airship/treasuremap
Code Issues Proposed changes

Uplift SIP

Browse Source 
This moves to the latest version of SIP:
f9226befbd49e4eba8909aa430ce7407551bba62

This version includes a workload load balancer service, for
which configuration is added.

Closes: #146
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I1820b408559bc51d86a62d7d4aad10c458890354
This commit is contained in:
Sean Eagan 2021-05-19 16:57:35 -05:00
parent 3ec45406b2
commit 869b0da10f
17 changed files with 432 additions and 505 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
manifests/function/sip/Kptfile
View File

@ -5,19 +5,19 @@ dependencies:
git: git:
repo: "https://opendev.org/airship/sip" repo: "https://opendev.org/airship/sip"
directory: "config/crd" directory: "config/crd"
ref: "194346b22e1df3e922a8fd32dd2fb785856731a9" ref: "f9226befbd49e4eba8909aa430ce7407551bba62"
- name: upstream/default - name: upstream/default
git: git:
repo: "https://opendev.org/airship/sip" repo: "https://opendev.org/airship/sip"
directory: "config/default" directory: "config/default"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b" ref: "f9226befbd49e4eba8909aa430ce7407551bba62"
- name: upstream/manager - name: upstream/manager
git: git:
repo: "https://opendev.org/airship/sip" repo: "https://opendev.org/airship/sip"
directory: "config/manager" directory: "config/manager"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b" ref: "f9226befbd49e4eba8909aa430ce7407551bba62"
- name: upstream/rbac - name: upstream/rbac
git: git:
repo: "https://opendev.org/airship/sip" repo: "https://opendev.org/airship/sip"
directory: "config/rbac" directory: "config/rbac"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b" ref: "f9226befbd49e4eba8909aa430ce7407551bba62"

4
manifests/function/sip/upstream/crd/Kptfile
View File

@ -5,7 +5,7 @@ metadata:
upstream: upstream:
type: git type: git
git: git:
commit: 194346b22e1df3e922a8fd32dd2fb785856731a9 commit: f9226befbd49e4eba8909aa430ce7407551bba62
repo: https://opendev.org/airship/sip repo: https://opendev.org/airship/sip
directory: config/crd directory: config/crd
ref: 194346b22e1df3e922a8fd32dd2fb785856731a9 ref: f9226befbd49e4eba8909aa430ce7407551bba62

557
manifests/function/sip/upstream/crd/bases/airship.airshipit.org_sipclusters.yaml
View File

@ -1,8 +1,9 @@
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.3.0 controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sipclusters.airship.airshipit.org name: sipclusters.airship.airshipit.org
spec: spec:
group: airship.airshipit.org group: airship.airshipit.org
@ -12,277 +13,297 @@ spec:
plural: sipclusters plural: sipclusters
singular: sipcluster singular: sipcluster
scope: Namespaced scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: SIPCluster is the Schema for the sipclusters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SIPClusterSpec defines the desired state of a SIPCluster
properties:
nodes:
additionalProperties:
description: 'NodeSet are the the list of Nodes objects workers, or
ControlPlane that define expectations for the Tenant Clusters Includes
artifacts to associate with each defined namespace Such as : - Roles
for the Nodes - Flavor for theh Nodes image - Scheduling expectations
- Scale of the group of Nodes'
properties:
count:
description: Count defines the scale expectations for the Nodes
properties:
active:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed
state of cluster Important: Run "make" to regenerate code
after modifying this file'
type: integer
standby:
type: integer
type: object
spreadTopology:
description: PlaceHolder until we define the real expected Implementation
Scheduling define constraints that allow the SIP Scheduler to
identify the required BMH's to allow CAPI to build a cluster
enum:
- PerRack
- PerHost
type: string
vmFlavor: {}
labelSelector:
description: LabelSelector is the BMH label selector to use.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If
the operator is In or NotIn, the values array must
be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced
during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A
single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is "key",
the operator is "In", and the values array contains only
"value". The requirements are ANDed.
type: object
type: object
type: object
description: Nodes defines the set of nodes to schedule for each BMH
role.
type: object
services:
description: Services defines the services that are deployed when a
SIPCluster is provisioned.
properties:
auth:
description: Auth defines the sub-cluster authentication services.
items:
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
jumpHost:
description: JumpHost defines the sub-cluster jump host services.
items:
description: JumpHostService is an infrastructure service type
that represents the sub-cluster jump-host service.
properties:
bmc:
description: BMCOpts contains options for BMC communication.
properties:
proxy:
type: boolean
type: object
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
sshkey: {}
nodeSSHPrivateKeys:
description: NodeSSHPrivateKeys holds the name of a Secret
in the same namespace as the SIPCluster CR, whose key values
each represent an ssh private key that can be used to access
the cluster nodes. They are mounted into the jumphost with
the secret keys serving as file names relative to a common
directory, and then configured as identity files in the
SSH config file of the default user.
type: string
sshAuthorizedKeys:
items:
type: string
type: array
required:
- image
- nodePort
- nodeSSHPrivateKeys
type: object
type: array
loadBalancer:
description: LoadBalancer defines the sub-cluster load balancer
services.
items:
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
type: object
required:
- services
type: object
status:
description: SIPClusterStatus defines the observed state of SIPCluster
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a foo's
current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type //
+patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details
about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers of
specific condition types may define expected values and meanings
for this field, and whether the values are considered a guaranteed
API. The value should be a CamelCase string. This field may
not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
version: v1
versions: versions:
- name: v1 - name: v1
schema:
openAPIV3Schema:
description: SIPCluster is the Schema for the sipclusters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SIPClusterSpec defines the desired state of a SIPCluster
properties:
nodes:
additionalProperties:
description: 'NodeSet are the the list of Nodes objects workers,
or ControlPlane that define expectations for the Tenant Clusters
Includes artifacts to associate with each defined namespace Such
as : - Roles for the Nodes - Flavor for the Nodes image - Anti-affinity
expectations - Scale of the group of Nodes'
properties:
count:
description: Count defines the scale expectations for the Nodes
properties:
active:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed
state of cluster Important: Run "make" to regenerate code
after modifying this file'
type: integer
standby:
type: integer
type: object
labelSelector:
description: LabelSelector is the BMH label selector to use.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that relates
the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn,
Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values array
must be non-empty. If the operator is Exists or
DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field is
"key", the operator is "In", and the values array contains
only "value". The requirements are ANDed.
type: object
type: object
topologyKey:
description: TopologyKey is similar to the same named field
in the kubernetes Pod anti-affinity API. If two BMHs are labeled
with this key and have identical values for that label, they
are considered to be in the same topology domain, and thus
only one will be scheduled.
type: string
type: object
description: Nodes defines the set of nodes to schedule for each BMH
role.
type: object
services:
description: Services defines the services that are deployed when
a SIPCluster is provisioned.
properties:
jumpHost:
description: JumpHost defines the sub-cluster jump host services.
items:
description: JumpHostService is an infrastructure service type
that represents the sub-cluster jump-host service.
properties:
bmc:
description: BMCOpts contains options for BMC communication.
properties:
proxy:
type: boolean
type: object
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
nodeSSHPrivateKeys:
description: NodeSSHPrivateKeys holds the name of a Secret
in the same namespace as the SIPCluster CR, whose key
values each represent an ssh private key that can be used
to access the cluster nodes. They are mounted into the
jumphost with the secret keys serving as file names relative
to a common directory, and then configured as identity
files in the SSH config file of the default user.
type: string
sshAuthorizedKeys:
items:
type: string
type: array
required:
- image
- nodePort
- nodeSSHPrivateKeys
type: object
type: array
loadBalancerControlPlane:
description: LoadBalancer defines the sub-cluster load balancer
services.
items:
description: LoadBalancerServiceControlPlane is an infrastructure
service type that represents the sub-cluster load balancer
service.
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
loadBalancerWorker:
description: ' LoadBalancer defines the sub-cluster load balancer
services.'
items:
description: LoadBalancerServiceWorker is an infrastructure
service type that represents the sub-cluster load balancer
service.
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
nodePortRange:
description: 'TODO: Remove the inherited single NodePort
field via refactoring. It is unused for this service since
we have the below node port range instead.'
properties:
end:
description: End is the ending port number in the range.
type: integer
start:
description: Start is the starting port number in the
range.
type: integer
required:
- end
- start
type: object
required:
- image
- nodePort
- nodePortRange
type: object
type: array
type: object
required:
- services
type: object
status:
description: SIPClusterStatus defines the observed state of SIPCluster
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
served: true served: true
storage: true storage: true
subresources:
status: {}
status: status:
acceptedNames: acceptedNames:
kind: "" kind: ""

