diff --git a/manifests/function/capm3/v0.3.1/certmanager/certificate.yaml b/manifests/function/capm3/v0.3.1/certmanager/certificate.yaml
new file mode 100644
index 000000000..af4e13ffe
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/certmanager/certificate.yaml
@@ -0,0 +1,24 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: system
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
+ namespace: system
+spec:
+ # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+ dnsNames:
+ - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+ - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
diff --git a/manifests/function/capm3/v0.3.1/certmanager/kustomization.yaml b/manifests/function/capm3/v0.3.1/certmanager/kustomization.yaml
new file mode 100644
index 000000000..e0182475f
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/certmanager/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capm3/v0.3.1/certmanager/kustomizeconfig.yaml b/manifests/function/capm3/v0.3.1/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/certmanager/kustomizeconfig.yaml
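Review bot: Both the Issuer and the Certificate in certificate.yaml pin `apiVersion: cert-manager.io/v1alpha2`, an API that cert-manager has since deprecated and, in newer releases, removed in favour of `cert-manager.io/v1`; against such a cert-manager no serving cert is issued and the conversion webhook that depends on it never becomes reachable. The Certificate also sets no `duration`/`renewBefore`, so rotation of a certificate the apiserver will trust via CA injection is left entirely to cert-manager defaults. I would add `duration: 8760h` and `renewBefore: 720h` (or the deployment's own policy) under `spec`, and extend the header comment to name the cert-manager versions this API version is valid for. The selfSigned issuer itself is the standard kubebuilder pattern and is acceptable because the leaf is injected only into the CRD's caBundle, not trusted cluster-wide.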
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+ group: cert-manager.io
+ fieldSpecs:
+ - kind: Certificate
+ group: cert-manager.io
+ path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+ group: cert-manager.io
+ path: spec/commonName
+- kind: Certificate
+ group: cert-manager.io
+ path: spec/dnsNames
+- kind: Certificate
+ group: cert-manager.io
+ path: spec/secretName
diff --git a/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3clusters.yaml b/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3clusters.yaml
new file mode 100644
index 000000000..ea8e43c3a
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3clusters.yaml
@@ -0,0 +1,225 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.8 + creationTimestamp: null + name: metal3clusters.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: Metal3Cluster + listKind: Metal3ClusterList + plural: metal3clusters + shortNames: + - m3c + - m3cluster + singular: metal3cluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: metal3Cluster is Ready + jsonPath: .status.ready + name: Ready + type: string + - description: Most recent error + jsonPath: .status.errorReason + name: Error + type: string + - description: API endpoints + jsonPath: .status.apiEndpoints + name: APIEndpoints + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: Metal3Cluster is the Schema for the metal3clusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3ClusterSpec defines the desired state of Metal3Cluster. + properties: + apiEndpoint: + type: string + noCloudProvider: + type: boolean + required: + - apiEndpoint + type: object + status: + description: Metal3ClusterStatus defines the observed state of Metal3Cluster. 
+ properties: + apiEndpoints: + description: APIEndpoints represents the endpoints to communicate + with the control plane. + items: + description: APIEndpoint represents a reachable Kubernetes API endpoint. + properties: + host: + description: Host is the hostname on which the API server is + serving. + type: string + port: + description: Port is the port on which the API server is serving. + type: integer + required: + - host + - port + type: object + type: array + errorMessage: + description: "ErrorMessage will be set in the event that there is + a terminal problem reconciling the metal3machine and will contain + a more verbose string suitable for logging and human consumption. + \n This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the metal3machine's spec or the configuration of the + controller, and that manual intervention is required. Examples of + terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the responsible + controller itself being critically misconfigured. \n Any transient + errors that occur during the reconciliation of Machines can be added + as events to the metal3machine object and/or logged in the controller's + output." + type: string + errorReason: + description: "ErrorReason will be set in the event that there is a + terminal problem reconciling the metal3machine and will contain + a succinct value suitable for machine interpretation. \n This field + should not be set for transitive errors that a controller faces + that are expected to be fixed automatically over time (like service + outages), but instead indicate that something is fundamentally wrong + with the metal3machine's spec or the configuration of the controller, + and that manual intervention is required. 
Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of Machines can be added as events + to the metal3machine object and/or logged in the controller's output." + type: string + lastUpdated: + description: LastUpdated identifies when this status was last observed. + format: date-time + type: string + ready: + description: Ready denotes that the Metal3 cluster (infrastructure) + is ready. In Baremetal case, it does not mean anything for now as + no infrastructure steps need to be performed. Required by Cluster + API. Set to True by the metal3Cluster controller after creation. + type: boolean + required: + - ready + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: metal3Cluster is Ready + jsonPath: .status.ready + name: Ready + type: string + - description: Most recent error + jsonPath: .status.failureReason + name: Error + type: string + - description: Cluster to which this BMCluster belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: Control plane endpoint + jsonPath: .spec.controlPlaneEndpoint + name: Endpoint + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: Metal3Cluster is the Schema for the metal3clusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3ClusterSpec defines the desired state of Metal3Cluster. + properties: + controlPlaneEndpoint: + description: ControlPlaneEndpoint represents the endpoint used to + communicate with the control plane. + properties: + host: + description: Host is the hostname on which the API server is serving. + type: string + port: + description: Port is the port on which the API server is serving. + type: integer + required: + - host + - port + type: object + noCloudProvider: + type: boolean + required: + - controlPlaneEndpoint + type: object + status: + description: Metal3ClusterStatus defines the observed state of Metal3Cluster. + properties: + failureMessage: + description: FailureMessage indicates that there is a fatal problem + reconciling the state, and will be set to a descriptive error message. + type: string + failureReason: + description: FailureReason indicates that there is a fatal problem + reconciling the state, and will be set to a token value suitable + for programmatic interpretation. + type: string + lastUpdated: + description: LastUpdated identifies when this status was last observed. + format: date-time + type: string + ready: + description: Ready denotes that the Metal3 cluster (infrastructure) + is ready. In Baremetal case, it does not mean anything for now as + no infrastructure steps need to be performed. Required by Cluster + API. Set to True by the metal3Cluster controller after creation. + type: boolean + required: + - ready + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] 
diff --git a/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3machines.yaml b/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3machines.yaml new file mode 100644 index 000000000..4b3d98ddc --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3machines.yaml 
@@ -0,0 +1,388 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.8 + creationTimestamp: null + name: metal3machines.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: Metal3Machine + listKind: Metal3MachineList + plural: metal3machines + shortNames: + - m3m + - m3machine + singular: metal3machine + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Provider ID + jsonPath: .spec.providerID + name: ProviderID + type: string + - description: Machines current phase + jsonPath: .status.phase + name: Phase + type: string + - description: metal3machine is Ready + jsonPath: .status.ready + name: Ready + type: string + - description: Most recent error + jsonPath: .status.errorReason + name: Error + type: string + name: v1alpha2 + schema: + openAPIV3Schema: + description: Metal3Machine is the Schema for the metal3machines API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3MachineSpec defines the desired state of Metal3Machine + properties: + hostSelector: + description: HostSelector specifies matching criteria for labels on + BareMetalHosts. 
This is used to limit the set of BareMetalHost objects + considered for claiming for a metal3machine. + properties: + matchExpressions: + description: Label match expressions that must be true on a chosen + BareMetalHost + items: + description: HostSelectorRequirement struct + properties: + key: + type: string + operator: + description: Operator represents a key/field's relationship + to value(s). See labels.Requirement and fields.Requirement + for more details. + type: string + values: + items: + type: string + type: array + required: + - key + - operator + - values + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: Key/value pairs of labels that must exist on a chosen + BareMetalHost + type: object + type: object + image: + description: Image is the image to be provisioned. + properties: + checksum: + description: Checksum is a md5sum value or a URL to retrieve one. + type: string + url: + description: URL is a location of an image to deploy. + type: string + required: + - checksum + - url + type: object + providerID: + description: ProviderID will be the Metal3 machine in ProviderID format + (baremetal:////) + type: string + userData: + description: UserData references the Secret that holds user data needed + by the bare metal operator. The Namespace is optional; it will default + to the metal3machine's namespace if not specified. + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + required: + - image + type: object + status: + description: Metal3MachineStatus defines the observed state of Metal3Machine + properties: + addresses: + description: Addresses is a list of addresses assigned to the machine. + This field is copied from the infrastructure provider reference. 
+ items: + description: MachineAddress contains information for the node's + address. + properties: + address: + description: The machine address. + type: string + type: + description: Machine address type, one of Hostname, ExternalIP + or InternalIP. + type: string + required: + - address + - type + type: object + type: array + errorMessage: + description: "ErrorMessage will be set in the event that there is + a terminal problem reconciling the metal3machine and will contain + a more verbose string suitable for logging and human consumption. + \n This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the metal3machine's spec or the configuration of the + controller, and that manual intervention is required. Examples of + terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the responsible + controller itself being critically misconfigured. \n Any transient + errors that occur during the reconciliation of metal3machines can + be added as events to the metal3machine object and/or logged in + the controller's output." + type: string + errorReason: + description: "ErrorReason will be set in the event that there is a + terminal problem reconciling the metal3machine and will contain + a succinct value suitable for machine interpretation. \n This field + should not be set for transitive errors that a controller faces + that are expected to be fixed automatically over time (like service + outages), but instead indicate that something is fundamentally wrong + with the metal3machine's spec or the configuration of the controller, + and that manual intervention is required. 
Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of metal3machines can be added as + events to the metal3machine object and/or logged in the controller's + output." + type: string + lastUpdated: + description: LastUpdated identifies when this status was last observed. + format: date-time + type: string + phase: + description: Phase represents the current phase of machine actuation. + E.g. Pending, Running, Terminating, Failed etc. + type: string + ready: + description: 'Ready is the state of the metal3. TODO : Document the + variable : mhrivnak: " it would be good to document what this means, + how to interpret it, under what circumstances the value changes, + etc."' + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Provider ID + jsonPath: .spec.providerID + name: ProviderID + type: string + - description: metal3machine is Ready + jsonPath: .status.ready + name: Ready + type: string + - description: Cluster to which this BMMachine belongs + jsonPath: .metadata.labels.cluster\.x-k8s\.io/cluster-name + name: Cluster + type: string + - description: metal3machine current phase + jsonPath: .status.phase + name: Phase + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + description: Metal3Machine is the Schema for the metal3machines API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3MachineSpec defines the desired state of Metal3Machine + properties: + hostSelector: + description: HostSelector specifies matching criteria for labels on + BareMetalHosts. This is used to limit the set of BareMetalHost objects + considered for claiming for a metal3machine. + properties: + matchExpressions: + description: Label match expressions that must be true on a chosen + BareMetalHost + items: + properties: + key: + type: string + operator: + description: Operator represents a key/field's relationship + to value(s). See labels.Requirement and fields.Requirement + for more details. + type: string + values: + items: + type: string + type: array + required: + - key + - operator + - values + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: Key/value pairs of labels that must exist on a chosen + BareMetalHost + type: object + type: object + image: + description: Image is the image to be provisioned. + properties: + checksum: + description: Checksum is a md5sum value or a URL to retrieve one. + type: string + url: + description: URL is a location of an image to deploy. + type: string + required: + - checksum + - url + type: object + providerID: + description: ProviderID will be the Metal3 machine in ProviderID format + (baremetal:////) + type: string + userData: + description: UserData references the Secret that holds user data needed + by the bare metal operator. 
The Namespace is optional; it will default + to the metal3machine's namespace if not specified. + properties: + name: + description: Name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + required: + - image + type: object + status: + description: Metal3MachineStatus defines the observed state of Metal3Machine + properties: + addresses: + description: Addresses is a list of addresses assigned to the machine. + This field is copied from the infrastructure provider reference. + items: + description: MachineAddress contains information for the node's + address. + properties: + address: + description: The machine address. + type: string + type: + description: Machine address type, one of Hostname, ExternalIP + or InternalIP. + type: string + required: + - address + - type + type: object + type: array + failureMessage: + description: "FailureMessage will be set in the event that there is + a terminal problem reconciling the metal3machine and will contain + a more verbose string suitable for logging and human consumption. + \n This field should not be set for transitive errors that a controller + faces that are expected to be fixed automatically over time (like + service outages), but instead indicate that something is fundamentally + wrong with the metal3machine's spec or the configuration of the + controller, and that manual intervention is required. Examples of + terminal errors would be invalid combinations of settings in the + spec, values that are unsupported by the controller, or the responsible + controller itself being critically misconfigured. \n Any transient + errors that occur during the reconciliation of metal3machines can + be added as events to the metal3machine object and/or logged in + the controller's output." 
+ type: string + failureReason: + description: "FailureReason will be set in the event that there is + a terminal problem reconciling the metal3machine and will contain + a succinct value suitable for machine interpretation. \n This field + should not be set for transitive errors that a controller faces + that are expected to be fixed automatically over time (like service + outages), but instead indicate that something is fundamentally wrong + with the metal3machine's spec or the configuration of the controller, + and that manual intervention is required. Examples of terminal errors + would be invalid combinations of settings in the spec, values that + are unsupported by the controller, or the responsible controller + itself being critically misconfigured. \n Any transient errors that + occur during the reconciliation of metal3machines can be added as + events to the metal3machine object and/or logged in the controller's + output." + type: string + lastUpdated: + description: LastUpdated identifies when this status was last observed. + format: date-time + type: string + phase: + description: Phase represents the current phase of machine actuation. + E.g. Pending, Running, Terminating, Failed etc. + type: string + ready: + description: 'Ready is the state of the metal3. TODO : Document the + variable : mhrivnak: " it would be good to document what this means, + how to interpret it, under what circumstances the value changes, + etc."' + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3machinetemplates.yaml b/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3machinetemplates.yaml new file mode 100644 index 000000000..3d33196d6 --- /dev/null 
+++ b/manifests/function/capm3/v0.3.1/crd/bases/infrastructure.cluster.x-k8s.io_metal3machinetemplates.yaml 
@@ -0,0 +1,243 @@ + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.8 + creationTimestamp: null + name: metal3machinetemplates.infrastructure.cluster.x-k8s.io +spec: + group: infrastructure.cluster.x-k8s.io + names: + categories: + - cluster-api + kind: Metal3MachineTemplate + listKind: Metal3MachineTemplateList + plural: metal3machinetemplates + singular: metal3machinetemplate + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: Metal3MachineTemplate is the Schema for the metal3machinetemplates + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3MachineTemplateSpec defines the desired state of Metal3MachineTemplate + properties: + template: + description: Metal3MachineTemplateResource describes the data needed + to create a Metal3Machine from a template + properties: + spec: + description: Spec is the specification of the desired behavior + of the machine. + properties: + hostSelector: + description: HostSelector specifies matching criteria for + labels on BareMetalHosts. This is used to limit the set + of BareMetalHost objects considered for claiming for a metal3machine. 
+ properties: + matchExpressions: + description: Label match expressions that must be true + on a chosen BareMetalHost + items: + description: HostSelectorRequirement struct + properties: + key: + type: string + operator: + description: Operator represents a key/field's relationship + to value(s). See labels.Requirement and fields.Requirement + for more details. + type: string + values: + items: + type: string + type: array + required: + - key + - operator + - values + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: Key/value pairs of labels that must exist + on a chosen BareMetalHost + type: object + type: object + image: + description: Image is the image to be provisioned. + properties: + checksum: + description: Checksum is a md5sum value or a URL to retrieve + one. + type: string + url: + description: URL is a location of an image to deploy. + type: string + required: + - checksum + - url + type: object + providerID: + description: ProviderID will be the Metal3 machine in ProviderID + format (baremetal:////) + type: string + userData: + description: UserData references the Secret that holds user + data needed by the bare metal operator. The Namespace is + optional; it will default to the metal3machine's namespace + if not specified. + properties: + name: + description: Name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + type: object + required: + - image + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: false + - name: v1alpha3 + schema: + openAPIV3Schema: + description: Metal3MachineTemplate is the Schema for the metal3machinetemplates + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Metal3MachineTemplateSpec defines the desired state of Metal3MachineTemplate + properties: + template: + description: Metal3MachineTemplateResource describes the data needed + to create a Metal3Machine from a template + properties: + spec: + description: Spec is the specification of the desired behavior + of the machine. + properties: + hostSelector: + description: HostSelector specifies matching criteria for + labels on BareMetalHosts. This is used to limit the set + of BareMetalHost objects considered for claiming for a metal3machine. + properties: + matchExpressions: + description: Label match expressions that must be true + on a chosen BareMetalHost + items: + properties: + key: + type: string + operator: + description: Operator represents a key/field's relationship + to value(s). See labels.Requirement and fields.Requirement + for more details. + type: string + values: + items: + type: string + type: array + required: + - key + - operator + - values + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: Key/value pairs of labels that must exist + on a chosen BareMetalHost + type: object + type: object + image: + description: Image is the image to be provisioned. + properties: + checksum: + description: Checksum is a md5sum value or a URL to retrieve + one. 
+ type: string + url: + description: URL is a location of an image to deploy. + type: string + required: + - checksum + - url + type: object + providerID: + description: ProviderID will be the Metal3 machine in ProviderID + format (baremetal:////) + type: string + userData: + description: UserData references the Secret that holds user + data needed by the bare metal operator. The Namespace is + optional; it will default to the metal3machine's namespace + if not specified. + properties: + name: + description: Name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: Namespace defines the space within which + the secret name must be unique. + type: string + type: object + required: + - image + type: object + required: + - spec + type: object + required: + - template + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/capm3/v0.3.1/crd/kustomization.yaml b/manifests/function/capm3/v0.3.1/crd/kustomization.yaml new file mode 100644 index 000000000..4a3137efb --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/kustomization.yaml 
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/default
+
+commonLabels:
+ cluster.x-k8s.io/v1alpha2: v1alpha2
+ cluster.x-k8s.io/v1alpha3: v1alpha3
+
+resources:
+- bases/infrastructure.cluster.x-k8s.io_metal3clusters.yaml
+- bases/infrastructure.cluster.x-k8s.io_metal3machines.yaml
+- bases/infrastructure.cluster.x-k8s.io_metal3machinetemplates.yaml
+# +kubebuilder:scaffold:crdkustomizeresource
+
+patchesStrategicMerge:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+- patches/webhook_in_metal3machines.yaml
+- patches/webhook_in_metal3clusters.yaml
+- patches/webhook_in_metal3machinetemplates.yaml
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
+# patches here are for enabling the CA injection for each CRD
+- patches/cainjection_in_metal3machines.yaml
+- patches/cainjection_in_metal3clusters.yaml
+- patches/cainjection_in_metal3machinetemplates.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+- kustomizeconfig.yaml
diff --git a/manifests/function/capm3/v0.3.1/crd/kustomizeconfig.yaml b/manifests/function/capm3/v0.3.1/crd/kustomizeconfig.yaml
new file mode 100644
index 000000000..8e2d8d6b1
--- /dev/null
+++ b/manifests/function/capm3/v0.3.1/crd/kustomizeconfig.yaml
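Review bot: The `[WEBHOOK]` and `[CERTMANAGER]` header comments in crd/kustomization.yaml still say "To enable webhook, uncomment all the sections", but every patch under `patchesStrategicMerge` in this file is already active, so the scaffolding comments are stale and invite a reader to comment out one group on its own. The two groups must stay in lock-step: a `webhook_in_*` patch applied without its matching `cainjection_in_*` patch leaves the placeholder caBundle in the CRD, and the apiserver then refuses every conversion for that resource because it cannot verify the webhook's TLS certificate. I would replace both header comments with a single line above the list, `# conversion webhook + cert-manager CA injection: these two patch groups must be enabled or disabled together`. The `commonLabels` entries look like the clusterctl contract labels for the served versions, so if v1alpha2 is ever dropped from the bases the matching label should go with it — worth a one-line comment there as well.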
@@ -0,0 +1,17 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3clusters.yaml b/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3clusters.yaml new file mode 100644 index 000000000..f6d17861b --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3clusters.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: metal3clusters.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3machines.yaml b/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3machines.yaml new file mode 100644 index 000000000..5e0641cee --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3machines.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: metal3machines.infrastructure.cluster.x-k8s.io 
diff --git a/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3machinetemplates.yaml b/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3machinetemplates.yaml new file mode 100644 index 000000000..b4ebc7ebf --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/patches/cainjection_in_metal3machinetemplates.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: metal3machinetemplates.infrastructure.cluster.x-k8s.io diff --git a/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3clusters.yaml b/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3clusters.yaml new file mode 100644 index 000000000..da9789ddd --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3clusters.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: metal3clusters.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3machines.yaml b/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3machines.yaml new file mode 100644 index 000000000..7097af267 --- /dev/null 
+++ b/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3machines.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: metal3machines.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3machinetemplates.yaml b/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3machinetemplates.yaml new file mode 100644 index 000000000..100c91050 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/crd/patches/webhook_in_metal3machinetemplates.yaml @@ -0,0 +1,19 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: metal3machinetemplates.infrastructure.cluster.x-k8s.io +spec: + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/capm3/v0.3.1/default/kustomization.yaml b/manifests/function/capm3/v0.3.1/default/kustomization.yaml new file mode 100644 index 000000000..b66a7ba2d --- /dev/null 
+++ b/manifests/function/capm3/v0.3.1/default/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +# Adds namespace to all resources. +namespace: capm3-system + +resources: +- namespace.yaml + +bases: +- ../rbac +- ../manager diff --git a/manifests/function/capm3/v0.3.1/default/namespace.yaml b/manifests/function/capm3/v0.3.1/default/namespace.yaml new file mode 100644 index 000000000..1ab3a7255 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/default/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: system diff --git a/manifests/function/capm3/v0.3.1/kustomization.yaml b/manifests/function/capm3/v0.3.1/kustomization.yaml new file mode 100644 index 000000000..69e3a48ad --- /dev/null +++ b/manifests/function/capm3/v0.3.1/kustomization.yaml @@ -0,0 +1,29 @@ +namePrefix: capm3- + +commonLabels: + cluster.x-k8s.io/provider: "infrastructure-metal3" + +bases: +- crd +- webhook # Disable this if you're not using the webhook functionality. +- default + +patchesJson6902: +- target: # NOTE: This patch needs to be repeatd for EACH CustomResourceDefinition you have under crd/bases. + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: metal3clusters.infrastructure.cluster.x-k8s.io + path: patch_crd_webhook_namespace.yaml +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: metal3machines.infrastructure.cluster.x-k8s.io + path: patch_crd_webhook_namespace.yaml +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: metal3machinetemplates.infrastructure.cluster.x-k8s.io + path: patch_crd_webhook_namespace.yaml diff --git a/manifests/function/capm3/v0.3.1/manager/kustomization.yaml b/manifests/function/capm3/v0.3.1/manager/kustomization.yaml new file mode 100644 index 000000000..131cb63d5 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/kustomization.yaml 
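Review bot: The top-level kustomization.yaml carries no `apiVersion`/`kind` header, unlike every other Kustomization in this change, and both it and default/kustomization.yaml on the same line use `bases:`, which kustomize has deprecated in favour of listing the directories under `resources:`. Current kustomize still accepts both forms, but the inconsistency makes the file harder to validate with schema tooling and will break on a release that drops `bases`. The comment on the first `patchesJson6902` target also misspells "repeated" as `repeatd`. Suggest adding `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` at the top and folding the `bases:` entries into `resources:` in both files.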
@@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- manager.yaml + +generatorOptions: + disableNameSuffixHash: true + +patchesStrategicMerge: +- manager_image_patch.yaml +- manager_pull_policy.yaml +- manager_auth_proxy_patch.yaml diff --git a/manifests/function/capm3/v0.3.1/manager/manager.yaml b/manifests/function/capm3/v0.3.1/manager/manager.yaml new file mode 100644 index 000000000..fabd221fe --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager.yaml @@ -0,0 +1,80 @@ +apiVersion: v1 +kind: Service +metadata: + name: controller-manager-service + namespace: system + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" +spec: + selector: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + ports: + - port: 443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" +spec: + selector: + matchLabels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + template: + metadata: + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + spec: + containers: + - command: + - /manager + image: controller:latest + imagePullPolicy: IfNotPresent + name: manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + ports: + - containerPort: 9440 + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: healthz + livenessProbe: + httpGet: + path: /healthz + port: healthz + volumeMounts: + - mountPath: /tmp/cert + name: cert + readOnly: true + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-secret +--- +apiVersion: v1 +kind: Secret +metadata: + name: webhook-server-secret + namespace: system 
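Review bot: The controller-manager Deployment sets no `serviceAccountName`, so its pod runs as the namespace's `default` ServiceAccount, and role_binding.yaml, auth_proxy_role_binding.yaml and leader_election_role_binding.yaml all bind their roles to that same `default` account. Every other pod created in the namespace without an explicit service account therefore inherits the cluster-wide `manager-role` grants, including the secrets permissions, which is wider than the controller alone needs. A dedicated ServiceAccount referenced from the pod spec, with the `subjects` entry of each binding changed to `name: controller-manager`, keeps the grant scoped to this workload. The pod spec also carries no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are the usual baseline for an API-only controller, assuming the manager image runs as an unprivileged user, which is not visible here.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller-manager
  namespace: system
---
# … unchanged: Service and Deployment metadata/selector/labels …
    spec:
      serviceAccountName: controller-manager
      securityContext:
        runAsNonRoot: true
      containers:
      - command:
        - /manager
        securityContext:
          allowPrivilegeEscalation: false
# … unchanged: image, env, resources, ports, probes, volumeMounts, volumes, Secret …
```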
diff --git a/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml b/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..989d69887 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager_auth_proxy_patch.yaml @@ -0,0 +1,25 @@ +# This patch inject a sidecar container which is a HTTP proxy for the controller manager, +# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: manager + args: + - "--metrics-addr=127.0.0.1:8080" + - "--enable-leader-election" diff --git a/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml b/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml new file mode 100644 index 000000000..692b73bd7 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + # Change the value of image field below to your controller image URL + - image: quay.io/metal3-io/cluster-api-provider-metal3:v0.3.1 + name: manager diff --git a/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml-e b/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml-e new file mode 100644 index 000000000..2dd2f61e2 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager_image_patch.yaml-e 
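Review bot: The kube-rbac-proxy sidecar is started with `--v=10`, the highest klog verbosity, which writes per-request debug output for every proxied metrics call into the pod log; for a sidecar whose only job is to authenticate and authorise callers that is noise in normal operation and, at that level, can carry request details that do not belong in log aggregation. Set `- "--v=0"` or drop the flag unless a specific debugging session needs it. The sidecar also declares no `resources` block, unlike the manager container in manager.yaml, so it runs unbounded in a namespace that may enforce quotas, and `v0.4.0` of the proxy is several releases old and worth checking against the image's published advisories before this ships.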
@@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + # Change the value of image field below to your controller image URL + - image: quay.io/metal3-io/cluster-api-provider-metal3: + name: manager diff --git a/manifests/function/capm3/v0.3.1/manager/manager_prometheus_metrics_patch.yaml b/manifests/function/capm3/v0.3.1/manager/manager_prometheus_metrics_patch.yaml new file mode 100644 index 000000000..0b96c6813 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager_prometheus_metrics_patch.yaml @@ -0,0 +1,19 @@ +# This patch enables Prometheus scraping for the manager pod. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + spec: + containers: + # Expose the prometheus metrics on default port + - name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP diff --git a/manifests/function/capm3/v0.3.1/manager/manager_pull_policy.yaml b/manifests/function/capm3/v0.3.1/manager/manager_pull_policy.yaml new file mode 100644 index 000000000..cd7ae12c0 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager_pull_policy.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: IfNotPresent diff --git a/manifests/function/capm3/v0.3.1/manager/manager_pull_policy.yaml-e b/manifests/function/capm3/v0.3.1/manager/manager_pull_policy.yaml-e new file mode 100644 index 000000000..cd7ae12c0 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/manager/manager_pull_policy.yaml-e @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + imagePullPolicy: IfNotPresent 
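Review bot: manager_image_patch.yaml-e and manager_pull_policy.yaml-e look like backup copies left behind by an in-place `sed -i -e` run (the `-e` suffix is what BSD/macOS sed produces for that invocation); neither is referenced by manager/kustomization.yaml, and the `-e` image patch carries an empty tag, `quay.io/metal3-io/cluster-api-provider-metal3:`, which is an invalid image reference should anyone ever wire it in. Both files should be dropped from the change. manager_prometheus_metrics_patch.yaml on the same line is likewise absent from `patchesStrategicMerge`, so as committed it is dead configuration; either list it or remove it, and note that its `containerPort: 8080` would not by itself expose metrics, since the manager binds `--metrics-addr=127.0.0.1:8080` behind kube-rbac-proxy.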
diff --git a/manifests/function/capm3/v0.3.1/patch_crd_webhook_namespace.yaml b/manifests/function/capm3/v0.3.1/patch_crd_webhook_namespace.yaml new file mode 100644 index 000000000..110f3a494 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/patch_crd_webhook_namespace.yaml @@ -0,0 +1,3 @@ +- op: replace + path: "/spec/conversion/webhook/clientConfig/service/namespace" + value: capi-webhook-system diff --git a/manifests/function/capm3/v0.3.1/rbac/auth_proxy_role.yaml b/manifests/function/capm3/v0.3.1/rbac/auth_proxy_role.yaml new file mode 100644 index 000000000..618f5e417 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/manifests/function/capm3/v0.3.1/rbac/auth_proxy_role_binding.yaml b/manifests/function/capm3/v0.3.1/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 000000000..48ed1e4b8 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/capm3/v0.3.1/rbac/auth_proxy_service.yaml b/manifests/function/capm3/v0.3.1/rbac/auth_proxy_service.yaml new file mode 100644 index 000000000..443d0c20b --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/auth_proxy_service.yaml 
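Review bot: `value: capi-webhook-system` hard-codes the namespace that webhook/kustomization.yaml sets through `namespace: capi-webhook-system`, and nothing ties the two together. If either is changed on its own, the CRD conversion webhooks point at a Service in a namespace that does not exist and, with `strategy: Webhook`, every request that needs a version conversion fails. Add `# must match namespace: in webhook/kustomization.yaml` next to the value so the coupling is visible at both ends.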
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "8443" + prometheus.io/scheme: https + prometheus.io/scrape: "true" + labels: + control-plane: controller-manager + name: controller-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager diff --git a/manifests/function/capm3/v0.3.1/rbac/kustomization.yaml b/manifests/function/capm3/v0.3.1/rbac/kustomization.yaml new file mode 100644 index 000000000..9f5f6419e --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- role.yaml +- role_binding.yaml +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- leader_election_role_binding.yaml +- leader_election_role.yaml diff --git a/manifests/function/capm3/v0.3.1/rbac/leader_election_role.yaml b/manifests/function/capm3/v0.3.1/rbac/leader_election_role.yaml new file mode 100644 index 000000000..eaa79158f --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/leader_election_role.yaml @@ -0,0 +1,32 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create diff --git a/manifests/function/capm3/v0.3.1/rbac/leader_election_role_binding.yaml b/manifests/function/capm3/v0.3.1/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..eed16906f --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/leader_election_role_binding.yaml 
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/capm3/v0.3.1/rbac/role.yaml b/manifests/function/capm3/v0.3.1/rbac/role.yaml new file mode 100644 index 000000000..073ba48b9 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/role.yaml @@ -0,0 +1,109 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + verbs: + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - get + - list + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3clusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3clusters/status + verbs: + - get + - patch + - update +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3machines + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - infrastructure.cluster.x-k8s.io + resources: + - metal3machines/status + verbs: + - get + - patch + - update +- apiGroups: + - metal3.io + resources: + - baremetalhosts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - metal3.io + resources: + - baremetalhosts/status + verbs: + - get + - patch + - update 
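Review bot: `manager-role` is a ClusterRole that grants `list` and `watch` on core `secrets` with no namespace or `resourceNames` restriction, which lets the bound account enumerate every Secret in the cluster. The CRD only references a userData Secret by name and namespace, so this looks wider than the controller needs, though the scope it actually requires is not visible from this change; if it only reads and writes Secrets alongside its own resources, dropping `list`/`watch` or using a namespaced Role limits what is exposed if the controller's token is ever leaked. `creationTimestamp: null` is a controller-gen artifact and can be removed.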
diff --git a/manifests/function/capm3/v0.3.1/rbac/role_binding.yaml b/manifests/function/capm3/v0.3.1/rbac/role_binding.yaml new file mode 100644 index 000000000..8f2658702 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml b/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml new file mode 100644 index 000000000..edd5cc7ac --- /dev/null +++ b/manifests/function/capm3/v0.3.1/webhook/kustomization.yaml @@ -0,0 +1,42 @@ +namespace: capi-webhook-system + +resources: +- manifests.yaml +- service.yaml +- ../certmanager +- ../manager + +configurations: +- kustomizeconfig.yaml + +patchesStrategicMerge: +- manager_webhook_patch.yaml +- webhookcainjection_patch.yaml # Disable this value if you don't have any defaulting or validation webhook. If you don't know, you can check if the manifests.yaml file in the same directory has any contents. + +vars: +- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace +- name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml +- name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace +- name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service 
diff --git a/manifests/function/capm3/v0.3.1/webhook/kustomizeconfig.yaml b/manifests/function/capm3/v0.3.1/webhook/kustomizeconfig.yaml new file mode 100644 index 000000000..fddf04146 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/webhook/kustomizeconfig.yaml @@ -0,0 +1,27 @@ +# the following config is for teaching kustomize where to look at when substituting vars. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: +- kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true + +varReference: +- path: metadata/annotations +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/manifests/function/capm3/v0.3.1/webhook/manager_webhook_patch.yaml b/manifests/function/capm3/v0.3.1/webhook/manager_webhook_patch.yaml new file mode 100644 index 000000000..2a5930378 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/webhook/manager_webhook_patch.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + args: + - "--metrics-addr=127.0.0.1:8080" + - "--webhook-port=9443" + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: $(SERVICE_NAME)-cert 
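Review bot: The `args` list on the `manager` container replaces the container's arguments rather than extending them, because a strategic merge on a list of plain strings substitutes the whole list, and kustomize applies the `../manager` base's own patches before this overlay's. manager_auth_proxy_patch.yaml sets `--metrics-addr` and `--enable-leader-election` on the same container, so after this patch only `--metrics-addr` and `--webhook-port` remain. If the webhook-namespace manager is meant to run without leader election that deserves a comment, e.g. `# args replace those from manager/manager_auth_proxy_patch.yaml; leader election is intentionally off here`; otherwise add `- "--enable-leader-election"` to the list.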
diff --git a/manifests/function/capm3/v0.3.1/webhook/manifests.yaml b/manifests/function/capm3/v0.3.1/webhook/manifests.yaml new file mode 100644 index 000000000..7b9f89813 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/webhook/manifests.yaml 
@@ -0,0 +1,130 @@ + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: mutating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-metal3cluster + failurePolicy: Fail + matchPolicy: Equivalent + name: default.metal3cluster.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - metal3clusters +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-metal3machinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: default.metal3machinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - metal3machinetemplates +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /mutate-infrastructure-cluster-x-k8s-io-v1alpha3-metal3machine + failurePolicy: Fail + matchPolicy: Equivalent + name: default.metal3machine.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - metal3machines + +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: validating-webhook-configuration +webhooks: +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-metal3cluster + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.metal3cluster.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - 
infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - metal3clusters +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-metal3machinetemplate + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.metal3machinetemplate.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - metal3machinetemplates +- clientConfig: + caBundle: Cg== + service: + name: webhook-service + namespace: system + path: /validate-infrastructure-cluster-x-k8s-io-v1alpha3-metal3machine + failurePolicy: Fail + matchPolicy: Equivalent + name: validation.metal3machine.infrastructure.cluster.x-k8s.io + rules: + - apiGroups: + - infrastructure.cluster.x-k8s.io + apiVersions: + - v1alpha3 + operations: + - CREATE + - UPDATE + resources: + - metal3machines diff --git a/manifests/function/capm3/v0.3.1/webhook/service.yaml b/manifests/function/capm3/v0.3.1/webhook/service.yaml new file mode 100644 index 000000000..9bc95014f --- /dev/null +++ b/manifests/function/capm3/v0.3.1/webhook/service.yaml @@ -0,0 +1,10 @@ + +apiVersion: v1 +kind: Service +metadata: + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + targetPort: webhook-server diff --git a/manifests/function/capm3/v0.3.1/webhook/webhookcainjection_patch.yaml b/manifests/function/capm3/v0.3.1/webhook/webhookcainjection_patch.yaml new file mode 100644 index 000000000..7e79bf995 --- /dev/null +++ b/manifests/function/capm3/v0.3.1/webhook/webhookcainjection_patch.yaml 
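Review bot: Both webhook configurations use `admissionregistration.k8s.io/v1beta1`, which Kubernetes deprecated in 1.16 and removed in 1.22, and webhookcainjection_patch.yaml on the next line targets the same version. Moving to `v1` is not a pure apiVersion bump: the v1 schema requires `sideEffects` and `admissionReviewVersions` on every webhook, and neither is set on any of the six entries here. The v1 default `timeoutSeconds` also drops from 30 to 10, which with `failurePolicy: Fail` turns a slow webhook into rejected writes, so pin it explicitly when migrating.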
@@ -0,0 +1,15 @@ +# This patch add annotation to admission webhook config and +# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)