Merge "Add CAPD config v0.3.11"

This commit is contained in:
Zuul 2020-10-22 18:19:00 +00:00 committed by Gerrit Code Review
commit 14ae7e5129
38 changed files with 1190 additions and 0 deletions

View File

@ -0,0 +1,24 @@
# The following manifests contain a self-signed issuer CR and a certificate CR.
# More document can be found at https://docs.cert-manager.io
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: system
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec:
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
dnsNames:
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize

View File

@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- certificate.yaml
configurations:
- kustomizeconfig.yaml

View File

@ -0,0 +1,19 @@
# This configuration is for teaching kustomize how to update name ref and var substitution
nameReference:
- kind: Issuer
group: cert-manager.io
fieldSpecs:
- kind: Certificate
group: cert-manager.io
path: spec/issuerRef/name
varReference:
- kind: Certificate
group: cert-manager.io
path: spec/commonName
- kind: Certificate
group: cert-manager.io
path: spec/dnsNames
- kind: Certificate
group: cert-manager.io
path: spec/secretName

View File

@ -0,0 +1,165 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6
creationTimestamp: null
name: dockermachinepools.exp.infrastructure.cluster.x-k8s.io
spec:
group: exp.infrastructure.cluster.x-k8s.io
names:
categories:
- cluster-api
kind: DockerMachinePool
listKind: DockerMachinePoolList
plural: dockermachinepools
singular: dockermachinepool
scope: Namespaced
versions:
- name: v1alpha3
schema:
openAPIV3Schema:
description: DockerMachinePool is the Schema for the dockermachinepools API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: DockerMachinePoolSpec defines the desired state of DockerMachinePool
properties:
providerID:
description: ProviderID is the identification ID of the Machine Pool
type: string
providerIDList:
description: ProviderIDList is the list of identification IDs of machine instances managed by this Machine Pool
items:
type: string
type: array
template:
description: Template contains the details used to build a replica machine within the Machine Pool
properties:
customImage:
description: CustomImage allows customizing the container image that is used for running the machine
type: string
extraMounts:
description: ExtraMounts describes additional mount points for the node container These may be used to bind a hostPath
items:
description: Mount specifies a host volume to mount into a container. This is a simplified version of kind v1alpha4.Mount types
properties:
containerPath:
description: Path of the mount within the container.
type: string
hostPath:
description: Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container.
type: string
readOnly:
description: If set, the mount is read-only.
type: boolean
type: object
type: array
preLoadImages:
description: PreLoadImages allows to pre-load images in a newly created machine. This can be used to speed up tests by avoiding e.g. to download CNI images on all the containers.
items:
type: string
type: array
type: object
type: object
status:
description: DockerMachinePoolStatus defines the observed state of DockerMachinePool
properties:
conditions:
description: Conditions defines current service state of the DockerMachinePool.
items:
description: Condition defines an observation of a Cluster API resource operational state.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: A human readable message indicating details about the transition. This field may be empty.
type: string
reason:
description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.
type: string
severity:
description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.
type: string
required:
- status
- type
type: object
type: array
instances:
description: Instances contains the status for each instance in the pool
items:
properties:
addresses:
description: Addresses contains the associated addresses for the docker machine.
items:
description: MachineAddress contains information for the node's address.
properties:
address:
description: The machine address.
type: string
type:
description: Machine address type, one of Hostname, ExternalIP or InternalIP.
type: string
required:
- address
- type
type: object
type: array
bootstrapped:
description: Bootstrapped is true when the kubeadm bootstrapping has been run against this machine
type: boolean
instanceName:
description: InstanceName is the identification of the Machine Instance within the Machine Pool
type: string
providerID:
description: ProviderID is the provider identification of the Machine Pool Instance
type: string
ready:
description: Ready denotes that the machine (docker container) is ready
type: boolean
version:
description: Version defines the Kubernetes version for the Machine Instance
type: string
type: object
type: array
observedGeneration:
description: The generation observed by the deployment controller.
format: int64
type: integer
ready:
description: Ready denotes that the machine pool is ready
type: boolean
replicas:
description: Replicas is the most recently observed number of replicas.
format: int32
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,129 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6
creationTimestamp: null
name: dockerclusters.infrastructure.cluster.x-k8s.io
spec:
group: infrastructure.cluster.x-k8s.io
names:
categories:
- cluster-api
kind: DockerCluster
listKind: DockerClusterList
plural: dockerclusters
singular: dockercluster
scope: Namespaced
versions:
- name: v1alpha3
schema:
openAPIV3Schema:
description: DockerCluster is the Schema for the dockerclusters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: DockerClusterSpec defines the desired state of DockerCluster.
properties:
controlPlaneEndpoint:
description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.
properties:
host:
description: Host is the hostname on which the API server is serving.
type: string
port:
description: Port is the port on which the API server is serving.
type: integer
required:
- host
- port
type: object
failureDomains:
additionalProperties:
description: FailureDomainSpec is the Schema for Cluster API failure domains. It allows controllers to understand how many failure domains a cluster can optionally span across.
properties:
attributes:
additionalProperties:
type: string
description: Attributes is a free form map of attributes an infrastructure provider might use or require.
type: object
controlPlane:
description: ControlPlane determines if this failure domain is suitable for use by control plane machines.
type: boolean
type: object
description: FailureDomains are not usulaly defined on the spec. The docker provider is special since failure domains don't mean anything in a local docker environment. Instead, the docker cluster controller will simply copy these into the Status and allow the Cluster API controllers to do what they will with the defined failure domains.
type: object
type: object
status:
description: DockerClusterStatus defines the observed state of DockerCluster.
properties:
conditions:
description: Conditions defines current service state of the DockerCluster.
items:
description: Condition defines an observation of a Cluster API resource operational state.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: A human readable message indicating details about the transition. This field may be empty.
type: string
reason:
description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.
type: string
severity:
description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.
type: string
required:
- status
- type
type: object
type: array
failureDomains:
additionalProperties:
description: FailureDomainSpec is the Schema for Cluster API failure domains. It allows controllers to understand how many failure domains a cluster can optionally span across.
properties:
attributes:
additionalProperties:
type: string
description: Attributes is a free form map of attributes an infrastructure provider might use or require.
type: object
controlPlane:
description: ControlPlane determines if this failure domain is suitable for use by control plane machines.
type: boolean
type: object
description: FailureDomains don't mean much in CAPD since it's all local, but we can see how the rest of cluster API will use this if we populate it.
type: object
ready:
description: Ready denotes that the docker cluster (infrastructure) is ready.
type: boolean
required:
- ready
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,133 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6
creationTimestamp: null
name: dockermachines.infrastructure.cluster.x-k8s.io
spec:
group: infrastructure.cluster.x-k8s.io
names:
categories:
- cluster-api
kind: DockerMachine
listKind: DockerMachineList
plural: dockermachines
singular: dockermachine
scope: Namespaced
versions:
- name: v1alpha3
schema:
openAPIV3Schema:
description: DockerMachine is the Schema for the dockermachines API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: DockerMachineSpec defines the desired state of DockerMachine
properties:
bootstrapped:
description: Bootstrapped is true when the kubeadm bootstrapping has been run against this machine
type: boolean
customImage:
description: CustomImage allows customizing the container image that is used for running the machine
type: string
extraMounts:
description: ExtraMounts describes additional mount points for the node container These may be used to bind a hostPath
items:
description: Mount specifies a host volume to mount into a container. This is a simplified version of kind v1alpha4.Mount types
properties:
containerPath:
description: Path of the mount within the container.
type: string
hostPath:
description: Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container.
type: string
readOnly:
description: If set, the mount is read-only.
type: boolean
type: object
type: array
preLoadImages:
description: PreLoadImages allows to pre-load images in a newly created machine. This can be used to speed up tests by avoiding e.g. to download CNI images on all the containers.
items:
type: string
type: array
providerID:
description: ProviderID will be the container name in ProviderID format (docker:////<containername>)
type: string
type: object
status:
description: DockerMachineStatus defines the observed state of DockerMachine
properties:
addresses:
description: Addresses contains the associated addresses for the docker machine.
items:
description: MachineAddress contains information for the node's address.
properties:
address:
description: The machine address.
type: string
type:
description: Machine address type, one of Hostname, ExternalIP or InternalIP.
type: string
required:
- address
- type
type: object
type: array
conditions:
description: Conditions defines current service state of the DockerMachine.
items:
description: Condition defines an observation of a Cluster API resource operational state.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: A human readable message indicating details about the transition. This field may be empty.
type: string
reason:
description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.
type: string
severity:
description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.
type: string
required:
- status
- type
type: object
type: array
loadBalancerConfigured:
description: LoadBalancerConfigured denotes that the machine has been added to the load balancer
type: boolean
ready:
description: Ready denotes that the machine (docker container) is ready
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,88 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6
creationTimestamp: null
name: dockermachinetemplates.infrastructure.cluster.x-k8s.io
spec:
group: infrastructure.cluster.x-k8s.io
names:
categories:
- cluster-api
kind: DockerMachineTemplate
listKind: DockerMachineTemplateList
plural: dockermachinetemplates
singular: dockermachinetemplate
scope: Namespaced
versions:
- name: v1alpha3
schema:
openAPIV3Schema:
description: DockerMachineTemplate is the Schema for the dockermachinetemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: DockerMachineTemplateSpec defines the desired state of DockerMachineTemplate
properties:
template:
description: DockerMachineTemplateResource describes the data needed to create a DockerMachine from a template
properties:
spec:
description: Spec is the specification of the desired behavior of the machine.
properties:
bootstrapped:
description: Bootstrapped is true when the kubeadm bootstrapping has been run against this machine
type: boolean
customImage:
description: CustomImage allows customizing the container image that is used for running the machine
type: string
extraMounts:
description: ExtraMounts describes additional mount points for the node container These may be used to bind a hostPath
items:
description: Mount specifies a host volume to mount into a container. This is a simplified version of kind v1alpha4.Mount types
properties:
containerPath:
description: Path of the mount within the container.
type: string
hostPath:
description: Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container.
type: string
readOnly:
description: If set, the mount is read-only.
type: boolean
type: object
type: array
preLoadImages:
description: PreLoadImages allows to pre-load images in a newly created machine. This can be used to speed up tests by avoiding e.g. to download CNI images on all the containers.
items:
type: string
type: array
providerID:
description: ProviderID will be the container name in ProviderID format (docker:////<containername>)
type: string
type: object
required:
- spec
type: object
required:
- template
type: object
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