4
manifests/function/sip/upstream/default/Kptfile
View File

@ -5,7 +5,7 @@ metadata:
upstream: upstream:
type: git type: git
git: git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b commit: f9226befbd49e4eba8909aa430ce7407551bba62
repo: https://opendev.org/airship/sip repo: https://opendev.org/airship/sip
directory: config/default directory: config/default
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b ref: f9226befbd49e4eba8909aa430ce7407551bba62

48
manifests/function/sip/upstream/default/kustomization.yaml
View File

@ -1,17 +1,14 @@
# Adds namespace to all resources. # Adds namespace to all resources.
namespace: sipcluster-system namespace: sipcluster-system
# Value of this field is prepended to the # Value of this field is prepended to the
# names of all resources, e.g. a deployment named # names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress". # "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace # Note that it should also match with the prefix (text before '-') of the namespace
# field above. # field above.
namePrefix: sipcluster- namePrefix: sipcluster-
# Labels to add to all resources and selectors. # Labels to add to all resources and selectors.
#commonLabels: #commonLabels:
# someName: someValue # someName: someValue
bases: bases:
- ../crd - ../crd
- ../rbac - ../rbac
@ -25,46 +22,7 @@ bases:
#- ../prometheus #- ../prometheus
patchesStrategicMerge: patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth. # Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics # If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line. # endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml - manager_auth_proxy_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- manager_webhook_patch.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
#- webhookcainjection_patch.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
# fieldref:
# fieldpath: metadata.namespace
#- name: CERTIFICATE_NAME
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
#- name: SERVICE_NAMESPACE # namespace of the service
# objref:
# kind: Service
# version: v1
# name: webhook-service
# fieldref:
# fieldpath: metadata.namespace
#- name: SERVICE_NAME
# objref:
# kind: Service
# version: v1
# name: webhook-service

4
manifests/function/sip/upstream/manager/Kptfile
View File

@ -5,7 +5,7 @@ metadata:
upstream: upstream:
type: git type: git
git: git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b commit: f9226befbd49e4eba8909aa430ce7407551bba62
repo: https://opendev.org/airship/sip repo: https://opendev.org/airship/sip
directory: config/manager directory: config/manager
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b ref: f9226befbd49e4eba8909aa430ce7407551bba62

4
manifests/function/sip/upstream/rbac/Kptfile
View File

@ -5,7 +5,7 @@ metadata:
upstream: upstream:
type: git type: git
git: git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b commit: f9226befbd49e4eba8909aa430ce7407551bba62
repo: https://opendev.org/airship/sip repo: https://opendev.org/airship/sip
directory: config/rbac directory: config/rbac
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b ref: f9226befbd49e4eba8909aa430ce7407551bba62

1
manifests/function/sip/upstream/rbac/kustomization.yaml
View File

@ -5,7 +5,6 @@ resources:
- sipcluster_scheduler_binding.yaml - sipcluster_scheduler_binding.yaml
- leader_election_role.yaml - leader_election_role.yaml
- leader_election_role_binding.yaml - leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable # Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy) # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint. # which protects your /metrics endpoint.

