From 46c1671f433adec7007403782538a55601bb3df2 Mon Sep 17 00:00:00 2001 
From: digambar Date: Wed, 7 Apr 2021 05:37:52 +0000 Subject: [PATCH] Add ViNO function to target/workload phase Change-Id: I1751ad60c05489897aff8b4d578193282acfb9c7 --- .../versions-treasuremap.yaml | 4 + manifests/function/vino/Kptfile | 23 + manifests/function/vino/kustomization.yaml | 4 + .../vino/replacements/kustomization.yaml | 2 + .../function/vino/replacements/versions.yaml | 38 ++ manifests/function/vino/upstream/crd/Kptfile | 18 + .../bases/airship.airshipit.org_ippools.yaml | 86 +++ .../bases/airship.airshipit.org_vinoes.yaml | 346 +++++++++++ .../function/vino/upstream/crd/bases/bmh.yaml | 570 ++++++++++++++++++ .../vino/upstream/crd/kustomization.yaml | 25 + .../vino/upstream/crd/kustomizeconfig.yaml | 15 + .../crd/patches/cainjection_in_ippools.yaml | 8 + .../crd/patches/cainjection_in_vinoes.yaml | 8 + .../crd/patches/webhook_in_ippools.yaml | 17 + .../crd/patches/webhook_in_vinoes.yaml | 17 + .../function/vino/upstream/default/Kptfile | 12 + .../vino/upstream/default/kustomization.yaml | 70 +++ .../default/manager_auth_proxy_patch.yaml | 25 + .../default/manager_webhook_patch.yaml | 23 + .../default/webhookcainjection_patch.yaml | 15 + .../function/vino/upstream/manager/Kptfile | 19 + .../upstream/manager/daemonset-template.yaml | 86 +++ .../upstream/manager/inventory-template.yaml | 34 ++ .../vino/upstream/manager/kustomization.yaml | 9 + .../vino/upstream/manager/manager.yaml | 45 ++ manifests/function/vino/upstream/rbac/Kptfile | 12 + .../rbac/auth_proxy_client_clusterrole.yaml | 7 + .../vino/upstream/rbac/auth_proxy_role.yaml | 13 + .../rbac/auth_proxy_role_binding.yaml | 12 + .../upstream/rbac/auth_proxy_service.yaml | 14 + .../upstream/rbac/ippool_editor_role.yaml | 24 + .../upstream/rbac/ippool_viewer_role.yaml | 20 + .../vino/upstream/rbac/kustomization.yaml | 16 + .../upstream/rbac/leader_election_role.yaml | 44 ++ .../rbac/leader_election_role_binding.yaml | 12 + .../function/vino/upstream/rbac/role.yaml | 66 ++ 
.../vino/upstream/rbac/role_binding.yaml | 12 + .../rbac/vino_daemonset_controller_role.yaml | 63 ++ ...ino_daemonset_controller_role_binding.yaml | 12 + .../vino/upstream/rbac/vino_editor_role.yaml | 24 + .../vino/upstream/rbac/vino_manager_role.yaml | 47 ++ .../rbac/vino_manager_role_binding.yaml | 12 + .../vino/upstream/rbac/vino_viewer_role.yaml | 20 + .../target/workload/kustomization.yaml | 2 +- .../target/workload/kustomization.yaml | 1 + 45 files changed, 1951 insertions(+), 1 deletion(-) create mode 100644 manifests/function/vino/Kptfile create mode 100644 manifests/function/vino/kustomization.yaml create mode 100644 manifests/function/vino/replacements/kustomization.yaml create mode 100644 manifests/function/vino/replacements/versions.yaml create mode 100644 manifests/function/vino/upstream/crd/Kptfile create mode 100644 manifests/function/vino/upstream/crd/bases/airship.airshipit.org_ippools.yaml create mode 100644 manifests/function/vino/upstream/crd/bases/airship.airshipit.org_vinoes.yaml create mode 100644 manifests/function/vino/upstream/crd/bases/bmh.yaml create mode 100644 manifests/function/vino/upstream/crd/kustomization.yaml create mode 100644 manifests/function/vino/upstream/crd/kustomizeconfig.yaml create mode 100644 manifests/function/vino/upstream/crd/patches/cainjection_in_ippools.yaml create mode 100644 manifests/function/vino/upstream/crd/patches/cainjection_in_vinoes.yaml create mode 100644 manifests/function/vino/upstream/crd/patches/webhook_in_ippools.yaml create mode 100644 manifests/function/vino/upstream/crd/patches/webhook_in_vinoes.yaml create mode 100644 manifests/function/vino/upstream/default/Kptfile create mode 100644 manifests/function/vino/upstream/default/kustomization.yaml create mode 100644 manifests/function/vino/upstream/default/manager_auth_proxy_patch.yaml create mode 100644 manifests/function/vino/upstream/default/manager_webhook_patch.yaml create mode 100644 
manifests/function/vino/upstream/default/webhookcainjection_patch.yaml create mode 100644 manifests/function/vino/upstream/manager/Kptfile create mode 100644 manifests/function/vino/upstream/manager/daemonset-template.yaml create mode 100644 manifests/function/vino/upstream/manager/inventory-template.yaml create mode 100644 manifests/function/vino/upstream/manager/kustomization.yaml create mode 100644 manifests/function/vino/upstream/manager/manager.yaml create mode 100644 manifests/function/vino/upstream/rbac/Kptfile create mode 100644 manifests/function/vino/upstream/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 manifests/function/vino/upstream/rbac/auth_proxy_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/auth_proxy_role_binding.yaml create mode 100644 manifests/function/vino/upstream/rbac/auth_proxy_service.yaml create mode 100644 manifests/function/vino/upstream/rbac/ippool_editor_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/ippool_viewer_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/kustomization.yaml create mode 100644 manifests/function/vino/upstream/rbac/leader_election_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/leader_election_role_binding.yaml create mode 100644 manifests/function/vino/upstream/rbac/role.yaml create mode 100644 manifests/function/vino/upstream/rbac/role_binding.yaml create mode 100644 manifests/function/vino/upstream/rbac/vino_daemonset_controller_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/vino_daemonset_controller_role_binding.yaml create mode 100644 manifests/function/vino/upstream/rbac/vino_editor_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/vino_manager_role.yaml create mode 100644 manifests/function/vino/upstream/rbac/vino_manager_role_binding.yaml create mode 100644 manifests/function/vino/upstream/rbac/vino_viewer_role.yaml 
diff --git a/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml b/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml
index bff3bb0c8..60cd113ea 100644
--- a/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml
+++ b/manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml
@@ -109,3 +109,7 @@ spec:
 defaultBackend:
 repository: k8s.gcr.io/defaultbackend-amd64
 tag: 1.5
+ vino:
+ kube-rbac-proxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+ libvirt: quay.io/airshipit/libvirt
+ manager: quay.io/airshipit/vino:6480ddc3ba98fba21fd692b8489adb0177abb8b5
diff --git a/manifests/function/vino/Kptfile b/manifests/function/vino/Kptfile
new file mode 100644
index 000000000..d166341ba
--- /dev/null
+++ b/manifests/function/vino/Kptfile
@@ -0,0 +1,23 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+dependencies:
+- name: upstream/crd
+ git:
+ repo: "https://opendev.org/airship/vino"
+ directory: "config/crd"
+ ref: "3dc0698a85f618a24c40bd7862d1dd807fc73ae3"
+- name: upstream/default
+ git:
+ repo: "https://opendev.org/airship/vino"
+ directory: "config/default"
+ ref: "3dc0698a85f618a24c40bd7862d1dd807fc73ae3"
+- name: upstream/manager
+ git:
+ repo: "https://opendev.org/airship/vino"
+ directory: "config/manager"
+ ref: "3dc0698a85f618a24c40bd7862d1dd807fc73ae3"
+- name: upstream/rbac
+ git:
+ repo: "https://opendev.org/airship/vino"
+ directory: "config/rbac"
+ ref: "3dc0698a85f618a24c40bd7862d1dd807fc73ae3"
diff --git a/manifests/function/vino/kustomization.yaml b/manifests/function/vino/kustomization.yaml
new file mode 100644
index 000000000..733300e7e
--- /dev/null
+++ b/manifests/function/vino/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- upstream/default
diff --git a/manifests/function/vino/replacements/kustomization.yaml b/manifests/function/vino/replacements/kustomization.yaml
new file mode 100644
index 000000000..ee1becf0d
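Review bot: The new `libvirt: quay.io/airshipit/libvirt` entry carries no tag or digest, so it resolves to the registry's floating default tag and the libvirt image can change underneath an already-rendered site without any edit to this catalogue; the sibling entries pin `kube-rbac-proxy` to `v0.5.0` and `manager` to a commit-named tag. Pin it the same way, e.g. `libvirt: quay.io/airshipit/libvirt:<PINNED_TAG_OR_DIGEST>` (placeholder — use the value the ViNO daemonset was validated against). A digest reference would make all three entries verifiable rather than mutable-tag lookups, though that is a wider convention question for the catalogue.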
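Review bot: The four dependencies declare `repo: "https://opendev.org/airship/vino"`, but the vendored `upstream/crd/Kptfile` added in the same commit records `repo: https://github.com/airshipit/vino` as the origin of the fetched content at the same commit `3dc0698a85f618a24c40bd7862d1dd807fc73ae3`. Whichever host is canonical should appear in both places; otherwise a later `kpt pkg update` fetches from a different host than the vendored copy was taken from, which makes provenance review of the vendored CRD and RBAC content harder than it needs to be. Pinning every dependency to a full commit ref rather than a branch is the right choice here; keep that when aligning the URLs.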
--- /dev/null
+++ b/manifests/function/vino/replacements/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - versions.yaml
diff --git a/manifests/function/vino/replacements/versions.yaml b/manifests/function/vino/replacements/versions.yaml
new file mode 100644
index 000000000..e56388e4e
--- /dev/null
+++ b/manifests/function/vino/replacements/versions.yaml
@@ -0,0 +1,38 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+ name: vino-versions-replacements
+ annotations:
+ config.kubernetes.io/function: |-
+ container:
+ image: quay.io/airshipit/replacement-transformer:latest
+replacements:
+- source:
+ objref:
+ kind: VariableCatalogue
+ name: versions-treasuremap
+ fieldref: "{.spec.images.vino.manager}"
+ target:
+ objref:
+ kind: Deployment
+ name: vino-controller-manager
+ fieldrefs: ["{.spec.template.spec.containers[?(.name == 'manager')].image}"]
+- source:
+ objref:
+ kind: VariableCatalogue
+ name: versions-treasuremap
+ fieldref: "{.spec.images.vino.kube-rbac-proxy}"
+ target:
+ objref:
+ kind: Deployment
+ name: vino-controller-manager
+ fieldrefs: ["{.spec.template.spec.containers[?(.name == 'kube-rbac-proxy')].image}"]
+- source:
+ objref:
+ kind: VariableCatalogue
+ name: versions-treasuremap
+ fieldref: "{.spec.images.vino.libvirt}"
+ target:
+ objref:
+ kind: ConfigMap
+ name: vino-daemonset-template
diff --git a/manifests/function/vino/upstream/crd/Kptfile b/manifests/function/vino/upstream/crd/Kptfile
new file mode 100644
index 000000000..994ac722f
--- /dev/null
+++ b/manifests/function/vino/upstream/crd/Kptfile
@@ -0,0 +1,18 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+ name: upstream/crd
+upstream:
+ type: git
+ git:
+ commit: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3
+ repo: https://github.com/airshipit/vino
+ directory: config/crd
+ ref: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3
+openAPI:
+ definitions:
+ io.k8s.cli.setters.replicas:
+ x-k8s-cli:
+ setter:
+ name: replicas
+ value: "3"
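Review bot: The third replacement targets `kind: ConfigMap` / `name: vino-daemonset-template` with no `fieldrefs`, while the two Deployment replacements name the exact container `image` path; where inside the ConfigMap the libvirt image is meant to land is not expressed, and the ConfigMap itself (`upstream/manager/daemonset-template.yaml`) is outside this hunk. If the transformer treats an absent `fieldrefs` as a whole-object replacement, this would overwrite the ConfigMap with the image string instead of substituting into it — worth confirming against the transformer's documented behaviour and, either way, adding an explicit `fieldrefs` or a comment such as `# libvirt image is substituted into the daemonset template carried by this ConfigMap` so the intent is reviewable. Separately, `image: quay.io/airshipit/replacement-transformer:latest` is a floating tag for a function container that executes at render time; if the repository's other functions pin this image, match that convention here.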
diff --git a/manifests/function/vino/upstream/crd/bases/airship.airshipit.org_ippools.yaml b/manifests/function/vino/upstream/crd/bases/airship.airshipit.org_ippools.yaml
new file mode 100644
index 000000000..89de742d0
--- /dev/null
+++ b/manifests/function/vino/upstream/crd/bases/airship.airshipit.org_ippools.yaml
@@ -0,0 +1,86 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: ippools.airship.airshipit.org +spec: + group: airship.airshipit.org + names: + kind: IPPool + listKind: IPPoolList + plural: ippools + singular: ippool + scope: Namespaced + validation: + openAPIV3Schema: + description: IPPool is the Schema for the ippools API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec tracks allocation ranges and statuses within a specific + subnet IPv4 or IPv6 subnet. It has a set of ranges of IPs within the + subnet from which IPs can be allocated by IPAM, and a set of IPs that + are currently allocated already. 
+ properties: + allocatedIPs: + items: + description: AllocatedIP Allocates an IP to an entity + properties: + allocatedTo: + type: string + ip: + type: string + required: + - allocatedTo + - ip + type: object + type: array + ranges: + items: + description: Range has (inclusive) bounds within a subnet from which + IPs can be allocated + properties: + start: + type: string + stop: + type: string + required: + - start + - stop + type: object + type: array + subnet: + type: string + required: + - allocatedIPs + - ranges + - subnet + type: object + status: + description: IPPoolStatus defines the observed state of IPPool + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/vino/upstream/crd/bases/airship.airshipit.org_vinoes.yaml b/manifests/function/vino/upstream/crd/bases/airship.airshipit.org_vinoes.yaml new file mode 100644 index 000000000..644ee62c3 --- /dev/null +++ b/manifests/function/vino/upstream/crd/bases/airship.airshipit.org_vinoes.yaml 
@@ -0,0 +1,346 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: vinoes.airship.airshipit.org +spec: + group: airship.airshipit.org + names: + kind: Vino + listKind: VinoList + plural: vinoes + singular: vino + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Vino is the Schema for the vinoes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VinoSpec defines the desired state of Vino + properties: + bmcCredentials: + description: BMCCredentials contain credentials that will be used to + create BMH nodes sushy tools will use these credentials as well, to + set up authentication + properties: + password: + type: string + username: + type: string + required: + - password + - username + type: object + configuration: + description: Define CPU configuration + properties: + cpuExclude: + description: Exclude CPU example 0-4,54-60 + type: string + type: object + daemonSetOptions: + description: DaemonSetOptions defines how vino will spawn daemonset + on nodes + properties: + libvirtImage: + type: string + namespacedName: + description: NamespacedName to be used to spawn VMs + properties: + name: + type: string + namespace: + type: string + type: object + nodeAnnotatorImage: + type: string + sushyImage: + type: string + vinoBuilderImage: + type: string + type: object + networks: + description: Define network parameters + items: + description: Network defines libvirt networks + properties: + allocationStart: + type: string + allocationStop: + type: string + dns_servers: + items: + type: string + type: array + name: + description: Network Parameter defined + type: string + routes: + items: + description: VMRoutes defined + properties: + gateway: + type: string + netmask: + type: string + network: + type: string + type: object + type: array + subnet: + type: string + type: + type: string + type: object + type: array + nodeSelector: + description: Define nodelabel parameters + properties: + matchLabels: + additionalProperties: + type: string + description: Node type needs to specified + type: object + required: + - matchLabels + type: object + nodes: + description: Define node details + items: + description: NodeSet node definitions + 
properties: + count: + type: integer + diskDrives: + description: DiskDrivesTemplate defines disks on the VM + properties: + name: + type: string + options: + description: DiskOptions disk options + properties: + sizeGb: + type: integer + sparse: + type: boolean + type: object + path: + type: string + type: + type: string + type: object + labels: + description: VMNodeFlavor labels for node to be annotated + properties: + vmFlavor: + additionalProperties: + type: string + type: object + type: object + libvirtTemplate: + description: NamespacedName to be used to spawn VMs + properties: + name: + type: string + namespace: + type: string + type: object + name: + description: Parameter for Node master or worker-standard + type: string + networkDataTemplate: + description: NetworkDataTemplate must have a template key + properties: + name: + type: string + namespace: + type: string + type: object + networkInterfaces: + items: + description: NetworkInterface define interface on the VM + properties: + mtu: + type: integer + name: + description: Define parameter for network interfaces + type: string + network: + type: string + options: + additionalProperties: + type: string + type: object + type: + type: string + type: object + type: array + type: object + type: array + vmBridge: + description: VMBridge defines the single interface name to be used as + a bridge for VMs + type: string + required: + - bmcCredentials + - vmBridge + type: object + status: + description: VinoStatus defines the observed state of Vino + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + type FooStatus struct{ // Represents the observations of a foo's + current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // + +patchStrategy=merge // +listType=map // +listMapKey=type + \ Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details + about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers of + specific condition types may define expected values and meanings + for this field, and whether the values are considered a guaranteed + API. The value should be a CamelCase string. This field may + not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + configMapRef: + description: 'ObjectReference contains enough information to let you + inspect or modify the referred object. --- New uses of this type are + discouraged because of difficulty describing its usage when embedded + in APIs. 1. Ignored fields. It includes many fields which are not + generally honored. For instance, ResourceVersion and FieldPath are + both very rarely valid in actual usage. 2. Invalid usage help. It + is impossible to add specific help for individual usage. In most + embedded usages, there are particular restrictions like, "must + refer only to types A and B" or "UID not honored" or "name must be + restricted". Those cannot be well described when embedded. 3. + Inconsistent validation. Because the usages are different, the validation + rules are different by usage, which makes it hard for users to predict + what will happen. 4. The fields are both imprecise and overly precise. Kind + is not a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the dependency + is on the group,resource tuple and the version of the actual struct + is irrelevant. 5. We cannot easily change it. Because this type + is embedded in many locations, updates to this type will affect + numerous schemas. Don''t make new APIs embed an underspecified API + type they do not control. 
Instead of using this type, create a locally + provided and used type that is well-focused on your reference. For + example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an + entire object, this string should contain a valid JSON/Go field + access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen only + to have some well-defined way of referencing a part of an object. + TODO: this design is not final and this field is subject to change + in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: object + type: object + version: v1 + versions: + - name: v1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/manifests/function/vino/upstream/crd/bases/bmh.yaml b/manifests/function/vino/upstream/crd/bases/bmh.yaml new file mode 100644 index 000000000..bb28fe98b --- /dev/null +++ b/manifests/function/vino/upstream/crd/bases/bmh.yaml 
@@ -0,0 +1,570 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + clusterctl.cluster.x-k8s.io: "" + name: baremetalhosts.metal3.io +spec: + additionalPrinterColumns: + - JSONPath: .status.operationalStatus + description: Operational status + name: Status + type: string + - JSONPath: .status.provisioning.state + description: Provisioning status + name: Provisioning Status + type: string + - JSONPath: .spec.consumerRef.name + description: Consumer using this host + name: Consumer + type: string + - JSONPath: .spec.bmc.address + description: Address of management controller + name: BMC + type: string + - JSONPath: .status.hardwareProfile + description: The type of hardware detected + name: Hardware Profile + type: string + - JSONPath: .spec.online + description: Whether the host is online or not + name: Online + type: string + - JSONPath: .status.errorMessage + description: Most recent error + name: Error + type: string + group: metal3.io + names: + kind: BareMetalHost + listKind: BareMetalHostList + plural: baremetalhosts + shortNames: + - bmh + - bmhost + singular: baremetalhost + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: BareMetalHost is the Schema for the baremetalhosts API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BareMetalHostSpec defines the desired state of BareMetalHost + properties: + bmc: + description: How do we connect to the BMC? + properties: + address: + description: Address holds the URL for accessing the controller + on the network. + type: string + credentialsName: + description: The name of the secret containing the BMC credentials + (requires keys "username" and "password"). + type: string + disableCertificateVerification: + description: DisableCertificateVerification disables verification + of server certificates when using HTTPS to connect to the BMC. + This is required when the server certificate is self-signed, but + is insecure because it allows a man-in-the-middle to intercept + the connection. + type: boolean + required: + - address + - credentialsName + type: object + bootMACAddress: + description: Which MAC address will PXE boot? This is optional for some + types, but required for libvirt VMs driven by vbmc. + pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}' + type: string + bootMode: + description: Select the method of initializing the hardware during boot. + enum: + - UEFI + - legacy + type: string + consumerRef: + description: ConsumerRef can be used to store information about something + that is using a host. When it is not empty, the host is considered + "in use". + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an + entire object, this string should contain a valid JSON/Go field + access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen only + to have some well-defined way of referencing a part of an object. + TODO: this design is not final and this field is subject to change + in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + description: + description: Description is a human-entered text used to help identify + the host + type: string + externallyProvisioned: + description: ExternallyProvisioned means something else is managing + the image running on the host and the operator should only manage + the power status and hardware inventory inspection. If the Image field + is filled in, this field is ignored. + type: boolean + hardwareProfile: + description: What is the name of the hardware profile for this host? + It should only be necessary to set this when inspection cannot automatically + determine the profile. 
+ type: string + image: + description: Image holds the details of the image to be provisioned. + properties: + checksum: + description: Checksum is the checksum for the image. + type: string + url: + description: URL is a location of an image to deploy. + type: string + required: + - checksum + - url + type: object + networkData: + description: NetworkData holds the reference to the Secret containing + content of network_data.json which is passed to Config Drive + properties: + name: + description: Name is unique within a namespace to reference a secret + resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + online: + description: Should the server be online? + type: boolean + taints: + description: Taints is the full, authoritative list of taints to apply + to the corresponding Machine. This list will overwrite any modifications + made to the Machine on an ongoing basis. + items: + description: The node this Taint is attached to has the "effect" on + any pod that does not tolerate the Taint. + properties: + effect: + description: Required. The effect of the taint on pods that do + not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Required. The taint key to be applied to a node. + type: string + timeAdded: + description: TimeAdded represents the time at which the taint + was added. It is only written for NoExecute taints. + format: date-time + type: string + value: + description: Required. The taint value corresponding to the taint + key. + type: string + required: + - effect + - key + type: object + type: array + userData: + description: UserData holds the reference to the Secret containing the + user data to be passed to the host before it boots. + properties: + name: + description: Name is unique within a namespace to reference a secret + resource. 
+ type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + required: + - online + type: object + status: + description: BareMetalHostStatus defines the observed state of BareMetalHost + properties: + errorMessage: + description: the last error message reported by the provisioning subsystem + type: string + errorType: + description: ErrorType indicates the type of failure encountered when + the OperationalStatus is OperationalStatusError + enum: + - registration error + - inspection error + - provisioning error + - power management error + type: string + goodCredentials: + description: the last credentials we were able to validate as working + properties: + credentials: + description: SecretReference represents a Secret Reference. It has + enough information to retrieve secret in any namespace + properties: + name: + description: Name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + credentialsVersion: + type: string + type: object + hardware: + description: The hardware discovered to exist on the host. + properties: + cpu: + description: CPU describes one processor on the host. + properties: + arch: + type: string + clockMegahertz: + description: ClockSpeed is a clock speed in MHz + count: + type: integer + flags: + items: + type: string + type: array + model: + type: string + required: + - arch + - clockMegahertz + - count + - flags + - model + type: object + firmware: + description: Firmware describes the firmware on the host. 
+ properties: + bios: + description: The BIOS for this firmware + properties: + date: + description: The release/build date for this BIOS + type: string + vendor: + description: The vendor name for this BIOS + type: string + version: + description: The version of the BIOS + type: string + required: + - date + - vendor + - version + type: object + required: + - bios + type: object + hostname: + type: string + nics: + items: + description: NIC describes one network interface on the host. + properties: + ip: + description: The IP address of the device + type: string + mac: + description: The device MAC addr + pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}' + type: string + model: + description: The name of the model, e.g. "virt-io" + type: string + name: + description: The name of the NIC, e.g. "nic-1" + type: string + pxe: + description: Whether the NIC is PXE Bootable + type: boolean + speedGbps: + description: The speed of the device + type: integer + vlanId: + description: The untagged VLAN ID + format: int32 + type: integer + vlans: + description: The VLANs available + items: + description: VLAN represents the name and ID of a VLAN + properties: + id: + description: VLANID is a 12-bit 802.1Q VLAN identifier + format: int32 + type: integer + name: + type: string + required: + - id + type: object + type: array + required: + - ip + - mac + - model + - name + - pxe + - speedGbps + - vlanId + type: object + type: array + ramMebibytes: + type: integer + storage: + items: + description: Storage describes one storage device (disk, SSD, + etc.) on the host. + properties: + hctl: + description: The SCSI location of the device + type: string + model: + description: Hardware model + type: string + name: + description: A name for the disk, e.g. 
"disk 1 (boot)" + type: string + rotational: + description: Whether this disk represents rotational storage + type: boolean + serialNumber: + description: The serial number of the device + type: string + sizeBytes: + description: The size of the disk in Bytes + format: int64 + type: integer + vendor: + description: The name of the vendor of the device + type: string + wwn: + description: The WWN of the device + type: string + wwnVendorExtension: + description: The WWN Vendor extension of the device + type: string + wwnWithExtension: + description: The WWN with the extension + type: string + required: + - name + - rotational + - serialNumber + - sizeBytes + type: object + type: array + systemVendor: + description: HardwareSystemVendor stores details about the whole + hardware system. + properties: + manufacturer: + type: string + productName: + type: string + serialNumber: + type: string + required: + - manufacturer + - productName + - serialNumber + type: object + required: + - cpu + - firmware + - hostname + - nics + - ramMebibytes + - storage + - systemVendor + type: object + hardwareProfile: + description: The name of the profile matching the hardware details. + type: string + lastUpdated: + description: LastUpdated identifies when this status was last observed. + format: date-time + type: string + operationHistory: + description: OperationHistory holds information about operations performed + on this host. + properties: + deprovision: + description: OperationMetric contains metadata about an operation + (inspection, provisioning, etc.) used for tracking metrics. + properties: + end: + format: date-time + nullable: true + type: string + start: + format: date-time + nullable: true + type: string + type: object + inspect: + description: OperationMetric contains metadata about an operation + (inspection, provisioning, etc.) used for tracking metrics. 
+ properties: + end: + format: date-time + nullable: true + type: string + start: + format: date-time + nullable: true + type: string + type: object + provision: + description: OperationMetric contains metadata about an operation + (inspection, provisioning, etc.) used for tracking metrics. + properties: + end: + format: date-time + nullable: true + type: string + start: + format: date-time + nullable: true + type: string + type: object + register: + description: OperationMetric contains metadata about an operation + (inspection, provisioning, etc.) used for tracking metrics. + properties: + end: + format: date-time + nullable: true + type: string + start: + format: date-time + nullable: true + type: string + type: object + type: object + operationalStatus: + description: OperationalStatus holds the status of the host + enum: + - "" + - OK + - discovered + - error + type: string + poweredOn: + description: indicator for whether or not the host is powered on + type: boolean + provisioning: + description: Information tracked by the provisioner. + properties: + ID: + description: The machine's UUID from the underlying provisioning + tool + type: string + image: + description: Image holds the details of the last image successfully + provisioned to the host. + properties: + checksum: + description: Checksum is the checksum for the image. + type: string + url: + description: URL is a location of an image to deploy. + type: string + required: + - checksum + - url + type: object + state: + description: An indiciator for what the provisioner is doing with + the host. + type: string + required: + - ID + - state + type: object + triedCredentials: + description: the last credentials we sent to the provisioning backend + properties: + credentials: + description: SecretReference represents a Secret Reference. It has + enough information to retrieve secret in any namespace + properties: + name: + description: Name is unique within a namespace to reference + a secret resource. 
+ type: string + namespace: + description: Namespace defines the space within which the secret + name must be unique. + type: string + type: object + credentialsVersion: + type: string + type: object + required: + - errorMessage + - hardwareProfile + - operationHistory + - operationalStatus + - poweredOn + - provisioning + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true diff --git a/manifests/function/vino/upstream/crd/kustomization.yaml b/manifests/function/vino/upstream/crd/kustomization.yaml new file mode 100644 index 000000000..a3b35aa97 --- /dev/null +++ b/manifests/function/vino/upstream/crd/kustomization.yaml @@ -0,0 +1,25 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/airship.airshipit.org_vinoes.yaml +- bases/airship.airshipit.org_ippools.yaml +- bases/bmh.yaml +# +kubebuilder:scaffold:crdkustomizeresource + +patchesStrategicMerge: +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. +# patches here are for enabling the conversion webhook for each CRD +#- patches/webhook_in_vinoes.yaml +#- patches/webhook_in_ippools.yaml +# +kubebuilder:scaffold:crdkustomizewebhookpatch + +# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. +# patches here are for enabling the CA injection for each CRD +#- patches/cainjection_in_vinoes.yaml +#- patches/cainjection_in_ippools.yaml +# +kubebuilder:scaffold:crdkustomizecainjectionpatch + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: +- kustomizeconfig.yaml diff --git a/manifests/function/vino/upstream/crd/kustomizeconfig.yaml b/manifests/function/vino/upstream/crd/kustomizeconfig.yaml new file mode 100644 index 000000000..e9a6e478c --- /dev/null 
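Review bot: The `resources` list in crd/kustomization.yaml pulls in `bases/bmh.yaml`, a vendored copy of the metal3 BareMetalHost CRD, next to the project's own vinoes and ippools CRDs. If another function in this repository (a baremetal-operator deployment, for instance) already installs that CRD, two sources compete for the same cluster-scoped object and the last apply wins, which can silently replace the schema the other controller expects. A comment above the entry stating who owns the CRD, such as `# bmh.yaml is a copy of the metal3 BareMetalHost CRD; keep it in sync with the function that deploys metal3`, or dropping the copy where metal3 is present, would make the intent explicit.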
+++ b/manifests/function/vino/upstream/crd/kustomizeconfig.yaml @@ -0,0 +1,15 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhookClientConfig/service/name +namespace: +- kind: CustomResourceDefinition + group: apiextensions.k8s.io + path: spec/conversion/webhookClientConfig/service/namespace + create: false +varReference: +- path: metadata/annotations diff --git a/manifests/function/vino/upstream/crd/patches/cainjection_in_ippools.yaml b/manifests/function/vino/upstream/crd/patches/cainjection_in_ippools.yaml new file mode 100644 index 000000000..e46716913 --- /dev/null +++ b/manifests/function/vino/upstream/crd/patches/cainjection_in_ippools.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: ippools.airship.airshipit.org diff --git a/manifests/function/vino/upstream/crd/patches/cainjection_in_vinoes.yaml b/manifests/function/vino/upstream/crd/patches/cainjection_in_vinoes.yaml new file mode 100644 index 000000000..a38be7bb0 --- /dev/null +++ b/manifests/function/vino/upstream/crd/patches/cainjection_in_vinoes.yaml @@ -0,0 +1,8 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: vinoes.airship.airshipit.org 
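Review bot: The patches in cainjection_in_ippools.yaml and cainjection_in_vinoes.yaml target `apiVersion: apiextensions.k8s.io/v1beta1`, as do webhook_in_ippools.yaml and webhook_in_vinoes.yaml; webhookcainjection_patch.yaml uses `admissionregistration.k8s.io/v1beta1` and auth_proxy_client_clusterrole.yaml uses `rbac.authorization.k8s.io/v1beta1` while every other RBAC file in the series uses `v1`. These beta APIs are deprecated and removed from Kubernetes 1.22, and a strategic-merge patch keyed on a v1beta1 CRD stops matching once the bases move to v1. The webhook and CA-injection patches are commented out in crd/kustomization.yaml today, so only the ClusterRole is live; for that one the fix is the single line `apiVersion: rbac.authorization.k8s.io/v1`.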
diff --git a/manifests/function/vino/upstream/crd/patches/webhook_in_ippools.yaml b/manifests/function/vino/upstream/crd/patches/webhook_in_ippools.yaml new file mode 100644 index 000000000..6698840a2 --- /dev/null +++ b/manifests/function/vino/upstream/crd/patches/webhook_in_ippools.yaml @@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ippools.airship.airshipit.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/vino/upstream/crd/patches/webhook_in_vinoes.yaml b/manifests/function/vino/upstream/crd/patches/webhook_in_vinoes.yaml new file mode 100644 index 000000000..365933842 --- /dev/null +++ b/manifests/function/vino/upstream/crd/patches/webhook_in_vinoes.yaml @@ -0,0 +1,17 @@ +# The following patch enables conversion webhook for CRD +# CRD conversion requires k8s 1.13 or later. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: vinoes.airship.airshipit.org +spec: + conversion: + strategy: Webhook + webhookClientConfig: + # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, + # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) + caBundle: Cg== + service: + namespace: system + name: webhook-service + path: /convert diff --git a/manifests/function/vino/upstream/default/Kptfile b/manifests/function/vino/upstream/default/Kptfile new file mode 100644 index 000000000..40926027a --- /dev/null 
+++ b/manifests/function/vino/upstream/default/Kptfile @@ -0,0 +1,12 @@ +apiVersion: kpt.dev/v1alpha1 +kind: Kptfile +metadata: + name: upstream/default +upstream: + type: git + git: + commit: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3 + repo: https://github.com/airshipit/vino + directory: config/default + ref: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3 + diff --git a/manifests/function/vino/upstream/default/kustomization.yaml b/manifests/function/vino/upstream/default/kustomization.yaml new file mode 100644 index 000000000..69475c4ce --- /dev/null +++ b/manifests/function/vino/upstream/default/kustomization.yaml 
@@ -0,0 +1,70 @@ +# Adds namespace to all resources. +namespace: vino-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: vino- + +# Labels to add to all resources and selectors. +#commonLabels: +# someName: someValue + +bases: +- ../crd +- ../rbac +- ../manager +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +#- ../webhook +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. +#- ../certmanager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus + +patchesStrategicMerge: + # Protect the /metrics endpoint by putting it behind auth. + # If you want your controller-manager to expose the /metrics + # endpoint w/o any authn/z, please comment the following line. +- manager_auth_proxy_patch.yaml + +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +#- manager_webhook_patch.yaml + +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. +# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. +# 'CERTMANAGER' needs to be enabled to use ca injection +#- webhookcainjection_patch.yaml + +# the following config is for teaching kustomize how to do var substitution +vars: +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
+#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR +# objref: +# kind: Certificate +# group: cert-manager.io +# version: v1alpha2 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldref: +# fieldpath: metadata.namespace +#- name: CERTIFICATE_NAME +# objref: +# kind: Certificate +# group: cert-manager.io +# version: v1alpha2 +# name: serving-cert # this name should match the one in certificate.yaml +#- name: SERVICE_NAMESPACE # namespace of the service +# objref: +# kind: Service +# version: v1 +# name: webhook-service +# fieldref: +# fieldpath: metadata.namespace +#- name: SERVICE_NAME +# objref: +# kind: Service +# version: v1 +# name: webhook-service diff --git a/manifests/function/vino/upstream/default/manager_auth_proxy_patch.yaml b/manifests/function/vino/upstream/default/manager_auth_proxy_patch.yaml new file mode 100644 index 000000000..a945ed173 --- /dev/null +++ b/manifests/function/vino/upstream/default/manager_auth_proxy_patch.yaml @@ -0,0 +1,25 @@ +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 + args: + - "--secure-listen-address=0.0.0.0:8443" + - "--upstream=http://127.0.0.1:8080/" + - "--logtostderr=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: manager + args: + - "--metrics-addr=127.0.0.1:8080" + - "--enable-leader-election" diff --git a/manifests/function/vino/upstream/default/manager_webhook_patch.yaml b/manifests/function/vino/upstream/default/manager_webhook_patch.yaml new file mode 100644 index 000000000..738de350b --- /dev/null +++ b/manifests/function/vino/upstream/default/manager_webhook_patch.yaml 
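Review bot: `bases:` in default/kustomization.yaml is a deprecated kustomize field; the three entries belong under `resources:` (`resources:` / `- ../crd` / `- ../rbac` / `- ../manager`), matching how the other kustomizations in this patch list their inputs. The trailing `vars:` key has only commented-out entries beneath it and therefore parses as null; kustomize appears to tolerate that, but commenting the key out together with its contents until the CERTMANAGER section is enabled avoids relying on it.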
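Review bot: `--v=10` in manager_auth_proxy_patch.yaml sets kube-rbac-proxy to its most verbose logging, a debugging default carried over from the scaffold; on a proxy that authenticates bearer tokens, request-level logs are a place such credentials may end up, so the value should be lowered for a deployable function, e.g. `- "--v=0"`, or a comment should explain why trace-level logging is wanted. The proxy image is pinned by tag only (`kube-rbac-proxy:v0.5.0`); a digest pin would make the supply chain verifiable and that version is several releases behind.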
@@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert diff --git a/manifests/function/vino/upstream/default/webhookcainjection_patch.yaml b/manifests/function/vino/upstream/default/webhookcainjection_patch.yaml new file mode 100644 index 000000000..7e79bf995 --- /dev/null +++ b/manifests/function/vino/upstream/default/webhookcainjection_patch.yaml @@ -0,0 +1,15 @@ +# This patch add annotation to admission webhook config and +# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/manifests/function/vino/upstream/manager/Kptfile b/manifests/function/vino/upstream/manager/Kptfile new file mode 100644 index 000000000..379a46ed7 --- /dev/null +++ b/manifests/function/vino/upstream/manager/Kptfile 
@@ -0,0 +1,19 @@ +apiVersion: kpt.dev/v1alpha1 +kind: Kptfile +metadata: + name: upstream/manager +upstream: + type: git + git: + commit: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3 + repo: https://github.com/airshipit/vino + directory: config/manager + ref: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3 +openAPI: + definitions: + io.k8s.cli.setters.replicas: + x-k8s-cli: + setter: + name: replicas + value: "3" + isSet: true diff --git a/manifests/function/vino/upstream/manager/daemonset-template.yaml b/manifests/function/vino/upstream/manager/daemonset-template.yaml new file mode 100644 index 000000000..0a0bb3022 --- /dev/null +++ b/manifests/function/vino/upstream/manager/daemonset-template.yaml 
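Review bot: The manager Kptfile declares a `replicas` setter with `value: "3"` and `isSet: true`, but the `replicas: 1` field in manager.yaml carries no `# {"$kpt-set":"replicas"}` marker, so the setter appears to have no target and `kpt cfg set` would leave the deployment at one replica. Either attach the marker to that field or drop the `openAPI` block so readers are not misled about what is configurable. If the marker was lost when the upstream package was copied, re-fetching the package with kpt would restore it.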
@@ -0,0 +1,86 @@ +apiVersion: apps/v1 +kind: DaemonSet +spec: + selector: + matchLabels: + vino-role: vino-builder + template: + metadata: + labels: + vino-role: vino-builder + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostNetwork: true + hostPID: true + hostIPC: true + containers: + - name: libvirt + command: + - /tmp/libvirt.sh + image: quay.io/airshipit/libvirt + securityContext: + privileged: true + runAsUser: 0 + readOnlyRootFilesystem: false + volumeMounts: + - mountPath: /lib/modules + name: libmodules + readOnly: true + - name: var-lib-libvirt + mountPath: /var/lib/libvirt + mountPropagation: Bidirectional + - name: var-lib-libvirt-images + mountPath: /var/lib/libvirt/images + - name: run + mountPath: /run + - name: dev + mountPath: /dev + - name: cgroup + mountPath: /sys/fs/cgroup + - name: logs + mountPath: /var/log/libvirt + - name: sushy + ports: + - containerPort: 8000 + hostPort: 8000 + image: quay.io/metal3-io/sushy-tools + imagePullPolicy: IfNotPresent + command: ["/usr/local/bin/sushy-emulator"] + volumeMounts: + - name: var-run-libvirt + mountPath: /var/run/libvirt + - name: labeler + image: quay.io/airshipit/nodelabeler + imagePullPolicy: IfNotPresent + env: + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumes: + - name: libmodules + hostPath: + path: /lib/modules + - name: var-lib-libvirt + hostPath: + path: /var/lib/libvirt + - name: var-lib-libvirt-images + hostPath: + path: /var/lib/libvirt/images + - name: run + hostPath: + path: /run + - name: dev + hostPath: + path: /dev + - name: logs + hostPath: + path: /var/log/libvirt + - name: cgroup + hostPath: + path: /sys/fs/cgroup + - name: var-run-libvirt + hostPath: + path: /var/run/libvirt diff --git a/manifests/function/vino/upstream/manager/inventory-template.yaml b/manifests/function/vino/upstream/manager/inventory-template.yaml new file mode 100644 index 000000000..667e1143e --- /dev/null 
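Review bot: The vino-builder pod template in daemonset-template.yaml runs with `hostNetwork`, `hostPID` and `hostIPC`, a `privileged` root libvirt container, and host mounts of `/dev`, `/run`, `/sys/fs/cgroup` and `/var/lib/libvirt` with `mountPropagation: Bidirectional`, which amounts to host-level access on every node it lands on, yet nothing in the file says why each setting is needed. A short comment per host-namespace flag and mount, such as `# libvirt needs host PID/IPC and /dev to manage VMs on the node`, would let a later reviewer tell a required privilege from a leftover. The `sushy` container publishes `hostPort: 8000` on the host network with no authentication or TLS configured in this manifest; documenting that the Redfish emulator is reachable from the node network, and pairing it with a NetworkPolicy or a loopback bind, is worth doing before this ships. None of the three images (`quay.io/airshipit/libvirt`, `quay.io/metal3-io/sushy-tools`, `quay.io/airshipit/nodelabeler`) carries a tag or digest, so each resolves to a mutable latest.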
+++ b/manifests/function/vino/upstream/manager/inventory-template.yaml @@ -0,0 +1,34 @@ +# NOTE: auto-generated. Some fields should NOT be modified. +# Date: 2021-03-16 10:05:35 UTC +# +# Contains the "inventory object" template ConfigMap. +# When this object is applied, it is handled specially, +# storing the metadata of all the other objects applied. +# This object and its stored inventory is subsequently +# used to calculate the set of objects to automatically +# delete (prune), when an object is omitted from further +# applies. When applied, this "inventory object" is also +# used to identify the entire set of objects to delete. +# +# NOTE: The name of this inventory template file +# does NOT have any impact on group-related functionality +# such as deletion or pruning. +# +apiVersion: v1 +kind: ConfigMap +metadata: + # DANGER: Do not change the inventory object namespace. + # Changing the namespace will cause a loss of continuity + # with previously applied grouped objects. Set deletion + # and pruning functionality will be impaired. + namespace: default + # NOTE: The name of the inventory object does NOT have + # any impact on group-related functionality such as + # deletion or pruning. + name: inventory-15862452 + labels: + # DANGER: Do not change the value of this label. + # Changing this value will cause a loss of continuity + # with previously applied grouped objects. Set deletion + # and pruning functionality will be impaired. + cli-utils.sigs.k8s.io/inventory-id: 6e088520-63c2-4b5d-82ea-4f2cb089920f diff --git a/manifests/function/vino/upstream/manager/kustomization.yaml b/manifests/function/vino/upstream/manager/kustomization.yaml new file mode 100644 index 000000000..4b803c24e --- /dev/null +++ b/manifests/function/vino/upstream/manager/kustomization.yaml @@ -0,0 +1,9 @@ +resources: +- manager.yaml + +configMapGenerator: +- name: daemonset-template + options: + disableNameSuffixHash: true + files: + - template=daemonset-template.yaml 
diff --git a/manifests/function/vino/upstream/manager/manager.yaml b/manifests/function/vino/upstream/manager/manager.yaml new file mode 100644 index 000000000..9fbae7753 --- /dev/null +++ b/manifests/function/vino/upstream/manager/manager.yaml @@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - command: + - /manager + args: + - --enable-leader-election + image: quay.io/airshipit/vino + imagePullPolicy: IfNotPresent + name: manager + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + env: + - name: RUNTIME_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + terminationGracePeriodSeconds: 10 diff --git a/manifests/function/vino/upstream/rbac/Kptfile b/manifests/function/vino/upstream/rbac/Kptfile new file mode 100644 index 000000000..a51dbf2be --- /dev/null +++ b/manifests/function/vino/upstream/rbac/Kptfile @@ -0,0 +1,12 @@ +apiVersion: kpt.dev/v1alpha1 +kind: Kptfile +metadata: + name: upstream/rbac +upstream: + type: git + git: + commit: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3 + repo: https://github.com/airshipit/vino + directory: config/rbac + ref: 3dc0698a85f618a24c40bd7862d1dd807fc73ae3 + diff --git a/manifests/function/vino/upstream/rbac/auth_proxy_client_clusterrole.yaml b/manifests/function/vino/upstream/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 000000000..7d62534c5 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/auth_proxy_client_clusterrole.yaml 
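Review bot: The manager container in manager.yaml has no `securityContext`, so it runs with whatever defaults the runtime applies, and its image `quay.io/airshipit/vino` is untagged. A controller that only talks to the API server can be locked down with the standard settings below (`runAsNonRoot` requires the image to declare a non-root user, which should be confirmed), and the image should be pinned to a tag or digest taken from the published release. The `memory: 30Mi` limit is also tight for a controller-runtime manager if it caches Secrets and BareMetalHosts cluster-wide, as role.yaml suggests; it should be revisited against observed usage rather than left at the scaffold value.
```yaml
        name: manager
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
        # … unchanged: resources, env …
```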
@@ -0,0 +1,7 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: ["/metrics"] + verbs: ["get"] diff --git a/manifests/function/vino/upstream/rbac/auth_proxy_role.yaml b/manifests/function/vino/upstream/rbac/auth_proxy_role.yaml new file mode 100644 index 000000000..618f5e417 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/auth_proxy_role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: proxy-role +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/manifests/function/vino/upstream/rbac/auth_proxy_role_binding.yaml b/manifests/function/vino/upstream/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 000000000..48ed1e4b8 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/vino/upstream/rbac/auth_proxy_service.yaml b/manifests/function/vino/upstream/rbac/auth_proxy_service.yaml new file mode 100644 index 000000000..6cf656be1 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/auth_proxy_service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager 
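Review bot: auth_proxy_role_binding.yaml binds the `proxy-role` ClusterRole to the `default` ServiceAccount, and the same subject is used by leader_election_role_binding.yaml, role_binding.yaml, vino_daemonset_controller_role_binding.yaml and vino_manager_role_binding.yaml, while manager.yaml sets no `serviceAccountName`. Every pod created in the namespace without an explicit ServiceAccount therefore inherits the cluster-wide secrets, BareMetalHost and node permissions granted to the controller. A dedicated ServiceAccount (`kind: ServiceAccount` with `name: controller-manager` in namespace `system`) referenced as `serviceAccountName: controller-manager` in the deployment and in every binding's `subjects` confines the grant to the controller. The two vino_*_role_binding files also hardcode `namespace: vino-system` where the others use `system` and presumably rely on the default kustomization's namespace transform; the result is the same namespace today, but the inconsistency will surface if the prefix or namespace changes.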
diff --git a/manifests/function/vino/upstream/rbac/ippool_editor_role.yaml b/manifests/function/vino/upstream/rbac/ippool_editor_role.yaml new file mode 100644 index 000000000..8a142cbc4 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/ippool_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit ippools. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ippool-editor-role +rules: +- apiGroups: + - airship.airshipit.org + resources: + - ippools + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - airship.airshipit.org + resources: + - ippools/status + verbs: + - get diff --git a/manifests/function/vino/upstream/rbac/ippool_viewer_role.yaml b/manifests/function/vino/upstream/rbac/ippool_viewer_role.yaml new file mode 100644 index 000000000..36cfb9968 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/ippool_viewer_role.yaml @@ -0,0 +1,20 @@ +# permissions for end users to view ippools. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ippool-viewer-role +rules: +- apiGroups: + - airship.airshipit.org + resources: + - ippools + verbs: + - get + - list + - watch +- apiGroups: + - airship.airshipit.org + resources: + - ippools/status + verbs: + - get diff --git a/manifests/function/vino/upstream/rbac/kustomization.yaml b/manifests/function/vino/upstream/rbac/kustomization.yaml new file mode 100644 index 000000000..51557bdfd --- /dev/null +++ b/manifests/function/vino/upstream/rbac/kustomization.yaml 
@@ -0,0 +1,16 @@ +resources: +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +- vino_daemonset_controller_role.yaml +- vino_daemonset_controller_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml +- vino_manager_role.yaml +- vino_manager_role_binding.yaml \ No newline at end of file diff --git a/manifests/function/vino/upstream/rbac/leader_election_role.yaml b/manifests/function/vino/upstream/rbac/leader_election_role.yaml new file mode 100644 index 000000000..47209c08b --- /dev/null +++ b/manifests/function/vino/upstream/rbac/leader_election_role.yaml @@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete \ No newline at end of file diff --git a/manifests/function/vino/upstream/rbac/leader_election_role_binding.yaml b/manifests/function/vino/upstream/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..eed16906f --- /dev/null +++ b/manifests/function/vino/upstream/rbac/leader_election_role_binding.yaml 
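Review bot: rbac/kustomization.yaml does not list vino_editor_role.yaml, vino_viewer_role.yaml, ippool_editor_role.yaml or ippool_viewer_role.yaml, so those four ClusterRoles added in this patch are never rendered; if that is deliberate because they are opt-in roles for end users, a comment such as `# editor/viewer roles are not applied by default; add them from a site overlay` would say so. The file also ends without a trailing newline, as do leader_election_role.yaml, vino_daemonset_controller_role_binding.yaml, vino_manager_role.yaml and vino_manager_role_binding.yaml.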
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: default + namespace: system diff --git a/manifests/function/vino/upstream/rbac/role.yaml b/manifests/function/vino/upstream/rbac/role.yaml new file mode 100644 index 000000000..c5316c2bc --- /dev/null +++ b/manifests/function/vino/upstream/rbac/role.yaml @@ -0,0 +1,66 @@ + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - airship.airshipit.org + resources: + - ippools + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - airship.airshipit.org + resources: + - vinoes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - airship.airshipit.org + resources: + - vinoes/status + verbs: + - get + - patch + - update diff --git a/manifests/function/vino/upstream/rbac/role_binding.yaml b/manifests/function/vino/upstream/rbac/role_binding.yaml new file mode 100644 index 000000000..8f2658702 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: system 
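Review bot: `manager-role` in role.yaml grants `create/get/list/patch/update/watch` on `secrets` across the cluster, and `cluster-manager-role` in vino_manager_role.yaml grants `secrets` again with `delete` added; both are bound to the same subject, so the effective permission is the union and the controller can read and remove any Secret in any namespace. The two roles should be collapsed into one (role.yaml looks like controller-gen output, as `creationTimestamp: null` suggests, so the hand-written role is the one to fold in), and the Secret access narrowed to a namespaced Role or a `resourceNames` list if the controller only handles Secrets it creates itself. The blank line before the `---` document marker at the top of role.yaml can also go.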
diff --git a/manifests/function/vino/upstream/rbac/vino_daemonset_controller_role.yaml b/manifests/function/vino/upstream/rbac/vino_daemonset_controller_role.yaml new file mode 100644 index 000000000..8723d6f4c --- /dev/null +++ b/manifests/function/vino/upstream/rbac/vino_daemonset_controller_role.yaml @@ -0,0 +1,63 @@ +# permissions for end users to edit vinoes. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: daemonset-controller-role +rules: +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - daemonsets/status + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - patch diff --git a/manifests/function/vino/upstream/rbac/vino_daemonset_controller_role_binding.yaml b/manifests/function/vino/upstream/rbac/vino_daemonset_controller_role_binding.yaml new file mode 100644 index 000000000..8a08f6af7 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/vino_daemonset_controller_role_binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: daemonset-controller-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: daemonset-controller-role +subjects: +- kind: ServiceAccount + name: default + namespace: vino-system \ No newline at end of file diff --git a/manifests/function/vino/upstream/rbac/vino_editor_role.yaml b/manifests/function/vino/upstream/rbac/vino_editor_role.yaml new file mode 100644 index 000000000..e9544abea --- /dev/null 
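Review bot: vino_daemonset_controller_role.yaml lists the `events`/`create` rule twice (the two rules are identical), and its header comment `# permissions for end users to edit vinoes.` is copied from the editor role and does not describe a controller role. Drop the duplicate rule and replace the comment with `# permissions for the vino controller to manage builder DaemonSets, ConfigMaps and node labels`, which matches the `daemonsets`, `configmaps` and `nodes` rules actually granted.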
+++ b/manifests/function/vino/upstream/rbac/vino_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit vinoes. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vino-editor-role +rules: +- apiGroups: + - airship.airshipit.org + resources: + - vinoes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - airship.airshipit.org + resources: + - vinoes/status + verbs: + - get diff --git a/manifests/function/vino/upstream/rbac/vino_manager_role.yaml b/manifests/function/vino/upstream/rbac/vino_manager_role.yaml new file mode 100644 index 000000000..e10248d3b --- /dev/null +++ b/manifests/function/vino/upstream/rbac/vino_manager_role.yaml @@ -0,0 +1,47 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-manager-role +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - watch + - list + - delete + - update + - apiGroups: + - airship.airshipit.org + resources: + - vinoes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - airship.airshipit.org + resources: + - vinoes/status + verbs: + - get + - patch + - update + - apiGroups: + - metal3.io + resources: + - baremetalhosts + verbs: + - create + - get + - list + - patch + - update \ No newline at end of file diff --git a/manifests/function/vino/upstream/rbac/vino_manager_role_binding.yaml b/manifests/function/vino/upstream/rbac/vino_manager_role_binding.yaml new file mode 100644 index 000000000..30d4d0b9d --- /dev/null +++ b/manifests/function/vino/upstream/rbac/vino_manager_role_binding.yaml 
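Review bot: vino_manager_role.yaml indents its `rules` sequence (`  - apiGroups:`) while every other RBAC file in this patch writes sequence items flush with the parent key; both parse, but one style per package keeps diffs clean. Its `secrets` verbs are also listed in a different order from role.yaml (`create, get, watch, list, delete, update` against the alphabetical list there), which makes the overlap between the two roles harder to see at a glance.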
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-manager-role +subjects: +- kind: ServiceAccount + name: default + namespace: vino-system \ No newline at end of file diff --git a/manifests/function/vino/upstream/rbac/vino_viewer_role.yaml b/manifests/function/vino/upstream/rbac/vino_viewer_role.yaml new file mode 100644 index 000000000..d97645cd9 --- /dev/null +++ b/manifests/function/vino/upstream/rbac/vino_viewer_role.yaml @@ -0,0 +1,20 @@ +# permissions for end users to view vinoes. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: vino-viewer-role +rules: +- apiGroups: + - airship.airshipit.org + resources: + - vinoes + verbs: + - get + - list + - watch +- apiGroups: + - airship.airshipit.org + resources: + - vinoes/status + verbs: + - get diff --git a/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml b/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml index c45465241..0cfe44a96 100644 --- a/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml +++ b/manifests/site/virtual-network-cloud/target/workload/kustomization.yaml @@ -4,4 +4,4 @@ resources: transformers: - ../../../../function/ingress/replacements - ../../../../function/sip/replacements - + - ../../../../function/vino/replacements diff --git a/manifests/type/multi-tenant/target/workload/kustomization.yaml b/manifests/type/multi-tenant/target/workload/kustomization.yaml index 204787a05..239ed8485 100644 --- a/manifests/type/multi-tenant/target/workload/kustomization.yaml +++ b/manifests/type/multi-tenant/target/workload/kustomization.yaml @@ -1,4 +1,5 @@ resources: - ../../../airship-core/target/workload - ../../../../function/sip + - ../../../../function/vino #- network-policy