From 9f1916d8dd523581ab961c22f91045712d0611a5 Mon Sep 17 00:00:00 2001 From: Dmitry Ukov Date: Wed, 8 Apr 2020 18:53:36 +0400 Subject: [PATCH] Add CAPI ControlPlane provider Kubeadm Forked kustomization from 0.3.3 release Change-Id: I7e7074fe6e68aff4c3280567160ebb25bd9f7780 --- .../cacpk/v0.3.3/certmanager/certificate.yaml | 25 + .../v0.3.3/certmanager/kustomization.yaml | 5 + .../v0.3.3/certmanager/kustomizeconfig.yaml | 19 + ...cluster.x-k8s.io_kubeadmcontrolplanes.yaml | 997 ++++++++++++++++++ .../cacpk/v0.3.3/crd/kustomization.yaml | 24 + .../cacpk/v0.3.3/crd/kustomizeconfig.yaml | 17 + .../cainjection_in_kubeadmcontrolplanes.yaml | 8 + .../webhook_in_kubeadmcontrolplanes.yaml | 19 + .../cacpk/v0.3.3/default/kustomization.yaml | 8 + .../cacpk/v0.3.3/default/namespace.yaml | 6 + .../function/cacpk/v0.3.3/kustomization.yaml | 17 + .../cacpk/v0.3.3/manager/kustomization.yaml | 7 + .../cacpk/v0.3.3/manager/manager.yaml | 28 + .../manager/manager_auth_proxy_patch.yaml | 25 + .../v0.3.3/manager/manager_image_patch.yaml | 11 + .../v0.3.3/manager/manager_image_patch.yaml-e | 11 + .../v0.3.3/manager/manager_pull_policy.yaml | 11 + .../v0.3.3/manager/manager_pull_policy.yaml-e | 11 + .../v0.3.3/patch_crd_webhook_namespace.yaml | 3 + .../cacpk/v0.3.3/rbac/auth_proxy_role.yaml | 13 + .../v0.3.3/rbac/auth_proxy_role_binding.yaml | 12 + .../cacpk/v0.3.3/rbac/auth_proxy_service.yaml | 14 + .../cacpk/v0.3.3/rbac/kustomization.yaml | 11 + .../v0.3.3/rbac/leader_election_role.yaml | 32 + .../rbac/leader_election_role_binding.yaml | 12 + .../function/cacpk/v0.3.3/rbac/role.yaml | 100 ++ .../cacpk/v0.3.3/rbac/role_binding.yaml | 12 + .../cacpk/v0.3.3/webhook/kustomization.yaml | 43 + .../cacpk/v0.3.3/webhook/kustomizeconfig.yaml | 27 + .../v0.3.3/webhook/manager_webhook_patch.yaml | 26 + .../cacpk/v0.3.3/webhook/manifests.yaml | 54 + .../cacpk/v0.3.3/webhook/service.yaml | 10 + .../webhook/webhookcainjection_patch.yaml | 15 + 33 files changed, 1633 insertions(+) create mode 100644 manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml create mode 100644 manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml create mode 100644 manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml create mode 100644 manifests/function/cacpk/v0.3.3/crd/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml create mode 100644 manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml create mode 100644 manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml create mode 100644 manifests/function/cacpk/v0.3.3/default/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/default/namespace.yaml create mode 100644 manifests/function/cacpk/v0.3.3/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/manager/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager.yaml create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e create mode 100644 manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/role.yaml create mode 100644 manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml create mode 100644 manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml create mode 100644 manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml create mode 100644 manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml create mode 100644 manifests/function/cacpk/v0.3.3/webhook/manifests.yaml create mode 100644 manifests/function/cacpk/v0.3.3/webhook/service.yaml create mode 100644 manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml diff --git a/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml b/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml new file mode 100644 index 000000000..7decb1a4b --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml @@ -0,0 +1,25 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes +apiVersion: cert-manager.io/v1alpha2 +kind: Issuer +metadata: + name: selfsigned-issuer + namespace: system +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml b/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml new file mode 100644 index 000000000..bebea5a59 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- certificate.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml new file mode 100644 index 000000000..28a895a40 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml @@ -0,0 +1,19 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name + +varReference: +- kind: Certificate + group: cert-manager.io + path: spec/commonName +- kind: Certificate + group: cert-manager.io + path: spec/dnsNames +- kind: Certificate + group: cert-manager.io + path: spec/secretName diff --git a/manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml b/manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml new file mode 100644 index 000000000..19f1b92ea --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml @@ -0,0 +1,997 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.8 + creationTimestamp: null + name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io +spec: + group: controlplane.