9
manifests/function/sip/upstream/rbac/role.yaml
View File

@ -1,11 +1,14 @@
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
creationTimestamp: null
name: manager-role name: manager-role
rules: rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups: - apiGroups:
- airship.airshipit.org - airship.airshipit.org
resources: resources:

4
manifests/function/sip/upstream/rbac/sipcluster_scheduler_role.yaml
View File

@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -17,8 +16,10 @@ rules:
- update - update
- apiGroups: - apiGroups:
- "" - ""
- apps
resources: resources:
- secrets - secrets
- deployments
verbs: verbs:
- get - get
- list - list
@ -49,7 +50,6 @@ rules:
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- namespaces
- secrets - secrets
verbs: verbs:
- create - create

8
manifests/function/treasuremap-base-catalogues/versions-treasuremap.yaml
View File

@ -75,15 +75,15 @@ spec:
image: quay.io/thanos/thanos:v0.19.0 image: quay.io/thanos/thanos:v0.19.0
sip: sip:
sip: sip:
auth:
image: quay.io/dexidp/dex:v2.20.0
kube-rbac-proxy: kube-rbac-proxy:
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
manager: manager:
image: quay.io/airshipit/sip:51e7ff85d617c0e94fa98920fdbacce3ad9e6bc0 image: quay.io/airshipit/sip:f9226befbd49e4eba8909aa430ce7407551bba62
jump_host: jump_host:
image: quay.io/airshipit/jump-host:latest image: quay.io/airshipit/jump-host:latest
load_balancer: load_balancer_control_plane:
image: haproxy:2.3.2
load_balancer_worker:
image: haproxy:2.3.2 image: haproxy:2.3.2
vino: vino:
vino: vino:

14
manifests/type/multi-tenant/shared/catalogues/subcluster-networking.yaml
View File

@ -32,10 +32,11 @@ spec:
nodePort: 30001 nodePort: 30001
- name: loadBalancerControlPlane - name: loadBalancerControlPlane
nodePort: 30002 nodePort: 30002
# TODO: Uncomment when SIP supports a Worker load balancer.
# Potential ports that can be used by sub-cluster services. # Potential ports that can be used by sub-cluster services.
# - name: loadBalancerWorkers - name: loadBalancerWorker
# nodePort: ["30003:30020"] nodePortRange:
start: 30003
end: 30020
wordpress: wordpress:
# This stanza is replaced directly into the Wordpress sub-cluster's # This stanza is replaced directly into the Wordpress sub-cluster's
@ -55,7 +56,8 @@ spec:
nodePort: 30001 nodePort: 30001
- name: loadBalancerControlPlane - name: loadBalancerControlPlane
nodePort: 30002 nodePort: 30002
# TODO: Uncomment when SIP supports a Worker load balancer.
# Potential ports that can be used by sub-cluster services. # Potential ports that can be used by sub-cluster services.
# - name: loadBalancerWorkers - name: loadBalancerWorker
# nodePort: ["30003:30020"] nodePortRange:
start: 30003
end: 30020

53
manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/networking.yaml
View File

@ -7,18 +7,17 @@ metadata:
container: container:
image: quay.io/airshipit/replacement-transformer:v2 image: quay.io/airshipit/replacement-transformer:v2
replacements: replacements:
- source: # TODO: Uncomment once subcluster Dex is implemented.
objref: # - source:
kind: VariableCatalogue # objref:
name: subcluster-networking # kind: VariableCatalogue
fieldref: "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}" # name: subcluster-networking
target: # fieldref: "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}"
objref: # target:
kind: SIPCluster # objref:
name: lma # kind: HelmRelease
# NOTE: The SIPCluster CR accepts multiple infra service definitions, # name: dex-aio
# but we only deploy one instance of each. # fieldrefs: ["{.values.params.endpoints.port.https}"]
fieldrefs: ["{.spec.services.auth[0].nodePort}"]
- source: - source:
objref: objref:
kind: VariableCatalogue kind: VariableCatalogue
@ -31,8 +30,6 @@ replacements:
# NOTE: The SIPCluster CR accepts multiple infra service definitions, # NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each. # but we only deploy one instance of each.
fieldrefs: ["{.spec.services.jumpHost[0].nodePort}"] fieldrefs: ["{.spec.services.jumpHost[0].nodePort}"]
# NOTE: newer versions of SIP will have an additional load balancer for the
# worker nodes.
- source: - source:
objref: objref:
kind: VariableCatalogue kind: VariableCatalogue
@ -44,7 +41,33 @@ replacements:
name: lma name: lma
# NOTE: The SIPCluster CR accepts multiple infra service definitions, # NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each. # but we only deploy one instance of each.
fieldrefs: ["{.spec.services.loadBalancer[0].nodePort}"] fieldrefs: ["{.spec.services.loadBalancerControlPlane[0].nodePort}"]
- source:
objref:
kind: VariableCatalogue
name: subcluster-networking
fieldref: "{.spec.lma.exposed_services[?(.name == 'loadBalancerWorker')].nodePortRange}"
target:
objref:
kind: SIPCluster
name: lma
# NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each.
fieldrefs: ["{.spec.services.loadBalancerWorker[0].nodePortRange}"]
# TODO: The nodePort field is ignored, but still required. Remove this replacement rule once the
# field is removed, see https://github.com/airshipit/sip/issues/21.
- source:
objref:
kind: VariableCatalogue
name: subcluster-networking
fieldref: "{.spec.lma.exposed_services[?(.name == 'loadBalancerWorker')].nodePortRange.start}"
target:
objref:
kind: SIPCluster
name: lma
# NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each.
fieldrefs: ["{.spec.services.loadBalancerWorker[0].nodePort}"]
- source: - source:
objref: objref:
kind: VariableCatalogue kind: VariableCatalogue

