diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000000..6da030f91c7 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,15 @@ +root = true + +[*.{yaml,yml,yml.j2,yaml.j2}] +indent_style = space +indent_size = 2 +trim_trailing_whitespace = true +insert_final_newline = true +charset = utf-8 + +[{Dockerfile}] +indent_style = space +indent_size = 2 +trim_trailing_whitespace = true +insert_final_newline = true +charset = utf-8 diff --git a/.gitlab-ci/terraform.yml b/.gitlab-ci/terraform.yml index 0bd133f0db6..241cbe53e74 100644 --- a/.gitlab-ci/terraform.yml +++ b/.gitlab-ci/terraform.yml @@ -171,4 +171,4 @@ tf-elastx_ubuntu18-calico: TF_VAR_flavor_k8s_master: 3f73fc93-ec61-4808-88df-2580d94c1a9b # v1-standard-2 TF_VAR_flavor_k8s_node: 3f73fc93-ec61-4808-88df-2580d94c1a9b # v1-standard-2 TF_VAR_image: ubuntu-18.04-server-latest - TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]' \ No newline at end of file + TF_VAR_k8s_allowed_remote_ips: '["0.0.0.0/0"]' diff --git a/.gitlab-ci/vagrant.yml b/.gitlab-ci/vagrant.yml index fcc5de45946..7861dbe3ccc 100644 --- a/.gitlab-ci/vagrant.yml +++ b/.gitlab-ci/vagrant.yml @@ -51,4 +51,4 @@ vagrant_ubuntu18-weave-medium: vagrant_ubuntu20-flannel: stage: deploy-part2 extends: .vagrant - when: on_success \ No newline at end of file + when: on_success diff --git a/Dockerfile b/Dockerfile index 67ac6f81b25..fd3eec5a699 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,12 +6,12 @@ RUN apt update -y && \ apt install -y \ libssl-dev python3-dev sshpass apt-transport-https jq moreutils \ ca-certificates curl gnupg2 software-properties-common python3-pip rsync -RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ - add-apt-repository \ - "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ - $(lsb_release -cs) \ - stable" \ - && apt update -y && apt-get install docker-ce -y +RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \ + add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ + $(lsb_release -cs) \ + stable" \ + && apt update -y && apt-get install docker-ce -y COPY . . RUN /usr/bin/python3 -m pip install pip -U && /usr/bin/python3 -m pip install -r tests/requirements.txt && python3 -m pip install -r requirements.txt && update-alternatives --install /usr/bin/python python /usr/bin/python3 1 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.5/bin/linux/amd64/kubectl \ diff --git a/README.md b/README.md index 396e168e699..4fe0520d1d8 100644 --- a/README.md +++ b/README.md @@ -115,22 +115,22 @@ Note: Upstart/SysV init based OS types are not supported. ## Supported Components - Core - - [kubernetes](https://github.com/kubernetes/kubernetes) v1.18.4 + - [kubernetes](https://github.com/kubernetes/kubernetes) v1.18.5 - [etcd](https://github.com/coreos/etcd) v3.3.12 - [docker](https://www.docker.com/) v19.03 (see note) - [containerd](https://containerd.io/) v1.2.13 - [cri-o](http://cri-o.io/) v1.17 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS) - Network Plugin - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6 - - [calico](https://github.com/projectcalico/calico) v3.14.1 + - [calico](https://github.com/projectcalico/calico) v3.15.0 - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions) - - [cilium](https://github.com/cilium/cilium) v1.7.4 + - [cilium](https://github.com/cilium/cilium) v1.8.0 - [contiv](https://github.com/contiv/install) v1.2.1 - [flanneld](https://github.com/coreos/flannel) v0.12.0 - - [kube-ovn](https://github.com/alauda/kube-ovn) v1.2.0 - - [kube-router](https://github.com/cloudnativelabs/kube-router) v0.4.0 + - [kube-ovn](https://github.com/alauda/kube-ovn) v1.2.1 + - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.0.0 - [multus](https://github.com/intel/multus-cni) v3.4.2 - - [weave](https://github.com/weaveworks/weave) v2.6.4 + - [weave](https://github.com/weaveworks/weave) v2.6.5 - Application - [cephfs-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.0-k8s1.11 - [rbd-provisioner](https://github.com/kubernetes-incubator/external-storage) v2.1.1-k8s1.11 diff --git a/_config.yml b/_config.yml index a2b6bf07ebd..9b686697c4e 100644 --- a/_config.yml +++ b/_config.yml @@ -1,2 +1,2 @@ --- -theme: jekyll-theme-slate \ No newline at end of file +theme: jekyll-theme-slate diff --git a/cluster.yml b/cluster.yml index 51162b1d4e4..f208f87ba79 100644 --- a/cluster.yml +++ b/cluster.yml @@ -4,6 +4,7 @@ - hosts: all gather_facts: false + tags: always tasks: - name: "Set up proxy environment" set_fact: @@ -33,6 +34,7 @@ - { role: bootstrap-os, tags: bootstrap-os} - name: Gather facts + tags: always import_playbook: facts.yml - hosts: k8s-cluster:etcd diff --git a/contrib/inventory_builder/inventory.py b/contrib/inventory_builder/inventory.py index 2cd2494afda..95d5eac0b31 100644 --- a/contrib/inventory_builder/inventory.py +++ b/contrib/inventory_builder/inventory.py @@ -41,6 +41,7 @@ import os import re +import subprocess import sys ROLES = ['all', 'kube-master', 'kube-node', 'etcd', 'k8s-cluster', @@ -69,6 +70,7 @@ def get_var_as_bool(name, default): DEBUG = get_var_as_bool("DEBUG", True) HOST_PREFIX = os.environ.get("HOST_PREFIX", "node") +USE_REAL_HOSTNAME = get_var_as_bool("USE_REAL_HOSTNAME", False) # Configurable as shell vars end @@ -167,6 +169,7 @@ def build_hostnames(self, changed_hosts): # FIXME(mattymo): Fix condition where delete then add reuses highest id next_host_id = highest_host_id + 1 + next_host = "" all_hosts = existing_hosts.copy() for host in changed_hosts: @@ -191,8 +194,14 @@ def build_hostnames(self, changed_hosts): self.debug("Skipping existing host {0}.".format(ip)) continue - next_host = "{0}{1}".format(HOST_PREFIX, next_host_id) - next_host_id += 1 + if USE_REAL_HOSTNAME: + cmd = ("ssh -oStrictHostKeyChecking=no " + + access_ip + " 'hostname -s'") + next_host = subprocess.check_output(cmd, shell=True) + next_host = next_host.strip().decode('ascii') + else: + next_host = "{0}{1}".format(HOST_PREFIX, next_host_id) + next_host_id += 1 all_hosts[next_host] = {'ansible_host': access_ip, 'ip': ip, 'access_ip': access_ip} diff --git a/contrib/metallb/library b/contrib/metallb/library deleted file mode 120000 index 494d3c39e3a..00000000000 --- a/contrib/metallb/library +++ /dev/null @@ -1 +0,0 @@ -../../library \ No newline at end of file diff --git a/contrib/metallb/metallb.yml b/contrib/metallb/metallb.yml deleted file mode 100644 index b7353ced767..00000000000 --- a/contrib/metallb/metallb.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- hosts: bastion[0] - gather_facts: False - roles: - - { role: kubespray-defaults} - - { role: bastion-ssh-config, tags: ["localhost", "bastion"]} -- hosts: kube-master[0] - tags: - - "provision" - roles: - - { role: kubespray-defaults} - - { role: provision } diff --git a/contrib/metallb/roles/provision/defaults/main.yml b/contrib/metallb/roles/provision/defaults/main.yml deleted file mode 100644 index 5e4a27fee8d..00000000000 --- a/contrib/metallb/roles/provision/defaults/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -metallb: - ip_range: - - "10.5.0.50-10.5.0.99" - protocol: "layer2" - # additional_address_pools: - # kube_service_pool: - # ip_range: - # - 10.5.1.50-10.5.1.99" - # protocol: "layer2" - # auto_assign: false - limits: - cpu: "100m" - memory: "100Mi" - port: "7472" - version: v0.9.3 diff --git a/contrib/metallb/roles/provision/templates/metallb-config.yml.j2 b/contrib/metallb/roles/provision/templates/metallb-config.yml.j2 deleted file mode 100644 index f35aada1307..00000000000 --- a/contrib/metallb/roles/provision/templates/metallb-config.yml.j2 +++ /dev/null @@ -1,25 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: metallb-system - name: config -data: - config: | - address-pools: - - name: loadbalanced - protocol: {{ metallb.protocol }} - addresses: -{% for ip_range in metallb.ip_range %} - - {{ ip_range }} -{% endfor %} -{% if metallb.additional_address_pools is defined %}{% for pool in metallb.additional_address_pools %} - - name: {{ pool }} - protocol: {{ metallb.additional_address_pools[pool].protocol }} - addresses: -{% for ip_range in metallb.additional_address_pools[pool].ip_range %} - - {{ ip_range }} -{% endfor %} - auto-assign: {{ metallb.additional_address_pools[pool].auto_assign }} -{% endfor %} -{% endif %} diff --git a/contrib/metallb/roles/provision/templates/metallb.yml.j2 b/contrib/metallb/roles/provision/templates/metallb.yml.j2 deleted file mode 100644 index 4758c0b8e4b..00000000000 --- a/contrib/metallb/roles/provision/templates/metallb.yml.j2 +++ /dev/null @@ -1,266 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: metallb-system - labels: - app: metallb ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: metallb-system - name: controller - labels: - app: metallb ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: metallb-system - name: speaker - labels: - app: metallb - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: metallb-system:controller - labels: - app: metallb -rules: -- apiGroups: [""] - resources: ["services"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: [""] - resources: ["services/status"] - verbs: ["update"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: metallb-system:speaker - labels: - app: metallb -rules: -- apiGroups: [""] - resources: ["services", "endpoints", "nodes"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create"] -{% if podsecuritypolicy_enabled %} -- apiGroups: ["policy"] - resourceNames: ["metallb"] - resources: ["podsecuritypolicies"] - verbs: ["use"] ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: metallb - annotations: - seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' - seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' -{% if apparmor_enabled %} - apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' - apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' -{% endif %} - labels: - app: metallb -spec: - privileged: true - allowPrivilegeEscalation: false - allowedCapabilities: - - net_raw - volumes: - - secret - hostNetwork: true - hostPorts: - - min: {{ metallb.port }} - max: {{ metallb.port }} - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' - readOnlyRootFilesystem: true -{% endif %} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: metallb-system - name: config-watcher - labels: - app: metallb -rules: -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create"] ---- - -## Role bindings -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metallb-system:controller - labels: - app: metallb -subjects: -- kind: ServiceAccount - name: controller - namespace: metallb-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb-system:controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metallb-system:speaker - labels: - app: metallb -subjects: -- kind: ServiceAccount - name: speaker - namespace: metallb-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: metallb-system:speaker ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - namespace: metallb-system - name: config-watcher - labels: - app: metallb -subjects: -- kind: ServiceAccount - name: controller -- kind: ServiceAccount - name: speaker -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: config-watcher ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - namespace: metallb-system - name: speaker - labels: - app: metallb - component: speaker -spec: - selector: - matchLabels: - app: metallb - component: speaker - template: - metadata: - labels: - app: metallb - component: speaker - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ metallb.port }}" - spec: - serviceAccountName: speaker - terminationGracePeriodSeconds: 0 - hostNetwork: true - containers: - - name: speaker - image: metallb/speaker:{{ metallb.version }} - imagePullPolicy: IfNotPresent - args: - - --port={{ metallb.port }} - - --config=config - env: - - name: METALLB_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - ports: - - name: monitoring - containerPort: {{ metallb.port }} - resources: - limits: - cpu: {{ metallb.limits.cpu }} - memory: {{ metallb.limits.memory }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - all - add: - - net_raw - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: metallb-system - name: controller - labels: - app: metallb - component: controller -spec: - revisionHistoryLimit: 3 - selector: - matchLabels: - app: metallb - component: controller - template: - metadata: - labels: - app: metallb - component: controller - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ metallb.port }}" - spec: - serviceAccountName: controller - terminationGracePeriodSeconds: 0 - securityContext: - runAsNonRoot: true - runAsUser: 65534 # nobody - containers: - - name: controller - image: metallb/controller:{{ metallb.version }} - imagePullPolicy: IfNotPresent - args: - - --port={{ metallb.port }} - - --config=config - ports: - - name: monitoring - containerPort: {{ metallb.port }} - resources: - limits: - cpu: {{ metallb.limits.cpu }} - memory: {{ metallb.limits.memory }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - ---- diff --git a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2 b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2 index 9619139e496..866c09f3ea2 100644 --- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2 +++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-endpoint.json.j2 @@ -8,7 +8,7 @@ {% for host in groups['gfs-cluster'] %} { "addresses": [ - { + { "ip": "{{hostvars[host]['ip']|default(hostvars[host].ansible_default_ipv4['address'])}}" } ], diff --git a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-pv.yml.j2 b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-pv.yml.j2 index 4eef00535a2..f6ba4358efc 100644 --- a/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-pv.yml.j2 +++ b/contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/templates/glusterfs-kubernetes-pv.yml.j2 @@ -1,7 +1,7 @@ apiVersion: v1 kind: PersistentVolume metadata: - name: glusterfs + name: glusterfs spec: capacity: storage: "{{ hostvars[groups['gfs-cluster'][0]].gluster_disk_size_gb }}Gi" diff --git a/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml b/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml index 9ff327366c6..77398009c37 100644 --- a/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml +++ b/contrib/vault/roles/vault/tasks/bootstrap/start_vault_temp.yml @@ -6,11 +6,11 @@ - name: bootstrap/start_vault_temp | Start single node Vault with file backend command: > - docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }} - -p {{ vault_port }}:{{ vault_port }} - -e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}' - -v /etc/vault:/etc/vault - {{ vault_image_repo }}:{{ vault_version }} server + docker run -d --cap-add=IPC_LOCK --name {{ vault_temp_container_name }} + -p {{ vault_port }}:{{ vault_port }} + -e 'VAULT_LOCAL_CONFIG={{ vault_temp_config|to_json }}' + -v /etc/vault:/etc/vault + {{ vault_image_repo }}:{{ vault_version }} server - name: bootstrap/start_vault_temp | Start again single node Vault with file backend command: docker start {{ vault_temp_container_name }} diff --git a/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml b/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml index dff1f16ddfe..5471ea520de 100644 --- a/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml +++ b/contrib/vault/roles/vault/tasks/bootstrap/sync_secrets.yml @@ -21,9 +21,9 @@ - name: bootstrap/sync_secrets | Print out warning message if secrets are not available and vault is initialized pause: prompt: > - Vault orchestration may not be able to proceed. The Vault cluster is initialized, but - 'root_token' or 'unseal_keys' were not found in {{ vault_secrets_dir }}. These are - needed for many vault orchestration steps. + Vault orchestration may not be able to proceed. The Vault cluster is initialized, but + 'root_token' or 'unseal_keys' were not found in {{ vault_secrets_dir }}. These are + needed for many vault orchestration steps. when: vault_cluster_is_initialized and not vault_secrets_available - name: bootstrap/sync_secrets | Cat root_token from a vault host diff --git a/contrib/vault/roles/vault/tasks/shared/check_etcd.yml b/contrib/vault/roles/vault/tasks/shared/check_etcd.yml index f8599d5367e..444228701b2 100644 --- a/contrib/vault/roles/vault/tasks/shared/check_etcd.yml +++ b/contrib/vault/roles/vault/tasks/shared/check_etcd.yml @@ -25,6 +25,6 @@ - name: check_etcd | Fail if etcd is not available and needed fail: msg: > - Unable to start Vault cluster! Etcd is not available at - {{ vault_etcd_url.split(',') | first }} however it is needed by Vault as a backend. + Unable to start Vault cluster! Etcd is not available at + {{ vault_etcd_url.split(',') | first }} however it is needed by Vault as a backend. when: vault_etcd_needed|d() and not vault_etcd_available diff --git a/contrib/vault/roles/vault/tasks/shared/check_vault.yml b/contrib/vault/roles/vault/tasks/shared/check_vault.yml index c109048015e..32571f4795c 100644 --- a/contrib/vault/roles/vault/tasks/shared/check_vault.yml +++ b/contrib/vault/roles/vault/tasks/shared/check_vault.yml @@ -46,7 +46,7 @@ set_fact: vault_cluster_is_initialized: >- {{ vault_is_initialized or - hostvars[item]['vault_is_initialized'] or - ('value' in vault_etcd_exists.stdout|default('')) }} + hostvars[item]['vault_is_initialized'] or + ('value' in vault_etcd_exists.stdout|default('')) }} with_items: "{{ groups.vault }}" run_once: true diff --git a/contrib/vault/roles/vault/tasks/shared/create_role.yml b/contrib/vault/roles/vault/tasks/shared/create_role.yml index d3aa3e441e9..792f7548401 100644 --- a/contrib/vault/roles/vault/tasks/shared/create_role.yml +++ b/contrib/vault/roles/vault/tasks/shared/create_role.yml @@ -6,9 +6,9 @@ ca_cert: "{{ vault_cert_dir }}/ca.pem" name: "{{ create_role_name }}" rules: >- - {%- if create_role_policy_rules|d("default") == "default" -%} - {{ - { 'path': { + {%- if create_role_policy_rules|d("default") == "default" -%} + {{ + { 'path': { create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'}, create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'} }} | to_json + '\n' @@ -24,13 +24,13 @@ ca_cert: "{{ vault_cert_dir }}/ca.pem" secret: "{{ create_role_mount_path }}/roles/{{ create_role_name }}" data: | - {%- if create_role_options|d("default") == "default" -%} - { - allow_any_name: true - } - {%- else -%} - {{ create_role_options | to_json }} - {%- endif -%} + {%- if create_role_options|d("default") == "default" -%} + { + allow_any_name: true + } + {%- else -%} + {{ create_role_options | to_json }} + {%- endif -%} ## Userpass based auth method diff --git a/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml b/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml index a49b443e368..e609fc41afd 100644 --- a/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml +++ b/contrib/vault/roles/vault/tasks/shared/gen_userpass.yml @@ -18,8 +18,8 @@ - name: shared/gen_userpass | Copy credentials to all hosts in the group copy: content: > - {{ - {'username': gen_userpass_username, - 'password': gen_userpass_password} | to_nice_json(indent=4) - }} + {{ + {'username': gen_userpass_username, + 'password': gen_userpass_password} | to_nice_json(indent=4) + }} dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass" diff --git a/contrib/vault/roles/vault/templates/http-proxy.conf.j2 b/contrib/vault/roles/vault/templates/http-proxy.conf.j2 index 0e24a9d773b..e790477719d 100644 --- a/contrib/vault/roles/vault/templates/http-proxy.conf.j2 +++ b/contrib/vault/roles/vault/templates/http-proxy.conf.j2 @@ -1,2 +1,2 @@ [Service] -Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %} \ No newline at end of file +Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %} diff --git a/docs/ansible.md b/docs/ansible.md index dea73fe465e..09d6bdd3480 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -138,6 +138,7 @@ The following tags are defined in playbooks: | upload | Distributing images/binaries across hosts | weave | Network plugin Weave | ingress_alb | AWS ALB Ingress Controller +| ambassador | Ambassador Ingress Controller Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all tags found in the codebase. New tags will be listed with the empty "Used for" diff --git a/docs/azure.md b/docs/azure.md index de2e007d030..d1baccc1823 100644 --- a/docs/azure.md +++ b/docs/azure.md @@ -13,6 +13,13 @@ Before creating the instances you must first set the `azure_` variables in the ` All of the values can be retrieved using the azure cli tool which can be downloaded here: After installation you have to run `az login` to get access to your account. +### azure_cloud + +Azure Stack has different API endpoints, depending on the Azure Stack deployment. These need to be provided to the Azure SDK. +Possible values are: `AzureChinaCloud`, `AzureGermanCloud`, `AzurePublicCloud` and `AzureUSGovernmentCloud`. +The full list of existing settings for the AzureChinaCloud, AzureGermanCloud, AzurePublicCloud and AzureUSGovernmentCloud +is available in the source code [here](https://github.com/kubernetes-sigs/cloud-provider-azure/blob/master/docs/cloud-provider-config.md) + ### azure\_tenant\_id + azure\_subscription\_id run `az account show` to retrieve your subscription id and tenant id: diff --git a/docs/dns-stack.md b/docs/dns-stack.md index 26314526600..bd9e00d7491 100644 --- a/docs/dns-stack.md +++ b/docs/dns-stack.md @@ -40,8 +40,6 @@ is not set, a default resolver is chosen (depending on cloud provider or 8.8.8.8 DNS servers to be added *after* the cluster DNS. Used by all ``resolvconf_mode`` modes. These serve as backup DNS servers in early cluster deployment when no cluster DNS is available yet. -## DNS modes supported by Kubespray - ### coredns_external_zones Array of optional external zones to coredns forward queries to. It's injected into @@ -69,9 +67,23 @@ coredns_external_zones: or as INI ```ini -coredns_external_zones=[{"cache": 30,"zones":["example.com","example.io:453"],"nameservers":["1.1.1.1","2.2.2.2"]}]' +coredns_external_zones='[{"cache": 30,"zones":["example.com","example.io:453"],"nameservers":["1.1.1.1","2.2.2.2"]}]' ``` +### dns_etchosts (coredns) + +Optional hosts file content to coredns use as /etc/hosts file. This will also be used by nodelocaldns, if enabled. + +Example: + +```yaml +dns_etchosts: | + 192.168.0.100 api.example.com + 192.168.0.200 ingress.example.com +``` + +## DNS modes supported by Kubespray + You can modify how Kubespray sets up DNS for your cluster with the variables ``dns_mode`` and ``resolvconf_mode``. ### dns_mode @@ -182,6 +194,10 @@ nodelocaldns_external_zones: - 192.168.0.53 ``` +### dns_etchosts (nodelocaldns) + +See [dns_etchosts](#dns_etchosts-coredns) above. + ## Limitations * Kubespray has yet ways to configure Kubedns addon to forward requests SkyDns can diff --git a/docs/getting-started.md b/docs/getting-started.md index 60ec3f6f7d1..4a1fea6b88d 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -36,7 +36,7 @@ ansible-playbook -i inventory/mycluster/hosts.yml cluster.yml -b -v \ --private-key=~/.ssh/private_key ``` -See more details in the [ansible guide](docs/ansible.md). +See more details in the [ansible guide](/docs/ansible.md). ### Adding nodes @@ -81,12 +81,12 @@ kube-apiserver via port 8080. A kubeconfig file is not necessary in this case, because kubectl will use to connect. The kubeconfig files generated will point to localhost (on kube-masters) and kube-node hosts will connect either to a localhost nginx proxy or to a loadbalancer if configured. -More details on this process are in the [HA guide](docs/ha-mode.md). +More details on this process are in the [HA guide](/docs/ha-mode.md). Kubespray permits connecting to the cluster remotely on any IP of any kube-master host on port 6443 by default. However, this requires authentication. One can get a kubeconfig from kube-master hosts -(see [below](#accessing-kubernetes-api)) or connect with a [username and password](vars.md#user-accounts). +(see [below](#accessing-kubernetes-api)) or connect with a [username and password](/docs/vars.md#user-accounts). For more information on kubeconfig and accessing a Kubernetes cluster, refer to the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/). diff --git a/docs/test_cases.md b/docs/test_cases.md index 67600dae183..3b572d8b87e 100644 --- a/docs/test_cases.md +++ b/docs/test_cases.md @@ -20,7 +20,7 @@ Note, the canal network plugin deploys flannel as well plus calico policy contro ## Test cases -The [CI Matrix](docs/ci.md) displays OS, Network Plugin and Container Manager tested. +The [CI Matrix](/docs/ci.md) displays OS, Network Plugin and Container Manager tested. All tests are breakdown into 3 "stages" ("Stage" means a build step of the build pipeline) as follows: diff --git a/docs/vagrant.md b/docs/vagrant.md index da385f74d65..f132ead8a13 100644 --- a/docs/vagrant.md +++ b/docs/vagrant.md @@ -24,7 +24,7 @@ The supported operating systems for vagrant are defined in the `SUPPORTED_OS` co ## File and image caching -Kubespray can take quite a while to start on a laptop. To improve provisioning speed, the variable 'download_run_once' is set. This will make kubespray download all files and containers just once and then redistributes them to the other nodes and as a bonus, also cache all downloads locally and re-use them on the next provisioning run. For more information on download settings see [download documentation](downloads.md). +Kubespray can take quite a while to start on a laptop. To improve provisioning speed, the variable 'download_run_once' is set. This will make kubespray download all files and containers just once and then redistributes them to the other nodes and as a bonus, also cache all downloads locally and re-use them on the next provisioning run. For more information on download settings see [download documentation](/docs/downloads.md). ## Example use of Vagrant diff --git a/docs/vars.md b/docs/vars.md index bf13b7ccbf3..db672a389e0 100644 --- a/docs/vars.md +++ b/docs/vars.md @@ -38,11 +38,11 @@ Some variables of note include: * *loadbalancer_apiserver* - If defined, all hosts will connect to this address instead of localhost for kube-masters and kube-master[0] for kube-nodes. See more details in the - [HA guide](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/ha-mode.md). + [HA guide](/docs/ha-mode.md). * *loadbalancer_apiserver_localhost* - makes all hosts to connect to the apiserver internally load balanced endpoint. Mutual exclusive to the `loadbalancer_apiserver`. See more details in the - [HA guide](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/ha-mode.md). + [HA guide](/docs/ha-mode.md). ## Cluster variables @@ -99,6 +99,7 @@ variables to match your requirements. addition to Kubespray deployed DNS * *nameservers* - Array of DNS servers configured for use by hosts * *searchdomains* - Array of up to 4 search domains +* *dns_etchosts* - Content of hosts file for coredns and nodelocaldns For more information, see [DNS Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.md). diff --git a/inventory/sample/group_vars/all/azure.yml b/inventory/sample/group_vars/all/azure.yml index 02ea0f91add..b9daeb91a79 100644 --- a/inventory/sample/group_vars/all/azure.yml +++ b/inventory/sample/group_vars/all/azure.yml @@ -1,6 +1,7 @@ ## When azure is used, you need to also set the following variables. ## see docs/azure.md for details on how to get these values +# azure_cloud: # azure_tenant_id: # azure_subscription_id: # azure_aad_client_id: diff --git a/inventory/sample/group_vars/etcd.yml b/inventory/sample/group_vars/etcd.yml index 737482f7ec0..cbc388e43e2 100644 --- a/inventory/sample/group_vars/etcd.yml +++ b/inventory/sample/group_vars/etcd.yml @@ -19,4 +19,4 @@ # etcd_peer_client_auth: true ## Settings for etcd deployment type -etcd_deployment_type: docker \ No newline at end of file +etcd_deployment_type: docker diff --git a/inventory/sample/group_vars/k8s-cluster/addons.yml b/inventory/sample/group_vars/k8s-cluster/addons.yml index d8f554cf664..4fd6a06074c 100644 --- a/inventory/sample/group_vars/k8s-cluster/addons.yml +++ b/inventory/sample/group_vars/k8s-cluster/addons.yml @@ -103,6 +103,11 @@ ingress_publish_status_address: "" # ingress_nginx_extra_args: # - --default-ssl-certificate=default/foo-tls +# ambassador ingress controller deployment +ingress_ambassador_enabled: false +# ingress_ambassador_namespace: "ambassador" +# ingress_ambassador_version: "*" + # ALB ingress controller deployment ingress_alb_enabled: false # alb_ingress_aws_region: "us-east-1" @@ -114,3 +119,19 @@ ingress_alb_enabled: false # Cert manager deployment cert_manager_enabled: false # cert_manager_namespace: "cert-manager" + +# MetalLB deployment +metallb_enabled: false +# metallb_ip_range: +# - "10.5.0.50-10.5.0.99" +# metallb_version: v0.9.3 +# metallb_protocol: "layer2" +# metallb_port: "7472" +# metallb_limits_cpu: "100m" +# metallb_limits_mem: "100Mi" +# metallb_additional_address_pools: +# kube_service_pool: +# ip_range: +# - "10.5.1.50-10.5.1.99" +# protocol: "layer2" +# auto_assign: false diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml index 3a7ce48792a..767802885ff 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml @@ -20,7 +20,7 @@ kube_users_dir: "{{ kube_config_dir }}/users" kube_api_anonymous_auth: true ## Change this to use another Kubernetes version, e.g. a current beta release -kube_version: v1.18.4 +kube_version: v1.18.5 # kubernetes image repo define kube_image_repo: "k8s.gcr.io" @@ -309,3 +309,6 @@ persistent_volumes_enabled: false # - TLS_RSA_WITH_AES_256_CBC_SHA # - TLS_RSA_WITH_AES_256_GCM_SHA384 # - TLS_RSA_WITH_RC4_128_SHA + +## Amount of time to retain events. (default 1h0m0s) +event_ttl_duration: "1h0m0s" diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml b/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml index 9dfaabbb4fe..d81af4ebcfa 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-net-calico.yml @@ -25,6 +25,13 @@ # defaults. The value should be a number, not a string. # calico_mtu: 1500 +# Configure the MTU to use for workload interfaces and tunnels. +# - If Wireguard is enabled, set to your network MTU - 60 +# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 +# - Otherwise, if IPIP is enabled, set to your network MTU - 20 +# - Otherwise, if not using any encapsulation, set to your network MTU. +# calico_veth_mtu: 1440 + # Advertise Cluster IPs # calico_advertise_cluster_ips: true diff --git a/roles/bastion-ssh-config/tasks/main.yml b/roles/bastion-ssh-config/tasks/main.yml index 7ea39bbd8cd..cf558087cd6 100644 --- a/roles/bastion-ssh-config/tasks/main.yml +++ b/roles/bastion-ssh-config/tasks/main.yml @@ -3,6 +3,7 @@ set_fact: bastion_ip: "{{ hostvars[groups['bastion'][0]]['ansible_host'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_host']) }}" delegate_to: localhost + connection: local # As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly # To figure out the real ssh user, we delegate this task to the bastion and store the ansible_user in real_user @@ -13,6 +14,7 @@ - name: create ssh bastion conf become: false delegate_to: localhost + connection: local template: src: ssh-bastion.conf dest: "{{ playbook_dir }}/ssh-bastion.conf" diff --git a/roles/container-engine/containerd/templates/apt_preferences.d/debian_containerd.j2 b/roles/container-engine/containerd/templates/apt_preferences.d/debian_containerd.j2 index 896d70ff9ea..5299573b365 100644 --- a/roles/container-engine/containerd/templates/apt_preferences.d/debian_containerd.j2 +++ b/roles/container-engine/containerd/templates/apt_preferences.d/debian_containerd.j2 @@ -1,3 +1,3 @@ -Package: {{ containerd_package }} -Pin: version {{ containerd_version }}* -Pin-Priority: 1001 +Package: {{ containerd_package }} +Pin: version {{ containerd_version }}* +Pin-Priority: 1001 diff --git a/roles/container-engine/docker/vars/debian.yml b/roles/container-engine/docker/vars/debian.yml index e19c090a36d..c266302eb0b 100644 --- a/roles/container-engine/docker/vars/debian.yml +++ b/roles/container-engine/docker/vars/debian.yml @@ -41,9 +41,9 @@ docker_repo_info: pkg_repo: apt_repository repos: - > - deb {{ docker_debian_repo_base_url }} - {{ ansible_distribution_release|lower }} - stable + deb {{ docker_debian_repo_base_url }} + {{ ansible_distribution_release|lower }} + stable dockerproject_repo_key_info: pkg_key: apt_key @@ -55,6 +55,6 @@ dockerproject_repo_info: pkg_repo: apt_repository repos: - > - deb {{ docker_debian_repo_base_url }} - {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }} - main + deb {{ docker_debian_repo_base_url }} + {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }} + main diff --git a/roles/container-engine/docker/vars/ubuntu-amd64.yml b/roles/container-engine/docker/vars/ubuntu-amd64.yml index ea9f143d05b..0f264e5e3c3 100644 --- a/roles/container-engine/docker/vars/ubuntu-amd64.yml +++ b/roles/container-engine/docker/vars/ubuntu-amd64.yml @@ -41,9 +41,9 @@ docker_repo_info: pkg_repo: apt_repository repos: - > - deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} - {{ ansible_distribution_release|lower }} - stable + deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} + {{ ansible_distribution_release|lower }} + stable dockerproject_repo_key_info: pkg_key: apt_key @@ -55,6 +55,6 @@ dockerproject_repo_info: pkg_repo: apt_repository repos: - > - deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} - {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }} - main + deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} + {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }} + main diff --git a/roles/container-engine/docker/vars/ubuntu-arm64.yml b/roles/container-engine/docker/vars/ubuntu-arm64.yml index fd25b6bcbe7..bd35458e52c 100644 --- a/roles/container-engine/docker/vars/ubuntu-arm64.yml +++ b/roles/container-engine/docker/vars/ubuntu-arm64.yml @@ -37,9 +37,9 @@ docker_repo_info: pkg_repo: apt_repository repos: - > - deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} - {{ ansible_distribution_release|lower }} - stable + deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} + {{ ansible_distribution_release|lower }} + stable dockerproject_repo_key_info: pkg_key: apt_key @@ -51,6 +51,6 @@ dockerproject_repo_info: pkg_repo: apt_repository repos: - > - deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} - {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }} - main + deb [arch={{ host_architecture }}] {{ docker_ubuntu_repo_base_url }} + {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }} + main diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 9d0db72ceb6..48dbc6573a9 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -49,7 +49,7 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{ groups['kub image_arch: "{{host_architecture | default('amd64')}}" # Versions -kube_version: v1.18.4 +kube_version: v1.18.5 kubeadm_version: "{{ kube_version }}" etcd_version: v3.3.12 @@ -65,23 +65,23 @@ quay_image_repo: "quay.io" # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults # after migration to container download -calico_version: "v3.14.1" -calico_ctl_version: "v3.14.1" -calico_cni_version: "v3.14.1" -calico_policy_version: "v3.14.1" -calico_typha_version: "v3.14.1" +calico_version: "v3.15.0" +calico_ctl_version: "{{ calico_version }}" +calico_cni_version: "{{ calico_version }}" +calico_policy_version: "{{ calico_version }}" +calico_typha_version: "{{ calico_version }}" typha_enabled: false flannel_version: "v0.12.0" cni_version: "v0.8.6" -weave_version: 2.6.4 +weave_version: 2.6.5 pod_infra_version: "3.2" contiv_version: 1.2.1 -cilium_version: "v1.7.4" -kube_ovn_version: "v1.2.0" -kube_router_version: "v0.4.0" +cilium_version: "v1.8.0" +kube_ovn_version: "v1.2.1" +kube_router_version: "v1.0.0" multus_version: "v3.4.2" # Get kubernetes major version (i.e. 1.17.4 => 1.17) @@ -118,11 +118,13 @@ crictl_checksums: # Checksums kubelet_checksums: arm: + v1.18.5: 9f8ab727964c6f42f1c17089bf2f7b4b2f2a5c61ffab3bad16eb02d9feb05855 v1.18.4: 796defe5f8b43a5316a487a377b4059df12b9b3c933f3fe4dff40e8144a11af6 v1.18.3: 491344027cbec40bc867a79c7130c27c143648544b5dfe4a28929cf26427dc3b v1.18.2: b7b9c43851dde9cbaa2061828410c60ee63e53fbf3ebc5559b7f4387dae67bb9 v1.18.1: 04d8e0a080dcb23d579c69e769e75bd5abaa1977d43550ec891560d76f1f7f37 v1.18.0: 985c1a1b492ccc6e46e1cd454790dae539d5b93208efb05e35114f66a183de99 + v1.17.8: 82320569bc9deff33d148c759a105f1a32de3d83855165100261a4ad395d1845 v1.17.7: 3b368039523357959e451a35867b5659701e135ca2069cb9487c7459084c46d9 v1.17.6: e522cda9b86de29da72fd306968e1ba44cb85b61a743083f8fee39899a755210 v1.17.5: d1eb5b7a3a88030490f1619f2e7d723926214ba941e2172112bccb71f41d9aab @@ -131,6 +133,7 @@ kubelet_checksums: v1.17.2: 9a2ab021f8556fabcb00022052810b3d8136704141891439de1340ac9e439d6d v1.17.1: 0219c940bad3238dfbdf8e4518241d861bbdd8fc93d172cc632c225d7dd57094 v1.17.0: 75ae6ad8f4a7f2ac3988b37a01c28093f240745d17c1781135d1844057c8ae94 + v1.16.12: edc35704864fdf5ea28b7bd17580e2155c8599f8f93ed0fb2979f89f747a3f97 v1.16.11: adb8c2ecc937b6486d73551121d986924a7e1f503a70d973cc683f8a6ae4f9ab v1.16.10: a1e3b5af8d6e97fdd11154435266f606361978e9a9d0b836f69427c274153c0c v1.16.9: 5c08b7754d0230dcd5493ab09e00c2e2397ce795cb450c0807220faa69e87548 @@ -143,11 +146,13 @@ kubelet_checksums: v1.16.1: 605581ba04a1e971dd90f4741495ebc6051601144d03b03c63e2f22d03556b4b v1.16.0: 3158e95f4b78b12af0225b4c54c487d7926ac61c783a4646290c0f3da0dce5df arm64: + v1.18.5: c3815bc740755aa9fd3ec240ad808a13628a4deb6ec2b4338e772fd0cf77e1a2 v1.18.4: ec4e18e7a2e94fb1ca83d739eadb8d81748cf6a48b87b8fe0d66131e9515e8c6 v1.18.3: f88deee2052b4d1e3a15fd7352b93728c23d69497a4199a56e62fa871bdf7edb v1.18.2: 89b5066ae17df8488c76a83c70cbcac0771fa36803e31b826f2770b5efcdbfbf v1.18.1: 2181cde9e6b24055d262b78758b365363273896968df673eb13d4f17a4f69c4a v1.18.0: db91a26f8baa2bce017172305e717e77be5cfc4272592be8cb0155e1cfa7719e + v1.17.8: 673355f62aa422915682ae595e4e53813e4656f2c272eb032f97492211cfced5 v1.17.7: eb1715a745281f6aee34644653f73787acdd9f3904e3d58e1319ded4a16be013 v1.17.6: 6ded412f13e5d8bd0368372150334580a05cd4dc7629f437c789a5aa6008e8e5 v1.17.5: 9220a7390d9c5cb5c770d947babdec288d044126b9982bbd5d5c8785354a6701 @@ -156,6 +161,7 @@ kubelet_checksums: v1.17.2: 133b69346da8e34daaf20f421657625a06630ec1e11f06961523836383cea72c v1.17.1: c773512ade5da3188ed4c312d5ba01bfbf3f376f6e580e5b074827a5b25450aa v1.17.0: b1a4a2325383854a69ec768e7dc00f69378d3ccbc554859d910bf5b582264ea2 + v1.16.12: 0ef9d42e27bf85e9ff276f2181e17e2912941c3a7ae9086de722ac3c9cea997f v1.16.11: 074a81dbe658bc47b9e5b9a4733743239c40bc83472b745c7c85774bf33ff3ab v1.16.10: 0634e04a13393dfe8604a7798a11f4c3d2cdc9443e26cbc6d3af35e9ac9727ee v1.16.9: 10c5dc66f309184389ffb7c2d8d9d4d8f291a81559385b5537bce8f0b8c7e918 @@ -168,11 +174,13 @@ kubelet_checksums: v1.16.1: d056f403814dcbadcbb9f6be0db20295c04b7fcad6dc13c145b1a51bd1a927a4 v1.16.0: 64bc4b211f05246f8ec33318db68a59ecc1ba7f1a6716eb1db7f3e0ea3495ca2 amd64: + v1.18.5: 8c328f65d30f0edd0fd4f529b09d6fc588cfb7b524d5c9f181e36de6e494e19c v1.18.4: 42bcd6a8fe1abeab12cbe9be0f16d4a7b15017937a5de66eb67a38073de7eb72 v1.18.3: 6aac8853028a4f185de5ccb5b41b3fbd87726161445dee56f351e3e51442d669 v1.18.2: bc13d29b58300c328f0078c7f72e37e1254c4303277348862af1e7f2b356b9e3 v1.18.1: 4c5737235e62a5bb0b5d3f51939ccd255ebda376d75941222b25241251b67fbc v1.18.0: 3a90e7abf9910aebf9ef5845918c665afd4136a8832604ccfabca2defb35ce0f + v1.17.8: b39081fb40332ae12d262b04dc81630e5c6550fb196f09b60f3d726283dff17f v1.17.7: a6b66c94a37dd6ae830a9af5b9200884a2c0af868096a3c2553b2e876723c2a2 v1.17.6: 4b7fd5123bfafe2249bf91ed83469c2655a8d3295966e5fbd952f89b64b75f57 v1.17.5: c5fbfa83444bdeefb51934c29f0b4b7ffc43ce5a98d7f957d8a11e3440055383 @@ -181,6 +189,7 @@ kubelet_checksums: v1.17.2: 33c6befab43ace4c4e89eab9c45d0cea5432f3cea4beaa956c786fe521f844bb v1.17.1: ffd04d1934c193fa63b3fc7d285d3646ed215f07f726390eefb0913b810716c3 v1.17.0: c2af77f501c3164e80171903028d35c632366f53dec0c8419828d4e55d86146f + v1.16.12: fbc8c16b148dbb3234a3e13f80e6c6736557c10f8c046edfb1dc5337fe2dd40f v1.16.11: edab125cf34c5e95cd883b52385861247cb68ed45605e0ba0774dcf55bde9519 v1.16.10: 82b38f444d11c2436040165b1addf46d0909a6daec9133cc979678835ef8e14b v1.16.9: 79e7a1500e154b53087cf7895a710d081d2c357bd34d05362edf230e3c269e63 @@ -194,11 +203,13 @@ kubelet_checksums: v1.16.0: 77ac3f347497434b790aba46e6e06bb2e6e7a6e76b05af739d33b0441d39a263 kubectl_checksums: arm: + v1.18.5: 5fc8dc6e3d09ceaf900dd06b9af3a7abb291293cea5219aea577bad852aa84b1 v1.18.4: 9617b1a929aad7e3bf9f1151f83548e5e3f89175f5d3f961733b8b0ec2e376c4 v1.18.3: 1816364467b98e7ae52731f593780f392d6835d33db5b12a671abfffb72a4eac v1.18.2: 353d61297cfbf01ed3f72b7df1658110c065355d670556ea3bdbf0d1b2824aea v1.18.1: 896c90b1b9d88e121876d93718591f3ecbab880b304767806c6c9fcb3b145805 v1.18.0: 34fc6d16c2f535ed381b5fd3a4d40b642fff4f9ff95f8250b8043a29b8c062b9 + v1.17.8: e1a75ee55e1270583143422cc611547623aeef2c69689354c69b0b8f445cf6ba v1.17.7: 1b862c79333b7edee64f0317f8c5de8699f99b00709734e3341d41cca3b8f29b v1.17.6: 2ad9897b84dd503c963ff790ce092aeb4c8e78ac64b7986a6c6ed1c601255419 v1.17.5: 470139a2ca98a85ab89210d07dc733d457d48a8419bbf038ee7e55276e2b5c35 @@ -207,6 +218,7 @@ kubectl_checksums: v1.17.2: 152e5b5e1a744ad8e4860bef212462750e0a38856990d6a4d0b3418bedb5346f v1.17.1: a1e580e9140536c4a370c207ee66481cfe8d8876dc9021755a9d20232a97033d v1.17.0: 594b3e2f89dca09d82b176b51bf6c8c0fa524ed209c14ec915c9b36fa876601d + v1.16.12: 0f39db272aa24e12f5842bd30623801e677232ec42d469935d3ecf0040a72970 v1.16.11: f0d50fbc930d97220d5dccea309025f42341b7a99b113032d05860f03c7f33dc v1.16.10: f196dfd5592f1d4cbe92b3e7a7de2307bbbf9cec0a09d4eb22b645650ed79af7 v1.16.9: 1d5627c9e186c6f3b501045e1328f54925d2ced852f93baf2e89a342fa85e788 @@ -219,11 +231,13 @@ kubectl_checksums: v1.16.1: ee975a46a67967bf008db15d70e429b62d68ce3adfc7c8ddb6ef26194d220896 v1.16.0: 86c130d211144f9665a4441f43ced8151e7df54a3af7e2874d46fbff79608e2e arm64: + v1.18.5: 28c1edb2d76f80e70e10fa8cd2a30b9fccc5f003d8b3e853535d8317db7f424a v1.18.4: 61c5004f6e9040163bc09459a11fd17b0f9ff55d7ba8f9b1e89368b5f2cdf072 v1.18.3: fc4479d1f7e58e6c8f40430a35f6b09b6f582909f69968e424fc20640ac45daf v1.18.2: 8d4bd6a716e32187e03c5998b4d9570f3b2eb9fb041ac9ed6e9728f04935c2fb v1.18.1: 39e9645c6bed1e7340b3d764db983b9fc35326b11325fd509c3660c9f55469ed v1.18.0: 0de307f90502cd58e5785cdcbebeb552df81fa2399190f8a662afea9e30bc74d + v1.17.8: 4dfd36dbd637b8dca9a7c4e789fb3fe4ca420062c90d3a872ae751dfb9777cb6 v1.17.7: 00c71ceffa9b50af081d2838b102be49ca224a8aa928f5c948b804af84c58818 v1.17.6: ceccf6ef3e0ac523cb75d46d1b4979ae1f8cf199926244a9d828cb77f024e46b v1.17.5: 160d1198a6da3eb082e197e368ba86c2acce435e073e9f3ee271aa59c7fb47d6 @@ -232,6 +246,7 @@ kubectl_checksums: v1.17.2: 29c36d5866a76ca693a255567ac26d7558c1f02e6b840895093e47afe06594d9 v1.17.1: 4208be10e2c12b67e71219cd39b0b2ab065d4ec1b26e19c5da88cb8ebc64ea2f v1.17.0: cba12bfe0ee447b06f00813d7d4ba3fbdbf5116eccc4d3291987044f2d6f93c2 + v1.16.12: 7f493dcf9d4edfeea68284c4cd7c74383be23f24e9aefd59c08dc37bc20b46db v1.16.11: a6bc2f6b099c19fd1f0748ebb8cc90a710e2af32f1c245c08c92e77db609ce3b v1.16.10: 94418c3817fdeac8263cdf019f78313a8a45b539e96a1962d11a308b75a18438 v1.16.9: c957a8a346b7e83c33b8ed6386b8d3e942e34bbc8794bdca33f7304977fc377e @@ -244,11 +259,13 @@ kubectl_checksums: v1.16.1: 8366cd74910411dd9546117edd98b3248b6d33e8ea9b7e65de84168e0f162d47 v1.16.0: bdec615287163fa53b315f9d0481da3900df4063b0a41c3a412077fe765ee6c2 amd64: + v1.18.5: 69d9b044ffaf544a4d1d4b40272f05d56aaf75d7e3c526d5418d1d3c78249e45 v1.18.4: 5fea9ad294ea73f952243178db5340dc29c14ad96aed3f92a18deedb73f221ec v1.18.3: 