View File

@ -0,0 +1,31 @@
commonLabels:
cluster.x-k8s.io/v1alpha3: v1alpha3
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml
- bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml
- bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml
- bases/exp.infrastructure.cluster.x-k8s.io_dockermachinepools.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patchesStrategicMerge: []
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_dockermachines.yaml
#- patches/webhook_in_dockerclusters.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_dockermachines.yaml
#- patches/cainjection_in_dockerclusters.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml

View File

@ -0,0 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations

View File

@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: dockerclusters.infrastructure.cluster.x-k8s.io

View File

@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: dockermachinepools.exp.infrastructure.cluster.x-k8s.io

View File

@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: dockermachines.infrastructure.cluster.x-k8s.io

View File

@ -0,0 +1,19 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: dockerclusters.infrastructure.cluster.x-k8s.io
spec:
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert

View File

@ -0,0 +1,19 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: dockermachinepools.exp.infrastructure.cluster.x-k8s.io
spec:
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert

View File

@ -0,0 +1,19 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: dockermachines.infrastructure.cluster.x-k8s.io
spec:
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert

View File

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: capd-system
resources:
- namespace.yaml
bases:
- ../rbac

View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system

View File

@ -0,0 +1,9 @@
namePrefix: capd-
commonLabels:
cluster.x-k8s.io/provider: "infrastructure-docker"
resources:
- crd
- default
- webhook

View File

@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- manager.yaml
patchesStrategicMerge:
- manager_image_patch.yaml
- manager_auth_proxy_patch.yaml

View File

@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- args:
- --enable-leader-election
image: controller:latest
name: manager
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
volumeMounts:
- mountPath: /var/run/docker.sock
name: dockersock
securityContext:
privileged: true
terminationGracePeriodSeconds: 10
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- name: dockersock
hostPath:
path: /var/run/docker.sock

View File

@ -0,0 +1,26 @@
# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}"
- "--metrics-addr=0"
- "-v=4"

View File

@ -0,0 +1,12 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
# Change the value of image field below to your controller image URL
- image: gcr.io/k8s-staging-cluster-api/capd-manager:master
name: manager

View File

@ -0,0 +1,19 @@
# This patch enables Prometheus scraping for the manager pod.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
metadata:
annotations:
prometheus.io/scrape: 'true'
spec:
containers:
# Expose the prometheus metrics on default port
- name: manager
ports:
- containerPort: 8080
name: metrics
protocol: TCP

View File

@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
imagePullPolicy: Always

View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]

View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/port: "8443"
prometheus.io/scheme: https
prometheus.io/scrape: "true"
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager

View File

@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 3 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml

View File

@ -0,0 +1,44 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete

View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

View File

@ -0,0 +1,85 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- clusters
- machines
verbs:
- get
- list
- watch
- apiGroups:
- exp.cluster.x-k8s.io
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- exp.infrastructure.cluster.x-k8s.io
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- dockerclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- dockerclusters/status
verbs:
- get
- patch
- update
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- dockermachines
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- infrastructure.cluster.x-k8s.io
resources:
- dockermachines/status
verbs:
- get
- patch
- update

View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: system

View File

@ -0,0 +1,45 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: capd-system
resources:
- manifests.yaml
- service.yaml
- ../certmanager
- ../manager
patchesStrategicMerge:
- manager_webhook_patch.yaml
- webhookcainjection_patch.yaml
configurations:
- kustomizeconfig.yaml
vars:
- name: SERVICE_NAMESPACE # namespace of the service
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: SERVICE_NAME
objref:
kind: Service
version: v1
name: webhook-service
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
objref:
kind: Certificate
group: cert-manager.io
version: v1alpha2
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATE_NAME
objref:
kind: Certificate
group: cert-manager.io
version: v1alpha2
name: serving-cert # this name should match the one in certificate.yaml

View File

@ -0,0 +1,20 @@
# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
namespace:
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
varReference:
- path: metadata/annotations
- kind: Deployment
path: spec/template/spec/volumes/secret/secretName

View File

@ -0,0 +1,24 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize

View File

@ -0,0 +1,30 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
creationTimestamp: null
name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: Cg==
service:
name: webhook-service
namespace: system
path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-dockermachinetemplate
failurePolicy: Fail
matchPolicy: Equivalent
name: validation.dockermachinetemplate.infrastructure.cluster.x-k8s.io
rules:
- apiGroups:
- infrastructure.cluster.x-k8s.io
apiVersions:
- v1alpha3
operations:
- CREATE
- UPDATE
resources:
- dockermachinetemplates
sideEffects: None

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: webhook-service
namespace: system
spec:
ports:
- port: 443
targetPort: 9443
selector:
control-plane: controller-manager

View File

@ -0,0 +1,8 @@
# This patch add annotation to admission webhook config and
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)