24
manifests/type/multi-tenant/sub-clusters/lma/provide-infra/replacements/versions.yaml
View File

@ -8,16 +8,6 @@ metadata:
image: quay.io/airshipit/replacement-transformer:v2 image: quay.io/airshipit/replacement-transformer:v2
replacements: replacements:
# Replace SIPCluster CR images # Replace SIPCluster CR images
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: "{.spec.images.sip.sip.auth.image}"
target:
objref:
kind: SIPCluster
name: lma
fieldrefs: ["{.spec.services.auth[*].image}"]
- source: - source:
objref: objref:
kind: VersionsCatalogue kind: VersionsCatalogue
@ -32,9 +22,19 @@ replacements:
objref: objref:
kind: VersionsCatalogue kind: VersionsCatalogue
name: versions-treasuremap name: versions-treasuremap
fieldref: "{.spec.images.sip.sip.load_balancer.image}" fieldref: "{.spec.images.sip.sip.load_balancer_control_plane.image}"
target: target:
objref: objref:
kind: SIPCluster kind: SIPCluster
name: lma name: lma
fieldrefs: ["{.spec.services.loadBalancer[*].image}"] fieldrefs: ["{.spec.services.loadBalancerControlPlane[*].image}"]
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: "{.spec.images.sip.sip.load_balancer_worker.image}"
target:
objref:
kind: SIPCluster
name: lma
fieldrefs: ["{.spec.services.loadBalancerWorker[*].image}"]

75
manifests/type/multi-tenant/sub-clusters/lma/provide-infra/sipcluster.yaml
View File

