WIP: Add SIP function
Signed-off-by: Drew Walters <andrew.walters@att.com> Change-Id: I4b6ac2707d495217bec14c09bec34f305a12e8e3
This commit is contained in:
parent
786567aa12
commit
b9a6f15e9e
@ -0,0 +1,23 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
dependencies:
- name: upstream/crd
git:
repo: "https://opendev.org/airship/sip"
directory: "config/crd"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/default
git:
repo: "https://opendev.org/airship/sip"
directory: "config/default"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/manager
git:
repo: "https://opendev.org/airship/sip"
directory: "config/manager"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
- name: upstream/rbac
git:
repo: "https://opendev.org/airship/sip"
directory: "config/rbac"
ref: "eac22786d83f1a4f524f9f32ea36bb57b164ea1b"
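Review bot: The four dependencies from `- name: upstream/crd` through `- name: upstream/rbac` pin the same repo and the same commit, but nothing records that they must be bumped together; the `upstream/default` kustomization added later in this commit reaches into `../crd`, `../rbac` and `../manager`, so syncing one entry to a newer ref while the others lag would mix two upstream revisions in one rendered bundle. A header comment would make the contract explicit: `# All four dependencies track the same upstream commit; update every ref together and re-run kpt pkg sync.`. Pinning to a full commit SHA rather than a branch name is the right choice here and should be kept when the refs are updated.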
@ -0,0 +1,17 @@
# Support Infrastructure Provider (SIP)
The Support Infrastructure Provider (SIP) provisions tenant Kubernetes clusters
using BaremetalHost (BMH) objects and deploys supporting infrastructure to
access sub-clusters.
View the source code for SIP on [OpenDev][repo].
[repo]: https://opendev.org/airship/sip
## Update Manifests
To update the upstream manifests in this function:
1. Update the git references in `Kptfile`.
2. Run `kpt pkg sync .` from this directory.
3. Update any `sip` container image references defined in version catalogs.
@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- upstream/default
@ -0,0 +1,2 @@
resources:
- versions.yaml
@ -0,0 +1,29 @@
apiVersion: airshipit.org/v1alpha1
kind: ReplacementTransformer
metadata:
name: sip-versions-replacements
annotations:
config.kubernetes.io/function: |-
container:
image: quay.io/airshipit/replacement-transformer:latest
replacements:
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: images.sip.manager
target:
objref:
kind: Deployment
name: sipcluster-controller-manager
fieldrefs: ["spec.template.spec.containers[name=manager].image"]
- source:
objref:
kind: VersionsCatalogue
name: versions-treasuremap
fieldref: images.sip.kube-rbac-proxy
target:
objref:
kind: Deployment
name: sipcluster-controller-manager
fieldrefs: ["spec.template.spec.containers[name=kube-rbac-proxy].image"]
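Review bot: `image: quay.io/airshipit/replacement-transformer:latest` runs a floating tag as the kustomize function container that rewrites the Deployment's image fields, so the code executed during rendering can change underneath the repository with no change to this file and no review; pin it to a release tag or digest, e.g. `image: quay.io/airshipit/replacement-transformer:<PINNED_TAG_OR_DIGEST>` (placeholder). The two sources read `images.sip.manager` and `images.sip.kube-rbac-proxy` from the `versions-treasuremap` catalogue, which this commit does not add; presumably those keys are defined elsewhere in the repository, but a short comment above `replacements:` naming where the catalogue lives would let the next person syncing the function confirm the keys exist before the transformer is run.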
@ -0,0 +1,11 @@
apiVersion: kpt.dev/v1alpha1
kind: Kptfile
metadata:
name: upstream/crd
upstream:
type: git
git:
commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
repo: https://opendev.org/airship/sip
directory: config/crd
ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
@ -0,0 +1,240 @@
|
|||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.3.0
|
||||
creationTimestamp: null
|
||||
name: sipclusters.airship.airshipit.org
|
||||
spec:
|
||||
group: airship.airshipit.org
|
||||
names:
|
||||
kind: SIPCluster
|
||||
listKind: SIPClusterList
|
||||
plural: sipclusters
|
||||
singular: sipcluster
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
validation:
|
||||
openAPIV3Schema:
|
||||
description: SIPCluster is the Schema for the sipclusters API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: SIPClusterSpec defines the desired state of a SIPCluster
|
||||
properties:
|
||||
nodes:
|
||||
additionalProperties:
|
||||
description: 'NodeSet are the the list of Nodes objects workers, or
|
||||
ControlPlane that define expectations for the Tenant Clusters Includes
|
||||
artifacts to associate with each defined namespace Such as : - Roles
|
||||
for the Nodes - Flavor for theh Nodes image - Scheduling expectations
|
||||
- Scale of the group of Nodes'
|
||||
properties:
|
||||
count:
|
||||
description: Count defines the scale expectations for the Nodes
|
||||
properties:
|
||||
active:
|
||||
description: 'INSERT ADDITIONAL STATUS FIELD - define observed
|
||||
state of cluster Important: Run "make" to regenerate code
|
||||
after modifying this file'
|
||||
type: integer
|
||||
standby:
|
||||
type: integer
|
||||
type: object
|
||||
spreadTopology:
|
||||
description: PlaceHolder until we define the real expected Implementation
|
||||
Scheduling define constraints that allow the SIP Scheduler to
|
||||
identify the required BMH's to allow CAPI to build a cluster
|
||||
enum:
|
||||
- PerRack
|
||||
- PerHost
|
||||
type: string
|
||||
vmFlavor:
|
||||
description: VMFlavor is essentially a Flavor label identifying
|
||||
the type of Node that meets the construction reqirements
|
||||
type: string
|
||||
type: object
|
||||
description: Nodes defines the set of nodes to schedule for each vm
|
||||
role.
|
||||
type: object
|
||||
services:
|
||||
description: Services defines the services that are deployed when a
|
||||
SIPCluster is provisioned.
|
||||
properties:
|
||||
auth:
|
||||
description: Auth defines the sub-cluster authentication services.
|
||||
items:
|
||||
properties:
|
||||
clusterIP:
|
||||
type: string
|
||||
image:
|
||||
type: string
|
||||
nodeInterfaceId:
|
||||
type: string
|
||||
nodeLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
nodePort:
|
||||
type: integer
|
||||
required:
|
||||
- image
|
||||
- nodePort
|
||||
type: object
|
||||
type: array
|
||||
jumpHost:
|
||||
description: JumpHost defines the sub-cluster jump host services.
|
||||
items:
|
||||
description: JumpHostService is an infrastructure service type
|
||||
that represents the sub-cluster jump-host service.
|
||||
properties:
|
||||
bmc:
|
||||
description: BMCOpts contains options for BMC communication.
|
||||
properties:
|
||||
proxy:
|
||||
type: boolean
|
||||
type: object
|
||||
clusterIP:
|
||||
type: string
|
||||
image:
|
||||
type: string
|
||||
nodeInterfaceId:
|
||||
type: string
|
||||
nodeLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
nodePort:
|
||||
type: integer
|
||||
sshkey:
|
||||
type: string
|
||||
required:
|
||||
- image
|
||||
- nodePort
|
||||
type: object
|
||||
type: array
|
||||
loadBalancer:
|
||||
description: LoadBalancer defines the sub-cluster load balancer
|
||||
services.
|
||||
items:
|
||||
properties:
|
||||
clusterIP:
|
||||
type: string
|
||||
image:
|
||||
type: string
|
||||
nodeInterfaceId:
|
||||
type: string
|
||||
nodeLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
type: object
|
||||
nodePort:
|
||||
type: integer
|
||||
required:
|
||||
- image
|
||||
- nodePort
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- services
|
||||
type: object
|
||||
status:
|
||||
description: SIPClusterStatus defines the observed state of SIPCluster
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: "Condition contains details for one aspect of the current
|
||||
state of this API Resource. --- This struct is intended for direct
|
||||
use as an array at the field path .status.conditions. For example,
|
||||
type FooStatus struct{ // Represents the observations of a foo's
|
||||
current state. // Known .status.conditions.type are: \"Available\",
|
||||
\"Progressing\", and \"Degraded\" // +patchMergeKey=type //
|
||||
+patchStrategy=merge // +listType=map // +listMapKey=type
|
||||
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
|
||||
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
|
||||
\n // other fields }"
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: lastTransitionTime is the last time the condition
|
||||
transitioned from one status to another. This should be when
|
||||
the underlying condition changed. If that is not known, then
|
||||
using the time when the API field changed is acceptable.
|
||||
format: date-time
|
||||
type: string
|
||||
message:
|
||||
description: message is a human readable message indicating details
|
||||
about the transition. This may be an empty string.
|
||||
maxLength: 32768
|
||||
type: string
|
||||
observedGeneration:
|
||||
description: observedGeneration represents the .metadata.generation
|
||||
that the condition was set based upon. For instance, if .metadata.generation
|
||||
is currently 12, but the .status.conditions[x].observedGeneration
|
||||
is 9, the condition is out of date with respect to the current
|
||||
state of the instance.
|
||||
format: int64
|
||||
minimum: 0
|
||||
type: integer
|
||||
reason:
|
||||
description: reason contains a programmatic identifier indicating
|
||||
the reason for the condition's last transition. Producers of
|
||||
specific condition types may define expected values and meanings
|
||||
for this field, and whether the values are considered a guaranteed
|
||||
API. The value should be a CamelCase string. This field may
|
||||
not be empty.
|
||||
maxLength: 1024
|
||||
minLength: 1
|
||||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
- Unknown
|
||||
type: string
|
||||
type:
|
||||
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
||||
--- Many .condition.type values are consistent across resources
|
||||
like Available, but because arbitrary conditions can be useful
|
||||
(see .node.status.conditions), the ability to deconflict is
|
||||
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
||||
maxLength: 316
|
||||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
||||
type: string
|
||||
required:
|
||||
- lastTransitionTime
|
||||
- message
|
||||
- reason
|
||||
- status
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
type: object
|
||||
version: v1
|
||||
versions:
|
||||
- name: v1
|
||||
served: true
|
||||
storage: true
|
||||
status:
|
||||
acceptedNames:
|
||||
kind: ""
|
||||
plural: ""
|
||||
conditions: []
|
||||
storedVersions: []
|
|
@ -0,0 +1,570 @@
|
|||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
labels:
|
||||
clusterctl.cluster.x-k8s.io: ""
|
||||
name: baremetalhosts.metal3.io
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .status.operationalStatus
|
||||
description: Operational status
|
||||
name: Status
|
||||
type: string
|
||||
- JSONPath: .status.provisioning.state
|
||||
description: Provisioning status
|
||||
name: Provisioning Status
|
||||
type: string
|
||||
- JSONPath: .spec.consumerRef.name
|
||||
description: Consumer using this host
|
||||
name: Consumer
|
||||
type: string
|
||||
- JSONPath: .spec.bmc.address
|
||||
description: Address of management controller
|
||||
name: BMC
|
||||
type: string
|
||||
- JSONPath: .status.hardwareProfile
|
||||
description: The type of hardware detected
|
||||
name: Hardware Profile
|
||||
type: string
|
||||
- JSONPath: .spec.online
|
||||
description: Whether the host is online or not
|
||||
name: Online
|
||||
type: string
|
||||
- JSONPath: .status.errorMessage
|
||||
description: Most recent error
|
||||
name: Error
|
||||
type: string
|
||||
group: metal3.io
|
||||
names:
|
||||
kind: BareMetalHost
|
||||
listKind: BareMetalHostList
|
||||
plural: baremetalhosts
|
||||
shortNames:
|
||||
- bmh
|
||||
- bmhost
|
||||
singular: baremetalhost
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
validation:
|
||||
openAPIV3Schema:
|
||||
description: BareMetalHost is the Schema for the baremetalhosts API
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: BareMetalHostSpec defines the desired state of BareMetalHost
|
||||
properties:
|
||||
bmc:
|
||||
description: How do we connect to the BMC?
|
||||
properties:
|
||||
address:
|
||||
description: Address holds the URL for accessing the controller
|
||||
on the network.
|
||||
type: string
|
||||
credentialsName:
|
||||
description: The name of the secret containing the BMC credentials
|
||||
(requires keys "username" and "password").
|
||||
type: string
|
||||
disableCertificateVerification:
|
||||
description: DisableCertificateVerification disables verification
|
||||
of server certificates when using HTTPS to connect to the BMC.
|
||||
This is required when the server certificate is self-signed, but
|
||||
is insecure because it allows a man-in-the-middle to intercept
|
||||
the connection.
|
||||
type: boolean
|
||||
required:
|
||||
- address
|
||||
- credentialsName
|
||||
type: object
|
||||
bootMACAddress:
|
||||
description: Which MAC address will PXE boot? This is optional for some
|
||||
types, but required for libvirt VMs driven by vbmc.
|
||||
pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'
|
||||
type: string
|
||||
bootMode:
|
||||
description: Select the method of initializing the hardware during boot.
|
||||
enum:
|
||||
- UEFI
|
||||
- legacy
|
||||
type: string
|
||||
consumerRef:
|
||||
description: ConsumerRef can be used to store information about something
|
||||
that is using a host. When it is not empty, the host is considered
|
||||
"in use".
|
||||
properties:
|
||||
apiVersion:
|
||||
description: API version of the referent.
|
||||
type: string
|
||||
fieldPath:
|
||||
description: 'If referring to a piece of an object instead of an
|
||||
entire object, this string should contain a valid JSON/Go field
|
||||
access statement, such as desiredState.manifest.containers[2].
|
||||
For example, if the object reference is to a container within
|
||||
a pod, this would take on a value like: "spec.containers{name}"
|
||||
(where "name" refers to the name of the container that triggered
|
||||
the event) or if no container name is specified "spec.containers[2]"
|
||||
(container with index 2 in this pod). This syntax is chosen only
|
||||
to have some well-defined way of referencing a part of an object.
|
||||
TODO: this design is not final and this field is subject to change
|
||||
in the future.'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
name:
|
||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
||||
type: string
|
||||
namespace:
|
||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
||||
type: string
|
||||
resourceVersion:
|
||||
description: 'Specific resourceVersion to which this reference is
|
||||
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
||||
type: string
|
||||
uid:
|
||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
||||
type: string
|
||||
type: object
|
||||
description:
|
||||
description: Description is a human-entered text used to help identify
|
||||
the host
|
||||
type: string
|
||||
externallyProvisioned:
|
||||
description: ExternallyProvisioned means something else is managing
|
||||
the image running on the host and the operator should only manage
|
||||
the power status and hardware inventory inspection. If the Image field
|
||||
is filled in, this field is ignored.
|
||||
type: boolean
|
||||
hardwareProfile:
|
||||
description: What is the name of the hardware profile for this host?
|
||||
It should only be necessary to set this when inspection cannot automatically
|
||||
determine the profile.
|
||||
type: string
|
||||
image:
|
||||
description: Image holds the details of the image to be provisioned.
|
||||
properties:
|
||||
checksum:
|
||||
description: Checksum is the checksum for the image.
|
||||
type: string
|
||||
url:
|
||||
description: URL is a location of an image to deploy.
|
||||
type: string
|
||||
required:
|
||||
- checksum
|
||||
- url
|
||||
type: object
|
||||
networkData:
|
||||
description: NetworkData holds the reference to the Secret containing
|
||||
content of network_data.json which is passed to Config Drive
|
||||
properties:
|
||||
name:
|
||||
description: Name is unique within a namespace to reference a secret
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the space within which the secret
|
||||
name must be unique.
|
||||
type: string
|
||||
type: object
|
||||
online:
|
||||
description: Should the server be online?
|
||||
type: boolean
|
||||
taints:
|
||||
description: Taints is the full, authoritative list of taints to apply
|
||||
to the corresponding Machine. This list will overwrite any modifications
|
||||
made to the Machine on an ongoing basis.
|
||||
items:
|
||||
description: The node this Taint is attached to has the "effect" on
|
||||
any pod that does not tolerate the Taint.
|
||||
properties:
|
||||
effect:
|
||||
description: Required. The effect of the taint on pods that do
|
||||
not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule
|
||||
and NoExecute.
|
||||
type: string
|
||||
key:
|
||||
description: Required. The taint key to be applied to a node.
|
||||
type: string
|
||||
timeAdded:
|
||||
description: TimeAdded represents the time at which the taint
|
||||
was added. It is only written for NoExecute taints.
|
||||
format: date-time
|
||||
type: string
|
||||
value:
|
||||
description: Required. The taint value corresponding to the taint
|
||||
key.
|
||||
type: string
|
||||
required:
|
||||
- effect
|
||||
- key
|
||||
type: object
|
||||
type: array
|
||||
userData:
|
||||
description: UserData holds the reference to the Secret containing the
|
||||
user data to be passed to the host before it boots.
|
||||
properties:
|
||||
name:
|
||||
description: Name is unique within a namespace to reference a secret
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the space within which the secret
|
||||
name must be unique.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- online
|
||||
type: object
|
||||
status:
|
||||
description: BareMetalHostStatus defines the observed state of BareMetalHost
|
||||
properties:
|
||||
errorMessage:
|
||||
description: the last error message reported by the provisioning subsystem
|
||||
type: string
|
||||
errorType:
|
||||
description: ErrorType indicates the type of failure encountered when
|
||||
the OperationalStatus is OperationalStatusError
|
||||
enum:
|
||||
- registration error
|
||||
- inspection error
|
||||
- provisioning error
|
||||
- power management error
|
||||
type: string
|
||||
goodCredentials:
|
||||
description: the last credentials we were able to validate as working
|
||||
properties:
|
||||
credentials:
|
||||
description: SecretReference represents a Secret Reference. It has
|
||||
enough information to retrieve secret in any namespace
|
||||
properties:
|
||||
name:
|
||||
description: Name is unique within a namespace to reference
|
||||
a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the space within which the secret
|
||||
name must be unique.
|
||||
type: string
|
||||
type: object
|
||||
credentialsVersion:
|
||||
type: string
|
||||
type: object
|
||||
hardware:
|
||||
description: The hardware discovered to exist on the host.
|
||||
properties:
|
||||
cpu:
|
||||
description: CPU describes one processor on the host.
|
||||
properties:
|
||||
arch:
|
||||
type: string
|
||||
clockMegahertz:
|
||||
description: ClockSpeed is a clock speed in MHz
|
||||
count:
|
||||
type: integer
|
||||
flags:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
model:
|
||||
type: string
|
||||
required:
|
||||
- arch
|
||||
- clockMegahertz
|
||||
- count
|
||||
- flags
|
||||
- model
|
||||
type: object
|
||||
firmware:
|
||||
description: Firmware describes the firmware on the host.
|
||||
properties:
|
||||
bios:
|
||||
description: The BIOS for this firmware
|
||||
properties:
|
||||
date:
|
||||
description: The release/build date for this BIOS
|
||||
type: string
|
||||
vendor:
|
||||
description: The vendor name for this BIOS
|
||||
type: string
|
||||
version:
|
||||
description: The version of the BIOS
|
||||
type: string
|
||||
required:
|
||||
- date
|
||||
- vendor
|
||||
- version
|
||||
type: object
|
||||
required:
|
||||
- bios
|
||||
type: object
|
||||
hostname:
|
||||
type: string
|
||||
nics:
|
||||
items:
|
||||
description: NIC describes one network interface on the host.
|
||||
properties:
|
||||
ip:
|
||||
description: The IP address of the device
|
||||
type: string
|
||||
mac:
|
||||
description: The device MAC addr
|
||||
pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'
|
||||
type: string
|
||||
model:
|
||||
description: The name of the model, e.g. "virt-io"
|
||||
type: string
|
||||
name:
|
||||
description: The name of the NIC, e.g. "nic-1"
|
||||
type: string
|
||||
pxe:
|
||||
description: Whether the NIC is PXE Bootable
|
||||
type: boolean
|
||||
speedGbps:
|
||||
description: The speed of the device
|
||||
type: integer
|
||||
vlanId:
|
||||
description: The untagged VLAN ID
|
||||
format: int32
|
||||
type: integer
|
||||
vlans:
|
||||
description: The VLANs available
|
||||
items:
|
||||
description: VLAN represents the name and ID of a VLAN
|
||||
properties:
|
||||
id:
|
||||
description: VLANID is a 12-bit 802.1Q VLAN identifier
|
||||
format: int32
|
||||
type: integer
|
||||
name:
|
||||
type: string
|
||||
required:
|
||||
- id
|
||||
type: object
|
||||
type: array
|
||||
required:
|
||||
- ip
|
||||
- mac
|
||||
- model
|
||||
- name
|
||||
- pxe
|
||||
- speedGbps
|
||||
- vlanId
|
||||
type: object
|
||||
type: array
|
||||
ramMebibytes:
|
||||
type: integer
|
||||
storage:
|
||||
items:
|
||||
description: Storage describes one storage device (disk, SSD,
|
||||
etc.) on the host.
|
||||
properties:
|
||||
hctl:
|
||||
description: The SCSI location of the device
|
||||
type: string
|
||||
model:
|
||||
description: Hardware model
|
||||
type: string
|
||||
name:
|
||||
description: A name for the disk, e.g. "disk 1 (boot)"
|
||||
type: string
|
||||
rotational:
|
||||
description: Whether this disk represents rotational storage
|
||||
type: boolean
|
||||
serialNumber:
|
||||
description: The serial number of the device
|
||||
type: string
|
||||
sizeBytes:
|
||||
description: The size of the disk in Bytes
|
||||
format: int64
|
||||
type: integer
|
||||
vendor:
|
||||
description: The name of the vendor of the device
|
||||
type: string
|
||||
wwn:
|
||||
description: The WWN of the device
|
||||
type: string
|
||||
wwnVendorExtension:
|
||||
description: The WWN Vendor extension of the device
|
||||
type: string
|
||||
wwnWithExtension:
|
||||
description: The WWN with the extension
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
- rotational
|
||||
- serialNumber
|
||||
- sizeBytes
|
||||
type: object
|
||||
type: array
|
||||
systemVendor:
|
||||
description: HardwareSystemVendor stores details about the whole
|
||||
hardware system.
|
||||
properties:
|
||||
manufacturer:
|
||||
type: string
|
||||
productName:
|
||||
type: string
|
||||
serialNumber:
|
||||
type: string
|
||||
required:
|
||||
- manufacturer
|
||||
- productName
|
||||
- serialNumber
|
||||
type: object
|
||||
required:
|
||||
- cpu
|
||||
- firmware
|
||||
- hostname
|
||||
- nics
|
||||
- ramMebibytes
|
||||
- storage
|
||||
- systemVendor
|
||||
type: object
|
||||
hardwareProfile:
|
||||
description: The name of the profile matching the hardware details.
|
||||
type: string
|
||||
lastUpdated:
|
||||
description: LastUpdated identifies when this status was last observed.
|
||||
format: date-time
|
||||
type: string
|
||||
operationHistory:
|
||||
description: OperationHistory holds information about operations performed
|
||||
on this host.
|
||||
properties:
|
||||
deprovision:
|
||||
description: OperationMetric contains metadata about an operation
|
||||
(inspection, provisioning, etc.) used for tracking metrics.
|
||||
properties:
|
||||
end:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
start:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
inspect:
|
||||
description: OperationMetric contains metadata about an operation
|
||||
(inspection, provisioning, etc.) used for tracking metrics.
|
||||
properties:
|
||||
end:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
start:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
provision:
|
||||
description: OperationMetric contains metadata about an operation
|
||||
(inspection, provisioning, etc.) used for tracking metrics.
|
||||
properties:
|
||||
end:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
start:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
register:
|
||||
description: OperationMetric contains metadata about an operation
|
||||
(inspection, provisioning, etc.) used for tracking metrics.
|
||||
properties:
|
||||
end:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
start:
|
||||
format: date-time
|
||||
nullable: true
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
operationalStatus:
|
||||
description: OperationalStatus holds the status of the host
|
||||
enum:
|
||||
- ""
|
||||
- OK
|
||||
- discovered
|
||||
- error
|
||||
type: string
|
||||
poweredOn:
|
||||
description: indicator for whether or not the host is powered on
|
||||
type: boolean
|
||||
provisioning:
|
||||
description: Information tracked by the provisioner.
|
||||
properties:
|
||||
ID:
|
||||
description: The machine's UUID from the underlying provisioning
|
||||
tool
|
||||
type: string
|
||||
image:
|
||||
description: Image holds the details of the last image successfully
|
||||
provisioned to the host.
|
||||
properties:
|
||||
checksum:
|
||||
description: Checksum is the checksum for the image.
|
||||
type: string
|
||||
url:
|
||||
description: URL is a location of an image to deploy.
|
||||
type: string
|
||||
required:
|
||||
- checksum
|
||||
- url
|
||||
type: object
|
||||
state:
|
||||
description: An indiciator for what the provisioner is doing with
|
||||
the host.
|
||||
type: string
|
||||
required:
|
||||
- ID
|
||||
- state
|
||||
type: object
|
||||
triedCredentials:
|
||||
description: the last credentials we sent to the provisioning backend
|
||||
properties:
|
||||
credentials:
|
||||
description: SecretReference represents a Secret Reference. It has
|
||||
enough information to retrieve secret in any namespace
|
||||
properties:
|
||||
name:
|
||||
description: Name is unique within a namespace to reference
|
||||
a secret resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the space within which the secret
|
||||
name must be unique.
|
||||
type: string
|
||||
type: object
|
||||
credentialsVersion:
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
- errorMessage
|
||||
- hardwareProfile
|
||||
- operationHistory
|
||||
- operationalStatus
|
||||
- poweredOn
|
||||
- provisioning
|
||||
type: object
|
||||
type: object
|
||||
version: v1alpha1
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
served: true
|
||||
storage: true
|
|
@ -0,0 +1,21 @@
|
|||
# This kustomization.yaml is not intended to be run by itself,
|
||||
# since it depends on service name and namespace that are out of this kustomize package.
|
||||
# It should be run by config/default
|
||||
resources:
|
||||
- bases/airship.airshipit.org_sipclusters.yaml
|
||||
# +kubebuilder:scaffold:crdkustomizeresource
|
||||
|
||||
patchesStrategicMerge:
|
||||
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
|
||||
# patches here are for enabling the conversion webhook for each CRD
|
||||
#- patches/webhook_in_sipclusters.yaml
|
||||
# +kubebuilder:scaffold:crdkustomizewebhookpatch
|
||||
|
||||
# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
|
||||
# patches here are for enabling the CA injection for each CRD
|
||||
#- patches/cainjection_in_sipclusters.yaml
|
||||
# +kubebuilder:scaffold:crdkustomizecainjectionpatch
|
||||
|
||||
# the following config is for teaching kustomize how to do kustomization for CRDs.
|
||||
configurations:
|
||||
- kustomizeconfig.yaml
|
|
@ -0,0 +1,17 @@
|
|||
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
|
||||
nameReference:
|
||||
- kind: Service
|
||||
version: v1
|
||||
fieldSpecs:
|
||||
- kind: CustomResourceDefinition
|
||||
group: apiextensions.k8s.io
|
||||
path: spec/conversion/webhookClientConfig/service/name
|
||||
|
||||
namespace:
|
||||
- kind: CustomResourceDefinition
|
||||
group: apiextensions.k8s.io
|
||||
path: spec/conversion/webhookClientConfig/service/namespace
|
||||
create: false
|
||||
|
||||
varReference:
|
||||
- path: metadata/annotations
|
|
@ -0,0 +1,8 @@
|
|||
# The following patch adds a directive for certmanager to inject CA into the CRD
|
||||
# CRD conversion requires k8s 1.13 or later.
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
|
||||
name: sipclusters.airship.airshipit.org
|
|
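--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: sipclusters.airship.airshipit.org
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert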
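--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+  name: upstream/default
+upstream:
+  type: git
+  git:
+    commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
+    repo: https://opendev.org/airship/sip
+    directory: config/default
+    ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b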
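--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,70 @@
+# Adds namespace to all resources.
+namespace: sipcluster-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: sipcluster-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+# someName: someValue
+
+bases:
+- ../crd
+- ../rbac
+- ../manager
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- ../webhook
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+#- ../certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+patchesStrategicMerge:
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+#- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1alpha2
+# name: serving-cert # this name should match the one in certificate.yaml
+# fieldref:
+# fieldpath: metadata.namespace
+#- name: CERTIFICATE_NAME
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1alpha2
+# name: serving-cert # this name should match the one in certificate.yaml
+#- name: SERVICE_NAMESPACE # namespace of the service
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
+# fieldref:
+# fieldpath: metadata.namespace
+#- name: SERVICE_NAME
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service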
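--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,25 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"
+        - "--enable-leader-election"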
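Review bot: `- "--v=10"` on the kube-rbac-proxy container is the highest klog verbosity, and on the sidecar that fronts the metrics endpoint and performs the SubjectAccessReview authorization described in the header comment it is likely to put request-level detail on stdout that a production controller should not emit; later kubebuilder scaffolds lowered this to `- "--v=0"`, and a strategic-merge patch in this function can do the same without editing the kpt-synced copy. `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0` is pinned only by a mutable tag, whereas the SIP sources in the Kptfiles are pinned by commit; if the function's version catalog can carry this image reference as well, it should, so both images are pinned and updated through the same mechanism.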
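--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert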
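--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+# This patch add annotation to admission webhook config and
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)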
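--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+  name: upstream/manager
+upstream:
+  type: git
+  git:
+    commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
+    repo: https://opendev.org/airship/sip
+    directory: config/manager
+    ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b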
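--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,2 @@
+resources:
+- manager.yaml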
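--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+      - command:
+        - /manager
+        args:
+        - --enable-leader-election
+        image: quay.io/airshipit/sip
+        imagePullPolicy: IfNotPresent
+        name: manager
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+      terminationGracePeriodSeconds: 10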
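Review bot: The `manager` container in the Deployment has no `securityContext`, and the pod spec has none either, so the controller runs as whatever user the image defaults to, with privilege escalation allowed and a writable root filesystem by default. Because this manifest is synced from upstream by kpt, the least-invasive fix is a strategic-merge patch in this function that sets the container-level fields shown below, leaving the synced copy untouched. The untagged `image: quay.io/airshipit/sip` is presumably rewritten by an image replacement outside this hunk; that should be confirmed, since `imagePullPolicy: IfNotPresent` with a floating reference would otherwise run whichever image is already cached on the node.
```yaml
      containers:
      - name: manager
        # … unchanged: command, args, image, resources …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```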
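--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,11 @@
+apiVersion: kpt.dev/v1alpha1
+kind: Kptfile
+metadata:
+  name: upstream/rbac
+upstream:
+  type: git
+  git:
+    commit: eac22786d83f1a4f524f9f32ea36bb57b164ea1b
+    repo: https://opendev.org/airship/sip
+    directory: config/rbac
+    ref: eac22786d83f1a4f524f9f32ea36bb57b164ea1b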
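--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,7 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]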
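Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on the `metrics-reader` ClusterRole is the only RBAC object in this commit still on v1beta1; every other Role, ClusterRole and binding uses `rbac.authorization.k8s.io/v1`. The v1beta1 RBAC API is deprecated and was removed in Kubernetes 1.22, so this one manifest will fail to apply there while the rest of the function keeps working. `apiVersion: rbac.authorization.k8s.io/v1` is a drop-in replacement; as this is upstream-synced content the change belongs upstream or in a kustomize patch in this function.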
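--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]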
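--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: sipcluster-system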
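Review bot: The binding's subject is the `default` ServiceAccount in `sipcluster-system`, and the same subject is used by `leader-election-rolebinding`, `manager-rolebinding` and the three scheduler bindings later in this commit. Every pod created in that namespace without an explicit `serviceAccountName` runs as `default`, so any such pod inherits the manager's cluster-wide rights on baremetalhosts, secrets and namespaces, not just the controller-manager Deployment. The usual fix is a dedicated ServiceAccount declared alongside the Deployment, set as its `serviceAccountName`, and named in each `subjects:` entry; since these are kpt-synced upstream files, the change belongs upstream or in a kustomize patch in this function.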
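--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager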
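--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+resources:
+- role.yaml
+- role_binding.yaml
+- sipcluster_scheduler_role.yaml
+- sipcluster_scheduler_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml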
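--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete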
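--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: sipcluster-system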
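--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,37 @@
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+- apiGroups:
+  - airship.airshipit.org
+  resources:
+  - sipclusters
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - airship.airshipit.org
+  resources:
+  - sipclusters/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - metal3.io
+  resources:
+  - baremetalhosts
+  verbs:
+  - get
+  - list
+  - patch
+  - update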
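--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: sipcluster-system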
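--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,24 @@
+# permissions for end users to edit sipclusters.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sipcluster-editor-role
+rules:
+- apiGroups:
+  - airship.airshipit.org
+  resources:
+  - sipclusters
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - airship.airshipit.org
+  resources:
+  - sipclusters/status
+  verbs:
+  - get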
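--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: scheduler-rolebinding
+  namespace: metal3
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: scheduler-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: sipcluster-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-scheduler-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-scheduler-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: sipcluster-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-infra-service-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sipcluster-infra-service
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: sipcluster-system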
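--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,80 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: scheduler-role
+  namespace: metal3
+rules:
+- apiGroups:
+  - metal3.io
+  resources:
+  - baremetalhosts
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cluster-scheduler-role
+rules:
+- apiGroups:
+  - metal3.io
+  resources:
+  - baremetalhosts
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - secrets
+  verbs:
+  - create
+  - delete
+  - update
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sipcluster-infra-service
+rules:
+- apiGroups:
+  - ""
+  - apps
+  resources:
+  - configmaps
+  - deployments
+  - services
+  verbs:
+  - create
+  - delete
+  - update
+  - get
+  - list
+  - watch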
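Review bot: The second and third rules of `cluster-scheduler-role` grant `get`/`list`/`watch` and then `create`/`delete`/`update` on `secrets` at cluster scope; `list` and `watch` on secrets cluster-wide is read access to every Secret in the cluster, not only the ones the scheduler creates for tenant clusters, which makes this the highest-impact grant in the commit, and it is bound to the `default` ServiceAccount in the bindings file. The namespaced `scheduler-role` in `metal3` already covers the baremetalhost and secret reads the scheduler presumably needs there, so the ClusterRole's `metal3.io` rule duplicates it at wider scope. If the controller only needs secrets in the namespaces it creates itself (the third rule already allows creating namespaces), the secret write and list rights could be scoped to those namespaces with a Role and RoleBinding created alongside each namespace, leaving the ClusterRole with `get` by name. Since this is kpt-synced upstream content the narrowing belongs upstream; until then the function's documentation should state plainly what the manager can read and modify cluster-wide.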
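--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,20 @@
+# permissions for end users to view sipclusters.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: sipcluster-viewer-role
+rules:
+- apiGroups:
+  - airship.airshipit.org
+  resources:
+  - sipclusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - airship.airshipit.org
+  resources:
+  - sipclusters/status
+  verbs:
+  - get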