zone is a separate data center within a region + and they can be used to ensure the cluster is more resilient to + failure. See: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview + This list will be used by Cluster API to try and spread the machines + across the failure domains.' + type: object + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Cluster to which this AzureCluster belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - jsonPath: .status.ready + name: Ready + type: boolean + - jsonPath: .spec.resourceGroup + name: Resource Group + priority: 1 + type: string + - jsonPath: .spec.subscriptionID + name: SubscriptionID + priority: 1 + type: string + - jsonPath: .spec.location + name: Location + priority: 1 + type: string + - description: Control Plane Endpoint + jsonPath: .spec.controlPlaneEndpoint.host + name: Endpoint + priority: 1 + type: string + name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureCluster is the Schema for the azureclusters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureClusterSpec defines the desired state of AzureCluster. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure + resources managed by the Azure provider, in addition to the ones + added by default. + type: object + azureEnvironment: + description: 'AzureEnvironment is the name of the AzureCloud to be + used. The default value that would be used by most users is "AzurePublicCloud", + other values are: - ChinaCloud: "AzureChinaCloud" - GermanCloud: + "AzureGermanCloud" - PublicCloud: "AzurePublicCloud" - USGovernmentCloud: + "AzureUSGovernmentCloud"' + type: string + bastionSpec: + description: BastionSpec encapsulates all things related to the Bastions + in the cluster. + properties: + azureBastion: + description: AzureBastion specifies how the Azure Bastion cloud + component should be configured. + properties: + name: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create an + Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + subnet: + description: SubnetSpec configures an Azure subnet. + properties: + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, + specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + id: + description: ID defines a unique identifier to reference + this resource. + type: string + name: + description: Name defines a name for the subnet resource. + type: string + natGateway: + description: NatGateway associated with this subnet. + properties: + id: + type: string + ip: + description: PublicIPSpec defines the inputs to create + an Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + name: + type: string + type: object + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + type: string + routeTable: + description: RouteTable defines the route table that should + be attached to this subnet. + properties: + id: + type: string + name: + type: string + type: object + securityGroup: + description: SecurityGroup defines the NSG (network security + group) that should be attached to this subnet. + properties: + id: + type: string + name: + type: string + securityRules: + description: SecurityRules is a slice of Azure security + rules for security groups. + items: + description: SecurityRule defines an Azure security + rule for security groups. + properties: + description: + description: A description for this rule. Restricted + to 140 chars. + type: string + destination: + description: Destination is the destination + address prefix. CIDR or destination IP range. + Asterix '*' can also be used to match all + source IPs. Default tags such as 'VirtualNetwork', + 'AzureLoadBalancer' and 'Internet' can also + be used. + type: string + destinationPorts: + description: DestinationPorts specifies the + destination port or range. Integer or range + between 0 and 65535. Asterix '*' can also + be used to match all ports. + type: string + direction: + description: Direction indicates whether the + rule applies to inbound, or outbound traffic. + "Inbound" or "Outbound". + enum: + - Inbound + - Outbound + type: string + name: + description: Name is a unique name within the + network security group. + type: string + priority: + description: Priority is a number between 100 + and 4096. Each rule should have a unique value + for priority. Rules are processed in priority + order, with lower numbers processed before + higher numbers. Once traffic matches a rule, + processing stops. + format: int32 + type: integer + protocol: + description: Protocol specifies the protocol + type. "Tcp", "Udp", "Icmp", or "*". + enum: + - Tcp + - Udp + - Icmp + - '*' + type: string + source: + description: Source specifies the CIDR or source + IP range. Asterix '*' can also be used to + match all source IPs. Default tags such as + 'VirtualNetwork', 'AzureLoadBalancer' and + 'Internet' can also be used. If this is an + ingress rule, specifies where network traffic + originates from. + type: string + sourcePorts: + description: SourcePorts specifies source port + or range. Integer or range between 0 and 65535. + Asterix '*' can also be used to match all + ports. + type: string + required: + - description + - direction + - name + - protocol + type: object + type: array + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + type: object + required: + - name + type: object + type: object + type: object + cloudProviderConfigOverrides: + description: 'CloudProviderConfigOverrides is an optional set of configuration + values that can be overridden in azure cloud provider config. This + is only a subset of options that are available in azure cloud provider + config. Some values for the cloud provider config are inferred from + other parts of cluster api provider azure spec, and may not be available + for overrides. See: https://kubernetes-sigs.github.io/cloud-provider-azure/install/configs + Note: All cloud provider config values can be customized by creating + the secret beforehand. CloudProviderConfigOverrides is only used + when the secret is managed by the Azure Provider.' + properties: + backOffs: + description: BackOffConfig indicates the back-off config options. + properties: + cloudProviderBackoff: + type: boolean + cloudProviderBackoffDuration: + type: integer + cloudProviderBackoffExponent: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderBackoffJitter: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderBackoffRetries: + type: integer + type: object + rateLimits: + items: + description: 'RateLimitSpec represents the rate limit configuration + for a particular kind of resource. Eg. loadBalancerRateLimit + is used to configure rate limits for load balancers. This + eventually gets converted to CloudProviderRateLimitConfig + that cloud-provider-azure expects. See: https://github.com/kubernetes-sigs/cloud-provider-azure/blob/d585c2031925b39c925624302f22f8856e29e352/pkg/provider/azure_ratelimit.go#L25 + We cannot use CloudProviderRateLimitConfig directly because + floating point values are not supported in controller-tools. + See: https://github.com/kubernetes-sigs/controller-tools/issues/245' + properties: + config: + description: RateLimitConfig indicates the rate limit config + options. + properties: + cloudProviderRateLimit: + type: boolean + cloudProviderRateLimitBucket: + type: integer + cloudProviderRateLimitBucketWrite: + type: integer + cloudProviderRateLimitQPS: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + cloudProviderRateLimitQPSWrite: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + name: + description: Name is the name of the rate limit spec. + enum: + - defaultRateLimit + - routeRateLimit + - subnetsRateLimit + - interfaceRateLimit + - routeTableRateLimit + - loadBalancerRateLimit + - publicIPAddressRateLimit + - securityGroupRateLimit + - virtualMachineRateLimit + - storageAccountRateLimit + - diskRateLimit + - snapshotRateLimit + - virtualMachineScaleSetRateLimit + - virtualMachineSizesRateLimit + - availabilitySetRateLimit + type: string + type: object + type: array + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + identityRef: + description: IdentityRef is a reference to an AzureIdentity to be + used when reconciling this cluster + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + location: + type: string + networkSpec: + description: NetworkSpec encapsulates all things related to Azure + network. + properties: + apiServerLB: + description: APIServerLB is the configuration for the control-plane + load balancer. + properties: + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend + IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create + an Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + frontendIPsCount: + description: FrontendIPsCount specifies the number of frontend + IP addresses for the load balancer. + format: int32 + type: integer + id: + type: string + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for + the TCP idle connection. + format: int32 + type: integer + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + controlPlaneOutboundLB: + description: ControlPlaneOutboundLB is the configuration for the + control-plane outbound load balancer. This is different from + APIServerLB, and is used only in private clusters (optionally) + for enabling outbound traffic. + properties: + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend + IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create + an Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + frontendIPsCount: + description: FrontendIPsCount specifies the number of frontend + IP addresses for the load balancer. + format: int32 + type: integer + id: + type: string + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for + the TCP idle connection. + format: int32 + type: integer + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + nodeOutboundLB: + description: NodeOutboundLB is the configuration for the node + outbound load balancer. + properties: + frontendIPs: + items: + description: FrontendIP defines a load balancer frontend + IP configuration. + properties: + name: + minLength: 1 + type: string + privateIP: + type: string + publicIP: + description: PublicIPSpec defines the inputs to create + an Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + required: + - name + type: object + type: array + frontendIPsCount: + description: FrontendIPsCount specifies the number of frontend + IP addresses for the load balancer. + format: int32 + type: integer + id: + type: string + idleTimeoutInMinutes: + description: IdleTimeoutInMinutes specifies the timeout for + the TCP idle connection. + format: int32 + type: integer + name: + type: string + sku: + description: SKU defines an Azure load balancer SKU. + type: string + type: + description: LBType defines an Azure load balancer Type. + type: string + type: object + privateDNSZoneName: + description: PrivateDNSZoneName defines the zone name for the + Azure Private DNS. + type: string + subnets: + description: Subnets is the configuration for the control-plane + subnet and the node subnet. + items: + description: SubnetSpec configures an Azure subnet. + properties: + cidrBlocks: + description: CIDRBlocks defines the subnet's address space, + specified as one or more address prefixes in CIDR notation. + items: + type: string + type: array + id: + description: ID defines a unique identifier to reference + this resource. + type: string + name: + description: Name defines a name for the subnet resource. + type: string + natGateway: + description: NatGateway associated with this subnet. + properties: + id: + type: string + ip: + description: PublicIPSpec defines the inputs to create + an Azure public IP address. + properties: + dnsName: + type: string + name: + type: string + required: + - name + type: object + name: + type: string + type: object + role: + description: Role defines the subnet role (eg. Node, ControlPlane) + type: string + routeTable: + description: RouteTable defines the route table that should + be attached to this subnet. + properties: + id: + type: string + name: + type: string + type: object + securityGroup: + description: SecurityGroup defines the NSG (network security + group) that should be attached to this subnet. + properties: + id: + type: string + name: + type: string + securityRules: + description: SecurityRules is a slice of Azure security + rules for security groups. + items: + description: SecurityRule defines an Azure security + rule for security groups. + properties: + description: + description: A description for this rule. Restricted + to 140 chars. + type: string + destination: + description: Destination is the destination address + prefix. CIDR or destination IP range. Asterix + '*' can also be used to match all source IPs. + Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' + and 'Internet' can also be used. + type: string + destinationPorts: + description: DestinationPorts specifies the destination + port or range. Integer or range between 0 and + 65535. Asterix '*' can also be used to match + all ports. + type: string + direction: + description: Direction indicates whether the rule + applies to inbound, or outbound traffic. "Inbound" + or "Outbound". + enum: + - Inbound + - Outbound + type: string + name: + description: Name is a unique name within the + network security group. + type: string + priority: + description: Priority is a number between 100 + and 4096. Each rule should have a unique value + for priority. Rules are processed in priority + order, with lower numbers processed before higher + numbers. Once traffic matches a rule, processing + stops. + format: int32 + type: integer + protocol: + description: Protocol specifies the protocol type. + "Tcp", "Udp", "Icmp", or "*". + enum: + - Tcp + - Udp + - Icmp + - '*' + type: string + source: + description: Source specifies the CIDR or source + IP range. Asterix '*' can also be used to match + all source IPs. Default tags such as 'VirtualNetwork', + 'AzureLoadBalancer' and 'Internet' can also + be used. If this is an ingress rule, specifies + where network traffic originates from. + type: string + sourcePorts: + description: SourcePorts specifies source port + or range. Integer or range between 0 and 65535. + Asterix '*' can also be used to match all ports. + type: string + required: + - description + - direction + - name + - protocol + type: object + type: array + tags: + additionalProperties: + type: string + description: Tags defines a map of tags. + type: object + type: object + required: + - name + type: object + type: array + vnet: + description: Vnet is the configuration for the Azure virtual network. + properties: + cidrBlocks: + description: CIDRBlocks defines the virtual network's address + space, specified as one or more address prefixes in CIDR + notation. + items: + type: string + type: array + id: + description: ID is the identifier of the virtual network this + provider should use to create resources. + type: string + name: + description: Name defines a name for the virtual network resource. + type: string + resourceGroup: + description: ResourceGroup is the name of the resource group + of the existing virtual network or the resource group where + a managed virtual network should be created. + type: string + tags: + additionalProperties: + type: string + description: Tags is a collection of tags describing the resource. + type: object + required: + - name + type: object + type: object + resourceGroup: + type: string + subscriptionID: + type: string + required: + - location + type: object + status: + description: AzureClusterStatus defines the observed state of AzureCluster. + properties: + conditions: + description: Conditions defines current service state of the AzureCluster. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure + domains. It allows controllers to understand how many failure + domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an + infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain + is suitable for use by control plane machines. + type: boolean + type: object + description: 'FailureDomains specifies the list of unique failure + domains for the location/region of the cluster. A FailureDomain + maps to Availability Zone with an Azure Region (if the region support + them). An Availability Zone is a separate data center within a region + and they can be used to ensure the cluster is more resilient to + failure. See: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview + This list will be used by Cluster API to try and spread the machines + across the failure domains.' + type: object + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepoolmachines.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepoolmachines.yaml new file mode 100644 index 00000000..563346bc --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepoolmachines.yaml @@ -0,0 +1,237 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremachinepoolmachines.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachinePoolMachine + listKind: AzureMachinePoolMachineList + plural: azuremachinepoolmachines + shortNames: + - ampm + singular: azuremachinepoolmachine + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Kubernetes version + jsonPath: .status.version + name: Version + type: string + - description: Flag indicating infrastructure is successfully provisioned + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VMSS VM provisioning state + jsonPath: .status.provisioningState + name: State + type: string + - description: Cluster to which this AzureMachinePoolMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: Azure VMSS VM ID + jsonPath: .spec.providerID + name: VMSS VM ID + priority: 1 + type: string + name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureMachinePoolMachine is the Schema for the azuremachinepoolmachines + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachinePoolMachineSpec defines the desired state of + AzureMachinePoolMachine. + properties: + instanceID: + description: InstanceID is the identification of the Machine Instance + within the VMSS + type: string + providerID: + description: ProviderID is the identification ID of the Virtual Machine + Scale Set + type: string + required: + - instanceID + - providerID + type: object + status: + description: AzureMachinePoolMachineStatus defines the observed state + of AzureMachinePoolMachine. + properties: + conditions: + description: Conditions defines current service state of the AzureMachinePool. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureMessage: + description: "FailureMessage will be set in the event that there is + a terminal problem reconciling the MachinePool and will contain + a more verbose string suitable for logging and human consumption. + \n Any transient errors that occur during the reconciliation of + MachinePools can be added as events to the MachinePool object and/or + logged in the controller's output." + type: string + failureReason: + description: "FailureReason will be set in the event that there is + a terminal problem reconciling the MachinePool machine and will + contain a succinct value suitable for machine interpretation. \n + Any transient errors that occur during the reconciliation of MachinePools + can be added as events to the MachinePool object and/or logged in + the controller's output." + type: string + instanceName: + description: InstanceName is the name of the Machine Instance within + the VMSS + type: string + latestModelApplied: + description: LatestModelApplied indicates the instance is running + the most up-to-date VMSS model. A VMSS model describes the image + version the VM is running. If the instance is not running the latest + model, it means the instance may not be running the version of Kubernetes + the Machine Pool has specified and needs to be updated. + type: boolean + longRunningOperationState: + description: LongRunningOperationState saves the state for an Azure + long running operations so it can be continued on the next reconciliation + loop. + properties: + futureData: + description: FutureData is the base64 url encoded json Azure AutoRest + Future + type: string + name: + description: Name is the name of the Azure resource + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the + resource + type: string + type: + description: Type describes the type of future, update, create, + delete, etc + type: string + required: + - type + type: object + nodeRef: + description: NodeRef will point to the corresponding Node if it exists. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + provisioningState: + description: ProvisioningState is the provisioning state of the Azure + virtual machine instance. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + version: + description: Version defines the Kubernetes version for the VM Instance + type: string + required: + - latestModelApplied + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml new file mode 100644 index 00000000..485f7d28 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml @@ -0,0 +1,1289 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremachinepools.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachinePool + listKind: AzureMachinePoolList + plural: azuremachinepools + shortNames: + - amp + singular: azuremachinepool + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: AzureMachinePool replicas count + jsonPath: .status.replicas + name: Replicas + type: string + - description: AzureMachinePool replicas count + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VMSS provisioning state + jsonPath: .status.provisioningState + name: State + type: string + - description: Cluster to which this AzureMachinePool belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: MachinePool object to which this AzureMachinePool belongs + jsonPath: .metadata.ownerReferences[?(@.kind=="MachinePool")].name + name: MachinePool + priority: 1 + type: string + - description: Azure VMSS ID + jsonPath: .spec.providerID + name: VMSS ID + priority: 1 + type: string + - description: Azure VM Size + jsonPath: .spec.template.vmSize + name: VM Size + priority: 1 + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureMachinePool is the Schema for the azuremachinepools API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachinePoolSpec defines the desired state of AzureMachinePool. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an + instance, in addition to the ones added by default by the Azure + provider. If both the AzureCluster and the AzureMachine specify + the same tag name with different values, the AzureMachine's value + takes precedence. + type: object + identity: + default: None + description: Identity is the type of identity used for the Virtual + Machine Scale Set. The type 'SystemAssigned' is an implicitly created + identity. The generated identity will be assigned a Subscription + contributor role. The type 'UserAssigned' is a standalone Azure + resource provided by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + location: + description: Location is the Azure region location e.g. westus2 + type: string + providerID: + description: ProviderID is the identification ID of the Virtual Machine + Scale Set + type: string + providerIDList: + description: ProviderIDList are the identification IDs of machine + instances provided by the provider. This field must match the provider + IDs as seen on the node objects corresponding to a machine pool's + machine instances. + items: + type: string + type: array + roleAssignmentName: + description: RoleAssignmentName is the name of the role assignment + to create for a system assigned identity. It can be any valid GUID. + If not specified, a random GUID will be generated. + type: string + template: + description: Template contains the details used to build a replica + virtual machine within the Machine Pool. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated + networking. If omitted, it will be set based on whether the + requested VMSize supports accelerated networking. If AcceleratedNetworking + is set to true with a VMSize that does not support it, Azure + will return an error. + type: boolean + dataDisks: + description: DataDisks specifies the list of data disks to be + created for a Virtual Machine + items: + description: DataDisk specifies the parameters that are used + to add one or more data disks to the machine. + properties: + cachingType: + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the + data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the + data disk. This value is used to identify data disks within + the VM and therefore must be unique for each data disk + attached to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk defines the managed disk options + for a VM. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk + encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + required: + - storageAccountType + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to + the machine name to generate the disk name. Each disk + name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + image: + description: Image is used to provide details of an image to use + during Virtual Machine creation. If image details are omitted + the image will default the Azure Marketplace "capi" offer, which + is based on Ubuntu. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the + Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization + that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such + as a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published + by a third party publisher and a Plan will be generated + for it. + type: boolean + version: + description: Version specifies the version of an image + sku. The allowed formats are Major.Minor.Build or 'latest'. + Major, Minor, and Build are decimal numbers. Specify + 'latest' to use the latest version of an image available + at deploy time. Even if you use 'latest', the VM image + will not automatically update after deploy time even + if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from + an Azure Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared + image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + resourceGroup: + description: ResourceGroup specifies the resource group + containing the shared image gallery + minLength: 1 + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription + that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace + image. The allowed formats are Major.Minor.Build or + 'latest'. Major, Minor, and Build are decimal numbers. + Specify 'latest' to use the latest version of an image + available at deploy time. Even if you use 'latest', + the VM image will not automatically update after deploy + time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + osDisk: + description: OSDisk contains the operating system disk information + for a Virtual Machine + properties: + cachingType: + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings + for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" + See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks + for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + format: int32 + type: integer + managedDisk: + description: ManagedDisk defines the managed disk options + for a VM. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk + encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + required: + - storageAccountType + type: object + osType: + type: string + required: + - diskSizeGB + - managedDisk + - osType + type: object + securityProfile: + description: SecurityProfile specifies the Security profile settings + for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption + should be enabled or disabled for a virtual machine or virtual + machine scale set. Default is disabled. + type: boolean + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine + should use a Spot VM + properties: + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is + willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + description: SSHPublicKey is the SSH public key string base64 + encoded to add to a Virtual Machine + type: string + terminateNotificationTimeout: + description: TerminateNotificationTimeout enables or disables + VMSS scheduled events termination notification with specified + timeout allowed values are between 5 and 15 (mins) + type: integer + vmSize: + description: VMSize is the size of the Virtual Machine to build. + See https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate#virtualmachinesizetypes + type: string + required: + - osDisk + - sshPublicKey + - vmSize + type: object + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure + identities provided by the user The lifecycle of a user-assigned + identity is managed separately from the lifecycle of the AzureMachinePool. + See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities + provided by the user to be assigned to Azure resources. + properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned + Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + required: + - location + - template + type: object + status: + description: AzureMachinePoolStatus defines the observed state of AzureMachinePool. + properties: + conditions: + description: Conditions defines current service state of the AzureMachinePool. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureMessage: + description: "FailureMessage will be set in the event that there is + a terminal problem reconciling the MachinePool and will contain + a more verbose string suitable for logging and human consumption. + \n This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the MachinePool's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of MachinePools can be added as + events to the MachinePool object and/or logged in the controller's + output." + type: string + failureReason: + description: "FailureReason will be set in the event that there is + a terminal problem reconciling the MachinePool and will contain + a succinct value suitable for machine interpretation. \n This field + should not be set for transitive errors that a controller faces + that are expected to be fixed automatically over time (like service + outages), but instead indicate that something is fundamentally wrong + with the MachinePool's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of MachinePools can be added as + events to the MachinePool object and/or logged in the controller's + output." + type: string + instances: + description: Instances is the VM instance status for each VM in the + VMSS + items: + description: AzureMachinePoolInstanceStatus provides status information + for each instance in the VMSS. + properties: + instanceID: + description: InstanceID is the identification of the Machine + Instance within the VMSS + type: string + instanceName: + description: InstanceName is the name of the Machine Instance + within the VMSS + type: string + latestModelApplied: + description: LatestModelApplied indicates the instance is running + the most up-to-date VMSS model. A VMSS model describes the + image version the VM is running. If the instance is not running + the latest model, it means the instance may not be running + the version of Kubernetes the Machine Pool has specified and + needs to be updated. + type: boolean + providerID: + description: ProviderID is the provider identification of the + VMSS Instance + type: string + provisioningState: + description: ProvisioningState is the provisioning state of + the Azure virtual machine instance. + type: string + version: + description: Version defines the Kubernetes version for the + VM Instance + type: string + required: + - latestModelApplied + type: object + type: array + longRunningOperationState: + description: LongRunningOperationState saves the state for an Azure + long running operations so it can be continued on the next reconciliation + loop. + properties: + futureData: + description: FutureData is the base64 url encoded json Azure AutoRest + Future. + type: string + name: + description: Name is the name of the Azure resource. + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the + resource. + type: string + type: + description: Type describes the type of future, update, create, + delete, etc. + type: string + required: + - type + type: object + provisioningState: + description: ProvisioningState is the provisioning state of the Azure + virtual machine. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + version: + description: Version is the Kubernetes version for the current VMSS + model + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: AzureMachinePool replicas count + jsonPath: .status.replicas + name: Replicas + type: string + - description: AzureMachinePool replicas count + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VMSS provisioning state + jsonPath: .status.provisioningState + name: State + type: string + - description: Cluster to which this AzureMachinePool belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: MachinePool object to which this AzureMachinePool belongs + jsonPath: .metadata.ownerReferences[?(@.kind=="MachinePool")].name + name: MachinePool + priority: 1 + type: string + - description: Azure VMSS ID + jsonPath: .spec.providerID + name: VMSS ID + priority: 1 + type: string + - description: Azure VM Size + jsonPath: .spec.template.vmSize + name: VM Size + priority: 1 + type: string + name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureMachinePool is the Schema for the azuremachinepools API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachinePoolSpec defines the desired state of AzureMachinePool. + properties: + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an + instance, in addition to the ones added by default by the Azure + provider. If both the AzureCluster and the AzureMachine specify + the same tag name with different values, the AzureMachine's value + takes precedence. + type: object + identity: + default: None + description: Identity is the type of identity used for the Virtual + Machine Scale Set. The type 'SystemAssigned' is an implicitly created + identity. The generated identity will be assigned a Subscription + contributor role. The type 'UserAssigned' is a standalone Azure + resource provided by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + location: + description: Location is the Azure region location e.g. westus2 + type: string + nodeDrainTimeout: + description: 'NodeDrainTimeout is the total amount of time that the + controller will spend on draining a node. The default value is 0, + meaning that the node can be drained without any time limitations. + NOTE: NodeDrainTimeout is different from `kubectl drain --timeout`' + type: string + providerID: + description: ProviderID is the identification ID of the Virtual Machine + Scale Set + type: string + providerIDList: + description: ProviderIDList are the identification IDs of machine + instances provided by the provider. This field must match the provider + IDs as seen on the node objects corresponding to a machine pool's + machine instances. + items: + type: string + type: array + roleAssignmentName: + description: RoleAssignmentName is the name of the role assignment + to create for a system assigned identity. It can be any valid GUID. + If not specified, a random GUID will be generated. + type: string + strategy: + default: + rollingUpdate: + deletePolicy: Oldest + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + description: The deployment strategy to use to replace existing AzureMachinePoolMachines + with new ones. + properties: + rollingUpdate: + description: Rolling update config params. Present only if MachineDeploymentStrategyType + = RollingUpdate. + properties: + deletePolicy: + default: Oldest + description: DeletePolicy defines the policy used by the MachineDeployment + to identify nodes to delete when downscaling. Valid values + are "Random, "Newest", "Oldest" When no value is supplied, + the default is Oldest + enum: + - Random + - Newest + - Oldest + type: string + maxSurge: + anyOf: + - type: integer + - type: string + default: 1 + description: 'The maximum number of machines that can be scheduled + above the desired number of machines. Value can be an absolute + number (ex: 5) or a percentage of desired machines (ex: + 10%). This can not be 0 if MaxUnavailable is 0. Absolute + number is calculated from percentage by rounding up. Defaults + to 1. Example: when this is set to 30%, the new MachineSet + can be scaled up immediately when the rolling update starts, + such that the total number of old and new machines do not + exceed 130% of desired machines. Once old machines have + been killed, new MachineSet can be scaled up further, ensuring + that total number of machines running at any time during + the update is at most 130% of desired machines.' + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + default: 0 + description: 'The maximum number of machines that can be unavailable + during the update. Value can be an absolute number (ex: + 5) or a percentage of desired machines (ex: 10%). Absolute + number is calculated from percentage by rounding down. This + can not be 0 if MaxSurge is 0. Defaults to 0. Example: when + this is set to 30%, the old MachineSet can be scaled down + to 70% of desired machines immediately when the rolling + update starts. Once new machines are ready, old MachineSet + can be scaled down further, followed by scaling up the new + MachineSet, ensuring that the total number of machines available + at all times during the update is at least 70% of desired + machines.' + x-kubernetes-int-or-string: true + type: object + type: + default: RollingUpdate + description: Type of deployment. Currently the only supported + strategy is RollingUpdate + enum: + - RollingUpdate + type: string + type: object + template: + description: Template contains the details used to build a replica + virtual machine within the Machine Pool + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated + networking. If omitted, it will be set based on whether the + requested VMSize supports accelerated networking. If AcceleratedNetworking + is set to true with a VMSize that does not support it, Azure + will return an error. + type: boolean + dataDisks: + description: DataDisks specifies the list of data disks to be + created for a Virtual Machine + items: + description: DataDisk specifies the parameters that are used + to add one or more data disks to the machine. + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the + data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the + data disk. This value is used to identify data disks within + the VM and therefore must be unique for each data disk + attached to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters + for the data disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk + encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to + the machine name to generate the disk name. Each disk + name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + image: + description: Image is used to provide details of an image to use + during VM creation. If image details are omitted the image will + default the Azure Marketplace "capi" offer, which is based on + Ubuntu. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the + Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization + that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such + as a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published + by a third party publisher and a Plan will be generated + for it. + type: boolean + version: + description: Version specifies the version of an image + sku. The allowed formats are Major.Minor.Build or 'latest'. + Major, Minor, and Build are decimal numbers. Specify + 'latest' to use the latest version of an image available + at deploy time. Even if you use 'latest', the VM image + will not automatically update after deploy time even + if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from + an Azure Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared + image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer This value will be used to add a `Plan` + in the API request when creating the VM/VMSS resource. + This is needed when the source image from which this + SIG image was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization + that created the image. This value will be used to add + a `Plan` in the API request when creating the VM/VMSS + resource. This is needed when the source image from + which this SIG image was built requires the `Plan` to + be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group + containing the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such + as a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter This value will be used to add a `Plan` + in the API request when creating the VM/VMSS resource. + This is needed when the source image from which this + SIG image was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription + that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace + image. The allowed formats are Major.Minor.Build or + 'latest'. Major, Minor, and Build are decimal numbers. + Specify 'latest' to use the latest version of an image + available at deploy time. Even if you use 'latest', + the VM image will not automatically update after deploy + time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + osDisk: + description: OSDisk contains the operating system disk information + for a Virtual Machine + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings + for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" + See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks + for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the + OS disk. Will have a default of 30GB if not provided + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters + for the OS disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk + encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + type: object + osType: + type: string + required: + - osType + type: object + securityProfile: + description: SecurityProfile specifies the Security profile settings + for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption + should be enabled or disabled for a virtual machine or virtual + machine scale set. Default is disabled. + type: boolean + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine + should use a Spot VM + properties: + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is + willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + description: SSHPublicKey is the SSH public key string base64 + encoded to add to a Virtual Machine + type: string + subnetName: + description: SubnetName selects the Subnet where the VMSS will + be placed + type: string + terminateNotificationTimeout: + description: TerminateNotificationTimeout enables or disables + VMSS scheduled events termination notification with specified + timeout allowed values are between 5 and 15 (mins) + type: integer + vmSize: + description: VMSize is the size of the Virtual Machine to build. + See https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/createorupdate#virtualmachinesizetypes + type: string + required: + - osDisk + - sshPublicKey + - vmSize + type: object + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure + identities provided by the user The lifecycle of a user-assigned + identity is managed separately from the lifecycle of the AzureMachinePool. + See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities + provided by the user to be assigned to Azure resources. + properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned + Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + required: + - location + - template + type: object + status: + description: AzureMachinePoolStatus defines the observed state of AzureMachinePool. + properties: + conditions: + description: Conditions defines current service state of the AzureMachinePool. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureMessage: + description: "FailureMessage will be set in the event that there is + a terminal problem reconciling the MachinePool and will contain + a more verbose string suitable for logging and human consumption. + \n This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the MachinePool's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of MachinePools can be added as + events to the MachinePool object and/or logged in the controller's + output." + type: string + failureReason: + description: "FailureReason will be set in the event that there is + a terminal problem reconciling the MachinePool and will contain + a succinct value suitable for machine interpretation. \n This field + should not be set for transitive errors that a controller faces + that are expected to be fixed automatically over time (like service + outages), but instead indicate that something is fundamentally wrong + with the MachinePool's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of MachinePools can be added as + events to the MachinePool object and/or logged in the controller's + output." + type: string + image: + description: Image is the current image used in the AzureMachinePool. + When the spec image is nil, this image is populated with the details + of the defaulted Azure Marketplace "capi" offer. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure + Marketplace + properties: + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that + created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as + a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published + by a third party publisher and a Plan will be generated + for it. + type: boolean + version: + description: Version specifies the version of an image sku. + The allowed formats are Major.Minor.Build or 'latest'. Major, + Minor, and Build are decimal numbers. Specify 'latest' to + use the latest version of an image available at deploy time. + Even if you use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from an Azure + Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared image + gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer This value will be used to add a `Plan` in + the API request when creating the VM/VMSS resource. This + is needed when the source image from which this SIG image + was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization that + created the image. This value will be used to add a `Plan` + in the API request when creating the VM/VMSS resource. This + is needed when the source image from which this SIG image + was built requires the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing + the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as + a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter This value will be used to add a `Plan` + in the API request when creating the VM/VMSS resource. This + is needed when the source image from which this SIG image + was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription + that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace + image. The allowed formats are Major.Minor.Build or 'latest'. + Major, Minor, and Build are decimal numbers. Specify 'latest' + to use the latest version of an image available at deploy + time. Even if you use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + instances: + description: Instances is the VM instance status for each VM in the + VMSS + items: + description: AzureMachinePoolInstanceStatus provides status information + for each instance in the VMSS. + properties: + instanceID: + description: InstanceID is the identification of the Machine + Instance within the VMSS + type: string + instanceName: + description: InstanceName is the name of the Machine Instance + within the VMSS + type: string + latestModelApplied: + description: LatestModelApplied indicates the instance is running + the most up-to-date VMSS model. A VMSS model describes the + image version the VM is running. If the instance is not running + the latest model, it means the instance may not be running + the version of Kubernetes the Machine Pool has specified and + needs to be updated. + type: boolean + providerID: + description: ProviderID is the provider identification of the + VMSS Instance + type: string + provisioningState: + description: ProvisioningState is the provisioning state of + the Azure virtual machine instance. + type: string + version: + description: Version defines the Kubernetes version for the + VM Instance + type: string + required: + - latestModelApplied + type: object + type: array + longRunningOperationState: + description: LongRunningOperationState saves the state for an Azure + long-running operations so it can be continued on the next reconciliation + loop. + properties: + futureData: + description: FutureData is the base64 url encoded json Azure AutoRest + Future + type: string + name: + description: Name is the name of the Azure resource + type: string + resourceGroup: + description: ResourceGroup is the Azure resource group for the + resource + type: string + type: + description: Type describes the type of future, update, create, + delete, etc + type: string + required: + - type + type: object + provisioningState: + description: ProvisioningState is the provisioning state of the Azure + virtual machine. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + version: + description: Version is the Kubernetes version for the current VMSS + model + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml new file mode 100644 index 00000000..644701f8 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml @@ -0,0 +1,961 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremachines.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachine + listKind: AzureMachineList + plural: azuremachines + singular: azuremachine + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: AzureMachine ready status + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VM provisioning state + jsonPath: .status.vmState + name: State + type: string + - description: Cluster to which this AzureMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: Machine object to which this AzureMachine belongs + jsonPath: .metadata.ownerReferences[?