@ -8,72 +8,21 @@ spec:
nodes: nodes:
ControlPlane: ControlPlane:
labelSelector: labelSelector:
vino.airshipit.org/flavor: control-plane matchLabels:
spreadTopology: PerRack vino.airshipit.org/flavor: control-plane
topologyKey: vino.airshipit.org/rack
count: count:
active: 1 active: 1
standby: 1 standby: 1
Worker: Worker:
labelSelector: labelSelector:
vino.airshipit.org/flavor: worker matchLabels:
spreadTopology: PerHost vino.airshipit.org/flavor: worker
topologyKey: vino.airshipit.org/host
count: count:
active: 2 active: 2
standby: 1 # Slew for upgrades standby: 1 # Slew for upgrades
services: services:
auth:
- image: quay.io/dexidp/dex
nodeInterfaceId: oam-ipv4
nodePort: 30556
TLSCrt: |
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMDMxNzExNDYzMFoXDTMxMDMxNjExNDYzMFowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKs1
ujCXS/HDS9dSOJWfotlrQj46V4oL8q5dOmLXSvqfISINzdXK9XrBo/1INQ2RmFL/
oXbCwvT1PhRkm/KS/LN3dgsbPjb6/meKsrLOpKPtTAm29+c7h87ZkwHi2LPZO+3w
bVp49ERCg89VjfIStvGefJvKaz1Rq3WTZN96216dSY2sShON07ELv4pZPJGjEHg6
U6c4UgMdnye3FUUxaayqjZbLKcN/mNkI7kMzy4e0RZ4Y3WTlr0nxDVuYiz8v9usa
rHO5Pu9w40FAudlmMrSB9Qj8ED/VtooW4qewm4oUdHrmzJ86vamWLll2keHt4MAY
5mG0vglWqm2zEL8jJWUCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBQs35Wcd1nnNOP1YuzwousJxfATmDANBgkqhkiG9w0BAQsFAAOCAQEAbspb0RE5
vOeObqLY7JEMlNvnxbnHceIpltZpnq5ZGbDHEBUEyBUnDnO7UZrxw2qmDgvpUPot
jNxgWzDcxb7kuli6Ehc1Nbtm8HKFf3xx5d1dTBuPj8i6njB/3kVbYZOHGcFxku62
ac8KQT8EdaQdTtwoQLhfGl3P++afg7kfvcm962PKYWDGcbXbbJxEf1YDuy2dY2/Z
u5rOyAIhRSOm68edMhy/0Bdq3NBmT5icptMawEBrJXW7tNOnbSLu6qtQqSX8w58u
2ZnZouCSXMfLYKNuDWVuhe/WfCv9ZKr/Izcz1raBquo8yDt4qsxDPfix/QSqUxRc
kDR2hHk/Mfv+rg==
-----END CERTIFICATE-----
TLSKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqzW6MJdL8cNL11I4lZ+i2WtCPjpXigvyrl06YtdK+p8hIg3N
1cr1esGj/Ug1DZGYUv+hdsLC9PU+FGSb8pL8s3d2Cxs+Nvr+Z4qyss6ko+1MCbb3
5zuHztmTAeLYs9k77fBtWnj0REKDz1WN8hK28Z58m8prPVGrdZNk33rbXp1JjaxK
E43TsQu/ilk8kaMQeDpTpzhSAx2fJ7cVRTFprKqNlsspw3+Y2QjuQzPLh7RFnhjd
ZOWvSfENW5iLPy/26xqsc7k+73DjQUC52WYytIH1CPwQP9W2ihbip7CbihR0eubM
nzq9qZYuWXaR4e3gwBjmYbS+CVaqbbMQvyMlZQIDAQABAoIBAC3cZ3JqpKIvERqt
YJDbwRCCRa1LjXVh+/Cu8lvVlbUKeSKZFgDlq9nlEttewy9OR8I7zXF1fCmHo8hs
psVUkDI2lr0k4AZ0Nz9fDL0O01VB1DNp+n/LF3bWGyXPMQMD9qSm2XP5oFzEgHBC
V5J3Zt/T90b38r/rJ4WIJOYkD60I/mQ2oB9I6QsUDSxeH9a/L1BEHvGcBtfbqWlA
b7BBRBjRCdtbV67pFpspSnWmIwDBF3GNbjjPyWiRCicLQeZ+Eysc4GbeT89A76xN
q76uPH/+vo5fafm86AURN59QA6/qaCvrlE02gt9FbFW/cN0Bs7y3OSl2e8/si6tz
n4Nwq8ECgYEA4F4oAitnCfAKhHr501qaJk4uj5YuzQktANjPp9Bo5x/FThF497gN
KvumUlq4Z3H7ivXk0WEYb5v2erXtgXoj6o/uAL+5FQyRBpUDa5FpeAi64e0Vzhtk
UUd5RXoC0eITdF8zaXHJsYTNv6jDA33Flqkk7bioTWi0VrTFlwp5mRUCgYEAw1kB
HmuV1LSqmwXf/6NIO2mmSBLNWC4JY/qAV9HlCxKhv9fXhl99m0lQRPs2TZIYrkCY
Q0entaYY+2EQn1HBm7sdGnoy5tOYb9Lg89zzP23MJDLAQ+eXRTyl25W3qQVnrRzx
o00EFX6QhySbuBditiu75wjN1Q2IY+jE81MozxECgYBU6s3xpEOnOzZ/1ZtgJtZY
0RZGOe0UpPhnbaeKOBK8BwZB+dLyzrINJplYagWJAVbWzSIBLOJ2u2yaHOj7LCMT
z82gcu+1y7/H4fYdbDeiuosgnv61tyBMsuRvKzKOBSaf0LhAnFRd34mPlGvakmuK
DhJv9oecZJh8iIaQF+LV0QKBgFDDQHIqOqTZGNvEvwo6oIdns4aCt4Dob5t1GpC0
R4SfbF4bR5DXc9+6nMQYNCg36ZpJPGo8errf894iEDQ+IdRXtL2YnejOvGwm/Df2