6fcf70aae5bc64870c358fac153cdfdc93f55d8bae010741ecce06bb14c083ea v1.18.2: 6ea8261b503c6c63d616878837dc70b758d4a3aeb9996ade8e83b51aedac9698 v1.18.1: f5144823e6d8a0b78611a8d12e7a25202126d079c3a232b18f37e61e872ff563 v1.18.0: bb16739fcad964c197752200ff89d89aad7b118cb1de5725dc53fe924c40e3f7 + v1.17.8: 01283cbc2b09555cbf2a71c162097552a62a4fd48a0a4c06e34e9b853b815486 v1.17.7: 7124a296518edda2ae326e754aec9be6d0ac86131e6f61b52f5ecaa413b66ae4 v1.17.6: 5e245f6af6fb761fbe4b3ac06b753f33b361ce0486c48c85b45731a7ee5e4cca v1.17.5: 03cd1fa19f90d38005148793efdb17a9b58d01dedea641a8496b9cf228db3ab4 @@ -257,6 +274,7 @@ kubectl_checksums: v1.17.2: 7732548b9c353114b0dfa173bc7bcdedd58a607a5b4ca49d867bdb4c05dc25a1 v1.17.1: a87a0acdc67d066bc331cb96c7fd29a883d67a41beeef538a0bd2878872ebad9 v1.17.0: 6e0aaaffe5507a44ec6b1b8a0fb585285813b78cc045f8804e70a6aac9d1cb4c + v1.16.12: db72e5c90de59e1bf287bef55eaf0b603c8d74b3dc552f356ccc02b08c2eb348 v1.16.11: fe65c523d52dbcd1973069a96ca4fd2d1c81ea941d79864114fd5e5c75549012 v1.16.10: 246d36e4ce67e74e95ff2ba578b9189f58e5def0e8830a24cd30fa3cf279742f v1.16.9: 0f3a6618a2e7402b11a1d9b9ffeff3ba0c6765dc361815413ce7441799aecf96 @@ -270,11 +288,13 @@ kubectl_checksums: v1.16.0: 4fc8a7024ef17b907820890f11ba7e59a6a578fa91ea593ce8e58b3260f7fb88 kubeadm_checksums: arm: + v1.18.5: 461641c8fb8db2afe6e103aca925a4ef9d161dcae08a96fc24674b0ea0122e04 v1.18.4: 0a8a021cb3d18295f53843b1ab7d2d8bf9b861d5d6bd160f24717d22aa5a8fa7 v1.18.3: 88b8004dcfbf8862e5ae4dadcd4e4ef86c91211e48cd45922d5a18634b06d1b3 v1.18.2: c3558beca26c1b970cee8419dcf24f9812483f6ef384cea9a704491bc3af1e2c v1.18.1: 4f919ad7215209dee97ea4c61668e44a2cce8f575b9cf4032e47f0c377924854 v1.18.0: 0f05bd526bb38be11459675c69bc882a2d3e583e48339fab49b620d292c2433e + v1.17.8: 1e8e653a07438131126f62b853b442356b341d2950f0d7c30d2a96e773a54611 v1.17.7: 47c911a7deff993e654da1e0644fe627e496292d7a7a5f43f33fa4cde6b6856d v1.17.6: a12f4281d018a7d53611cb1c0c537cd8f82dc01f3e16c16513622c1d6c9db658 v1.17.5: ae2b66de65a6a435ff06ea8e542904e92c5eec0c42c2e57905a2a31a52106ca1 @@ -283,6 +303,7 @@ kubeadm_checksums: v1.17.2: c0a74989da367d9c11b25d4fbd90e8d3d1a013a63c9be7bbce61b320715c1a83 v1.17.1: 501d1bacb863713dd9d0101d0021b0227869c4b1b9e903f6498333c613d384e1 v1.17.0: 5fcf1234d89bc2a364c53b76b36134fc57278b456138d93c278805f2c9b186f1 + v1.16.12: 0de9916e2117304d1f112a6d2bd53f08043f81329c2c12ca17635b98c88bc6a6 v1.16.11: 9489861c4856d9b0fdf7124a2bd38c01f29ecc4a83c1b602083e1cc739040d10 v1.16.10: e7c09d060fcbe5948ea43fa9b0465ea2c0fd91de76b403530df23062e3b44341 v1.16.9: fb2b48e7a866a09611d825fc122f6bc2b04473b0ccb06682436effd2351ad425 @@ -295,11 +316,13 @@ kubeadm_checksums: v1.16.1: 38293a03064f47c3817299475b8dc950563854aff99a87d07cf31f0ebf402015 v1.16.0: 6c666958e11b7d4513adecb3107c885c98bdc79f38d369c9f80eaaeae4ddfe66 arm64: + v1.18.5: 0e2a9de622177015c2514498382b0d821ac8f71c7ed5f02e5684d456ff3c0e4d v1.18.4: 67feef5289663ac1bf7c3ab6bdc2d5ac2f24e9ca5ddad82129fd8ea1f9c8b747 v1.18.3: 6a6fda8e2abdaed05f9df16528c8c0ae59cbe89fbda467cce204bf548965863f v1.18.2: e5a1f738443c15f5f8f3b316c6c7f8038f84f24b5d4bf2eef5bee39ca208952a v1.18.1: 0cb6589d9b4c09b007eae977ab8a185fc4140eda886408dced4f500a508e4e83 v1.18.0: 2ef1785159c80a9acd454a1c8be3c6b8db2260200b22e4359426e709ff786d01 + v1.17.8: 5a52e7d0306890e68ed66fc47ecd70bf14628c70527442fd0cd2973dbde7064c v1.17.7: 6c8622adf5a7a2dfc66ebe15058353b2e2660b01f1e8990bab7a9c7fca76bccb v1.17.6: b9f20f98aeecc7b011727ff8be9008a8229cdbea6d3dd93f782622c306306288 v1.17.5: 6f004152ca1f60bb6ac7446e2c317957df5cff5ac55b60c08ce7869792dc4196 @@ -308,6 +331,7 @@ kubeadm_checksums: v1.17.2: 091864574d38d3e30ed57734419b55d0957f39291d6f573ff8fffc8d474fb9ec v1.17.1: c640eb50406962628ac6e31fd840506a360b5d9c57d14007d0eaada28c49d64f v1.17.0: 0b94d1ace240a8f9995358ca2b66ac92072e3f3cd0543275b315dcd317798546 + v1.16.12: 67f675f8fb1ff3af56ca0a976323a65cabc35efa53b7896146684b8f53990741 v1.16.11: 21ae6f9275525130ec051ddbd09932f7baee2ab85b83f884a879a7b005f9fcb6 v1.16.10: 568d5be1cad4d2b2d4811055f2ec9fc478fd827d77d02b1ea1aa916eada7c32a v1.16.9: 2045b51d08ca4f1ca646edf8ed716b79200ac587d08b4281b03ca0297ecb01e5 @@ -320,11 +344,13 @@ kubeadm_checksums: v1.16.1: 000aaffa911d3d46dad0a4af8d59408ee56eea5b8eff5cb1b9fbee9986763165 v1.16.0: 9a1d21bfb6bd15697ac010665e5917a5364b340d5b60f2f0302c179d75da0f3f amd64: + v1.18.5: e428fc9d1cf860090346a83eb66082c3be6b6032f0db9e4f8e6d52492d46231f v1.18.4: cec00c2629805b660b5f41b13292dfe75cbd3803e57a1ded53def912fedb1a22 v1.18.3: a60974e9840e006076d204fd4ddcba96213beba10fb89ff01882095546c9684d v1.18.2: 290bb6acb12c844f76affbab1ce374903bd97c4f19ac8cd3e6fdb7208d638ac8 v1.18.1: fdb194647048f3e3ebdc93613b21a5b678fcbe0d212d08c0d56758d1bf2d2c85 v1.18.0: 0261331c2ea718c0cd39114871aa098f1b4685f6101cb78cc880f645e72d0654 + v1.17.8: c59b85696c4cbabe896ba71f4bbc99e4ad2444fcea851e3ee740705584420aad v1.17.7: 9d4b97e93ddb204798b91fec063743e218c92b42798779b5248a49e1476226e2 v1.17.6: d4cfc9a0a734ba015594974ee4253b8965b95cdb6e83d8a6a946675aad418b40 v1.17.5: 9bd2fd1118b3d07d12e2a806c04bf34d99e79886c5318ddc003ba38f30da390c @@ -333,6 +359,7 @@ kubeadm_checksums: v1.17.2: 33a1d8e3cea2bdbb9fa9cb257c516289ee50d957fcb6d7b35919f5f0e6ca2f41 v1.17.1: 11bd31833dab9adb5b53398772dd1582264c3d1757cb3395e691d6a7379081ec v1.17.0: 0d8443f50fb7caab2e5e7e53f9dc56d5ffe55f021ec061f2e2bcba0481df5a48 + v1.16.12: bb4d0f045600b883745016416c14533f823d582f4f20df691b7f79a6545b6480 v1.16.11: a40ed479d89271f2d5514121a3ad3cb0a9bc90845d511c0c87b1c99bcca880f1 v1.16.10: 726d42c569f25078d03b758477f17f543c845aef2ff48acd9d4269705ca1aa9d v1.16.9: 99b3bd3a59e5832b2bfe3f3936ffd1f983e22913b32111684311d11fd2cefbf1 @@ -357,11 +384,13 @@ cni_binary_checksums: amd64: 994fbfcdbb2eedcfa87e48d8edb9bb365f4e2747a7e47658482556c12fd9b2f5 calicoctl_binary_checksums: arm: + v3.15.0: 0 v3.14.1: 0 v3.14.0: 0 v3.13.3: 0 v3.11.1: 0 amd64: + v3.15.0: 4600d5d7f08ed9cf479fc8fa87518dbbca32a473d0a4a212cfecb610c18216aa v3.14.1: 5fe8a7b00a45cf48879eff42b08dcdb85cf0121f3720ac8cbd06566aaa385667 v3.14.0: 4e38c7e81653faf3659b0afddabde4dff736bb1b4cc59ebe238907a9641816a7 v3.13.3: 570539d436df51bb349bb1a8c6b200a3a6f20803a9d391aa2c5cf19a70a083d4 @@ -372,6 +401,7 @@ calicoctl_binary_checksums: v3.7.3: 932f68e893e80e95e10f064f1e7745e438d456f41a6ff12d11bb16ca0cab735c v3.7.5: e40a4fcda834eb0d2fe932c716403eef5761a521e3aef8e6ea25dd737d56242d arm64: + v3.15.0: 9b3d000801987599bee58e0dc4906d5cde87dc9dc4c9b410097a9b1c19e916ba v3.14.1: 326da28cb726988029f70fbf3d4de424a4edd9949fd435fad81f2203c93e4c36 v3.14.0: 14272da8dbb82c0f823fbb50a88d4815513dfafa20a7e33f635a8068ae5b2db6 v3.13.3: 0c47acd6d200ba1f8348b389cd7a54771542158fef657afc633a30ddad97e272 @@ -487,6 +517,8 @@ local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-p local_path_provisioner_image_tag: "v0.0.14" ingress_nginx_controller_image_repo: "{{ quay_image_repo }}/kubernetes-ingress-controller/nginx-ingress-controller" ingress_nginx_controller_image_tag: "0.32.0" +ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operator" +ingress_ambassador_image_tag: "v1.2.8" alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller" alb_ingress_image_tag: "v1.1.8" cert_manager_version: "v0.11.1" @@ -985,6 +1017,15 @@ downloads: groups: - kube-node + ingress_ambassador_controller: + enabled: "{{ ingress_ambassador_enabled }}" + container: true + repo: "{{ ingress_ambassador_image_repo }}" + tag: "{{ ingress_ambassador_image_tag }}" + sha256: "{{ ingress_ambassador_digest_checksum|default(None) }}" + groups: + - kube-node + ingress_alb_controller: enabled: "{{ ingress_alb_enabled }}" container: true diff --git a/roles/download/tasks/download_container.yml b/roles/download/tasks/download_container.yml index fbf0831d291..234bf1f9557 100644 --- a/roles/download/tasks/download_container.yml +++ b/roles/download/tasks/download_container.yml @@ -25,6 +25,7 @@ stat: path: "{{ image_path_cached }}" delegate_to: localhost + connection: local delegate_facts: no register: cache_image changed_when: false diff --git a/roles/download/tasks/download_file.yml b/roles/download/tasks/download_file.yml index 86727dafc32..648f4335387 100644 --- a/roles/download/tasks/download_file.yml +++ b/roles/download/tasks/download_file.yml @@ -25,6 +25,7 @@ state: directory recurse: yes delegate_to: localhost + connection: local delegate_facts: false run_once: true become: false diff --git a/roles/download/tasks/prep_download.yml b/roles/download/tasks/prep_download.yml index 34bcaa2b90f..8e1d131ca5b 100644 --- a/roles/download/tasks/prep_download.yml +++ b/roles/download/tasks/prep_download.yml @@ -20,6 +20,7 @@ - name: prep_download | On localhost, check if passwordless root is possible command: "true" delegate_to: localhost + connection: local run_once: true register: test_become changed_when: false @@ -34,6 +35,7 @@ - name: prep_download | On localhost, check if user has access to docker without using sudo shell: "{{ image_info_command_on_localhost }}" delegate_to: localhost + connection: local run_once: true register: test_docker changed_when: false @@ -92,6 +94,7 @@ recurse: yes mode: 0755 delegate_to: localhost + connection: local delegate_facts: no run_once: true become: false diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml index aa77e4d0970..d3aaa9c23bd 100644 --- a/roles/etcd/tasks/check_certs.yml +++ b/roles/etcd/tasks/check_certs.yml @@ -30,14 +30,14 @@ with_items: "{{ expected_files }}" vars: expected_files: >- - ['{{ etcd_cert_dir }}/ca.pem', - {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %} - {% for host in all_etcd_hosts %} - '{{ etcd_cert_dir }}/node-{{ host }}-key.pem', - '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem', - '{{ etcd_cert_dir }}/member-{{ host }}-key.pem' - {% if not loop.last %}{{','}}{% endif %} - {% endfor %}] + ['{{ etcd_cert_dir }}/ca.pem', + {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort %} + {% for host in all_etcd_hosts %} + '{{ etcd_cert_dir }}/node-{{ host }}-key.pem', + '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem', + '{{ etcd_cert_dir }}/member-{{ host }}-key.pem' + {% if not loop.last %}{{','}}{% endif %} + {% endfor %}] - name: "Check_certs | Set 'gen_master_certs' to true" set_fact: diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml index 074bd370f10..e25f13c2f09 100644 --- a/roles/etcd/tasks/gen_certs_script.yml +++ b/roles/etcd/tasks/gen_certs_script.yml @@ -111,9 +111,9 @@ - name: Gen_certs | Set cert names per node set_fact: - my_etcd_node_certs: ['ca.pem', - 'node-{{ inventory_hostname }}.pem', - 'node-{{ inventory_hostname }}-key.pem'] + my_etcd_node_certs: [ 'ca.pem', + 'node-{{ inventory_hostname }}.pem', + 'node-{{ inventory_hostname }}-key.pem'] tags: - facts diff --git a/roles/etcd/tasks/install_etcdctl_docker.yml b/roles/etcd/tasks/install_etcdctl_docker.yml index 1d87ccc8e8d..74ae07f1811 100644 --- a/roles/etcd/tasks/install_etcdctl_docker.yml +++ b/roles/etcd/tasks/install_etcdctl_docker.yml @@ -1,9 +1,9 @@ --- - name: Install | Copy etcdctl binary from docker container command: sh -c "{{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy; - {{ docker_bin_dir }}/docker create --name etcdctl-binarycopy {{ etcd_image_repo }}:{{ etcd_image_tag }} && - {{ docker_bin_dir }}/docker cp etcdctl-binarycopy:/usr/local/bin/etcdctl {{ bin_dir }}/etcdctl && - {{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy" + {{ docker_bin_dir }}/docker create --name etcdctl-binarycopy {{ etcd_image_repo }}:{{ etcd_image_tag }} && + {{ docker_bin_dir }}/docker cp etcdctl-binarycopy:/usr/local/bin/etcdctl {{ bin_dir }}/etcdctl && + {{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy" register: etcdctl_install_result until: etcdctl_install_result.rc == 0 retries: "{{ etcd_retries }}" diff --git a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 index 4a42327ce2f..6f0044ccbb1 100644 --- a/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2 @@ -17,6 +17,11 @@ data: loadbalance cache {{ block['cache'] | default(5) }} reload +{% if dns_etchosts | default(None) %} + hosts /etc/coredns/hosts { + fallthrough + } +{% endif %} } {% endfor %} {% endif %} @@ -50,4 +55,13 @@ data: loop reload loadbalance +{% if dns_etchosts | default(None) %} + hosts /etc/coredns/hosts { + fallthrough + } +{% endif %} } +{% if dns_etchosts | default(None) %} + hosts: | + {{ dns_etchosts }} +{% endif %} diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 index 5f082c22eab..6a725342228 100644 --- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 @@ -110,3 +110,7 @@ spec: items: - key: Corefile path: Corefile +{% if dns_etchosts | default(None) %} + - key: hosts + path: hosts +{% endif %} diff --git a/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2 b/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2 index dd5732f8965..3ec5eb771cd 100644 --- a/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/nodelocaldns-config.yml.j2 @@ -19,6 +19,11 @@ data: forward . {{ block['nameservers'] | join(' ') }} prometheus :9253 log +{% if dns_etchosts | default(None) %} + hosts /etc/coredns/hosts { + fallthrough + } +{% endif %} } {% endfor %} {% endif %} @@ -36,6 +41,11 @@ data: } prometheus :9253 health {{ nodelocaldns_ip }}:{{ nodelocaldns_health_port }} +{% if dns_etchosts | default(None) %} + hosts /etc/coredns/hosts { + fallthrough + } +{% endif %} } in-addr.arpa:53 { errors @@ -67,4 +77,13 @@ data: bind {{ nodelocaldns_ip }} forward . {{ upstreamForwardTarget }} prometheus :9253 +{% if dns_etchosts | default(None) %} + hosts /etc/coredns/hosts { + fallthrough + } +{% endif %} } +{% if dns_etchosts | default(None) %} + hosts: | + {{ dns_etchosts }} +{% endif %} diff --git a/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2 b/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2 index 6ef230d95f9..b92749c8b8e 100644 --- a/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/nodelocaldns-daemonset.yml.j2 @@ -79,6 +79,10 @@ spec: items: - key: Corefile path: Corefile +{% if dns_etchosts | default(None) %} + - key: hosts + path: hosts +{% endif %} - name: xtables-lock hostPath: path: /run/xtables.lock diff --git a/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 b/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 index 695cc55b459..b8dcc60fa5b 100644 --- a/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 +++ b/roles/kubernetes-apps/cloud_controller/oci/templates/controller-manager-config.yml.j2 @@ -18,14 +18,14 @@ auth: useInstancePrincipals: true {% else %} useInstancePrincipals: false - + region: {{ oci_region_id }} tenancy: {{ oci_tenancy_id }} user: {{ oci_user_id }} - key: | + key: | {{ oci_private_key }} - {% if oci_private_key_passphrase is defined %} + {% if oci_private_key_passphrase is defined %} passphrase: {{ oci_private_key_passphrase }} {% endif %} @@ -75,16 +75,16 @@ loadBalancer: # Optional rate limit controls for accessing OCI API rateLimiter: {% if oci_rate_limit.rate_limit_qps_read %} - rateLimitQPSRead: {{ oci_rate_limit.rate_limit_qps_read }} + rateLimitQPSRead: {{ oci_rate_limit.rate_limit_qps_read }} {% endif %} {% if oci_rate_limit.rate_limit_qps_write %} - rateLimitQPSWrite: {{ oci_rate_limit.rate_limit_qps_write }} + rateLimitQPSWrite: {{ oci_rate_limit.rate_limit_qps_write }} {% endif %} {% if oci_rate_limit.rate_limit_bucket_read %} - rateLimitBucketRead: {{ oci_rate_limit.rate_limit_bucket_read }} + rateLimitBucketRead: {{ oci_rate_limit.rate_limit_bucket_read }} {% endif %} {% if oci_rate_limit.rate_limit_bucket_write %} - rateLimitBucketWrite: {{ oci_rate_limit.rate_limit_bucket_write }} + rateLimitBucketWrite: {{ oci_rate_limit.rate_limit_bucket_write }} {% endif %} {% endif %} diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 index 8c339235dda..bf9aaf73f92 100644 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 +++ b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 @@ -17,4 +17,4 @@ rules: - nodes/spec - nodes/metrics verbs: - - "*" \ No newline at end of file + - "*" diff --git a/roles/kubernetes-apps/csi_driver/aws_ebs/templates/aws-ebs-csi-driver.yml.j2 b/roles/kubernetes-apps/csi_driver/aws_ebs/templates/aws-ebs-csi-driver.yml.j2 index aa9aca71fe1..99c6c5b6d6a 100644 --- a/roles/kubernetes-apps/csi_driver/aws_ebs/templates/aws-ebs-csi-driver.