(@.kind=="Machine")].name + name: Machine + priority: 1 + type: string + - description: Azure VM ID + jsonPath: .spec.providerID + name: VM ID + priority: 1 + type: string + - description: Azure VM Size + jsonPath: .spec.vmSize + name: VM Size + priority: 1 + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureMachine is the Schema for the azuremachines API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachineSpec defines the desired state of AzureMachine. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated + networking. If omitted, it will be set based on whether the requested + VMSize supports accelerated networking. If AcceleratedNetworking + is set to true with a VMSize that does not support it, Azure will + return an error. + type: boolean + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an + instance, in addition to the ones added by default by the Azure + provider. If both the AzureCluster and the AzureMachine specify + the same tag name with different values, the AzureMachine's value + takes precedence. + type: object + allocatePublicIP: + description: AllocatePublicIP allows the ability to create dynamic + public ips for machines where this value is true. + type: boolean + availabilityZone: + description: 'DEPRECATED: use FailureDomain instead' + properties: + enabled: + type: boolean + id: + type: string + type: object + dataDisks: + description: DataDisk specifies the parameters that are used to add + one or more data disks to the machine + items: + description: DataDisk specifies the parameters that are used to + add one or more data disks to the machine. + properties: + cachingType: + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the data + disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the data + disk. This value is used to identify data disks within the + VM and therefore must be unique for each data disk attached + to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk defines the managed disk options for + a VM. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk encryption + options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + required: + - storageAccountType + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to the + machine name to generate the disk name. Each disk name will + be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + enableIPForwarding: + description: EnableIPForwarding enables IP Forwarding in Azure which + is required for some CNI's to send traffic from a pods on one machine + to another. This is required for IpV6 with Calico in combination + with User Defined Routes (set by the Azure Cloud Controller manager). + Default is false for disabled. + type: boolean + failureDomain: + description: FailureDomain is the failure domain unique identifier + this Machine should be attached to, as defined in Cluster API. This + relates to an Azure Availability Zone + type: string + identity: + default: None + description: Identity is the type of identity used for the virtual + machine. The type 'SystemAssigned' is an implicitly created identity. + The generated identity will be assigned a Subscription contributor + role. The type 'UserAssigned' is a standalone Azure resource provided + by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + image: + description: Image is used to provide details of an image to use during + VM creation. If image details are omitted the image will default + the Azure Marketplace "capi" offer, which is based on Ubuntu. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure + Marketplace + properties: + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that + created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as + a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published + by a third party publisher and a Plan will be generated + for it. + type: boolean + version: + description: Version specifies the version of an image sku. + The allowed formats are Major.Minor.Build or 'latest'. Major, + Minor, and Build are decimal numbers. Specify 'latest' to + use the latest version of an image available at deploy time. + Even if you use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from an Azure + Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared image + gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing + the shared image gallery + minLength: 1 + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription + that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace + image. The allowed formats are Major.Minor.Build or 'latest'. + Major, Minor, and Build are decimal numbers. Specify 'latest' + to use the latest version of an image available at deploy + time. Even if you use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + location: + description: 'DEPRECATED: to support old clients, will be removed + in v1alpha4' + type: string + osDisk: + description: OSDisk specifies the parameters for the operating system + disk of the machine + properties: + cachingType: + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings + for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" + See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks + for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + format: int32 + type: integer + managedDisk: + description: ManagedDisk defines the managed disk options for + a VM. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk encryption + options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + required: + - storageAccountType + type: object + osType: + type: string + required: + - diskSizeGB + - managedDisk + - osType + type: object + providerID: + description: ProviderID is the unique identifier as specified by the + cloud provider. + type: string + roleAssignmentName: + description: RoleAssignmentName is the name of the role assignment + to create for a system assigned identity. It can be any valid GUID. + If not specified, a random GUID will be generated. + type: string + securityProfile: + description: SecurityProfile specifies the Security profile settings + for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption should + be enabled or disabled for a virtual machine or virtual machine + scale set. Default is disabled. + type: boolean + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine + should use a Spot VM. + properties: + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is willing + to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + type: string + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure + identities provided by the user The lifecycle of a user-assigned + identity is managed separately from the lifecycle of the AzureMachine. + See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities + provided by the user to be assigned to Azure resources. + properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned + Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + vmSize: + type: string + required: + - location + - osDisk + - sshPublicKey + - vmSize + type: object + status: + description: AzureMachineStatus defines the observed state of AzureMachine. + properties: + addresses: + description: Addresses contains the Azure instance associated addresses. + items: + description: NodeAddress contains information for the node's address. + properties: + address: + description: The node address. + type: string + type: + description: Node address type, one of Hostname, ExternalIP + or InternalIP. + type: string + required: + - address + - type + type: object + type: array + conditions: + description: Conditions defines current service state of the AzureMachine. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureMessage: + description: "ErrorMessage will be set in the event that there is + a terminal problem reconciling the Machine and will contain a more + verbose string suitable for logging and human consumption. \n This + field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the Machine's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of Machines can be added as events + to the Machine object and/or logged in the controller's output." + type: string + failureReason: + description: "ErrorReason will be set in the event that there is a + terminal problem reconciling the Machine and will contain a succinct + value suitable for machine interpretation. \n This field should + not be set for transitive errors that a controller faces that are + expected to be fixed automatically over time (like service outages), + but instead indicate that something is fundamentally wrong with + the Machine's spec or the configuration of the controller, and that + manual intervention is required. Examples of terminal errors would + be invalid combinations of settings in the spec, values that are + unsupported by the controller, or the responsible controller itself + being critically misconfigured. \n Any transient errors that occur + during the reconciliation of Machines can be added as events to + the Machine object and/or logged in the controller's output." + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + vmState: + description: VMState is the provisioning state of the Azure virtual + machine. + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: AzureMachine ready status + jsonPath: .status.ready + name: Ready + type: string + - description: Azure VM provisioning state + jsonPath: .status.vmState + name: State + type: string + - description: Cluster to which this AzureMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + priority: 1 + type: string + - description: Machine object to which this AzureMachine belongs + jsonPath: .metadata.ownerReferences[?(@.kind=="Machine")].name + name: Machine + priority: 1 + type: string + - description: Azure VM ID + jsonPath: .spec.providerID + name: VM ID + priority: 1 + type: string + - description: Azure VM Size + jsonPath: .spec.vmSize + name: VM Size + priority: 1 + type: string + name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureMachine is the Schema for the azuremachines API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachineSpec defines the desired state of AzureMachine. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure accelerated + networking. If omitted, it will be set based on whether the requested + VMSize supports accelerated networking. If AcceleratedNetworking + is set to true with a VMSize that does not support it, Azure will + return an error. + type: boolean + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to an + instance, in addition to the ones added by default by the Azure + provider. If both the AzureCluster and the AzureMachine specify + the same tag name with different values, the AzureMachine's value + takes precedence. + type: object + allocatePublicIP: + description: AllocatePublicIP allows the ability to create dynamic + public ips for machines where this value is true. + type: boolean + dataDisks: + description: DataDisk specifies the parameters that are used to add + one or more data disks to the machine + items: + description: DataDisk specifies the parameters that are used to + add one or more data disks to the machine. + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the data + disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of the data + disk. This value is used to identify data disks within the + VM and therefore must be unique for each data disk attached + to a VM. The value must be between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters + for the data disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk encryption + options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended to the + machine name to generate the disk name. Each disk name will + be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + enableIPForwarding: + description: EnableIPForwarding enables IP Forwarding in Azure which + is required for some CNI's to send traffic from a pods on one machine + to another. This is required for IpV6 with Calico in combination + with User Defined Routes (set by the Azure Cloud Controller manager). + Default is false for disabled. + type: boolean + failureDomain: + description: FailureDomain is the failure domain unique identifier + this Machine should be attached to, as defined in Cluster API. This + relates to an Azure Availability Zone + type: string + identity: + default: None + description: Identity is the type of identity used for the virtual + machine. The type 'SystemAssigned' is an implicitly created identity. + The generated identity will be assigned a Subscription contributor + role. The type 'UserAssigned' is a standalone Azure resource provided + by the user and assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + image: + description: Image is used to provide details of an image to use during + VM creation. If image details are omitted the image will default + the Azure Marketplace "capi" offer, which is based on Ubuntu. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from the Azure + Marketplace + properties: + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization that + created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as + a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is published + by a third party publisher and a Plan will be generated + for it. + type: boolean + version: + description: Version specifies the version of an image sku. + The allowed formats are Major.Minor.Build or 'latest'. Major, + Minor, and Build are decimal numbers. Specify 'latest' to + use the latest version of an image available at deploy time. + Even if you use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from an Azure + Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared image + gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of related + images created by the publisher. For example, UbuntuServer, + WindowsServer This value will be used to add a `Plan` in + the API request when creating the VM/VMSS resource. This + is needed when the source image from which this SIG image + was built requires the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization that + created the image. This value will be used to add a `Plan` + in the API request when creating the VM/VMSS resource. This + is needed when the source image from which this SIG image + was built requires the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource group containing + the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, such as + a major release of a distribution. For example, 18.04-LTS, + 2019-Datacenter This value will be used to add a `Plan` + in the API request when creating the VM/VMSS resource. This + is needed when the source image from which this SIG image + was built requires the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the subscription + that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the marketplace + image. The allowed formats are Major.Minor.Build or 'latest'. + Major, Minor, and Build are decimal numbers. Specify 'latest' + to use the latest version of an image available at deploy + time. Even if you use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + osDisk: + description: OSDisk specifies the parameters for the operating system + disk of the machine + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk settings + for the os disk. + properties: + option: + description: Option enables ephemeral OS when set to "Local" + See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks + for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to the OS + disk. Will have a default of 30GB if not provided + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters + for the OS disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk encryption + options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + type: object + osType: + type: string + required: + - osType + type: object + providerID: + description: ProviderID is the unique identifier as specified by the + cloud provider. + type: string + roleAssignmentName: + description: RoleAssignmentName is the name of the role assignment + to create for a system assigned identity. It can be any valid GUID. + If not specified, a random GUID will be generated. + type: string + securityProfile: + description: SecurityProfile specifies the Security profile settings + for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption should + be enabled or disabled for a virtual machine or virtual machine + scale set. Default is disabled. + type: boolean + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the Machine + should use a Spot VM + properties: + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user is willing + to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + type: string + subnetName: + description: SubnetName selects the Subnet where the VM will be placed + type: string + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone Azure + identities provided by the user The lifecycle of a user-assigned + identity is managed separately from the lifecycle of the AzureMachine. + See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned identities + provided by the user to be assigned to Azure resources. + properties: + providerID: + description: 'ProviderID is the identification ID of the user-assigned + Identity, the format of an identity is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + vmSize: + type: string + required: + - osDisk + - sshPublicKey + - vmSize + type: object + status: + description: AzureMachineStatus defines the observed state of AzureMachine. + properties: + addresses: + description: Addresses contains the Azure instance associated addresses. + items: + description: NodeAddress contains information for the node's address. + properties: + address: + description: The node address. + type: string + type: + description: Node address type, one of Hostname, ExternalIP + or InternalIP. + type: string + required: + - address + - type + type: object + type: array + conditions: + description: Conditions defines current service state of the AzureMachine. + items: + description: Condition defines an observation of a Cluster API resource + operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - status + - type + type: object + type: array + failureMessage: + description: "ErrorMessage will be set in the event that there is + a terminal problem reconciling the Machine and will contain a more + verbose string suitable for logging and human consumption. \n This + field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the Machine's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of Machines can be added as events + to the Machine object and/or logged in the controller's output." + type: string + failureReason: + description: "ErrorReason will be set in the event that there is a + terminal problem reconciling the Machine and will contain a succinct + value suitable for machine interpretation. \n This field should + not be set for transitive errors that a controller faces that are + expected to be fixed automatically over time (like service outages), + but instead indicate that something is fundamentally wrong with + the Machine's spec or the configuration of the controller, and that + manual intervention is required. Examples of terminal errors would + be invalid combinations of settings in the spec, values that are + unsupported by the controller, or the responsible controller itself + being critically misconfigured. \n Any transient errors that occur + during the reconciliation of Machines can be added as events to + the Machine object and/or logged in the controller's output." + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + vmState: + description: VMState is the provisioning state of the Azure virtual + machine. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml new file mode 100644 index 00000000..5d6bef09 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml @@ -0,0 +1,749 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremachinetemplates.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureMachineTemplate + listKind: AzureMachineTemplateList + plural: azuremachinetemplates + singular: azuremachinetemplate + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureMachineTemplate is the Schema for the azuremachinetemplates + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachineTemplateSpec defines the desired state of AzureMachineTemplate. + properties: + template: + description: AzureMachineTemplateResource describes the data needed + to create an AzureMachine from a template. + properties: + spec: + description: Spec is the specification of the desired behavior + of the machine. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure + accelerated networking. If omitted, it will be set based + on whether the requested VMSize supports accelerated networking. + If AcceleratedNetworking is set to true with a VMSize that + does not support it, Azure will return an error. + type: boolean + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to + add to an instance, in addition to the ones added by default + by the Azure provider. If both the AzureCluster and the + AzureMachine specify the same tag name with different values, + the AzureMachine's value takes precedence. + type: object + allocatePublicIP: + description: AllocatePublicIP allows the ability to create + dynamic public ips for machines where this value is true. + type: boolean + availabilityZone: + description: 'DEPRECATED: use FailureDomain instead' + properties: + enabled: + type: boolean + id: + type: string + type: object + dataDisks: + description: DataDisk specifies the parameters that are used + to add one or more data disks to the machine + items: + description: DataDisk specifies the parameters that are + used to add one or more data disks to the machine. + properties: + cachingType: + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign + to the data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of + the data disk. This value is used to identify data + disks within the VM and therefore must be unique for + each data disk attached to a VM. The value must be + between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk defines the managed disk options + for a VM. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines + disk encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + required: + - storageAccountType + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended + to the machine name to generate the disk name. Each + disk name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + enableIPForwarding: + description: EnableIPForwarding enables IP Forwarding in Azure + which is required for some CNI's to send traffic from a + pods on one machine to another. This is required for IpV6 + with Calico in combination with User Defined Routes (set + by the Azure Cloud Controller manager). Default is false + for disabled. + type: boolean + failureDomain: + description: FailureDomain is the failure domain unique identifier + this Machine should be attached to, as defined in Cluster + API. This relates to an Azure Availability Zone + type: string + identity: + default: None + description: Identity is the type of identity used for the + virtual machine. The type 'SystemAssigned' is an implicitly + created identity. The generated identity will be assigned + a Subscription contributor role. The type 'UserAssigned' + is a standalone Azure resource provided by the user and + assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + image: + description: Image is used to provide details of an image + to use during VM creation. If image details are omitted + the image will default the Azure Marketplace "capi" offer, + which is based on Ubuntu. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from + the Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of + related images created by the publisher. For example, + UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization + that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, + such as a major release of a distribution. For example, + 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is + published by a third party publisher and a Plan + will be generated for it. + type: boolean + version: + description: Version specifies the version of an image + sku. The allowed formats are Major.Minor.Build or + 'latest'. Major, Minor, and Build are decimal numbers. + Specify 'latest' to use the latest version of an + image available at deploy time. Even if you use + 'latest', the VM image will not automatically update + after deploy time even if a new version becomes + available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from + an Azure Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared + image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + resourceGroup: + description: ResourceGroup specifies the resource + group containing the shared image gallery + minLength: 1 + type: string + subscriptionID: + description: SubscriptionID is the identifier of the + subscription that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the + marketplace image. The allowed formats are Major.Minor.Build + or 'latest'. Major, Minor, and Build are decimal + numbers. Specify 'latest' to use the latest version + of an image available at deploy time. Even if you + use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes + available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + location: + description: 'DEPRECATED: to support old clients, will be + removed in v1alpha4' + type: string + osDisk: + description: OSDisk specifies the parameters for the operating + system disk of the machine + properties: + cachingType: + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk + settings for the os disk. + properties: + option: + description: Option enables ephemeral OS when set + to "Local" See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks + for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + format: int32 + type: integer + managedDisk: + description: ManagedDisk defines the managed disk options + for a VM. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk + encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + required: + - storageAccountType + type: object + osType: + type: string + required: + - diskSizeGB + - managedDisk + - osType + type: object + providerID: + description: ProviderID is the unique identifier as specified + by the cloud provider. + type: string + roleAssignmentName: + description: RoleAssignmentName is the name of the role assignment + to create for a system assigned identity. It can be any + valid GUID. If not specified, a random GUID will be generated. + type: string + securityProfile: + description: SecurityProfile specifies the Security profile + settings for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption + should be enabled or disabled for a virtual machine + or virtual machine scale set. Default is disabled. + type: boolean + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the + Machine should use a Spot VM. + properties: + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user + is willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + type: string + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone + Azure identities provided by the user The lifecycle of a + user-assigned identity is managed separately from the lifecycle + of the AzureMachine. See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned + identities provided by the user to be assigned to Azure + resources. + properties: + providerID: + description: 'ProviderID is the identification ID of + the user-assigned Identity, the format of an identity + is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + vmSize: + type: string + required: + - location + - osDisk + - sshPublicKey + - vmSize + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: false + - name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureMachineTemplate is the Schema for the azuremachinetemplates + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureMachineTemplateSpec defines the desired state of AzureMachineTemplate. + properties: + template: + description: AzureMachineTemplateResource describes the data needed + to create an AzureMachine from a template. + properties: + spec: + description: Spec is the specification of the desired behavior + of the machine. + properties: + acceleratedNetworking: + description: AcceleratedNetworking enables or disables Azure + accelerated networking. If omitted, it will be set based + on whether the requested VMSize supports accelerated networking. + If AcceleratedNetworking is set to true with a VMSize that + does not support it, Azure will return an error. + type: boolean + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to + add to an instance, in addition to the ones added by default + by the Azure provider. If both the AzureCluster and the + AzureMachine specify the same tag name with different values, + the AzureMachine's value takes precedence. + type: object + allocatePublicIP: + description: AllocatePublicIP allows the ability to create + dynamic public ips for machines where this value is true. + type: boolean + dataDisks: + description: DataDisk specifies the parameters that are used + to add one or more data disks to the machine + items: + description: DataDisk specifies the parameters that are + used to add one or more data disks to the machine. + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diskSizeGB: + description: DiskSizeGB is the size in GB to assign + to the data disk. + format: int32 + type: integer + lun: + description: Lun Specifies the logical unit number of + the data disk. This value is used to identify data + disks within the VM and therefore must be unique for + each data disk attached to a VM. The value must be + between 0 and 63. + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk + parameters for the data disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines + disk encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + type: object + nameSuffix: + description: NameSuffix is the suffix to be appended + to the machine name to generate the disk name. Each + disk name will be in format _. + type: string + required: + - diskSizeGB + - nameSuffix + type: object + type: array + enableIPForwarding: + description: EnableIPForwarding enables IP Forwarding in Azure + which is required for some CNI's to send traffic from a + pods on one machine to another. This is required for IpV6 + with Calico in combination with User Defined Routes (set + by the Azure Cloud Controller manager). Default is false + for disabled. + type: boolean + failureDomain: + description: FailureDomain is the failure domain unique identifier + this Machine should be attached to, as defined in Cluster + API. This relates to an Azure Availability Zone + type: string + identity: + default: None + description: Identity is the type of identity used for the + virtual machine. The type 'SystemAssigned' is an implicitly + created identity. The generated identity will be assigned + a Subscription contributor role. The type 'UserAssigned' + is a standalone Azure resource provided by the user and + assigned to the VM + enum: + - None + - SystemAssigned + - UserAssigned + type: string + image: + description: Image is used to provide details of an image + to use during VM creation. If image details are omitted + the image will default the Azure Marketplace "capi" offer, + which is based on Ubuntu. + properties: + id: + description: ID specifies an image to use by ID + type: string + marketplace: + description: Marketplace specifies an image to use from + the Azure Marketplace + properties: + offer: + description: Offer specifies the name of a group of + related images created by the publisher. For example, + UbuntuServer, WindowsServer + minLength: 1 + type: string + publisher: + description: Publisher is the name of the organization + that created the image + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, + such as a major release of a distribution. For example, + 18.04-LTS, 2019-Datacenter + minLength: 1 + type: string + thirdPartyImage: + default: false + description: ThirdPartyImage indicates the image is + published by a third party publisher and a Plan + will be generated for it. + type: boolean + version: + description: Version specifies the version of an image + sku. The allowed formats are Major.Minor.Build or + 'latest'. Major, Minor, and Build are decimal numbers. + Specify 'latest' to use the latest version of an + image available at deploy time. Even if you use + 'latest', the VM image will not automatically update + after deploy time even if a new version becomes + available. + minLength: 1 + type: string + required: + - offer + - publisher + - sku + - version + type: object + sharedGallery: + description: SharedGallery specifies an image to use from + an Azure Shared Image Gallery + properties: + gallery: + description: Gallery specifies the name of the shared + image gallery that contains the image + minLength: 1 + type: string + name: + description: Name is the name of the image + minLength: 1 + type: string + offer: + description: Offer specifies the name of a group of + related images created by the publisher. For example, + UbuntuServer, WindowsServer This value will be used + to add a `Plan` in the API request when creating + the VM/VMSS resource. This is needed when the source + image from which this SIG image was built requires + the `Plan` to be used. + type: string + publisher: + description: Publisher is the name of the organization + that created the image. This value will be used + to add a `Plan` in the API request when creating + the VM/VMSS resource. This is needed when the source + image from which this SIG image was built requires + the `Plan` to be used. + type: string + resourceGroup: + description: ResourceGroup specifies the resource + group containing the shared image gallery + minLength: 1 + type: string + sku: + description: SKU specifies an instance of an offer, + such as a major release of a distribution. For example, + 18.04-LTS, 2019-Datacenter This value will be used + to add a `Plan` in the API request when creating + the VM/VMSS resource. This is needed when the source + image from which this SIG image was built requires + the `Plan` to be used. + type: string + subscriptionID: + description: SubscriptionID is the identifier of the + subscription that contains the shared image gallery + minLength: 1 + type: string + version: + description: Version specifies the version of the + marketplace image. The allowed formats are Major.Minor.Build + or 'latest'. Major, Minor, and Build are decimal + numbers. Specify 'latest' to use the latest version + of an image available at deploy time. Even if you + use 'latest', the VM image will not automatically + update after deploy time even if a new version becomes + available. + minLength: 1 + type: string + required: + - gallery + - name + - resourceGroup + - subscriptionID + - version + type: object + type: object + osDisk: + description: OSDisk specifies the parameters for the operating + system disk of the machine + properties: + cachingType: + description: CachingType specifies the caching requirements. + enum: + - None + - ReadOnly + - ReadWrite + type: string + diffDiskSettings: + description: DiffDiskSettings describe ephemeral disk + settings for the os disk. + properties: + option: + description: Option enables ephemeral OS when set + to "Local" See https://docs.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks + for full details + enum: + - Local + type: string + required: + - option + type: object + diskSizeGB: + description: DiskSizeGB is the size in GB to assign to + the OS disk. Will have a default of 30GB if not provided + format: int32 + type: integer + managedDisk: + description: ManagedDisk specifies the Managed Disk parameters + for the OS disk. + properties: + diskEncryptionSet: + description: DiskEncryptionSetParameters defines disk + encryption options. + properties: + id: + description: ID defines resourceID for diskEncryptionSet + resource. It must be in the same subscription + type: string + type: object + storageAccountType: + type: string + type: object + osType: + type: string + required: + - osType + type: object + providerID: + description: ProviderID is the unique identifier as specified + by the cloud provider. + type: string + roleAssignmentName: + description: RoleAssignmentName is the name of the role assignment + to create for a system assigned identity. It can be any + valid GUID. If not specified, a random GUID will be generated. + type: string + securityProfile: + description: SecurityProfile specifies the Security profile + settings for a virtual machine. + properties: + encryptionAtHost: + description: This field indicates whether Host Encryption + should be enabled or disabled for a virtual machine + or virtual machine scale set. Default is disabled. + type: boolean + type: object + spotVMOptions: + description: SpotVMOptions allows the ability to specify the + Machine should use a Spot VM + properties: + maxPrice: + anyOf: + - type: integer + - type: string + description: MaxPrice defines the maximum price the user + is willing to pay for Spot VM instances + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + sshPublicKey: + type: string + subnetName: + description: SubnetName selects the Subnet where the VM will + be placed + type: string + userAssignedIdentities: + description: UserAssignedIdentities is a list of standalone + Azure identities provided by the user The lifecycle of a + user-assigned identity is managed separately from the lifecycle + of the AzureMachine. See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli + items: + description: UserAssignedIdentity defines the user-assigned + identities provided by the user to be assigned to Azure + resources. + properties: + providerID: + description: 'ProviderID is the identification ID of + the user-assigned Identity, the format of an identity + is: ''azure:///subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}''' + type: string + required: + - providerID + type: object + type: array + vmSize: + type: string + required: + - osDisk + - sshPublicKey + - vmSize + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedclusters.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedclusters.yaml new file mode 100644 index 00000000..ccc3d599 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedclusters.yaml @@ -0,0 +1,126 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremanagedclusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureManagedCluster + listKind: AzureManagedClusterList + plural: azuremanagedclusters + shortNames: + - amc + singular: azuremanagedcluster + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureManagedCluster is the Schema for the azuremanagedclusters + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedClusterSpec defines the desired state of AzureManagedCluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + type: object + status: + description: AzureManagedClusterStatus defines the observed state of AzureManagedCluster. + properties: + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureManagedCluster is the Schema for the azuremanagedclusters + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedClusterSpec defines the desired state of AzureManagedCluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + type: object + status: + description: AzureManagedClusterStatus defines the observed state of AzureManagedCluster. + properties: + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml new file mode 100644 index 00000000..d3db0c8d --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml @@ -0,0 +1,384 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureManagedControlPlane + listKind: AzureManagedControlPlaneList + plural: azuremanagedcontrolplanes + shortNames: + - amcp + singular: azuremanagedcontrolplane + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureManagedControlPlane is the Schema for the azuremanagedcontrolplanes + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedControlPlaneSpec defines the desired state of + AzureManagedControlPlane. + properties: + aadProfile: + description: AadProfile is Azure Active Directory configuration to + integrate with AKS for aad authentication. + properties: + adminGroupObjectIDs: + description: AdminGroupObjectIDs - AAD group object IDs that will + have admin role of the cluster. + items: + type: string + type: array + managed: + description: Managed - Whether to enable managed AAD. + type: boolean + required: + - adminGroupObjectIDs + - managed + type: object + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure + resources managed by the Azure provider, in addition to the ones + added by default. + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + dnsServiceIP: + description: DNSServiceIP is an IP address assigned to the Kubernetes + DNS service. It must be within the Kubernetes service address range + specified in serviceCidr. + type: string + loadBalancerSKU: + description: LoadBalancerSKU is the SKU of the loadBalancer to be + provisioned. + enum: + - Basic + - Standard + type: string + location: + description: 'Location is a string matching one of the canonical Azure + region names. Examples: "westus2", "eastus".' + type: string + networkPlugin: + description: NetworkPlugin used for building Kubernetes network. + enum: + - azure + - kubenet + type: string + networkPolicy: + description: NetworkPolicy used for building Kubernetes network. + enum: + - azure + - calico + type: string + nodeResourceGroupName: + description: NodeResourceGroupName is the name of the resource group + containining cluster IaaS resources. Will be populated to default + in webhook. + type: string + resourceGroupName: + description: ResourceGroupName is the name of the Azure resource group + for this AKS Cluster. + type: string + sshPublicKey: + description: SSHPublicKey is a string literal containing an ssh public + key base64 encoded. + type: string + subscriptionID: + description: SubscriotionID is the GUID of the Azure subscription + to hold this cluster. + type: string + version: + description: Version defines the desired Kubernetes version. + minLength: 2 + type: string + virtualNetwork: + description: VirtualNetwork describes the vnet for the AKS cluster. + Will be created if it does not exist. + properties: + cidrBlock: + type: string + name: + type: string + subnet: + description: ManagedControlPlaneSubnet describes a subnet for + an AKS cluster. + properties: + cidrBlock: + type: string + name: + type: string + required: + - cidrBlock + - name + type: object + required: + - cidrBlock + - name + type: object + required: + - location + - nodeResourceGroupName + - resourceGroupName + - sshPublicKey + - version + type: object + status: + description: AzureManagedControlPlaneStatus defines the observed state + of AzureManagedControlPlane. + properties: + initialized: + description: Initialized is true when the the control plane is available + for initial contact. This may occur before the control plane is + fully ready. In the AzureManagedControlPlane implementation, these + are identical. + type: boolean + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureManagedControlPlane is the Schema for the azuremanagedcontrolplanes + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedControlPlaneSpec defines the desired state of + AzureManagedControlPlane. + properties: + aadProfile: + description: AadProfile is Azure Active Directory configuration to + integrate with AKS for aad authentication. + properties: + adminGroupObjectIDs: + description: AdminGroupObjectIDs - AAD group object IDs that will + have admin role of the cluster. + items: + type: string + type: array + managed: + description: Managed - Whether to enable managed AAD. + type: boolean + required: + - adminGroupObjectIDs + - managed + type: object + additionalTags: + additionalProperties: + type: string + description: AdditionalTags is an optional set of tags to add to Azure + resources managed by the Azure provider, in addition to the ones + added by default. + type: object + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: The hostname on which the API server is serving. + type: string + port: + description: The port on which the API server is serving. + format: int32 + type: integer + required: + - host + - port + type: object + dnsServiceIP: + description: DNSServiceIP is an IP address assigned to the Kubernetes + DNS service. It must be within the Kubernetes service address range + specified in serviceCidr. + type: string + identityRef: + description: IdentityRef is a reference to a AzureClusterIdentity + to be used when reconciling this cluster + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + loadBalancerSKU: + description: LoadBalancerSKU is the SKU of the loadBalancer to be + provisioned. + enum: + - Basic + - Standard + type: string + location: + description: 'Location is a string matching one of the canonical Azure + region names. Examples: "westus2", "eastus".' + type: string + networkPlugin: + description: NetworkPlugin used for building Kubernetes network. + enum: + - azure + - kubenet + type: string + networkPolicy: + description: NetworkPolicy used for building Kubernetes network. + enum: + - azure + - calico + type: string + nodeResourceGroupName: + description: NodeResourceGroupName is the name of the resource group + containining cluster IaaS resources. Will be populated to default + in webhook. + type: string + resourceGroupName: + description: ResourceGroupName is the name of the Azure resource group + for this AKS Cluster. + type: string + sshPublicKey: + description: SSHPublicKey is a string literal containing an ssh public + key base64 encoded. + type: string + subscriptionID: + description: SubscriptionID is the GUID of the Azure subscription + to hold this cluster. + type: string + version: + description: Version defines the desired Kubernetes version. + minLength: 2 + type: string + virtualNetwork: + description: VirtualNetwork describes the vnet for the AKS cluster. + Will be created if it does not exist. + properties: + cidrBlock: + type: string + name: + type: string + subnet: + description: ManagedControlPlaneSubnet describes a subnet for + an AKS cluster. + properties: + cidrBlock: + type: string + name: + type: string + required: + - cidrBlock + - name + type: object + required: + - cidrBlock + - name + type: object + required: + - location + - resourceGroupName + - sshPublicKey + - version + type: object + status: + description: AzureManagedControlPlaneStatus defines the observed state + of AzureManagedControlPlane. + properties: + initialized: + description: Initialized is true when the the control plane is available + for initial contact. This may occur before the control plane is + fully ready. In the AzureManagedControlPlane implementation, these + are identical. + type: boolean + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml new file mode 100644 index 00000000..8c9ab2c6 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml @@ -0,0 +1,178 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: azuremanagedmachinepools.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureManagedMachinePool + listKind: AzureManagedMachinePoolList + plural: azuremanagedmachinepools + shortNames: + - ammp + singular: azuremanagedmachinepool + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureManagedMachinePool is the Schema for the azuremanagedmachinepools + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedMachinePoolSpec defines the desired state of + AzureManagedMachinePool. + properties: + mode: + description: 'Mode - represents mode of an agent pool. Possible values + include: System, User.' + enum: + - System + - User + type: string + osDiskSizeGB: + description: OSDiskSizeGB is the disk size for every machine in this + agent pool. If you specify 0, it will apply the default osDisk size + according to the vmSize specified. + format: int32 + type: integer + providerIDList: + description: ProviderIDList is the unique identifier as specified + by the cloud provider. + items: + type: string + type: array + sku: + description: SKU is the size of the VMs in the node pool. + type: string + required: + - mode + - sku + type: object + status: + description: AzureManagedMachinePoolStatus defines the observed state + of AzureManagedMachinePool. + properties: + errorMessage: + description: Any transient errors that occur during the reconciliation + of Machines can be added as events to the Machine object and/or + logged in the controller's output. + type: string + errorReason: + description: Any transient errors that occur during the reconciliation + of Machines can be added as events to the Machine object and/or + logged in the controller's output. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1alpha4 + schema: + openAPIV3Schema: + description: AzureManagedMachinePool is the Schema for the azuremanagedmachinepools + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureManagedMachinePoolSpec defines the desired state of + AzureManagedMachinePool. + properties: + mode: + description: 'Mode - represents mode of an agent pool. Possible values + include: System, User.' + enum: + - System + - User + type: string + osDiskSizeGB: + description: OSDiskSizeGB is the disk size for every machine in this + agent pool. If you specify 0, it will apply the default osDisk size + according to the vmSize specified. + format: int32 + type: integer + providerIDList: + description: ProviderIDList is the unique identifier as specified + by the cloud provider. + items: + type: string + type: array + sku: + description: SKU is the size of the VMs in the node pool. + type: string + required: + - mode + - sku + type: object + status: + description: AzureManagedMachinePoolStatus defines the observed state + of AzureManagedMachinePool. + properties: + errorMessage: + description: Any transient errors that occur during the reconciliation + of Machines can be added as events to the Machine object and/or + logged in the controller's output. + type: string + errorReason: + description: Any transient errors that occur during the reconciliation + of Machines can be added as events to the Machine object and/or + logged in the controller's output. + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureserviceprincipals.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureserviceprincipals.yaml new file mode 100644 index 00000000..1774dc88 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureserviceprincipals.yaml @@ -0,0 +1,122 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: azureserviceprincipals.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureServicePrincipal + listKind: AzureServicePrincipalList + plural: azureserviceprincipals + singular: azureserviceprincipal + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureServicePrincipal represents a reference to an Azure access + key ID and secret access key, stored in a secret. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for this AzureServicePrincipalSpec. + properties: + allowedNamespaces: + description: "AllowedNamespaces is a selector of namespaces that AzureClusters + can use this ClusterPrincipal from. This is a standard Kubernetes + LabelSelector, a label query over a set of resources. The result + of matchLabels and matchExpressions are ANDed. Controllers must + not support AzureClusters in namespaces outside this selector. \n + An empty selector (default) indicates that AzureClusters can use + this AzureServicePrincipal from any namespace. This field is intentionally + not a pointer because the nil behavior (no namespaces) is undesirable + here." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + name: + type: string + secretRef: + description: 'Reference to a secret containing the credentials. The + secret should contain the following data keys: tenantID clientID + clientSecret' + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + required: + - name + - secretRef + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuresystemassignedidentites.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuresystemassignedidentites.yaml new file mode 100644 index 00000000..ea2d1f99 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azuresystemassignedidentites.yaml @@ -0,0 +1,121 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: azuresystemassignedidentites.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureSystemAssignedIdentity + listKind: AzureSystemAssignedIdentityList + plural: azuresystemassignedidentites + singular: azuresystemassignedidentity + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureSystemAssignedIdentity represents a reference to an Azure + access key ID and secret access key, stored in a secret. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for this AzureSystemAssignedIdentitySpec. + properties: + allowedNamespaces: + description: "AllowedNamespaces is a selector of namespaces that AzureClusters + can use this ClusterPrincipal from. This is a standard Kubernetes + LabelSelector, a label query over a set of resources. The result + of matchLabels and matchExpressions are ANDed. Controllers must + not support AzureClusters in namespaces outside this selector. \n + An empty selector (default) indicates that AzureClusters can use + this AzureSystemAssignedIdentity from any namespace. This field + is intentionally not a pointer because the nil behavior (no namespaces) + is undesirable here." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + name: + type: string + secretRef: + description: 'Reference to a secret containing the credentials. The + secret should contain the following data keys: tenantID' + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + required: + - name + - secretRef + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureuserassignedidentites.yaml b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureuserassignedidentites.yaml new file mode 100644 index 00000000..d7dec8ed --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/bases/infrastructure.cluster.x-k8s.io_azureuserassignedidentites.yaml @@ -0,0 +1,121 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: azureuserassignedidentites.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: AzureUserAssignedIdentity + listKind: AzureUserAssignedIdentityList + plural: azureuserassignedidentites + singular: azureuserassignedidentity + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: AzureUserAssignedIdentity represents a reference to an Azure + access key ID and secret access key, stored in a secret. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec for this AzureUserAssignedIdentitySpec. + properties: + allowedNamespaces: + description: "AllowedNamespaces is a selector of namespaces that AzureClusters + can use this ClusterPrincipal from. This is a standard Kubernetes + LabelSelector, a label query over a set of resources. The result + of matchLabels and matchExpressions are ANDed. Controllers must + not support AzureClusters in namespaces outside this selector. \n + An empty selector (default) indicates that AzureClusters can use + this AzureUserAssignedIdentity from any namespace. This field is + intentionally not a pointer because the nil behavior (no namespaces) + is undesirable here." + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + name: + type: string + secretRef: + description: 'Reference to a secret containing the credentials. The + secret should contain the following data keys: tenantID clientID' + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + required: + - name + - secretRef + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capz/v0.5.2/crd/kustomization.yaml b/manifests/function/capz/v0.5.2/crd/kustomization.yaml new file mode 100644 index 00000000..5029f9ff --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/kustomization.yaml @@ -0,0 +1,49 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/ +commonLabels: + cluster.x-k8s.io/v1alpha4: v1alpha4 + +resources: + - bases/infrastructure.cluster.x-k8s.io_azuremachines.yaml + - bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml + - bases/infrastructure.cluster.x-k8s.io_azuremachinetemplates.yaml + - bases/infrastructure.cluster.x-k8s.io_azureclusteridentities.yaml + - bases/infrastructure.cluster.x-k8s.io_azuremachinepools.yaml + - bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml + - bases/infrastructure.cluster.x-k8s.io_azuremanagedclusters.yaml + - bases/infrastructure.cluster.x-k8s.io_azuremanagedcontrolplanes.yaml + - bases/infrastructure.cluster.x-k8s.io_azuremachinepoolmachines.yaml +# +kubebuilder:scaffold:crdkustomizeresource + + +patchesStrategicMerge: + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. + # patches here are for enabling the conversion webhook for each CRD + - patches/webhook_in_azuremachines.yaml + - patches/webhook_in_azureclusters.yaml + - patches/webhook_in_azureclusteridentities.yaml + - patches/webhook_in_azuremachinetemplates.yaml + - patches/webhook_in_azuremachinepools.yaml + - patches/webhook_in_azuremachinepoolmachines.yaml + # - patches/webhook_in_azuremanagedmachinepools.yaml + # - patches/webhook_in_azuremanagedclusters.yaml + # - patches/webhook_in_azuremanagedcontrolplanes.yaml + # +kubebuilder:scaffold:crdkustomizewebhookpatch + + # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. + # patches here are for enabling the CA injection for each CRD + - patches/cainjection_in_azuremachines.yaml + - patches/cainjection_in_azureclusters.yaml + - patches/cainjection_in_azureclusteridentities.yaml + - patches/cainjection_in_azuremachinetemplates.yaml + - patches/cainjection_in_azuremachinepools.yaml + - patches/cainjection_in_azuremachinepoolmachines.yaml + # - patches/cainjection_in_azuremanagedmachinepools.yaml + # - patches/cainjection_in_azuremanagedclusters.yaml + # - patches/cainjection_in_azuremanagedcontrolplanes.yaml +# +kubebuilder:scaffold:crdkustomizecainjectionpatch + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: + - kustomizeconfig.yaml diff --git a/manifests/function/capz/v0.5.2/crd/kustomizeconfig.yaml b/manifests/function/capz/v0.5.2/crd/kustomizeconfig.yaml new file mode 100644 index 00000000..8e2d8d6b --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/kustomizeconfig.yaml @@ -0,0 +1,17 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusteridentities.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusteridentities.yaml new file mode 100644 index 00000000..826a128e --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusteridentities.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azureclusteridentities.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusters.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusters.yaml new file mode 100644 index 00000000..fbe29312 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azureclusters.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azureclusters.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepoolmachines.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepoolmachines.yaml new file mode 100644 index 00000000..cb25d81d --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepoolmachines.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremachinepoolmachines.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepools.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepools.yaml new file mode 100644 index 00000000..bd7eda50 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinepools.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremachinepools.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachines.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachines.yaml new file mode 100644 index 00000000..b844976c --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachines.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremachines.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinetemplates.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinetemplates.yaml new file mode 100644 index 00000000..ab5d0b4a --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremachinetemplates.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremachinetemplates.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedclusters.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedclusters.yaml new file mode 100644 index 00000000..8a7eb576 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedclusters.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremanagedclusters.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedcontrolplanes.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedcontrolplanes.yaml new file mode 100644 index 00000000..0734376d --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedcontrolplanes.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedmachinepools.yaml b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedmachinepools.yaml new file mode 100644 index 00000000..dc9610ff --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/cainjection_in_azuremanagedmachinepools.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: azuremanagedmachinepools.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusteridentities.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusteridentities.yaml new file mode 100644 index 00000000..8ce335e0 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusteridentities.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureclusteridentities.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusters.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusters.yaml new file mode 100644 index 00000000..aef170df --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azureclusters.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azureclusters.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert \ No newline at end of file diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepoolmachines.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepoolmachines.yaml new file mode 100644 index 00000000..86906dd5 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepoolmachines.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachinepoolmachines.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepools.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepools.yaml new file mode 100644 index 00000000..9a48cc04 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinepools.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachinepools.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachines.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachines.yaml new file mode 100644 index 00000000..99b86bde --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachines.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachines.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert \ No newline at end of file diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinetemplates.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinetemplates.yaml new file mode 100644 index 00000000..7172830d --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremachinetemplates.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremachinetemplates.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert \ No newline at end of file diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedclusters.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedclusters.yaml new file mode 100644 index 00000000..8bdb4c52 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedclusters.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremanagedclusters.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert \ No newline at end of file diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedcontrolplanes.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedcontrolplanes.yaml new file mode 100644 index 00000000..75b6a35d --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedcontrolplanes.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedmachinepools.yaml b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedmachinepools.yaml new file mode 100644 index 00000000..56d83530 --- /dev/null +++ b/manifests/function/capz/v0.5.2/crd/patches/webhook_in_azuremanagedmachinepools.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: azuremanagedmachinepools.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capz/v0.5.2/data/kustomization.yaml b/manifests/function/capz/v0.5.2/data/kustomization.yaml new file mode 100644 index 00000000..65d5b6a2 --- /dev/null +++ b/manifests/function/capz/v0.5.2/data/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - metadata.yaml diff --git a/manifests/function/capz/v0.5.2/data/metadata.yaml b/manifests/function/capz/v0.5.2/data/metadata.yaml new file mode 100644 index 00000000..9327ff00 --- /dev/null +++ b/manifests/function/capz/v0.5.2/data/metadata.yaml @@ -0,0 +1,21 @@ +# maps release series of major.minor to cluster-api contract version +# the contract version may change between minor or major versions, but *not* +# between patch versions. +# +# update this file only when a new major or minor version is released +apiVersion: clusterctl.cluster.x-k8s.io/v1alpha3 +kind: Metadata +metadata: + name: repository-metadata + labels: + airshipit.org/deploy-k8s: "false" +releaseSeries: + - major: 0 + minor: 3 + contract: v1alpha2 + - major: 0 + minor: 4 + contract: v1alpha3 + - major: 0 + minor: 5 + contract: v1alpha4 diff --git a/manifests/function/capz/v0.5.2/default/aad-pod-identity-deployment.yaml b/manifests/function/capz/v0.5.2/default/aad-pod-identity-deployment.yaml new file mode 100644 index 00000000..3d39ae7c --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/aad-pod-identity-deployment.yaml @@ -0,0 +1,329 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: unapproved + controller-gen.kubebuilder.io/version: v0.5.0 + name: azureidentities.aadpodidentity.k8s.io +spec: + group: aadpodidentity.k8s.io + names: + kind: AzureIdentity + listKind: AzureIdentityList + plural: azureidentities + singular: azureidentity + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AzureIdentity is the specification of the identity data structure. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureIdentitySpec describes the credential specifications of an identity on Azure. + properties: + adEndpoint: + type: string + adResourceID: + description: For service principal. Option param for specifying the AD details. + type: string + auxiliaryTenantIDs: + description: Service principal auxiliary tenant ids + items: + type: string + nullable: true + type: array + clientID: + description: Both User Assigned MSI and SP can use this field. + type: string + clientPassword: + description: Used for service principal + properties: + name: + description: Name is unique within a namespace to reference a secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret name must be unique. + type: string + type: object + metadata: + type: object + replicas: + format: int32 + nullable: true + type: integer + resourceID: + description: User assigned MSI resource id. + type: string + tenantID: + description: Service principal primary tenant id. + type: string + type: + description: UserAssignedMSI or Service Principal + type: integer + type: object + status: + description: AzureIdentityStatus contains the replica status of the resource. + properties: + availableReplicas: + format: int32 + type: integer + metadata: + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: unapproved + controller-gen.kubebuilder.io/version: v0.5.0 + name: azureidentitybindings.aadpodidentity.k8s.io +spec: + group: aadpodidentity.k8s.io + names: + kind: AzureIdentityBinding + listKind: AzureIdentityBindingList + plural: azureidentitybindings + singular: azureidentitybinding + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present. + properties: + azureIdentity: + type: string + metadata: + type: object + selector: + type: string + weight: + description: Weight is used to figure out which of the matching identities would be selected. + type: integer + type: object + status: + description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding. + properties: + availableReplicas: + format: int32 + type: integer + metadata: + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: unapproved + controller-gen.kubebuilder.io/version: v0.5.0 + name: azurepodidentityexceptions.aadpodidentity.k8s.io +spec: + group: aadpodidentity.k8s.io + names: + kind: AzurePodIdentityException + listKind: AzurePodIdentityExceptionList + plural: azurepodidentityexceptions + singular: azurepodidentityexception + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation. + properties: + metadata: + type: object + podLabels: + additionalProperties: + type: string + type: object + type: object + status: + description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException. + properties: + metadata: + type: object + status: + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aad-pod-id-nmi-role +rules: +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +- apiGroups: ["aadpodidentity.k8s.io"] + resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aad-pod-id-nmi-binding + labels: + k8s-app: capz-aad-pod-id-nmi-binding +subjects: +- kind: ServiceAccount + name: manager + namespace: system +roleRef: + kind: ClusterRole + name: aad-pod-id-nmi-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + component: nmi + tier: node + k8s-app: aad-pod-id + name: nmi + namespace: capz-system +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + component: nmi + tier: node + template: + metadata: + labels: + component: nmi + tier: node + spec: + serviceAccountName: manager + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + volumes: + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: iptableslock + - name: kubelet-config + hostPath: + path: /etc/default/kubelet + type: FileOrCreate + containers: + - name: nmi + image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.0" + imagePullPolicy: IfNotPresent + args: + - "--node=$(NODE_NAME)" + - "--operation-mode=managed" + - "--forceNamespaced" + - "--http-probe-port=8085" + env: + - name: FORCENAMESPACED + value: "true" + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: LOG_LEVEL + value: DEBUG + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + runAsUser: 0 + capabilities: + drop: + - ALL + add: + - DAC_READ_SEARCH + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /run/xtables.lock + name: iptableslock + - name: kubelet-config + mountPath: /etc/default/kubelet + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: 8085 + initialDelaySeconds: 10 + periodSeconds: 5 + nodeSelector: + kubernetes.io/os: linux diff --git a/manifests/function/capz/v0.5.2/default/credentials.yaml b/manifests/function/capz/v0.5.2/default/credentials.yaml new file mode 100644 index 00000000..9be5a73d --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/credentials.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: manager-bootstrap-credentials + namespace: system +type: Opaque +data: + subscription-id: ${AZURE_SUBSCRIPTION_ID_B64:=""} + tenant-id: ${AZURE_TENANT_ID_B64:=""} + client-id: ${AZURE_CLIENT_ID_B64:=""} + client-secret: ${AZURE_CLIENT_SECRET_B64:=""} diff --git a/manifests/function/capz/v0.5.2/default/kustomization.yaml b/manifests/function/capz/v0.5.2/default/kustomization.yaml new file mode 100644 index 00000000..fe219254 --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/kustomization.yaml @@ -0,0 +1,58 @@ +namespace: capz-system + +namePrefix: capz- + +# Labels to add to all resources and selectors. +commonLabels: + cluster.x-k8s.io/provider: "infrastructure-azure" + +resources: + - namespace.yaml + - credentials.yaml + - aad-pod-identity-deployment.yaml + +bases: + - ../crd + - ../rbac + - ../manager + - ../webhook + - ../certmanager + +patchesStrategicMerge: + - manager_image_patch.yaml + - manager_pull_policy.yaml + - manager_auth_proxy_patch.yaml + - manager_credentials_patch.yaml + - manager_webhook_patch.yaml + - webhookcainjection_patch.yaml + +vars: + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + +configurations: + - kustomizeconfig.yaml diff --git a/manifests/function/capz/v0.5.2/default/kustomizeconfig.yaml b/manifests/function/capz/v0.5.2/default/kustomizeconfig.yaml new file mode 100644 index 00000000..eb191e64 --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/kustomizeconfig.yaml @@ -0,0 +1,4 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +varReference: +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/manifests/function/capz/v0.5.2/default/manager_auth_proxy_patch.yaml b/manifests/function/capz/v0.5.2/default/manager_auth_proxy_patch.yaml new file mode 100644 index 00000000..65d23b91 --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/manager_auth_proxy_patch.yaml @@ -0,0 +1,21 @@ +# This patch inject a sidecar container which is a HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https diff --git a/manifests/function/capz/v0.5.2/default/manager_credentials_patch.yaml b/manifests/function/capz/v0.5.2/default/manager_credentials_patch.yaml new file mode 100644 index 00000000..4388a83d --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/manager_credentials_patch.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + env: + - name: AZURE_SUBSCRIPTION_ID + valueFrom: + secretKeyRef: + name: manager-bootstrap-credentials + key: subscription-id + - name: AZURE_TENANT_ID + valueFrom: + secretKeyRef: + name: manager-bootstrap-credentials + key: tenant-id + - name: AZURE_CLIENT_ID + valueFrom: + secretKeyRef: + name: manager-bootstrap-credentials + key: client-id + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: manager-bootstrap-credentials + key: client-secret diff --git a/manifests/function/capz/v0.5.2/default/manager_image_patch.yaml b/manifests/function/capz/v0.5.2/default/manager_image_patch.yaml new file mode 100644 index 00000000..0876a1db --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/manager_image_patch.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + # Change the value of image field below to your controller image URL + - image: gcr.io/k8s-staging-cluster-api-azure/cluster-api-azure-controller:latest + name: manager diff --git a/manifests/function/capz/v0.5.2/default/manager_prometheus_metrics_patch.yaml b/manifests/function/capz/v0.5.2/default/manager_prometheus_metrics_patch.yaml new file mode 100644 index 00000000..0b96c681 --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/manager_prometheus_metrics_patch.yaml @@ -0,0 +1,19 @@ +# This patch enables Prometheus scraping for the manager pod. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + spec: + containers: + # Expose the prometheus metrics on default port + - name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP diff --git a/manifests/function/capz/v0.5.2/default/manager_pull_policy.yaml b/manifests/function/capz/v0.5.2/default/manager_pull_policy.yaml new file mode 100644 index 00000000..74a0879c --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/manager_pull_policy.