Nl8X7tlcXh705ZaLb2rsaCUqBeYNXF2OXszgKbKl0Pd4O6hjRmlLO4YE9UmRF7Qd
wnZxAoGBAKN9LgEmOq3GTDbWvnKRDG8q1MjMOOLRuqryQWXF3KP/+oPB2XUrw7Eg
Sw9yBi8GZ6PseG1W5LnwT2vAeDaLRrAr8QrDmd+Aj+og7CVD82Gy/k8Uh0TyCUlF
DOY0q5Hu9iPlqk3ZQqGJKcms+97jD7JPGsPOH0+LcK9sEI6fJOna
-----END RSA PRIVATE KEY-----
CertManagerNS: cert-manager
jumpHost: jumpHost:
- image: quay.io/airshipit/jump-host - image: quay.io/airshipit/jump-host
nodePort: 30001 nodePort: 30001
@ -84,8 +33,14 @@ spec:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyaozS8kZRw2a1d0O4YXhxtJlDPThqIZilGCsXLbukIFOyMUmMTwQAtwWp5epwU1+5ponC2uBENB6xCCj3cl5Rd43d2/B6HxyAPQGKo6/zKYGAKW2nzYDxSWMl6NUSsiJAyXUA7ZlNZQe0m8PmaferlkQyLLZo3NJpizz6U6ZCtxvj43vEl7NYWnLUEIzGP9zMqltIGnD4vYrU9keVKKXSsp+DkApnbrDapeigeGATCammy2xRrUQDuOvGHsfnQbXr2j0onpTIh0PiLrXLQAPDg8UJRgVB+ThX+neI3rQ320djzRABckNeE6e4Kkwzn+QdZsmA2SDvM9IU7boK1jVQlgUPp7zF5q3hbb8Rx7AadyTarBayUkCgNlrMqth+tmTMWttMqCPxJRGnhhvesAHIl55a28Kzz/2Oqa3J9zwzbyDIwlEXho0eAq3YXEPeBhl34k+7gOt/5Zdbh+yacFoxDh0LrshQgboAijcVVaXPeN0LsHEiVvYIzugwIvCkoFMPWoPj/kEGzPY6FCkVneDA7VoLTCoG8dlrN08Lf05/BGC7Wllm66pTNZC/cKXP+cjpQn1iEuiuPxnPldlMHx9sx2y/BRoft6oT/GzqkNy1NTY/xI+MfmxXnF5kwSbcTbzZQ9fZ8xjh/vmpPBgDNrxOEAT4N6OG7GQIhb9HEhXQCQ== example-key - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyaozS8kZRw2a1d0O4YXhxtJlDPThqIZilGCsXLbukIFOyMUmMTwQAtwWp5epwU1+5ponC2uBENB6xCCj3cl5Rd43d2/B6HxyAPQGKo6/zKYGAKW2nzYDxSWMl6NUSsiJAyXUA7ZlNZQe0m8PmaferlkQyLLZo3NJpizz6U6ZCtxvj43vEl7NYWnLUEIzGP9zMqltIGnD4vYrU9keVKKXSsp+DkApnbrDapeigeGATCammy2xRrUQDuOvGHsfnQbXr2j0onpTIh0PiLrXLQAPDg8UJRgVB+ThX+neI3rQ320djzRABckNeE6e4Kkwzn+QdZsmA2SDvM9IU7boK1jVQlgUPp7zF5q3hbb8Rx7AadyTarBayUkCgNlrMqth+tmTMWttMqCPxJRGnhhvesAHIl55a28Kzz/2Oqa3J9zwzbyDIwlEXho0eAq3YXEPeBhl34k+7gOt/5Zdbh+yacFoxDh0LrshQgboAijcVVaXPeN0LsHEiVvYIzugwIvCkoFMPWoPj/kEGzPY6FCkVneDA7VoLTCoG8dlrN08Lf05/BGC7Wllm66pTNZC/cKXP+cjpQn1iEuiuPxnPldlMHx9sx2y/BRoft6oT/GzqkNy1NTY/xI+MfmxXnF5kwSbcTbzZQ9fZ8xjh/vmpPBgDNrxOEAT4N6OG7GQIhb9HEhXQCQ== example-key
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwpOyZjZ4gB0OTvmofH3llh6cBCWaEiEmHZWSkDXr8Bih6HcXVOtYMcFi/ZnUVGUBPw3ATNQBZUaVCYKeF+nDfKTJ9hmnlsyHxV2LeMsVg1o15Pb6f+QJuavEqtE6HI7mHyId4Z1quVTJXDWDW8OZEG7M3VktauqAn/e9UJvlL0bGmTFD1XkNcbRsWMRWkQgt2ozqlgrpPtvrg2/+bNucxX++VUjnsn+fGgAT07kbnrZwppGnAfjbYthxhv7GeSD0+Z0Lf1kiKy/bhUqXsZIuexOfF0YrRyUH1KBl8GCX2OLBYvXHyusByqsrOPiROqRdjX5PsK6HSAS0lk0niTt1p example-key-2 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwpOyZjZ4gB0OTvmofH3llh6cBCWaEiEmHZWSkDXr8Bih6HcXVOtYMcFi/ZnUVGUBPw3ATNQBZUaVCYKeF+nDfKTJ9hmnlsyHxV2LeMsVg1o15Pb6f+QJuavEqtE6HI7mHyId4Z1quVTJXDWDW8OZEG7M3VktauqAn/e9UJvlL0bGmTFD1XkNcbRsWMRWkQgt2ozqlgrpPtvrg2/+bNucxX++VUjnsn+fGgAT07kbnrZwppGnAfjbYthxhv7GeSD0+Z0Lf1kiKy/bhUqXsZIuexOfF0YrRyUH1KBl8GCX2OLBYvXHyusByqsrOPiROqRdjX5PsK6HSAS0lk0niTt1p example-key-2
nodeSSHPrivateKeys: ssh-private-keys nodeSSHPrivateKeys: ssh-private-keys
loadBalancer: loadBalancerControlPlane:
- image: haproxy - image: haproxy
nodePort: 30000 nodePort: 30002
nodeInterfaceId: oam-ipv4
loadBalancerWorker:
- image: haproxy
nodePort: 30003
nodePortRange:
start: 30003
end: 30020
nodeInterfaceId: oam-ipv4 nodeInterfaceId: oam-ipv4

