From 4888c256f52ec43fc0552e715e3e748db7d5eaf8 Mon Sep 17 00:00:00 2001 
From: Rishabh Kumar Jain Date: Thu, 15 Oct 2020 00:39:01 -0700 Subject: [PATCH] Add CAPD config v0.3.11 Adding manifests for CAPD config v0.3.11. Change-Id: Icfe95b68ee613e8e642ad8a8383a2b0cda01821e --- .../capd/v0.3.11/certmanager/certificate.yaml | 24 +++ .../v0.3.11/certmanager/kustomization.yaml | 8 + .../v0.3.11/certmanager/kustomizeconfig.yaml | 19 ++ ...e.cluster.x-k8s.io_dockermachinepools.yaml | 165 ++++++++++++++++++ ...cture.cluster.x-k8s.io_dockerclusters.yaml | 129 ++++++++++++++ ...cture.cluster.x-k8s.io_dockermachines.yaml | 133 ++++++++++++++ ...uster.x-k8s.io_dockermachinetemplates.yaml | 88 ++++++++++ .../capd/v0.3.11/crd/kustomization.yaml | 31 ++++ .../capd/v0.3.11/crd/kustomizeconfig.yaml | 17 ++ .../cainjection_in_dockerclusters.yaml | 8 + .../cainjection_in_dockermachinepools.yaml | 8 + .../cainjection_in_dockermachines.yaml | 8 + .../patches/webhook_in_dockerclusters.yaml | 19 ++ .../webhook_in_dockermachinepools.yaml | 19 ++ .../patches/webhook_in_dockermachines.yaml | 19 ++ .../capd/v0.3.11/default/kustomization.yaml | 9 + .../capd/v0.3.11/default/namespace.yaml | 6 + .../function/capd/v0.3.11/kustomization.yaml | 9 + .../capd/v0.3.11/manager/kustomization.yaml | 8 + .../capd/v0.3.11/manager/manager.yaml | 47 +++++ .../manager/manager_auth_proxy_patch.yaml | 26 +++ .../v0.3.11/manager/manager_image_patch.yaml | 12 ++ .../manager_prometheus_metrics_patch.yaml | 19 ++ .../v0.3.11/manager/manager_pull_policy.yaml | 11 ++ .../capd/v0.3.11/rbac/auth_proxy_role.yaml | 13 ++ .../v0.3.11/rbac/auth_proxy_role_binding.yaml | 12 ++ .../capd/v0.3.11/rbac/auth_proxy_service.yaml | 18 ++ .../capd/v0.3.11/rbac/kustomization.yaml | 13 ++ .../v0.3.11/rbac/leader_election_role.yaml | 44 +++++ .../rbac/leader_election_role_binding.yaml | 12 ++ .../function/capd/v0.3.11/rbac/role.yaml | 85 +++++++++ .../capd/v0.3.11/rbac/role_binding.yaml | 12 ++ .../capd/v0.3.11/webhook/kustomization.yaml | 45 +++++ .../capd/v0.3.11/webhook/kustomizeconfig.yaml | 20 +++ 
.../webhook/manager_webhook_patch.yaml | 24 +++ .../capd/v0.3.11/webhook/manifests.yaml | 30 ++++ .../capd/v0.3.11/webhook/service.yaml | 12 ++ .../webhook/webhookcainjection_patch.yaml | 8 + 38 files changed, 1190 insertions(+) create mode 100644 manifests/function/capd/v0.3.11/certmanager/certificate.yaml create mode 100644 manifests/function/capd/v0.3.11/certmanager/kustomization.yaml create mode 100644 manifests/function/capd/v0.3.11/certmanager/kustomizeconfig.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/bases/exp.infrastructure.cluster.x-k8s.io_dockermachinepools.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/kustomization.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/kustomizeconfig.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockerclusters.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachinepools.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachines.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockerclusters.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachinepools.yaml create mode 100644 manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachines.yaml create mode 100644 manifests/function/capd/v0.3.11/default/kustomization.yaml create mode 100644 manifests/function/capd/v0.3.11/default/namespace.yaml create mode 100644 manifests/function/capd/v0.3.11/kustomization.yaml create mode 100644 manifests/function/capd/v0.3.11/manager/kustomization.yaml create mode 100644 
manifests/function/capd/v0.3.11/manager/manager.yaml create mode 100644 manifests/function/capd/v0.3.11/manager/manager_auth_proxy_patch.yaml create mode 100644 manifests/function/capd/v0.3.11/manager/manager_image_patch.yaml create mode 100644 manifests/function/capd/v0.3.11/manager/manager_prometheus_metrics_patch.yaml create mode 100644 manifests/function/capd/v0.3.11/manager/manager_pull_policy.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/auth_proxy_role.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/auth_proxy_role_binding.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/auth_proxy_service.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/kustomization.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/leader_election_role.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/leader_election_role_binding.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/role.yaml create mode 100644 manifests/function/capd/v0.3.11/rbac/role_binding.yaml create mode 100644 manifests/function/capd/v0.3.11/webhook/kustomization.yaml create mode 100644 manifests/function/capd/v0.3.11/webhook/kustomizeconfig.yaml create mode 100644 manifests/function/capd/v0.3.11/webhook/manager_webhook_patch.yaml create mode 100644 manifests/function/capd/v0.3.11/webhook/manifests.yaml create mode 100644 manifests/function/capd/v0.3.11/webhook/service.yaml create mode 100644 manifests/function/capd/v0.3.11/webhook/webhookcainjection_patch.yaml diff --git a/manifests/function/capd/v0.3.11/certmanager/certificate.yaml b/manifests/function/capd/v0.3.11/certmanager/certificate.yaml new file mode 100644 index 000000000..cc53cbd94 --- /dev/null +++ b/manifests/function/capd/v0.3.11/certmanager/certificate.yaml 
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
+ namespace: system
+spec:
+ # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+ dnsNames:
+ - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+ - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/capd/v0.3.11/certmanager/kustomization.yaml b/manifests/function/capd/v0.3.11/certmanager/kustomization.yaml
new file mode 100644
index 000000000..438e93c2c
--- /dev/null
+++ b/manifests/function/capd/v0.3.11/certmanager/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capd/v0.3.11/certmanager/kustomizeconfig.yaml b/manifests/function/capd/v0.3.11/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capd/v0.3.11/certmanager/kustomizeconfig.yaml
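Review bot: The Issuer and Certificate in certificate.yaml are declared with `apiVersion: cert-manager.io/v1alpha2`, a pre-1.0 API; cert-manager 1.0 serves `cert-manager.io/v1`, and the v1alpha2/v1alpha3/v1beta1 versions were later removed (1.6), so these manifests will be rejected on a cluster whose cert-manager no longer serves them. The two objects use only `selfSigned: {}`, `dnsNames`, `issuerRef` and `secretName`, all of which exist unchanged in v1, so the move is `apiVersion: cert-manager.io/v1` on both documents. If the intent is to mirror the upstream CAPD release verbatim, I would at least record the constraint in the header comment, e.g. `# Requires a cert-manager release that still serves cert-manager.io/v1alpha2.`, so the incompatibility is found before an apply fails.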
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+ group: cert-manager.io
+ fieldSpecs:
+ - kind: Certificate
+ group: cert-manager.io
+ path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+ group: cert-manager.io
+ path: spec/commonName
+- kind: Certificate
+ group: cert-manager.io
+ path: spec/dnsNames
+- kind: Certificate
+ group: cert-manager.io
+ path: spec/secretName
diff --git a/manifests/function/capd/v0.3.11/crd/bases/exp.infrastructure.cluster.x-k8s.io_dockermachinepools.yaml b/manifests/function/capd/v0.3.11/crd/bases/exp.infrastructure.cluster.x-k8s.io_dockermachinepools.yaml
new file mode 100644
index 000000000..6001b7e36
--- /dev/null
+++ b/manifests/function/capd/v0.3.11/crd/bases/exp.infrastructure.cluster.x-k8s.io_dockermachinepools.yaml
@@ -0,0 +1,165 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6 + creationTimestamp: null + name: dockermachinepools.exp.infrastructure.cluster.x-k8s.io +spec: + group: exp.infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerMachinePool + listKind: DockerMachinePoolList + plural: dockermachinepools + singular: dockermachinepool + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerMachinePool is the Schema for the dockermachinepools API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerMachinePoolSpec defines the desired state of DockerMachinePool + properties: + providerID: + description: ProviderID is the identification ID of the Machine Pool + type: string + providerIDList: + description: ProviderIDList is the list of identification IDs of machine instances managed by this Machine Pool + items: + type: string + type: array + template: + description: Template contains the details used to build a replica machine within the Machine Pool + properties: + customImage: + description: CustomImage allows customizing the container image that is used for running the machine + type: string + extraMounts: + description: ExtraMounts describes additional mount points for the node container These may be used to bind a hostPath + items: + description: Mount specifies a host volume to mount into a container. This is a simplified version of kind v1alpha4.Mount types + properties: + containerPath: + description: Path of the mount within the container. + type: string + hostPath: + description: Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container. + type: string + readOnly: + description: If set, the mount is read-only. + type: boolean + type: object + type: array + preLoadImages: + description: PreLoadImages allows to pre-load images in a newly created machine. This can be used to speed up tests by avoiding e.g. to download CNI images on all the containers. + items: + type: string + type: array + type: object + type: object + status: + description: DockerMachinePoolStatus defines the observed state of DockerMachinePool + properties: + conditions: + description: Conditions defines current service state of the DockerMachinePool. 
+ items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - status + - type + type: object + type: array + instances: + description: Instances contains the status for each instance in the pool + items: + properties: + addresses: + description: Addresses contains the associated addresses for the docker machine. + items: + description: MachineAddress contains information for the node's address. + properties: + address: + description: The machine address. + type: string + type: + description: Machine address type, one of Hostname, ExternalIP or InternalIP. 
+ type: string + required: + - address + - type + type: object + type: array + bootstrapped: + description: Bootstrapped is true when the kubeadm bootstrapping has been run against this machine + type: boolean + instanceName: + description: InstanceName is the identification of the Machine Instance within the Machine Pool + type: string + providerID: + description: ProviderID is the provider identification of the Machine Pool Instance + type: string + ready: + description: Ready denotes that the machine (docker container) is ready + type: boolean + version: + description: Version defines the Kubernetes version for the Machine Instance + type: string + type: object + type: array + observedGeneration: + description: The generation observed by the deployment controller. + format: int64 + type: integer + ready: + description: Ready denotes that the machine pool is ready + type: boolean + replicas: + description: Replicas is the most recently observed number of replicas. + format: int32 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml b/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml new file mode 100644 index 000000000..2bd6aac3a --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml 
@@ -0,0 +1,129 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6 + creationTimestamp: null + name: dockerclusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerCluster + listKind: DockerClusterList + plural: dockerclusters + singular: dockercluster + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerCluster is the Schema for the dockerclusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerClusterSpec defines the desired state of DockerCluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to communicate with the control plane. + properties: + host: + description: Host is the hostname on which the API server is serving. + type: string + port: + description: Port is the port on which the API server is serving. + type: integer + required: + - host + - port + type: object + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure domains. 
It allows controllers to understand how many failure domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains are not usulaly defined on the spec. The docker provider is special since failure domains don't mean anything in a local docker environment. Instead, the docker cluster controller will simply copy these into the Status and allow the Cluster API controllers to do what they will with the defined failure domains. + type: object + type: object + status: + description: DockerClusterStatus defines the observed state of DockerCluster. + properties: + conditions: + description: Conditions defines current service state of the DockerCluster. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. 
+ type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - status + - type + type: object + type: array + failureDomains: + additionalProperties: + description: FailureDomainSpec is the Schema for Cluster API failure domains. It allows controllers to understand how many failure domains a cluster can optionally span across. + properties: + attributes: + additionalProperties: + type: string + description: Attributes is a free form map of attributes an infrastructure provider might use or require. + type: object + controlPlane: + description: ControlPlane determines if this failure domain is suitable for use by control plane machines. + type: boolean + type: object + description: FailureDomains don't mean much in CAPD since it's all local, but we can see how the rest of cluster API will use this if we populate it. + type: object + ready: + description: Ready denotes that the docker cluster (infrastructure) is ready. + type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml b/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml new file mode 100644 index 000000000..a05f1c20a --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml 
@@ -0,0 +1,133 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6 + creationTimestamp: null + name: dockermachines.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerMachine + listKind: DockerMachineList + plural: dockermachines + singular: dockermachine + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerMachine is the Schema for the dockermachines API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerMachineSpec defines the desired state of DockerMachine + properties: + bootstrapped: + description: Bootstrapped is true when the kubeadm bootstrapping has been run against this machine + type: boolean + customImage: + description: CustomImage allows customizing the container image that is used for running the machine + type: string + extraMounts: + description: ExtraMounts describes additional mount points for the node container These may be used to bind a hostPath + items: + description: Mount specifies a host volume to mount into a container. 
This is a simplified version of kind v1alpha4.Mount types + properties: + containerPath: + description: Path of the mount within the container. + type: string + hostPath: + description: Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container. + type: string + readOnly: + description: If set, the mount is read-only. + type: boolean + type: object + type: array + preLoadImages: + description: PreLoadImages allows to pre-load images in a newly created machine. This can be used to speed up tests by avoiding e.g. to download CNI images on all the containers. + items: + type: string + type: array + providerID: + description: ProviderID will be the container name in ProviderID format (docker:////) + type: string + type: object + status: + description: DockerMachineStatus defines the observed state of DockerMachine + properties: + addresses: + description: Addresses contains the associated addresses for the docker machine. + items: + description: MachineAddress contains information for the node's address. + properties: + address: + description: The machine address. + type: string + type: + description: Machine address type, one of Hostname, ExternalIP or InternalIP. + type: string + required: + - address + - type + type: object + type: array + conditions: + description: Conditions defines current service state of the DockerMachine. + items: + description: Condition defines an observation of a Cluster API resource operational state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about the transition. 
This field may be empty. + type: string + reason: + description: The reason for the condition's last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. + type: string + severity: + description: Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. + type: string + required: + - status + - type + type: object + type: array + loadBalancerConfigured: + description: LoadBalancerConfigured denotes that the machine has been added to the load balancer + type: boolean + ready: + description: Ready denotes that the machine (docker container) is ready + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml b/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml new file mode 100644 index 000000000..21002627a --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml 
@@ -0,0 +1,88 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.1-0.20201002000720-57250aac17f6 + creationTimestamp: null + name: dockermachinetemplates.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: DockerMachineTemplate + listKind: DockerMachineTemplateList + plural: dockermachinetemplates + singular: dockermachinetemplate + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + description: DockerMachineTemplate is the Schema for the dockermachinetemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DockerMachineTemplateSpec defines the desired state of DockerMachineTemplate + properties: + template: + description: DockerMachineTemplateResource describes the data needed to create a DockerMachine from a template + properties: + spec: + description: Spec is the specification of the desired behavior of the machine. 
+ properties: + bootstrapped: + description: Bootstrapped is true when the kubeadm bootstrapping has been run against this machine + type: boolean + customImage: + description: CustomImage allows customizing the container image that is used for running the machine + type: string + extraMounts: + description: ExtraMounts describes additional mount points for the node container These may be used to bind a hostPath + items: + description: Mount specifies a host volume to mount into a container. This is a simplified version of kind v1alpha4.Mount types + properties: + containerPath: + description: Path of the mount within the container. + type: string + hostPath: + description: Path of the mount on the host. If the hostPath doesn't exist, then runtimes should report error. If the hostpath is a symbolic link, runtimes should follow the symlink and mount the real destination to container. + type: string + readOnly: + description: If set, the mount is read-only. + type: boolean + type: object + type: array + preLoadImages: + description: PreLoadImages allows to pre-load images in a newly created machine. This can be used to speed up tests by avoiding e.g. to download CNI images on all the containers. + items: + type: string + type: array + providerID: + description: ProviderID will be the container name in ProviderID format (docker:////) + type: string + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capd/v0.3.11/crd/kustomization.yaml b/manifests/function/capd/v0.3.11/crd/kustomization.yaml new file mode 100644 index 000000000..8323fd316 --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/kustomization.yaml 
@@ -0,0 +1,31 @@
+commonLabels:
+ cluster.x-k8s.io/v1alpha3: v1alpha3
+
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- bases/infrastructure.cluster.x-k8s.io_dockermachines.yaml
+- bases/infrastructure.cluster.x-k8s.io_dockerclusters.yaml
+- bases/infrastructure.cluster.x-k8s.io_dockermachinetemplates.yaml
+- bases/exp.infrastructure.cluster.x-k8s.io_dockermachinepools.yaml
+# +kubebuilder:scaffold:crdkustomizeresource
+
+patchesStrategicMerge: []
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+#- patches/webhook_in_dockermachines.yaml
+#- patches/webhook_in_dockerclusters.yaml
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_dockermachines.yaml
+#- patches/cainjection_in_dockerclusters.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capd/v0.3.11/crd/kustomizeconfig.yaml b/manifests/function/capd/v0.3.11/crd/kustomizeconfig.yaml
new file mode 100644
index 000000000..8e2d8d6b1
--- /dev/null
+++ b/manifests/function/capd/v0.3.11/crd/kustomizeconfig.yaml
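Review bot: The commented-out [WEBHOOK] and [CERTMANAGER] lists in crd/kustomization.yaml name only the dockermachines and dockerclusters patches, although this same commit adds `patches/webhook_in_dockermachinepools.yaml` and `patches/cainjection_in_dockermachinepools.yaml` (see the diffstat); whoever enables the webhook by uncommenting these lists would leave the DockerMachinePool CRD with no conversion webhook and no CA injection. I would add `#- patches/webhook_in_dockermachinepools.yaml` under the first list and `#- patches/cainjection_in_dockermachinepools.yaml` under the second. Separately, `patchesStrategicMerge: []` has to be replaced rather than extended when those entries are uncommented, because a block sequence following an explicit `[]` is a YAML parse error; a comment on that line, `# replace the [] with the list below when enabling the patches`, would prevent that round trip. The `# It should be run by config/` comment is inherited from upstream and does not match this tree's layout, where the parent kustomizations live under `manifests/function/capd/v0.3.11/` per the diffstat.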
@@ -0,0 +1,17 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockerclusters.yaml b/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockerclusters.yaml new file mode 100644 index 000000000..588b6d6b2 --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockerclusters.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: dockerclusters.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachinepools.yaml b/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachinepools.yaml new file mode 100644 index 000000000..14bbeb5ca --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachinepools.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: dockermachinepools.exp.infrastructure.cluster.x-k8s.io 
diff --git a/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachines.yaml b/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachines.yaml new file mode 100644 index 000000000..324733ad3 --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/patches/cainjection_in_dockermachines.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: dockermachines.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockerclusters.yaml b/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockerclusters.yaml new file mode 100644 index 000000000..2dfca085a --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockerclusters.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dockerclusters.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachinepools.yaml b/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachinepools.yaml new file mode 100644 index 000000000..6f25a71cd --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachinepools.yaml 
@@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dockermachinepools.exp.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert \ No newline at end of file diff --git a/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachines.yaml b/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachines.yaml new file mode 100644 index 000000000..a9c56366f --- /dev/null +++ b/manifests/function/capd/v0.3.11/crd/patches/webhook_in_dockermachines.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dockermachines.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capd/v0.3.11/default/kustomization.yaml b/manifests/function/capd/v0.3.11/default/kustomization.yaml new file mode 100644 index 000000000..6ff3f0269 --- /dev/null +++ b/manifests/function/capd/v0.3.11/default/kustomization.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: capd-system + +resources: + - namespace.yaml + +bases: + - ../rbac diff --git a/manifests/function/capd/v0.3.11/default/namespace.yaml b/manifests/function/capd/v0.3.11/default/namespace.yaml new file mode 100644 index 000000000..8b55c3cd8 --- /dev/null +++ b/manifests/function/capd/v0.3.11/default/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system diff --git a/manifests/function/capd/v0.3.11/kustomization.yaml b/manifests/function/capd/v0.3.11/kustomization.yaml new file mode 100644 index 000000000..bd7e5666a --- /dev/null +++ b/manifests/function/capd/v0.3.11/kustomization.yaml @@ -0,0 +1,9 @@ +namePrefix: capd- + +commonLabels: + cluster.x-k8s.io/provider: "infrastructure-docker" + +resources: +- crd +- default +- webhook diff --git a/manifests/function/capd/v0.3.11/manager/kustomization.yaml b/manifests/function/capd/v0.3.11/manager/kustomization.yaml new file mode 100644 index 000000000..9d299adae --- /dev/null +++ b/manifests/function/capd/v0.3.11/manager/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- manager.yaml + +patchesStrategicMerge: + - manager_image_patch.yaml + - manager_auth_proxy_patch.yaml diff --git a/manifests/function/capd/v0.3.11/manager/manager.yaml b/manifests/function/capd/v0.3.11/manager/manager.yaml new file mode 100644 index 000000000..60a6333a2 --- /dev/null +++ b/manifests/function/capd/v0.3.11/manager/manager.yaml 
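Review bot: `patchesStrategicMerge` in manager/kustomization.yaml lists only `manager_image_patch.yaml` and `manager_auth_proxy_patch.yaml`, so the `manager_pull_policy.yaml` and `manager_prometheus_metrics_patch.yaml` files added later in this commit are never applied by kustomize. Either add them here (`- manager_pull_policy.yaml`, `- manager_prometheus_metrics_patch.yaml`) or delete them, so the tree does not suggest an `imagePullPolicy: Always` and a scraped metrics port that the rendered Deployment does not actually have. The file also mixes flush (`- manager.yaml`) and indented (`  - manager_image_patch.yaml`) sequence style within the same document; pick one per file.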
@@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - args: + - --enable-leader-election + image: controller:latest + name: manager + ports: + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + volumeMounts: + - mountPath: /var/run/docker.sock + name: dockersock + securityContext: + privileged: true + terminationGracePeriodSeconds: 10 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - name: dockersock + hostPath: + path: /var/run/docker.sock diff --git a/manifests/function/capd/v0.3.11/manager/manager_auth_proxy_patch.yaml b/manifests/function/capd/v0.3.11/manager/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..42d3f1771 --- /dev/null +++ b/manifests/function/capd/v0.3.11/manager/manager_auth_proxy_patch.yaml @@ -0,0 +1,26 @@ +# This patch inject a sidecar container which is a HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: manager + args: + - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}" + - "--metrics-addr=0" + - "-v=4" 
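Review bot: The manager container in manager.yaml runs with `privileged: true` and bind-mounts the host's `/var/run/docker.sock`, which gives anything that compromises the pod control of every container on that node, and nothing in the manifest says why that is acceptable. Add a comment above `securityContext`, e.g. `# CAPD creates workload-cluster nodes as containers on this node's Docker daemon; the socket mount plus privileged mode make this pod host-root equivalent, so this provider is for development/test clusters only`. Also check whether `privileged: true` is needed on top of the socket mount — the socket alone grants daemon access, and dropping privileged would at least keep the container's own namespace and capability restrictions; I cannot confirm the requirement from this hunk. The pod spec sets no `serviceAccountName`, so the manager runs as the namespace's `default` service account, which matters for the role bindings later in this commit.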
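Review bot: The manager args in manager_auth_proxy_patch.yaml include `--metrics-addr=0`, which disables the manager's metrics listener, so the kube-rbac-proxy sidecar's `--upstream=http://127.0.0.1:8080/` has nothing to forward to, and `controller-manager-metrics-service`, `proxy-role`, `proxy-rolebinding` and the "protects your /metrics endpoint" comment in rbac/kustomization.yaml all describe a path that does not exist. Either give the manager a metrics address or remove the sidecar together with its Service and RBAC objects; an unused listening sidecar only widens the pod's exposed surface. Independently, `--v=10` is maximal verbosity for a proxy that handles bearer tokens in request headers — confirm what kube-rbac-proxy writes to its log at that level before shipping it, and note that the pinned `kube-rbac-proxy:v0.4.0` is several releases behind the rest of this config.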
diff --git a/manifests/function/capd/v0.3.11/manager/manager_image_patch.yaml b/manifests/function/capd/v0.3.11/manager/manager_image_patch.yaml new file mode 100644 index 000000000..2b0a3fe80 --- /dev/null +++ b/manifests/function/capd/v0.3.11/manager/manager_image_patch.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + # Change the value of image field below to your controller image URL + - image: gcr.io/k8s-staging-cluster-api/capd-manager:master + name: manager diff --git a/manifests/function/capd/v0.3.11/manager/manager_prometheus_metrics_patch.yaml b/manifests/function/capd/v0.3.11/manager/manager_prometheus_metrics_patch.yaml new file mode 100644 index 000000000..0b96c6813 --- /dev/null +++ b/manifests/function/capd/v0.3.11/manager/manager_prometheus_metrics_patch.yaml @@ -0,0 +1,19 @@ +# This patch enables Prometheus scraping for the manager pod. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + spec: + containers: + # Expose the prometheus metrics on default port + - name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP diff --git a/manifests/function/capd/v0.3.11/manager/manager_pull_policy.yaml b/manifests/function/capd/v0.3.11/manager/manager_pull_policy.yaml new file mode 100644 index 000000000..74a0879c6 --- /dev/null +++ b/manifests/function/capd/v0.3.11/manager/manager_pull_policy.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: Always diff --git a/manifests/function/capd/v0.3.11/rbac/auth_proxy_role.yaml b/manifests/function/capd/v0.3.11/rbac/auth_proxy_role.yaml new file mode 100644 index 000000000..618f5e417 --- /dev/null 
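Review bot: The image patch pins the manager to `gcr.io/k8s-staging-cluster-api/capd-manager:master`, a mutable staging tag, so a config directory versioned as v0.3.11 deploys whatever the staging registry holds at pull time and cannot be reproduced or audited afterwards. Replace it with the released image for this provider version or, better, an immutable digest, e.g. `- image: gcr.io/k8s-staging-cluster-api/capd-manager@sha256:<DIGEST-PLACEHOLDER>` (the real reference has to come from the release; I cannot derive it from this hunk). The comment "Change the value of image field below to your controller image URL" is a scaffold placeholder and should instead state which image v0.3.11 expects. `manager_pull_policy.yaml` (next hunks) sets `imagePullPolicy: Always`, which, if it were wired into the kustomization, would turn every pod restart on a moving tag into a silent upgrade.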
+++ b/manifests/function/capd/v0.3.11/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/manifests/function/capd/v0.3.11/rbac/auth_proxy_role_binding.yaml b/manifests/function/capd/v0.3.11/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 000000000..48ed1e4b8 --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/capd/v0.3.11/rbac/auth_proxy_service.yaml b/manifests/function/capd/v0.3.11/rbac/auth_proxy_service.yaml new file mode 100644 index 000000000..d61e5469f --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/auth_proxy_service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "8443" + prometheus.io/scheme: https + prometheus.io/scrape: "true" + labels: + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager diff --git a/manifests/function/capd/v0.3.11/rbac/kustomization.yaml b/manifests/function/capd/v0.3.11/rbac/kustomization.yaml new file mode 100644 index 000000000..82895f516 --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/kustomization.yaml 
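Review bot: `proxy-rolebinding` grants ClusterRole `proxy-role` to the `default` service account of the `system` namespace, and `leader-election-rolebinding` and `manager-rolebinding` (later hunks) do the same for the leader-election Role and the `manager-role` ClusterRole, while manager.yaml sets no `serviceAccountName`. Binding to `default` means every pod that lands in the provider namespace without an explicit service account inherits cluster-wide secret reads and full control of the CAPD CRDs, and those grants cannot be revoked without breaking the manager. Create a dedicated account (`kind: ServiceAccount`, `name: manager`, `namespace: system`), point all three bindings at it with `name: manager`, and set `serviceAccountName: manager` on the Deployment's pod spec; kustomize's name prefix and reference tracking should keep the subject and the account in sync.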
@@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 3 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml diff --git a/manifests/function/capd/v0.3.11/rbac/leader_election_role.yaml b/manifests/function/capd/v0.3.11/rbac/leader_election_role.yaml new file mode 100644 index 000000000..86ba4b1ee --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/leader_election_role.yaml @@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete diff --git a/manifests/function/capd/v0.3.11/rbac/leader_election_role_binding.yaml b/manifests/function/capd/v0.3.11/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..eed16906f --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/leader_election_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: system 
diff --git a/manifests/function/capd/v0.3.11/rbac/role.yaml b/manifests/function/capd/v0.3.11/rbac/role.yaml new file mode 100644 index 000000000..c9f498b8d --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/role.yaml @@ -0,0 +1,85 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - machines + verbs: + - get + - list + - watch +- apiGroups: + - exp.cluster.x-k8s.io + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - exp.infrastructure.cluster.x-k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockerclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockerclusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockermachines + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - dockermachines/status + verbs: + - get + - patch + - update diff --git a/manifests/function/capd/v0.3.11/rbac/role_binding.yaml b/manifests/function/capd/v0.3.11/rbac/role_binding.yaml new file mode 100644 index 000000000..8f2658702 --- /dev/null +++ b/manifests/function/capd/v0.3.11/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system 
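Review bot: `manager-role` uses `resources: '*'` for the `exp.cluster.x-k8s.io` and `exp.infrastructure.cluster.x-k8s.io` groups, granting every current and future resource in those groups (full write in the second) rather than the kinds this controller reconciles; the rest of the hunk enumerates resources precisely, so the wildcards look like a generator shortcut. List the concrete kinds instead — this commit's CRDs add only `dockermachinepools` under `exp.infrastructure.cluster.x-k8s.io`, and the read rule on `exp.cluster.x-k8s.io` presumably needs only the machine-pool kind the controller watches; confirm against the controller's kubebuilder RBAC markers. The cluster-wide get/list/watch on core `secrets` is expected for a CAPI provider, but it is the most sensitive grant in this tree and deserves a comment stating why, e.g. `# workload-cluster kubeconfig/CA secrets`, especially while the role is bound to the `default` service account. The leading blank line and `creationTimestamp: null` are controller-gen artifacts and harmless.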
diff --git a/manifests/function/capd/v0.3.11/webhook/kustomization.yaml b/manifests/function/capd/v0.3.11/webhook/kustomization.yaml new file mode 100644 index 000000000..ec4e28426 --- /dev/null +++ b/manifests/function/capd/v0.3.11/webhook/kustomization.yaml @@ -0,0 +1,45 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: capd-system + +resources: +- manifests.yaml +- service.yaml +- ../certmanager +- ../manager + +patchesStrategicMerge: +- manager_webhook_patch.yaml +- webhookcainjection_patch.yaml + +configurations: +- kustomizeconfig.yaml + +vars: + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml diff --git a/manifests/function/capd/v0.3.11/webhook/kustomizeconfig.yaml b/manifests/function/capd/v0.3.11/webhook/kustomizeconfig.yaml new file mode 100644 index 000000000..7cf1cd553 --- /dev/null +++ b/manifests/function/capd/v0.3.11/webhook/kustomizeconfig.yaml 
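Review bot: The two Certificate `objref`s use `version: v1alpha2` of the `cert-manager.io` group, a legacy API version that later cert-manager releases have dropped, so `kustomize build` will still render but the Certificate the vars resolve against may be rejected by the cluster; the certmanager/ directory that has to match is not in this chunk, so I cannot confirm which version it declares. Add a comment pinning the supported range next to the objrefs, e.g. `# requires a cert-manager release that still serves cert-manager.io/v1alpha2`, or move this file and certmanager/certificate.yaml to a newer API version together. The "[CERTMANAGER] To enable cert-manager, uncomment all sections" comment is stale: the CERTIFICATE_NAMESPACE and CERTIFICATE_NAME vars under it are already active and `../certmanager` is already listed in `resources`.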
@@ -0,0 +1,20 @@ +# the following config is for teaching kustomize where to look at when substituting vars. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true + +varReference: +- path: metadata/annotations +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/manifests/function/capd/v0.3.11/webhook/manager_webhook_patch.yaml b/manifests/function/capd/v0.3.11/webhook/manager_webhook_patch.yaml new file mode 100644 index 000000000..f3d554cb0 --- /dev/null +++ b/manifests/function/capd/v0.3.11/webhook/manager_webhook_patch.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize + diff --git a/manifests/function/capd/v0.3.11/webhook/manifests.yaml b/manifests/function/capd/v0.3.11/webhook/manifests.yaml new file mode 100644 index 000000000..cdc8b4b55 --- /dev/null +++ b/manifests/function/capd/v0.3.11/webhook/manifests.yaml 
@@ -0,0 +1,30 @@ + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-dockermachinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.dockermachinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - dockermachinetemplates + sideEffects: None diff --git a/manifests/function/capd/v0.3.11/webhook/service.yaml b/manifests/function/capd/v0.3.11/webhook/service.yaml new file mode 100644 index 000000000..31e0f8295 --- /dev/null +++ b/manifests/function/capd/v0.3.11/webhook/service.yaml @@ -0,0 +1,12 @@ + +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + control-plane: controller-manager diff --git a/manifests/function/capd/v0.3.11/webhook/webhookcainjection_patch.yaml b/manifests/function/capd/v0.3.11/webhook/webhookcainjection_patch.yaml new file mode 100644 index 000000000..47ef1d13c --- /dev/null +++ b/manifests/function/capd/v0.3.11/webhook/webhookcainjection_patch.yaml @@ -0,0 +1,8 @@ +# This patch add annotation to admission webhook config and +# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
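Review bot: `validating-webhook-configuration` declares `admissionReviewVersions` with only `v1beta1` while the object itself is `admissionregistration.k8s.io/v1`; the API server uses the first listed version it supports, so once it stops sending the v1beta1 AdmissionReview this webhook — which has `failurePolicy: Fail`, correctly fail-closed — will block every DockerMachineTemplate create and update. Add `- v1` ahead of `- v1beta1` if the manager's webhook server handles the v1 review, which I believe controller-runtime of this era does but cannot confirm from this hunk. `caBundle: Cg==` is the same placeholder used in the CRD patches and depends on `webhookcainjection_patch.yaml` (last hunk) plus cert-manager to be replaced; a comment here like the one in those patches would save the next reader the search.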