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/aws_ebs/templates/aws-ebs-csi-driver.yml.j2 @@ -1,5 +1,5 @@ --- -apiVersion: storage.k8s.io/v1beta1 +apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: ebs.csi.aws.com diff --git a/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-azuredisk-driver.yml.j2 b/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-azuredisk-driver.yml.j2 index 4c24cc24479..c7cba34d5be 100644 --- a/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-azuredisk-driver.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-azuredisk-driver.yml.j2 @@ -1,5 +1,5 @@ --- -apiVersion: storage.k8s.io/v1beta1 +apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: disk.csi.azure.com diff --git a/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-node-info-crd.yml.j2 b/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-node-info-crd.yml.j2 index 4ac7ff056a7..7e8454df0ae 100644 --- a/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-node-info-crd.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/azuredisk/templates/azure-csi-node-info-crd.yml.j2 @@ -1,35 +1,39 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: creationTimestamp: null name: csinodeinfos.csi.storage.k8s.io spec: group: csi.storage.k8s.io + scope: Cluster names: kind: CSINodeInfo plural: csinodeinfos - scope: Cluster - validation: - openAPIV3Schema: - properties: - csiDrivers: - description: List of CSI drivers running on the node and their properties. - items: - properties: - driver: - description: The CSI driver that this object refers to. - type: string - nodeID: - description: The node from the driver point of view. - type: string - topologyKeys: - description: List of keys supported by the driver. - items: + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + csiDrivers: + description: List of CSI drivers running on the node and their properties. + items: + properties: + driver: + description: The CSI driver that this object refers to. + type: string + nodeID: + description: The node from the driver point of view. type: string - type: array - type: array - version: v1alpha1 + topologyKeys: + description: List of keys supported by the driver. + items: + type: string + type: array + type: array status: acceptedNames: kind: "" diff --git a/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml b/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml index 9aa039339dc..5444f33c5e2 100644 --- a/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml +++ b/roles/kubernetes-apps/csi_driver/cinder/defaults/main.yml @@ -14,4 +14,4 @@ cinder_cacert: "{{ lookup('env','OS_CACERT') }}" # For now, only Cinder v3 is supported in Cinder CSI driver cinder_blockstorage_version: "v3" -cinder_csi_controller_replicas: 1 \ No newline at end of file +cinder_csi_controller_replicas: 1 diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin-rbac.yml.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin-rbac.yml.j2 index 241c67af3c5..2ca3e4486b4 100644 --- a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin-rbac.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-controllerplugin-rbac.yml.j2 @@ -8,7 +8,7 @@ metadata: namespace: kube-system --- -# external attacher +# external attacher kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: diff --git a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-driver.yml.j2 b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-driver.yml.j2 index c2a9ee1790a..2f9f8a10adc 100644 --- a/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-driver.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/cinder/templates/cinder-csi-driver.yml.j2 @@ -1,4 +1,4 @@ -apiVersion: storage.k8s.io/v1beta1 +apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: cinder.csi.openstack.org diff --git a/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2 b/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2 index 65018ffabd4..4c693b3fded 100644 --- a/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2 @@ -197,4 +197,4 @@ roleRef: subjects: - kind: ServiceAccount name: csi-gce-pd-node-sa - namespace: kube-system \ No newline at end of file + namespace: kube-system diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-ss.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-ss.yml.j2 index a11d635d75b..24651d90d17 100644 --- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-ss.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-ss.yml.j2 @@ -119,7 +119,7 @@ spec: path: /var/lib/csi/sockets/pluginproxy/csi.vsphere.vmware.com type: DirectoryOrCreate --- -apiVersion: storage.k8s.io/v1beta1 +apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: csi.vsphere.vmware.com diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml index fa7b8b3a5f4..278518b1557 100644 --- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml +++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/defaults/main.yml @@ -6,4 +6,4 @@ local_path_provisioner_reclaim_policy: Delete local_path_provisioner_claim_root: /opt/local-path-provisioner/ local_path_provisioner_is_default_storageclass: "true" local_path_provisioner_debug: false -local_path_provisioner_helper_image_tag: "latest" \ No newline at end of file +local_path_provisioner_helper_image_tag: "latest" diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 index 5f178256f3e..1e8c6cedaf8 100644 --- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 +++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-ns.yml.j2 @@ -2,4 +2,4 @@ apiVersion: v1 kind: Namespace metadata: - name: {{ local_path_provisioner_namespace }} \ No newline at end of file + name: {{ local_path_provisioner_namespace }} diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 index d126a5b34ec..128a106d07e 100644 --- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 +++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-sa.yml.j2 @@ -3,4 +3,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: local-path-provisioner-service-account - namespace: {{ local_path_provisioner_namespace }} \ No newline at end of file + namespace: {{ local_path_provisioner_namespace }} diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-ds.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-ds.yml.j2 index f6be8cc7749..734b5ff28ce 100644 --- a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-ds.yml.j2 +++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-ds.yml.j2 @@ -42,6 +42,8 @@ spec: - name: local-volume-provisioner mountPath: /etc/provisioner/config readOnly: true + - mountPath: /dev + name: provisioner-dev {% for class_name, class_config in local_volume_provisioner_storage_classes.items() %} - name: local-volume-provisioner-hostpath-{{ class_name }} mountPath: {{ class_config.mount_dir }} @@ -51,6 +53,9 @@ spec: - name: local-volume-provisioner configMap: name: local-volume-provisioner + - name: provisioner-dev + hostPath: + path: /dev {% for class_name, class_config in local_volume_provisioner_storage_classes.items() %} - name: local-volume-provisioner-hostpath-{{ class_name }} hostPath: diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 index 4d776f1490e..bc030950ead 100644 --- a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2 @@ -10,4 +10,4 @@ rules: verbs: ["list", "create", "get", "update", "watch", "patch"] - apiGroups: ["", "extensions"] resources: ["nodes", "pods", "secrets", "services", "namespaces"] - verbs: ["get", "list", "watch"] \ No newline at end of file + verbs: ["get", "list", "watch"] diff --git a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 index dc95b1df103..a3d2834acb4 100644 --- a/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2 @@ -33,7 +33,7 @@ spec: # Limit the namespace where this ALB Ingress Controller deployment will # resolve ingress resources. If left commented, all namespaces are used. #- --watch-namespace=your-k8s-namespace - + # Setting the ingress-class flag below will ensure that only ingress resources with the # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may # choose any class you'd like for this controller to respect. @@ -42,7 +42,7 @@ spec: # by the ALB Ingress Controller, providing distinction between # clusters. - --cluster-name={{ cluster_name }} - + # Enables logging on all outbound requests sent to the AWS API. # If logging is desired, set to true. # - ---aws-api-debug @@ -71,4 +71,4 @@ spec: terminationGracePeriodSeconds: 30 {% if rbac_enabled %} serviceAccountName: alb-ingress -{% endif %} \ No newline at end of file +{% endif %} diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/README.md b/roles/kubernetes-apps/ingress_controller/ambassador/README.md new file mode 100644 index 00000000000..7149c498e5a --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/README.md @@ -0,0 +1,37 @@ +# Installation Guide + +- [Installation Guide](#installation-guide) + - [Ambassador](#ambassador) + - [Ambassador Operator](#ambassador-operator) + - [Configuration](#configuration) + - [Ingress annotations](#ingress-annotations) + +## Ambassador + +The Ambassador API Gateway provides all the functionality of a traditional ingress controller +(e.g., path-based routing) while exposing many additional capabilities such as authentication, +URL rewriting, CORS, rate limiting, and automatic metrics collection. + +## Ambassador Operator + +This addon deploys the Ambassador Operator, which in turn will install Ambassador in +a kubespray cluster. + +The Ambassador Operator is a Kubernetes Operator that controls Ambassador's complete lifecycle +in your cluster, automating many of the repeatable tasks you would otherwise have to perform +yourself. Once installed, the Operator will complete installations and seamlessly upgrade to new +versions of Ambassador as they become available. + +## Configuration + +* `ingress_ambassador_namespace` (default `ambassador`): namespace for installing Ambassador. +* `ingress_ambassador_update_window` (default `0 0 * * SUN`): _crontab_-like expression + for specifying when the Operator should try to update the Ambassador API Gateway. +* `ingress_ambassador_version` (defaulkt: `*`): SemVer rule for versions allowed for + installation/updates. + +## Ingress annotations + +The Ambassador API Gateway will automatically load balance `Ingress` resources +that include the annotation `kubernetes.io/ingress.class=ambassador`. All the other +resources will be just ignored. diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/ambassador/defaults/main.yml new file mode 100644 index 00000000000..5d8f4805096 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/defaults/main.yml @@ -0,0 +1,9 @@ +--- +ingress_ambassador_namespace: "ambassador" +ingress_ambassador_version: "*" +ingress_ambassador_update_window: "0 0 * * SUN" +ingress_ambassador_replicas: 1 +ingress_ambassador_insecure_port: 80 +ingress_ambassador_secure_port: 443 +ingress_ambassador_extra_args: [] +ingress_ambassador_host_network: false \ No newline at end of file diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/ambassador/tasks/main.yml new file mode 100644 index 00000000000..91524dea208 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/tasks/main.yml @@ -0,0 +1,72 @@ +--- + +- name: Ambassador | Create addon dir + file: + path: "{{ kube_config_dir }}/addons/ambassador" + state: directory + owner: root + group: root + mode: 0755 + when: + - inventory_hostname == groups['kube-master'][0] + +- name: Ambassador | Templates list + set_fact: + ingress_ambassador_templates: + - { name: 00-namespace, file: 00-namespace.yml, type: ns } + - { name: crd-ambassador-installation, file: crd-ambassador-installation.yml, type: customresourcedefinition } + - { name: sa-ambassador, file: sa-ambassador.yml, type: sa } + - { name: clusterrole-ambassador, file: clusterrole-ambassador.yml, type: clusterrole } + - { name: clusterrolebinding-ambassador, file: clusterrolebinding-ambassador.yml, type: clusterrolebinding } + - { name: role-ambassador, file: role-ambassador.yml, type: role } + - { name: rolebinding-ambassador, file: rolebinding-ambassador.yml, type: rolebinding } + - { name: deploy-ambassador, file: deploy-ambassador.yml, type: deploy } + +- name: Ambassador | Create manifests + template: + src: "{{ item.file }}.j2" + dest: "{{ kube_config_dir }}/addons/ambassador/{{ item.file }}" + loop: "{{ ingress_ambassador_templates }}" + register: ingress_ambassador_manifests + when: + - inventory_hostname == groups['kube-master'][0] + +- name: Ambassador | Apply manifests + kube: + name: "{{ item.item.name }}" + namespace: "{{ ingress_ambassador_namespace }}" + kubectl: "{{ bin_dir }}/kubectl" + resource: "{{ item.item.type }}" + filename: "{{ kube_config_dir }}/addons/ambassador/{{ item.item.file }}" + state: "latest" + loop: "{{ ingress_ambassador_manifests.results }}" + when: + - inventory_hostname == groups['kube-master'][0] + +# load the AmbassadorInstallation _after_ the CustomResourceDefinition has been loaded + +- name: Ambassador | AmbassadorInstallation template + set_fact: + ingress_ambassador_cr_templates: + - { name: cr-ambassador-installation, file: cr-ambassador-installation.yml, type: cr } + +- name: Ambassador | Create installation manifests + template: + src: "{{ item.file }}.j2" + dest: "{{ kube_config_dir }}/addons/ambassador/{{ item.file }}" + loop: "{{ ingress_ambassador_cr_templates }}" + register: ingress_ambassador_cr_manifests + when: + - inventory_hostname == groups['kube-master'][0] + +- name: Ambassador | Apply AmbassadorInstallation + kube: + name: "{{ item.item.name }}" + namespace: "{{ ingress_ambassador_namespace }}" + kubectl: "{{ bin_dir }}/kubectl" + resource: "{{ item.item.type }}" + filename: "{{ kube_config_dir }}/addons/ambassador/{{ item.item.file }}" + state: "latest" + loop: "{{ ingress_ambassador_cr_manifests.results }}" + when: + - inventory_hostname == groups['kube-master'][0] diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/00-namespace.