43
manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/replacements/networking.yaml
View File

@ -7,18 +7,17 @@ metadata:
container: container:
image: quay.io/airshipit/replacement-transformer:v2 image: quay.io/airshipit/replacement-transformer:v2
replacements: replacements:
- source: # TODO: Uncomment once subcluster Dex is implemented.
objref: # - source:
kind: VariableCatalogue # objref:
name: subcluster-networking # kind: VariableCatalogue
fieldref: "{.spec.wordpress.exposed_services[?(.name == 'auth')].nodePort}" # name: subcluster-networking
target: # fieldref: "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}"
objref: # target:
kind: SIPCluster # objref:
name: wordpress # kind: HelmRelease
# NOTE: The SIPCluster CR accepts multiple infra service definitions, # name: dex-aio
# but we only deploy one instance of each. # fieldrefs: ["{.values.params.endpoints.port.https}"]
fieldrefs: ["{.spec.services.auth[0].nodePort}"]
- source: - source:
objref: objref:
kind: VariableCatalogue kind: VariableCatalogue
@ -31,20 +30,32 @@ replacements:
# NOTE: The SIPCluster CR accepts multiple infra service definitions, # NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each. # but we only deploy one instance of each.
fieldrefs: ["{.spec.services.jumpHost[0].nodePort}"] fieldrefs: ["{.spec.services.jumpHost[0].nodePort}"]
# NOTE: newer versions of SIP will have an additional load balancer for the
# worker nodes.
- source: - source:
objref: objref:
kind: VariableCatalogue kind: VariableCatalogue
name: subcluster-networking name: subcluster-networking
fieldref: "{.spec.wordpress.exposed_services[?(.name == 'loadBalancerControlPlane')].nodePort}" fieldref: "{.spec.wordpress.exposed_services[?(.name == 'loadBalancerWorker')].nodePortRange}"
target: target:
objref: objref:
kind: SIPCluster kind: SIPCluster
name: wordpress name: wordpress
# NOTE: The SIPCluster CR accepts multiple infra service definitions, # NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each. # but we only deploy one instance of each.
fieldrefs: ["{.spec.services.loadBalancer[0].nodePort}"] fieldrefs: ["{.spec.services.loadBalancerWorker[0].nodePortRange}"]
# TODO: The nodePort field is ignored, but still required. Remove this replacement rule once the
# field is removed, see https://github.com/airshipit/sip/issues/21.
- source:
objref:
kind: VariableCatalogue
name: subcluster-networking
fieldref: "{.spec.wordpress.exposed_services[?(.name == 'loadBalancerWorker')].nodePortRange.start}"
target:
objref:
kind: SIPCluster
name: wordpress
# NOTE: The SIPCluster CR accepts multiple infra service definitions,
# but we only deploy one instance of each.
fieldrefs: ["{.spec.services.loadBalancerWorker[0].nodePort}"]
- source: - source:
objref: objref:
kind: VariableCatalogue kind: VariableCatalogue

75
manifests/type/multi-tenant/sub-clusters/wordpress/provide-infra/sipcluster.yaml
View File