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: KubeadmControlPlane + listKind: KubeadmControlPlaneList + plural: kubeadmcontrolplanes + shortNames: + - kcp + singular: kubeadmcontrolplane + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: KubeadmControlPlane API Server is ready to receive requests + jsonPath: .status.ready + name: Ready + type: boolean + - description: This denotes whether or not the control plane has the uploaded + kubeadm-config configmap + jsonPath: .status.initialized + name: Initialized + type: boolean + - description: Total number of non-terminated machines targeted by this control + plane + jsonPath: .status.replicas + name: Replicas + type: integer + - description: Total number of fully running and ready control plane machines + jsonPath: .status.readyReplicas + name: Ready Replicas + type: integer + - description: Total number of non-terminated machines targeted by this control + plane that have the desired template spec + jsonPath: .status.updatedReplicas + name: Updated Replicas + type: integer + - description: Total number of unavailable machines targeted by this control plane + jsonPath: .status.unavailableReplicas + name: Unavailable Replicas + type: integer + name: v1alpha3 + schema: + openAPIV3Schema: + description: KubeadmControlPlane is the Schema for the KubeadmControlPlane + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeadmControlPlaneSpec defines the desired state of KubeadmControlPlane. + properties: + infrastructureTemplate: + description: InfrastructureTemplate is a required reference to a custom + resource offered by an infrastructure provider. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + kubeadmConfigSpec: + description: KubeadmConfigSpec is a KubeadmConfigSpec to use for initializing + and joining machines to the control plane. + properties: + clusterConfiguration: + description: ClusterConfiguration along with InitConfiguration + are the configurations necessary for the init command + properties: + apiServer: + description: APIServer contains extra settings for the API + server control plane component + properties: + certSANs: + description: CertSANs sets extra Subject Alternative Names + for the API Server signing cert. + items: + type: string + type: array + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to pass + to the control plane component. TODO: This is temporary + and ideally we would like to switch all components to + use ComponentConfig + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, + mounted to the control plane component. + items: + description: HostPathMount contains elements describing + volumes that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host that + will be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the pod + where hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to the + volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + timeoutForControlPlane: + description: TimeoutForControlPlane controls the timeout + that we use for API server to appear + type: string + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + certificatesDir: + description: 'CertificatesDir specifies where to store or + look for all required certificates. NB: if not provided, + this will default to `/etc/kubernetes/pki`' + type: string + clusterName: + description: The cluster name + type: string + controlPlaneEndpoint: + description: 'ControlPlaneEndpoint sets a stable IP address + or DNS name for the control plane; it can be a valid IP + address or a RFC-1123 DNS subdomain, both with optional + TCP port. In case the ControlPlaneEndpoint is not specified, + the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint + is specified but without a TCP port, the BindPort is used. + Possible usages are: e.g. In a cluster with more than one + control plane instances, this field should be assigned the + address of the external load balancer in front of the control + plane instances. e.g. in environments with enforced node + recycling, the ControlPlaneEndpoint could be used for assigning + a stable DNS to the control plane. NB: This value defaults + to the first value in the Cluster object status.apiEndpoints + array.' + type: string + controllerManager: + description: ControllerManager contains extra settings for + the controller manager control plane component + properties: + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to pass + to the control plane component. TODO: This is temporary + and ideally we would like to switch all components to + use ComponentConfig + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, + mounted to the control plane component. + items: + description: HostPathMount contains elements describing + volumes that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host that + will be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the pod + where hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to the + volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + type: object + dns: + description: DNS defines the options for the DNS add-on installed + in the cluster. + properties: + imageRepository: + description: ImageRepository sets the container registry + to pull images from. if not set, the ImageRepository + defined in ClusterConfiguration will be used instead. + type: string + imageTag: + description: ImageTag allows to specify a tag for the + image. In case this value is set, kubeadm does not change + automatically the version of the above components during + upgrades. + type: string + type: + description: Type defines the DNS add-on to be used + type: string + type: object + etcd: + description: 'Etcd holds configuration for etcd. NB: This + value defaults to a Local (stacked) etcd' + properties: + external: + description: External describes how to connect to an external + etcd cluster Local and External are mutually exclusive + properties: + caFile: + description: CAFile is an SSL Certificate Authority + file used to secure etcd communication. Required + if using a TLS connection. + type: string + certFile: + description: CertFile is an SSL certification file + used to secure etcd communication. Required if using + a TLS connection. + type: string + endpoints: + description: Endpoints of etcd members. Required for + ExternalEtcd. + items: + type: string + type: array + keyFile: + description: KeyFile is an SSL key file used to secure + etcd communication. Required if using a TLS connection. + type: string + required: + - caFile + - certFile + - endpoints + - keyFile + type: object + local: + description: Local provides configuration knobs for configuring + the local etcd instance Local and External are mutually + exclusive + properties: + dataDir: + description: DataDir is the directory etcd will place + its data. Defaults to "/var/lib/etcd". + type: string + extraArgs: + additionalProperties: + type: string + description: ExtraArgs are extra arguments provided + to the etcd binary when run inside a static pod. + type: object + imageRepository: + description: ImageRepository sets the container registry + to pull images from. if not set, the ImageRepository + defined in ClusterConfiguration will be used instead. + type: string + imageTag: + description: ImageTag allows to specify a tag for + the image. In case this value is set, kubeadm does + not change automatically the version of the above + components during upgrades. + type: string + peerCertSANs: + description: PeerCertSANs sets extra Subject Alternative + Names for the etcd peer signing cert. + items: + type: string + type: array + serverCertSANs: + description: ServerCertSANs sets extra Subject Alternative + Names for the etcd server signing cert. + items: + type: string + type: array + type: object + type: object + featureGates: + additionalProperties: + type: boolean + description: FeatureGates enabled by the user. + type: object + imageRepository: + description: ImageRepository sets the container registry to + pull images from. If empty, `k8s.gcr.io` will be used by + default; in case of kubernetes version is a CI build (kubernetes + version starts with `ci/` or `ci-cross/`) `gcr.io/kubernetes-ci-images` + will be used as a default for control plane components and + for kube-proxy, while `k8s.gcr.io` will be used for all + the other images. + type: string + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + kubernetesVersion: + description: 'KubernetesVersion is the target version of the + control plane. NB: This value defaults to the Machine object + spec.kuberentesVersion' + type: string + networking: + description: 'Networking holds configuration for the networking + topology of the cluster. NB: This value defaults to the + Cluster object spec.clusterNetwork.' + properties: + dnsDomain: + description: DNSDomain is the dns domain used by k8s services. + Defaults to "cluster.local". + type: string + podSubnet: + description: PodSubnet is the subnet used by pods. If + unset, the API server will not allocate CIDR ranges + for every node. Defaults to the first element of the + Cluster object's spec.clusterNetwork.services.cidrBlocks + if that is set + type: string + serviceSubnet: + description: ServiceSubnet is the subnet used by k8s services. + Defaults to the first element of the Cluster object's + spec.clusterNetwork.pods.cidrBlocks field, or to "10.96.0.0/12" + if that's unset. + type: string + type: object + scheduler: + description: Scheduler contains extra settings for the scheduler + control plane component + properties: + extraArgs: + additionalProperties: + type: string + description: 'ExtraArgs is an extra set of flags to pass + to the control plane component. TODO: This is temporary + and ideally we would like to switch all components to + use ComponentConfig + ConfigMaps.' + type: object + extraVolumes: + description: ExtraVolumes is an extra set of host volumes, + mounted to the control plane component. + items: + description: HostPathMount contains elements describing + volumes that are mounted from the host. + properties: + hostPath: + description: HostPath is the path in the host that + will be mounted inside the pod. + type: string + mountPath: + description: MountPath is the path inside the pod + where hostPath will be mounted. + type: string + name: + description: Name of the volume inside the pod template. + type: string + pathType: + description: PathType is the type of the HostPath. + type: string + readOnly: + description: ReadOnly controls write access to the + volume + type: boolean + required: + - hostPath + - mountPath + - name + type: object + type: array + type: object + useHyperKubeImage: + description: UseHyperKubeImage controls if hyperkube should + be used for Kubernetes components instead of their respective + separate images + type: boolean + type: object + files: + description: Files specifies extra files to be passed to user_data + upon creation. + items: + description: File defines the input for generating write_files + in cloud-init. + properties: + content: + description: Content is the actual content of the file. + type: string + encoding: + description: Encoding specifies the encoding of the file + contents. + enum: + - base64 + - gzip + - gzip+base64 + type: string + owner: + description: Owner specifies the ownership of the file, + e.g. "root:root". + type: string + path: + description: Path specifies the full path on disk where + to store the file. + type: string + permissions: + description: Permissions specifies the permissions to assign + to the file, e.g. "0640". + type: string + required: + - content + - path + type: object + type: array + format: + description: Format specifies the output format of the bootstrap + data + enum: + - cloud-config + type: string + initConfiguration: + description: InitConfiguration along with ClusterConfiguration + are the configurations necessary for the init command + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + bootstrapTokens: + description: BootstrapTokens is respected at `kubeadm init` + time and describes a set of Bootstrap Tokens to create. + This information IS NOT uploaded to the kubeadm cluster + configmap, partly because of its sensitive nature + items: + description: BootstrapToken describes one bootstrap token, + stored as a Secret in the cluster + properties: + description: + description: Description sets a human-friendly message + why this token exists and what it's used for, so other + administrators can know its purpose. + type: string + expires: + description: Expires specifies the timestamp when this + token expires. Defaults to being set dynamically at + runtime based on the TTL. Expires and TTL are mutually + exclusive. + format: date-time + type: string + groups: + description: Groups specifies the extra groups that + this token will authenticate as when/if used for authentication + items: + type: string + type: array + token: + description: Token is used for establishing bidirectional + trust between nodes and control-planes. Used for joining + nodes in the cluster. + type: object + ttl: + description: TTL defines the time to live for this token. + Defaults to 24h. Expires and TTL are mutually exclusive. + type: string + usages: + description: Usages describes the ways in which this + token can be used. Can by default be used for establishing + bidirectional trust, but that can be changed here. + items: + type: string + type: array + required: + - token + type: object + type: array + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + localAPIEndpoint: + description: LocalAPIEndpoint represents the endpoint of the + API server instance that's deployed on this control plane + node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint + in the sense that ControlPlaneEndpoint is the global endpoint + for the cluster, which then loadbalances the requests to + each individual API server. This configuration object lets + you customize what IP/DNS name and port the local API server + advertises it's accessible on. By default, kubeadm tries + to auto-detect the IP of the default interface and use that, + but in case that process fails you may set the desired value + here. + properties: + advertiseAddress: + description: AdvertiseAddress sets the IP address for + the API server to advertise. + type: string + bindPort: + description: BindPort sets the secure port for the API + Server to bind to. Defaults to 6443. + format: int32 + type: integer + required: + - advertiseAddress + - bindPort + type: object + nodeRegistration: + description: NodeRegistration holds fields that relate to + registering the new control-plane node to the cluster + properties: + criSocket: + description: CRISocket is used to retrieve container runtime + info. This information will be annotated to the Node + API object, for later re-use + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes through extra arguments + to the kubelet. The arguments here are passed to the + kubelet command line via the environment file kubeadm + writes at runtime for the kubelet to source. This overrides + the generic base-level configuration in the kubelet-config-1.X + ConfigMap Flags have higher priority when parsing. These + values are local and specific to the node kubeadm is + executing on. + type: object + name: + description: Name is the `.Metadata.Name` field of the + Node API object that will be created in this `kubeadm + init` or `kubeadm join` operation. This field is also + used in the CommonName field of the kubelet's client + certificate to the API server. Defaults to the hostname + of the node if not provided. + type: string + taints: + description: 'Taints specifies the taints the Node API + object should be registered with. If this field is unset, + i.e. nil, in the `kubeadm init` process it will be defaulted + to []v1.Taint{''node-role.kubernetes.io/master=""''}. + If you don''t want to taint your control-plane node, + set this field to an empty slice, i.e. `taints: {}` + in the YAML file. This field is solely used for Node + registration.' + items: + description: The node this Taint is attached to has + the "effect" on any pod that does not tolerate the + Taint. + properties: + effect: + description: Required. The effect of the taint on + pods that do not tolerate the taint. Valid effects + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied + to a node. + type: string + timeAdded: + description: TimeAdded represents the time at which + the taint was added. It is only written for NoExecute + taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding + to the taint key. + type: string + required: + - effect + - key + type: object + type: array + type: object + type: object + joinConfiguration: + description: JoinConfiguration is the kubeadm configuration for + the join command + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + caCertPath: + description: 'CACertPath is the path to the SSL certificate + authority used to secure comunications between node and + control-plane. Defaults to "/etc/kubernetes/pki/ca.crt". + TODO: revisit when there is defaulting from k/k' + type: string + controlPlane: + description: ControlPlane defines the additional control plane + instance to be deployed on the joining node. If nil, no + additional control plane instance will be deployed. + properties: + localAPIEndpoint: + description: LocalAPIEndpoint represents the endpoint + of the API server instance to be deployed on this node. + properties: + advertiseAddress: + description: AdvertiseAddress sets the IP address + for the API server to advertise. + type: string + bindPort: + description: BindPort sets the secure port for the + API Server to bind to. Defaults to 6443. + format: int32 + type: integer + required: + - advertiseAddress + - bindPort + type: object + type: object + discovery: + description: 'Discovery specifies the options for the kubelet + to use during the TLS Bootstrap process TODO: revisit when + there is defaulting from k/k' + properties: + bootstrapToken: + description: BootstrapToken is used to set the options + for bootstrap token based discovery BootstrapToken and + File are mutually exclusive + properties: + apiServerEndpoint: + description: APIServerEndpoint is an IP or domain + name to the API server from which info will be fetched. + type: string + caCertHashes: + description: 'CACertHashes specifies a set of public + key pins to verify when token-based discovery is + used. The root CA found during discovery must match + one of these values. Specifying an empty set disables + root CA pinning, which can be unsafe. Each hash + is specified as ":", where the only + currently supported type is "sha256". This is a + hex-encoded SHA-256 hash of the Subject Public Key + Info (SPKI) object in DER-encoded ASN.1. These hashes + can be calculated using, for example, OpenSSL: openssl + x509 -pubkey -in ca.crt openssl rsa -pubin -outform + der 2>&/dev/null | openssl dgst -sha256 -hex' + items: + type: string + type: array + token: + description: Token is a token used to validate cluster + information fetched from the control-plane. + type: string + unsafeSkipCAVerification: + description: UnsafeSkipCAVerification allows token-based + discovery without CA verification via CACertHashes. + This can weaken the security of kubeadm since other + nodes can impersonate the control-plane. + type: boolean + required: + - token + - unsafeSkipCAVerification + type: object + file: + description: File is used to specify a file or URL to + a kubeconfig file from which to load cluster information + BootstrapToken and File are mutually exclusive + properties: + kubeConfigPath: + description: KubeConfigPath is used to specify the + actual file path or URL to the kubeconfig file from + which to load cluster information + type: string + required: + - kubeConfigPath + type: object + timeout: + description: Timeout modifies the discovery timeout + type: string + tlsBootstrapToken: + description: 'TLSBootstrapToken is a token used for TLS + bootstrapping. If .BootstrapToken is set, this field + is defaulted to .BootstrapToken.Token, but can be overridden. + If .File is set, this field **must be set** in case + the KubeConfigFile does not contain any other authentication + information TODO: revisit when there is defaulting from + k/k' + type: string + type: object + kind: + description: 'Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + nodeRegistration: + description: NodeRegistration holds fields that relate to + registering the new control-plane node to the cluster + properties: + criSocket: + description: CRISocket is used to retrieve container runtime + info. This information will be annotated to the Node + API object, for later re-use + type: string + kubeletExtraArgs: + additionalProperties: + type: string + description: KubeletExtraArgs passes through extra arguments + to the kubelet. The arguments here are passed to the + kubelet command line via the environment file kubeadm + writes at runtime for the kubelet to source. This overrides + the generic base-level configuration in the kubelet-config-1.X + ConfigMap Flags have higher priority when parsing. These + values are local and specific to the node kubeadm is + executing on. + type: object + name: + description: Name is the `.Metadata.Name` field of the + Node API object that will be created in this `kubeadm + init` or `kubeadm join` operation. This field is also + used in the CommonName field of the kubelet's client + certificate to the API server. Defaults to the hostname + of the node if not provided. + type: string + taints: + description: 'Taints specifies the taints the Node API + object should be registered with. If this field is unset, + i.e. nil, in the `kubeadm init` process it will be defaulted + to []v1.Taint{''node-role.kubernetes.io/master=""''}. + If you don''t want to taint your control-plane node, + set this field to an empty slice, i.e. `taints: {}` + in the YAML file. This field is solely used for Node + registration.' + items: + description: The node this Taint is attached to has + the "effect" on any pod that does not tolerate the + Taint. + properties: + effect: + description: Required. The effect of the taint on + pods that do not tolerate the taint. Valid effects + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied + to a node. + type: string + timeAdded: + description: TimeAdded represents the time at which + the taint was added. It is only written for NoExecute + taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding + to the taint key. + type: string + required: + - effect + - key + type: object + type: array + type: object + type: object + ntp: + description: NTP specifies NTP configuration + properties: + enabled: + description: Enabled specifies whether NTP should be enabled + type: boolean + servers: + description: Servers specifies which NTP servers to use + items: + type: string + type: array + type: object + postKubeadmCommands: + description: PostKubeadmCommands specifies extra commands to run + after kubeadm runs + items: + type: string + type: array + preKubeadmCommands: + description: PreKubeadmCommands specifies extra commands to run + before kubeadm runs + items: + type: string + type: array + useExperimentalRetryJoin: + description: "UseExperimentalRetryJoin replaces a basic kubeadm + command with a shell script with retries for joins. \n This + is meant to be an experimental temporary workaround on some + environments where joins fail due to timing (and other issues). + The long term goal is to add retries to kubeadm proper and use + that functionality. \n This will add about 40KB to userdata + \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055." + type: boolean + users: + description: Users specifies extra users to add + items: + description: User defines the input for a generated user in + cloud-init. + properties: + gecos: + description: Gecos specifies the gecos to use for the user + type: string + groups: + description: Groups specifies the additional groups for + the user + type: string + homeDir: + description: HomeDir specifies the home directory to use + for the user + type: string + inactive: + description: Inactive specifies whether to mark the user + as inactive + type: boolean + lockPassword: + description: LockPassword specifies if password login should + be disabled + type: boolean + name: + description: Name specifies the user name + type: string + passwd: + description: Passwd specifies a hashed password for the + user + type: string + primaryGroup: + description: PrimaryGroup specifies the primary group for + the user + type: string + shell: + description: Shell specifies the user's shell + type: string + sshAuthorizedKeys: + description: SSHAuthorizedKeys specifies a list of ssh authorized + keys for the user + items: + type: string + type: array + sudo: + description: Sudo specifies a sudo role for the user + type: string + required: + - name + type: object + type: array + verbosity: + description: Verbosity is the number for the kubeadm log level + verbosity. It overrides the `--v` flag in kubeadm commands. + format: int32 + type: integer + type: object + replicas: + description: Number of desired machines. Defaults to 1. When stacked + etcd is used only odd numbers are permitted, as per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members). + This is a pointer to distinguish between explicit zero and not specified. + format: int32 + type: integer + upgradeAfter: + description: UpgradeAfter is a field to indicate an upgrade should + be performed after the specified time even if no changes have been + made to the KubeadmControlPlane + format: date-time + type: string + version: + description: Version defines the desired Kubernetes version. + minLength: 2 + pattern: ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)([-0-9a-zA-Z_\.+]*)?$ + type: string + required: + - infrastructureTemplate + - kubeadmConfigSpec + - version + type: object + status: + description: KubeadmControlPlaneStatus defines the observed state of KubeadmControlPlane. + properties: + failureMessage: + description: ErrorMessage indicates that there is a terminal problem + reconciling the state, and will be set to a descriptive error message. + type: string + failureReason: + description: FailureReason indicates that there is a terminal problem + reconciling the state, and will be set to a token value suitable + for programmatic interpretation. + type: string + initialized: + description: Initialized denotes whether or not the control plane + has the uploaded kubeadm-config configmap. + type: boolean + ready: + description: Ready denotes that the KubeadmControlPlane API Server + is ready to receive requests. + type: boolean + readyReplicas: + description: Total number of fully running and ready control plane + machines. + format: int32 + type: integer + replicas: + description: Total number of non-terminated machines targeted by this + control plane (their labels match the selector). + format: int32 + type: integer + selector: + description: 'Selector is the label selector in string format to avoid + introspection by clients, and is used to provide the CRD-based integration + for the scale subresource and additional integrations for things + like kubectl describe.. The string will be in the same format as + the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors' + type: string + unavailableReplicas: + description: Total number of unavailable machines targeted by this + control plane. This is the total number of machines that are still + required for the deployment to have 100% available capacity. They + may either be machines that are running but not yet ready or machines + that still have not been created. + format: int32 + type: integer + updatedReplicas: + description: Total number of non-terminated machines targeted by this + control plane that have the desired template spec. + format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.selector + specReplicasPath: .spec.replicas + statusReplicasPath: .status.replicas + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/cacpk/v0.3.3/crd/kustomization.yaml b/manifests/function/cacpk/v0.3.3/crd/kustomization.yaml new file mode 100644 index 000000000..61134db8c --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/crd/kustomization.yaml @@ -0,0 +1,24 @@ +commonLabels: + cluster.x-k8s.io/v1alpha3: v1alpha3 + +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/ +resources: + - bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml +# +kubebuilder:scaffold:crdkustomizeresource + +patchesStrategicMerge: + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. + # patches here are for enabling the conversion webhook for each CRD + - patches/webhook_in_kubeadmcontrolplanes.yaml + # +kubebuilder:scaffold:crdkustomizewebhookpatch + + # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. + # patches here are for enabling the CA injection for each CRD + - patches/cainjection_in_kubeadmcontrolplanes.yaml +# +kubebuilder:scaffold:crdkustomizecainjectionpatch + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: + - kustomizeconfig.yaml diff --git a/manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml new file mode 100644 index 000000000..e3fd575d6 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml @@ -0,0 +1,17 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: + - kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: + - path: metadata/annotations diff --git a/manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml b/manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml new file mode 100644 index 000000000..08aec1dbb --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io diff --git a/manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml b/manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml new file mode 100644 index 000000000..0b71de009 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/cacpk/v0.3.3/default/kustomization.yaml b/manifests/function/cacpk/v0.3.3/default/kustomization.yaml new file mode 100644 index 000000000..17f25ac03 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/default/kustomization.yaml @@ -0,0 +1,8 @@ +namespace: capi-kubeadm-control-plane-system + +resources: +- namespace.yaml + +bases: +- ../rbac +- ../manager diff --git a/manifests/function/cacpk/v0.3.3/default/namespace.yaml b/manifests/function/cacpk/v0.3.3/default/namespace.yaml new file mode 100644 index 000000000..8b55c3cd8 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/default/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system diff --git a/manifests/function/cacpk/v0.3.3/kustomization.yaml b/manifests/function/cacpk/v0.3.3/kustomization.yaml new file mode 100644 index 000000000..15967b1c0 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/kustomization.yaml @@ -0,0 +1,17 @@ +namePrefix: capi-kubeadm-control-plane- + +commonLabels: + cluster.x-k8s.io/provider: "control-plane-kubeadm" + +bases: +- crd +- default +- webhook + +patchesJson6902: +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io + path: patch_crd_webhook_namespace.yaml diff --git a/manifests/function/cacpk/v0.3.3/manager/kustomization.yaml b/manifests/function/cacpk/v0.3.3/manager/kustomization.yaml new file mode 100644 index 000000000..4fe69200e --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/kustomization.yaml @@ -0,0 +1,7 @@ +resources: +- manager.yaml + +patchesStrategicMerge: +- manager_pull_policy.yaml +- manager_image_patch.yaml +- manager_auth_proxy_patch.yaml diff --git a/manifests/function/cacpk/v0.3.3/manager/manager.yaml b/manifests/function/cacpk/v0.3.3/manager/manager.yaml new file mode 100644 index 000000000..41e87eee5 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/manager.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - command: + - /manager + args: + - --enable-leader-election + image: controller:latest + name: manager + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..61cb5e7cb --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml @@ -0,0 +1,25 @@ +# This patch inject a sidecar container which is a HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: manager + args: + - "--metrics-addr=127.0.0.1:8080" + - "--enable-leader-election" diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml new file mode 100644 index 000000000..52efc6131 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3 + name: manager diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e new file mode 100644 index 000000000..46ae15ec1 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:master + name: manager diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml new file mode 100644 index 000000000..cd7ae12c0 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: IfNotPresent diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e new file mode 100644 index 000000000..74a0879c6 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: Always diff --git a/manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml b/manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml new file mode 100644 index 000000000..110f3a494 