Add CAPI ControlPlane provider Kubeadm

Forked the kustomization from the 0.3.3 release

Change-Id: I7e7074fe6e68aff4c3280567160ebb25bd9f7780
Dmitry Ukov 2020-04-08 18:53:36 +04:00
parent 992efae971
commit 9f1916d8dd
33 changed files with 1633 additions and 0 deletions


@ -0,0 +1,25 @@
# The following manifests contain a self-signed issuer CR and a certificate CR.
# More document can be found at https://docs.cert-manager.io
# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: system
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec:
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
dnsNames:
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
- $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
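Review bot: The header comment at the top of this file says what API version it targets but not what the two objects are for, which matters now that the manifests are forked and will drift from upstream. The Issuer is self-signed and the Certificate is presumably the webhook serving cert whose CA the crd/ cainjection patch references via `$(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)`; that dependency is invisible from this file. I would add, under the existing WARNING line, `# Self-signed issuer plus serving certificate for the provider's webhook server; the CA is` / `# injected into the CRD conversion webhook by crd/patches/cainjection_in_kubeadmcontrolplanes.yaml.` Since `cert-manager.io/v1alpha2` is tied to the cert-manager 0.11 line named in the warning, a running cert-manager of a compatible version in the target cluster is a prerequisite worth stating in the same comment.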


@ -0,0 +1,5 @@
resources:
- certificate.yaml
configurations:
- kustomizeconfig.yaml


@ -0,0 +1,19 @@
# This configuration is for teaching kustomize how to update name ref and var substitution
nameReference:
- kind: Issuer
group: cert-manager.io
fieldSpecs:
- kind: Certificate
group: cert-manager.io
path: spec/issuerRef/name
varReference:
- kind: Certificate
group: cert-manager.io
path: spec/commonName
- kind: Certificate
group: cert-manager.io
path: spec/dnsNames
- kind: Certificate
group: cert-manager.io
path: spec/secretName


@ -0,0 +1,997 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.8
creationTimestamp: null
name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
spec:
group: controlplane.cluster.x-k8s.io
names:
categories:
- cluster-api
kind: KubeadmControlPlane
listKind: KubeadmControlPlaneList
plural: kubeadmcontrolplanes
shortNames:
- kcp
singular: kubeadmcontrolplane
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: KubeadmControlPlane API Server is ready to receive requests
jsonPath: .status.ready
name: Ready
type: boolean
- description: This denotes whether or not the control plane has the uploaded
kubeadm-config configmap
jsonPath: .status.initialized
name: Initialized
type: boolean
- description: Total number of non-terminated machines targeted by this control
plane
jsonPath: .status.replicas
name: Replicas
type: integer
- description: Total number of fully running and ready control plane machines
jsonPath: .status.readyReplicas
name: Ready Replicas
type: integer
- description: Total number of non-terminated machines targeted by this control
plane that have the desired template spec
jsonPath: .status.updatedReplicas
name: Updated Replicas
type: integer
- description: Total number of unavailable machines targeted by this control plane
jsonPath: .status.unavailableReplicas
name: Unavailable Replicas
type: integer
name: v1alpha3
schema:
openAPIV3Schema:
description: KubeadmControlPlane is the Schema for the KubeadmControlPlane
API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: KubeadmControlPlaneSpec defines the desired state of KubeadmControlPlane.
properties:
infrastructureTemplate:
description: InfrastructureTemplate is a required reference to a custom
resource offered by an infrastructure provider.
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
kubeadmConfigSpec:
description: KubeadmConfigSpec is a KubeadmConfigSpec to use for initializing
and joining machines to the control plane.
properties:
clusterConfiguration:
description: ClusterConfiguration along with InitConfiguration
are the configurations necessary for the init command
properties:
apiServer:
description: APIServer contains extra settings for the API
server control plane component
properties:
certSANs:
description: CertSANs sets extra Subject Alternative Names
for the API Server signing cert.
items:
type: string
type: array
extraArgs:
additionalProperties:
type: string
description: 'ExtraArgs is an extra set of flags to pass
to the control plane component. TODO: This is temporary
and ideally we would like to switch all components to
use ComponentConfig + ConfigMaps.'
type: object
extraVolumes:
description: ExtraVolumes is an extra set of host volumes,
mounted to the control plane component.
items:
description: HostPathMount contains elements describing
volumes that are mounted from the host.
properties:
hostPath:
description: HostPath is the path in the host that
will be mounted inside the pod.
type: string
mountPath:
description: MountPath is the path inside the pod
where hostPath will be mounted.
type: string
name:
description: Name of the volume inside the pod template.
type: string
pathType:
description: PathType is the type of the HostPath.
type: string
readOnly:
description: ReadOnly controls write access to the
volume
type: boolean
required:
- hostPath
- mountPath
- name
type: object
type: array
timeoutForControlPlane:
description: TimeoutForControlPlane controls the timeout
that we use for API server to appear
type: string
type: object
apiVersion:
description: 'APIVersion defines the versioned schema of this
representation of an object. Servers should convert recognized
schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
certificatesDir:
description: 'CertificatesDir specifies where to store or
look for all required certificates. NB: if not provided,
this will default to `/etc/kubernetes/pki`'
type: string
clusterName:
description: The cluster name
type: string
controlPlaneEndpoint:
description: 'ControlPlaneEndpoint sets a stable IP address
or DNS name for the control plane; it can be a valid IP
address or a RFC-1123 DNS subdomain, both with optional
TCP port. In case the ControlPlaneEndpoint is not specified,
the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint
is specified but without a TCP port, the BindPort is used.
Possible usages are: e.g. In a cluster with more than one
control plane instances, this field should be assigned the
address of the external load balancer in front of the control
plane instances. e.g. in environments with enforced node
recycling, the ControlPlaneEndpoint could be used for assigning
a stable DNS to the control plane. NB: This value defaults
to the first value in the Cluster object status.apiEndpoints
array.'
type: string
controllerManager:
description: ControllerManager contains extra settings for
the controller manager control plane component
properties:
extraArgs:
additionalProperties:
type: string
description: 'ExtraArgs is an extra set of flags to pass
to the control plane component. TODO: This is temporary
and ideally we would like to switch all components to
use ComponentConfig + ConfigMaps.'
type: object
extraVolumes:
description: ExtraVolumes is an extra set of host volumes,
mounted to the control plane component.
items:
description: HostPathMount contains elements describing
volumes that are mounted from the host.
properties:
hostPath:
description: HostPath is the path in the host that
will be mounted inside the pod.
type: string
mountPath:
description: MountPath is the path inside the pod
where hostPath will be mounted.
type: string
name:
description: Name of the volume inside the pod template.
type: string
pathType:
description: PathType is the type of the HostPath.
type: string
readOnly:
description: ReadOnly controls write access to the
volume
type: boolean
required:
- hostPath
- mountPath
- name
type: object
type: array
type: object
dns:
description: DNS defines the options for the DNS add-on installed
in the cluster.
properties:
imageRepository:
description: ImageRepository sets the container registry
to pull images from. if not set, the ImageRepository
defined in ClusterConfiguration will be used instead.
type: string
imageTag:
description: ImageTag allows to specify a tag for the
image. In case this value is set, kubeadm does not change
automatically the version of the above components during
upgrades.
type: string
type:
description: Type defines the DNS add-on to be used
type: string
type: object
etcd:
description: 'Etcd holds configuration for etcd. NB: This
value defaults to a Local (stacked) etcd'
properties:
external:
description: External describes how to connect to an external
etcd cluster Local and External are mutually exclusive
properties:
caFile:
description: CAFile is an SSL Certificate Authority
file used to secure etcd communication. Required
if using a TLS connection.
type: string
certFile:
description: CertFile is an SSL certification file
used to secure etcd communication. Required if using
a TLS connection.
type: string
endpoints:
description: Endpoints of etcd members. Required for
ExternalEtcd.
items:
type: string
type: array
keyFile:
description: KeyFile is an SSL key file used to secure
etcd communication. Required if using a TLS connection.
type: string
required:
- caFile
- certFile
- endpoints
- keyFile
type: object
local:
description: Local provides configuration knobs for configuring
the local etcd instance Local and External are mutually
exclusive
properties:
dataDir:
description: DataDir is the directory etcd will place
its data. Defaults to "/var/lib/etcd".
type: string
extraArgs:
additionalProperties:
type: string
description: ExtraArgs are extra arguments provided
to the etcd binary when run inside a static pod.
type: object
imageRepository:
description: ImageRepository sets the container registry
to pull images from. if not set, the ImageRepository
defined in ClusterConfiguration will be used instead.
type: string
imageTag:
description: ImageTag allows to specify a tag for
the image. In case this value is set, kubeadm does
not change automatically the version of the above
components during upgrades.
type: string
peerCertSANs:
description: PeerCertSANs sets extra Subject Alternative
Names for the etcd peer signing cert.
items:
type: string
type: array
serverCertSANs:
description: ServerCertSANs sets extra Subject Alternative
Names for the etcd server signing cert.
items:
type: string
type: array
type: object
type: object
featureGates:
additionalProperties:
type: boolean
description: FeatureGates enabled by the user.
type: object
imageRepository:
description: ImageRepository sets the container registry to
pull images from. If empty, `k8s.gcr.io` will be used by
default; in case of kubernetes version is a CI build (kubernetes
version starts with `ci/` or `ci-cross/`) `gcr.io/kubernetes-ci-images`
will be used as a default for control plane components and
for kube-proxy, while `k8s.gcr.io` will be used for all
the other images.
type: string
kind:
description: 'Kind is a string value representing the REST
resource this object represents. Servers may infer this
from the endpoint the client submits requests to. Cannot
be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
kubernetesVersion:
description: 'KubernetesVersion is the target version of the
control plane. NB: This value defaults to the Machine object
spec.kuberentesVersion'
type: string
networking:
description: 'Networking holds configuration for the networking
topology of the cluster. NB: This value defaults to the
Cluster object spec.clusterNetwork.'
properties:
dnsDomain:
description: DNSDomain is the dns domain used by k8s services.
Defaults to "cluster.local".
type: string
podSubnet:
description: PodSubnet is the subnet used by pods. If
unset, the API server will not allocate CIDR ranges
for every node. Defaults to the first element of the
Cluster object's spec.clusterNetwork.services.cidrBlocks
if that is set
type: string
serviceSubnet:
description: ServiceSubnet is the subnet used by k8s services.
Defaults to the first element of the Cluster object's
spec.clusterNetwork.pods.cidrBlocks field, or to "10.96.0.0/12"
if that's unset.
type: string
type: object
scheduler:
description: Scheduler contains extra settings for the scheduler
control plane component
properties:
extraArgs:
additionalProperties:
type: string
description: 'ExtraArgs is an extra set of flags to pass
to the control plane component. TODO: This is temporary
and ideally we would like to switch all components to
use ComponentConfig + ConfigMaps.'
type: object
extraVolumes:
description: ExtraVolumes is an extra set of host volumes,
mounted to the control plane component.
items:
description: HostPathMount contains elements describing
volumes that are mounted from the host.
properties:
hostPath:
description: HostPath is the path in the host that
will be mounted inside the pod.
type: string
mountPath:
description: MountPath is the path inside the pod
where hostPath will be mounted.
type: string
name:
description: Name of the volume inside the pod template.
type: string
pathType:
description: PathType is the type of the HostPath.
type: string
readOnly:
description: ReadOnly controls write access to the
volume
type: boolean
required:
- hostPath
- mountPath
- name
type: object
type: array
type: object
useHyperKubeImage:
description: UseHyperKubeImage controls if hyperkube should
be used for Kubernetes components instead of their respective
separate images
type: boolean
type: object
files:
description: Files specifies extra files to be passed to user_data
upon creation.
items:
description: File defines the input for generating write_files
in cloud-init.
properties:
content:
description: Content is the actual content of the file.
type: string
encoding:
description: Encoding specifies the encoding of the file
contents.
enum:
- base64
- gzip
- gzip+base64
type: string
owner:
description: Owner specifies the ownership of the file,
e.g. "root:root".
type: string
path:
description: Path specifies the full path on disk where
to store the file.
type: string
permissions:
description: Permissions specifies the permissions to assign
to the file, e.g. "0640".
type: string
required:
- content
- path
type: object
type: array
format:
description: Format specifies the output format of the bootstrap
data
enum:
- cloud-config
type: string
initConfiguration:
description: InitConfiguration along with ClusterConfiguration
are the configurations necessary for the init command
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this
representation of an object. Servers should convert recognized
schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
bootstrapTokens:
description: BootstrapTokens is respected at `kubeadm init`
time and describes a set of Bootstrap Tokens to create.
This information IS NOT uploaded to the kubeadm cluster
configmap, partly because of its sensitive nature
items:
description: BootstrapToken describes one bootstrap token,
stored as a Secret in the cluster
properties:
description:
description: Description sets a human-friendly message
why this token exists and what it's used for, so other
administrators can know its purpose.
type: string
expires:
description: Expires specifies the timestamp when this
token expires. Defaults to being set dynamically at
runtime based on the TTL. Expires and TTL are mutually
exclusive.
format: date-time
type: string
groups:
description: Groups specifies the extra groups that
this token will authenticate as when/if used for authentication
items:
type: string
type: array
token:
description: Token is used for establishing bidirectional
trust between nodes and control-planes. Used for joining
nodes in the cluster.
type: object
ttl:
description: TTL defines the time to live for this token.
Defaults to 24h. Expires and TTL are mutually exclusive.
type: string
usages:
description: Usages describes the ways in which this
token can be used. Can by default be used for establishing
bidirectional trust, but that can be changed here.
items:
type: string
type: array
required:
- token
type: object
type: array
kind:
description: 'Kind is a string value representing the REST
resource this object represents. Servers may infer this
from the endpoint the client submits requests to. Cannot
be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
localAPIEndpoint:
description: LocalAPIEndpoint represents the endpoint of the
API server instance that's deployed on this control plane
node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
in the sense that ControlPlaneEndpoint is the global endpoint
for the cluster, which then loadbalances the requests to
each individual API server. This configuration object lets
you customize what IP/DNS name and port the local API server
advertises it's accessible on. By default, kubeadm tries
to auto-detect the IP of the default interface and use that,
but in case that process fails you may set the desired value
here.
properties:
advertiseAddress:
description: AdvertiseAddress sets the IP address for
the API server to advertise.
type: string
bindPort:
description: BindPort sets the secure port for the API
Server to bind to. Defaults to 6443.
format: int32
type: integer
required:
- advertiseAddress
- bindPort
type: object
nodeRegistration:
description: NodeRegistration holds fields that relate to
registering the new control-plane node to the cluster
properties:
criSocket:
description: CRISocket is used to retrieve container runtime
info. This information will be annotated to the Node
API object, for later re-use
type: string
kubeletExtraArgs:
additionalProperties:
type: string
description: KubeletExtraArgs passes through extra arguments
to the kubelet. The arguments here are passed to the
kubelet command line via the environment file kubeadm
writes at runtime for the kubelet to source. This overrides
the generic base-level configuration in the kubelet-config-1.X
ConfigMap Flags have higher priority when parsing. These
values are local and specific to the node kubeadm is
executing on.
type: object
name:
description: Name is the `.Metadata.Name` field of the
Node API object that will be created in this `kubeadm
init` or `kubeadm join` operation. This field is also
used in the CommonName field of the kubelet's client
certificate to the API server. Defaults to the hostname
of the node if not provided.
type: string
taints:
description: 'Taints specifies the taints the Node API
object should be registered with. If this field is unset,
i.e. nil, in the `kubeadm init` process it will be defaulted
to []v1.Taint{''node-role.kubernetes.io/master=""''}.
If you don''t want to taint your control-plane node,
set this field to an empty slice, i.e. `taints: {}`
in the YAML file. This field is solely used for Node
registration.'
items:
description: The node this Taint is attached to has
the "effect" on any pod that does not tolerate the
Taint.
properties:
effect:
description: Required. The effect of the taint on
pods that do not tolerate the taint. Valid effects
are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Required. The taint key to be applied
to a node.
type: string
timeAdded:
description: TimeAdded represents the time at which
the taint was added. It is only written for NoExecute
taints.
format: date-time
type: string
value:
description: Required. The taint value corresponding
to the taint key.
type: string
required:
- effect
- key
type: object
type: array
type: object
type: object
joinConfiguration:
description: JoinConfiguration is the kubeadm configuration for
the join command
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this
representation of an object. Servers should convert recognized
schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
caCertPath:
description: 'CACertPath is the path to the SSL certificate
authority used to secure comunications between node and
control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
TODO: revisit when there is defaulting from k/k'
type: string
controlPlane:
description: ControlPlane defines the additional control plane
instance to be deployed on the joining node. If nil, no
additional control plane instance will be deployed.
properties:
localAPIEndpoint:
description: LocalAPIEndpoint represents the endpoint
of the API server instance to be deployed on this node.
properties:
advertiseAddress:
description: AdvertiseAddress sets the IP address
for the API server to advertise.
type: string
bindPort:
description: BindPort sets the secure port for the
API Server to bind to. Defaults to 6443.
format: int32
type: integer
required:
- advertiseAddress
- bindPort
type: object
type: object
discovery:
description: 'Discovery specifies the options for the kubelet
to use during the TLS Bootstrap process TODO: revisit when
there is defaulting from k/k'
properties:
bootstrapToken:
description: BootstrapToken is used to set the options
for bootstrap token based discovery BootstrapToken and
File are mutually exclusive
properties:
apiServerEndpoint:
description: APIServerEndpoint is an IP or domain
name to the API server from which info will be fetched.
type: string
caCertHashes:
description: 'CACertHashes specifies a set of public
key pins to verify when token-based discovery is
used. The root CA found during discovery must match
one of these values. Specifying an empty set disables
root CA pinning, which can be unsafe. Each hash
is specified as "<type>:<value>", where the only
currently supported type is "sha256". This is a
hex-encoded SHA-256 hash of the Subject Public Key
Info (SPKI) object in DER-encoded ASN.1. These hashes
can be calculated using, for example, OpenSSL: openssl
x509 -pubkey -in ca.crt openssl rsa -pubin -outform
der 2>&/dev/null | openssl dgst -sha256 -hex'
items:
type: string
type: array
token:
description: Token is a token used to validate cluster
information fetched from the control-plane.
type: string
unsafeSkipCAVerification:
description: UnsafeSkipCAVerification allows token-based
discovery without CA verification via CACertHashes.
This can weaken the security of kubeadm since other
nodes can impersonate the control-plane.
type: boolean
required:
- token
- unsafeSkipCAVerification
type: object
file:
description: File is used to specify a file or URL to
a kubeconfig file from which to load cluster information
BootstrapToken and File are mutually exclusive
properties:
kubeConfigPath:
description: KubeConfigPath is used to specify the
actual file path or URL to the kubeconfig file from
which to load cluster information
type: string
required:
- kubeConfigPath
type: object
timeout:
description: Timeout modifies the discovery timeout
type: string
tlsBootstrapToken:
description: 'TLSBootstrapToken is a token used for TLS
bootstrapping. If .BootstrapToken is set, this field
is defaulted to .BootstrapToken.Token, but can be overridden.
If .File is set, this field **must be set** in case
the KubeConfigFile does not contain any other authentication
information TODO: revisit when there is defaulting from
k/k'
type: string
type: object
kind:
description: 'Kind is a string value representing the REST
resource this object represents. Servers may infer this
from the endpoint the client submits requests to. Cannot
be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
nodeRegistration:
description: NodeRegistration holds fields that relate to
registering the new control-plane node to the cluster
properties:
criSocket:
description: CRISocket is used to retrieve container runtime
info. This information will be annotated to the Node
API object, for later re-use
type: string
kubeletExtraArgs:
additionalProperties:
type: string
description: KubeletExtraArgs passes through extra arguments
to the kubelet. The arguments here are passed to the
kubelet command line via the environment file kubeadm
writes at runtime for the kubelet to source. This overrides
the generic base-level configuration in the kubelet-config-1.X
ConfigMap Flags have higher priority when parsing. These
values are local and specific to the node kubeadm is
executing on.
type: object
name:
description: Name is the `.Metadata.Name` field of the
Node API object that will be created in this `kubeadm
init` or `kubeadm join` operation. This field is also
used in the CommonName field of the kubelet's client
certificate to the API server. Defaults to the hostname
of the node if not provided.
type: string
taints:
description: 'Taints specifies the taints the Node API
object should be registered with. If this field is unset,
i.e. nil, in the `kubeadm init` process it will be defaulted
to []v1.Taint{''node-role.kubernetes.io/master=""''}.
If you don''t want to taint your control-plane node,
set this field to an empty slice, i.e. `taints: {}`
in the YAML file. This field is solely used for Node
registration.'
items:
description: The node this Taint is attached to has
the "effect" on any pod that does not tolerate the
Taint.
properties:
effect:
description: Required. The effect of the taint on
pods that do not tolerate the taint. Valid effects
are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Required. The taint key to be applied
to a node.
type: string
timeAdded:
description: TimeAdded represents the time at which
the taint was added. It is only written for NoExecute
taints.
format: date-time
type: string
value:
description: Required. The taint value corresponding
to the taint key.
type: string
required:
- effect
- key
type: object
type: array
type: object
type: object
ntp:
description: NTP specifies NTP configuration
properties:
enabled:
description: Enabled specifies whether NTP should be enabled
type: boolean
servers:
description: Servers specifies which NTP servers to use
items:
type: string
type: array
type: object
postKubeadmCommands:
description: PostKubeadmCommands specifies extra commands to run
after kubeadm runs
items:
type: string
type: array
preKubeadmCommands:
description: PreKubeadmCommands specifies extra commands to run
before kubeadm runs
items:
type: string
type: array
useExperimentalRetryJoin:
description: "UseExperimentalRetryJoin replaces a basic kubeadm
command with a shell script with retries for joins. \n This
is meant to be an experimental temporary workaround on some
environments where joins fail due to timing (and other issues).
The long term goal is to add retries to kubeadm proper and use
that functionality. \n This will add about 40KB to userdata
\n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
type: boolean
users:
description: Users specifies extra users to add
items:
description: User defines the input for a generated user in
cloud-init.
properties:
gecos:
description: Gecos specifies the gecos to use for the user
type: string
groups:
description: Groups specifies the additional groups for
the user
type: string
homeDir:
description: HomeDir specifies the home directory to use
for the user
type: string
inactive:
description: Inactive specifies whether to mark the user
as inactive
type: boolean
lockPassword:
description: LockPassword specifies if password login should
be disabled
type: boolean
name:
description: Name specifies the user name
type: string
passwd:
description: Passwd specifies a hashed password for the
user
type: string
primaryGroup:
description: PrimaryGroup specifies the primary group for
the user
type: string
shell:
description: Shell specifies the user's shell
type: string
sshAuthorizedKeys:
description: SSHAuthorizedKeys specifies a list of ssh authorized
keys for the user
items:
type: string
type: array
sudo:
description: Sudo specifies a sudo role for the user
type: string
required:
- name
type: object
type: array
verbosity:
description: Verbosity is the number for the kubeadm log level
verbosity. It overrides the `--v` flag in kubeadm commands.
format: int32
type: integer
type: object
replicas:
description: Number of desired machines. Defaults to 1. When stacked
etcd is used only odd numbers are permitted, as per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members).
This is a pointer to distinguish between explicit zero and not specified.
format: int32
type: integer
upgradeAfter:
description: UpgradeAfter is a field to indicate an upgrade should
be performed after the specified time even if no changes have been
made to the KubeadmControlPlane
format: date-time
type: string
version:
description: Version defines the desired Kubernetes version.
minLength: 2
pattern: ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)([-0-9a-zA-Z_\.+]*)?$
type: string
required:
- infrastructureTemplate
- kubeadmConfigSpec
- version
type: object
status:
description: KubeadmControlPlaneStatus defines the observed state of KubeadmControlPlane.
properties:
failureMessage:
description: ErrorMessage indicates that there is a terminal problem
reconciling the state, and will be set to a descriptive error message.
type: string
failureReason:
description: FailureReason indicates that there is a terminal problem
reconciling the state, and will be set to a token value suitable
for programmatic interpretation.
type: string
initialized:
description: Initialized denotes whether or not the control plane
has the uploaded kubeadm-config configmap.
type: boolean
ready:
description: Ready denotes that the KubeadmControlPlane API Server
is ready to receive requests.
type: boolean
readyReplicas:
description: Total number of fully running and ready control plane
machines.
format: int32
type: integer
replicas:
description: Total number of non-terminated machines targeted by this
control plane (their labels match the selector).
format: int32
type: integer
selector:
description: 'Selector is the label selector in string format to avoid
introspection by clients, and is used to provide the CRD-based integration
for the scale subresource and additional integrations for things
like kubectl describe.. The string will be in the same format as
the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
type: string
unavailableReplicas:
description: Total number of unavailable machines targeted by this
control plane. This is the total number of machines that are still
required for the deployment to have 100% available capacity. They
may either be machines that are running but not yet ready or machines
that still have not been created.
format: int32
type: integer
updatedReplicas:
description: Total number of non-terminated machines targeted by this
control plane that have the desired template spec.
format: int32
type: integer
type: object
type: object
served: true
storage: true
subresources:
scale:
labelSelectorPath: .status.selector
specReplicasPath: .spec.replicas
statusReplicasPath: .status.replicas
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,24 @@
commonLabels:
cluster.x-k8s.io/v1alpha3: v1alpha3
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/
resources:
- bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patchesStrategicMerge:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
- patches/webhook_in_kubeadmcontrolplanes.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
- patches/cainjection_in_kubeadmcontrolplanes.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
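Review bot: The `[WEBHOOK]` and `[CERTMANAGER]` comments above `patchesStrategicMerge` tell the reader to "uncomment" the sections, but both patch entries are already active, so the comments describe a state this fork does not have. Either drop the two "uncomment" lines or reword them to state the current situation, e.g. `# [WEBHOOK] conversion-webhook patch for each CRD (enabled in this fork)` and `# [CERTMANAGER] CA-injection patch for each CRD (enabled in this fork)`. The same stale wording appears once more in the `vars` block of the webhook kustomization further down this commit.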


@ -0,0 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhook/clientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations


@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io


@ -0,0 +1,19 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
spec:
conversion:
strategy: Webhook
webhook:
conversionReviewVersions: ["v1", "v1beta1"]
clientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert


@ -0,0 +1,8 @@
namespace: capi-kubeadm-control-plane-system
resources:
- namespace.yaml
bases:
- ../rbac
- ../manager


@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system


@ -0,0 +1,17 @@
namePrefix: capi-kubeadm-control-plane-
commonLabels:
cluster.x-k8s.io/provider: "control-plane-kubeadm"
bases:
- crd
- default
- webhook
patchesJson6902:
- target:
group: apiextensions.k8s.io
version: v1
kind: CustomResourceDefinition
name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
path: patch_crd_webhook_namespace.yaml


@ -0,0 +1,7 @@
resources:
- manager.yaml
patchesStrategicMerge:
- manager_pull_policy.yaml
- manager_image_patch.yaml
- manager_auth_proxy_patch.yaml


@ -0,0 +1,28 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- --enable-leader-election
image: controller:latest
name: manager
terminationGracePeriodSeconds: 10
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
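Review bot: The manager container is declared with no `securityContext` and no `resources`, and the pod spec sets no `serviceAccountName`, so the controller runs as whatever user the image picks, with unbounded CPU/memory, under the namespace's `default` ServiceAccount. For a controller that the RBAC files in this commit give cluster-wide access to secrets and to every control-plane resource, I'd add at least `securityContext:` / `  allowPrivilegeEscalation: false` / `  runAsNonRoot: true` under the container, plus a small requests/limits block, so a misbehaving or compromised manager is contained. `image: controller:latest` is a placeholder overridden by the image patches, which is fine as long as an overlay always applies one of them.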


@ -0,0 +1,25 @@
# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3
name: manager
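Review bot: The controller image is pinned to the `v0.3.3` tag only; a tag can be re-pushed, so for a release fork that is meant to be reproducible I'd pin by digest as well, e.g. `image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3@sha256:<digest-of-v0.3.3>` (placeholder, take the value from the registry). The sibling patch that follows points at `gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:master`, a mutable tag on a staging registry; the file paths are not shown on this page, so I cannot tell which of the two `manager/kustomization.yaml` actually references, but the staging one should not be reachable from a production overlay. If both files are kept, a one-line comment in each naming the overlay that consumes it would prevent the wrong one being wired in later.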


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:master
name: manager


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
imagePullPolicy: IfNotPresent


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
imagePullPolicy: Always


@ -0,0 +1,3 @@
- op: replace
path: "/spec/conversion/webhook/clientConfig/service/namespace"
value: capi-webhook-system


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: system
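Review bot: The binding's subject is the `default` ServiceAccount of the `system` namespace, and the same subject is reused by `leader-election-rolebinding` and by the `manager-rolebinding` ClusterRoleBinding later in this commit, while the manager Deployment sets no `serviceAccountName`. Every pod scheduled into this namespace without an explicit service account therefore inherits the manager's permissions, including cluster-wide create/get/list/patch on `secrets`. I'd add a dedicated `ServiceAccount` (for example `name: manager`), set `serviceAccountName: manager` in the Deployment's pod spec, and point all three `subjects` entries at it instead of `default`.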


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager


@ -0,0 +1,11 @@
resources:
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 3 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml


@ -0,0 +1,32 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: system


@ -0,0 +1,100 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- bootstrap.cluster.x-k8s.io
- controlplane.cluster.x-k8s.io
- infrastructure.cluster.x-k8s.io
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- clusters
- clusters/status
verbs:
- get
- list
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- machines
- machines/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- patch
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: manager-role
namespace: kube-system
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- watch
- apiGroups:
- rbac
resources:
- rolebindings
verbs:
- create
- get
- list
- watch
- apiGroups:
- rbac
resources:
- roles
verbs:
- create
- get
- list
- watch
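Review bot: The two rules in the `kube-system` Role use `apiGroups: - rbac`, but `roles` and `rolebindings` belong to the `rbac.authorization.k8s.io` group, so as written these rules match nothing and any create/get/list/watch the controller issues for Roles or RoleBindings in kube-system will be denied. Change both occurrences of `- rbac` to `- rbac.authorization.k8s.io`; the `creationTimestamp: null` suggests this file is controller-gen output, in which case the kubebuilder marker in the controller source needs the same correction or the next regeneration will undo it. Separately, the ClusterRole grants `'*'` resources on three API groups and cluster-wide `secrets` access; that is how the upstream generator emits it, but a short comment noting that the secrets rule is the first candidate for scoping down (e.g. to a namespaced Role) would help whoever tightens this fork later.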


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: system


@ -0,0 +1,43 @@
namespace: capi-webhook-system
resources:
- manifests.yaml
- service.yaml
- ../certmanager
- ../manager
configurations:
- kustomizeconfig.yaml
patchesStrategicMerge:
- manager_webhook_patch.yaml
- webhookcainjection_patch.yaml
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
objref:
kind: Certificate
group: cert-manager.io
version: v1alpha2
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATE_NAME
objref:
kind: Certificate
group: cert-manager.io
version: v1alpha2
name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICE_NAMESPACE # namespace of the service
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: SERVICE_NAME
objref:
kind: Service
version: v1
name: webhook-service


@ -0,0 +1,27 @@
# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
namespace:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
varReference:
- path: metadata/annotations
- kind: Deployment
path: spec/template/spec/volumes/secret/secretName


@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--webhook-port=9443"
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: $(SERVICE_NAME)-cert
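Review bot: The serving-cert secret is mounted with `defaultMode: 420` (0644), so the private key is readable by every user in the container; `readOnly: true` stops writes but not reads. `defaultMode: 256` (0400, written in decimal like the existing value to avoid the YAML octal trap) limits it to the file owner, but secret volume files are root-owned unless the pod sets `securityContext.fsGroup`, so pair the two if the manager is later made to run as non-root. The `$(SERVICE_NAME)-cert` name is substituted by kustomize via the `varReference` entry for `spec/template/spec/volumes/secret/secretName` in the kustomizeconfig above, so that wiring is consistent.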


@ -0,0 +1,54 @@
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
name: mutating-webhook-configuration
webhooks:
- clientConfig:
caBundle: Cg==
service:
name: webhook-service
namespace: system
path: /mutate-controlplane-cluster-x-k8s-io-v1alpha3-kubeadmcontrolplane
failurePolicy: Fail
matchPolicy: Equivalent
name: default.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
rules:
- apiGroups:
- controlplane.cluster.x-k8s.io
apiVersions:
- v1alpha3
operations:
- CREATE
- UPDATE
resources:
- kubeadmcontrolplanes
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
creationTimestamp: null
name: validating-webhook-configuration
webhooks:
- clientConfig:
caBundle: Cg==
service:
name: webhook-service
namespace: system
path: /validate-controlplane-cluster-x-k8s-io-v1alpha3-kubeadmcontrolplane
failurePolicy: Fail
matchPolicy: Equivalent
name: validation.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
rules:
- apiGroups:
- controlplane.cluster.x-k8s.io
apiVersions:
- v1alpha3
operations:
- CREATE
- UPDATE
resources:
- kubeadmcontrolplanes
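Review bot: Neither webhook sets `sideEffects` or `admissionReviewVersions`; under `admissionregistration.k8s.io/v1beta1` `sideEffects` defaults to `Unknown`, which makes the API server reject dry-run requests that match these rules, and both fields become mandatory on the `v1` API these objects will eventually have to move to. I'd add `sideEffects: None` and `admissionReviewVersions: ["v1beta1"]` to each of the two `webhooks` entries, provided the handlers really have no out-of-band effects, which is the normal case for a defaulting/validating webhook. `failurePolicy: Fail` is the right choice for a webhook guarding control-plane objects, and the `Cg==` caBundle placeholder is replaced by the cert-manager injection patch at the end of this commit, so that part is fine.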


@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: webhook-service
namespace: system
spec:
ports:
- port: 443
targetPort: webhook-server


@ -0,0 +1,15 @@
# This patch add annotation to admission webhook config and
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)