From 674f8109ca90764b88bad6276f51c05435d9a752 Mon Sep 17 00:00:00 2001 
From: Nikolay Fedorov Date: Fri, 31 Jan 2020 17:43:18 +0400 Subject: [PATCH] Add Cluster API Bootstrap Provider Kubeadm Cluster API bootstrap provider Kubeadm (CABPK) is a component of Cluster API that is responsible of generating a cloud-init script to turn a Machine into a Kubernetes Node Change-Id: Iba71be2bae90c2bb19a52624329ff841717fc349 --- manifests/function/kubeadm/kustomization.yaml | 18 + manifests/function/kubeadm/namespace.yaml | 4 + manifests/function/kubeadm/provider.yaml | 58 ++ .../rbac/cabpk-leader-election-role.yaml | 26 + .../cabpk-leader-election-rolebinding.yaml | 12 + .../kubeadm/rbac/cabpk-manager-role.yaml | 45 + .../rbac/cabpk-manager-rolebinding.yaml | 12 + .../kubeadm/rbac/cabpk-proxy-role.yaml | 18 + .../kubeadm/rbac/cabpk-proxy-rolebinding.yaml | 12 + .../function/kubeadm/rbac/kustomization.yaml | 7 + ...admconfigs.bootstrap.cluster.x-k8s.io.yaml | 821 +++++++++++++++++ ...gtemplates.bootstrap.cluster.x-k8s.io.yaml | 859 ++++++++++++++++++ .../global/crd/kubeadm/kustomization.yaml | 3 + 13 files changed, 1895 insertions(+) create mode 100644 manifests/function/kubeadm/kustomization.yaml create mode 100644 manifests/function/kubeadm/namespace.yaml create mode 100644 manifests/function/kubeadm/provider.yaml create mode 100644 manifests/function/kubeadm/rbac/cabpk-leader-election-role.yaml create mode 100644 manifests/function/kubeadm/rbac/cabpk-leader-election-rolebinding.yaml create mode 100644 manifests/function/kubeadm/rbac/cabpk-manager-role.yaml create mode 100644 manifests/function/kubeadm/rbac/cabpk-manager-rolebinding.yaml create mode 100644 manifests/function/kubeadm/rbac/cabpk-proxy-role.yaml create mode 100644 manifests/function/kubeadm/rbac/cabpk-proxy-rolebinding.yaml create mode 100644 manifests/function/kubeadm/rbac/kustomization.yaml create mode 100644 manifests/global/crd/kubeadm/kubeadmconfigs.bootstrap.cluster.x-k8s.io.yaml create mode 100644 
manifests/global/crd/kubeadm/kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io.yaml create mode 100644 manifests/global/crd/kubeadm/kustomization.yaml
diff --git a/manifests/function/kubeadm/kustomization.yaml b/manifests/function/kubeadm/kustomization.yaml
new file mode 100644
index 000000000..17fbc9fa9
--- /dev/null
+++ b/manifests/function/kubeadm/kustomization.yaml
@@ -0,0 +1,18 @@
+resources:
+ - ../../global/crd/kubeadm
+ - rbac
+ - provider.yaml
+ - namespace.yaml
+
+commonLabels:
+ # NOTE We can't use airshipit.org/clustertype
+ # bacause a label can't consists of multiple values
+ airshipit.org/ephemeral: "true"
+ airshipit.org/target: "true"
+
+namespace: capbk
+
+#vars:
+ # $(IMAGE_PULL_POLICY)
+ # The image pull policy by default should be "IfNotPresent",
+ # it should be globally defined for all images
diff --git a/manifests/function/kubeadm/namespace.yaml b/manifests/function/kubeadm/namespace.yaml
new file mode 100644
index 000000000..09cdd80d3
--- /dev/null
+++ b/manifests/function/kubeadm/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: capbk
diff --git a/manifests/function/kubeadm/provider.yaml b/manifests/function/kubeadm/provider.yaml
new file mode 100644
index 000000000..221851704
--- /dev/null
+++ b/manifests/function/kubeadm/provider.yaml
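Review bot: `provider.yaml` in this change sets `imagePullPolicy: $(IMAGE_PULL_POLICY)` on both containers, but the `vars:` stanza that would declare that var is commented out here, so nothing substitutes it and the rendered Deployment presumably carries the literal string `$(IMAGE_PULL_POLICY)`, which is not a valid pull policy (as far as I know kustomize leaves an undeclared `$(VAR)` reference untouched rather than failing — confirm on the rendered output). Either declare the var here against something an overlay can set, or drop the reference and let the policy default. The comment also has two typos; suggest `# because a label can't hold multiple values`. The namespace is spelled `capbk` while every resource in the change is named `cabpk-*`; pick one spelling so the function is greppable.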
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: https
+ prometheus.io/scrape: "true"
+ labels:
+ control-plane: cabpk-controller-manager
+ name: cabpk-controller-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ control-plane: cabpk-controller-manager
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: cabpk-controller-manager
+ name: cabpk-controller-manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: cabpk-controller-manager
+ template:
+ metadata:
+ labels:
+ control-plane: cabpk-controller-manager
+ spec:
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+ imagePullPolicy: $(IMAGE_PULL_POLICY)
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ - args:
+ - --metrics-addr=127.0.0.1:8080
+ - --v=4
+ - --enable-leader-election
+ image: gcr.io/k8s-staging-capi-kubeadm/cluster-api-kubeadm-controller:latest
+ imagePullPolicy: $(IMAGE_PULL_POLICY)
+ name: manager
+ terminationGracePeriodSeconds: 10
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
diff --git a/manifests/function/kubeadm/rbac/cabpk-leader-election-role.yaml b/manifests/function/kubeadm/rbac/cabpk-leader-election-role.yaml
new file mode 100644
index 000000000..4dcf11dcc
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/cabpk-leader-election-role.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cabpk-leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
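Review bot: The `manager` container pulls `gcr.io/k8s-staging-capi-kubeadm/cluster-api-kubeadm-controller:latest`, a mutable tag from a staging registry, so what actually runs can change between deployments and cannot be audited or reproduced; pin it to a release tag or, better, an `@sha256:` digest (the sibling `kube-rbac-proxy:v0.4.0` is at least tagged). Combined with the intended `IfNotPresent` pull policy, `:latest` also means each node keeps whatever it cached first. Neither container sets a `securityContext` or resource limits, and the pod template names no `serviceAccountName`, so it runs as the namespace's `default` ServiceAccount — which the RBAC files in this change bind cluster-wide permissions to. `--v=10` on kube-rbac-proxy is maximum verbosity and is likely to log per-request detail; it should not ship as the default. A minimal hardening of the pod spec would look like the excerpt below.
```yaml
    spec:
      serviceAccountName: cabpk-manager
      containers:
      - args:
        # … unchanged: kube-rbac-proxy args, but lower --v=10 …
        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
        name: kube-rbac-proxy
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
        # … unchanged: imagePullPolicy, ports …
      - args:
        # … unchanged: manager args …
        image: gcr.io/k8s-staging-capi-kubeadm/cluster-api-kubeadm-controller@sha256:<digest>
        name: manager
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
        # … unchanged: imagePullPolicy …
```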
diff --git a/manifests/function/kubeadm/rbac/cabpk-leader-election-rolebinding.yaml b/manifests/function/kubeadm/rbac/cabpk-leader-election-rolebinding.yaml
new file mode 100644
index 000000000..b09b54fb0
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/cabpk-leader-election-rolebinding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cabpk-leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cabpk-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
diff --git a/manifests/function/kubeadm/rbac/cabpk-manager-role.yaml b/manifests/function/kubeadm/rbac/cabpk-manager-role.yaml
new file mode 100644
index 000000000..1681e4592
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/cabpk-manager-role.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: cabpk-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - events
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ resources:
+ - kubeadmconfigs
+ - kubeadmconfigs/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusters
+ - clusters/status
+ - machines
+ - machines/status
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/manifests/function/kubeadm/rbac/cabpk-manager-rolebinding.yaml b/manifests/function/kubeadm/rbac/cabpk-manager-rolebinding.yaml
new file mode 100644
index 000000000..68d476239
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/cabpk-manager-rolebinding.yaml
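Review bot: The first rule of `cabpk-manager-role` grants create/delete/get/list/patch/update/watch on `secrets` and `configmaps` in every namespace — effectively read/write on every credential in the cluster — and the binding in this change attaches it to a ServiceAccount named `default`. A ClusterRole cannot be narrowed by namespace, and the bootstrap provider presumably does have to write bootstrap-data Secrets and read the workload cluster's CA Secrets wherever the Cluster objects live, so at minimum record that justification above the rule, e.g. `# cluster-wide on purpose: bootstrap data and cluster CA Secrets live in the Cluster's namespace, not in capbk`. `delete` on `events` looks unnecessary for a controller that only emits events; confirm and drop it if so. `creationTimestamp: null` under `metadata` is controller-gen residue and should be removed.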
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cabpk-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cabpk-manager-role
+subjects:
+- kind: ServiceAccount
+ name: default
diff --git a/manifests/function/kubeadm/rbac/cabpk-proxy-role.yaml b/manifests/function/kubeadm/rbac/cabpk-proxy-role.yaml
new file mode 100644
index 000000000..68bf6784f
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/cabpk-proxy-role.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cabpk-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/manifests/function/kubeadm/rbac/cabpk-proxy-rolebinding.yaml b/manifests/function/kubeadm/rbac/cabpk-proxy-rolebinding.yaml
new file mode 100644
index 000000000..d89f36728
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/cabpk-proxy-rolebinding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cabpk-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cabpk-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: default
diff --git a/manifests/function/kubeadm/rbac/kustomization.yaml b/manifests/function/kubeadm/rbac/kustomization.yaml
new file mode 100644
index 000000000..7c71481fa
--- /dev/null
+++ b/manifests/function/kubeadm/rbac/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+ - cabpk-leader-election-rolebinding.yaml
+ - cabpk-leader-election-role.yaml
+ - cabpk-manager-rolebinding.yaml
+ - cabpk-manager-role.yaml
+ - cabpk-proxy-rolebinding.yaml
+ - cabpk-proxy-role.yaml
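Review bot: `subjects` binds the cluster-wide `cabpk-manager-role` (which includes read/write on all Secrets) to the ServiceAccount named `default`, and that SA is mounted into every pod in `capbk` that does not name its own, so any workload that lands in the namespace inherits the controller's cluster-wide privileges. Create a dedicated ServiceAccount and reference it explicitly — `- kind: ServiceAccount`, `name: cabpk-manager`, `namespace: capbk` — then set `serviceAccountName` on the Deployment and `automountServiceAccountToken: false` on the namespace's `default` SA. The subject also carries no `namespace`, so the binding relies on kustomize's namespace transformer to fill it in; worth verifying in the rendered output, since the API server requires it for ServiceAccount subjects. The same `name: default` subject appears in the leader-election and proxy bindings in this change and should move to the dedicated SA as well.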
diff --git a/manifests/global/crd/kubeadm/kubeadmconfigs.bootstrap.cluster.x-k8s.io.yaml b/manifests/global/crd/kubeadm/kubeadmconfigs.bootstrap.cluster.x-k8s.io.yaml
new file mode 100644
index 000000000..af2f07d6d
--- /dev/null
+++ b/manifests/global/crd/kubeadm/kubeadmconfigs.bootstrap.cluster.x-k8s.io.yaml
@@ -0,0 +1,821 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: kubeadmconfigs.bootstrap.cluster.x-k8s.io +spec: + group: bootstrap.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: KubeadmConfig + listKind: KubeadmConfigList + plural: kubeadmconfigs + singular: kubeadmconfig + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: KubeadmConfig is the Schema for the kubeadmconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeadmConfigSpec defines the desired state of KubeadmConfig. + Either ClusterConfiguration and InitConfiguration should be defined or + the JoinConfiguration should be defined. + properties: + clusterConfiguration: + description: ClusterConfiguration along with InitConfiguration are the + configurations necessary for the init command + properties: + apiServer: + description: APIServer contains extra settings for the API server + control plane component + properties: + certSANs: + description: CertSANs sets extra Subject Alternative Names for + the API Server signing cert. + items: + type: string + type: array + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to pass to + the control plane component. 
TODO: This is temporary and ideally + we would like to switch all components to use ComponentConfig + + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, mounted + to the control plane component. + items: + description: HostPathMount contains elements describing volumes + that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host that will + be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the pod where + hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to the volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + timeoutForControlPlane: + description: TimeoutForControlPlane controls the timeout that + we use for API server to appear + type: string + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the + latest internal value, and may reject unrecognized values. More + info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + certificatesDir: + description: CertificatesDir specifies where to store or look for + all required certificates. + type: string + clusterName: + description: The cluster name + type: string + controlPlaneEndpoint: + description: 'ControlPlaneEndpoint sets a stable IP address or DNS + name for the control plane; it can be a valid IP address or a + RFC-1123 DNS subdomain, both with optional TCP port. 
In case the + ControlPlaneEndpoint is not specified, the AdvertiseAddress + + BindPort are used; in case the ControlPlaneEndpoint is specified + but without a TCP port, the BindPort is used. Possible usages + are: e.g. In a cluster with more than one control plane instances, + this field should be assigned the address of the external load + balancer in front of the control plane instances. e.g. in environments + with enforced node recycling, the ControlPlaneEndpoint could be + used for assigning a stable DNS to the control plane. NB: This + value defaults to the first value in the Cluster object status.apiEndpoints + array.' + type: string + controllerManager: + description: ControllerManager contains extra settings for the controller + manager control plane component + properties: + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to pass to + the control plane component. TODO: This is temporary and ideally + we would like to switch all components to use ComponentConfig + + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, mounted + to the control plane component. + items: + description: HostPathMount contains elements describing volumes + that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host that will + be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the pod where + hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to the volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + type: object + dns: + description: DNS defines the options for the DNS add-on installed + in the cluster. 
+ properties: + imageRepository: + description: ImageRepository sets the container registry to + pull images from. if not set, the ImageRepository defined + in ClusterConfiguration will be used instead. + type: string + imageTag: + description: ImageTag allows to specify a tag for the image. + In case this value is set, kubeadm does not change automatically + the version of the above components during upgrades. + type: string + type: + description: Type defines the DNS add-on to be used + type: string + required: + - type + type: object + etcd: + description: Etcd holds configuration for etcd. + properties: + external: + description: External describes how to connect to an external + etcd cluster Local and External are mutually exclusive + properties: + caFile: + description: CAFile is an SSL Certificate Authority file + used to secure etcd communication. Required if using a + TLS connection. + type: string + certFile: + description: CertFile is an SSL certification file used + to secure etcd communication. Required if using a TLS + connection. + type: string + endpoints: + description: Endpoints of etcd members. Required for ExternalEtcd. + items: + type: string + type: array + keyFile: + description: KeyFile is an SSL key file used to secure etcd + communication. Required if using a TLS connection. + type: string + required: + - caFile + - certFile + - endpoints + - keyFile + type: object + local: + description: Local provides configuration knobs for configuring + the local etcd instance Local and External are mutually exclusive + properties: + dataDir: + description: DataDir is the directory etcd will place its + data. Defaults to "/var/lib/etcd". + type: string + extraArgs: + additionalProperties: + type: string + description: ExtraArgs are extra arguments provided to the + etcd binary when run inside a static pod. + type: object + imageRepository: + description: ImageRepository sets the container registry + to pull images from. 
if not set, the ImageRepository defined + in ClusterConfiguration will be used instead. + type: string + imageTag: + description: ImageTag allows to specify a tag for the image. + In case this value is set, kubeadm does not change automatically + the version of the above components during upgrades. + type: string + peerCertSANs: + description: PeerCertSANs sets extra Subject Alternative + Names for the etcd peer signing cert. + items: + type: string + type: array + serverCertSANs: + description: ServerCertSANs sets extra Subject Alternative + Names for the etcd server signing cert. + items: + type: string + type: array + required: + - dataDir + type: object + type: object + featureGates: + additionalProperties: + type: boolean + description: FeatureGates enabled by the user. + type: object + imageRepository: + description: ImageRepository sets the container registry to pull + images from. If empty, `k8s.gcr.io` will be used by default; in + case of kubernetes version is a CI build (kubernetes version starts + with `ci/` or `ci-cross/`) `gcr.io/kubernetes-ci-images` will + be used as a default for control plane components and for kube-proxy, + while `k8s.gcr.io` will be used for all the other images. + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + kubernetesVersion: + description: 'KubernetesVersion is the target version of the control + plane. NB: This value defaults to the Machine object spec.kuberentesVersion' + type: string + networking: + description: 'Networking holds configuration for the networking + topology of the cluster. NB: This value defaults to the Cluster + object spec.clusterNetwork.' 
+ properties: + dnsDomain: + description: DNSDomain is the dns domain used by k8s services. + Defaults to "cluster.local". + type: string + podSubnet: + description: PodSubnet is the subnet used by pods. + type: string + serviceSubnet: + description: ServiceSubnet is the subnet used by k8s services. + Defaults to "10.96.0.0/12". + type: string + required: + - dnsDomain + - podSubnet + - serviceSubnet + type: object + scheduler: + description: Scheduler contains extra settings for the scheduler + control plane component + properties: + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to pass to + the control plane component. TODO: This is temporary and ideally + we would like to switch all components to use ComponentConfig + + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, mounted + to the control plane component. + items: + description: HostPathMount contains elements describing volumes + that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host that will + be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the pod where + hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to the volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + type: object + useHyperKubeImage: + description: UseHyperKubeImage controls if hyperkube should be used + for Kubernetes components instead of their respective separate + images + type: boolean + type: object + files: + description: Files specifies extra files to be passed to user_data upon + creation. 
+ items: + description: File defines the input for generating write_files in + cloud-init. + properties: + content: + description: Content is the actual content of the file. + type: string + encoding: + description: Encoding specifies the encoding of the file contents. + enum: + - base64 + - gzip + - gzip+base64 + type: string + owner: + description: Owner specifies the ownership of the file, e.g. "root:root". + type: string + path: + description: Path specifies the full path on disk where to store + the file. + type: string + permissions: + description: Permissions specifies the permissions to assign to + the file, e.g. "0640". + type: string + required: + - content + - path + type: object + type: array + format: + description: Format specifies the output format of the bootstrap data + enum: + - cloud-config + type: string + initConfiguration: + description: InitConfiguration along with ClusterConfiguration are the + configurations necessary for the init command + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the + latest internal value, and may reject unrecognized values. More + info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + bootstrapTokens: + description: BootstrapTokens is respected at `kubeadm init` time + and describes a set of Bootstrap Tokens to create. This information + IS NOT uploaded to the kubeadm cluster configmap, partly because + of its sensitive nature + items: + description: BootstrapToken describes one bootstrap token, stored + as a Secret in the cluster + properties: + description: + description: Description sets a human-friendly message why + this token exists and what it's used for, so other administrators + can know its purpose. + type: string + expires: + description: Expires specifies the timestamp when this token + expires. 
Defaults to being set dynamically at runtime based + on the TTL. Expires and TTL are mutually exclusive. + format: date-time + type: string + groups: + description: Groups specifies the extra groups that this token + will authenticate as when/if used for authentication + items: + type: string + type: array + token: + description: Token is used for establishing bidirectional + trust between nodes and control-planes. Used for joining + nodes in the cluster. + type: object + ttl: + description: TTL defines the time to live for this token. + Defaults to 24h. Expires and TTL are mutually exclusive. + type: string + usages: + description: Usages describes the ways in which this token + can be used. Can by default be used for establishing bidirectional + trust, but that can be changed here. + items: + type: string + type: array + required: + - token + type: object + type: array + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + localAPIEndpoint: + description: LocalAPIEndpoint represents the endpoint of the API + server instance that's deployed on this control plane node In + HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint + in the sense that ControlPlaneEndpoint is the global endpoint + for the cluster, which then loadbalances the requests to each + individual API server. This configuration object lets you customize + what IP/DNS name and port the local API server advertises it's + accessible on. By default, kubeadm tries to auto-detect the IP + of the default interface and use that, but in case that process + fails you may set the desired value here. + properties: + advertiseAddress: + description: AdvertiseAddress sets the IP address for the API + server to advertise. 
+ type: string + bindPort: + description: BindPort sets the secure port for the API Server + to bind to. Defaults to 6443. + format: int32 + type: integer + required: + - advertiseAddress + - bindPort + type: object + nodeRegistration: + description: NodeRegistration holds fields that relate to registering + the new control-plane node to the cluster + properties: + criSocket: + description: CRISocket is used to retrieve container runtime + info. This information will be annotated to the Node API object, + for later re-use + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes through extra arguments + to the kubelet. The arguments here are passed to the kubelet + command line via the environment file kubeadm writes at runtime + for the kubelet to source. This overrides the generic base-level + configuration in the kubelet-config-1.X ConfigMap Flags have + higher priority when parsing. These values are local and specific + to the node kubeadm is executing on. + type: object + name: + description: Name is the `.Metadata.Name` field of the Node + API object that will be created in this `kubeadm init` or + `kubeadm join` operation. This field is also used in the CommonName + field of the kubelet's client certificate to the API server. + Defaults to the hostname of the node if not provided. + type: string + taints: + description: 'Taints specifies the taints the Node API object + should be registered with. If this field is unset, i.e. nil, + in the `kubeadm init` process it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}. + If you don''t want to taint your control-plane node, set this + field to an empty slice, i.e. `taints: {}` in the YAML file. + This field is solely used for Node registration.' + items: + description: The node this Taint is attached to has the "effect" + on any pod that does not tolerate the Taint. + properties: + effect: + description: Required. 
The effect of the taint on pods + that do not tolerate the taint. Valid effects are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied to + a node. + type: string + timeAdded: + description: TimeAdded represents the time at which the + taint was added. It is only written for NoExecute taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding to + the taint key. + type: string + required: + - effect + - key + type: object + type: array + type: object + type: object + joinConfiguration: + description: JoinConfiguration is the kubeadm configuration for the + join command + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the + latest internal value, and may reject unrecognized values. More + info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + caCertPath: + description: 'CACertPath is the path to the SSL certificate authority + used to secure comunications between node and control-plane. Defaults + to "/etc/kubernetes/pki/ca.crt". TODO: revisit when there is defaulting + from k/k' + type: string + controlPlane: + description: ControlPlane defines the additional control plane instance + to be deployed on the joining node. If nil, no additional control + plane instance will be deployed. + properties: + localAPIEndpoint: + description: LocalAPIEndpoint represents the endpoint of the + API server instance to be deployed on this node. + properties: + advertiseAddress: + description: AdvertiseAddress sets the IP address for the + API server to advertise. + type: string + bindPort: + description: BindPort sets the secure port for the API Server + to bind to. Defaults to 6443. 
+ format: int32 + type: integer + required: + - advertiseAddress + - bindPort + type: object + type: object + discovery: + description: 'Discovery specifies the options for the kubelet to + use during the TLS Bootstrap process TODO: revisit when there + is defaulting from k/k' + properties: + bootstrapToken: + description: BootstrapToken is used to set the options for bootstrap + token based discovery BootstrapToken and File are mutually + exclusive + properties: + apiServerEndpoint: + description: APIServerEndpoint is an IP or domain name to + the API server from which info will be fetched. + type: string + caCertHashes: + description: 'CACertHashes specifies a set of public key + pins to verify when token-based discovery is used. The + root CA found during discovery must match one of these + values. Specifying an empty set disables root CA pinning, + which can be unsafe. Each hash is specified as ":", + where the only currently supported type is "sha256". This + is a hex-encoded SHA-256 hash of the Subject Public Key + Info (SPKI) object in DER-encoded ASN.1. These hashes + can be calculated using, for example, OpenSSL: openssl + x509 -pubkey -in ca.crt openssl rsa -pubin -outform der + 2>&/dev/null | openssl dgst -sha256 -hex' + items: + type: string + type: array + token: + description: Token is a token used to validate cluster information + fetched from the control-plane. + type: string + unsafeSkipCAVerification: + description: UnsafeSkipCAVerification allows token-based + discovery without CA verification via CACertHashes. This + can weaken the security of kubeadm since other nodes can + impersonate the control-plane. 
+ type: boolean + required: + - token + - unsafeSkipCAVerification + type: object + file: + description: File is used to specify a file or URL to a kubeconfig + file from which to load cluster information BootstrapToken + and File are mutually exclusive + properties: + kubeConfigPath: + description: KubeConfigPath is used to specify the actual + file path or URL to the kubeconfig file from which to + load cluster information + type: string + required: + - kubeConfigPath + type: object + timeout: + description: Timeout modifies the discovery timeout + type: string + tlsBootstrapToken: + description: 'TLSBootstrapToken is a token used for TLS bootstrapping. + If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, + but can be overridden. If .File is set, this field **must + be set** in case the KubeConfigFile does not contain any other + authentication information TODO: revisit when there is defaulting + from k/k' + type: string + type: object + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + nodeRegistration: + description: NodeRegistration holds fields that relate to registering + the new control-plane node to the cluster + properties: + criSocket: + description: CRISocket is used to retrieve container runtime + info. This information will be annotated to the Node API object, + for later re-use + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes through extra arguments + to the kubelet. The arguments here are passed to the kubelet + command line via the environment file kubeadm writes at runtime + for the kubelet to source. 
This overrides the generic base-level + configuration in the kubelet-config-1.X ConfigMap Flags have + higher priority when parsing. These values are local and specific + to the node kubeadm is executing on. + type: object + name: + description: Name is the `.Metadata.Name` field of the Node + API object that will be created in this `kubeadm init` or + `kubeadm join` operation. This field is also used in the CommonName + field of the kubelet's client certificate to the API server. + Defaults to the hostname of the node if not provided. + type: string + taints: + description: 'Taints specifies the taints the Node API object + should be registered with. If this field is unset, i.e. nil, + in the `kubeadm init` process it will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}. + If you don''t want to taint your control-plane node, set this + field to an empty slice, i.e. `taints: {}` in the YAML file. + This field is solely used for Node registration.' + items: + description: The node this Taint is attached to has the "effect" + on any pod that does not tolerate the Taint. + properties: + effect: + description: Required. The effect of the taint on pods + that do not tolerate the taint. Valid effects are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied to + a node. + type: string + timeAdded: + description: TimeAdded represents the time at which the + taint was added. It is only written for NoExecute taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding to + the taint key. 
+ type: string + required: + - effect + - key + type: object + type: array + type: object + required: + - nodeRegistration + type: object + ntp: + description: NTP specifies NTP configuration + properties: + enabled: + description: Enabled specifies whether NTP should be enabled + type: boolean + servers: + description: Servers specifies which NTP servers to use + items: + type: string + type: array + type: object + postKubeadmCommands: + description: PostKubeadmCommands specifies extra commands to run after + kubeadm runs + items: + type: string + type: array + preKubeadmCommands: + description: PreKubeadmCommands specifies extra commands to run before + kubeadm runs + items: + type: string + type: array + users: + description: Users specifies extra users to add + items: + description: User defines the input for a generated user in cloud-init. + properties: + gecos: + description: Gecos specifies the gecos to use for the user + type: string + groups: + description: Groups specifies the additional groups for the user + type: string + homeDir: + description: HomeDir specifies the home directory to use for the + user + type: string + inactive: + description: Inactive specifies whether to mark the user as inactive + type: boolean + lockPassword: + description: LockPassword specifies if password login should be + disabled + type: boolean + name: + description: Name specifies the user name + type: string + passwd: + description: Passwd specifies a hashed password for the user + type: string + primaryGroup: + description: PrimaryGroup specifies the primary group for the + user + type: string + shell: + description: Shell specifies the user's shell + type: string + sshAuthorizedKeys: + description: SSHAuthorizedKeys specifies a list of ssh authorized + keys for the user + items: + type: string + type: array + sudo: + description: Sudo specifies a sudo role for the user + type: string + required: + - name + type: object + type: array + type: object + status: + description: 
KubeadmConfigStatus defines the observed state of KubeadmConfig + properties: + bootstrapData: + description: BootstrapData will be a cloud-init script for now + format: byte + type: string + errorMessage: + description: ErrorMessage will be set on non-retryable errors + type: string + errorReason: + description: ErrorReason will be set on non-retryable errors + type: string + ready: + description: Ready indicates the BootstrapData field is ready to be + consumed + type: boolean + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/global/crd/kubeadm/kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io.yaml b/manifests/global/crd/kubeadm/kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io.yaml new file mode 100644 index 000000000..062db16df --- /dev/null +++ b/manifests/global/crd/kubeadm/kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io.yaml 
@@ -0,0 +1,859 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io +spec: + group: bootstrap.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: KubeadmConfigTemplate + listKind: KubeadmConfigTemplateList + plural: kubeadmconfigtemplates + singular: kubeadmconfigtemplate + scope: Namespaced + validation: + openAPIV3Schema: + description: KubeadmConfigTemplate is the Schema for the kubeadmconfigtemplates + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeadmConfigTemplateSpec defines the desired state of KubeadmConfigTemplate + properties: + template: + description: KubeadmConfigTemplateResource defines the Template structure + properties: + spec: + description: KubeadmConfigSpec defines the desired state of KubeadmConfig. + Either ClusterConfiguration and InitConfiguration should be defined + or the JoinConfiguration should be defined. 
+ properties: + clusterConfiguration: + description: ClusterConfiguration along with InitConfiguration + are the configurations necessary for the init command + properties: + apiServer: + description: APIServer contains extra settings for the API + server control plane component + properties: + certSANs: + description: CertSANs sets extra Subject Alternative + Names for the API Server signing cert. + items: + type: string + type: array + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to + pass to the control plane component. TODO: This is + temporary and ideally we would like to switch all + components to use ComponentConfig + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, + mounted to the control plane component. + items: + description: HostPathMount contains elements describing + volumes that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host + that will be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the + pod where hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod + template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to + the volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + timeoutForControlPlane: + description: TimeoutForControlPlane controls the timeout + that we use for API server to appear + type: string + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of + this representation of an object. Servers should convert + recognized schemas to the latest internal value, and may + reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + certificatesDir: + description: CertificatesDir specifies where to store or + look for all required certificates. + type: string + clusterName: + description: The cluster name + type: string + controlPlaneEndpoint: + description: 'ControlPlaneEndpoint sets a stable IP address + or DNS name for the control plane; it can be a valid IP + address or a RFC-1123 DNS subdomain, both with optional + TCP port. In case the ControlPlaneEndpoint is not specified, + the AdvertiseAddress + BindPort are used; in case the + ControlPlaneEndpoint is specified but without a TCP port, + the BindPort is used. Possible usages are: e.g. In a cluster + with more than one control plane instances, this field + should be assigned the address of the external load balancer + in front of the control plane instances. e.g. in environments + with enforced node recycling, the ControlPlaneEndpoint + could be used for assigning a stable DNS to the control + plane. NB: This value defaults to the first value in the + Cluster object status.apiEndpoints array.' + type: string + controllerManager: + description: ControllerManager contains extra settings for + the controller manager control plane component + properties: + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to + pass to the control plane component. TODO: This is + temporary and ideally we would like to switch all + components to use ComponentConfig + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, + mounted to the control plane component. + items: + description: HostPathMount contains elements describing + volumes that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host + that will be mounted inside the pod. 
+ type: string + mountPath: + description: MountPath is the path inside the + pod where hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod + template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to + the volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + type: object + dns: + description: DNS defines the options for the DNS add-on + installed in the cluster. + properties: + imageRepository: + description: ImageRepository sets the container registry + to pull images from. if not set, the ImageRepository + defined in ClusterConfiguration will be used instead. + type: string + imageTag: + description: ImageTag allows to specify a tag for the + image. In case this value is set, kubeadm does not + change automatically the version of the above components + during upgrades. + type: string + type: + description: Type defines the DNS add-on to be used + type: string + required: + - type + type: object + etcd: + description: Etcd holds configuration for etcd. + properties: + external: + description: External describes how to connect to an + external etcd cluster Local and External are mutually + exclusive + properties: + caFile: + description: CAFile is an SSL Certificate Authority + file used to secure etcd communication. Required + if using a TLS connection. + type: string + certFile: + description: CertFile is an SSL certification file + used to secure etcd communication. Required if + using a TLS connection. + type: string + endpoints: + description: Endpoints of etcd members. Required + for ExternalEtcd. + items: + type: string + type: array + keyFile: + description: KeyFile is an SSL key file used to + secure etcd communication. Required if using a + TLS connection. 
+ type: string + required: + - caFile + - certFile + - endpoints + - keyFile + type: object + local: + description: Local provides configuration knobs for + configuring the local etcd instance Local and External + are mutually exclusive + properties: + dataDir: + description: DataDir is the directory etcd will + place its data. Defaults to "/var/lib/etcd". + type: string + extraArgs: + additionalProperties: + type: string + description: ExtraArgs are extra arguments provided + to the etcd binary when run inside a static pod. + type: object + imageRepository: + description: ImageRepository sets the container + registry to pull images from. if not set, the + ImageRepository defined in ClusterConfiguration + will be used instead. + type: string + imageTag: + description: ImageTag allows to specify a tag for + the image. In case this value is set, kubeadm + does not change automatically the version of the + above components during upgrades. + type: string + peerCertSANs: + description: PeerCertSANs sets extra Subject Alternative + Names for the etcd peer signing cert. + items: + type: string + type: array + serverCertSANs: + description: ServerCertSANs sets extra Subject Alternative + Names for the etcd server signing cert. + items: + type: string + type: array + required: + - dataDir + type: object + type: object + featureGates: + additionalProperties: + type: boolean + description: FeatureGates enabled by the user. + type: object + imageRepository: + description: ImageRepository sets the container registry + to pull images from. If empty, `k8s.gcr.io` will be used + by default; in case of kubernetes version is a CI build + (kubernetes version starts with `ci/` or `ci-cross/`) + `gcr.io/kubernetes-ci-images` will be used as a default + for control plane components and for kube-proxy, while + `k8s.gcr.io` will be used for all the other images. + type: string + kind: + description: 'Kind is a string value representing the REST + resource this object represents. 
Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + kubernetesVersion: + description: 'KubernetesVersion is the target version of + the control plane. NB: This value defaults to the Machine + object spec.kuberentesVersion' + type: string + networking: + description: 'Networking holds configuration for the networking + topology of the cluster. NB: This value defaults to the + Cluster object spec.clusterNetwork.' + properties: + dnsDomain: + description: DNSDomain is the dns domain used by k8s + services. Defaults to "cluster.local". + type: string + podSubnet: + description: PodSubnet is the subnet used by pods. + type: string + serviceSubnet: + description: ServiceSubnet is the subnet used by k8s + services. Defaults to "10.96.0.0/12". + type: string + required: + - dnsDomain + - podSubnet + - serviceSubnet + type: object + scheduler: + description: Scheduler contains extra settings for the scheduler + control plane component + properties: + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to + pass to the control plane component. TODO: This is + temporary and ideally we would like to switch all + components to use ComponentConfig + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, + mounted to the control plane component. + items: + description: HostPathMount contains elements describing + volumes that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host + that will be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the + pod where hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod + template. 
+ type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to + the volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + type: object + useHyperKubeImage: + description: UseHyperKubeImage controls if hyperkube should + be used for Kubernetes components instead of their respective + separate images + type: boolean + type: object + files: + description: Files specifies extra files to be passed to user_data + upon creation. + items: + description: File defines the input for generating write_files + in cloud-init. + properties: + content: + description: Content is the actual content of the file. + type: string + encoding: + description: Encoding specifies the encoding of the file + contents. + enum: + - base64 + - gzip + - gzip+base64 + type: string + owner: + description: Owner specifies the ownership of the file, + e.g. "root:root". + type: string + path: + description: Path specifies the full path on disk where + to store the file. + type: string + permissions: + description: Permissions specifies the permissions to + assign to the file, e.g. "0640". + type: string + required: + - content + - path + type: object + type: array + format: + description: Format specifies the output format of the bootstrap + data + enum: + - cloud-config + type: string + initConfiguration: + description: InitConfiguration along with ClusterConfiguration + are the configurations necessary for the init command + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of + this representation of an object. Servers should convert + recognized schemas to the latest internal value, and may + reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + bootstrapTokens: + description: BootstrapTokens is respected at `kubeadm init` + time and describes a set of Bootstrap Tokens to create. + This information IS NOT uploaded to the kubeadm cluster + configmap, partly because of its sensitive nature + items: + description: BootstrapToken describes one bootstrap token, + stored as a Secret in the cluster + properties: + description: + description: Description sets a human-friendly message + why this token exists and what it's used for, so + other administrators can know its purpose. + type: string + expires: + description: Expires specifies the timestamp when + this token expires. Defaults to being set dynamically + at runtime based on the TTL. Expires and TTL are + mutually exclusive. + format: date-time + type: string + groups: + description: Groups specifies the extra groups that + this token will authenticate as when/if used for + authentication + items: + type: string + type: array + token: + description: Token is used for establishing bidirectional + trust between nodes and control-planes. Used for + joining nodes in the cluster. + type: object + ttl: + description: TTL defines the time to live for this + token. Defaults to 24h. Expires and TTL are mutually + exclusive. + type: string + usages: + description: Usages describes the ways in which this + token can be used. Can by default be used for establishing + bidirectional trust, but that can be changed here. + items: + type: string + type: array + required: + - token + type: object + type: array + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + localAPIEndpoint: + description: LocalAPIEndpoint represents the endpoint of + the API server instance that's deployed on this control + plane node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint + in the sense that ControlPlaneEndpoint is the global endpoint + for the cluster, which then loadbalances the requests + to each individual API server. This configuration object + lets you customize what IP/DNS name and port the local + API server advertises it's accessible on. By default, + kubeadm tries to auto-detect the IP of the default interface + and use that, but in case that process fails you may set + the desired value here. + properties: + advertiseAddress: + description: AdvertiseAddress sets the IP address for + the API server to advertise. + type: string + bindPort: + description: BindPort sets the secure port for the API + Server to bind to. Defaults to 6443. + format: int32 + type: integer + required: + - advertiseAddress + - bindPort + type: object + nodeRegistration: + description: NodeRegistration holds fields that relate to + registering the new control-plane node to the cluster + properties: + criSocket: + description: CRISocket is used to retrieve container + runtime info. This information will be annotated to + the Node API object, for later re-use + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes through extra arguments + to the kubelet. The arguments here are passed to the + kubelet command line via the environment file kubeadm + writes at runtime for the kubelet to source. This + overrides the generic base-level configuration in + the kubelet-config-1.X ConfigMap Flags have higher + priority when parsing. These values are local and + specific to the node kubeadm is executing on. 
+ type: object + name: + description: Name is the `.Metadata.Name` field of the + Node API object that will be created in this `kubeadm + init` or `kubeadm join` operation. This field is also + used in the CommonName field of the kubelet's client + certificate to the API server. Defaults to the hostname + of the node if not provided. + type: string + taints: + description: 'Taints specifies the taints the Node API + object should be registered with. If this field is + unset, i.e. nil, in the `kubeadm init` process it + will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}. + If you don''t want to taint your control-plane node, + set this field to an empty slice, i.e. `taints: {}` + in the YAML file. This field is solely used for Node + registration.' + items: + description: The node this Taint is attached to has + the "effect" on any pod that does not tolerate the + Taint. + properties: + effect: + description: Required. The effect of the taint + on pods that do not tolerate the taint. Valid + effects are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Required. The taint key to be applied + to a node. + type: string + timeAdded: + description: TimeAdded represents the time at + which the taint was added. It is only written + for NoExecute taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding + to the taint key. + type: string + required: + - effect + - key + type: object + type: array + type: object + type: object + joinConfiguration: + description: JoinConfiguration is the kubeadm configuration + for the join command + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of + this representation of an object. Servers should convert + recognized schemas to the latest internal value, and may + reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + caCertPath: + description: 'CACertPath is the path to the SSL certificate + authority used to secure comunications between node and + control-plane. Defaults to "/etc/kubernetes/pki/ca.crt". + TODO: revisit when there is defaulting from k/k' + type: string + controlPlane: + description: ControlPlane defines the additional control + plane instance to be deployed on the joining node. If + nil, no additional control plane instance will be deployed. + properties: + localAPIEndpoint: + description: LocalAPIEndpoint represents the endpoint + of the API server instance to be deployed on this + node. + properties: + advertiseAddress: + description: AdvertiseAddress sets the IP address + for the API server to advertise. + type: string + bindPort: + description: BindPort sets the secure port for the + API Server to bind to. Defaults to 6443. + format: int32 + type: integer + required: + - advertiseAddress + - bindPort + type: object + type: object + discovery: + description: 'Discovery specifies the options for the kubelet + to use during the TLS Bootstrap process TODO: revisit + when there is defaulting from k/k' + properties: + bootstrapToken: + description: BootstrapToken is used to set the options + for bootstrap token based discovery BootstrapToken + and File are mutually exclusive + properties: + apiServerEndpoint: + description: APIServerEndpoint is an IP or domain + name to the API server from which info will be + fetched. + type: string + caCertHashes: + description: 'CACertHashes specifies a set of public + key pins to verify when token-based discovery + is used. The root CA found during discovery must + match one of these values. Specifying an empty + set disables root CA pinning, which can be unsafe. + Each hash is specified as ":", where + the only currently supported type is "sha256". 
+ This is a hex-encoded SHA-256 hash of the Subject + Public Key Info (SPKI) object in DER-encoded ASN.1. + These hashes can be calculated using, for example, + OpenSSL: openssl x509 -pubkey -in ca.crt openssl + rsa -pubin -outform der 2>&/dev/null | openssl + dgst -sha256 -hex' + items: + type: string + type: array + token: + description: Token is a token used to validate cluster + information fetched from the control-plane. + type: string + unsafeSkipCAVerification: + description: UnsafeSkipCAVerification allows token-based + discovery without CA verification via CACertHashes. + This can weaken the security of kubeadm since + other nodes can impersonate the control-plane. + type: boolean + required: + - token + - unsafeSkipCAVerification + type: object + file: + description: File is used to specify a file or URL to + a kubeconfig file from which to load cluster information + BootstrapToken and File are mutually exclusive + properties: + kubeConfigPath: + description: KubeConfigPath is used to specify the + actual file path or URL to the kubeconfig file + from which to load cluster information + type: string + required: + - kubeConfigPath + type: object + timeout: + description: Timeout modifies the discovery timeout + type: string + tlsBootstrapToken: + description: 'TLSBootstrapToken is a token used for + TLS bootstrapping. If .BootstrapToken is set, this + field is defaulted to .BootstrapToken.Token, but can + be overridden. If .File is set, this field **must + be set** in case the KubeConfigFile does not contain + any other authentication information TODO: revisit + when there is defaulting from k/k' + type: string + type: object + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + nodeRegistration: + description: NodeRegistration holds fields that relate to + registering the new control-plane node to the cluster + properties: + criSocket: + description: CRISocket is used to retrieve container + runtime info. This information will be annotated to + the Node API object, for later re-use + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes through extra arguments + to the kubelet. The arguments here are passed to the + kubelet command line via the environment file kubeadm + writes at runtime for the kubelet to source. This + overrides the generic base-level configuration in + the kubelet-config-1.X ConfigMap Flags have higher + priority when parsing. These values are local and + specific to the node kubeadm is executing on. + type: object + name: + description: Name is the `.Metadata.Name` field of the + Node API object that will be created in this `kubeadm + init` or `kubeadm join` operation. This field is also + used in the CommonName field of the kubelet's client + certificate to the API server. Defaults to the hostname + of the node if not provided. + type: string + taints: + description: 'Taints specifies the taints the Node API + object should be registered with. If this field is + unset, i.e. nil, in the `kubeadm init` process it + will be defaulted to []v1.Taint{''node-role.kubernetes.io/master=""''}. + If you don''t want to taint your control-plane node, + set this field to an empty slice, i.e. `taints: {}` + in the YAML file. This field is solely used for Node + registration.' + items: + description: The node this Taint is attached to has + the "effect" on any pod that does not tolerate the + Taint. + properties: + effect: + description: Required. The effect of the taint + on pods that do not tolerate the taint. 
Valid + effects are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Required. The taint key to be applied + to a node. + type: string + timeAdded: + description: TimeAdded represents the time at + which the taint was added. It is only written + for NoExecute taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding + to the taint key. + type: string + required: + - effect + - key + type: object + type: array + type: object + required: + - nodeRegistration + type: object + ntp: + description: NTP specifies NTP configuration + properties: + enabled: + description: Enabled specifies whether NTP should be enabled + type: boolean + servers: + description: Servers specifies which NTP servers to use + items: + type: string + type: array + type: object + postKubeadmCommands: + description: PostKubeadmCommands specifies extra commands to + run after kubeadm runs + items: + type: string + type: array + preKubeadmCommands: + description: PreKubeadmCommands specifies extra commands to + run before kubeadm runs + items: + type: string + type: array + users: + description: Users specifies extra users to add + items: + description: User defines the input for a generated user in + cloud-init. 
+ properties: + gecos: + description: Gecos specifies the gecos to use for the + user + type: string + groups: + description: Groups specifies the additional groups for + the user + type: string + homeDir: + description: HomeDir specifies the home directory to use + for the user + type: string + inactive: + description: Inactive specifies whether to mark the user + as inactive + type: boolean + lockPassword: + description: LockPassword specifies if password login + should be disabled + type: boolean + name: + description: Name specifies the user name + type: string + passwd: + description: Passwd specifies a hashed password for the + user + type: string + primaryGroup: + description: PrimaryGroup specifies the primary group + for the user + type: string + shell: + description: Shell specifies the user's shell + type: string + sshAuthorizedKeys: + description: SSHAuthorizedKeys specifies a list of ssh + authorized keys for the user + items: + type: string + type: array + sudo: + description: Sudo specifies a sudo role for the user + type: string + required: + - name + type: object + type: array + type: object + type: object + required: + - template + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/global/crd/kubeadm/kustomization.yaml b/manifests/global/crd/kubeadm/kustomization.yaml new file mode 100644 index 000000000..f8d2a3356 --- /dev/null +++ b/manifests/global/crd/kubeadm/kustomization.yaml @@ -0,0 +1,3 @@ +resources: + - kubeadmconfigs.bootstrap.cluster.x-k8s.io.yaml + - kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io.yaml