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: Always diff --git a/manifests/function/capz/v0.5.2/default/manager_webhook_patch.yaml b/manifests/function/capz/v0.5.2/default/manager_webhook_patch.yaml new file mode 100644 index 00000000..35e2de07 --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/manager_webhook_patch.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: $(SERVICE_NAME)-cert diff --git a/manifests/function/capz/v0.5.2/default/namespace.yaml b/manifests/function/capz/v0.5.2/default/namespace.yaml new file mode 100644 index 00000000..1ab3a725 --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: system diff --git a/manifests/function/capz/v0.5.2/default/webhookcainjection_patch.yaml b/manifests/function/capz/v0.5.2/default/webhookcainjection_patch.yaml new file mode 100644 index 00000000..82b2850a --- /dev/null +++ b/manifests/function/capz/v0.5.2/default/webhookcainjection_patch.yaml @@ -0,0 +1,17 @@ + +# This patch add annotation to admission webhook config and +# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +# uncomment the following lines to enable mutating and validating webhook +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) \ No newline at end of file diff --git a/manifests/function/capz/v0.5.2/kustomization.yaml b/manifests/function/capz/v0.5.2/kustomization.yaml new file mode 100644 index 00000000..d3232410 --- /dev/null +++ b/manifests/function/capz/v0.5.2/kustomization.yaml @@ -0,0 +1,3 @@ +resources: + - default + - data diff --git a/manifests/function/capz/v0.5.2/manager/kustomization.yaml b/manifests/function/capz/v0.5.2/manager/kustomization.yaml new file mode 100644 index 00000000..96c47e35 --- /dev/null +++ b/manifests/function/capz/v0.5.2/manager/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - manager.yaml + diff --git a/manifests/function/capz/v0.5.2/manager/manager.yaml b/manifests/function/capz/v0.5.2/manager/manager.yaml new file mode 100644 index 00000000..b26ced1a --- /dev/null +++ b/manifests/function/capz/v0.5.2/manager/manager.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: capz-controller-manager + aadpodidbinding: capz-controller-aadpodidentity-selector +spec: + selector: + matchLabels: + control-plane: capz-controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: capz-controller-manager + aadpodidbinding: capz-controller-aadpodidentity-selector + annotations: + kubectl.kubernetes.io/default-logs-container: manager + spec: + containers: + - args: + - --leader-elect + - "--metrics-bind-addr=127.0.0.1:8080" + - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},AKS=${EXP_AKS:=false}" + - "--v=0" + image: controller:latest + imagePullPolicy: Always + name: manager + ports: + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 10 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + terminationGracePeriodSeconds: 10 + serviceAccountName: manager diff --git a/manifests/function/capz/v0.5.2/patch_crd_webhook_namespace.yaml b/manifests/function/capz/v0.5.2/patch_crd_webhook_namespace.yaml new file mode 100644 index 00000000..110f3a49 --- /dev/null +++ b/manifests/function/capz/v0.5.2/patch_crd_webhook_namespace.yaml @@ -0,0 +1,3 @@ +- op: replace + path: "/spec/conversion/webhook/clientConfig/service/namespace" + value: capi-webhook-system diff --git a/manifests/function/capz/v0.5.2/rbac/auth_proxy_client_clusterrole.yaml b/manifests/function/capz/v0.5.2/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 00000000..54c29664 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/auth_proxy_client_clusterrole.yaml @@ -0,0 +1,7 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: + - nonResourceURLs: ["/metrics"] + verbs: ["get"] diff --git a/manifests/function/capz/v0.5.2/rbac/auth_proxy_role.yaml b/manifests/function/capz/v0.5.2/rbac/auth_proxy_role.yaml new file mode 100644 index 00000000..618f5e41 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/manifests/function/capz/v0.5.2/rbac/auth_proxy_role_binding.yaml b/manifests/function/capz/v0.5.2/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 00000000..136c0b39 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: manager + namespace: system diff --git a/manifests/function/capz/v0.5.2/rbac/auth_proxy_service.yaml b/manifests/function/capz/v0.5.2/rbac/auth_proxy_service.yaml new file mode 100644 index 00000000..28e03f11 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/auth_proxy_service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8443" + prometheus.io/scheme: https + labels: + control-plane: capz-controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: capz-controller-manager diff --git a/manifests/function/capz/v0.5.2/rbac/kustomization.yaml b/manifests/function/capz/v0.5.2/rbac/kustomization.yaml new file mode 100644 index 00000000..3f567ac0 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - role.yaml + - role_binding.yaml + - service_account.yaml + - leader_election_role.yaml + - leader_election_role_binding.yaml + - auth_proxy_client_clusterrole.yaml + - auth_proxy_service.yaml + - auth_proxy_role.yaml + - auth_proxy_role_binding.yaml diff --git a/manifests/function/capz/v0.5.2/rbac/leader_election_role.yaml b/manifests/function/capz/v0.5.2/rbac/leader_election_role.yaml new file mode 100644 index 00000000..86ba4b1e --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/leader_election_role.yaml @@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete diff --git a/manifests/function/capz/v0.5.2/rbac/leader_election_role_binding.yaml b/manifests/function/capz/v0.5.2/rbac/leader_election_role_binding.yaml new file mode 100644 index 00000000..d5e00446 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/leader_election_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: manager + namespace: system diff --git a/manifests/function/capz/v0.5.2/rbac/role.yaml b/manifests/function/capz/v0.5.2/rbac/role.yaml new file mode 100644 index 00000000..c9278526 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/role.yaml @@ -0,0 +1,247 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aadpodidentity.k8s.io + resources: + - azureidentities + - azureidentities/status + verbs: + - get + - list + - watch +- apiGroups: + - aadpodidentity.k8s.io + resources: + - azureidentitybindings + - azureidentitybindings/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + verbs: + - get + - list + - patch + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machinepools + - machinepools/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azureclusteridentities + - azureclusteridentities/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azureclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azureclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachinepoolmachines + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachinepoolmachines/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachinepools + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachinepools/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachines + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachines/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremachinetemplates + - azuremachinetemplates/status + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremanagedclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremanagedclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremanagedcontrolplanes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremanagedcontrolplanes/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremanagedmachinepools + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - azuremanagedmachinepools/status + verbs: + - get + - patch + - update diff --git a/manifests/function/capz/v0.5.2/rbac/role_binding.yaml b/manifests/function/capz/v0.5.2/rbac/role_binding.yaml new file mode 100644 index 00000000..5a95f66d --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: manager + namespace: system diff --git a/manifests/function/capz/v0.5.2/rbac/service_account.yaml b/manifests/function/capz/v0.5.2/rbac/service_account.yaml new file mode 100644 index 00000000..c4180052 --- /dev/null +++ b/manifests/function/capz/v0.5.2/rbac/service_account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: manager + namespace: system \ No newline at end of file diff --git a/manifests/function/capz/v0.5.2/webhook/kustomization.yaml b/manifests/function/capz/v0.5.2/webhook/kustomization.yaml new file mode 100644 index 00000000..7feb516a --- /dev/null +++ b/manifests/function/capz/v0.5.2/webhook/kustomization.yaml @@ -0,0 +1,6 @@ +resources: + - manifests.yaml + - service.yaml + +configurations: + - kustomizeconfig.yaml diff --git a/manifests/function/capz/v0.5.2/webhook/kustomizeconfig.yaml b/manifests/function/capz/v0.5.2/webhook/kustomizeconfig.yaml new file mode 100644 index 00000000..39a1cc6f --- /dev/null +++ b/manifests/function/capz/v0.5.2/webhook/kustomizeconfig.yaml @@ -0,0 +1,26 @@ +# the following config is for teaching kustomize where to look at when substituting vars. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: + - kind: Service + version: v1 + fieldSpecs: + - kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: + - kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true + +varReference: + - path: metadata/annotations + diff --git a/manifests/function/capz/v0.5.2/webhook/manifests.yaml b/manifests/function/capz/v0.5.2/webhook/manifests.yaml new file mode 100644 index 00000000..df3ca8e8 --- /dev/null +++ b/manifests/function/capz/v0.5.2/webhook/manifests.yaml @@ -0,0 +1,297 @@ + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha4-azurecluster + failurePolicy: Fail + matchPolicy: Equivalent + name: default.azurecluster.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azureclusters + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachine + failurePolicy: Fail + matchPolicy: Equivalent + name: default.azuremachine.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachines + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: default.azuremachinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachinetemplates + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachinepool + failurePolicy: Fail + name: default.azuremachinepool.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachinepools + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremanagedcontrolplane + failurePolicy: Fail + name: default.azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremanagedcontrolplanes + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremanagedmachinepool + failurePolicy: Fail + matchPolicy: Equivalent + name: default.azuremanagedmachinepools.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremanagedmachinepools + sideEffects: None + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azurecluster + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.azurecluster.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azureclusters + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachine + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.azuremachine.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachines + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.azuremachinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachinetemplates + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachinepool + failurePolicy: Fail + name: validation.azuremachinepool.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachinepools + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremachinepoolmachine + failurePolicy: Fail + name: azuremachinepoolmachine.kb.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremachinepoolmachines + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremanagedcontrolplane + failurePolicy: Fail + name: validation.azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - CREATE + - UPDATE + resources: + - azuremanagedcontrolplanes + sideEffects: None +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha4-azuremanagedmachinepool + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.azuremanagedmachinepools.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha4 + operations: + - UPDATE + - DELETE + resources: + - azuremanagedmachinepools + sideEffects: None diff --git a/manifests/function/capz/v0.5.2/webhook/service.yaml b/manifests/function/capz/v0.5.2/webhook/service.yaml new file mode 100644 index 00000000..711977f5 --- /dev/null +++ b/manifests/function/capz/v0.5.2/webhook/service.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + targetPort: webhook-server diff --git a/manifests/function/cni/calico-capz/v3.20.0/README.md b/manifests/function/cni/calico-capz/v3.20.0/README.md new file mode 100644 index 00000000..daac563e --- /dev/null +++ b/manifests/function/cni/calico-capz/v3.20.0/README.md @@ -0,0 +1,10 @@ +# Calico for Azure Target Cluster + +Azure does not currently support Calico networking. The reason is Azure does not allow traffic with unknown source IPs. +As a workaround, it is recommended that Azure clusters use the Calico spec below that uses VXLAN. + +```bash +https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-azure/main/templates/addons/calico.yaml +``` + +You can find more about Calico on Azure [here](https://docs.projectcalico.org/reference/public-cloud/azure). diff --git a/manifests/function/cni/calico-capz/v3.20.0/calico.yaml b/manifests/function/cni/calico-capz/v3.20.0/calico.yaml new file mode 100644 index 00000000..7ab7662a --- /dev/null +++ b/manifests/function/cni/calico-capz/v3.20.0/calico.yaml @@ -0,0 +1,4143 @@ +--- +# Source: calico/templates/calico-config.yaml +# This ConfigMap is used to configure a self-hosted Calico installation. +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-config + namespace: kube-system +data: + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. + calico_backend: "vxlan" + # On Azure, the underlying network has an MTU of 1400, even though the network interface will have an MTU of 1500. + # We set this value to 1350 for “physical network MTU size minus 50” since we use VXLAN, which uses a 50-byte header. + # If enabling Wireguard, this value should be changed to 1340 (Wireguard uses a 60-byte header). + # https://docs.projectcalico.org/networking/mtu#determine-mtu-size + veth_mtu: "1350" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "log_file_path": "/var/log/calico/cni/cni.log", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "mtu": __CNI_MTU__, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + +--- +# Source: calico/templates/kdd-crds.yaml + + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgpconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPConfiguration + listKind: BGPConfigurationList + plural: bgpconfigurations + singular: bgpconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BGPConfiguration contains the configuration for any BGP routing. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. + properties: + asNumber: + description: 'ASNumber is the default AS number used by a node. [Default: + 64512]' + format: int32 + type: integer + communities: + description: Communities is a list of BGP community values and their + arbitrary names for tagging routes. + items: + description: Community contains standard or large community value + and its name. + properties: + name: + description: Name given to community value. + type: string + value: + description: Value must be of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and + `nn` are 16 bit number. For large community use `aa:nn:mm` + format, where `aa`, `nn` and `mm` are 32 bit number. Where, + `aa` is an AS Number, `nn` and `mm` are per-AS identifier. + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string + type: object + type: array + listenPort: + description: ListenPort is the port where BGP protocol should listen. + Defaults to 179 + maximum: 65535 + minimum: 1 + type: integer + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: INFO]' + type: string + nodeToNodeMeshEnabled: + description: 'NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]' + type: boolean + prefixAdvertisements: + description: PrefixAdvertisements contains per-prefix advertisement + configuration. + items: + description: PrefixAdvertisement configures advertisement properties + for the specified CIDR. + properties: + cidr: + description: CIDR for which properties should be advertised. + type: string + communities: + description: Communities can be list of either community names + already defined in `Specs.Communities` or community value + of format `aa:nn` or `aa:nn:mm`. For standard community use + `aa:nn` format, where `aa` and `nn` are 16 bit number. For + large community use `aa:nn:mm` format, where `aa`, `nn` and + `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and + `mm` are per-AS identifier. + items: + type: string + type: array + type: object + type: array + serviceClusterIPs: + description: ServiceClusterIPs are the CIDR blocks from which service + cluster IPs are allocated. If specified, Calico will advertise these + blocks, as well as any cluster IPs within them. + items: + description: ServiceClusterIPBlock represents a single allowed ClusterIP + CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceExternalIPs: + description: ServiceExternalIPs are the CIDR blocks for Kubernetes + Service External IPs. Kubernetes Service ExternalIPs will only be + advertised if they are within one of these blocks. + items: + description: ServiceExternalIPBlock represents a single allowed + External IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgppeers.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPPeer + listKind: BGPPeerList + plural: bgppeers + singular: bgppeer + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec contains the specification for a BGPPeer resource. + properties: + asNumber: + description: The AS Number of the peer. + format: int32 + type: integer + keepOriginalNextHop: + description: Option to keep the original nexthop field when routes + are sent to a BGP Peer. Setting "true" configures the selected BGP + Peers node to use the "next hop keep;" instead of "next hop self;"(default) + in the specific branch of the Node on "bird.cfg". + type: boolean + maxRestartTime: + description: Time to allow for software restart. When specified, this + is configured as the graceful restart timeout. When not specified, + the BIRD default of 120s is used. + type: string + node: + description: The node name identifying the Calico node instance that + is targeted by this peer. If this is not set, and no nodeSelector + is specified, then this BGP peer selects all nodes in the cluster. + type: string + nodeSelector: + description: Selector for the nodes that should have this peering. When + this is set, the Node field must be empty. + type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object + peerIP: + description: The IP address of the peer followed by an optional port + number to peer with. If port number is given, format should be `[]:port` + or `:` for IPv4. If optional port number is not set, + and this peer IP and ASNumber belongs to a calico/node with ListenPort + set in BGPConfiguration, then we use that port to peer. + type: string + peerSelector: + description: Selector for the remote nodes to peer with. When this + is set, the PeerIP and ASNumber fields must be empty. For each + peering between the local node and selected remote nodes, we configure + an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, + and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The + remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, + or the global default if that is not set. + type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: blockaffinities.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BlockAffinity + listKind: BlockAffinityList + plural: blockaffinities + singular: blockaffinity + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BlockAffinitySpec contains the specification for a BlockAffinity + resource. + properties: + cidr: + type: string + deleted: + description: Deleted indicates that this block affinity is being deleted. + This field is a string for compatibility with older releases that + mistakenly treat this field as a string. + type: string + node: + type: string + state: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: clusterinformations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: ClusterInformation + listKind: ClusterInformationList + plural: clusterinformations + singular: clusterinformation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ClusterInformation contains the cluster specific information. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterInformationSpec contains the values of describing + the cluster. + properties: + calicoVersion: + description: CalicoVersion is the version of Calico that the cluster + is running + type: string + clusterGUID: + description: ClusterGUID is the GUID of the cluster + type: string + clusterType: + description: ClusterType describes the type of the cluster + type: string + datastoreReady: + description: DatastoreReady is used during significant datastore migrations + to signal to components such as Felix that it should wait before + accessing the datastore. + type: boolean + variant: + description: Variant declares which variant of Calico should be active. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: felixconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: FelixConfiguration + listKind: FelixConfigurationList + plural: felixconfigurations + singular: felixconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean + awsSrcDstCheck: + description: 'Set source-destination-check on AWS EC2 instances. Accepted + value must be one of "DoNothing", "Enabled" or "Disabled". [Default: + DoNothing]' + enum: + - DoNothing + - Enable + - Disable + type: string + bpfConnectTimeLoadBalancingEnabled: + description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, + controls whether Felix installs the connection-time load balancer. The + connect-time load balancer is required for the host to be able to + reach Kubernetes services and it improves the performance of pod-to-service + connections. The only reason to disable it is for debugging purposes. [Default: + true]' + type: boolean + bpfDataIfacePattern: + description: 'BPFDataIfacePattern is a regular expression that controls + which interfaces Felix should attach BPF programs to in order to + catch traffic to/from the network. This needs to match the interfaces + that Calico workload traffic flows over as well as any interfaces + that handle incoming traffic to nodeports and services from outside + the cluster. It should not match the workload interfaces (usually + named cali...). [Default: ^(en.*|eth.