@ -8,72 +8,21 @@ spec:
nodes: nodes:
ControlPlane: ControlPlane:
labelSelector: labelSelector:
vino.airshipit.org/flavor: control-plane matchLabels:
spreadTopology: PerRack vino.airshipit.org/flavor: control-plane
topologyKey: vino.airshipit.org/rack
count: count:
active: 1 active: 1
standby: 1 standby: 1
Worker: Worker:
labelSelector: labelSelector:
vino.airshipit.org/flavor: worker matchLabels:
spreadTopology: PerHost vino.airshipit.org/flavor: worker
topologyKey: vino.airshipit.org/host
count: count:
active: 2 active: 2
standby: 1 # Slew for upgrades standby: 1 # Slew for upgrades
services: services:
auth:
- image: quay.io/dexidp/dex
nodeInterfaceId: oam-ipv4
nodePort: 30556
TLSCrt: |
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMDMxNzExNDYzMFoXDTMxMDMxNjExNDYzMFowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKs1
ujCXS/HDS9dSOJWfotlrQj46V4oL8q5dOmLXSvqfISINzdXK9XrBo/1INQ2RmFL/
oXbCwvT1PhRkm/KS/LN3dgsbPjb6/meKsrLOpKPtTAm29+c7h87ZkwHi2LPZO+3w
bVp49ERCg89VjfIStvGefJvKaz1Rq3WTZN96216dSY2sShON07ELv4pZPJGjEHg6
U6c4UgMdnye3FUUxaayqjZbLKcN/mNkI7kMzy4e0RZ4Y3WTlr0nxDVuYiz8v9usa
rHO5Pu9w40FAudlmMrSB9Qj8ED/VtooW4qewm4oUdHrmzJ86vamWLll2keHt4MAY
5mG0vglWqm2zEL8jJWUCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBQs35Wcd1nnNOP1YuzwousJxfATmDANBgkqhkiG9w0BAQsFAAOCAQEAbspb0RE5
vOeObqLY7JEMlNvnxbnHceIpltZpnq5ZGbDHEBUEyBUnDnO7UZrxw2qmDgvpUPot
jNxgWzDcxb7kuli6Ehc1Nbtm8HKFf3xx5d1dTBuPj8i6njB/3kVbYZOHGcFxku62
ac8KQT8EdaQdTtwoQLhfGl3P++afg7kfvcm962PKYWDGcbXbbJxEf1YDuy2dY2/Z
u5rOyAIhRSOm68edMhy/0Bdq3NBmT5icptMawEBrJXW7tNOnbSLu6qtQqSX8w58u
2ZnZouCSXMfLYKNuDWVuhe/WfCv9ZKr/Izcz1raBquo8yDt4qsxDPfix/QSqUxRc
kDR2hHk/Mfv+rg==
-----END CERTIFICATE-----
TLSKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqzW6MJdL8cNL11I4lZ+i2WtCPjpXigvyrl06YtdK+p8hIg3N
1cr1esGj/Ug1DZGYUv+hdsLC9PU+FGSb8pL8s3d2Cxs+Nvr+Z4qyss6ko+1MCbb3
5zuHztmTAeLYs9k77fBtWnj0REKDz1WN8hK28Z58m8prPVGrdZNk33rbXp1JjaxK
E43TsQu/ilk8kaMQeDpTpzhSAx2fJ7cVRTFprKqNlsspw3+Y2QjuQzPLh7RFnhjd
ZOWvSfENW5iLPy/26xqsc7k+73DjQUC52WYytIH1CPwQP9W2ihbip7CbihR0eubM
nzq9qZYuWXaR4e3gwBjmYbS+CVaqbbMQvyMlZQIDAQABAoIBAC3cZ3JqpKIvERqt
YJDbwRCCRa1LjXVh+/Cu8lvVlbUKeSKZFgDlq9nlEttewy9OR8I7zXF1fCmHo8hs
psVUkDI2lr0k4AZ0Nz9fDL0O01VB1DNp+n/LF3bWGyXPMQMD9qSm2XP5oFzEgHBC
V5J3Zt/T90b38r/rJ4WIJOYkD60I/mQ2oB9I6QsUDSxeH9a/L1BEHvGcBtfbqWlA
b7BBRBjRCdtbV67pFpspSnWmIwDBF3GNbjjPyWiRCicLQeZ+Eysc4GbeT89A76xN
q76uPH/+vo5fafm86AURN59QA6/qaCvrlE02gt9FbFW/cN0Bs7y3OSl2e8/si6tz
n4Nwq8ECgYEA4F4oAitnCfAKhHr501qaJk4uj5YuzQktANjPp9Bo5x/FThF497gN
KvumUlq4Z3H7ivXk0WEYb5v2erXtgXoj6o/uAL+5FQyRBpUDa5FpeAi64e0Vzhtk
UUd5RXoC0eITdF8zaXHJsYTNv6jDA33Flqkk7bioTWi0VrTFlwp5mRUCgYEAw1kB
HmuV1LSqmwXf/6NIO2mmSBLNWC4JY/qAV9HlCxKhv9fXhl99m0lQRPs2TZIYrkCY
Q0entaYY+2EQn1HBm7sdGnoy5tOYb9Lg89zzP23MJDLAQ+eXRTyl25W3qQVnrRzx
o00EFX6QhySbuBditiu75wjN1Q2IY+jE81MozxECgYBU6s3xpEOnOzZ/1ZtgJtZY
0RZGOe0UpPhnbaeKOBK8BwZB+dLyzrINJplYagWJAVbWzSIBLOJ2u2yaHOj7LCMT
z82gcu+1y7/H4fYdbDeiuosgnv61tyBMsuRvKzKOBSaf0LhAnFRd34mPlGvakmuK
DhJv9oecZJh8iIaQF+LV0QKBgFDDQHIqOqTZGNvEvwo6oIdns4aCt4Dob5t1GpC0
R4SfbF4bR5DXc9+6nMQYNCg36ZpJPGo8errf894iEDQ+IdRXtL2YnejOvGwm/Df2
Nl8X7tlcXh705ZaLb2rsaCUqBeYNXF2OXszgKbKl0Pd4O6hjRmlLO4YE9UmRF7Qd
wnZxAoGBAKN9LgEmOq3GTDbWvnKRDG8q1MjMOOLRuqryQWXF3KP/+oPB2XUrw7Eg
Sw9yBi8GZ6PseG1W5LnwT2vAeDaLRrAr8QrDmd+Aj+og7CVD82Gy/k8Uh0TyCUlF
DOY0q5Hu9iPlqk3ZQqGJKcms+97jD7JPGsPOH0+LcK9sEI6fJOna
-----END RSA PRIVATE KEY-----
CertManagerNS: cert-manager
jumpHost: jumpHost:
- image: quay.io/airshipit/jump-host - image: quay.io/airshipit/jump-host
nodePort: 30001 nodePort: 30001
@ -84,8 +33,14 @@ spec:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyaozS8kZRw2a1d0O4YXhxtJlDPThqIZilGCsXLbukIFOyMUmMTwQAtwWp5epwU1+5ponC2uBENB6xCCj3cl5Rd43d2/B6HxyAPQGKo6/zKYGAKW2nzYDxSWMl6NUSsiJAyXUA7ZlNZQe0m8PmaferlkQyLLZo3NJpizz6U6ZCtxvj43vEl7NYWnLUEIzGP9zMqltIGnD4vYrU9keVKKXSsp+DkApnbrDapeigeGATCammy2xRrUQDuOvGHsfnQbXr2j0onpTIh0PiLrXLQAPDg8UJRgVB+ThX+neI3rQ320djzRABckNeE6e4Kkwzn+QdZsmA2SDvM9IU7boK1jVQlgUPp7zF5q3hbb8Rx7AadyTarBayUkCgNlrMqth+tmTMWttMqCPxJRGnhhvesAHIl55a28Kzz/2Oqa3J9zwzbyDIwlEXho0eAq3YXEPeBhl34k+7gOt/5Zdbh+yacFoxDh0LrshQgboAijcVVaXPeN0LsHEiVvYIzugwIvCkoFMPWoPj/kEGzPY6FCkVneDA7VoLTCoG8dlrN08Lf05/BGC7Wllm66pTNZC/cKXP+cjpQn1iEuiuPxnPldlMHx9sx2y/BRoft6oT/GzqkNy1NTY/xI+MfmxXnF5kwSbcTbzZQ9fZ8xjh/vmpPBgDNrxOEAT4N6OG7GQIhb9HEhXQCQ== example-key - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyaozS8kZRw2a1d0O4YXhxtJlDPThqIZilGCsXLbukIFOyMUmMTwQAtwWp5epwU1+5ponC2uBENB6xCCj3cl5Rd43d2/B6HxyAPQGKo6/zKYGAKW2nzYDxSWMl6NUSsiJAyXUA7ZlNZQe0m8PmaferlkQyLLZo3NJpizz6U6ZCtxvj43vEl7NYWnLUEIzGP9zMqltIGnD4vYrU9keVKKXSsp+DkApnbrDapeigeGATCammy2xRrUQDuOvGHsfnQbXr2j0onpTIh0PiLrXLQAPDg8UJRgVB+ThX+neI3rQ320djzRABckNeE6e4Kkwzn+QdZsmA2SDvM9IU7boK1jVQlgUPp7zF5q3hbb8Rx7AadyTarBayUkCgNlrMqth+tmTMWttMqCPxJRGnhhvesAHIl55a28Kzz/2Oqa3J9zwzbyDIwlEXho0eAq3YXEPeBhl34k+7gOt/5Zdbh+yacFoxDh0LrshQgboAijcVVaXPeN0LsHEiVvYIzugwIvCkoFMPWoPj/kEGzPY6FCkVneDA7VoLTCoG8dlrN08Lf05/BGC7Wllm66pTNZC/cKXP+cjpQn1iEuiuPxnPldlMHx9sx2y/BRoft6oT/GzqkNy1NTY/xI+MfmxXnF5kwSbcTbzZQ9fZ8xjh/vmpPBgDNrxOEAT4N6OG7GQIhb9HEhXQCQ== example-key
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwpOyZjZ4gB0OTvmofH3llh6cBCWaEiEmHZWSkDXr8Bih6HcXVOtYMcFi/ZnUVGUBPw3ATNQBZUaVCYKeF+nDfKTJ9hmnlsyHxV2LeMsVg1o15Pb6f+QJuavEqtE6HI7mHyId4Z1quVTJXDWDW8OZEG7M3VktauqAn/e9UJvlL0bGmTFD1XkNcbRsWMRWkQgt2ozqlgrpPtvrg2/+bNucxX++VUjnsn+fGgAT07kbnrZwppGnAfjbYthxhv7GeSD0+Z0Lf1kiKy/bhUqXsZIuexOfF0YrRyUH1KBl8GCX2OLBYvXHyusByqsrOPiROqRdjX5PsK6HSAS0lk0niTt1p example-key-2 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwpOyZjZ4gB0OTvmofH3llh6cBCWaEiEmHZWSkDXr8Bih6HcXVOtYMcFi/ZnUVGUBPw3ATNQBZUaVCYKeF+nDfKTJ9hmnlsyHxV2LeMsVg1o15Pb6f+QJuavEqtE6HI7mHyId4Z1quVTJXDWDW8OZEG7M3VktauqAn/e9UJvlL0bGmTFD1XkNcbRsWMRWkQgt2ozqlgrpPtvrg2/+bNucxX++VUjnsn+fGgAT07kbnrZwppGnAfjbYthxhv7GeSD0+Z0Lf1kiKy/bhUqXsZIuexOfF0YrRyUH1KBl8GCX2OLBYvXHyusByqsrOPiROqRdjX5PsK6HSAS0lk0niTt1p example-key-2
nodeSSHPrivateKeys: ssh-private-keys nodeSSHPrivateKeys: ssh-private-keys
loadBalancer: loadBalancerControlPlane:
- image: haproxy - image: haproxy
nodePort: 30000 nodePort: 30002
nodeInterfaceId: oam-ipv4
loadBalancerWorker:
- image: haproxy
nodePort: 30003
nodePortRange:
start: 30003
end: 30020
nodeInterfaceId: oam-ipv4 nodeInterfaceId: oam-ipv4