From 35b1570d1879e3606e9eb1063699025f567a0c64 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer
Date: Sat, 21 Nov 2020 04:24:57 -0800
Subject: [PATCH] Update of various components, new aroless bootstrap working

---
charts/fluent-bit | 1 -
charts/kubezero-argo-cd/Chart.yaml | 4 +-
.../kubezero-argo-cd/templates/project.yaml | 1 -
charts/kubezero-argo-cd/values.yaml | 2 +-
charts/kubezero-calico/Chart.yaml | 4 +-
charts/kubezero-calico/README.md | 3 +-
charts/kubezero-calico/calico-v3.15.patch | 101 -
charts/kubezero-calico/calico-v3.16.5.patch | 3359 +++++++++++++++++
charts/kubezero-calico/crds/crds.yaml | 34 +
charts/kubezero-calico/templates/crds.yaml | 6 -
charts/kubezero-calico/values.yaml | 2 -
charts/kubezero-cert-manager/Chart.yaml | 5 +-
charts/kubezero-cert-manager/README.md | 8 +-
.../templates/cluster-ca.yaml | 19 +-
.../templates/cluster-issuer.yaml | 2 +-
charts/kubezero-cert-manager/values.yaml | 17 +-
charts/kubezero-istio/Chart.yaml | 4 +-
charts/kubezero-istio/README.md | 5 +-
.../istio-operator/templates/clusterrole.yaml | 1 +
.../istio-base.yaml => crds/crd-all.gen.yaml} | 3022 +++++++-------
charts/kubezero-istio/crds/crd-mixer.yaml | 82 +
charts/kubezero-istio/crds/crd-operator.yaml | 74 +
.../kubezero-istio/templates/envoyfilter.yaml | 2 +
.../templates/ingress-certificate.yaml | 2 +-
.../templates/ingress-gateway.yaml | 19 +-
.../templates/istio-private-ingress.yaml | 10 +
charts/kubezero-istio/templates/istio.yaml | 6 +
charts/kubezero-istio/update.sh | 18 +-
charts/kubezero-istio/values.yaml | 5 +-
charts/kubezero-kiam/Chart.yaml | 4 +-
charts/kubezero-kiam/README.md | 12 +-
.../kubezero-kiam/templates/certificates.yaml | 8 +-
charts/kubezero-kiam/values.yaml | 10 +-
charts/kubezero-logging/Chart.yaml | 8 +-
charts/kubezero-logging/eck/all-in-one.yaml | 3008 --------------
.../kubezero-logging/eck/kustomization.yaml | 6 -
charts/kubezero-logging/eck/map-operator.yaml | 14 -
charts/kubezero-logging/eck/update.sh | 7 -
.../templates/eck/eck-operator.yaml | 3059 --------------
charts/kubezero-logging/values-all.yaml | 6 +-
charts/kubezero-logging/values-remote-es.yaml | 0
charts/kubezero-logging/values.yaml | 12 +-
charts/kubezero-metrics/Chart.yaml | 7 +-
charts/kubezero-metrics/README.md | 18 +-
.../templates/istio-service.yaml | 2 +
charts/kubezero-metrics/values.yaml | 33 +-
charts/kubezero-redis/.helmignore | 23 +
charts/kubezero-redis/Chart.yaml | 20 +
charts/kubezero-redis/README.md | 44 +
charts/kubezero-redis/README.md.gotmpl | 26 +
.../templates/istio-authorization-policy.yaml | 26 +
.../templates/istio-service.yaml | 22 +
charts/kubezero-redis/values.yaml | 27 +
charts/kubezero/README.md | 2 +-
deploy/bootstrap.sh | 334 +-
deploy/deploy.sh | 82 +-
deploy/templates/values.yaml | 5 +
deploy/values-step-1.yaml | 17 -
deploy/values-step-2.yaml | 17 -
deploy/values-step-3.yaml | 17 -
deploy/values-step-4.yaml | 16 -
deploy/values-step-5.yaml | 9 -
deploy/values-step-6.yaml | 6 -
deploy/values.yaml | 7 +-
64 files changed, 5545 insertions(+), 8187 deletions(-)
delete mode 120000 charts/fluent-bit
delete mode 100644 charts/kubezero-calico/calico-v3.15.patch
create mode 100644 charts/kubezero-calico/calico-v3.16.5.patch
delete mode 100644 charts/kubezero-calico/templates/crds.yaml
rename charts/kubezero-istio/{templates/istio-base.yaml => crds/crd-all.gen.yaml} (97%)
create mode 100644 charts/kubezero-istio/crds/crd-mixer.yaml
create mode 100644 charts/kubezero-istio/crds/crd-operator.yaml
delete mode 100644 charts/kubezero-logging/eck/all-in-one.yaml
delete mode 100644 charts/kubezero-logging/eck/kustomization.yaml
delete mode 100644 charts/kubezero-logging/eck/map-operator.yaml
delete mode 100755 charts/kubezero-logging/eck/update.sh
delete mode 100644 charts/kubezero-logging/templates/eck/eck-operator.yaml
delete mode 100644 charts/kubezero-logging/values-remote-es.yaml
create mode 100644 charts/kubezero-redis/.helmignore
create mode 100644 charts/kubezero-redis/Chart.yaml
create mode 100644 charts/kubezero-redis/README.md
create
mode 100644 charts/kubezero-redis/README.md.gotmpl create mode 100644 charts/kubezero-redis/templates/istio-authorization-policy.yaml create mode 100644 charts/kubezero-redis/templates/istio-service.yaml create mode 100644 charts/kubezero-redis/values.yaml delete mode 100644 deploy/values-step-1.yaml delete mode 100644 deploy/values-step-2.yaml delete mode 100644 deploy/values-step-3.yaml delete mode 100644 deploy/values-step-4.yaml delete mode 100644 deploy/values-step-5.yaml delete mode 100644 deploy/values-step-6.yaml diff --git a/charts/fluent-bit b/charts/fluent-bit deleted file mode 120000 index cd73d773..00000000 --- a/charts/fluent-bit +++ /dev/null @@ -1 +0,0 @@ -../../helm-charts/charts/fluent-bit \ No newline at end of file diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml index 93427001..0f6a3726 100644 --- a/charts/kubezero-argo-cd/Chart.yaml +++ b/charts/kubezero-argo-cd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application name: kubezero-argo-cd -version: 0.6.0 +version: 0.6.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,6 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: argo-cd - version: 2.9.3 + version: 2.9.5 repository: https://argoproj.github.io/argo-helm kubeVersion: ">= 1.17.0" diff --git a/charts/kubezero-argo-cd/templates/project.yaml b/charts/kubezero-argo-cd/templates/project.yaml index 8bf499f5..c0335253 100644 --- a/charts/kubezero-argo-cd/templates/project.yaml +++ b/charts/kubezero-argo-cd/templates/project.yaml @@ -12,7 +12,6 @@ spec: sourceRepos: - '*' - # Only permit applications to deploy to the guestbook namespace in the same cluster destinations: - namespace: argocd server: https://kubernetes.default.svc 
diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argo-cd/values.yaml index 732571df..5191c632 100644 --- a/charts/kubezero-argo-cd/values.yaml +++ b/charts/kubezero-argo-cd/values.yaml @@ -31,7 +31,7 @@ argo-cd: global: image: - tag: v1.7.8 + tag: v1.7.10 controller: args: diff --git a/charts/kubezero-calico/Chart.yaml b/charts/kubezero-calico/Chart.yaml index 46adbe13..f346a5f4 100644 --- a/charts/kubezero-calico/Chart.yaml +++ b/charts/kubezero-calico/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-calico description: KubeZero Umbrella Chart for Calico type: application -version: 0.2.0 -appVersion: v3.16.1 +version: 0.2.1 +appVersion: v3.16.5 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-calico/README.md b/charts/kubezero-calico/README.md index 8b947f8a..e660c3bf 100644 --- a/charts/kubezero-calico/README.md +++ b/charts/kubezero-calico/README.md @@ -1,6 +1,6 @@ # kubezero-calico -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square) +![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square) KubeZero Umbrella Chart for Calico @@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from | Key | Type | Default | Description | |-----|------|---------|-------------| | image.tag | string | `""` | | -| installCRDs | bool | `false` | | | loglevel | string | `"Warning"` | | | mtu | int | `8941` | | | network | string | `"vxlan"` | | 
diff --git a/charts/kubezero-calico/calico-v3.15.patch b/charts/kubezero-calico/calico-v3.15.patch
deleted file mode 100644
index 786d2906..00000000
--- a/charts/kubezero-calico/calico-v3.15.patch
+++ /dev/null
@@ -1,101 +0,0 @@ ---- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100 -+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100 -@@ -10,13 +10,13 @@ - # Typha is disabled. - typha_service_name: "none" - # Configure the backend to use. -- calico_backend: "bird" -+ calico_backend: "vxlan" - # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. -- veth_mtu: "1410" -+ veth_mtu: "8941" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. -@@ -3451,29 +3451,6 @@ - terminationGracePeriodSeconds: 0 - priorityClassName: system-node-critical - initContainers: -- # This container performs upgrade from host-local IPAM to calico-ipam. -- # It can be deleted if this is a fresh installation, or if you have already -- # upgraded to use calico-ipam. -- - name: upgrade-ipam -- image: calico/cni:v3.15.0 -- command: ["/opt/cni/bin/calico-ipam", "-upgrade"] -- env: -- - name: KUBERNETES_NODE_NAME -- valueFrom: -- fieldRef: -- fieldPath: spec.nodeName -- - name: CALICO_NETWORKING_BACKEND -- valueFrom: -- configMapKeyRef: -- name: calico-config -- key: calico_backend -- volumeMounts: -- - mountPath: /var/lib/cni/networks -- name: host-local-net-dir -- - mountPath: /host/opt/cni/bin -- name: cni-bin-dir -- securityContext: -- privileged: true - # This container installs the CNI binaries - # and CNI network config file on each node. - - name: install-cni -@@ -3545,7 +3522,7 @@ - key: calico_backend - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE -- value: "k8s,bgp" -+ value: "k8s,kubeadm" - # Auto-detect the BGP IP address. 
- - name: IP - value: "autodetect" -@@ -3554,7 +3531,7 @@ - value: "Never" - # Enable or Disable VXLAN on the default IP pool. - - name: CALICO_IPV4POOL_VXLAN -- value: "CrossSubnet" -+ value: "Always" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - valueFrom: -@@ -3595,9 +3572,17 @@ - value: "false" - # Set Felix logging to "info" - - name: FELIX_LOGSEVERITYSCREEN -- value: "info" -+ value: "Warning" -+ - name: FELIX_LOGSEVERITYFILE -+ value: "Warning" -+ - name: FELIX_LOGSEVERITYSYS -+ value: "" - - name: FELIX_HEALTHENABLED - value: "true" -+ - name: FELIX_PROMETHEUSGOMETRICSENABLED -+ value: "false" -+ - name: FELIX_PROMETHEUSMETRICSENABLED -+ value: "true" - securityContext: - privileged: true - resources: -@@ -3608,7 +3593,6 @@ - command: - - /bin/calico-node - - -felix-live -- - -bird-live - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 -@@ -3617,7 +3601,6 @@ - command: - - /bin/calico-node - - -felix-ready -- - -bird-ready - periodSeconds: 10 - volumeMounts: - - mountPath: /lib/modules diff --git a/charts/kubezero-calico/calico-v3.16.5.patch b/charts/kubezero-calico/calico-v3.16.5.patch new file mode 100644 index 00000000..0db98ff9 --- /dev/null +++ b/charts/kubezero-calico/calico-v3.16.5.patch 
@@ -0,0 +1,3359 @@ +--- calico-vxlan.yaml 2020-11-17 08:12:04.783766338 -0800 ++++ templates/calico.yaml 2020-11-17 08:10:35.583765716 -0800 +@@ -10,13 +10,13 @@ + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. +- calico_backend: "vxlan" ++ calico_backend: "{{ .Values.network }}" + # Configure the MTU to use for workload interfaces and tunnels. + # - If Wireguard is enabled, set to your network MTU - 60 + # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 + # - Otherwise, if IPIP is enabled, set to your network MTU - 20 + # - Otherwise, if not using any encapsulation, set to your network MTU. +- veth_mtu: "1410" ++ veth_mtu: "{{ .Values.mtu }}" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. +@@ -55,3230 +55,6 @@ + } + + --- +-# Source: calico/templates/kdd-crds.yaml +- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: bgpconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BGPConfiguration +- listKind: BGPConfigurationList +- plural: bgpconfigurations +- singular: bgpconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: BGPConfiguration contains the configuration for any BGP routing. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. 
Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BGPConfigurationSpec contains the values of the BGP configuration. +- properties: +- asNumber: +- description: 'ASNumber is the default AS number used by a node. [Default: +- 64512]' +- format: int32 +- type: integer +- communities: +- description: Communities is a list of BGP community values and their +- arbitrary names for tagging routes. +- items: +- description: Community contains standard or large community value +- and its name. +- properties: +- name: +- description: Name given to community value. +- type: string +- value: +- description: Value must be of format `aa:nn` or `aa:nn:mm`. +- For standard community use `aa:nn` format, where `aa` and +- `nn` are 16 bit number. For large community use `aa:nn:mm` +- format, where `aa`, `nn` and `mm` are 32 bit number. Where, +- `aa` is an AS Number, `nn` and `mm` are per-AS identifier. +- pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ +- type: string +- type: object +- type: array +- listenPort: +- description: ListenPort is the port where BGP protocol should listen. +- Defaults to 179 +- maximum: 65535 +- minimum: 1 +- type: integer +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: INFO]' +- type: string +- nodeToNodeMeshEnabled: +- description: 'NodeToNodeMeshEnabled sets whether full node to node +- BGP mesh is enabled. [Default: true]' +- type: boolean +- prefixAdvertisements: +- description: PrefixAdvertisements contains per-prefix advertisement +- configuration. +- items: +- description: PrefixAdvertisement configures advertisement properties +- for the specified CIDR. 
+- properties: +- cidr: +- description: CIDR for which properties should be advertised. +- type: string +- communities: +- description: Communities can be list of either community names +- already defined in `Specs.Communities` or community value +- of format `aa:nn` or `aa:nn:mm`. For standard community use +- `aa:nn` format, where `aa` and `nn` are 16 bit number. For +- large community use `aa:nn:mm` format, where `aa`, `nn` and +- `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and +- `mm` are per-AS identifier. +- items: +- type: string +- type: array +- type: object +- type: array +- serviceClusterIPs: +- description: ServiceClusterIPs are the CIDR blocks from which service +- cluster IPs are allocated. If specified, Calico will advertise these +- blocks, as well as any cluster IPs within them. +- items: +- description: ServiceClusterIPBlock represents a single allowed ClusterIP +- CIDR block. +- properties: +- cidr: +- type: string +- type: object +- type: array +- serviceExternalIPs: +- description: ServiceExternalIPs are the CIDR blocks for Kubernetes +- Service External IPs. Kubernetes Service ExternalIPs will only be +- advertised if they are within one of these blocks. +- items: +- description: ServiceExternalIPBlock represents a single allowed +- External IP CIDR block. 
+- properties: +- cidr: +- type: string +- type: object +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: bgppeers.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BGPPeer +- listKind: BGPPeerList +- plural: bgppeers +- singular: bgppeer +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BGPPeerSpec contains the specification for a BGPPeer resource. +- properties: +- asNumber: +- description: The AS Number of the peer. +- format: int32 +- type: integer +- keepOriginalNextHop: +- description: Option to keep the original nexthop field when routes +- are sent to a BGP Peer. Setting "true" configures the selected BGP +- Peers node to use the "next hop keep;" instead of "next hop self;"(default) +- in the specific branch of the Node on "bird.cfg". 
+- type: boolean +- node: +- description: The node name identifying the Calico node instance that +- is peering with this peer. If this is not set, this represents a +- global peer, i.e. a peer that peers with every node in the deployment. +- type: string +- nodeSelector: +- description: Selector for the nodes that should have this peering. When +- this is set, the Node field must be empty. +- type: string +- password: +- description: Optional BGP password for the peerings generated by this +- BGPPeer resource. +- properties: +- secretKeyRef: +- description: Selects a key of a secret in the node pod's namespace. +- properties: +- key: +- description: The key of the secret to select from. Must be +- a valid secret key. +- type: string +- name: +- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +- TODO: Add other useful fields. apiVersion, kind, uid?' +- type: string +- optional: +- description: Specify whether the Secret or its key must be +- defined +- type: boolean +- required: +- - key +- type: object +- type: object +- peerIP: +- description: The IP address of the peer followed by an optional port +- number to peer with. If port number is given, format should be `[]:port` +- or `:` for IPv4. If optional port number is not set, +- and this peer IP and ASNumber belongs to a calico/node with ListenPort +- set in BGPConfiguration, then we use that port to peer. +- type: string +- peerSelector: +- description: Selector for the remote nodes to peer with. When this +- is set, the PeerIP and ASNumber fields must be empty. For each +- peering between the local node and selected remote nodes, we configure +- an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, +- and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The +- remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, +- or the global default if that is not set. 
+- type: string +- required: +- - asNumber +- - peerIP +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: blockaffinities.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BlockAffinity +- listKind: BlockAffinityList +- plural: blockaffinities +- singular: blockaffinity +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BlockAffinitySpec contains the specification for a BlockAffinity +- resource. +- properties: +- cidr: +- type: string +- deleted: +- description: Deleted indicates that this block affinity is being deleted. +- This field is a string for compatibility with older releases that +- mistakenly treat this field as a string. 
+- type: string +- node: +- type: string +- state: +- type: string +- required: +- - cidr +- - deleted +- - node +- - state +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: clusterinformations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: ClusterInformation +- listKind: ClusterInformationList +- plural: clusterinformations +- singular: clusterinformation +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: ClusterInformation contains the cluster specific information. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: ClusterInformationSpec contains the values of describing +- the cluster. 
+- properties: +- calicoVersion: +- description: CalicoVersion is the version of Calico that the cluster +- is running +- type: string +- clusterGUID: +- description: ClusterGUID is the GUID of the cluster +- type: string +- clusterType: +- description: ClusterType describes the type of the cluster +- type: string +- datastoreReady: +- description: DatastoreReady is used during significant datastore migrations +- to signal to components such as Felix that it should wait before +- accessing the datastore. +- type: boolean +- variant: +- description: Variant declares which variant of Calico should be active. +- type: string +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: felixconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: FelixConfiguration +- listKind: FelixConfigurationList +- plural: felixconfigurations +- singular: felixconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: Felix Configuration contains the configuration for Felix. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: FelixConfigurationSpec contains the values of the Felix configuration. +- properties: +- allowIPIPPacketsFromWorkloads: +- description: 'AllowIPIPPacketsFromWorkloads controls whether Felix +- will add a rule to drop IPIP encapsulated traffic from workloads +- [Default: false]' +- type: boolean +- allowVXLANPacketsFromWorkloads: +- description: 'AllowVXLANPacketsFromWorkloads controls whether Felix +- will add a rule to drop VXLAN encapsulated traffic from workloads +- [Default: false]' +- type: boolean +- awsSrcDstCheck: +- description: 'Set source-destination-check on AWS EC2 instances. Accepted +- value must be one of "DoNothing", "Enabled" or "Disabled". [Default: +- DoNothing]' +- enum: +- - DoNothing +- - Enable +- - Disable +- type: string +- bpfConnectTimeLoadBalancingEnabled: +- description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, +- controls whether Felix installs the connection-time load balancer. The +- connect-time load balancer is required for the host to be able to +- reach Kubernetes services and it improves the performance of pod-to-service +- connections. The only reason to disable it is for debugging purposes. [Default: +- true]' +- type: boolean +- bpfDataIfacePattern: +- description: 'BPFDataIfacePattern is a regular expression that controls +- which interfaces Felix should attach BPF programs to in order to +- catch traffic to/from the network. This needs to match the interfaces +- that Calico workload traffic flows over as well as any interfaces +- that handle incoming traffic to nodeports and services from outside +- the cluster. It should not match the workload interfaces (usually +- named cali...). 
[Default: ^(en.*|eth.*|tunl0$)]' +- type: string +- bpfDisableUnprivileged: +- description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled +- sysctl to disable unprivileged use of BPF. This ensures that unprivileged +- users cannot access Calico''s BPF maps and cannot insert their own +- BPF programs to interfere with Calico''s. [Default: true]' +- type: boolean +- bpfEnabled: +- description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. +- [Default: false]' +- type: boolean +- bpfExternalServiceMode: +- description: 'BPFExternalServiceMode in BPF mode, controls how connections +- from outside the cluster to services (node ports and cluster IPs) +- are forwarded to remote workloads. If set to "Tunnel" then both +- request and response traffic is tunneled to the remote node. If +- set to "DSR", the request traffic is tunneled but the response traffic +- is sent directly from the remote node. In "DSR" mode, the remote +- node appears to use the IP of the ingress node; this requires a +- permissive L2 network. [Default: Tunnel]' +- type: string +- bpfKubeProxyEndpointSlicesEnabled: +- description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls +- whether Felix's embedded kube-proxy accepts EndpointSlices or not. +- type: boolean +- bpfKubeProxyIptablesCleanupEnabled: +- description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF +- mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s +- iptables chains. Should only be enabled if kube-proxy is not running. [Default: +- true]' +- type: boolean +- bpfKubeProxyMinSyncPeriod: +- description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the +- minimum time between updates to the dataplane for Felix''s embedded +- kube-proxy. Lower values give reduced set-up latency. Higher values +- reduce Felix CPU usage by batching up more work. 
[Default: 1s]' +- type: string +- bpfLogLevel: +- description: 'BPFLogLevel controls the log level of the BPF programs +- when in BPF dataplane mode. One of "Off", "Info", or "Debug". The +- logs are emitted to the BPF trace pipe, accessible with the command +- `tc exec bpf debug`. [Default: Off].' +- type: string +- chainInsertMode: +- description: 'ChainInsertMode controls whether Felix hooks the kernel’s +- top-level iptables chains by inserting a rule at the top of the +- chain or by appending a rule at the bottom. insert is the safe default +- since it prevents Calico’s rules from being bypassed. If you switch +- to append mode, be sure that the other rules in the chains signal +- acceptance by falling through to the Calico rules, otherwise the +- Calico policy will be bypassed. [Default: insert]' +- type: string +- dataplaneDriver: +- type: string +- debugDisableLogDropping: +- type: boolean +- debugMemoryProfilePath: +- type: string +- debugSimulateCalcGraphHangAfter: +- type: string +- debugSimulateDataplaneHangAfter: +- type: string +- defaultEndpointToHostAction: +- description: 'DefaultEndpointToHostAction controls what happens to +- traffic that goes from a workload endpoint to the host itself (after +- the traffic hits the endpoint egress policy). By default Calico +- blocks traffic from workload endpoints to the host itself with an +- iptables “DROP” action. If you want to allow some or all traffic +- from endpoint to host, set this parameter to RETURN or ACCEPT. Use +- RETURN if you have your own rules in the iptables “INPUT” chain; +- Calico will insert its rules at the top of that chain, then “RETURN” +- packets to the “INPUT” chain once it has completed processing workload +- endpoint egress policy. Use ACCEPT to unconditionally accept packets +- from workloads after processing workload endpoint egress policy. 
+- [Default: Drop]' +- type: string +- deviceRouteProtocol: +- description: This defines the route protocol added to programmed device +- routes, by default this will be RTPROT_BOOT when left blank. +- type: integer +- deviceRouteSourceAddress: +- description: This is the source address to use on programmed device +- routes. By default the source address is left blank, leaving the +- kernel to choose the source address used. +- type: string +- disableConntrackInvalidCheck: +- type: boolean +- endpointReportingDelay: +- type: string +- endpointReportingEnabled: +- type: boolean +- externalNodesList: +- description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes +- which may source tunnel traffic and have the tunneled traffic be +- accepted at calico nodes. +- items: +- type: string +- type: array +- failsafeInboundHostPorts: +- description: 'FailsafeInboundHostPorts is a comma-delimited list of +- UDP/TCP ports that Felix will allow incoming traffic to host endpoints +- on irrespective of the security policy. This is useful to avoid +- accidentally cutting off a host with incorrect configuration. Each +- port should be specified as tcp: or udp:. +- For back-compatibility, if the protocol is not specified, it defaults +- to “tcp”. To disable all inbound host ports, use the value none. +- The default value allows ssh access and DHCP. [Default: tcp:22, +- udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' +- items: +- description: ProtoPort is combination of protocol and port, both +- must be specified. +- properties: +- port: +- type: integer +- protocol: +- type: string +- required: +- - port +- - protocol +- type: object +- type: array +- failsafeOutboundHostPorts: +- description: 'FailsafeOutboundHostPorts is a comma-delimited list +- of UDP/TCP ports that Felix will allow outgoing traffic from host +- endpoints to irrespective of the security policy. 
This is useful +- to avoid accidentally cutting off a host with incorrect configuration. +- Each port should be specified as tcp: or udp:. +- For back-compatibility, if the protocol is not specified, it defaults +- to “tcp”. To disable all outbound host ports, use the value none. +- The default value opens etcd’s standard ports to ensure that Felix +- does not get cut off from etcd as well as allowing DHCP and DNS. +- [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, +- udp:53, udp:67]' +- items: +- description: ProtoPort is combination of protocol and port, both +- must be specified. +- properties: +- port: +- type: integer +- protocol: +- type: string +- required: +- - port +- - protocol +- type: object +- type: array +- featureDetectOverride: +- description: FeatureDetectOverride is used to override the feature +- detection. Values are specified in a comma separated list with no +- spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". +- "true" or "false" will force the feature, empty or omitted values +- are auto-detected. +- type: string +- genericXDPEnabled: +- description: 'GenericXDPEnabled enables Generic XDP so network cards +- that don''t support XDP offload or driver modes can use XDP. This +- is not recommended since it doesn''t provide better performance +- than iptables. [Default: false]' +- type: boolean +- healthEnabled: +- type: boolean +- healthHost: +- type: string +- healthPort: +- type: integer +- interfaceExclude: +- description: 'InterfaceExclude is a comma-separated list of interfaces +- that Felix should exclude when monitoring for host endpoints. The +- default value ensures that Felix ignores Kubernetes'' IPVS dummy +- interface, which is used internally by kube-proxy. If you want to +- exclude multiple interface names using a single value, the list +- supports regular expressions. For regular expressions you must wrap +- the value with ''/''. 
For example having values ''/^kube/,veth1'' +- will exclude all interfaces that begin with ''kube'' and also the +- interface ''veth1''. [Default: kube-ipvs0]' +- type: string +- interfacePrefix: +- description: 'InterfacePrefix is the interface name prefix that identifies +- workload endpoints and so distinguishes them from host endpoint +- interfaces. Note: in environments other than bare metal, the orchestrators +- configure this appropriately. For example our Kubernetes and Docker +- integrations set the ‘cali’ value, and our OpenStack integration +- sets the ‘tap’ value. [Default: cali]' +- type: string +- interfaceRefreshInterval: +- description: InterfaceRefreshInterval is the period at which Felix +- rescans local interfaces to verify their state. The rescan can be +- disabled by setting the interval to 0. +- type: string +- ipipEnabled: +- type: boolean +- ipipMTU: +- description: 'IPIPMTU is the MTU to set on the tunnel device. See +- Configuring MTU [Default: 1440]' +- type: integer +- ipsetsRefreshInterval: +- description: 'IpsetsRefreshInterval is the period at which Felix re-checks +- all iptables state to ensure that no other process has accidentally +- broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: +- 90s]' +- type: string +- iptablesBackend: +- description: IptablesBackend specifies which backend of iptables will +- be used. The default is legacy. +- type: string +- iptablesFilterAllowAction: +- type: string +- iptablesLockFilePath: +- description: 'IptablesLockFilePath is the location of the iptables +- lock file. You may need to change this if the lock file is not in +- its standard location (for example if you have mapped it into Felix’s +- container at a different path). [Default: /run/xtables.lock]' +- type: string +- iptablesLockProbeInterval: +- description: 'IptablesLockProbeInterval is the time that Felix will +- wait between attempts to acquire the iptables lock if it is not +- available. 
Lower values make Felix more responsive when the lock +- is contended, but use more CPU. [Default: 50ms]' +- type: string +- iptablesLockTimeout: +- description: 'IptablesLockTimeout is the time that Felix will wait +- for the iptables lock, or 0, to disable. To use this feature, Felix +- must share the iptables lock file with all other processes that +- also take the lock. When running Felix inside a container, this +- requires the /run directory of the host to be mounted into the calico/node +- or calico/felix container. [Default: 0s disabled]' +- type: string +- iptablesMangleAllowAction: +- type: string +- iptablesMarkMask: +- description: 'IptablesMarkMask is the mask that Felix selects its +- IPTables Mark bits from. Should be a 32 bit hexadecimal number with +- at least 8 bits set, none of which clash with any other mark bits +- in use on the system. [Default: 0xff000000]' +- format: int32 +- type: integer +- iptablesNATOutgoingInterfaceFilter: +- type: string +- iptablesPostWriteCheckInterval: +- description: 'IptablesPostWriteCheckInterval is the period after Felix +- has done a write to the dataplane that it schedules an extra read +- back in order to check the write was not clobbered by another process. +- This should only occur if another application on the system doesn’t +- respect the iptables lock. [Default: 1s]' +- type: string +- iptablesRefreshInterval: +- description: 'IptablesRefreshInterval is the period at which Felix +- re-checks the IP sets in the dataplane to ensure that no other process +- has accidentally broken Calico’s rules. Set to 0 to disable IP sets +- refresh. Note: the default for this value is lower than the other +- refresh intervals as a workaround for a Linux kernel bug that was +- fixed in kernel version 4.11. If you are using v4.11 or greater +- you may want to set this to, a higher value to reduce Felix CPU +- usage. 
[Default: 10s]' +- type: string +- ipv6Support: +- type: boolean +- kubeNodePortRanges: +- description: 'KubeNodePortRanges holds list of port ranges used for +- service node ports. Only used if felix detects kube-proxy running +- in ipvs mode. Felix uses these ranges to separate host and workload +- traffic. [Default: 30000:32767].' +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- logFilePath: +- description: 'LogFilePath is the full path to the Felix log. Set to +- none to disable file logging. [Default: /var/log/calico/felix.log]' +- type: string +- logPrefix: +- description: 'LogPrefix is the log prefix that Felix uses when rendering +- LOG rules. [Default: calico-packet]' +- type: string +- logSeverityFile: +- description: 'LogSeverityFile is the log severity above which logs +- are sent to the log file. [Default: Info]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: Info]' +- type: string +- logSeveritySys: +- description: 'LogSeveritySys is the log severity above which logs +- are sent to the syslog. Set to None for no logging to syslog. [Default: +- Info]' +- type: string +- maxIpsetSize: +- type: integer +- metadataAddr: +- description: 'MetadataAddr is the IP address or domain name of the +- server that can answer VM queries for cloud-init metadata. In OpenStack, +- this corresponds to the machine running nova-api (or in Ubuntu, +- nova-api-metadata). A value of none (case insensitive) means that +- Felix should not set up any NAT rule for the metadata path. [Default: +- 127.0.0.1]' +- type: string +- metadataPort: +- description: 'MetadataPort is the port of the metadata server. This, +- combined with global.MetadataAddr (if not ‘None’), is used to set +- up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 
+- In most cases this should not need to be changed [Default: 8775].' +- type: integer +- natOutgoingAddress: +- description: NATOutgoingAddress specifies an address to use when performing +- source NAT for traffic in a natOutgoing pool that is leaving the +- network. By default the address used is an address on the interface +- the traffic is leaving on (ie it uses the iptables MASQUERADE target) +- type: string +- natPortRange: +- anyOf: +- - type: integer +- - type: string +- description: NATPortRange specifies the range of ports that is used +- for port mapping when doing outgoing NAT. When unset the default +- behavior of the network stack is used. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- netlinkTimeout: +- type: string +- openstackRegion: +- description: 'OpenstackRegion is the name of the region that a particular +- Felix belongs to. In a multi-region Calico/OpenStack deployment, +- this must be configured somehow for each Felix (here in the datamodel, +- or in felix.cfg or the environment on each compute node), and must +- match the [calico] openstack_region value configured in neutron.conf +- on each node. [Default: Empty]' +- type: string +- policySyncPathPrefix: +- description: 'PolicySyncPathPrefix is used to by Felix to communicate +- policy changes to external services, like Application layer policy. +- [Default: Empty]' +- type: string +- prometheusGoMetricsEnabled: +- description: 'PrometheusGoMetricsEnabled disables Go runtime metrics +- collection, which the Prometheus client does by default, when set +- to false. This reduces the number of metrics reported, reducing +- Prometheus load. [Default: true]' +- type: boolean +- prometheusMetricsEnabled: +- description: 'PrometheusMetricsEnabled enables the Prometheus metrics +- server in Felix if set to true. [Default: false]' +- type: boolean +- prometheusMetricsHost: +- description: 'PrometheusMetricsHost is the host that the Prometheus +- metrics server should bind to. 
[Default: empty]' +- type: string +- prometheusMetricsPort: +- description: 'PrometheusMetricsPort is the TCP port that the Prometheus +- metrics server should bind to. [Default: 9091]' +- type: integer +- prometheusProcessMetricsEnabled: +- description: 'PrometheusProcessMetricsEnabled disables process metrics +- collection, which the Prometheus client does by default, when set +- to false. This reduces the number of metrics reported, reducing +- Prometheus load. [Default: true]' +- type: boolean +- removeExternalRoutes: +- description: Whether or not to remove device routes that have not +- been programmed by Felix. Disabling this will allow external applications +- to also add device routes. This is enabled by default which means +- we will remove externally added routes. +- type: boolean +- reportingInterval: +- description: 'ReportingInterval is the interval at which Felix reports +- its status into the datastore or 0 to disable. Must be non-zero +- in OpenStack deployments. [Default: 30s]' +- type: string +- reportingTTL: +- description: 'ReportingTTL is the time-to-live setting for process-wide +- status reports. [Default: 90s]' +- type: string +- routeRefreshInterval: +- description: 'RouterefreshInterval is the period at which Felix re-checks +- the routes in the dataplane to ensure that no other process has +- accidentally broken Calico’s rules. Set to 0 to disable route refresh. +- [Default: 90s]' +- type: string +- routeSource: +- description: 'RouteSource configures where Felix gets its routing +- information. - WorkloadIPs: use workload endpoints to construct +- routes. - CalicoIPAM: the default - use IPAM data to construct routes.' +- type: string +- routeTableRange: +- description: Calico programs additional Linux route tables for various +- purposes. RouteTableRange specifies the indices of the route tables +- that Calico should use. 
+- properties: +- max: +- type: integer +- min: +- type: integer +- required: +- - max +- - min +- type: object +- sidecarAccelerationEnabled: +- description: 'SidecarAccelerationEnabled enables experimental sidecar +- acceleration [Default: false]' +- type: boolean +- usageReportingEnabled: +- description: 'UsageReportingEnabled reports anonymous Calico version +- number and cluster size to projectcalico.org. Logs warnings returned +- by the usage server. For example, if a significant security vulnerability +- has been discovered in the version of Calico being used. [Default: +- true]' +- type: boolean +- usageReportingInitialDelay: +- description: 'UsageReportingInitialDelay controls the minimum delay +- before Felix makes a report. [Default: 300s]' +- type: string +- usageReportingInterval: +- description: 'UsageReportingInterval controls the interval at which +- Felix makes reports. [Default: 86400s]' +- type: string +- useInternalDataplaneDriver: +- type: boolean +- vxlanEnabled: +- type: boolean +- vxlanMTU: +- description: 'VXLANMTU is the MTU to set on the tunnel device. See +- Configuring MTU [Default: 1440]' +- type: integer +- vxlanPort: +- type: integer +- vxlanVNI: +- type: integer +- wireguardEnabled: +- description: 'WireguardEnabled controls whether Wireguard is enabled. +- [Default: false]' +- type: boolean +- wireguardInterfaceName: +- description: 'WireguardInterfaceName specifies the name to use for +- the Wireguard interface. [Default: wg.calico]' +- type: string +- wireguardListeningPort: +- description: 'WireguardListeningPort controls the listening port used +- by Wireguard. [Default: 51820]' +- type: integer +- wireguardMTU: +- description: 'WireguardMTU controls the MTU on the Wireguard interface. +- See Configuring MTU [Default: 1420]' +- type: integer +- wireguardRoutingRulePriority: +- description: 'WireguardRoutingRulePriority controls the priority value +- to use for the Wireguard routing rule. 
[Default: 99]' +- type: integer +- xdpEnabled: +- description: 'XDPEnabled enables XDP acceleration for suitable untracked +- incoming deny rules. [Default: true]' +- type: boolean +- xdpRefreshInterval: +- description: 'XDPRefreshInterval is the period at which Felix re-checks +- all XDP state to ensure that no other process has accidentally broken +- Calico''s BPF maps or attached programs. Set to 0 to disable XDP +- refresh. [Default: 90s]' +- type: string +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: globalnetworkpolicies.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: GlobalNetworkPolicy +- listKind: GlobalNetworkPolicyList +- plural: globalnetworkpolicies +- singular: globalnetworkpolicy +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- properties: +- applyOnForward: +- description: ApplyOnForward indicates to apply the rules in this policy +- on forward traffic. 
+- type: boolean +- doNotTrack: +- description: DoNotTrack indicates whether packets matched by the rules +- in this policy should go through the data plane's connection tracking, +- such as Linux conntrack. If True, the rules in this policy are +- applied before any data plane connection tracking, and packets allowed +- by this policy are marked as not to be tracked. +- type: boolean +- egress: +- description: The ordered set of egress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. 
\n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. 
The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. 
+- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). 
+- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. 
+- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. 
\n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- ingress: +- description: The ordered set of ingress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." 
+- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. 
+- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. 
+- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). 
+- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. 
When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." 
+- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. 
+- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- namespaceSelector: +- description: NamespaceSelector is an optional field for an expression +- used to select a pod based on namespaces. +- type: string +- order: +- description: Order is an optional field that specifies the order in +- which the policy is applied. Policies with higher "order" are applied +- after those with lower order. If the order is omitted, it may be +- considered to be "infinite" - i.e. the policy will be applied last. Policies +- with identical order will be applied in alphanumerical order based +- on the Policy "Name". +- type: number +- preDNAT: +- description: PreDNAT indicates to apply the rules in this policy before +- any DNAT. +- type: boolean +- selector: +- description: "The selector is an expression used to pick pick out +- the endpoints that the policy should be applied to. \n Selector +- expressions follow this syntax: \n \tlabel == \"string_literal\" +- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" +- \ -> not equal; also matches if label is not present \tlabel in +- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is +- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", +- ... } -> true if the value of label X is not one of \"a\", \"b\", +- \"c\" \thas(label_name) -> True if that label is present \t! expr +- -> negation of expr \texpr && expr -> Short-circuit and \texpr +- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() +- or the empty selector -> matches all endpoints. \n Label names are +- allowed to contain alphanumerics, -, _ and /. String literals are +- more permissive but they do not support escape characters. \n Examples +- (with made-up labels): \n \ttype == \"webserver\" && deployment +- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != +- \"dev\" \t! 
has(label_name)" +- type: string +- serviceAccountSelector: +- description: ServiceAccountSelector is an optional field for an expression +- used to select a pod based on service accounts. +- type: string +- types: +- description: "Types indicates whether this policy applies to ingress, +- or to egress, or to both. When not explicitly specified (and so +- the value on creation is empty or nil), Calico defaults Types according +- to what Ingress and Egress rules are present in the policy. The +- default is: \n - [ PolicyTypeIngress ], if there are no Egress rules +- (including the case where there are also no Ingress rules) \n +- - [ PolicyTypeEgress ], if there are Egress rules but no Ingress +- rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are +- both Ingress and Egress rules. \n When the policy is read back again, +- Types will always be one of these values, never empty or nil." +- items: +- description: PolicyType enumerates the possible values of the PolicySpec +- Types field. +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: globalnetworksets.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: GlobalNetworkSet +- listKind: GlobalNetworkSetList +- plural: globalnetworksets +- singular: globalnetworkset +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs +- that share labels to allow rules to refer to them via selectors. The labels +- of GlobalNetworkSet are not namespaced. 
+- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: GlobalNetworkSetSpec contains the specification for a NetworkSet +- resource. +- properties: +- nets: +- description: The list of IP networks that belong to this set. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: hostendpoints.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: HostEndpoint +- listKind: HostEndpointList +- plural: hostendpoints +- singular: hostendpoint +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: HostEndpointSpec contains the specification for a HostEndpoint +- resource. +- properties: +- expectedIPs: +- description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. +- If \"InterfaceName\" is not present, Calico will look for an interface +- matching any of the IPs in the list and apply policy to that. Note: +- \tWhen using the selector match criteria in an ingress or egress +- security Policy \tor Profile, Calico converts the selector into +- a set of IP addresses. For host \tendpoints, the ExpectedIPs field +- is used for that purpose. (If only the interface \tname is specified, +- Calico does not learn the IPs of the interface for use in match +- \tcriteria.)" +- items: +- type: string +- type: array +- interfaceName: +- description: "Either \"*\", or the name of a specific Linux interface +- to apply policy to; or empty. \"*\" indicates that this HostEndpoint +- governs all traffic to, from or through the default network namespace +- of the host named by the \"Node\" field; entering and leaving that +- namespace via any interface, including those from/to non-host-networked +- local workloads. \n If InterfaceName is not \"*\", this HostEndpoint +- only governs traffic that enters or leaves the host through the +- specific interface named by InterfaceName, or - when InterfaceName +- is empty - through the specific interface that has one of the IPs +- in ExpectedIPs. 
Therefore, when InterfaceName is empty, at least +- one expected IP must be specified. Only external interfaces (such +- as “eth0”) are supported here; it isn't possible for a HostEndpoint +- to protect traffic through a specific local workload interface. +- \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; +- initially just pre-DNAT policy. Please check Calico documentation +- for the latest position." +- type: string +- node: +- description: The node name identifying the Calico node instance. +- type: string +- ports: +- description: Ports contains the endpoint's named ports, which may +- be referenced in security policy rules. +- items: +- properties: +- name: +- type: string +- port: +- type: integer +- protocol: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- required: +- - name +- - port +- - protocol +- type: object +- type: array +- profiles: +- description: A list of identifiers of security Profile objects that +- apply to this endpoint. Each profile is applied in the order that +- they appear in this list. Profile rules are applied after the selector-based +- security policy. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamblocks.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMBlock +- listKind: IPAMBlockList +- plural: ipamblocks +- singular: ipamblock +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. 
Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMBlockSpec contains the specification for an IPAMBlock +- resource. +- properties: +- affinity: +- type: string +- allocations: +- items: +- type: integer +- # TODO: This nullable is manually added in. We should update controller-gen +- # to handle []*int properly itself. +- nullable: true +- type: array +- attributes: +- items: +- properties: +- handle_id: +- type: string +- secondary: +- additionalProperties: +- type: string +- type: object +- type: object +- type: array +- cidr: +- type: string +- deleted: +- type: boolean +- strictAffinity: +- type: boolean +- unallocated: +- items: +- type: integer +- type: array +- required: +- - allocations +- - attributes +- - cidr +- - deleted +- - strictAffinity +- - unallocated +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamconfigs.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMConfig +- listKind: IPAMConfigList +- plural: ipamconfigs +- singular: ipamconfig +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- 
apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMConfigSpec contains the specification for an IPAMConfig +- resource. +- properties: +- autoAllocateBlocks: +- type: boolean +- strictAffinity: +- type: boolean +- required: +- - autoAllocateBlocks +- - strictAffinity +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamhandles.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMHandle +- listKind: IPAMHandleList +- plural: ipamhandles +- singular: ipamhandle +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMHandleSpec contains the specification for an IPAMHandle +- resource. +- properties: +- block: +- additionalProperties: +- type: integer +- type: object +- handleID: +- type: string +- required: +- - block +- - handleID +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ippools.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPPool +- listKind: IPPoolList +- plural: ippools +- singular: ippool +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPPoolSpec contains the specification for an IPPool resource. +- properties: +- blockSize: +- description: The block size to use for IP address assignments from +- this pool. Defaults to 26 for IPv4 and 112 for IPv6. +- type: integer +- cidr: +- description: The pool CIDR. +- type: string +- disabled: +- description: When disabled is true, Calico IPAM will not assign addresses +- from this pool. +- type: boolean +- ipip: +- description: 'Deprecated: this field is only used for APIv1 backwards +- compatibility. Setting this field is not allowed, this field is +- for internal use only.' +- properties: +- enabled: +- description: When enabled is true, ipip tunneling will be used +- to deliver packets to destinations within this pool. +- type: boolean +- mode: +- description: The IPIP mode. This can be one of "always" or "cross-subnet". A +- mode of "always" will also use IPIP tunneling for routing to +- destination IP addresses within this pool. A mode of "cross-subnet" +- will only use IPIP tunneling when the destination node is on +- a different subnet to the originating node. The default value +- (if not specified) is "always". +- type: string +- type: object +- ipipMode: +- description: Contains configuration for IPIP tunneling for this pool. +- If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling +- is disabled). +- type: string +- nat-outgoing: +- description: 'Deprecated: this field is only used for APIv1 backwards +- compatibility. Setting this field is not allowed, this field is +- for internal use only.' +- type: boolean +- natOutgoing: +- description: When nat-outgoing is true, packets sent from Calico networked +- containers in this pool to destinations outside of this pool will +- be masqueraded. 
+- type: boolean +- nodeSelector: +- description: Allows IPPool to allocate for a specific node by label +- selector. +- type: string +- vxlanMode: +- description: Contains configuration for VXLAN tunneling for this pool. +- If not specified, then this is defaulted to "Never" (i.e. VXLAN +- tunneling is disabled). +- type: string +- required: +- - cidr +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: kubecontrollersconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: KubeControllersConfiguration +- listKind: KubeControllersConfigurationList +- plural: kubecontrollersconfigurations +- singular: kubecontrollersconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: KubeControllersConfigurationSpec contains the values of the +- Kubernetes controllers configuration. 
+- properties: +- controllers: +- description: Controllers enables and configures individual Kubernetes +- controllers +- properties: +- namespace: +- description: Namespace enables and configures the namespace controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- node: +- description: Node enables and configures the node controller. +- Enabled by default, set to nil to disable. +- properties: +- hostEndpoint: +- description: HostEndpoint controls syncing nodes to host endpoints. +- Disabled by default, set to nil to disable. +- properties: +- autoCreate: +- description: 'AutoCreate enables automatic creation of +- host endpoints for every node. [Default: Disabled]' +- type: string +- type: object +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- syncLabels: +- description: 'SyncLabels controls whether to copy Kubernetes +- node labels to Calico nodes. [Default: Enabled]' +- type: string +- type: object +- policy: +- description: Policy enables and configures the policy controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- serviceAccount: +- description: ServiceAccount enables and configures the service +- account controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- workloadEndpoint: +- description: WorkloadEndpoint enables and configures the workload +- endpoint controller. 
Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- type: object +- etcdV3CompactionPeriod: +- description: 'EtcdV3CompactionPeriod is the period between etcdv3 +- compaction requests. Set to 0 to disable. [Default: 10m]' +- type: string +- healthChecks: +- description: 'HealthChecks enables or disables support for health +- checks [Default: Enabled]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: Info]' +- type: string +- required: +- - controllers +- type: object +- status: +- description: KubeControllersConfigurationStatus represents the status +- of the configuration. It's useful for admins to be able to see the actual +- config that was applied, which can be modified by environment variables +- on the kube-controllers process. +- properties: +- environmentVars: +- additionalProperties: +- type: string +- description: EnvironmentVars contains the environment variables on +- the kube-controllers that influenced the RunningConfig. +- type: object +- runningConfig: +- description: RunningConfig contains the effective config that is running +- in the kube-controllers pod, after merging the API resource with +- any environment variables. +- properties: +- controllers: +- description: Controllers enables and configures individual Kubernetes +- controllers +- properties: +- namespace: +- description: Namespace enables and configures the namespace +- controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- node: +- description: Node enables and configures the node controller. 
+- Enabled by default, set to nil to disable. +- properties: +- hostEndpoint: +- description: HostEndpoint controls syncing nodes to host +- endpoints. Disabled by default, set to nil to disable. +- properties: +- autoCreate: +- description: 'AutoCreate enables automatic creation +- of host endpoints for every node. [Default: Disabled]' +- type: string +- type: object +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- syncLabels: +- description: 'SyncLabels controls whether to copy Kubernetes +- node labels to Calico nodes. [Default: Enabled]' +- type: string +- type: object +- policy: +- description: Policy enables and configures the policy controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- serviceAccount: +- description: ServiceAccount enables and configures the service +- account controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- workloadEndpoint: +- description: WorkloadEndpoint enables and configures the workload +- endpoint controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- type: object +- etcdV3CompactionPeriod: +- description: 'EtcdV3CompactionPeriod is the period between etcdv3 +- compaction requests. Set to 0 to disable. 
[Default: 10m]' +- type: string +- healthChecks: +- description: 'HealthChecks enables or disables support for health +- checks [Default: Enabled]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which +- logs are sent to the stdout. [Default: Info]' +- type: string +- required: +- - controllers +- type: object +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: networkpolicies.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: NetworkPolicy +- listKind: NetworkPolicyList +- plural: networkpolicies +- singular: networkpolicy +- scope: Namespaced +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- properties: +- egress: +- description: The ordered set of egress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. 
Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. 
Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." 
+- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. 
This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). 
\n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. 
See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. 
+- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- ingress: +- description: The ordered set of ingress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. 
\n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." 
+- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. 
+- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. 
+- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. 
When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." 
+- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. 
+- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- order: +- description: Order is an optional field that specifies the order in +- which the policy is applied. Policies with higher "order" are applied +- after those with lower order. If the order is omitted, it may be +- considered to be "infinite" - i.e. the policy will be applied last. Policies +- with identical order will be applied in alphanumerical order based +- on the Policy "Name". +- type: number +- selector: +- description: "The selector is an expression used to pick pick out +- the endpoints that the policy should be applied to. \n Selector +- expressions follow this syntax: \n \tlabel == \"string_literal\" +- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" +- \ -> not equal; also matches if label is not present \tlabel in +- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is +- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", +- ... } -> true if the value of label X is not one of \"a\", \"b\", +- \"c\" \thas(label_name) -> True if that label is present \t! expr +- -> negation of expr \texpr && expr -> Short-circuit and \texpr +- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() +- or the empty selector -> matches all endpoints. \n Label names are +- allowed to contain alphanumerics, -, _ and /. String literals are +- more permissive but they do not support escape characters. \n Examples +- (with made-up labels): \n \ttype == \"webserver\" && deployment +- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != +- \"dev\" \t! has(label_name)" +- type: string +- serviceAccountSelector: +- description: ServiceAccountSelector is an optional field for an expression +- used to select a pod based on service accounts. +- type: string +- types: +- description: "Types indicates whether this policy applies to ingress, +- or to egress, or to both. 
When not explicitly specified (and so +- the value on creation is empty or nil), Calico defaults Types according +- to what Ingress and Egress are present in the policy. The default +- is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including +- the case where there are also no Ingress rules) \n - [ PolicyTypeEgress +- ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, +- PolicyTypeEgress ], if there are both Ingress and Egress rules. +- \n When the policy is read back again, Types will always be one +- of these values, never empty or nil." +- items: +- description: PolicyType enumerates the possible values of the PolicySpec +- Types field. +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: networksets.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: NetworkSet +- listKind: NetworkSetList +- plural: networksets +- singular: networkset +- scope: Namespaced +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+- type: string
+- metadata:
+- type: object
+- spec:
+- description: NetworkSetSpec contains the specification for a NetworkSet
+- resource.
+- properties:
+- nets:
+- description: The list of IP networks that belong to this set.
+- items:
+- type: string
+- type: array
+- type: object
+- type: object
+- served: true
+- storage: true
+-status:
+- acceptedNames:
+- kind: ""
+- plural: ""
+- conditions: []
+- storedVersions: []
+-
+----
+----
+ # Source: calico/templates/calico-kube-controllers-rbac.yaml
+ 
+ # Include a clusterrole for the kube-controllers component,
+@@ -3563,38 +339,10 @@
+ terminationGracePeriodSeconds: 0
+ priorityClassName: system-node-critical
+ initContainers:
+- # This container performs upgrade from host-local IPAM to calico-ipam.
+- # It can be deleted if this is a fresh installation, or if you have already
+- # upgraded to use calico-ipam.
+- - name: upgrade-ipam
+- image: calico/cni:v3.16.5
+- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
+- envFrom:
+- - configMapRef:
+- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+- name: kubernetes-services-endpoint
+- optional: true
+- env:
+- - name: KUBERNETES_NODE_NAME
+- valueFrom:
+- fieldRef:
+- fieldPath: spec.nodeName
+- - name: CALICO_NETWORKING_BACKEND
+- valueFrom:
+- configMapKeyRef:
+- name: calico-config
+- key: calico_backend
+- volumeMounts:
+- - mountPath: /var/lib/cni/networks
+- name: host-local-net-dir
+- - mountPath: /host/opt/cni/bin
+- name: cni-bin-dir
+- securityContext:
+- privileged: true
+ # This container installs the CNI binaries
+ # and CNI network config file on each node.
+ - name: install-cni
+- image: calico/cni:v3.16.5
++ image: calico/cni:{{ default .Chart.AppVersion .Values.image.tag }}
+ command: ["/opt/cni/bin/install"]
+ envFrom:
+ - configMapRef:
+@@ -3635,7 +383,7 @@
+ # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
+ # to communicate with Felix over the Policy Sync API.
+ - name: flexvol-driver
+- image: calico/pod2daemon-flexvol:v3.16.5
++ image: calico/pod2daemon-flexvol:{{ default .Chart.AppVersion .Values.image.tag }}
+ volumeMounts:
+ - name: flexvol-driver-host
+ mountPath: /host/driver
+@@ -3646,7 +394,7 @@
+ # container programs network policy and routes on each
+ # host.
+ - name: calico-node
+- image: calico/node:v3.16.5
++ image: calico/node:{{ default .Chart.AppVersion .Values.image.tag }}
+ envFrom:
+ - configMapRef:
+ # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+@@ -3672,7 +420,7 @@
+ key: calico_backend
+ # Cluster type to identify the deployment type
+ - name: CLUSTER_TYPE
+- value: "k8s,bgp"
++ value: "k8s,kubeadm"
+ # Auto-detect the BGP IP address.
+ - name: IP
+ value: "autodetect"
+@@ -3702,7 +450,7 @@
+ key: veth_mtu
+ # Disable AWS source-destination check on nodes.
+ - name: FELIX_AWSSRCDSTCHECK
+- value: Disable
++ value: DoNothing
+ # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+ # chosen from this range. Changing this value after installation will have
+ # no effect. This should fall within `--cluster-cidr`.
+@@ -3719,7 +467,15 @@
+ value: "false"
+ # Set Felix logging to "info"
+ - name: FELIX_LOGSEVERITYSCREEN
+- value: "info"
++ value: "{{ .Values.loglevel }}"
++ - name: FELIX_LOGSEVERITYFILE
++ value: "{{ .Values.loglevel }}"
++ - name: FELIX_LOGSEVERITYSYS
++ value: ""
++ - name: FELIX_PROMETHEUSGOMETRICSENABLED
++ value: "{{ .Values.prometheus }}"
++ - name: FELIX_PROMETHEUSMETRICSENABLED
++ value: "{{ .Values.prometheus }}"
+ - name: FELIX_HEALTHENABLED
+ value: "true"
+ securityContext:
+@@ -3840,6 +596,7 @@
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
++ node-role.kubernetes.io/master: ""
+ tolerations:
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+@@ -3850,7 +607,7 @@
+ priorityClassName: system-cluster-critical
+ containers:
+ - name: calico-kube-controllers
+- image: calico/kube-controllers:v3.16.5
++ image: calico/kube-controllers:{{ default .Chart.AppVersion .Values.image.tag }}
+ env:
+ # Choose which controllers to run.
+ - name: ENABLED_CONTROLLERS
diff --git a/charts/kubezero-calico/crds/crds.yaml b/charts/kubezero-calico/crds/crds.yaml
index da6def43..afb8ee38 100644
--- a/charts/kubezero-calico/crds/crds.yaml
+++ b/charts/kubezero-calico/crds/crds.yaml
@@ -1,3 +1,4 @@
+---
 # Source: calico/templates/kdd-crds.yaml
@@ -192,6 +193,29 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object peerIP: description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[]:port` @@ -396,6 +420,16 @@ spec: spec: description: FelixConfigurationSpec contains the values of the Felix configuration. properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: diff --git a/charts/kubezero-calico/templates/crds.yaml b/charts/kubezero-calico/templates/crds.yaml deleted file mode 100644 index 45ab72d4..00000000 --- a/charts/kubezero-calico/templates/crds.yaml +++ /dev/null 
@@ -1,6 +0,0 @@
-{{- if .Values.installCRDs }}
-{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
-{{ $.Files.Get $path }}
----
-{{- end }}
-{{- end }}
diff --git a/charts/kubezero-calico/values.yaml b/charts/kubezero-calico/values.yaml
index 04a29796..281caa30 100644
--- a/charts/kubezero-calico/values.yaml
+++ b/charts/kubezero-calico/values.yaml
@@ -1,5 +1,3 @@
-installCRDs: false
-
 image:
   tag: ""
diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml
index 9096c450..518d68e2 100644
--- a/charts/kubezero-cert-manager/Chart.yaml
+++ b/charts/kubezero-cert-manager/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-cert-manager
 description: KubeZero Umbrella Chart for cert-manager
 type: application
-version: 0.4.0
+version: 0.4.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -15,6 +15,7 @@ dependencies:
     version: ">= 0.1.3"
     repository: https://zero-down-time.github.io/kubezero/
   - name: cert-manager
-    version: 1.0.3
+    version: 1.0.4
     repository: https://charts.jetstack.io
+    condition: cert-manager.enabled
 kubeVersion: ">= 1.16.0"
diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md
index a600e3ff..2559b105 100644
--- a/charts/kubezero-cert-manager/README.md
+++ b/charts/kubezero-cert-manager/README.md
@@ -1,6 +1,6 @@
 # kubezero-cert-manager
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Umbrella Chart for cert-manager
@@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | 1.0.3 | +| https://charts.jetstack.io | cert-manager | 1.0.4 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## AWS - IAM Role @@ -38,10 +38,10 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cert-manager.enabled | bool | `true` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | -| cert-manager.installCRDs | bool | `true` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | @@ -51,5 +51,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | clusterIssuer | object | `{}` | | -| localCA.enabled | bool | `true` | | +| localCA.enabled | bool | `false` | | | localCA.selfsigning | bool | `true` | | diff --git a/charts/kubezero-cert-manager/templates/cluster-ca.yaml b/charts/kubezero-cert-manager/templates/cluster-ca.yaml index bd2f45a9..01889599 100644 --- a/charts/kubezero-cert-manager/templates/cluster-ca.yaml 
+++ b/charts/kubezero-cert-manager/templates/cluster-ca.yaml
@@ -3,11 +3,11 @@
 # KubeZero / Local cluster CA
 # The resources are serialized via waves in Argo
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
 metadata:
   name: kubezero-selfsigning-issuer
-  namespace: kube-system
+  namespace: {{ .Release.Namespace }}
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
   annotations:
@@ -15,11 +15,11 @@ metadata:
 spec:
   selfSigned: {}
 ---
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: kubezero-local-ca
-  namespace: kube-system
+  namespace: {{ .Release.Namespace }}
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
   annotations:
@@ -30,6 +30,7 @@ spec:
   isCA: true
   issuerRef:
     name: kubezero-selfsigning-issuer
+    kind: ClusterIssuer
   usages:
     - "any"
 ---
@@ -39,7 +40,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: kubezero-ca-tls
-  namespace: kube-system
+  namespace: {{ .Release.Namespace }}
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 data:
@@ -48,11 +49,11 @@ data:
 ---
 {{- end }}
-apiVersion: cert-manager.io/v1alpha2
-kind: Issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
 metadata:
   name: kubezero-local-ca-issuer
-  namespace: kube-system
+  namespace: {{ .Release.Namespace }}
   labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
   annotations:
diff --git a/charts/kubezero-cert-manager/templates/cluster-issuer.yaml b/charts/kubezero-cert-manager/templates/cluster-issuer.yaml
index 4861733c..f7280fc4 100644
--- a/charts/kubezero-cert-manager/templates/cluster-issuer.yaml
+++ b/charts/kubezero-cert-manager/templates/cluster-issuer.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.clusterIssuer.name }}
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   name: {{ .Values.clusterIssuer.name }}
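Review bot: `namespace: {{ .Release.Namespace }}` is kept on kubezero-selfsigning-issuer and kubezero-local-ca-issuer even though both are now `kind: ClusterIssuer`, a cluster-scoped kind for which metadata.namespace carries no meaning and only suggests a scoping that does not exist. The consequential part is that a ClusterIssuer resolves its CA secret from cert-manager's cluster-resource namespace, not from the namespace where the Certificate and the `kubezero-ca-tls` Secret are now placed; the issuer's `ca.secretName` lies outside the hunk, so this only works when the release namespace is that cluster-resource namespace, which the diff does not establish. Turning the local CA from a namespaced Issuer into a ClusterIssuer also means every namespace in the cluster can obtain certificates chained to the cluster CA, which the header comment should state, e.g. `# Cluster-scoped: any namespace may request certs from the local CA; its secret must live in cert-manager's cluster-resource-namespace`.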
diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml index c415290d..9a7badec 100644 --- a/charts/kubezero-cert-manager/values.yaml +++ b/charts/kubezero-cert-manager/values.yaml @@ -17,34 +17,45 @@ localCA: # crt: cert-manager: - installCRDs: true + enabled: true + + global: + leaderElection: + namespace: "cert-manager" + + podAnnotations: {} + # iam.amazonaws.com/role: "" + tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + ingressShim: defaultIssuerName: letsencrypt-dns-prod defaultIssuerKind: ClusterIssuer + webhook: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + cainjector: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + extraArgs: - "--dns01-recursive-nameservers-only" # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # - --enable-certificate-owner-ref=true + prometheus: servicemonitor: enabled: false # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" - podAnnotations: {} - # iam.amazonaws.com/role: "" diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 3857a76a..c88751d5 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.3.4 -appVersion: 1.7.3 +version: 0.4.0 +appVersion: 1.7.4 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index bdde2399..3fd2b38b 100644 --- a/charts/kubezero-istio/README.md 
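Review bot: `installCRDs: true` is removed from the cert-manager subchart values while the templates in this commit now render `cert-manager.io/v1` ClusterIssuer and Certificate objects, and nothing in the diff shows where the cert-manager CRDs are installed instead; unless the umbrella chart ships them under its own `crds/` directory, those templates fail to apply on a fresh cluster. `global.leaderElection.namespace: "cert-manager"` is hard-coded while the templates use `{{ .Release.Namespace }}`, so a release into another namespace presumably needs the leader-election RBAC created in a namespace it does not own; deriving it from the release namespace, or documenting the constraint, would avoid that. The helm-docs line `# cert-manager.podAnnotations -- ...` is now left at the end of the block after `podAnnotations: {}` was moved up beside `global:`; moving the comment together with the key it documents keeps the values file readable.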
+++ b/charts/kubezero-istio/README.md
@@ -1,6 +1,6 @@
 # kubezero-istio
-![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square)
+![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.4](https://img.shields.io/badge/AppVersion-1.7.4-informational?style=flat-square)
 KubeZero Umbrella Chart for Istio
@@ -34,10 +34,11 @@ Kubernetes: `>= 1.16.0`
 | ingress.dnsNames[0] | string | `"*"` | |
 | ingress.private.enabled | bool | `true` | |
 | ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
+| ingress.public.enabled | bool | `true` | |
 | ingress.replicaCount | int | `2` | |
 | ingress.type | string | `"NodePort"` | |
 | istio-operator.hub | string | `"docker.io/istio"` | |
-| istio-operator.tag | string | `"1.7.3"` | |
+| istio-operator.tag | string | `"1.7.4"` | |
 | istiod.autoscaleEnabled | bool | `false` | |
 | istiod.replicaCount | int | `1` | |
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
index bdbd5bda..ef92c5e5 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
@@ -99,6 +99,7 @@ rules:
   - events
   - namespaces
   - pods
+  - pods/proxy
   - persistentvolumeclaims
   - secrets
   - services
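Review bot: `- pods/proxy` is added to the istio-operator ClusterRole's core-group resources without a comment on why the operator needs it; the rule's verbs are outside the hunk, and if they include `get` or `create`, the operator's service account can reach any pod's listening ports through the API server in every namespace, which is a broader grant than the neighbouring `pods` and `services` entries. If the upstream operator manifest requires it, record that next to the entry, e.g. `- pods/proxy  # <why the operator needs API-server pod proxying>`, and otherwise keep the verbs for this subresource to the minimum the operator actually uses.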
diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/crds/crd-all.gen.yaml similarity index 97% rename from charts/kubezero-istio/templates/istio-base.yaml rename to charts/kubezero-istio/crds/crd-all.gen.yaml index 64e4f027..be68f83b 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/crds/crd-all.gen.yaml @@ -1,66 +1,25 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: - app: mixer + app: istio-mixer chart: istio heritage: Tiller - istio: core - package: istio.io.mixer release: istio - name: attributemanifests.config.istio.io + name: httpapispecs.config.istio.io spec: group: config.istio.io names: categories: - istio-io - - policy-istio-io - kind: attributemanifest - listKind: attributemanifestList - plural: attributemanifests - singular: attributemanifest + - apim-istio-io + kind: HTTPAPISpec + listKind: HTTPAPISpecList + plural: httpapispecs + singular: httpapispec scope: Namespaced versions: - name: v1alpha2 
@@ -68,45 +27,239 @@ spec: openAPIV3Schema: properties: spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' properties: - attributes: - additionalProperties: + api_keys: + items: + oneOf: + - not: + anyOf: + - required: + - query + - required: + - header + - required: + - cookie + - required: + - query + - required: + - header + - required: + - cookie properties: - description: - description: A human-readable description of the attribute's - purpose. + cookie: format: string type: string - valueType: - description: The type of data carried by this attribute. - enum: - - VALUE_TYPE_UNSPECIFIED - - STRING - - INT64 - - DOUBLE - - BOOL - - TIMESTAMP - - IP_ADDRESS - - EMAIL_ADDRESS - - URI - - DNS_NAME - - DURATION - - STRING_MAP + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. + format: string type: string type: object - description: The set of attributes this Istio component will be responsible - for producing at runtime. + type: array + apiKeys: + items: + oneOf: + - not: + anyOf: + - required: + - query + - required: + - header + - required: + - cookie + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. 
+ format: string + type: string + type: object + type: array + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object type: object - name: - description: Name of the component producing these attributes. - format: string - type: string - revision: - description: The revision of this document. - format: string - type: string + patterns: + description: List of HTTP patterns to match. 
+ items: + oneOf: + - not: + anyOf: + - required: + - uriTemplate + - required: + - regex + - required: + - uriTemplate + - required: + - regex + properties: + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object + type: object + httpMethod: + format: string + type: string + regex: + format: string + type: string + uriTemplate: + format: string + type: string + type: object + type: array type: object status: type: object @@ -116,6 +269,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -123,192 +277,85 @@ metadata: annotations: "helm.sh/resource-policy": keep labels: - app: istio-pilot + app: istio-mixer chart: istio heritage: Tiller - istio: security release: istio - name: authorizationpolicies.security.istio.io + name: httpapispecbindings.config.istio.io spec: - group: security.istio.io + group: config.istio.io names: categories: - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy + - apim-istio-io + kind: HTTPAPISpecBinding + listKind: HTTPAPISpecBindingList + plural: httpapispecbindings + singular: httpapispecbinding scope: Namespaced versions: - - name: v1beta1 + - name: v1alpha2 schema: openAPIV3Schema: properties: spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - type: string - rules: - description: Optional. + api_specs: items: properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: + name: + description: The short name of the HTTPAPISpec. format: string type: string - type: object - type: object + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + apiSpecs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. 
+ format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed HTTPAPISpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. + format: string + type: string + type: object + type: array type: object status: type: object 
@@ -318,6 +365,186 @@ spec: storage: true subresources: status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpec + listKind: QuotaSpecList + plural: quotaspecs + singular: quotaspec + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: Determines the quotas used for individual requests. + properties: + rules: + description: A list of Quota rules. + items: + properties: + match: + description: If empty, match all request. + items: + properties: + clause: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Map of attribute names to StringMatch type. + type: object + type: object + type: array + quotas: + description: The list of quotas to charge. 
+ items: + properties: + charge: + format: int32 + type: integer + quota: + format: string + type: string + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpecBinding + listKind: QuotaSpecBindingList + plural: quotaspecbindings + singular: quotaspecbinding + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + quotaSpecs: + items: + properties: + name: + description: The short name of the QuotaSpec. + format: string + type: string + namespace: + description: Optional namespace of the QuotaSpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed QuotaSpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. 
+ format: string + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2622,6 +2849,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2859,6 +3087,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -3147,1171 +3376,7 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-handler - package: handler - release: istio - name: handlers.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: handler - listKind: handlerList - plural: handlers - singular: handler - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Handler allows the operator to configure a specific adapter - implementation. - properties: - adapter: - description: The name of a specific adapter implementation. - format: string - type: string - compiledAdapter: - description: The name of the compiled in adapter this handler instantiates. - format: string - type: string - connection: - description: Information on how to connect to the out-of-process adapter. - properties: - address: - description: The address of the backend. - format: string - type: string - authentication: - description: Auth config for the connection to the backend. 
- oneOf: - - not: - anyOf: - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - properties: - mutual: - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: The path to the file holding client certificate - for mutual TLS. - format: string - type: string - privateKey: - description: The path to the file holding the private - key for mutual TLS. - format: string - type: string - serverName: - description: Used to configure mixer mutual TLS client - to supply server name for SNI. - format: string - type: string - type: object - tls: - properties: - authHeader: - description: Access token is passed as authorization header. - enum: - - PLAIN - - BEARER - type: string - caCertificates: - format: string - type: string - customHeader: - description: Customized header key to hold access token, - e.g. - format: string - type: string - oauth: - description: Oauth config to fetch access token from auth - provider. - properties: - clientId: - description: OAuth client id for mixer. - format: string - type: string - clientSecret: - description: The path to the file holding the client - secret for oauth. 
- format: string - type: string - endpointParams: - additionalProperties: - format: string - type: string - description: Additional parameters for requests to - the token endpoint. - type: object - scopes: - description: List of requested permissions. - items: - format: string - type: string - type: array - tokenUrl: - description: The Resource server's token endpoint - URL. - format: string - type: string - type: object - serverName: - format: string - type: string - tokenPath: - format: string - type: string - type: object - type: object - timeout: - description: Timeout for remote calls to the backend. - type: string - type: object - name: - description: Must be unique in the entire Mixer configuration. - format: string - type: string - params: - description: Depends on adapter implementation. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpecBinding - listKind: HTTPAPISpecBindingList - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_specs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - apiSpecs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. 
- format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed HTTPAPISpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpec - listKind: HTTPAPISpecList - plural: httpapispecs - singular: httpapispec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_keys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. 
- format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - apiKeys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - patterns: - description: List of HTTP patterns to match. 
- items: - oneOf: - - not: - anyOf: - - required: - - uriTemplate - - required: - - regex - - required: - - uriTemplate - - required: - - regex - properties: - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. 
- type: object - type: object - httpMethod: - format: string - type: string - regex: - format: string - type: string - uriTemplate: - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-instance - package: instance - release: istio - name: instances.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: instance - listKind: instanceList - plural: instances - singular: instance - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: An Instance tells Mixer how to create instances for particular - template. - properties: - attributeBindings: - additionalProperties: - format: string - type: string - type: object - compiledTemplate: - description: The name of the compiled in template this instance creates - instances for. - format: string - type: string - name: - format: string - type: string - params: - description: Depends on referenced template. - type: object - x-kubernetes-preserve-unknown-fields: true - template: - description: The name of the template this instance creates instances - for. 
- format: string - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpecBinding - listKind: QuotaSpecBindingList - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - quotaSpecs: - items: - properties: - name: - description: The short name of the QuotaSpec. - format: string - type: string - namespace: - description: Optional namespace of the QuotaSpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed QuotaSpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. 
- format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpec - listKind: QuotaSpecList - plural: quotaspecs - singular: quotaspec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Determines the quotas used for individual requests. - properties: - rules: - description: A list of Quota rules. - items: - properties: - match: - description: If empty, match all request. - items: - properties: - clause: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Map of attribute names to StringMatch type. - type: object - type: object - type: array - quotas: - description: The list of quotas to charge. 
- items: - properties: - charge: - format: int32 - type: integer - quota: - format: string - type: string - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. 
- format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: rules.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: rule - listKind: ruleList - plural: rules - singular: rule - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - actions: - description: The actions that will be executed when match evaluates - to `true`. - items: - properties: - handler: - description: Fully qualified name of the handler to invoke. - format: string - type: string - instances: - items: - format: string - type: string - type: array - name: - description: A handle to refer to the results of the action. - format: string - type: string - type: object - type: array - match: - description: Match is an attribute based predicate. 
- format: string - type: string - requestHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - responseHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - sampling: - properties: - random: - description: Provides filtering of actions based on random selection - per request. - properties: - attributeExpression: - description: Specifies an attribute expression to use to override - the numerator in the `percent_sampled` field. - format: string - type: string - percentSampled: - description: The default sampling rate, expressed as a percentage. - properties: - denominator: - description: Specifies the denominator. - enum: - - HUNDRED - - TEN_THOUSAND - type: string - numerator: - description: Specifies the numerator. - type: integer - type: object - useIndependentRandomness: - description: By default sampling will be based on the value - of the request header `x-request-id`. - type: boolean - type: object - rateLimit: - properties: - maxUnsampledEntries: - description: Number of entries to allow during the `sampling_duration` - before sampling is enforced. - format: int64 - type: integer - samplingDuration: - description: Window in which to enforce the sampling rate. - type: string - samplingRate: - description: The rate at which to sample entries once the - unsampled limit has been reached. 
- format: int64 - type: integer - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4608,6 +3673,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4878,46 +3944,7 @@ spec: storage: false subresources: status: {} ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5479,7 +4506,8 @@ spec: description: Retry policy for HTTP requests. properties: attempts: - description: Number of retries for a given request. + description: Number of retries to be allowed for a given + request. format: int32 type: integer perTryTimeout: @@ -6271,7 +5299,8 @@ spec: description: Retry policy for HTTP requests. properties: attempts: - description: Number of retries for a given request. + description: Number of retries to be allowed for a given + request. format: int32 type: integer perTryTimeout: @@ -6528,6 +5557,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -6668,225 +5698,915 @@ spec: storage: false subresources: status: {} + --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istio-reader-service-account - namespace: istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istio-reader + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer release: istio + name: attributemanifests.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: attributemanifest + listKind: attributemanifestList + plural: attributemanifests + singular: attributemanifest + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + attributes: + additionalProperties: + properties: + description: + description: A human-readable description of the attribute's + purpose. + format: string + type: string + valueType: + description: The type of data carried by this attribute. + enum: + - VALUE_TYPE_UNSPECIFIED + - STRING + - INT64 + - DOUBLE + - BOOL + - TIMESTAMP + - IP_ADDRESS + - EMAIL_ADDRESS + - URI + - DNS_NAME + - DURATION + - STRING_MAP + type: string + type: object + description: The set of attributes this Istio component will be responsible + for producing at runtime. + type: object + name: + description: Name of the component producing these attributes. + format: string + type: string + revision: + description: The revision of this document. 
+ format: string + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istiod-service-account - namespace: istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istiod + app: mixer + chart: istio + heritage: Tiller + istio: mixer-handler + package: handler release: istio + name: handlers.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: handler + listKind: handlerList + plural: handlers + singular: handler + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: Handler allows the operator to configure a specific adapter + implementation. + properties: + adapter: + description: The name of a specific adapter implementation. + format: string + type: string + compiledAdapter: + description: The name of the compiled in adapter this handler instantiates. + format: string + type: string + connection: + description: Information on how to connect to the out-of-process adapter. + properties: + address: + description: The address of the backend. + format: string + type: string + authentication: + description: Auth config for the connection to the backend. 
+ oneOf: + - not: + anyOf: + - properties: + tls: + allOf: + - oneOf: + - not: + anyOf: + - required: + - tokenPath + - required: + - oauth + - required: + - tokenPath + - required: + - oauth + - oneOf: + - not: + anyOf: + - required: + - authHeader + - required: + - customHeader + - required: + - authHeader + - required: + - customHeader + required: + - tls + - required: + - mutual + - properties: + tls: + allOf: + - oneOf: + - not: + anyOf: + - required: + - tokenPath + - required: + - oauth + - required: + - tokenPath + - required: + - oauth + - oneOf: + - not: + anyOf: + - required: + - authHeader + - required: + - customHeader + - required: + - authHeader + - required: + - customHeader + required: + - tls + - required: + - mutual + properties: + mutual: + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: The path to the file holding client certificate + for mutual TLS. + format: string + type: string + privateKey: + description: The path to the file holding the private + key for mutual TLS. + format: string + type: string + serverName: + description: Used to configure mixer mutual TLS client + to supply server name for SNI. + format: string + type: string + type: object + tls: + properties: + authHeader: + description: Access token is passed as authorization header. + enum: + - PLAIN + - BEARER + type: string + caCertificates: + format: string + type: string + customHeader: + description: Customized header key to hold access token, + e.g. + format: string + type: string + oauth: + description: Oauth config to fetch access token from auth + provider. + properties: + clientId: + description: OAuth client id for mixer. + format: string + type: string + clientSecret: + description: The path to the file holding the client + secret for oauth. 
+ format: string + type: string + endpointParams: + additionalProperties: + format: string + type: string + description: Additional parameters for requests to + the token endpoint. + type: object + scopes: + description: List of requested permissions. + items: + format: string + type: string + type: array + tokenUrl: + description: The Resource server's token endpoint + URL. + format: string + type: string + type: object + serverName: + format: string + type: string + tokenPath: + format: string + type: string + type: object + type: object + timeout: + description: Timeout for remote calls to the backend. + type: string + type: object + name: + description: Must be unique in the entire Mixer configuration. + format: string + type: string + params: + description: Depends on adapter implementation. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istio-reader-istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istio-reader + app: mixer + chart: istio + heritage: Tiller + istio: mixer-instance + package: instance release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] + name: instances.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: instance + listKind: instanceList + plural: instances + 
singular: instance + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: An Instance tells Mixer how to create instances for particular + template. + properties: + attributeBindings: + additionalProperties: + format: string + type: string + type: object + compiledTemplate: + description: The name of the compiled in template this instance creates + instances for. + format: string + type: string + name: + format: string + type: string + params: + description: Depends on referenced template. + type: object + x-kubernetes-preserve-unknown-fields: true + template: + description: The name of the template this instance creates instances + for. + format: string + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istiod-istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istiod + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer release: istio -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] + name: rules.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: rule + listKind: ruleList + plural: rules + singular: rule + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. 
See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + actions: + description: The actions that will be executed when match evaluates + to `true`. + items: + properties: + handler: + description: Fully qualified name of the handler to invoke. + format: string + type: string + instances: + items: + format: string + type: string + type: array + name: + description: A handle to refer to the results of the action. + format: string + type: string + type: object + type: array + match: + description: Match is an attribute based predicate. + format: string + type: string + requestHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + responseHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + sampling: + properties: + random: + description: Provides filtering of actions based on random selection + per request. + properties: + attributeExpression: + description: Specifies an attribute expression to use to override + the numerator in the `percent_sampled` field. + format: string + type: string + percentSampled: + description: The default sampling rate, expressed as a percentage. + properties: + denominator: + description: Specifies the denominator. + enum: + - HUNDRED + - TEN_THOUSAND + type: string + numerator: + description: Specifies the numerator. 
+ type: integer + type: object + useIndependentRandomness: + description: By default sampling will be based on the value + of the request header `x-request-id`. + type: boolean + type: object + rateLimit: + properties: + maxUnsampledEntries: + description: Number of entries to allow during the `sampling_duration` + before sampling is enforced. + format: int64 + type: integer + samplingDuration: + description: Window in which to enforce the sampling rate. + type: string + samplingRate: + description: The rate at which to sample entries once the + unsampled limit has been reached. + format: int64 + type: integer + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. 
- - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istio-reader-istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istio-reader + app: istio-pilot + chart: istio + heritage: Tiller + istio: security release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-pilot-istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio - istio: istiod -webhooks: - - name: validation.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: 
"/validate" - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - - security.istio.io - - authentication.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + type: string + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. 
+ items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istiod-istio-system - namespace: istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: pilot + app: istio-pilot + chart: istio + heritage: Tiller + istio: security release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. 
+ type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. 
+ items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- diff --git a/charts/kubezero-istio/crds/crd-mixer.yaml b/charts/kubezero-istio/crds/crd-mixer.yaml new file mode 100644 index 00000000..eba26fa7 --- /dev/null +++ b/charts/kubezero-istio/crds/crd-mixer.yaml 
@@ -0,0 +1,82 @@ +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + status: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + status: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- + diff --git a/charts/kubezero-istio/crds/crd-operator.yaml b/charts/kubezero-istio/crds/crd-operator.yaml new file mode 100644 index 00000000..6ed970d2 --- /dev/null +++ b/charts/kubezero-istio/crds/crd-operator.yaml 
@@ -0,0 +1,74 @@ +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + type: string + name: Status + - jsonPath: .metadata.creationTimestamp + description: + "CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + spec: + description: + "Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: + "Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- + diff --git a/charts/kubezero-istio/templates/envoyfilter.yaml b/charts/kubezero-istio/templates/envoyfilter.yaml index 3351376c..ef12ebd9 100644 --- a/charts/kubezero-istio/templates/envoyfilter.yaml +++ b/charts/kubezero-istio/templates/envoyfilter.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ingress.public.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: @@ -30,6 +31,7 @@ spec: name: 5 int_value: 60 state: STATE_LISTENING +{{- end }} {{- if .Values.ingress.private.enabled }} --- diff --git a/charts/kubezero-istio/templates/ingress-certificate.yaml b/charts/kubezero-istio/templates/ingress-certificate.yaml index eab9e8c8..b8a3277e 100644 --- a/charts/kubezero-istio/templates/ingress-certificate.yaml +++ b/charts/kubezero-istio/templates/ingress-certificate.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress.dnsNames }} -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: public-ingress-cert diff --git a/charts/kubezero-istio/templates/ingress-gateway.yaml b/charts/kubezero-istio/templates/ingress-gateway.yaml index 66f447c1..c2b64b6a 100644 --- a/charts/kubezero-istio/templates/ingress-gateway.yaml 
+++ b/charts/kubezero-istio/templates/ingress-gateway.yaml @@ -1,4 +1,5 @@ -apiVersion: networking.istio.io/v1alpha3 +{{- if .Values.ingress.public.enabled }} +apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: ingressgateway @@ -28,10 +29,10 @@ spec: privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt credentialName: public-ingress-cert - +{{- end }} {{- if .Values.ingress.private.enabled }} --- -apiVersion: networking.istio.io/v1alpha3 +apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: private-ingressgateway @@ -84,4 +85,16 @@ spec: privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt credentialName: public-ingress-cert + - port: + number: 6379 + name: redis + protocol: TCP + hosts: + {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + - port: + number: 6380 + name: redis-1 + protocol: TCP + hosts: + {{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- end }} diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 68209009..634b58ec 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -120,6 +120,16 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31672 {{- end }} + - name: redis + port: 6379 + {{- if eq .Values.ingress.type "NodePort" }} + nodePort: 31379 + {{- end }} + - name: redis-1 + port: 6380 + {{- if eq .Values.ingress.type "NodePort" }} + nodePort: 31380 + {{- end }} global: jwtPolicy: first-party-jwt diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index c01c9e57..195eed96 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
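Review bot: The two new `redis`/`redis-1` servers added to `private-ingressgateway` in the `@@ -84,4 +85,16 @@` hunk are `protocol: TCP` with no `tls:` block, unlike the HTTPS servers above them, so whatever is routed there crosses the gateway unencrypted and unauthenticated at the transport layer, with `hosts` taken from `ingress.dnsNames` (which this chart's values default to `"*"`). If the upstream Redis does not terminate TLS itself, consider `tls: mode: SIMPLE` with the existing `credentialName: public-ingress-cert` (or `PASSTHROUGH` for a TLS-enabled Redis) on both servers, plus an AuthorizationPolicy or source restriction so a node-reachable client cannot speak RESP straight to the backend. At minimum a comment above the first new server, `# plaintext TCP: relies on the private network and Redis AUTH — no TLS at the gateway`, would record the decision. The Gateway spec starts outside the hunk.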
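Review bot: The new `redis`/`redis-1` Service ports in the `@@ -120,6 +120,16 @@` hunk open NodePorts 31379 and 31380 on every node when `ingress.type` is `NodePort`, but the private ingress `nodeSelector` value in this chart's values (`"31080_31443_31671_31672_31224"`) is not extended in this commit. If that label is how nodes are matched to the set of host ports opened for the private gateway, the two new ports are either unreachable or exposed without the corresponding allowlist update — worth confirming against the node bootstrap. A short comment above the new entries, `# Redis passthrough; nodePorts must also be allowed at the node/SG level`, would make the dependency explicit. The enclosing `spec` begins outside the hunk.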
@@ -8,6 +8,9 @@ metadata: spec: profile: empty components: + base: + enabled: true + {{- if .Values.ingress.public.enabled }} ingressGateways: - enabled: true k8s: @@ -62,6 +65,7 @@ spec: value: 90 name: istio-ingressgateway + {{- end }} pilot: enabled: true k8s: @@ -102,6 +106,7 @@ spec: interval: 30s time: 60s values: + {{- if .Values.ingress.public.enabled }} gateways: istio-ingressgateway: autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }} @@ -134,6 +139,7 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30443 {{- end }} + {{- end }} global: jwtPolicy: first-party-jwt logAsJson: true diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 3e1f876e..0a5a1539 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -export ISTIO_VERSION=1.7.3 +export ISTIO_VERSION=1.7.4 if [ ! -d istio-$ISTIO_VERSION ]; then NAME="istio-$ISTIO_VERSION" 
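Review bot: Enabling `base` under `components` in the `@@ -8,6 +8,9 @@` hunk hands creation of Istio's cluster-wide RBAC to the operator, whereas the `istio-base.yaml` template this commit drops showed exactly what that included — an `istiod` ClusterRole with `get/watch/list` on all `secrets`, `update` on `validatingwebhookconfigurations`, and `approve` on the `kubernetes.io/legacy-unknown` CSR signer. Presumably the same grants still land in the cluster via the operator, but they are no longer visible in chart review or `helm template` output, and the `helm.sh/resource-policy: keep` CRDs under `crds/` will coexist with whatever CRDs `base` applies. A comment next to the new lines, `# base: operator-managed CRDs + istiod/istio-reader ClusterRoles (cluster-wide secret read, CSR approval) — re-review on ISTIO_VERSION bumps`, would preserve that context. The IstioOperator spec continues outside the hunk.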
@@ -10,17 +10,17 @@ if [ ! -d istio-$ISTIO_VERSION ]; then curl -sL "$URL" | tar xz fi -# Now lets extract what we need +# Get matching istioctl +[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } + +# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs +# Now lets extract istio-operator chart rm -rf charts/istio-operator cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts # Apply our patch patch -i istio-operator.patch -p0 -[ -x istioctl ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } - -# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs -./istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml - -# Remove double CRD -patch -i istio-base.patch -p3 +# Extract crds +rm -rf crds +cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds . diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 79fec8b6..9f1658db 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -6,6 +6,8 @@ ingress: autoscaleEnabled: false replicaCount: 2 type: NodePort + public: + enabled: true private: enabled: true nodeSelector: "31080_31443_31671_31672_31224" @@ -13,5 +15,6 @@ ingress: - "*" istio-operator: + operatorNamespace: istio-system hub: docker.io/istio - tag: 1.7.3 + tag: 1.7.4 diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml index ba2ddfcb..8503fc58 100644 --- a/charts/kubezero-kiam/Chart.yaml +++ b/charts/kubezero-kiam/Chart.yaml 
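Review bot: The new istioctl fetch in the `@@ -10,17 +10,17 @@` hunk pipes `curl -sL` straight into `tar xz` and then `chmod +x` with no checksum or signature check, so the binary that produces this chart's manifests is trusted solely on the download itself; the version test `[ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ]` also leaves `$ISTIO_VERSION` unquoted. Istio publishes a `.sha256` next to each release tarball, so the archive can be saved and verified with `sha256sum -c` before extraction, and `-f` on curl turns an HTTP error page into a failure instead of a silently empty archive (`set -e` does not catch the failing left side of a pipe). The `curl -sL "$URL" | tar xz` for the istio release tarball a few lines earlier has the same gap but is unchanged here.
```shell
# Get matching istioctl — verify the published checksum before trusting the binary
ISTIOCTL_TGZ="istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz"
ISTIOCTL_URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/${ISTIOCTL_TGZ}"
if ! { [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == "$ISTIO_VERSION" ]; }; then
  curl -sSfL -o "$ISTIOCTL_TGZ" "$ISTIOCTL_URL"
  curl -sSfL -o "${ISTIOCTL_TGZ}.sha256" "${ISTIOCTL_URL}.sha256"
  sha256sum -c "${ISTIOCTL_TGZ}.sha256"
  tar xzf "$ISTIOCTL_TGZ" && chmod +x istioctl
  rm -f "$ISTIOCTL_TGZ" "${ISTIOCTL_TGZ}.sha256"
fi
# … unchanged: istio-operator chart copy, patch, crds copy …
```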
@@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-kiam description: KubeZero Umbrella Chart for Kiam type: application -version: 0.2.11 +version: 0.2.12 appVersion: 3.6 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: kiam - version: 5.8.1 + version: 5.9.0 repository: https://uswitch.github.io/kiam-helm-charts/charts/ condition: kiam.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-kiam/README.md b/charts/kubezero-kiam/README.md index 8366b57d..a71327a9 100644 --- a/charts/kubezero-kiam/README.md +++ b/charts/kubezero-kiam/README.md @@ -1,6 +1,6 @@ # kubezero-kiam -![Version: 0.2.11](https://img.shields.io/badge/Version-0.2.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square) +![Version: 0.2.12](https://img.shields.io/badge/Version-0.2.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square) KubeZero Umbrella Chart for Kiam @@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.8.1 | +| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.9.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## KubeZero default configuration 
@@ -47,8 +47,8 @@ By default all access to the meta-data service is blocked, expect for: | kiam.agent.gatewayTimeoutCreation | string | `"5s"` | | | kiam.agent.host.interface | string | `"cali+"` | | | kiam.agent.host.iptables | bool | `false` | | -| kiam.agent.image.tag | string | `"v3.6"` | | -| kiam.agent.log.level | string | `"warn"` | | +| kiam.agent.log.level | string | `"info"` | | +| kiam.agent.priorityClassName | string | `"system-node-critical"` | | | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | | @@ -69,9 +69,9 @@ By default all access to the meta-data service is blocked, expect for: | kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role | | kiam.server.deployment.enabled | bool | `true` | | | kiam.server.deployment.replicas | int | `1` | | -| kiam.server.image.tag | string | `"v3.6"` | | -| kiam.server.log.level | string | `"warn"` | | +| kiam.server.log.level | string | `"info"` | | | kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| kiam.server.priorityClassName | string | `"system-cluster-critical"` | | | kiam.server.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | | diff --git a/charts/kubezero-kiam/templates/certificates.yaml b/charts/kubezero-kiam/templates/certificates.yaml index c2a9775f..9d4b21cf 100644 --- a/charts/kubezero-kiam/templates/certificates.yaml +++ b/charts/kubezero-kiam/templates/certificates.yaml 
@@ -1,28 +1,32 @@ -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kiam-agent + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: secretName: kiam-agent-tls issuerRef: name: kubezero-local-ca-issuer + kind: ClusterIssuer usages: - "any" dnsNames: - "kiam-agent" --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kiam-server + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: secretName: kiam-server-tls issuerRef: name: kubezero-local-ca-issuer + kind: ClusterIssuer usages: - "any" dnsNames: diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index d09c24bc..3c5b38df 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -3,8 +3,6 @@ annotateKubeSystemNameSpace: false kiam: enabled: true server: - image: - tag: "v3.6" # kiam.server.assumeRoleArn -- kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role assumeRoleArn: '' useHostNetwork: true @@ -33,6 +31,7 @@ kiam: effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + priorityClassName: system-cluster-critical prometheus: servicemonitor: enabled: false @@ -40,11 +39,9 @@ kiam: labels: release: metrics log: - level: warn + level: info agent: - image: - tag: "v3.6" gatewayTimeoutCreation: "5s" updateStrategy: RollingUpdate # IP tables set on each node at boot, see CloudBender @@ -68,6 +65,7 @@ kiam: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + priorityClassName: system-node-critical prometheus: servicemonitor: enabled: false @@ -75,7 +73,7 @@ kiam: labels: release: metrics log: - level: warn + level: info # extraEnv: # - name: GRPC_GO_LOG_SEVERITY_LEVEL # value: "info" 
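Review bot: Adding `kind: ClusterIssuer` to both `issuerRef`s in this hunk widens who can obtain certificates chained to the CA that kiam trusts: `issuerRef.kind` previously defaulted to a namespaced `Issuer`, reachable only from the release namespace, whereas a ClusterIssuer can be referenced by a Certificate created in any namespace. kiam's agent/server gRPC is mutually authenticated against that CA, so anyone with `create` on `certificates.cert-manager.io` anywhere in the cluster could mint a client certificate the server accepts and request credentials for any role — this depends on the server's CA configuration, which is outside this diff. Keep `kubezero-local-ca-issuer` namespaced for kiam or constrain who may create Certificates cluster-wide, and tighten the unchanged `usages: - "any"` to `client auth` / `server auth` so a leaked agent cert cannot double as a server cert. A comment above each `issuerRef`, `# ClusterIssuer: any namespace can request certs from this CA — kiam server trusts them`, would at least flag the trust boundary.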
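Review bot: Dropping the explicit `image.tag: "v3.6"` for both `server` and `agent` in the `@@ -3,8 +3,6 @@` and `@@ -40,11 +39,9 @@` hunks means the image version now floats with whatever default the upstream `kiam` 5.9.0 chart ships, and may drift from the `appVersion: 3.6` still declared in Chart.yaml. For a component that brokers AWS credentials on every node, pinning by tag (or by digest, if the upstream chart exposes it) keeps upgrades an explicit act; a line such as `# image tag intentionally inherited from upstream chart 5.9.0 (v3.6)` would at least document the choice. The `warn` to `info` log-level change on both components is harmless in itself but worth a glance for what kiam logs per credential request. The enclosing `kiam:` map continues outside the hunks.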
diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index a9431a99..d0998312 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.4.1 -appVersion: 1.2.1 +version: 0.5.0 +appVersion: 1.3.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -18,6 +18,10 @@ dependencies: - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ + - name: eck-operator + version: 1.3.0 + repository: https://helm.elastic.co + condition: eck-operator.enabled - name: fluentd version: 2.5.1 repository: https://kubernetes-charts.storage.googleapis.com/ diff --git a/charts/kubezero-logging/eck/all-in-one.yaml b/charts/kubezero-logging/eck/all-in-one.yaml deleted file mode 100644 index e2a15744..00000000 --- a/charts/kubezero-logging/eck/all-in-one.yaml +++ /dev/null 
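Review bot: The new `eck-operator` dependency in the `@@ -18,6 +18,10 @@` hunk replaces the vendored `eck/all-in-one.yaml` (deleted below) with a chart pulled from `https://helm.elastic.co` at `helm dependency update` time; the exact `version: 1.3.0` pin is good, but whether the resolved digest is committed in a `Chart.lock` is not visible in this diff, and without it the pulled chart is version-pinned, not content-pinned. The ECK CRDs (and presumably the operator's cluster-wide RBAC), previously reviewable in the deleted manifest, now arrive from upstream on each dependency refresh. A comment on the new entry, `# ECK operator from helm.elastic.co; CRDs/RBAC come with the chart — keep Chart.lock in sync`, would make that explicit.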
@@ -1,3008 +0,0 @@ ---- -# Source: crds/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: apmservers.apm.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: APM version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: apm.k8s.elastic.co - names: - categories: - - elastic - kind: ApmServer - listKind: ApmServerList - plural: apmservers - shortNames: - - apm - singular: apmserver - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - count: - description: Count of APM Server instances to deploy. 
- format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server - resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. 
- items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. 
IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows APM agent central configuration - management in Kibana. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the APM Server pods. - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. 
- type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of the APM Server. - type: string - required: - - version - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: string - health: - description: ApmServerHealth expresses the status of the Apm Server - instances. - type: string - kibanaAssociationStatus: - description: KibanaAssociationStatus is the status of any auto-linking - to Kibana. - type: string - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that contains - the secret token - type: string - service: - description: ExternalService is the name of the service the agents should - connect to. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: beats.beat.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: available - type: integer - - JSONPath: .status.expectedNodes - description: Expected nodes - name: expected - type: integer - - JSONPath: .spec.type - description: Beat type - name: type - type: string - - JSONPath: .spec.version - description: Beat version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: beat.k8s.elastic.co - names: - categories: - - elastic - kind: Beat - listKind: BeatList - plural: beats - shortNames: - - beat - singular: beat - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Beat is the Schema for the Beats API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BeatSpec defines the desired state of a Beat. - properties: - config: - description: Config holds the Beat configuration. At most one of [`Config`, - `ConfigRef`] can be specified. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Beat configuration. Beat settings must be specified - as yaml, under a single "beat.yml" entry. At most one of [`Config`, - `ConfigRef`] can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: DaemonSet specifies the Beat should be deployed as a DaemonSet, - and allows providing its spec. Cannot be used along with `deployment`. - If both are absent a default for the Type is used. - properties: {} - type: object - deployment: - description: Deployment specifies the Beat should be deployed as a Deployment, - and allows providing its spec. Cannot be used along with `daemonSet`. - If both are absent a default for the Type is used. - properties: - replicas: - format: int32 - type: integer - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - image: - description: Image is the Beat Docker image to deploy. Version and Type - have to match the Beat in the image. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows automatic setup of dashboards - and visualizations. 
- properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes Secrets - containing sensitive configuration options for the Beat. Secrets data - can be then referenced in the Beat config using the Secret's keys - or as specified in `Entries` field of each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to Elasticsearch resource in a different namespace. Can only - be used if ECK is enforcing RBAC on references. - type: string - type: - description: Type is the type of the Beat to deploy (filebeat, metricbeat, - heartbeat, auditbeat, journalbeat, packetbeat, etc.). 
Any string can - be used, but well-known types will have the image field defaulted - and have the appropriate Elasticsearch roles created automatically. - It also allows for dashboard setup when combined with a `KibanaRef`. - maxLength: 20 - pattern: '[a-zA-Z0-9-]+' - type: string - version: - description: Version of the Beat. - type: string - required: - - type - - version - type: object - status: - description: BeatStatus defines the observed state of a Beat. - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - expectedNodes: - format: int32 - type: integer - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: elasticsearches.elasticsearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Elasticsearch version - name: version - type: string - - JSONPath: .status.phase - name: phase - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: elasticsearch.k8s.elastic.co - names: - categories: - - elastic - kind: Elasticsearch - listKind: ElasticsearchList - plural: elasticsearches - shortNames: - - es - singular: elasticsearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Elasticsearch represents an 
Elasticsearch resource in a Kubernetes - cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch - cluster. - properties: - auth: - description: Auth contains user authentication and authorization security - settings for Elasticsearch. - properties: - fileRealm: - description: FileRealm to propagate to the Elasticsearch cluster. - items: - description: FileRealmSource references users to create in the - Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - roles: - description: Roles to propagate to the Elasticsearch cluster. - items: - description: RoleSource references roles to create in the Elasticsearch - cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - type: object - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. 
- type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. 
- type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." 
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. 
More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. 
- properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes - sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch - nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - count: - description: Count of Elasticsearch nodes to deploy. - format: int32 - minimum: 1 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the - Elasticsearch node.name setting. 
- maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, - annotations, affinity rules, resource requests, and so on) for - the Pods belonging to this NodeSet. - type: object - volumeClaimTemplates: - description: VolumeClaimTemplates is a list of persistent volume - claims to be used by each Pod in this NodeSet. Every claim in - this list must have a matching volumeMount in one of the containers - defined in the PodTemplate. Items defined here take precedence - over any default claims added by the operator with the same - name. - items: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of - this representation of an object. Servers should convert - recognized schemas to the latest internal value, and may - reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST - resource this object represents. Servers may infer this - from the endpoint the client submits requests to. Cannot - be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Spec defines the desired characteristics of - a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the desired access - modes the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: This field requires the VolumeSnapshotDataSource - alpha feature gate to be enabled and currently VolumeSnapshot - is the only supported data source. If the provisioner - can support VolumeSnapshot data source, it will create - a new volume and data will be restored to the volume - at the same time. If the provisioner does not support - VolumeSnapshot data source, volume will not be created - and the failure will be reported as an event. In the - future, we plan to support more data source types - and the behavior of the provisioner may change. - properties: - apiGroup: - description: APIGroup is the group for the resource - being referenced. If APIGroup is not specified, - the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum resources - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Limits describes the maximum amount - of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - selector: - description: A label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". 
The - requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required by the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of volume - is required by the claim. Value of Filesystem is implied - when not included in claim spec. This is a beta feature. - type: string - volumeName: - description: VolumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - status: - description: 'Status represents the current information/status - of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the actual access - modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: Represents the actual resources of the - underlying volume. - type: object - conditions: - description: Current Condition of persistent volume - claim. If underlying persistent volume is being resized - then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contails - details about state of pvc - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned - from one status to another. - format: date-time - type: string - message: - description: Human-readable message indicating - details about last transition. 
- type: string - reason: - description: Unique, this should be a short, machine - understandable string that gives the reason - for condition's last transition. If it reports - "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - phase: - description: Phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: array - required: - - count - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: PodDisruptionBudget provides access to the default pod - disruption budget for the Elasticsearch cluster. The default budget - selects all cluster pods and sets `maxUnavailable` to 1. To disable, - set `PodDisruptionBudget` to the empty value (`{}` in YAML). - properties: - metadata: - description: ObjectMeta is the metadata of the PDB. The name and - namespace provided here are managed by ECK and will be ignored. - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at most "maxUnavailable" - pods selected by "selector" are unavailable after the eviction, - i.e. even in absence of the evicted pod. For example, one - can prevent all voluntary evictions by specifying 0. This - is a mutually exclusive setting with "minAvailable". - minAvailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at least "minAvailable" - pods selected by "selector" will still be available after - the eviction, i.e. even in the absence of the evicted pod. So - for example you can prevent all voluntary evictions by specifying - "100%". 
- selector: - description: Label query over pods whose evictions are managed - by the disruption budget. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: object - type: object - remoteClusters: - description: RemoteClusters enables you to establish uni-directional - connections to a remote Elasticsearch cluster. - items: - description: RemoteCluster declares a remote Elasticsearch cluster - connection. - properties: - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch - cluster running within the same k8s cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, - defaults to the current namespace. 
- type: string - required: - - name - type: object - name: - description: Name is the name of the remote cluster as it is set - in the Elasticsearch settings. The name is expected to be unique - for each remote clusters. - minLength: 1 - type: string - required: - - name - type: object - type: array - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. a remote Elasticsearch cluster) in a different - namespace. Can only be used if ECK is enforcing RBAC on references. - type: string - transport: - description: Transport holds transport layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. 
The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. 
- "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. 
This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). 
This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - type: object - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should - be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider when - applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: MaxSurge is the maximum number of new pods that - can be created exceeding the original number of pods defined - in the specification. MaxSurge is only taken into consideration - when scaling up. Setting a negative value will disable the - restriction. Defaults to unbounded if not specified. - format: int32 - type: integer - maxUnavailable: - description: MaxUnavailable is the maximum number of pods that - can be unavailable (not ready) during the update due to circumstances - under the control of the operator. Setting a negative value - will disable this restriction. Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - required: - - nodeSets - - version - type: object - status: - description: ElasticsearchStatus defines the observed state of Elasticsearch - properties: - availableNodes: - format: int32 - type: integer - health: - description: ElasticsearchHealth is the health of the cluster as returned - by the health API. - type: string - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch - is in from the controller point of view. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: enterprisesearches.enterprisesearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Enterprise Search version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: enterprisesearch.k8s.elastic.co - names: - categories: - - elastic - kind: EnterpriseSearch - listKind: EnterpriseSearchList - plural: enterprisesearches - shortNames: - - ent - singular: enterprisesearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise Search. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise - Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Enterprise Search configuration. Configuration - settings are merged and have precedence over settings specified in - `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise - Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. 
Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. 
- format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. 
- This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. 
The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. 
If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. 
- type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Enterprise Search - pods. - type: object - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - format: int32 - type: integer - health: - description: EnterpriseSearchHealth expresses the health of the Enterprise - Search instances. - type: string - service: - description: ExternalService is the name of the service associated to - the Enterprise Search Pods. 
- type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: kibanas.kibana.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Kibana version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: kibana.k8s.elastic.co - names: - categories: - - elastic - kind: Kibana - listKind: KibanaList - plural: kibanas - shortNames: - - kb - singular: kibana - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. 
See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. 
A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. 
IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Kibana pods - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Kibana. 
- type: string - required: - - version - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - format: int32 - type: integer - health: - description: KibanaHealth expresses the status of the Kibana instances. - type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# Source: eck/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: elastic-system ---- -# Source: eck/templates/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: elastic-operator - namespace: elastic-system ---- -# Source: eck/templates/webhook.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "elastic-webhook-server-cert" - namespace: elastic-system ---- -# Source: eck/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: elastic-operator -rules: -- apiGroups: - - "authorization.k8s.io" - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resources: - - pods - - endpoints - - events - - persistentvolumeclaims - - secrets - - services - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments - - statefulsets - - daemonsets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - - elasticsearches/status - - 
elasticsearches/finalizers - - enterpriselicenses - - enterpriselicenses/status - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - - kibanas/status - - kibanas/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - - apmservers/status - - apmservers/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - - enterprisesearches/status - - enterprisesearches/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - - beats/status - - beats/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -# Source: eck/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "elastic-operator-view" - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["elasticsearch.k8s.elastic.co"] - resources: ["elasticsearches"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apm.k8s.elastic.co"] - resources: ["apmservers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["kibana.k8s.elastic.co"] - resources: ["kibanas"] - verbs: ["get", "list", "watch"] - - apiGroups: ["enterprisesearch.k8s.elastic.co"] - resources: ["enterprisesearches"] - verbs: ["get", "list", "watch"] - - apiGroups: ["beat.k8s.elastic.co"] - resources: ["beats"] - verbs: 
["get", "list", "watch"] ---- -# Source: eck/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "elastic-operator-edit" - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["elasticsearch.k8s.elastic.co"] - resources: ["elasticsearches"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["apm.k8s.elastic.co"] - resources: ["apmservers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["kibana.k8s.elastic.co"] - resources: ["kibanas"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["enterprisesearch.k8s.elastic.co"] - resources: ["enterprisesearches"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["beat.k8s.elastic.co"] - resources: ["beats"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] ---- -# Source: eck/templates/managed-ns-role-bindings.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: elastic-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- -# Source: eck/templates/operator-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: elastic-operator - namespace: elastic-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- -# Source: eck/templates/webhook.yaml -apiVersion: v1 -kind: Service -metadata: - name: elastic-webhook-server - namespace: elastic-system -spec: - ports: - - name: https - port: 443 - targetPort: 9443 - selector: - control-plane: elastic-operator ---- -# Source: 
eck/templates/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: elastic-operator - namespace: elastic-system - labels: - control-plane: elastic-operator -spec: - selector: - matchLabels: - control-plane: elastic-operator - serviceName: elastic-operator - template: - metadata: - annotations: - # Rename the fields "error" to "error.message" and "source" to "event.source" - # This is to avoid a conflict with the ECS "error" and "source" documents. - "co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]" - labels: - control-plane: elastic-operator - spec: - terminationGracePeriodSeconds: 10 - serviceAccountName: elastic-operator - containers: - - image: "docker.elastic.co/eck/eck-operator:1.2.1" - imagePullPolicy: IfNotPresent - name: manager - args: - - "manager" - - "--log-verbosity=0" - - "--metrics-port=0" - - "--container-registry=docker.elastic.co" - - "--max-concurrent-reconciles=3" - - "--ca-cert-validity=8760h" - - "--ca-cert-rotate-before=24h" - - "--cert-validity=8760h" - - "--cert-rotate-before=24h" - - "--enable-webhook" - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_IMAGE - value: "docker.elastic.co/eck/eck-operator:1.2.1" - - name: WEBHOOK_SECRET - value: "elastic-webhook-server-cert" - resources: - limits: - cpu: 1 - memory: 512Mi - requests: - cpu: 100m - memory: 150Mi - ports: - - 
containerPort: 9443 - name: https-webhook - protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: "elastic-webhook-server-cert" ---- -# Source: eck/templates/webhook.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: elastic-webhook.k8s.elastic.co -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1beta1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-beat-k8s-elastic-co-v1beta1-beat - failurePolicy: Ignore - name: elastic-beat-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - beat.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - beats -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: 
elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kibanas -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1beta1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - kibanas - diff --git a/charts/kubezero-logging/eck/kustomization.yaml b/charts/kubezero-logging/eck/kustomization.yaml deleted file mode 100644 index 6adfff15..00000000 --- a/charts/kubezero-logging/eck/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -resources: -- all-in-one.yaml - -# map operator to controller nodes -patchesStrategicMerge: -- map-operator.yaml diff --git a/charts/kubezero-logging/eck/map-operator.yaml b/charts/kubezero-logging/eck/map-operator.yaml deleted file mode 100644 index e21c16f1..00000000 --- a/charts/kubezero-logging/eck/map-operator.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: elastic-operator -spec: - template: - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule 
diff --git a/charts/kubezero-logging/eck/update.sh b/charts/kubezero-logging/eck/update.sh
deleted file mode 100755
index 7083513a..00000000
--- a/charts/kubezero-logging/eck/update.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-ECK_VERSION=1.2.1
-
-curl -o all-in-one.yaml https://download.elastic.co/downloads/eck/${ECK_VERSION}/all-in-one.yaml
-
-kubectl kustomize . > ../templates/eck-operator.yaml
diff --git a/charts/kubezero-logging/templates/eck/eck-operator.yaml b/charts/kubezero-logging/templates/eck/eck-operator.yaml
deleted file mode 100644
index 366a36e9..00000000
--- a/charts/kubezero-logging/templates/eck/eck-operator.yaml
+++ /dev/null
@@ -1,3059 +0,0 @@ -{{- if .Values.es.nodeSets }} -apiVersion: v1 -kind: Namespace -metadata: - name: elastic-system ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: apmservers.apm.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: APM version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: apm.k8s.elastic.co - names: - categories: - - elastic - kind: ApmServer - listKind: ApmServerList - plural: apmservers - shortNames: - - apm - singular: apmserver - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. 
See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - count: - description: Count of APM Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server - resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. 
The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. 
This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows APM agent central configuration - management in Kibana. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the APM Server pods. - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. 
- type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of the APM Server. - type: string - required: - - version - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: string - health: - description: ApmServerHealth expresses the status of the Apm Server - instances. - type: string - kibanaAssociationStatus: - description: KibanaAssociationStatus is the status of any auto-linking - to Kibana. - type: string - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that contains - the secret token - type: string - service: - description: ExternalService is the name of the service the agents should - connect to. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: beats.beat.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: available - type: integer - - JSONPath: .status.expectedNodes - description: Expected nodes - name: expected - type: integer - - JSONPath: .spec.type - description: Beat type - name: type - type: string - - JSONPath: .spec.version - description: Beat version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: beat.k8s.elastic.co - names: - categories: - - elastic - kind: Beat - listKind: BeatList - plural: beats - shortNames: - - beat - singular: beat - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Beat is the Schema for the Beats API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BeatSpec defines the desired state of a Beat. - properties: - config: - description: Config holds the Beat configuration. At most one of [`Config`, - `ConfigRef`] can be specified. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Beat configuration. Beat settings must be specified - as yaml, under a single "beat.yml" entry. At most one of [`Config`, - `ConfigRef`] can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: DaemonSet specifies the Beat should be deployed as a DaemonSet, - and allows providing its spec. Cannot be used along with `deployment`. - If both are absent a default for the Type is used. - type: object - deployment: - description: Deployment specifies the Beat should be deployed as a Deployment, - and allows providing its spec. Cannot be used along with `daemonSet`. - If both are absent a default for the Type is used. - properties: - replicas: - format: int32 - type: integer - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - image: - description: Image is the Beat Docker image to deploy. Version and Type - have to match the Beat in the image. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows automatic setup of dashboards - and visualizations. 
- properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes Secrets - containing sensitive configuration options for the Beat. Secrets data - can be then referenced in the Beat config using the Secret's keys - or as specified in `Entries` field of each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to Elasticsearch resource in a different namespace. Can only - be used if ECK is enforcing RBAC on references. - type: string - type: - description: Type is the type of the Beat to deploy (filebeat, metricbeat, - heartbeat, auditbeat, journalbeat, packetbeat, etc.). 
Any string can - be used, but well-known types will have the image field defaulted - and have the appropriate Elasticsearch roles created automatically. - It also allows for dashboard setup when combined with a `KibanaRef`. - maxLength: 20 - pattern: '[a-zA-Z0-9-]+' - type: string - version: - description: Version of the Beat. - type: string - required: - - type - - version - type: object - status: - description: BeatStatus defines the observed state of a Beat. - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - expectedNodes: - format: int32 - type: integer - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: elasticsearches.elasticsearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Elasticsearch version - name: version - type: string - - JSONPath: .status.phase - name: phase - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: elasticsearch.k8s.elastic.co - names: - categories: - - elastic - kind: Elasticsearch - listKind: ElasticsearchList - plural: elasticsearches - shortNames: - - es - singular: elasticsearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Elasticsearch represents an 
Elasticsearch resource in a Kubernetes - cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch - cluster. - properties: - auth: - description: Auth contains user authentication and authorization security - settings for Elasticsearch. - properties: - fileRealm: - description: FileRealm to propagate to the Elasticsearch cluster. - items: - description: FileRealmSource references users to create in the - Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - roles: - description: Roles to propagate to the Elasticsearch cluster. - items: - description: RoleSource references roles to create in the Elasticsearch - cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - type: object - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. 
- type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. 
- type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." 
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. 
More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. 
- properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes - sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch - nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - count: - description: Count of Elasticsearch nodes to deploy. - format: int32 - minimum: 1 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the - Elasticsearch node.name setting. 
- maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, - annotations, affinity rules, resource requests, and so on) for - the Pods belonging to this NodeSet. - type: object - volumeClaimTemplates: - description: VolumeClaimTemplates is a list of persistent volume - claims to be used by each Pod in this NodeSet. Every claim in - this list must have a matching volumeMount in one of the containers - defined in the PodTemplate. Items defined here take precedence - over any default claims added by the operator with the same - name. - items: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of - this representation of an object. Servers should convert - recognized schemas to the latest internal value, and may - reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST - resource this object represents. Servers may infer this - from the endpoint the client submits requests to. Cannot - be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Spec defines the desired characteristics of - a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the desired access - modes the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: This field requires the VolumeSnapshotDataSource - alpha feature gate to be enabled and currently VolumeSnapshot - is the only supported data source. If the provisioner - can support VolumeSnapshot data source, it will create - a new volume and data will be restored to the volume - at the same time. If the provisioner does not support - VolumeSnapshot data source, volume will not be created - and the failure will be reported as an event. In the - future, we plan to support more data source types - and the behavior of the provisioner may change. - properties: - apiGroup: - description: APIGroup is the group for the resource - being referenced. If APIGroup is not specified, - the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum resources - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Limits describes the maximum amount - of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - selector: - description: A label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". 
The - requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required by the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of volume - is required by the claim. Value of Filesystem is implied - when not included in claim spec. This is a beta feature. - type: string - volumeName: - description: VolumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - status: - description: 'Status represents the current information/status - of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the actual access - modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: Represents the actual resources of the - underlying volume. - type: object - conditions: - description: Current Condition of persistent volume - claim. If underlying persistent volume is being resized - then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contails - details about state of pvc - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned - from one status to another. - format: date-time - type: string - message: - description: Human-readable message indicating - details about last transition. 
- type: string - reason: - description: Unique, this should be a short, machine - understandable string that gives the reason - for condition's last transition. If it reports - "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - phase: - description: Phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: array - required: - - count - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: PodDisruptionBudget provides access to the default pod - disruption budget for the Elasticsearch cluster. The default budget - selects all cluster pods and sets `maxUnavailable` to 1. To disable, - set `PodDisruptionBudget` to the empty value (`{}` in YAML). - properties: - metadata: - description: ObjectMeta is the metadata of the PDB. The name and - namespace provided here are managed by ECK and will be ignored. - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at most "maxUnavailable" - pods selected by "selector" are unavailable after the eviction, - i.e. even in absence of the evicted pod. For example, one - can prevent all voluntary evictions by specifying 0. This - is a mutually exclusive setting with "minAvailable". - minAvailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at least "minAvailable" - pods selected by "selector" will still be available after - the eviction, i.e. even in the absence of the evicted pod. So - for example you can prevent all voluntary evictions by specifying - "100%". 
- selector: - description: Label query over pods whose evictions are managed - by the disruption budget. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: object - type: object - remoteClusters: - description: RemoteClusters enables you to establish uni-directional - connections to a remote Elasticsearch cluster. - items: - description: RemoteCluster declares a remote Elasticsearch cluster - connection. - properties: - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch - cluster running within the same k8s cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, - defaults to the current namespace. 
- type: string - required: - - name - type: object - name: - description: Name is the name of the remote cluster as it is set - in the Elasticsearch settings. The name is expected to be unique - for each remote clusters. - minLength: 1 - type: string - required: - - name - type: object - type: array - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. a remote Elasticsearch cluster) in a different - namespace. Can only be used if ECK is enforcing RBAC on references. - type: string - transport: - description: Transport holds transport layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. 
The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. 
- "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. 
This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). 
This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - type: object - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should - be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider when - applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: MaxSurge is the maximum number of new pods that - can be created exceeding the original number of pods defined - in the specification. MaxSurge is only taken into consideration - when scaling up. Setting a negative value will disable the - restriction. Defaults to unbounded if not specified. - format: int32 - type: integer - maxUnavailable: - description: MaxUnavailable is the maximum number of pods that - can be unavailable (not ready) during the update due to circumstances - under the control of the operator. Setting a negative value - will disable this restriction. Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - required: - - nodeSets - - version - type: object - status: - description: ElasticsearchStatus defines the observed state of Elasticsearch - properties: - availableNodes: - format: int32 - type: integer - health: - description: ElasticsearchHealth is the health of the cluster as returned - by the health API. - type: string - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch - is in from the controller point of view. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: enterprisesearches.enterprisesearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Enterprise Search version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: enterprisesearch.k8s.elastic.co - names: - categories: - - elastic - kind: EnterpriseSearch - listKind: EnterpriseSearchList - plural: enterprisesearches - shortNames: - - ent - singular: enterprisesearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise Search. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise - Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Enterprise Search configuration. Configuration - settings are merged and have precedence over settings specified in - `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise - Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. 
Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. 
- format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. 
- This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. 
The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. 
If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. 
- type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Enterprise Search - pods. - type: object - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - format: int32 - type: integer - health: - description: EnterpriseSearchHealth expresses the health of the Enterprise - Search instances. - type: string - service: - description: ExternalService is the name of the service associated to - the Enterprise Search Pods. 
- type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: kibanas.kibana.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Kibana version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: kibana.k8s.elastic.co - names: - categories: - - elastic - kind: Kibana - listKind: KibanaList - plural: kibanas - shortNames: - - kb - singular: kibana - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. 
See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. 
A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. 
IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Kibana pods - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Kibana. 
- type: string - required: - - version - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - format: int32 - type: integer - health: - description: KibanaHealth expresses the status of the Kibana instances. - type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: elastic-webhook.k8s.elastic.co -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1beta1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-beat-k8s-elastic-co-v1beta1-beat - failurePolicy: Ignore - name: elastic-beat-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - beat.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - beats -- clientConfig: - caBundle: Cg== - service: - name: 
elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kibanas -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1beta1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - kibanas ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: elastic-operator - namespace: elastic-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: elastic-operator-edit -rules: -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - 
apm.k8s.elastic.co - resources: - - apmservers - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: elastic-operator-view -rules: -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - verbs: - - get - - list - - watch -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - verbs: - - get - - list - - watch -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - verbs: - - get - - list - - watch -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - verbs: - - get - - list - - watch -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: elastic-operator -rules: -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resources: - - pods - - endpoints - - events - - persistentvolumeclaims - - secrets - - services - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments - - statefulsets - - daemonsets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - 
policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - - elasticsearches/status - - elasticsearches/finalizers - - enterpriselicenses - - enterpriselicenses/status - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - - kibanas/status - - kibanas/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - - apmservers/status - - apmservers/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - - enterprisesearches/status - - enterprisesearches/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - - beats/status - - beats/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: elastic-operator - namespace: elastic-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: elastic-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- 
-apiVersion: v1 -kind: Secret -metadata: - name: elastic-webhook-server-cert - namespace: elastic-system ---- -apiVersion: v1 -kind: Service -metadata: - name: elastic-webhook-server - namespace: elastic-system -spec: - ports: - - name: https - port: 443 - targetPort: 9443 - selector: - control-plane: elastic-operator ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - control-plane: elastic-operator - name: elastic-operator - namespace: elastic-system -spec: - selector: - matchLabels: - control-plane: elastic-operator - serviceName: elastic-operator - template: - metadata: - annotations: - co.elastic.logs/raw: '[{"type":"container","json.keys_under_root":true,"paths":["/var/log/containers/*${data.kubernetes.container.id}.log"],"processors":[{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"error","to":"_error"}]}},{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"_error","to":"error.message"}]}},{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"source","to":"_source"}]}},{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"_source","to":"event.source"}]}}]}]' - labels: - control-plane: elastic-operator - spec: - containers: - - args: - - manager - - --log-verbosity=0 - - --metrics-port=0 - - --container-registry=docker.elastic.co - - --max-concurrent-reconciles=3 - - --ca-cert-validity=8760h - - --ca-cert-rotate-before=24h - - --cert-validity=8760h - - --cert-rotate-before=24h - - --enable-webhook - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_IMAGE - value: docker.elastic.co/eck/eck-operator:1.2.1 - - name: WEBHOOK_SECRET - value: elastic-webhook-server-cert - image: docker.elastic.co/eck/eck-operator:1.2.1 - imagePullPolicy: IfNotPresent - name: manager - ports: - - containerPort: 9443 - name: https-webhook - protocol: TCP - resources: - limits: - cpu: 1 - memory: 512Mi - requests: - cpu: 100m - memory: 150Mi - 
volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - nodeSelector: - node-role.kubernetes.io/master: "" - serviceAccountName: elastic-operator - terminationGracePeriodSeconds: 10 - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: elastic-webhook-server-cert -{{- end }} diff --git a/charts/kubezero-logging/values-all.yaml b/charts/kubezero-logging/values-all.yaml index e5997b72..c016628f 100644 --- a/charts/kubezero-logging/values-all.yaml +++ b/charts/kubezero-logging/values-all.yaml @@ -5,11 +5,11 @@ # This is for backwards compatibility with older zdt-logging setup fullnameOverride: logging -# Version for ElasticSearch and Kibana have to match so we define it at top-level -version: 7.6.0 - elastic_password: "dsfsfs" # super_secret_elastic_password +eck-operator: + enabled: true + es: nodeSets: - name: default-zone-0 diff --git a/charts/kubezero-logging/values-remote-es.yaml b/charts/kubezero-logging/values-remote-es.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index caf9fde2..5b76faac 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -1,8 +1,16 @@ # use this for backwards compatability # fullnameOverride: "" +eck-operator: + enabled: false + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" + # Version for ElasticSearch and Kibana have to match so we define it at top-level -version: 7.8.1 +version: 7.10.0 elastic_password: "" # super_secret_elastic_password 
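Review bot: The new side of this hunk still carries a literal credential, `elastic_password: "dsfsfs" # super_secret_elastic_password`, in a values file committed to the repo, and bootstrap.sh now renders such values into `$TMPDIR/kubezero.yaml` on every run. Even if `values-all.yaml` is only an example profile (an inference from its name), a realistic-looking value invites copy-paste into clusters; set it to `elastic_password: ""` here, as the chart's own values.yaml does, and document that the password is supplied at deploy time (`--set` or a pre-created Secret).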
@@ -67,7 +75,7 @@ fluentd: enabled: true additionalLabels: release: metrics - namespace: monitoring + # namespace: monitoring output: # Default should be "logging-kubezero-logging-es-http" if fullnameOverride is NOT used diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml index 77bcd5fe..a6e19e6d 100644 --- a/charts/kubezero-metrics/Chart.yaml +++ b/charts/kubezero-metrics/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-metrics description: KubeZero Umbrella Chart for prometheus-operator type: application -version: 0.2.1 +version: 0.3.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,9 +16,10 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: kube-prometheus-stack - version: 10.1.3 + version: 11.1.1 repository: https://prometheus-community.github.io/helm-charts - name: prometheus-adapter - version: 2.7.0 + version: 2.7.1 repository: https://prometheus-community.github.io/helm-charts + condition: prometheus-adapter.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index 26b48bde..89d5f9e3 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md @@ -1,6 +1,6 @@ # kubezero-metrics -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for prometheus-operator 
@@ -18,8 +18,8 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 10.0.1 | -| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.0 | +| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 11.1.1 | +| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -41,6 +41,9 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.grafana.plugins[0] | string | `"grafana-piechart-panel"` | | | kube-prometheus-stack.grafana.service.portName | string | `"http-grafana"` | | | kube-prometheus-stack.grafana.testFramework.enabled | bool | `false` | | +| kube-prometheus-stack.kube-state-metrics.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| kube-prometheus-stack.kube-state-metrics.tolerations[0].effect | string | `"NoSchedule"` | | +| kube-prometheus-stack.kube-state-metrics.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | kube-prometheus-stack.kubeApiServer.enabled | bool | `true` | | | kube-prometheus-stack.kubeControllerManager.enabled | bool | `true` | | | kube-prometheus-stack.kubeControllerManager.service.port | int | `10257` | | 
@@ -69,7 +72,6 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | | | kube-prometheus-stack.prometheus.enabled | bool | `true` | | | kube-prometheus-stack.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | | -| kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.cpu | string | `"1000m"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.memory | string | `"1Gi"` | | 
@@ -77,17 +79,17 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | | | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | | | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` | | -| kube-prometheus-stack.prometheusOperator.admissionWebhooks.enabled | bool | `false` | | -| kube-prometheus-stack.prometheusOperator.createCustomResource | bool | `true` | | +| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | | +| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | | -| kube-prometheus-stack.prometheusOperator.manageCrds | bool | `false` | | | kube-prometheus-stack.prometheusOperator.namespaces.additional[0] | string | `"kube-system"` | | | kube-prometheus-stack.prometheusOperator.namespaces.additional[1] | string | `"logging"` | | | kube-prometheus-stack.prometheusOperator.namespaces.releaseNamespace | bool | `true` | | | kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| kube-prometheus-stack.prometheusOperator.tlsProxy.enabled | bool | `false` | | | kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | | | kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| prometheus-adapter.enabled | bool | `true` | | | prometheus-adapter.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | 
prometheus-adapter.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus"` | | | prometheus-adapter.rules.default | bool | `false` | | diff --git a/charts/kubezero-metrics/templates/istio-service.yaml b/charts/kubezero-metrics/templates/istio-service.yaml index 01849889..09c75fa9 100644 --- a/charts/kubezero-metrics/templates/istio-service.yaml +++ b/charts/kubezero-metrics/templates/istio-service.yaml @@ -3,6 +3,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: grafana + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: @@ -21,6 +22,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: prometheus + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index e04470ae..2f20d6ac 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -59,10 +59,6 @@ kube-prometheus-stack: prometheusOperator: enabled: true - #image: - # tag: v0.42.1 - #prometheusConfigReloaderImage: - # tag: v0.42.1 # Run on controller nodes tolerations: 
@@ -71,24 +67,20 @@ kube-prometheus-stack: nodeSelector: node-role.kubernetes.io/master: "" - # Argo takes care of CRDs - manageCrds: false - createCustomResource: true - - # Operator has TLS support starting 0.39, but chart does not support CAConfig and operator flags yet - # see: https://github.com/coreos/prometheus-operator/blob/master/Documentation/user-guides/webhook.md#deploying-the-admission-webhook - # Until then we disable them as the patching interferes with Argo anyways - tlsProxy: - enabled: false - admissionWebhooks: - enabled: false - namespaces: releaseNamespace: true additional: - kube-system - logging + admissionWebhooks: + patch: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" + nodeExporter: enabled: true serviceMonitor: @@ -141,12 +133,21 @@ kube-prometheus-stack: testFramework: enabled: false + # Assign state metrics to control plane + kube-state-metrics: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" + # Todo alertmanager: enabled: false # Metrics adapter prometheus-adapter: + enabled: true prometheus: url: http://metrics-kube-prometheus-st-prometheus tolerations: diff --git a/charts/kubezero-redis/.helmignore b/charts/kubezero-redis/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/kubezero-redis/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/kubezero-redis/Chart.yaml b/charts/kubezero-redis/Chart.yaml new file mode 100644 index 00000000..d538fcb8 --- /dev/null 
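Review bot: Dropping the `admissionWebhooks.enabled: false` and `tlsProxy.enabled: false` overrides silently flips the prometheus-operator admission webhook to whatever the upstream chart defaults to, and the comment that explained the old overrides is removed without replacement. The new `admissionWebhooks.patch` stanza only pins the certgen job to control-plane nodes, so a reader cannot tell whether enabling the webhook (and trusting the patch job's self-generated CA) was intended; add a comment above it such as `# Operator admission webhook follows the chart default (enabled); the certgen patch job issues its serving cert`. If the webhook's failurePolicy matters for PrometheusRule validation during bootstrap, set it explicitly rather than relying on the chart default.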
+++ b/charts/kubezero-redis/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +name: kubezero-redis +description: KubeZero Umbrella Chart for Redis HA +type: application +version: 0.1.0 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - redis +maintainers: + - name: Quarky9 +dependencies: + - name: kubezero-lib + version: ">= 0.1.3" + repository: https://zero-down-time.github.io/kubezero/ + - name: redis + version: 12.0.0 + repository: https://charts.bitnami.com/bitnami +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md new file mode 100644 index 00000000..0f975d26 --- /dev/null +++ b/charts/kubezero-redis/README.md 
@@ -0,0 +1,44 @@ +# kubezero-redis + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +KubeZero Umbrella Chart for Redis HA + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.16.0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.com/bitnami | redis | 12.0.0 | +| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| istio.enabled | bool | `false` | | +| redis.cluster.slaveCount | int | `0` | | +| redis.master.persistence.enabled | bool | `false` | | +| redis.metrics.enabled | bool | `false` | | +| redis.metrics.serviceMonitor.enabled | bool | `false` | | +| redis.metrics.serviceMonitor.namespace | string | `"monitoring"` | | +| redis.metrics.serviceMonitor.selector.release | string | `"metrics"` | | +| redis.usePassword | bool | `false` | | + +# Dashboards + +## Redis + +# Resources +- https://github.com/helm/charts/tree/master/stable/redis +- https://github.com/rustudorcalin/deploying-redis-cluster +- diff --git a/charts/kubezero-redis/README.md.gotmpl b/charts/kubezero-redis/README.md.gotmpl new file mode 100644 index 00000000..bda58610 --- /dev/null +++ b/charts/kubezero-redis/README.md.gotmpl 
@@ -0,0 +1,26 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +# Dashboards +https://grafana.com/grafana/dashboards/11835 + +## Redis + +# Resources +- https://github.com/helm/charts/tree/master/stable/redis +- https://github.com/rustudorcalin/deploying-redis-cluster +- diff --git a/charts/kubezero-redis/templates/istio-authorization-policy.yaml b/charts/kubezero-redis/templates/istio-authorization-policy.yaml new file mode 100644 index 00000000..97a2a7f7 --- /dev/null +++ b/charts/kubezero-redis/templates/istio-authorization-policy.yaml @@ -0,0 +1,26 @@ +{{- if .Values.istio.enabled }} +{{- if .Values.istio.ipBlocks }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Namespace }}-redis-deny-not-in-ipblocks + namespace: istio-system + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app: istio-private-ingressgateway + action: DENY + rules: + - from: + - source: + notIpBlocks: + {{- with .Values.istio.ipBlocks }} + {{- . | toYaml | nindent 8 }} + {{- end }} + to: + - operation: + ports: ["{{ default 6379 .Values.redis.redisPort }}"] +{{- end }} +{{- end }} diff --git a/charts/kubezero-redis/templates/istio-service.yaml b/charts/kubezero-redis/templates/istio-service.yaml new file mode 100644 index 00000000..edb8823c --- /dev/null +++ b/charts/kubezero-redis/templates/istio-service.yaml 
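Review bot: The DENY policy is rendered only when `.Values.istio.ipBlocks` is non-empty, so a user who sets `istio.enabled: true` without ipBlocks gets the Redis TCP route from the sibling istio-service.yaml template with no source restriction at all, and the chart's values.yaml ships no default for ipBlocks. Either make the list mandatory when Istio is on, e.g. `{{- $blocks := required "istio.ipBlocks must be set when istio.enabled is true" .Values.istio.ipBlocks }}`, or render a deny-all policy when it is empty. Note also that the selector is hard-coded to `app: istio-private-ingressgateway` while the VirtualService binds to `.Values.istio.gateway`; if those ever point at different gateways this policy will not cover the route it is meant to protect.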
@@ -0,0 +1,22 @@ +{{- if .Values.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: redis + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + hosts: + - {{ .Values.istio.url }} + gateways: + - {{ .Values.istio.gateway }} + tcp: + - match: + - port: {{ default 6379 .Values.redis.redisPort }} + route: + - destination: + host: redis-headless + port: + number: {{ default 6379 .Values.redis.redisPort }} +{{- end }} diff --git a/charts/kubezero-redis/values.yaml b/charts/kubezero-redis/values.yaml new file mode 100644 index 00000000..1c1319e1 --- /dev/null +++ b/charts/kubezero-redis/values.yaml @@ -0,0 +1,27 @@ +redis: + redisPort: 6379 + + cluster: + slaveCount: 0 + + usePassword: false + + master: + persistence: + enabled: false +# resources: +# requests: +# memory: 256Mi +# cpu: 100m + + metrics: + enabled: false + serviceMonitor: + enabled: false + selector: + release: metrics +# extraArgs: +# redis.addr: "redis://localhost:6379" + +istio: + enabled: false diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index 93a898f0..ab65a73a 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -44,4 +44,4 @@ Kubernetes: `>= 1.16.0` | platform | string | `"aws"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) +Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/deploy/bootstrap.sh b/deploy/bootstrap.sh index c78e4256..d55324d7 100755 --- a/deploy/bootstrap.sh +++ b/deploy/bootstrap.sh 
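Review bot: With `redis.usePassword` defaulting to `false` in this chart's values.yaml, enabling this VirtualService publishes an unauthenticated Redis on port 6379 through an Istio gateway, and `istio.url` / `istio.gateway` have no defaults, so `hosts: - {{ .Values.istio.url }}` renders as a null list entry when unset. Add a guard at the top of the template, `{{- if not .Values.redis.usePassword }}{{ fail "redis.usePassword must be true when exposing Redis via Istio" }}{{- end }}`, and make the templated scalars required and quoted, e.g. `- {{ required "istio.url is required" .Values.istio.url | quote }}`.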
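Review bot: `usePassword: false` as the shipped default turns off Redis AUTH for the bitnami subchart, so every pod that can reach the service (and anything the optional Istio gateway fronts) reads and writes the store unauthenticated. For a chart meant to be exposed, a safer default is `usePassword: true` with the password taken from a pre-created Secret via the subchart's existing-Secret option rather than a literal in values, leaving `false` as an explicit opt-out. The `istio:` block should also list `url`, `gateway` and `ipBlocks` (even as empty values) so the keys the templates read are discoverable from the values file.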
@@ -1,7 +1,22 @@ #!/bin/bash set -ex -LOCATION=${1-""} +ACTION=$1 +ARTIFACTS=("$2") +LOCATION=${3:-""} + +DEPLOY_DIR=$( dirname $( realpath $0 )) +which yq || { echo "yq not found!"; exit 1; } + +TMPDIR=$(mktemp -d kubezero.XXX) + +# First lets generate kubezero.yaml +# This will be stored as secret during the initial kubezero chart install +helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml + +if [ ${ARTIFACTS[0]} == "all" ]; then + ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "kubezero.*.enabled" | awk -F "." '{print $2}')) +fi # Update only if we use upstream if [ -z "$LOCATION" ]; then @@ -9,20 +24,27 @@ if [ -z "$LOCATION" ]; then helm repo update fi -DEPLOY_DIR=$( dirname $( realpath $0 )) -which yq || { echo "yq not found!"; exit 1; } - # Waits for max 300s and retries function wait_for() { local TRIES=0 while true; do - $@ && break - [ $TRIES -eq 200 ] && return 1 + eval " $@" && break + [ $TRIES -eq 100 ] && return 1 let TRIES=$TRIES+1 sleep 3 done } + +function chart_location() { + if [ -z "$LOCATION" ]; then + echo "$1 --repo https://zero-down-time.github.io/kubezero" + else + echo "$LOCATION/$1" + fi +} + + function _helm() { local action=$1 local chart=$2 
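Review bot: `$TMPDIR` receives the fully rendered `kubezero.yaml` (the comment itself says it is later stored as a Secret, so it holds credentials such as `elastic_password`), yet it is only removed by the final `rm -rf` at the end of the script, which never runs when `set -e` aborts on an earlier failure; the rendered secrets then stay in the working directory, because `mktemp -d kubezero.XXX` is a relative template. Register the cleanup right after creation, `trap '[ -n "$DEBUG" ] || rm -rf "$TMPDIR"' EXIT`, and consider `mktemp -d -t kubezero.XXXXXX` so the directory lives under the system temp location with a longer random suffix. Separately, `[ ${ARTIFACTS[0]} == "all" ]` is unquoted and fails with a syntax error when no second argument is given; write `[ "${ARTIFACTS[0]}" == "all" ]`.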
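Review bot: `chart_location` resolves a chart to `--repo https://zero-down-time.github.io/kubezero` with no `--version`, so every upstream bootstrap installs whatever the repository currently serves as latest, and the `helm repo update` just above refreshes that index on each run; a later push to the repo silently changes what this script deploys. Pin the chart version (pass it through `chart_location`, or read it from the generated kubezero.yaml if the umbrella chart records one) so a bootstrap is reproducible and reviewable. The `eval " $@"` in `wait_for` is acceptable because all visible callers pass literal command strings; add a comment saying so, `# callers pass a quoted literal; never feed user input here`, so nobody later routes an argument into it.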
@@ -30,89 +52,257 @@ function _helm() { local namespace=$4 shift 4 - local location + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds $@ > $TMPDIR/helm.yaml - if [ -z "$LOCATION" ]; then - location="$chart --repo https://zero-down-time.github.io/kubezero" - else - location="$LOCATION/$chart" + if [ $action == "apply" ]; then + # make sure namespace exists prior to calling helm as the create-namespace options doesn't work + kubectl get ns $namespace || kubectl create ns $namespace + fi + + # If resources are out of the single $namespace, apply without restrictions + nr_ns=$(grep -e '^ namespace:' $TMPDIR/helm.yaml | sed "s/\"//g" | sort | uniq | wc -l) + if [ $nr_ns -gt 1 ]; then + kubectl $action -f $TMPDIR/helm.yaml + else + kubectl $action --namespace $namespace -f $TMPDIR/helm.yaml fi - - [ -n "$namespace" ] && kubectl get ns $namespace || kubectl create ns $namespace - helm template $location --namespace $namespace --name-template $release $@ | kubectl $action -f - } + function deploy() { _helm apply $@ } + function delete() { _helm delete $@ } + +function is_enabled() { + local chart=$1 + + enabled=$(yq r $TMPDIR/kubezero.yaml kubezero.${chart}.enabled) + if [ "$enabled" == "true" ]; then + yq r $TMPDIR/kubezero.yaml kubezero.${chart}.values > $TMPDIR/values.yaml + return 0 + fi + return 1 +} + + +########## +# Calico # +########## +function calico() { + local chart="kubezero-calico" + local release="calico" + local namespace="kube-system" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$? 
+ kubectl apply -f $TMPDIR/helm.yaml + # Don't delete the only CNI + #elif [ $task == "delete" ]; then + # delete $chart $release $namespace -f $TMPDIR/values.yaml + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + ################ # cert-manager # ################ +function cert-manager() { + local chart="kubezero-cert-manager" + local release="cert-manager" + local namespace="cert-manager" -# Let's start with minimal cert-manager to get the webhook in place -deploy kubezero-cert-manager cert-manager cert-manager + local task=$1 -echo "Waiting for cert-manager to be ready..." -wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2 -kubectl rollout status deployment -n cert-manager cert-manager-webhook -wait_for kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0" 2>/dev/null 1>&2 + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$? 
-# Either inject cert-manager backup or bootstrap -if [ -f cert-manager-backup.yaml ]; then - kubectl apply -f cert-manager-backup.yaml -else - deploy kubezero-cert-manager cert-manager cert-manager --set localCA.enabled=true - wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 - kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer + # If any error occurs, wait for initial webhook deployment and try again + # see: https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation + if [ $rc -ne 0 ]; then + wait_for "kubectl get deployment -n $namespace cert-manager-webhook" + kubectl rollout status deployment -n $namespace cert-manager-webhook + wait_for 'kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0"' + deploy $chart $release $namespace -f $TMPDIR/values.yaml + fi + + wait_for "kubectl get ClusterIssuer -n $namespace kubezero-local-ca-issuer" + kubectl wait --timeout=180s --for=condition=Ready -n $namespace ClusterIssuer/kubezero-local-ca-issuer + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns $namespace + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set cert-manager.installCRDs=false > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set cert-manager.installCRDs=true > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + +######## +# Kiam # +######## +function kiam() { + local chart="kubezero-kiam" + local release="kiam" + local namespace="kube-system" + + local task=$1 + + if [ $task == "deploy" ]; then + # Certs only first + deploy $chart $release $namespace --set 
kiam.enabled=false + kubectl wait --timeout=120s --for=condition=Ready -n kube-system Certificate/kiam-server + + # Make sure kube-system and cert-manager are allowed to kiam + kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' + kubectl annotate --overwrite namespace cert-manager 'iam.amazonaws.com/permitted=.*CertManagerRole.*' + + # Get kiam rolled out and make sure it is working + deploy $chart $release $namespace -f $TMPDIR/values.yaml + wait_for 'kubectl get daemonset -n kube-system kiam-agent' + kubectl rollout status daemonset -n kube-system kiam-agent + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + fi +} + + +####### +# EBS # +####### +function aws-ebs-csi-driver() { + local chart="kubezero-aws-ebs-csi-driver" + local release="aws-ebs-csi-driver" + local namespace="kube-system" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + fi +} + + +######### +# Istio # +######### +function istio() { + local chart="kubezero-istio" + local release="istio" + local namespace="istio-system" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + elif [ $task == "delete" ]; then + for i in $(kubectl get istiooperators -A -o name); do + kubectl delete $i -n istio-system + done + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns istio-system + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f 
$TMPDIR/crds.yaml + fi +} + + +########### +# Metrics # +########### +function metrics() { + local chart="kubezero-metrics" + local release="metrics" + local namespace="monitoring" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns monitoring + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + +########### +# Logging # +########### +function logging() { + local chart="kubezero-logging" + local release="logging" + local namespace="logging" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns logging + + # Doesnt work right now due to V2 Helm implementation of the eck-operator-crd chart + #elif [ $task == "crds" ]; then + # helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + # helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + # diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + # kubectl apply -f $TMPDIR/crds.yaml + fi +} + + +## MAIN ## +if [ $1 == "deploy" ]; then + for t in ${ARTIFACTS[@]}; do + is_enabled $t && $t deploy + 
done + +elif [ $1 == "crds" ]; then + for t in ${ARTIFACTS[@]}; do + is_enabled $t && $t crds + done + +# Delete in reverse order, continue even if errors +elif [ $1 == "delete" ]; then + set +e + for (( idx=${#ARTIFACTS[@]}-1 ; idx>=0 ; idx-- )) ; do + is_enabled ${ARTIFACTS[idx]} && ${ARTIFACTS[idx]} delete + done fi -echo "KubeZero installed successfully." -read - -# Remove all kubezero -delete kubezero-cert-manager cert-manager cert-manager - -exit 0 - -# Determine if we bootstrap or update -helm list -n argocd -f kubezero -q | grep -q kubezero && rc=$? || rc=$? -if [ $rc -eq 0 ]; then - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml -else - - - # Make sure kube-system is allowed to kiam - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' - - # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server - - # Now lets make sure kiam is working - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2 - kubectl rollout status daemonset -n kube-system kiam-agent - - # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get 
deployment -n istio-operator istio-operator 2>/dev/null 1>&2 - kubectl rollout status deployment -n istio-operator istio-operator - - # Metrics - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2 - - # Finally we could enable the actual config and deploy all - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml -fi +[ "$DEBUG" == "" ] && rm -rf $TMPDIR diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 2ac91f71..4bc914eb 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -2,18 +2,6 @@ set -e DEPLOY_DIR=$( dirname $( realpath $0 )) -which yq || { echo "yq not found!"; exit 1; } - -# Waits for max 300s and retries -function wait_for() { - local TRIES=0 - while true; do - $@ && break - [ $TRIES -eq 200 ] && return 1 - let TRIES=$TRIES+1 - sleep 3 - done -} helm repo add kubezero https://zero-down-time.github.io/kubezero helm repo update 
@@ -24,72 +12,6 @@ if [ $rc -eq 0 ]; then helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml else - # During bootstrap we first generate a minimal values.yaml to prevent various deadlocks - - # Generate ArgoCD password if not in values.yaml yet and add it - grep -q argocdServerAdminPassword values.yaml && rc=$? || rc=$? - if [ $rc -ne 0 ]; then - _argo_date="$(date -u --iso-8601=seconds)" - _argo_passwd="$($DEPLOY_DIR/argocd_password.py)" - - cat < _argocd_values.yaml -argo-cd: - configs: - secret: - # ArgoCD password: ${_argo_passwd%%:*} Please move to secure location ! - argocdServerAdminPassword: "${_argo_passwd##*:}" - argocdServerAdminPasswordMtime: "$_argo_date" -EOF - yq merge -i --overwrite values.yaml _argocd_values.yaml && rm -f _argocd_values.yaml - fi - - # Deploy initial argocd - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-1.yaml > generated-values.yaml - helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml - # Wait for argocd-server to be running - kubectl rollout status deployment -n argocd kubezero-argocd-server - - # Now wait for cert-manager and the local CA to be bootstrapped - echo "Waiting for cert-manager to be deployed..." 
- wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2 - kubectl rollout status deployment -n cert-manager cert-manager-webhook - - # Either inject cert-manager backup or bootstrap - if [ -f cert-manager-backup.yaml ]; then - kubectl apply -f cert-manager-backup.yaml - else - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-2.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 - kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer - fi - - # Make sure kube-system is allowed to kiam - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' - - # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server - - # Now lets make sure kiam is working - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2 - kubectl rollout status daemonset -n kube-system kiam-agent - - # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2 - kubectl rollout status 
deployment -n istio-operator istio-operator - - # Metrics - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2 - - # Finally we could enable the actual config and deploy all - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml + echo "To bootstrap clusters please use bootstrap.sh !" + exit 1 fi diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index 074e876d..fb5e85b7 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml @@ -134,6 +134,11 @@ kubezero: logging: enabled: {{ .Values.logging.enabled }} values: + {{- with index .Values "logging" "eck-operator" }} + eck-operator: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.logging.elastic_password }} elastic_password: {{ .Values.logging.elastic_password }} {{- end }} diff --git a/deploy/values-step-1.yaml b/deploy/values-step-1.yaml deleted file mode 100644 index 4a78cef2..00000000 --- a/deploy/values-step-1.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kiam: - enabled: false - ready: false - -cert-manager: - ready: false - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-2.yaml b/deploy/values-step-2.yaml deleted file mode 100644 index 23ee9418..00000000 --- a/deploy/values-step-2.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kiam: - enabled: false - ready: false - -cert-manager: - ready: true - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-3.yaml b/deploy/values-step-3.yaml deleted file mode 100644 index c5522496..00000000 
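Review bot: The new else branch reports the failure with a plain `echo` before `exit 1`, so the reason goes to stdout rather than stderr and is lost to any caller that captures or discards stdout; write it as `echo "To bootstrap clusters please use bootstrap.sh !" >&2`. The branch is reached whenever the `rc` check in the `if [ $rc -eq 0 ]` line above the hunk fails, which presumably covers both a missing release and an unreachable cluster, so a short comment such as `# No kubezero release found: this script only updates, bootstrapping lives in bootstrap.sh` would make the intent explicit. The enclosing `if` starts outside the hunk.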
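Review bot: The line directly after the new block, `elastic_password: {{ .Values.logging.elastic_password }}`, still renders the password as a plain scalar, so a value that is all digits, looks like a boolean, or contains `: ` or ` #` is retyped or breaks the generated YAML; `elastic_password: {{ .Values.logging.elastic_password | quote }}` avoids that and is consistent with the new `toYaml` block, which already serialises the eck-operator map safely. The `index .Values "logging" "eck-operator"` form is required because the key contains a hyphen and cannot be reached with dot syntax; a one-line comment `# index: key contains a hyphen, dot access is not possible` would spare the next reader a lookup. Note that `with` also skips an explicitly empty map, so `eck-operator: {}` renders nothing, which looks intended.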
--- a/deploy/values-step-3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kiam: - certsOnly: true - ready: false - -cert-manager: - ready: true - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-4.yaml b/deploy/values-step-4.yaml deleted file mode 100644 index 4091229e..00000000 --- a/deploy/values-step-4.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kiam: - ready: false - -cert-manager: - ready: true - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-5.yaml b/deploy/values-step-5.yaml deleted file mode 100644 index f1bfe0c7..00000000 --- a/deploy/values-step-5.yaml +++ /dev/null @@ -1,9 +0,0 @@ -istio: - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-6.yaml b/deploy/values-step-6.yaml deleted file mode 100644 index 5b08cd77..00000000 --- a/deploy/values-step-6.yaml +++ /dev/null @@ -1,6 +0,0 @@ -metrics: - enabled: true - ready: false - -logging: - enabled: false diff --git a/deploy/values.yaml b/deploy/values.yaml index 8fa526fb..720ecffd 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -39,12 +39,15 @@ metrics: logging: enabled: false + eck-operator: + enabled: false fluentd: - enabled: false + enabled: false fluent-bit: - enabled: false + enabled: false argo-cd: + enabled: false server: {} istio: enabled: true