*|tunl0$)]' + type: string + bpfDisableUnprivileged: + description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled + sysctl to disable unprivileged use of BPF. This ensures that unprivileged + users cannot access Calico''s BPF maps and cannot insert their own + BPF programs to interfere with Calico''s. [Default: true]' + type: boolean + bpfEnabled: + description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]' + type: boolean + bpfExtToServiceConnmark: + description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit + mark that is set on connections from an external client to a local + service. This mark allows us to control how packets of that connection + are routed within the host and how is routing intepreted by RPF + check. [Default: 0]' + type: integer + bpfExternalServiceMode: + description: 'BPFExternalServiceMode in BPF mode, controls how connections + from outside the cluster to services (node ports and cluster IPs) + are forwarded to remote workloads. If set to "Tunnel" then both + request and response traffic is tunneled to the remote node. If + set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote + node appears to use the IP of the ingress node; this requires a + permissive L2 network. [Default: Tunnel]' + type: string + bpfKubeProxyEndpointSlicesEnabled: + description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls + whether Felix's embedded kube-proxy accepts EndpointSlices or not. + type: boolean + bpfKubeProxyIptablesCleanupEnabled: + description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF + mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s + iptables chains. Should only be enabled if kube-proxy is not running. [Default: + true]' + type: boolean + bpfKubeProxyMinSyncPeriod: + description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the + minimum time between updates to the dataplane for Felix''s embedded + kube-proxy. Lower values give reduced set-up latency. Higher values + reduce Felix CPU usage by batching up more work. [Default: 1s]' + type: string + bpfLogLevel: + description: 'BPFLogLevel controls the log level of the BPF programs + when in BPF dataplane mode. One of "Off", "Info", or "Debug". The + logs are emitted to the BPF trace pipe, accessible with the command + `tc exec bpf debug`. [Default: Off].' + type: string + chainInsertMode: + description: 'ChainInsertMode controls whether Felix hooks the kernel’s + top-level iptables chains by inserting a rule at the top of the + chain or by appending a rule at the bottom. insert is the safe default + since it prevents Calico’s rules from being bypassed. If you switch + to append mode, be sure that the other rules in the chains signal + acceptance by falling through to the Calico rules, otherwise the + Calico policy will be bypassed. [Default: insert]' + type: string + dataplaneDriver: + type: string + debugDisableLogDropping: + type: boolean + debugMemoryProfilePath: + type: string + debugSimulateCalcGraphHangAfter: + type: string + debugSimulateDataplaneHangAfter: + type: string + defaultEndpointToHostAction: + description: 'DefaultEndpointToHostAction controls what happens to + traffic that goes from a workload endpoint to the host itself (after + the traffic hits the endpoint egress policy). By default Calico + blocks traffic from workload endpoints to the host itself with an + iptables “DROP” action. If you want to allow some or all traffic + from endpoint to host, set this parameter to RETURN or ACCEPT. Use + RETURN if you have your own rules in the iptables “INPUT” chain; + Calico will insert its rules at the top of that chain, then “RETURN” + packets to the “INPUT” chain once it has completed processing workload + endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. + [Default: Drop]' + type: string + deviceRouteProtocol: + description: This defines the route protocol added to programmed device + routes, by default this will be RTPROT_BOOT when left blank. + type: integer + deviceRouteSourceAddress: + description: This is the source address to use on programmed device + routes. By default the source address is left blank, leaving the + kernel to choose the source address used. + type: string + disableConntrackInvalidCheck: + type: boolean + endpointReportingDelay: + type: string + endpointReportingEnabled: + type: boolean + externalNodesList: + description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes + which may source tunnel traffic and have the tunneled traffic be + accepted at calico nodes. + items: + type: string + type: array + failsafeInboundHostPorts: + description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow incoming traffic to host endpoints + on irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all inbound host ports, use the value + none. The default value allows ssh access and DHCP. [Default: tcp:22, + udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' + items: + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + failsafeOutboundHostPorts: + description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow outgoing traffic from host endpoints + to irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all outbound host ports, use the value + none. The default value opens etcd''s standard ports to ensure that + Felix does not get cut off from etcd as well as allowing DHCP and + DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, + tcp:6667, udp:53, udp:67]' + items: + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + featureDetectOverride: + description: FeatureDetectOverride is used to override the feature + detection. Values are specified in a comma separated list with no + spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". + "true" or "false" will force the feature, empty or omitted values + are auto-detected. + type: string + genericXDPEnabled: + description: 'GenericXDPEnabled enables Generic XDP so network cards + that don''t support XDP offload or driver modes can use XDP. This + is not recommended since it doesn''t provide better performance + than iptables. [Default: false]' + type: boolean + healthEnabled: + type: boolean + healthHost: + type: string + healthPort: + type: integer + interfaceExclude: + description: 'InterfaceExclude is a comma-separated list of interfaces + that Felix should exclude when monitoring for host endpoints. The + default value ensures that Felix ignores Kubernetes'' IPVS dummy + interface, which is used internally by kube-proxy. If you want to + exclude multiple interface names using a single value, the list + supports regular expressions. For regular expressions you must wrap + the value with ''/''. For example having values ''/^kube/,veth1'' + will exclude all interfaces that begin with ''kube'' and also the + interface ''veth1''. [Default: kube-ipvs0]' + type: string + interfacePrefix: + description: 'InterfacePrefix is the interface name prefix that identifies + workload endpoints and so distinguishes them from host endpoint + interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker + integrations set the ‘cali’ value, and our OpenStack integration + sets the ‘tap’ value. [Default: cali]' + type: string + interfaceRefreshInterval: + description: InterfaceRefreshInterval is the period at which Felix + rescans local interfaces to verify their state. The rescan can be + disabled by setting the interval to 0. + type: string + ipipEnabled: + type: boolean + ipipMTU: + description: 'IPIPMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + ipsetsRefreshInterval: + description: 'IpsetsRefreshInterval is the period at which Felix re-checks + all iptables state to ensure that no other process has accidentally + broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: + 90s]' + type: string + iptablesBackend: + description: IptablesBackend specifies which backend of iptables will + be used. The default is legacy. + type: string + iptablesFilterAllowAction: + type: string + iptablesLockFilePath: + description: 'IptablesLockFilePath is the location of the iptables + lock file. You may need to change this if the lock file is not in + its standard location (for example if you have mapped it into Felix’s + container at a different path). [Default: /run/xtables.lock]' + type: string + iptablesLockProbeInterval: + description: 'IptablesLockProbeInterval is the time that Felix will + wait between attempts to acquire the iptables lock if it is not + available. Lower values make Felix more responsive when the lock + is contended, but use more CPU. [Default: 50ms]' + type: string + iptablesLockTimeout: + description: 'IptablesLockTimeout is the time that Felix will wait + for the iptables lock, or 0, to disable. To use this feature, Felix + must share the iptables lock file with all other processes that + also take the lock. When running Felix inside a container, this + requires the /run directory of the host to be mounted into the calico/node + or calico/felix container. [Default: 0s disabled]' + type: string + iptablesMangleAllowAction: + type: string + iptablesMarkMask: + description: 'IptablesMarkMask is the mask that Felix selects its + IPTables Mark bits from. Should be a 32 bit hexadecimal number with + at least 8 bits set, none of which clash with any other mark bits + in use on the system. [Default: 0xff000000]' + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + type: string + iptablesPostWriteCheckInterval: + description: 'IptablesPostWriteCheckInterval is the period after Felix + has done a write to the dataplane that it schedules an extra read + back in order to check the write was not clobbered by another process. + This should only occur if another application on the system doesn’t + respect the iptables lock. [Default: 1s]' + type: string + iptablesRefreshInterval: + description: 'IptablesRefreshInterval is the period at which Felix + re-checks the IP sets in the dataplane to ensure that no other process + has accidentally broken Calico''s rules. Set to 0 to disable IP + sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that + was fixed in kernel version 4.11. If you are using v4.11 or greater + you may want to set this to, a higher value to reduce Felix CPU + usage. [Default: 10s]' + type: string + ipv6Support: + type: boolean + kubeNodePortRanges: + description: 'KubeNodePortRanges holds list of port ranges used for + service node ports. Only used if felix detects kube-proxy running + in ipvs mode. Felix uses these ranges to separate host and workload + traffic. [Default: 30000:32767].' + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + logFilePath: + description: 'LogFilePath is the full path to the Felix log. Set to + none to disable file logging. [Default: /var/log/calico/felix.log]' + type: string + logPrefix: + description: 'LogPrefix is the log prefix that Felix uses when rendering + LOG rules. [Default: calico-packet]' + type: string + logSeverityFile: + description: 'LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + logSeveritySys: + description: 'LogSeveritySys is the log severity above which logs + are sent to the syslog. Set to None for no logging to syslog. [Default: + Info]' + type: string + maxIpsetSize: + type: integer + metadataAddr: + description: 'MetadataAddr is the IP address or domain name of the + server that can answer VM queries for cloud-init metadata. In OpenStack, + this corresponds to the machine running nova-api (or in Ubuntu, + nova-api-metadata). A value of none (case insensitive) means that + Felix should not set up any NAT rule for the metadata path. [Default: + 127.0.0.1]' + type: string + metadataPort: + description: 'MetadataPort is the port of the metadata server. This, + combined with global.MetadataAddr (if not ‘None’), is used to set + up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775].' + type: integer + mtuIfacePattern: + description: MTUIfacePattern is a regular expression that controls + which interfaces Felix should scan in order to calculate the host's + MTU. This should not match workload interfaces (usually named cali...). + type: string + natOutgoingAddress: + description: NATOutgoingAddress specifies an address to use when performing + source NAT for traffic in a natOutgoing pool that is leaving the + network. By default the address used is an address on the interface + the traffic is leaving on (ie it uses the iptables MASQUERADE target) + type: string + natPortRange: + anyOf: + - type: integer + - type: string + description: NATPortRange specifies the range of ports that is used + for port mapping when doing outgoing NAT. When unset the default + behavior of the network stack is used. + pattern: ^.* + x-kubernetes-int-or-string: true + netlinkTimeout: + type: string + openstackRegion: + description: 'OpenstackRegion is the name of the region that a particular + Felix belongs to. In a multi-region Calico/OpenStack deployment, + this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must + match the [calico] openstack_region value configured in neutron.conf + on each node. [Default: Empty]' + type: string + policySyncPathPrefix: + description: 'PolicySyncPathPrefix is used to by Felix to communicate + policy changes to external services, like Application layer policy. + [Default: Empty]' + type: string + prometheusGoMetricsEnabled: + description: 'PrometheusGoMetricsEnabled disables Go runtime metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]' + type: boolean + prometheusMetricsHost: + description: 'PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]' + type: integer + prometheusProcessMetricsEnabled: + description: 'PrometheusProcessMetricsEnabled disables process metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + removeExternalRoutes: + description: Whether or not to remove device routes that have not + been programmed by Felix. Disabling this will allow external applications + to also add device routes. This is enabled by default which means + we will remove externally added routes. + type: boolean + reportingInterval: + description: 'ReportingInterval is the interval at which Felix reports + its status into the datastore or 0 to disable. Must be non-zero + in OpenStack deployments. [Default: 30s]' + type: string + reportingTTL: + description: 'ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]' + type: string + routeRefreshInterval: + description: 'RouterefreshInterval is the period at which Felix re-checks + the routes in the dataplane to ensure that no other process has + accidentally broken Calico’s rules. Set to 0 to disable route refresh. + [Default: 90s]' + type: string + routeSource: + description: 'RouteSource configures where Felix gets its routing + information. - WorkloadIPs: use workload endpoints to construct + routes. - CalicoIPAM: the default - use IPAM data to construct routes.' + type: string + routeTableRange: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRange specifies the indices of the route tables + that Calico should use. + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + serviceLoopPrevention: + description: 'When service IP advertisement is enabled, prevent routing + loops to service IPs that are not in use, by dropping or rejecting + packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", + in which case such routing loops continue to be allowed. [Default: + Drop]' + type: string + sidecarAccelerationEnabled: + description: 'SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]' + type: boolean + usageReportingEnabled: + description: 'UsageReportingEnabled reports anonymous Calico version + number and cluster size to projectcalico.org. Logs warnings returned + by the usage server. For example, if a significant security vulnerability + has been discovered in the version of Calico being used. [Default: + true]' + type: boolean + usageReportingInitialDelay: + description: 'UsageReportingInitialDelay controls the minimum delay + before Felix makes a report. [Default: 300s]' + type: string + usageReportingInterval: + description: 'UsageReportingInterval controls the interval at which + Felix makes reports. [Default: 86400s]' + type: string + useInternalDataplaneDriver: + type: boolean + vxlanEnabled: + type: boolean + vxlanMTU: + description: 'VXLANMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + vxlanPort: + type: integer + vxlanVNI: + type: integer + wireguardEnabled: + description: 'WireguardEnabled controls whether Wireguard is enabled. + [Default: false]' + type: boolean + wireguardInterfaceName: + description: 'WireguardInterfaceName specifies the name to use for + the Wireguard interface. [Default: wg.calico]' + type: string + wireguardListeningPort: + description: 'WireguardListeningPort controls the listening port used + by Wireguard. [Default: 51820]' + type: integer + wireguardMTU: + description: 'WireguardMTU controls the MTU on the Wireguard interface. + See Configuring MTU [Default: 1420]' + type: integer + wireguardRoutingRulePriority: + description: 'WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]' + type: integer + xdpEnabled: + description: 'XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]' + type: boolean + xdpRefreshInterval: + description: 'XDPRefreshInterval is the period at which Felix re-checks + all XDP state to ensure that no other process has accidentally broken + Calico''s BPF maps or attached programs. Set to 0 to disable XDP + refresh. [Default: 90s]' + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: globalnetworkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkPolicy + listKind: GlobalNetworkPolicyList + plural: globalnetworkpolicies + singular: globalnetworkpolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + description: ApplyOnForward indicates to apply the rules in this policy + on forward traffic. + type: boolean + doNotTrack: + description: DoNotTrack indicates whether packets matched by the rules + in this policy should go through the data plane's connection tracking, + such as Linux conntrack. If True, the rules in this policy are + applied before any data plane connection tracking, and packets allowed + by this policy are marked as not to be tracked. + type: boolean + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + namespaceSelector: + description: NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. + type: string + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + preDNAT: + description: PreDNAT indicates to apply the rules in this policy before + any DNAT. + type: boolean + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress rules are present in the policy. The + default is: \n - [ PolicyTypeIngress ], if there are no Egress rules + (including the case where there are also no Ingress rules) \n + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress + rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are + both Ingress and Egress rules. \n When the policy is read back again, + Types will always be one of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: globalnetworksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkSet + listKind: GlobalNetworkSetList + plural: globalnetworksets + singular: globalnetworkset + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs + that share labels to allow rules to refer to them via selectors. The labels + of GlobalNetworkSet are not namespaced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: hostendpoints.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: HostEndpoint + listKind: HostEndpointList + plural: hostendpoints + singular: hostendpoint + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HostEndpointSpec contains the specification for a HostEndpoint + resource. + properties: + expectedIPs: + description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. + If \"InterfaceName\" is not present, Calico will look for an interface + matching any of the IPs in the list and apply policy to that. Note: + \tWhen using the selector match criteria in an ingress or egress + security Policy \tor Profile, Calico converts the selector into + a set of IP addresses. For host \tendpoints, the ExpectedIPs field + is used for that purpose. (If only the interface \tname is specified, + Calico does not learn the IPs of the interface for use in match + \tcriteria.)" + items: + type: string + type: array + interfaceName: + description: "Either \"*\", or the name of a specific Linux interface + to apply policy to; or empty. \"*\" indicates that this HostEndpoint + governs all traffic to, from or through the default network namespace + of the host named by the \"Node\" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked + local workloads. \n If InterfaceName is not \"*\", this HostEndpoint + only governs traffic that enters or leaves the host through the + specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs + in ExpectedIPs. Therefore, when InterfaceName is empty, at least + one expected IP must be specified. Only external interfaces (such + as “eth0”) are supported here; it isn't possible for a HostEndpoint + to protect traffic through a specific local workload interface. + \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; + initially just pre-DNAT policy. Please check Calico documentation + for the latest position." + type: string + node: + description: The node name identifying the Calico node instance. + type: string + ports: + description: Ports contains the endpoint's named ports, which may + be referenced in security policy rules. + items: + properties: + name: + type: string + port: + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + profiles: + description: A list of identifiers of security Profile objects that + apply to this endpoint. Each profile is applied in the order that + they appear in this list. Profile rules are applied after the selector-based + security policy. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: ipamblocks.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMBlock + listKind: IPAMBlockList + plural: ipamblocks + singular: ipamblock + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMBlockSpec contains the specification for an IPAMBlock + resource. + properties: + affinity: + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. + nullable: true + type: array + attributes: + items: + properties: + handle_id: + type: string + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: ipamconfigs.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMConfig + listKind: IPAMConfigList + plural: ipamconfigs + singular: ipamconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMConfigSpec contains the specification for an IPAMConfig + resource. + properties: + autoAllocateBlocks: + type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: ipamhandles.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMHandle + listKind: IPAMHandleList + plural: ipamhandles + singular: ipamhandle + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMHandleSpec contains the specification for an IPAMHandle + resource. + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: ippools.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPPool + listKind: IPPoolList + plural: ippools + singular: ippool + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec contains the specification for an IPPool resource. + properties: + blockSize: + description: The block size to use for IP address assignments from + this pool. Defaults to 26 for IPv4 and 112 for IPv6. + type: integer + cidr: + description: The pool CIDR. + type: string + disabled: + description: When disabled is true, Calico IPAM will not assign addresses + from this pool. + type: boolean + ipip: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + properties: + enabled: + description: When enabled is true, ipip tunneling will be used + to deliver packets to destinations within this pool. + type: boolean + mode: + description: The IPIP mode. This can be one of "always" or "cross-subnet". A + mode of "always" will also use IPIP tunneling for routing to + destination IP addresses within this pool. A mode of "cross-subnet" + will only use IPIP tunneling when the destination node is on + a different subnet to the originating node. The default value + (if not specified) is "always". + type: string + type: object + ipipMode: + description: Contains configuration for IPIP tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling + is disabled). + type: string + nat-outgoing: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + type: boolean + natOutgoing: + description: When nat-outgoing is true, packets sent from Calico networked + containers in this pool to destinations outside of this pool will + be masqueraded. + type: boolean + nodeSelector: + description: Allows IPPool to allocate for a specific node by label + selector. + type: string + vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. VXLAN + tunneling is disabled). + type: string + required: + - cidr + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: kubecontrollersconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: KubeControllersConfiguration + listKind: KubeControllersConfigurationList + plural: kubecontrollersconfigurations + singular: kubecontrollersconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeControllersConfigurationSpec contains the values of the + Kubernetes controllers configuration. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host endpoints. + Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation of + host endpoints for every node. [Default: Disabled]' + type: string + type: object + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer + required: + - controllers + type: object + status: + description: KubeControllersConfigurationStatus represents the status + of the configuration. It's useful for admins to be able to see the actual + config that was applied, which can be modified by environment variables + on the kube-controllers process. + properties: + environmentVars: + additionalProperties: + type: string + description: EnvironmentVars contains the environment variables on + the kube-controllers that influenced the RunningConfig. + type: object + runningConfig: + description: RunningConfig contains the effective config that is running + in the kube-controllers pod, after merging the API resource with + any environment variables. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace + controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host + endpoints. Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation + of host endpoints for every node. [Default: Disabled]' + type: string + type: object + leakGracePeriod: + description: 'LeakGracePeriod is the period used by the + controller to determine if an IP address has been leaked. + Set to 0 to disable IP garbage collection. [Default: + 15m]' + type: string + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which + logs are sent to the stdout. [Default: Info]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer + required: + - controllers + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: networkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n + Only valid on egress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. + \n When the policy is read back again, Types will always be one + of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: networksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkSet + listKind: NetworkSetList + plural: networksets + singular: networkset + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +--- +# Source: calico/templates/calico-kube-controllers-rbac.yaml + +# Include a clusterrole for the kube-controllers component, +# and bind it to the calico-kube-controllers serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +rules: + # Nodes are watched to monitor for deletions. + - apiGroups: [""] + resources: + - nodes + verbs: + - watch + - list + - get + # Pods are watched to check for existence as part of IPAM controller. + - apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + # IPAM resources are manipulated when nodes are deleted. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + verbs: + - list + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - watch + # kube-controllers manages hostendpoints. + - apiGroups: ["crd.projectcalico.org"] + resources: + - hostendpoints + verbs: + - get + - list + - create + - update + - delete + # Needs access to update clusterinformations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - clusterinformations + verbs: + - get + - create + - update + # KubeControllersConfiguration is where it gets its config + - apiGroups: ["crd.projectcalico.org"] + resources: + - kubecontrollersconfigurations + verbs: + # read its own config + - get + # create a default if none exists + - create + # update status + - update + # watch for changes + - watch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-kube-controllers +subjects: + - kind: ServiceAccount + name: calico-kube-controllers + namespace: kube-system +--- + +--- +# Source: calico/templates/calico-node-rbac.yaml +# Include a clusterrole for the calico-node DaemonSet, +# and bind it to the calico-node serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-node +rules: + # The CNI plugin needs to get pods, nodes, and namespaces. + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + # EndpointSlices are used for Service-based network policy rule + # enforcement. + - apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: + - watch + - list + - apiGroups: [""] + resources: + - endpoints + - services + verbs: + # Used to discover service IPs for advertisement. + - watch + - list + # Used to discover Typhas. + - get + # Pod CIDR auto-detection on kubeadm needs access to config maps. + - apiGroups: [""] + resources: + - configmaps + verbs: + - get + - apiGroups: [""] + resources: + - nodes/status + verbs: + # Needed for clearing NodeNetworkUnavailable flag. + - patch + # Calico stores some configuration information in node annotations. + - update + # Watch for changes to Kubernetes NetworkPolicies. + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - watch + - list + # Used by Calico for policy information. + - apiGroups: [""] + resources: + - pods + - namespaces + - serviceaccounts + verbs: + - list + - watch + # The CNI plugin patches pods/status. + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + # Calico monitors various CRDs for config. + - apiGroups: ["crd.projectcalico.org"] + resources: + - globalfelixconfigs + - felixconfigurations + - bgppeers + - globalbgpconfigs + - bgpconfigurations + - ippools + - ipamblocks + - globalnetworkpolicies + - globalnetworksets + - networkpolicies + - networksets + - clusterinformations + - hostendpoints + - blockaffinities + verbs: + - get + - list + - watch + # Calico must create and update some CRDs on startup. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + - felixconfigurations + - clusterinformations + verbs: + - create + - update + # Calico stores some configuration information on the node. + - apiGroups: [""] + resources: + - nodes + verbs: + - get + - list + - watch + # These permissions are only required for upgrade from v2.6, and can + # be removed after upgrade or on fresh installations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - bgpconfigurations + - bgppeers + verbs: + - create + - update + # These permissions are required for Calico CNI to perform IPAM allocations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: ["crd.projectcalico.org"] + resources: + - ipamconfigs + verbs: + - get + # Block affinities must also be watchable by confd for route aggregation. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + verbs: + - watch + # The Calico IPAM migration needs to get daemonsets. These permissions can be + # removed if not upgrading from an installation using host-local IPAM. + - apiGroups: ["apps"] + resources: + - daemonsets + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-node +subjects: + - kind: ServiceAccount + name: calico-node + namespace: kube-system + +--- +# Source: calico/templates/calico-node.yaml +# This manifest installs the calico-node container, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + namespace: kube-system + labels: + k8s-app: calico-node +spec: + selector: + matchLabels: + k8s-app: calico-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: calico-node + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + tolerations: + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: calico-node + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: + # This container performs upgrade from host-local IPAM to calico-ipam. + # It can be deleted if this is a fresh installation, or if you have already + # upgraded to use calico-ipam. + - name: upgrade-ipam + image: calico/cni:v3.20.0 + command: ["/opt/cni/bin/calico-ipam", "-upgrade"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + volumeMounts: + - mountPath: /var/lib/cni/networks + name: host-local-net-dir + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + securityContext: + privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: calico/cni:v3.20.0 + command: ["/opt/cni/bin/install"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "10-calico.conflist" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: calico-config + key: cni_network_config + # Set the hostname based on the k8s node name. + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # CNI MTU Config variable + - name: CNI_MTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Prevents the container from sleeping forever. + - name: SLEEP + value: "false" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + securityContext: + privileged: true + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver + image: calico/pod2daemon-flexvol:v3.20.0 + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver + securityContext: + privileged: true + containers: + # Runs calico-node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: calico/node:v3.20.0 + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: "kubernetes" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Choose the backend to use. + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "k8s,bgp" + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" + # Enable VXLAN + - name: CALICO_IPV4POOL_VXLAN + value: "Always" + # Set MTU for tunnel device used if ipip is enabled + - name: FELIX_IPINIPMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Set MTU for the VXLAN tunnel device. + - name: FELIX_VXLANMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Set MTU for the Wireguard tunnel device. + - name: FELIX_WIREGUARDMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + # - name: CALICO_IPV4POOL_CIDR + # value: "192.168.0.0/16" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + # Disable IPv6 on Kubernetes. + - name: FELIX_IPV6SUPPORT + value: "false" + - name: FELIX_FEATUREDETECTOVERRIDE + value: "ChecksumOffloadBroken=true" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + readinessProbe: + exec: + command: + - /bin/calico-node + - -felix-ready + periodSeconds: 10 + volumeMounts: + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: false + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: policysync + mountPath: /var/run/nodeagent + # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the + # parent directory. + - name: sysfs + mountPath: /sys/fs/ + # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. + # If the host is known to mount that filesystem already then Bidirectional can be omitted. + mountPropagation: Bidirectional + - name: cni-log-dir + mountPath: /var/log/calico/cni + readOnly: true + volumes: + # Used by calico-node. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + - name: sysfs + hostPath: + path: /sys/fs/ + type: DirectoryOrCreate + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used to access CNI logs. + - name: cni-log-dir + hostPath: + path: /var/log/calico/cni + # Mount in the directory for host-local IPAM allocations. This is + # used when upgrading from host-local to calico-ipam, and can be removed + # if not using the upgrade-ipam init container. + - name: host-local-net-dir + hostPath: + path: /var/lib/cni/networks + # Used to create per-pod Unix Domain Sockets + - name: policysync + hostPath: + type: DirectoryOrCreate + path: /var/run/nodeagent + # Used to install Flex Volume Driver + - name: flexvol-driver-host + hostPath: + type: DirectoryOrCreate + path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-node + namespace: kube-system + +--- +# Source: calico/templates/calico-kube-controllers.yaml +# See https://github.com/projectcalico/kube-controllers +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + # The controllers can only have a single active instance. + replicas: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers + strategy: + type: Recreate + template: + metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: calico-kube-controllers + priorityClassName: system-cluster-critical + containers: + - name: calico-kube-controllers + image: calico/kube-controllers:v3.20.0 + env: + # Choose which controllers to run. + - name: ENABLED_CONTROLLERS + value: node + - name: DATASTORE_TYPE + value: kubernetes + livenessProbe: + exec: + command: + - /usr/bin/check-status + - -l + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + readinessProbe: + exec: + command: + - /usr/bin/check-status + - -r + periodSeconds: 10 + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-kube-controllers + namespace: kube-system + +--- + +# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers +--- +# Source: calico/templates/calico-etcd-secrets.yaml + +--- +# Source: calico/templates/calico-typha.yaml + +--- +# Source: calico/templates/configure-canal.yaml diff --git a/manifests/function/cni/calico-capz/v3.20.0/kustomization.yaml b/manifests/function/cni/calico-capz/v3.20.0/kustomization.yaml new file mode 100644 index 00000000..d297e470 --- /dev/null +++ b/manifests/function/cni/calico-capz/v3.20.0/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - calico.yaml diff --git a/manifests/function/k8scontrol-capz/v0.5.2/README.md b/manifests/function/k8scontrol-capz/v0.5.2/README.md new file mode 100644 index 00000000..9ca13fef --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/README.md @@ -0,0 +1,6 @@ +# CAPZ Cluster and Control Plane Resources +This folder contains the manifests necessary to deploy target cluster on Azure cloud. +These manifests were generated using **clusterctl generate** command with **public flavor** and then broken down into three manifests: +- cluster.yaml - provides the generic Cluster, AzureCluster, AzureClusterIdentity, and Secret (for client ID) resources. +- controlplane.yaml - provides the KubeadmControlPlane and AzureMachineTemplate resources. +- workers.yaml - this manifest is located in ../../workers-capz folder \ No newline at end of file diff --git a/manifests/function/k8scontrol-capz/v0.5.2/cluster.yaml b/manifests/function/k8scontrol-capz/v0.5.2/cluster.yaml new file mode 100644 index 00000000..6f2329c9 --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/cluster.yaml @@ -0,0 +1,66 @@ +apiVersion: cluster.x-k8s.io/v1alpha4 +kind: Cluster +metadata: + labels: + cni: calico + name: target-cluster + namespace: default +spec: + clusterNetwork: + pods: + cidrBlocks: + - 192.168.0.0/16 + controlPlaneRef: + apiVersion: controlplane.cluster.x-k8s.io/v1alpha4 + kind: KubeadmControlPlane + name: target-cluster-control-plane + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 + kind: AzureCluster + name: target-cluster +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 +kind: AzureCluster +metadata: + name: target-cluster + namespace: default +spec: + identityRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 + kind: AzureClusterIdentity + name: target-cluster-identity + location: centralus + networkSpec: + vnet: + name: target-cluster-vnet + resourceGroup: target-cluster-rg + subscriptionID: cb3e23d3-b697-4c4f-a1a7-529e308691e4 +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 +kind: AzureClusterIdentity +metadata: + labels: + clusterctl.cluster.x-k8s.io/move-hierarchy: "true" + name: target-cluster-identity + namespace: default +spec: + allowedNamespaces: {} + clientID: + clientSecret: + name: target-cluster-identity-secret + namespace: default + tenantID: + type: ServicePrincipal +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + clusterctl.cluster.x-k8s.io/move-hierarchy: "true" + annotations: + config.kubernetes.io/path: target-infra/secret_target-cluster-identity-secret.yaml + name: target-cluster-identity-secret + namespace: default +type: Opaque +data: + clientSecret: diff --git a/manifests/function/k8scontrol-capz/v0.5.2/controlplane.yaml b/manifests/function/k8scontrol-capz/v0.5.2/controlplane.yaml new file mode 100644 index 00000000..698430a7 --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/controlplane.yaml @@ -0,0 +1,104 @@ +--- +apiVersion: controlplane.cluster.x-k8s.io/v1alpha4 +kind: KubeadmControlPlane +metadata: + name: target-cluster-control-plane + namespace: default +spec: + kubeadmConfigSpec: + clusterConfiguration: + apiServer: + extraArgs: + cloud-config: /etc/kubernetes/azure.json + cloud-provider: azure + extraVolumes: + - hostPath: /etc/kubernetes/azure.json + mountPath: /etc/kubernetes/azure.json + name: cloud-config + readOnly: true + timeoutForControlPlane: 20m + controllerManager: + extraArgs: + allocate-node-cidrs: "false" + cloud-config: /etc/kubernetes/azure.json + cloud-provider: azure + cluster-name: target-cluster + extraVolumes: + - hostPath: /etc/kubernetes/azure.json + mountPath: /etc/kubernetes/azure.json + name: cloud-config + readOnly: true + etcd: + local: + dataDir: /var/lib/etcddisk/etcd + extraArgs: + quota-backend-bytes: "8589934592" + diskSetup: + filesystems: + - device: /dev/disk/azure/scsi1/lun0 + extraOpts: + - -E + - lazy_itable_init=1,lazy_journal_init=1 + filesystem: ext4 + label: etcd_disk + - device: ephemeral0.1 + filesystem: ext4 + label: ephemeral0 + replaceFS: ntfs + partitions: + - device: /dev/disk/azure/scsi1/lun0 + layout: true + overwrite: false + tableType: gpt + files: + - contentFrom: + secret: + key: control-plane-azure.json + name: target-cluster-control-plane-azure-json + owner: root:root + path: /etc/kubernetes/azure.json + permissions: "0644" + initConfiguration: + nodeRegistration: + kubeletExtraArgs: + azure-container-registry-config: /etc/kubernetes/azure.json + cloud-config: /etc/kubernetes/azure.json + cloud-provider: azure + name: '{{ ds.meta_data["local_hostname"] }}' + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + azure-container-registry-config: /etc/kubernetes/azure.json + cloud-config: /etc/kubernetes/azure.json + cloud-provider: azure + name: '{{ ds.meta_data["local_hostname"] }}' + mounts: + - - LABEL=etcd_disk + - /var/lib/etcddisk + postKubeadmCommands: [] + preKubeadmCommands: [] + machineTemplate: + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 + kind: AzureMachineTemplate + name: target-cluster-control-plane + replicas: 1 + version: v1.21.1 +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 +kind: AzureMachineTemplate +metadata: + name: target-cluster-control-plane + namespace: default +spec: + template: + spec: + dataDisks: + - diskSizeGB: 256 + lun: 0 + nameSuffix: etcddisk + osDisk: + diskSizeGB: 128 + osType: Linux + sshPublicKey: "" + vmSize: Standard_D2s_v3 diff --git a/manifests/function/k8scontrol-capz/v0.5.2/kustomization.yaml b/manifests/function/k8scontrol-capz/v0.5.2/kustomization.yaml new file mode 100644 index 00000000..e583318a --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - ../../airshipctl-base-catalogues + - namespace.yaml + - cluster.yaml + - controlplane.yaml diff --git a/manifests/function/k8scontrol-capz/v0.5.2/namespace.yaml b/manifests/function/k8scontrol-capz/v0.5.2/namespace.yaml new file mode 100644 index 00000000..b3202848 --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: target-infra diff --git a/manifests/function/k8scontrol-capz/v0.5.2/replacements/cluster.yaml b/manifests/function/k8scontrol-capz/v0.5.2/replacements/cluster.yaml new file mode 100644 index 00000000..ce5342d5 --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/replacements/cluster.yaml @@ -0,0 +1,140 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: k8scontrol-cluster-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +# Target Cluster - Azure K8S Version +- source: + objref: + kind: VersionsCatalogue + name: versions-airshipctl + fieldref: "{.spec.kubernetes}" + target: + objref: + kind: KubeadmControlPlane + name: target-cluster-control-plane + fieldrefs: ["{.spec.version}"] + +# Azure Cloud's Subscription ID +- source: + objref: + kind: VariableCatalogue + name: combined-target-secrets + fieldref: ".secretGroups[name=azureIdentity].values[name=subscriptionID].data" + target: + objref: + kind: AzureCluster + name: target-cluster + fieldrefs: ["{.spec.subscriptionID}"] + +# Azure Cloud Subscription's Tenant ID +- source: + objref: + kind: VariableCatalogue + name: combined-target-secrets + fieldref: ".secretGroups[name=azureIdentity].values[name=tenantID].data" + target: + objref: + kind: AzureClusterIdentity + name: target-cluster-identity + fieldrefs: ["{.spec.tenantID}"] + +# Azure Cloud Subscription's Client ID +- source: + objref: + kind: VariableCatalogue + name: combined-target-secrets + fieldref: ".secretGroups[name=azureIdentity].values[name=clientID].data" + target: + objref: + kind: AzureClusterIdentity + name: target-cluster-identity + fieldrefs: ["{.spec.clientID}"] + +# Azure Cloud Subscription's Client Secret +- source: + objref: + kind: VariableCatalogue + name: combined-target-secrets + fieldref: ".secretGroups[name=azureIdentity].values[name=clientSecret].data" + target: + objref: + kind: Secret + name: target-cluster-identity-secret + fieldrefs: ["{.data.clientSecret}"] + +# Target Cluster - Azure location +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.cluster.location}" + target: + objref: + kind: AzureCluster + name: target-cluster + fieldrefs: ["{.spec.location}"] + +# Target cluster - Azure VNet Name +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.cluster.vnetName}" + target: + objref: + kind: AzureCluster + name: target-cluster + fieldrefs: ["{.spec.networkSpec.vnet.name}"] + +# Target Cluster - Azure Resource Group +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.cluster.resourceGroup}" + target: + objref: + kind: AzureCluster + name: target-cluster + fieldrefs: ["{.spec.resourceGroup}"] + +# Target Cluster - Control Plane Replica Count +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.controlplane.replicas}" + target: + objref: + kind: KubeadmControlPlane + name: target-cluster-control-plane + fieldrefs: ["{.spec.replicas}"] + +# Target Cluster - Control Plane VM Flavor +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.controlplane.vmSize}" + target: + objref: + kind: AzureMachineTemplate + name: target-cluster-control-plane + fieldrefs: ["{.spec.template.spec.vmSize}"] + +# Target Cluster - Control Plane SSH Public Key access +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.controlplane.sshPublicKey}" + target: + objref: + kind: AzureMachineTemplate + name: target-cluster-control-plane + fieldrefs: ["{.spec.template.spec.sshPublicKey}"] diff --git a/manifests/function/k8scontrol-capz/v0.5.2/replacements/kustomization.yaml b/manifests/function/k8scontrol-capz/v0.5.2/replacements/kustomization.yaml new file mode 100644 index 00000000..993fbde1 --- /dev/null +++ b/manifests/function/k8scontrol-capz/v0.5.2/replacements/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - cluster.yaml diff --git a/manifests/function/workers-capz/v0.5.2/README.md b/manifests/function/workers-capz/v0.5.2/README.md new file mode 100644 index 00000000..0167d86e --- /dev/null +++ b/manifests/function/workers-capz/v0.5.2/README.md @@ -0,0 +1,6 @@ +# CAPZ Worker Resources +This folder contains the manifests necessary to deploy target cluster on Azure cloud. +These manifests were generated using **clusterctl generate** command with **public flavor** and then broken down into three manifests: +- cluster.yaml - this manifest is located in ../../k8scontrol-capz folder. +- controlplane.yaml - this manifest is located in ../../k8scontrol-capz folder. +- workers.yaml - provides the manifests for MachineDeployment, AzureMachineTemplate, and KubeadmConfigTemplate resources. \ No newline at end of file diff --git a/manifests/function/workers-capz/v0.5.2/kustomization.yaml b/manifests/function/workers-capz/v0.5.2/kustomization.yaml new file mode 100644 index 00000000..35f15361 --- /dev/null +++ b/manifests/function/workers-capz/v0.5.2/kustomization.yaml @@ -0,0 +1,3 @@ +resources: + - ../../airshipctl-base-catalogues + - workers.yaml diff --git a/manifests/function/workers-capz/v0.5.2/replacements/kustomization.yaml b/manifests/function/workers-capz/v0.5.2/replacements/kustomization.yaml new file mode 100644 index 00000000..71fcd3f0 --- /dev/null +++ b/manifests/function/workers-capz/v0.5.2/replacements/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - worker.yaml diff --git a/manifests/function/workers-capz/v0.5.2/replacements/worker.yaml b/manifests/function/workers-capz/v0.5.2/replacements/worker.yaml new file mode 100644 index 00000000..bb02567d --- /dev/null +++ b/manifests/function/workers-capz/v0.5.2/replacements/worker.yaml @@ -0,0 +1,56 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: k8scontrol-cluster-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +# Target Cluster - Azure K8S Version +- source: + objref: + kind: VersionsCatalogue + name: versions-airshipctl + fieldref: "{.spec.kubernetes}" + target: + objref: + kind: MachineDeployment + name: target-cluster-md-0 + fieldrefs: ["{.spec.template.spec.version}"] + +# Target Cluster - Worker Replica Count +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.worker.replicas}" + target: + objref: + kind: MachineDeployment + name: target-cluster-md-0 + fieldrefs: ["{.spec.replicas}"] + +# Target Cluster - Worker VM Flavor +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.controlplane.vmSize}" + target: + objref: + kind: AzureMachineTemplate + name: target-cluster-md-0 + fieldrefs: ["{.spec.template.spec.vmSize}"] + +# Target Cluster - Control Plane SSH Public Key access +- source: + objref: + kind: VariableCatalogue + name: azure-catalogue + fieldref: "{.controlplane.sshPublicKey}" + target: + objref: + kind: AzureMachineTemplate + name: target-cluster-md-0 + fieldrefs: ["{.spec.template.spec.sshPublicKey}"] diff --git a/manifests/function/workers-capz/v0.5.2/workers.yaml b/manifests/function/workers-capz/v0.5.2/workers.yaml new file mode 100644 index 00000000..9160c5ce --- /dev/null +++ b/manifests/function/workers-capz/v0.5.2/workers.yaml @@ -0,0 +1,63 @@ +--- +apiVersion: cluster.x-k8s.io/v1alpha4 +kind: MachineDeployment +metadata: + name: target-cluster-md-0 + namespace: default +spec: + clusterName: target-cluster + replicas: 3 + selector: + matchLabels: null + template: + spec: + bootstrap: + configRef: + apiVersion: bootstrap.cluster.x-k8s.io/v1alpha4 + kind: KubeadmConfigTemplate + name: target-cluster-md-0 + clusterName: target-cluster + infrastructureRef: + apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 + kind: AzureMachineTemplate + name: target-cluster-md-0 + version: v1.21.1 +--- +apiVersion: infrastructure.cluster.x-k8s.io/v1alpha4 +kind: AzureMachineTemplate +metadata: + name: target-cluster-md-0 + namespace: default +spec: + template: + spec: + osDisk: + diskSizeGB: 128 + osType: Linux + sshPublicKey: "" + vmSize: Standard_D2s_v3 +--- +apiVersion: bootstrap.cluster.x-k8s.io/v1alpha4 +kind: KubeadmConfigTemplate +metadata: + name: target-cluster-md-0 + namespace: default +spec: + template: + spec: + files: + - contentFrom: + secret: + key: worker-node-azure.json + name: target-cluster-md-0-azure-json + owner: root:root + path: /etc/kubernetes/azure.json + permissions: "0644" + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + azure-container-registry-config: /etc/kubernetes/azure.json + cloud-config: /etc/kubernetes/azure.json + cloud-provider: azure + name: '{{ ds.meta_data["local_hostname"] }}' + preKubeadmCommands: [] diff --git a/manifests/phases/executors.yaml b/manifests/phases/executors.yaml index 52db341e..c8cab4e2 100644 --- a/manifests/phases/executors.yaml +++ b/manifests/phases/executors.yaml @@ -596,4 +596,4 @@ spec: configRef: kind: ConfigMap name: merge-kubeconfig - apiVersion: v1 \ No newline at end of file + apiVersion: v1