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml @@ -0,0 +1,3 @@ +- op: replace + path: "/spec/conversion/webhook/clientConfig/service/namespace" + value: capi-webhook-system diff --git a/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml new file mode 100644 index 000000000..618f5e417 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 000000000..48ed1e4b8 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml new file mode 100644 index 000000000..6cf656be1 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager diff --git a/manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml b/manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml new file mode 100644 index 000000000..817f1fe61 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml @@ -0,0 +1,11 @@ +resources: +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 3 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml diff --git a/manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml new file mode 100644 index 000000000..eaa79158f --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml @@ -0,0 +1,32 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..eed16906f --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/cacpk/v0.3.3/rbac/role.yaml b/manifests/function/cacpk/v0.3.3/rbac/role.yaml new file mode 100644 index 000000000..481c8a77e --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/role.yaml @@ -0,0 +1,100 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - bootstrap.cluster.x-k8s.io + - controlplane.cluster.x-k8s.io + - infrastructure.cluster.x-k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - patch + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: manager-role + namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - list + - watch +- apiGroups: + - rbac + resources: + - rolebindings + verbs: + - create + - get + - list + - watch +- apiGroups: + - rbac + resources: + - roles + verbs: + - create + - get + - list + - watch diff --git a/manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml b/manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml new file mode 100644 index 000000000..8f2658702 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml b/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml new file mode 100644 index 000000000..23314b771 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml @@ -0,0 +1,43 @@ +namespace: capi-webhook-system + +resources: +- manifests.yaml +- service.yaml +- ../certmanager +- ../manager + +configurations: +- kustomizeconfig.yaml + +patchesStrategicMerge: +- manager_webhook_patch.yaml +- webhookcainjection_patch.yaml + +vars: +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace +- name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml +- name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace +- name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service diff --git a/manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml new file mode 100644 index 000000000..fddf04146 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml @@ -0,0 +1,27 @@ +# the following config is for teaching kustomize where to look at when substituting vars. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: +- kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true + +varReference: +- path: metadata/annotations +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml b/manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml new file mode 100644 index 000000000..671fb1f8e --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-addr=127.0.0.1:8080" + - "--webhook-port=9443" + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: $(SERVICE_NAME)-cert diff --git a/manifests/function/cacpk/v0.3.3/webhook/manifests.yaml b/manifests/function/cacpk/v0.3.3/webhook/manifests.yaml new file mode 100644 index 000000000..d5ca20073 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/webhook/manifests.yaml @@ -0,0 +1,54 @@ + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: mutating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /mutate-controlplane-cluster-x-k8s-io-v1alpha3-kubeadmcontrolplane + failurePolicy: Fail + matchPolicy: Equivalent + name: default.kubeadmcontrolplane.controlplane.cluster.x-k8s.io + rules: + - apiGroups: + - controlplane.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - kubeadmcontrolplanes + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-controlplane-cluster-x-k8s-io-v1alpha3-kubeadmcontrolplane + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.kubeadmcontrolplane.controlplane.cluster.x-k8s.io + rules: + - apiGroups: + - controlplane.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - kubeadmcontrolplanes diff --git a/manifests/function/cacpk/v0.3.3/webhook/service.yaml b/manifests/function/cacpk/v0.3.3/webhook/service.yaml new file mode 100644 index 000000000..9bc95014f --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/webhook/service.yaml @@ -0,0 +1,10 @@ + +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + targetPort: webhook-server diff --git a/manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml b/manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml new file mode 100644 index 000000000..7e79bf995 --- /dev/null +++ b/manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml @@ -0,0 +1,15 @@ +# This patch add annotation to admission webhook config and +# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)