WIP: Add SIP function

Signed-off-by: Drew Walters <andrew.walters@att.com>
Change-Id: I4b6ac2707d495217bec14c09bec34f305a12e8e3
Drew Walters 2021-03-05 17:48:50 +00:00
parent 786567aa12
commit b9a6f15e9e
34 changed files with 1496 additions and 0 deletions


@ -0,0 +1,23 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
dependencies:
- name: upstream/crd
git:
repo: "https://opendev.org/airship/sip"
directory: "config/crd"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/default
git:
repo: "https://opendev.org/airship/sip"
directory: "config/default"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/manager
git:
repo: "https://opendev.org/airship/sip"
directory: "config/manager"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/rbac
git:
repo: "https://opendev.org/airship/sip"
directory: "config/rbac"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"


@ -0,0 +1,17 @@
# Support Infrastructure Provider (SIP)
The Support Infrastructure Provider (SIP) provisions tenant Kubernetes clusters
using BaremetalHost (BMH) objects and deploys supporting infrastructure to
access sub-clusters.
View the source code for SIP on [OpenDev][repo].
[repo]: https://opendev.org/airship/sip
## Update Manifests
To update the upstream manifests in this function:
1. Update the git references in `Kptfile`.
2. Run `kpt pkg sync .` from this directory.
3. Update any `sip` container image references defined in version catalogs.


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- upstream/default


@ -0,0 +1,2 @@
resources:
- versions.yaml


@ -0,0 +1,29 @@
apiVersion: airshipit.org/v1alpha1
kind: ReplacementTransformer
metadata:
name: sip-versions-replacements
annotations:
config.kubernetes.io/function: |-
container:
image: quay.io/airshipit/replacement-transformer:latest
replacements:
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: images.sip.manager
target:
objref:
kind: Deployment
name: sipcluster-controller-manager
fieldrefs: ["spec.template.spec.containers[name=manager].image"]
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: images.sip.kube-rbac-proxy
target:
objref:
kind: Deployment
name: sipcluster-controller-manager
fieldrefs: ["spec.template.spec.containers[name=kube-rbac-proxy].image"]
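Review bot: The kustomize function container on the `image:` line inside the `config.kubernetes.io/function` annotation is pinned to `quay.io/airshipit/replacement-transformer:latest`, so every render pulls whatever that mutable tag points at and a retag upstream silently changes the tool that rewrites the manager and kube-rbac-proxy images. Pin it to a fixed version tag or, better, an image digest, e.g. `image: quay.io/airshipit/replacement-transformer:<pinned-version-or-digest>` (placeholder), so a render is reproducible and the tool in the supply chain is auditable. The two replacement targets do agree with the rest of the commit: `sipcluster-controller-manager` is the `sipcluster-` namePrefix from the default kustomization applied to the `controller-manager` Deployment, and the container names `manager` and `kube-rbac-proxy` match the auth-proxy patch.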


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/crd
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/crd
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,240 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sipclusters.airship.airshipit.org
spec:
group: airship.airshipit.org
names:
kind: SIPCluster
listKind: SIPClusterList
plural: sipclusters
singular: sipcluster
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: SIPCluster is the Schema for the sipclusters API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SIPClusterSpec defines the desired state of a SIPCluster
properties:
nodes:
additionalProperties:
description: 'NodeSet are the the list of Nodes objects workers, or
ControlPlane that define expectations for the Tenant Clusters Includes
artifacts to associate with each defined namespace Such as : - Roles
for the Nodes - Flavor for theh Nodes image - Scheduling expectations
- Scale of the group of Nodes'
properties:
count:
description: Count defines the scale expectations for the Nodes
properties:
active:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed
state of cluster Important: Run "make" to regenerate code
after modifying this file'
type: integer
standby:
type: integer
type: object
spreadTopology:
description: PlaceHolder until we define the real expected Implementation
Scheduling define constraints that allow the SIP Scheduler to
identify the required BMH's to allow CAPI to build a cluster
enum:
- PerRack
- PerHost
type: string
vmFlavor:
description: VMFlavor is essentially a Flavor label identifying
the type of Node that meets the construction reqirements
type: string
type: object
description: Nodes defines the set of nodes to schedule for each vm
role.
type: object
services:
description: Services defines the services that are deployed when a
SIPCluster is provisioned.
properties:
auth:
description: Auth defines the sub-cluster authentication services.
items:
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
jumpHost:
description: JumpHost defines the sub-cluster jump host services.
items:
description: JumpHostService is an infrastructure service type
that represents the sub-cluster jump-host service.
properties:
bmc:
description: BMCOpts contains options for BMC communication.
properties:
proxy:
type: boolean
type: object
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
sshkey:
type: string
required:
- image
- nodePort
type: object
type: array
loadBalancer:
description: LoadBalancer defines the sub-cluster load balancer
services.
items:
properties:
clusterIP:
type: string
image:
type: string
nodeInterfaceId:
type: string
nodeLabels:
additionalProperties:
type: string
type: object
nodePort:
type: integer
required:
- image
- nodePort
type: object
type: array
type: object
required:
- services
type: object
status:
description: SIPClusterStatus defines the observed state of SIPCluster
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a foo's
current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type //
+patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating details
about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers of
specific condition types may define expected values and meanings
for this field, and whether the values are considered a guaranteed
API. The value should be a CamelCase string. This field may
not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,570 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
clusterctl.cluster.x-k8s.io: ""
name: baremetalhosts.metal3.io
spec:
additionalPrinterColumns:
- JSONPath: .status.operationalStatus
description: Operational status
name: Status
type: string
- JSONPath: .status.provisioning.state
description: Provisioning status
name: Provisioning Status
type: string
- JSONPath: .spec.consumerRef.name
description: Consumer using this host
name: Consumer
type: string
- JSONPath: .spec.bmc.address
description: Address of management controller
name: BMC
type: string
- JSONPath: .status.hardwareProfile
description: The type of hardware detected
name: Hardware Profile
type: string
- JSONPath: .spec.online
description: Whether the host is online or not
name: Online
type: string
- JSONPath: .status.errorMessage
description: Most recent error
name: Error
type: string
group: metal3.io
names:
kind: BareMetalHost
listKind: BareMetalHostList
plural: baremetalhosts
shortNames:
- bmh
- bmhost
singular: baremetalhost
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: BareMetalHost is the Schema for the baremetalhosts API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: BareMetalHostSpec defines the desired state of BareMetalHost
properties:
bmc:
description: How do we connect to the BMC?
properties:
address:
description: Address holds the URL for accessing the controller
on the network.
type: string
credentialsName:
description: The name of the secret containing the BMC credentials
(requires keys "username" and "password").
type: string
disableCertificateVerification:
description: DisableCertificateVerification disables verification
of server certificates when using HTTPS to connect to the BMC.
This is required when the server certificate is self-signed, but
is insecure because it allows a man-in-the-middle to intercept
the connection.
type: boolean
required:
- address
- credentialsName
type: object
bootMACAddress:
description: Which MAC address will PXE boot? This is optional for some
types, but required for libvirt VMs driven by vbmc.
pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'
type: string
bootMode:
description: Select the method of initializing the hardware during boot.
enum:
- UEFI
- legacy
type: string
consumerRef:
description: ConsumerRef can be used to store information about something
that is using a host. When it is not empty, the host is considered
"in use".
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an
entire object, this string should contain a valid JSON/Go field
access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen only
to have some well-defined way of referencing a part of an object.
TODO: this design is not final and this field is subject to change
in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
description:
description: Description is a human-entered text used to help identify
the host
type: string
externallyProvisioned:
description: ExternallyProvisioned means something else is managing
the image running on the host and the operator should only manage
the power status and hardware inventory inspection. If the Image field
is filled in, this field is ignored.
type: boolean
hardwareProfile:
description: What is the name of the hardware profile for this host?
It should only be necessary to set this when inspection cannot automatically
determine the profile.
type: string
image:
description: Image holds the details of the image to be provisioned.
properties:
checksum:
description: Checksum is the checksum for the image.
type: string
url:
description: URL is a location of an image to deploy.
type: string
required:
- checksum
- url
type: object
networkData:
description: NetworkData holds the reference to the Secret containing
content of network_data.json which is passed to Config Drive
properties:
name:
description: Name is unique within a namespace to reference a secret
resource.
type: string
namespace:
description: Namespace defines the space within which the secret
name must be unique.
type: string
type: object
online:
description: Should the server be online?
type: boolean
taints:
description: Taints is the full, authoritative list of taints to apply
to the corresponding Machine. This list will overwrite any modifications
made to the Machine on an ongoing basis.
items:
description: The node this Taint is attached to has the "effect" on
any pod that does not tolerate the Taint.
properties:
effect:
description: Required. The effect of the taint on pods that do
not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule
and NoExecute.
type: string
key:
description: Required. The taint key to be applied to a node.
type: string
timeAdded:
description: TimeAdded represents the time at which the taint
was added. It is only written for NoExecute taints.
format: date-time
type: string
value:
description: Required. The taint value corresponding to the taint
key.
type: string
required:
- effect
- key
type: object
type: array
userData:
description: UserData holds the reference to the Secret containing the
user data to be passed to the host before it boots.
properties:
name:
description: Name is unique within a namespace to reference a secret
resource.
type: string
namespace:
description: Namespace defines the space within which the secret
name must be unique.
type: string
type: object
required:
- online
type: object
status:
description: BareMetalHostStatus defines the observed state of BareMetalHost
properties:
errorMessage:
description: the last error message reported by the provisioning subsystem
type: string
errorType:
description: ErrorType indicates the type of failure encountered when
the OperationalStatus is OperationalStatusError
enum:
- registration error
- inspection error
- provisioning error
- power management error
type: string
goodCredentials:
description: the last credentials we were able to validate as working
properties:
credentials:
description: SecretReference represents a Secret Reference. It has
enough information to retrieve secret in any namespace
properties:
name:
description: Name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret
name must be unique.
type: string
type: object
credentialsVersion:
type: string
type: object
hardware:
description: The hardware discovered to exist on the host.
properties:
cpu:
description: CPU describes one processor on the host.
properties:
arch:
type: string
clockMegahertz:
description: ClockSpeed is a clock speed in MHz
count:
type: integer
flags:
items:
type: string
type: array
model:
type: string
required:
- arch
- clockMegahertz
- count
- flags
- model
type: object
firmware:
description: Firmware describes the firmware on the host.
properties:
bios:
description: The BIOS for this firmware
properties:
date:
description: The release/build date for this BIOS
type: string
vendor:
description: The vendor name for this BIOS
type: string
version:
description: The version of the BIOS
type: string
required:
- date
- vendor
- version
type: object
required:
- bios
type: object
hostname:
type: string
nics:
items:
description: NIC describes one network interface on the host.
properties:
ip:
description: The IP address of the device
type: string
mac:
description: The device MAC addr
pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'
type: string
model:
description: The name of the model, e.g. "virt-io"
type: string
name:
description: The name of the NIC, e.g. "nic-1"
type: string
pxe:
description: Whether the NIC is PXE Bootable
type: boolean
speedGbps:
description: The speed of the device
type: integer
vlanId:
description: The untagged VLAN ID
format: int32
type: integer
vlans:
description: The VLANs available
items:
description: VLAN represents the name and ID of a VLAN
properties:
id:
description: VLANID is a 12-bit 802.1Q VLAN identifier
format: int32
type: integer
name:
type: string
required:
- id
type: object
type: array
required:
- ip
- mac
- model
- name
- pxe
- speedGbps
- vlanId
type: object
type: array
ramMebibytes:
type: integer
storage:
items:
description: Storage describes one storage device (disk, SSD,
etc.) on the host.
properties:
hctl:
description: The SCSI location of the device
type: string
model:
description: Hardware model
type: string
name:
description: A name for the disk, e.g. "disk 1 (boot)"
type: string
rotational:
description: Whether this disk represents rotational storage
type: boolean
serialNumber:
description: The serial number of the device
type: string
sizeBytes:
description: The size of the disk in Bytes
format: int64
type: integer
vendor:
description: The name of the vendor of the device
type: string
wwn:
description: The WWN of the device
type: string
wwnVendorExtension:
description: The WWN Vendor extension of the device
type: string
wwnWithExtension:
description: The WWN with the extension
type: string
required:
- name
- rotational
- serialNumber
- sizeBytes
type: object
type: array
systemVendor:
description: HardwareSystemVendor stores details about the whole
hardware system.
properties:
manufacturer:
type: string
productName:
type: string
serialNumber:
type: string
required:
- manufacturer
- productName
- serialNumber
type: object
required:
- cpu
- firmware
- hostname
- nics
- ramMebibytes
- storage
- systemVendor
type: object
hardwareProfile:
description: The name of the profile matching the hardware details.
type: string
lastUpdated:
description: LastUpdated identifies when this status was last observed.
format: date-time
type: string
operationHistory:
description: OperationHistory holds information about operations performed
on this host.
properties:
deprovision:
description: OperationMetric contains metadata about an operation
(inspection, provisioning, etc.) used for tracking metrics.
properties:
end:
format: date-time
nullable: true
type: string
start:
format: date-time
nullable: true
type: string
type: object
inspect:
description: OperationMetric contains metadata about an operation
(inspection, provisioning, etc.) used for tracking metrics.
properties:
end:
format: date-time
nullable: true
type: string
start:
format: date-time
nullable: true
type: string
type: object
provision:
description: OperationMetric contains metadata about an operation
(inspection, provisioning, etc.) used for tracking metrics.
properties:
end:
format: date-time
nullable: true
type: string
start:
format: date-time
nullable: true
type: string
type: object
register:
description: OperationMetric contains metadata about an operation
(inspection, provisioning, etc.) used for tracking metrics.
properties:
end:
format: date-time
nullable: true
type: string
start:
format: date-time
nullable: true
type: string
type: object
type: object
operationalStatus:
description: OperationalStatus holds the status of the host
enum:
- ""
- OK
- discovered
- error
type: string
poweredOn:
description: indicator for whether or not the host is powered on
type: boolean
provisioning:
description: Information tracked by the provisioner.
properties:
ID:
description: The machine's UUID from the underlying provisioning
tool
type: string
image:
description: Image holds the details of the last image successfully
provisioned to the host.
properties:
checksum:
description: Checksum is the checksum for the image.
type: string
url:
description: URL is a location of an image to deploy.
type: string
required:
- checksum
- url
type: object
state:
description: An indiciator for what the provisioner is doing with
the host.
type: string
required:
- ID
- state
type: object
triedCredentials:
description: the last credentials we sent to the provisioning backend
properties:
credentials:
description: SecretReference represents a Secret Reference. It has
enough information to retrieve secret in any namespace
properties:
name:
description: Name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret
name must be unique.
type: string
type: object
credentialsVersion:
type: string
type: object
required:
- errorMessage
- hardwareProfile
- operationHistory
- operationalStatus
- poweredOn
- provisioning
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true


@ -0,0 +1,21 @@
# This kustomization.yaml is not intended to be run by itself,
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/airship.airshipit.org_sipclusters.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patchesStrategicMerge:
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
# patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_sipclusters.yaml
# +kubebuilder:scaffold:crdkustomizewebhookpatch
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
# patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_sipclusters.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml


@ -0,0 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations


@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: sipclusters.airship.airshipit.org


@ -0,0 +1,17 @@
# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: sipclusters.airship.airshipit.org
spec:
conversion:
strategy: Webhook
webhookClientConfig:
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: system
name: webhook-service
path: /convert


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/default
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/default
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,70 @@
# Adds namespace to all resources.
namespace: sipcluster-system
# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
# "wordpress" becomes "alices-wordpress".
# Note that it should also match with the prefix (text before '-') of the namespace
# field above.
namePrefix: sipcluster-
# Labels to add to all resources and selectors.
#commonLabels:
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
#- ../certmanager
# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
#- ../prometheus
patchesStrategicMerge:
# Protect the /metrics endpoint by putting it behind auth.
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, please comment the following line.
- manager_auth_proxy_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
# crd/kustomization.yaml
#- manager_webhook_patch.yaml
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
#- webhookcainjection_patch.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
# fieldref:
# fieldpath: metadata.namespace
#- name: CERTIFICATE_NAME
# objref:
# kind: Certificate
# group: cert-manager.io
# version: v1alpha2
# name: serving-cert # this name should match the one in certificate.yaml
#- name: SERVICE_NAMESPACE # namespace of the service
# objref:
# kind: Service
# version: v1
# name: webhook-service
# fieldref:
# fieldpath: metadata.namespace
#- name: SERVICE_NAME
# objref:
# kind: Service
# version: v1
# name: webhook-service


@ -0,0 +1,25 @@
# This patch inject a sidecar container which is a HTTP proxy for the
# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- "--enable-leader-election"


@ -0,0 +1,23 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert


@ -0,0 +1,15 @@
# This patch add annotation to admission webhook config and
# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/manager
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/manager
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,2 @@
resources:
- manager.yaml


@ -0,0 +1,40 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: system
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- --enable-leader-election
image: quay.io/airshipit/sip
imagePullPolicy: IfNotPresent
name: manager
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
terminationGracePeriodSeconds: 10
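Review bot: The `manager` container in the Deployment sets no `securityContext`, so the controller runs with the cluster's default privileges (no `runAsNonRoot`, writable root filesystem, full default capability set) even though it only needs to execute `/manager` and talk to the API server. Because this file is synced from upstream, the hardening belongs in a strategic-merge patch added to this function's kustomization rather than an edit here; the patch body below shows the fields to add. Separately, `image: quay.io/airshipit/sip` carries no tag, which is fine only because the `images.sip.manager` replacement in versions.yaml supplies it — a render without that catalog entry would pull the mutable default tag, so the README's step about keeping the catalog updated is load-bearing and worth stating in the function's README.
```yaml
      containers:
      - command:
        - /manager
        # … unchanged: args, image, imagePullPolicy, name, resources …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]
```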


@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/rbac
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/rbac
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b


@ -0,0 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
verbs: ["get"]


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system
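Review bot: The `subjects` entry binds `proxy-role` to the `default` ServiceAccount in `sipcluster-system`, and the leader-election, manager, scheduler and infra-service bindings later in this commit do the same, so any pod that lands in that namespace without an explicit `serviceAccountName` inherits the manager's cluster-wide rights, including the secrets and namespaces permissions granted by `cluster-scheduler-role`. A dedicated ServiceAccount for the controller (`name: controller-manager` in each `subjects` entry, referenced from the Deployment's `serviceAccountName`) keeps those permissions confined to the controller pod. These files look like a vendored upstream copy, so this is best raised upstream or overridden with a patch in the function's kustomization.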


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager


@ -0,0 +1,15 @@
resources:
- role.yaml
- role_binding.yaml
- sipcluster_scheduler_role.yaml
- sipcluster_scheduler_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml


@ -0,0 +1,44 @@
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- apiGroups:
- "coordination.k8s.io"
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,37 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters/status
verbs:
- get
- patch
- update
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- get
- list
- patch
- update


@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,24 @@
# permissions for end users to edit sipclusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sipcluster-editor-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters/status
verbs:
- get


@ -0,0 +1,39 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: scheduler-rolebinding
namespace: metal3
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: scheduler-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-scheduler-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-scheduler-role
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-infra-service-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sipcluster-infra-service
subjects:
- kind: ServiceAccount
name: default
namespace: sipcluster-system


@ -0,0 +1,80 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: scheduler-role
namespace: metal3
rules:
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- get
- list
- patch
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-scheduler-role
rules:
- apiGroups:
- metal3.io
resources:
- baremetalhosts
verbs:
- get
- list
- patch
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- secrets
verbs:
- create
- delete
- update
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sipcluster-infra-service
rules:
- apiGroups:
- ""
- apps
resources:
- configmaps
- deployments
- services
verbs:
- create
- delete
- update
- get
- list
- watch
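Review bot: In `cluster-scheduler-role` the second and third rules overlap: both grant verbs on core `secrets`, and the third rule (`create`, `delete`, `update`, `get`, `list`, `watch` on `namespaces` and `secrets`) is a strict superset of the second, so the `get`/`list`/`watch`-only secrets rule can be removed without changing effective permissions. The remaining rule still allows listing and watching every Secret in the cluster; if the controller only needs the BareMetalHost credentials in `metal3` (already covered by the namespaced `scheduler-role` above) and the secrets it creates in tenant namespaces, a comment above the rule stating why cluster-wide read access is required, or narrowing it, would make the privilege boundary reviewable. As with the other files here, this is presumably vendored upstream config and would be addressed upstream or by a patch in the function.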


@ -0,0 +1,20 @@
# permissions for end users to view sipclusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sipcluster-viewer-role
rules:
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters
verbs:
- get
- list
- watch
- apiGroups:
- airship.airshipit.org
resources:
- sipclusters/status
verbs:
- get