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/00-namespace.yml.j2 new file mode 100644 index 00000000000..17545693dc5 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/00-namespace.yml.j2 @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ ingress_ambassador_namespace }} + labels: + name: {{ ingress_ambassador_namespace }} diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrole-ambassador.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrole-ambassador.yml.j2 new file mode 100644 index 00000000000..11810d2b02d --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrole-ambassador.yml.j2 @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ambassador-operator-cluster + labels: + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator +rules: + - apiGroups: ['*'] + resources: ['*'] + verbs: ['*'] + - nonResourceURLs: ['*'] + verbs: ['*'] diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrolebinding-ambassador.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrolebinding-ambassador.yml.j2 new file mode 100644 index 00000000000..d9dd8a3cfcb --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrolebinding-ambassador.yml.j2 @@ -0,0 +1,16 @@ +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ambassador-operator-cluster + labels: + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator +subjects: + - kind: ServiceAccount + name: ambassador-operator + namespace: {{ ingress_ambassador_namespace }} +roleRef: + kind: ClusterRole + name: ambassador-operator-cluster + apiGroup: rbac.authorization.k8s.io diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/cr-ambassador-installation.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/cr-ambassador-installation.yml.j2 new file mode 100644 index 00000000000..d1a6fb21609 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/cr-ambassador-installation.yml.j2 @@ -0,0 +1,37 @@ +apiVersion: getambassador.io/v2 +kind: AmbassadorInstallation +metadata: + name: ambassador + labels: + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator +spec: + installOSS: true +{% if ingress_ambassador_update_window %} + updateWindow: "{{ ingress_ambassador_update_window }}" +{% endif %} +{% if ingress_ambassador_version %} + version: "{{ ingress_ambassador_version }}" +{% endif %} + helmValues: + tolerations: + - key: "node-role.kubernetes.io/master" + operator: Equal + effect: NoSchedule + deploymentTool: amb-oper-kubespray +{% if ingress_ambassador_host_network %} + hostNetwork: true +{% endif %} + replicaCount: {{ ingress_ambassador_replicas }} + service: + ports: + - name: http + port: 80 + hostPort: {{ ingress_ambassador_insecure_port }} + targetPort: 8080 + protocol: TCP + - name: https + port: 443 + hostPort: {{ ingress_ambassador_secure_port }} + targetPort: 8443 + protocol: TCP \ No newline at end of file diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/crd-ambassador-installation.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/crd-ambassador-installation.yml.j2 new file mode 100644 index 00000000000..287b706639f --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/crd-ambassador-installation.yml.j2 @@ -0,0 +1,186 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ambassadorinstallations.getambassador.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.version + name: VERSION + type: string + - JSONPath: .spec.updateWindow + name: UPDATE-WINDOW + type: integer + - JSONPath: .status.lastCheckTime + description: Last time checked + name: LAST-CHECK + type: string + - JSONPath: .status.conditions[?(@.type=='Deployed')].status + description: Indicates if deployment has completed + name: DEPLOYED + type: string + - JSONPath: .status.conditions[?(@.type=='Deployed')].reason + description: Reason for deployment completed + name: REASON + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=='Deployed')].message + description: Message for deployment completed + name: MESSAGE + priority: 1 + type: string + - JSONPath: .status.deployedRelease.appVersion + description: Deployed version of Ambassador + name: DEPLOYED-VERSION + type: string + - JSONPath: .status.deployedRelease.flavor + description: Deployed flavor of Ambassador (OSS or AES) + name: DEPLOYED-FLAVOR + type: string + group: getambassador.io + names: + kind: AmbassadorInstallation + listKind: AmbassadorInstallationList + plural: ambassadorinstallations + singular: ambassadorinstallation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: AmbassadorInstallation is the Schema for the ambassadorinstallations + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AmbassadorInstallationSpec defines the desired state of AmbassadorInstallation + properties: + baseImage: + description: An (optional) image to use instead of the image specified + in the Helm chart. + type: string + helmRepo: + description: An (optional) Helm repository. + type: string + installOSS: + description: 'Installs [Ambassador OSS](https://www.getambassador.io/docs/latest/topics/install/install-ambassador-oss/) + instead of [AES](https://www.getambassador.io/docs/latest/topics/install/). + Default is false which means it installs AES by default. TODO: 1. + AES/AOSS is not installed and the user installs using `installOSS: + true`, then we straightaway install AOSS. 2. AOSS is installed via + operator and the user sets `installOSS: false`, then we perform the + migration as detailed here - https://www.getambassador.io/docs/latest/topics/install/upgrade-to-edge-stack/ + 3. AES is installed and the user sets `installOSS: true`, then we + point users to the docs which gives them pointers on how to do + that themselves.' + type: boolean + logLevel: + description: 'An (optional) log level: debug, info...' + enum: + - info + - debug + - warn + - warning + - error + - critical + - fatal + type: string + updateWindow: + description: "`updateWindow` is an optional item that will control when + the updates can take place. This is used to force system updates to + happen late at night if that’s what the sysadmins want. \n * There + can be any number of `updateWindow` entries (separated by commas). + \ * `Never` turns off automatic updates even if there are other entries + in the comma-separated list. `Never` is used by sysadmins to disable + all updates during blackout periods by doing a `kubectl apply` + or using our Edge Policy Console to set this. * Each `updateWindow` + is in crontab format (see https://crontab.guru/) Some examples of + `updateWindows` are: - `* 0-6 * * * SUN`: every Sunday, from _0am_ + to _6am_ - `* 5 1 * * *`: every first day of the month, at _5am_ + * The Operator cannot guarantee minute time granularity, so specifying + \ a minute in the crontab expression can lead to some updates happening + \ sooner/later than expected." + type: string + version: + description: "We are using SemVer for the version number and it can + be specified with any level of precision and can optionally end in + `*`. These are interpreted as: \n * `1.0` = exactly version 1.0 * + `1.1` = exactly version 1.1 * `1.1.*` = version 1.1 and any bug fix + versions `1.1.1`, `1.1.2`, `1.1.3`, etc. * `2.*` = version 2.0 and + any incremental and bug fix versions `2.0`, `2.0.1`, `2.0.2`, `2.1`, + `2.2`, `2.2.1`, etc. * `*` = all versions. * `3.0-ea` = version `3.0-ea1` + and any subsequent EA releases on `3.0`. Also selects the final + 3.0 once the final GA version is released. * `4.*-ea` = version `4.0-ea1` + and any subsequent EA release on `4.0`. Also selects the final GA + `4.0`. Also selects any incremental and bug fix versions `4.*` and + `4.*.*`. Also selects the most recent `4.*` EA release i.e., if + `4.0.5` is the last GA version and there is a `4.1-EA3`, then this + \ selects `4.1-EA3` over the `4.0.5` GA. \n You can find the reference + docs about the SemVer syntax accepted [here](https://github.com/Masterminds/semver#basic-comparisons)." + type: string + type: object + status: + description: AmbassadorInstallationStatus defines the observed state of + AmbassadorInstallation + properties: + conditions: + description: List of conditions the installation has experienced. + items: + description: AmbInsCondition defines an Ambassador installation condition, + as well as the last time there was a transition to this condition.. + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + deployedRelease: + description: the currently deployed Helm chart + nullable: true + properties: + appVersion: + type: string + flavor: + type: string + manifest: + type: string + name: + type: string + version: + type: string + type: object + lastCheckTime: + description: Last time a successful update check was performed. + format: date-time + nullable: true + type: string + required: + - conditions + type: object + type: object + version: v2 + versions: + - name: v2 + served: true + storage: true diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/deploy-ambassador.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/deploy-ambassador.yml.j2 new file mode 100644 index 00000000000..1cfa8e1bb8f --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/deploy-ambassador.yml.j2 @@ -0,0 +1,43 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ambassador-operator + namespace: {{ ingress_ambassador_namespace }} + labels: + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator + getambassador.io/installer: operator +spec: + replicas: 1 + selector: + matchLabels: + name: ambassador-operator + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator + template: + metadata: + labels: + name: ambassador-operator + getambassador.io/installer: operator + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator + spec: + serviceAccountName: ambassador-operator + containers: + - name: ambassador-operator + image: {{ ingress_ambassador_image_repo }}:{{ ingress_ambassador_image_tag }} + command: + - ambassador-operator + imagePullPolicy: Always + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "ambassador-operator" diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/role-ambassador.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/role-ambassador.yml.j2 new file mode 100644 index 00000000000..5209cfab593 --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/role-ambassador.yml.j2 @@ -0,0 +1,82 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ambassador-operator +rules: + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - ambassador-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - getambassador.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/rolebinding-ambassador.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/rolebinding-ambassador.yml.j2 new file mode 100644 index 00000000000..96403bec50c --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/rolebinding-ambassador.yml.j2 @@ -0,0 +1,12 @@ +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ambassador-operator +subjects: + - kind: ServiceAccount + name: ambassador-operator +roleRef: + kind: Role + name: ambassador-operator + apiGroup: rbac.authorization.k8s.io diff --git a/roles/kubernetes-apps/ingress_controller/ambassador/templates/sa-ambassador.yml.j2 b/roles/kubernetes-apps/ingress_controller/ambassador/templates/sa-ambassador.yml.j2 new file mode 100644 index 00000000000..1673532f54f --- /dev/null +++ b/roles/kubernetes-apps/ingress_controller/ambassador/templates/sa-ambassador.yml.j2 @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ambassador-operator + namespace: {{ ingress_ambassador_namespace }} + labels: + app.kubernetes.io/name: ambassador-operator + app.kubernetes.io/part-of: ambassador-operator diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2 index 2b5b40005a0..40f6ebd044b 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-certificate.yml.j2 @@ -1,10 +1,11 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: certificates.certmanager.k8s.io annotations: "helm.sh/hook": crd-install + "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update" labels: app: cert-manager chart: cert-manager-v0.5.2 @@ -12,12 +13,708 @@ metadata: heritage: Tiller spec: group: certmanager.k8s.io - version: v1alpha1 scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. + A valid Certificate requires at least one of a CommonName, DNSName, + or URISAN to be valid. + type: object + required: + - issuerRef + - secretName + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on + the Certificate. + type: array + items: + type: string + duration: + description: Certificate default Duration + type: string + emailSANs: + description: EmailSANs is a list of Email Subject Alternative Names + to be set on this Certificate. + type: array + items: + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize + is not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + type: string + enum: + - rsa + - ecdsa + keyEncoding: + description: KeyEncoding is the private key cryptography standards + (PKCS) for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will + be used by default. + type: string + enum: + - pkcs1 + - pkcs8 + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + maximum: 8192 + minimum: 0 + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + organization: + description: Organization is the organization to be used on the Certificate + type: array + items: + type: string + privateKey: + description: Options to control private keys used for the Certificate. + type: object + properties: + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + type: string + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to + be set on this Certificate. + type: array + items: + type: string + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + type: array + items: + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + sgc"' + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: CertificateStatus defines the observed state of Certificate + type: object + properties: + conditions: + type: array + items: + description: CertificateCondition contains condition information + for an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string + lastFailureTime: + type: string + format: date-time + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in spec.secretName. + type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer + - name: v1alpha3 + served: true + storage: false + "schema": + "openAPIV3Schema": + description: Certificate is a type to represent a Certificate from ACME + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. + A valid Certificate requires at least one of a CommonName, DNSName, + or URISAN to be valid. + type: object + required: + - issuerRef + - secretName + properties: + commonName: + description: 'CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to + avoid generating invalid CSRs. This value is ignored by TLS clients + when any subject alt name is set. This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4' + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on + the Certificate. + type: array + items: + type: string + duration: + description: Certificate default Duration + type: string + emailSANs: + description: EmailSANs is a list of Email Subject Alternative Names + to be set on this Certificate. + type: array + items: + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + type: array + items: + type: string + isCA: + description: IsCA will mark this Certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + type: object + required: + - name + properties: + group: + type: string + kind: + type: string + name: + type: string + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize + is not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + type: string + enum: + - rsa + - ecdsa + keyEncoding: + description: KeyEncoding is the private key cryptography standards + (PKCS) for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will + be used by default. + type: string + enum: + - pkcs1 + - pkcs8 + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + maximum: 8192 + minimum: 0 + keystores: + description: Keystores configures additional keystore output formats + stored in the `secretName` Secret resource. + type: object + properties: + jks: + description: JKS configures options for storing a JKS keystore + in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables JKS keystore creation for the + Certificate. If true, a file named `keystore.jks` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the JKS keystore. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + pkcs12: + description: PKCS12 configures options for storing a PKCS12 keystore + in the `spec.secretName` Secret resource. + type: object + required: + - create + - passwordSecretRef + properties: + create: + description: Create enables PKCS12 keystore creation for the + Certificate. If true, a file named `keystore.p12` will be + created in the target Secret resource, encrypted using the + password stored in `passwordSecretRef`. The keystore file + will only be updated upon re-issuance. + type: boolean + passwordSecretRef: + description: PasswordSecretRef is a reference to a key in + a Secret resource containing the password used to encrypt + the PKCS12 keystore. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + privateKey: + description: Options to control private keys used for the Certificate. + type: object + properties: + rotationPolicy: + description: RotationPolicy controls how private keys should be + regenerated when a re-issuance is being processed. If set to + Never, a private key will only be generated if one does not + already exist in the target `spec.secretName`. If one does exists + but it does not have the correct algorithm or size, a warning + will be raised to await user intervention. If set to Always, + a private key matching the specified requirements will be generated + whenever a re-issuance occurs. Default is 'Never' for backward + compatibility. + type: string + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + countries: + description: Countries to be used on the Certificate. + type: array + items: + type: string + localities: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnits: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + organizations: + description: Organizations to be used on the Certificate. + type: array + items: + type: string + postalCodes: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + provinces: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddresses: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to + be set on this Certificate. + type: array + items: + type: string + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + type: array + items: + description: 'KeyUsage specifies valid usage contexts for keys. + See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 + Valid KeyUsage values are as follows: "signing", "digital signature", + "content commitment", "key encipherment", "key agreement", "data + encipherment", "cert sign", "crl sign", "encipher only", "decipher + only", "any", "server auth", "client auth", "code signing", "email + protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec + user", "timestamping", "ocsp signing", "microsoft sgc", "netscape + sgc"' + type: string + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + status: + description: CertificateStatus defines the observed state of Certificate + type: object + properties: + conditions: + type: array + items: + description: CertificateCondition contains condition information + for an Certificate. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string + lastFailureTime: + type: string + format: date-time + nextPrivateKeySecretName: + description: The name of the Secret resource containing the private + key to be used for the next certificate iteration. The keymanager + controller will automatically set this field if the `Issuing` condition + is set to `True`. It will automatically unset this field when the + Issuing condition is not set or False. + type: string + notAfter: + description: The expiration time of the certificate stored in the + secret named by this resource in spec.secretName. + type: string + format: date-time + revision: + description: "The current 'revision' of the certificate as issued. + \n When a CertificateRequest resource is created, it will have the + `cert-manager.io/certificate-revision` set to one greater than the + current value of this field. \n Upon issuance, this field will be + set to the value of the annotation on the CertificateRequest resource + used to issue the certificate. \n Persisting the value on the CertificateRequest + resource allows the certificates controller to know whether a request + is part of an old issuance or if it is part of the ongoing revision's + issuance by checking if the revision value in the annotation is + greater than this field." + type: integer names: kind: Certificate plural: certificates shortNames: - cert - certs - + diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 index 7064b67dbdd..ca1fabaf626 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-clusterissuer.yml.j2 @@ -1,10 +1,11 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterissuers.certmanager.k8s.io annotations: "helm.sh/hook": crd-install + "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update" labels: app: cert-manager chart: cert-manager-v0.5.2 @@ -12,8 +13,1762 @@ metadata: heritage: Tiller spec: group: certmanager.k8s.io - version: v1alpha1 + scope: Cluster names: kind: ClusterIssuer plural: clusterissuers - scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + type: object + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + type: object + required: + - privateKeySecretRef + - server + properties: + email: + description: Email is the email for this account + type: string + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + encoded data. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + type: array + items: + type: object + properties: + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port is + optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + type: array + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + type: array + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + additionalProperties: + type: string + ca: + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + selfSigned: + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + type: object + required: + - auth + - path + - server + properties: + auth: + description: Vault authentication + type: object + properties: + appRole: + description: This Secret contains a AppRole and Secret + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + tokenSecretRef: + description: This Secret contains the Vault token key + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + type: string + format: byte + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for Venafi Cloud + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for the Venafi TPP instance + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + status: + description: IssuerStatus contains status information about an Issuer + type: object + properties: + acme: + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + conditions: + type: array + items: + description: IssuerCondition contains condition information for an + Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string \ No newline at end of file diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 index 0a24f6851dc..f393168ff1d 100644 --- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/crd-issuer.yml.j2 @@ -1,10 +1,11 @@ --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: issuers.certmanager.k8s.io annotations: "helm.sh/hook": crd-install + "api-approved.kubernetes.io": "unapproved-will-be-remove-with-cert-manager-update" labels: app: cert-manager chart: cert-manager-v0.5.2 @@ -12,8 +13,1762 @@ metadata: heritage: Tiller spec: group: certmanager.k8s.io - version: v1alpha1 + scope: Namespaced names: kind: Issuer plural: issuers - scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + type: object + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + type: object + required: + - privateKeySecretRef + - server + properties: + email: + description: Email is the email for this account + type: string + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + type: string + enum: + - HS256 + - HS384 + - HS512 + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or indeed + with the External Account Binding keyID above. The secret + key stored in the Secret **must** be un-padded, base64 URL + encoded data. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + type: array + items: + type: object + properties: + dns01: + type: object + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + type: object + required: + - accountSecretRef + - host + properties: + accountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + host: + type: string + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + type: object + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + properties: + accessTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientSecretSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + clientTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + serviceConsumerDomain: + type: string + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + type: object + required: + - resourceGroupName + - subscriptionID + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + environment: + type: string + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + type: object + required: + - project + properties: + project: + type: string + serviceAccountSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + type: object + required: + - email + properties: + apiKeySecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + apiTokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + email: + type: string + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + type: string + enum: + - None + - Follow + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + type: object + required: + - tokenSecretRef + properties: + tokenSecretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + type: object + required: + - nameserver + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port is + optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + type: object + required: + - region + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + type: object + required: + - groupName + - solverName + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + type: object + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + type: object + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver ingress. + type: object + additionalProperties: + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + type: object + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + properties: + annotations: + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + labels: + description: Labels that should be added to + the created ACME HTTP01 solver pods. + type: object + additionalProperties: + type: string + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + type: object + properties: + affinity: + description: If specified, the pod's scheduling + constraints + type: object + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + type: array + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + type: object + required: + - preference + - weight + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + type: array + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + type: object + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchFields: + description: A list of node + selector requirements + by node's fields. + type: array + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + type: array + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + type: object + required: + - podAffinityTerm + - weight + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + type: array + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + type: object + required: + - key + - operator + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + type: integer + format: int32 + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + type: array + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + type: object + required: + - topologyKey + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + type: object + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + type: array + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + type: object + required: + - key + - operator + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + type: array + items: + type: string + matchLabels: + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + additionalProperties: + type: string + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + type: array + items: + type: string + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + nodeSelector: + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + additionalProperties: + type: string + tolerations: + description: If specified, the pod's tolerations. + type: array + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + type: object + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + type: integer + format: int64 + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + type: object + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + type: array + items: + type: string + matchLabels: + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + additionalProperties: + type: string + ca: + type: object + required: + - secretName + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + selfSigned: + type: object + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + type: array + items: + type: string + vault: + type: object + required: + - auth + - path + - server + properties: + auth: + description: Vault authentication + type: object + properties: + appRole: + description: This Secret contains a AppRole and Secret + type: object + required: + - path + - roleId + - secretRef + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + type: object + required: + - role + - secretRef + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, setting + a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login` + to authenticate with Vault. If unspecified, the default + value "/v1/auth/kubernetes" will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + tokenSecretRef: + description: This Secret contains the Vault token key + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + type: string + format: byte + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + type: object + required: + - zone + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + type: object + required: + - apiTokenSecretRef + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + type: object + required: + - name + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for Venafi Cloud + type: string + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + type: object + required: + - credentialsRef + - url + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + type: string + format: byte + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + type: object + required: + - name + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + url: + description: URL is the base URL for the Venafi TPP instance + type: string + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + status: + description: IssuerStatus contains status information about an Issuer + type: object + properties: + acme: + type: object + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + conditions: + type: array + items: + description: IssuerCondition contains condition information for an + Issuer. + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + type: string + format: date-time + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + enum: + - "True" + - "False" + - Unknown + type: + description: Type of the condition, currently ('Ready'). + type: string \ No newline at end of file diff --git a/roles/kubernetes-apps/ingress_controller/meta/main.yml b/roles/kubernetes-apps/ingress_controller/meta/main.yml index ec6ab89edb4..3ee08be6d77 100644 --- a/roles/kubernetes-apps/ingress_controller/meta/main.yml +++ b/roles/kubernetes-apps/ingress_controller/meta/main.yml @@ -7,6 +7,13 @@ dependencies: - ingress-nginx - ingress-controller + - role: kubernetes-apps/ingress_controller/ambassador + when: ingress_ambassador_enabled + tags: + - apps + - ambassador + - ingress-controller + - role: kubernetes-apps/ingress_controller/cert_manager when: cert_manager_enabled tags: diff --git a/roles/kubernetes-apps/meta/main.yml b/roles/kubernetes-apps/meta/main.yml index 61e07a4713c..1c9d69adc1f 100644 --- a/roles/kubernetes-apps/meta/main.yml +++ b/roles/kubernetes-apps/meta/main.yml @@ -97,3 +97,10 @@ dependencies: - inventory_hostname == groups['kube-master'][0] tags: - oci + + - role: kubernetes-apps/metallb + when: + - metallb_enabled + - inventory_hostname == groups['kube-master'][0] + tags: + - metallb diff --git a/contrib/metallb/README.md b/roles/kubernetes-apps/metallb/README.md similarity index 100% rename from contrib/metallb/README.md rename to roles/kubernetes-apps/metallb/README.md diff --git a/roles/kubernetes-apps/metallb/defaults/main.yml b/roles/kubernetes-apps/metallb/defaults/main.yml new file mode 100644 index 00000000000..479f0636345 --- /dev/null +++ b/roles/kubernetes-apps/metallb/defaults/main.yml @@ -0,0 +1,7 @@ +--- +metallb_enabled: false +metallb_version: v0.9.3 +metallb_protocol: "layer2" +metallb_port: "7472" +metallb_limits_cpu: "100m" +metallb_limits_mem: "100Mi" diff --git a/contrib/metallb/roles/provision/tasks/main.yml b/roles/kubernetes-apps/metallb/tasks/main.yml similarity index 55% rename from contrib/metallb/roles/provision/tasks/main.yml rename to roles/kubernetes-apps/metallb/tasks/main.yml index cb065b6da48..c7bbc1fc55a 100644 --- a/contrib/metallb/roles/provision/tasks/main.yml +++ b/roles/kubernetes-apps/metallb/tasks/main.yml @@ -5,6 +5,12 @@ when: - "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp" +- name: Kubernetes Apps | Check cluster settings for MetalLB + fail: + msg: "metallb_ip_range is mandatory to be specified for MetalLB" + when: + - metallb_ip_range is not defined or not metallb_ip_range + - name: Kubernetes Apps | Check AppArmor status command: which apparmor_parser register: apparmor_status @@ -38,3 +44,25 @@ with_items: "{{ rendering.results }}" when: - "inventory_hostname == groups['kube-master'][0]" + +- name: Kubernetes Apps | Check existing secret of MetalLB + command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system get secret memberlist" + register: metallb_secret + become: true + ignore_errors: yes + when: + - inventory_hostname == groups['kube-master'][0] + +- name: Kubernetes Apps | Create random bytes for MetalLB + command: "openssl rand -base64 32" + register: metallb_rand + when: + - inventory_hostname == groups['kube-master'][0] + - metallb_secret.rc != 0 + +- name: Kubernetes Apps | Install secret of MetalLB if not existing + command: "{{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf -n metallb-system create secret generic memberlist --from-literal=secretkey={{ metallb_rand.stdout }}" + become: true + when: + - inventory_hostname == groups['kube-master'][0] + - metallb_secret.rc != 0 diff --git a/roles/kubernetes-apps/metallb/templates/metallb-config.yml.j2 b/roles/kubernetes-apps/metallb/templates/metallb-config.yml.j2 new file mode 100644 index 00000000000..73b29d72d29 --- /dev/null +++ b/roles/kubernetes-apps/metallb/templates/metallb-config.yml.j2 @@ -0,0 +1,25 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: metallb-system + name: config +data: + config: | + address-pools: + - name: loadbalanced + protocol: {{ metallb_protocol }} + addresses: +{% for ip_range in metallb_ip_range %} + - {{ ip_range }} +{% endfor %} +{% if metallb_additional_address_pools is defined %}{% for pool in metallb_additional_address_pools %} + - name: {{ pool }} + protocol: {{ metallb_additional_address_pools[pool].protocol }} + addresses: +{% for ip_range in metallb_additional_address_pools[pool].ip_range %} + - {{ ip_range }} +{% endfor %} + auto-assign: {{ metallb_additional_address_pools[pool].auto_assign }} +{% endfor %} +{% endif %} diff --git a/roles/kubernetes-apps/metallb/templates/metallb.yml.j2 b/roles/kubernetes-apps/metallb/templates/metallb.yml.j2 new file mode 100644 index 00000000000..b975b1df1fe --- /dev/null +++ b/roles/kubernetes-apps/metallb/templates/metallb.yml.j2 @@ -0,0 +1,398 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: metallb-system + labels: + app: metallb +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + labels: + app: metallb + name: controller + namespace: metallb-system +spec: + allowPrivilegeEscalation: false + allowedCapabilities: [] + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - secret + - emptyDir +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + labels: + app: metallb + name: speaker + namespace: metallb-system +spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostIPC: false + hostNetwork: true + hostPID: false + hostPorts: + - max: {{ metallb_port }} + min: {{ metallb_port }} + privileged: true + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - configMap + - secret + - emptyDir +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: metallb + name: controller + namespace: metallb-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: metallb + name: speaker + namespace: metallb-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: metallb + name: metallb-system:controller +rules: +- apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - update +- apiGroups: + - '' + resources: + - services/status + verbs: + - update +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resourceNames: + - controller + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: metallb + name: metallb-system:speaker +rules: +- apiGroups: + - '' + resources: + - services + - endpoints + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - events + verbs: + - create + - patch +- apiGroups: + - policy + resourceNames: + - speaker + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: metallb + name: config-watcher + namespace: metallb-system +rules: +- apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: metallb + name: pod-lister + namespace: metallb-system +rules: +- apiGroups: + - '' + resources: + - pods + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: metallb + name: metallb-system:controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metallb-system:controller +subjects: +- kind: ServiceAccount + name: controller + namespace: metallb-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: metallb + name: metallb-system:speaker +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metallb-system:speaker +subjects: +- kind: ServiceAccount + name: speaker + namespace: metallb-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: metallb + name: config-watcher + namespace: metallb-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: config-watcher +subjects: +- kind: ServiceAccount + name: controller +- kind: ServiceAccount + name: speaker +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: metallb + name: pod-lister + namespace: metallb-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pod-lister +subjects: +- kind: ServiceAccount + name: speaker +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: metallb + component: speaker + name: speaker + namespace: metallb-system +spec: + selector: + matchLabels: + app: metallb + component: speaker + template: + metadata: + annotations: + prometheus.io/port: '{{ metallb_port }}' + prometheus.io/scrape: 'true' + labels: + app: metallb + component: speaker + spec: + containers: + - args: + - --port={{ metallb_port }} + - --config=config + env: + - name: METALLB_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: METALLB_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: METALLB_ML_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: METALLB_ML_LABELS + value: "app=metallb,component=speaker" + - name: METALLB_ML_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METALLB_ML_SECRET_KEY + valueFrom: + secretKeyRef: + name: memberlist + key: secretkey + image: metallb/speaker:{{ metallb_version }} + imagePullPolicy: Always + name: speaker + ports: + - containerPort: {{ metallb_port }} + name: monitoring + resources: + limits: + cpu: {{ metallb_limits_cpu }} + memory: {{ metallb_limits_mem }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + drop: + - ALL + readOnlyRootFilesystem: true + hostNetwork: true + nodeSelector: + beta.kubernetes.io/os: linux + serviceAccountName: speaker + terminationGracePeriodSeconds: 2 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: metallb + component: controller + name: controller + namespace: metallb-system +spec: + revisionHistoryLimit: 3 + selector: + matchLabels: + app: metallb + component: controller + template: + metadata: + annotations: + prometheus.io/port: '{{ metallb_port }}' + prometheus.io/scrape: 'true' + labels: + app: metallb + component: controller + spec: + containers: + - args: + - --port={{ metallb_port }} + - --config=config + image: metallb/controller:{{ metallb_version }} + imagePullPolicy: Always + name: controller + ports: + - containerPort: {{ metallb_port }} + name: monitoring + resources: + limits: + cpu: {{ metallb_limits_cpu }} + memory: {{ metallb_limits_mem }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + nodeSelector: + beta.kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + runAsUser: 65534 + serviceAccountName: controller + terminationGracePeriodSeconds: 0 diff --git a/roles/kubernetes-apps/metrics_server/templates/metrics-apiservice.yaml.j2 b/roles/kubernetes-apps/metrics_server/templates/metrics-apiservice.yaml.j2 index fae0b354e91..934168793cf 100644 --- a/roles/kubernetes-apps/metrics_server/templates/metrics-apiservice.yaml.j2 +++ b/roles/kubernetes-apps/metrics_server/templates/metrics-apiservice.yaml.j2 @@ -1,4 +1,4 @@ -apiVersion: apiregistration.k8s.io/v1beta1 +apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1beta1.metrics.k8s.io diff --git a/roles/kubernetes/client/tasks/main.yml b/roles/kubernetes/client/tasks/main.yml index 6634154757a..bbb1ce0e029 100644 --- a/roles/kubernetes/client/tasks/main.yml +++ b/roles/kubernetes/client/tasks/main.yml @@ -36,6 +36,7 @@ mode: "0750" state: directory delegate_to: localhost + connection: local become: no run_once: yes when: kubeconfig_localhost @@ -88,6 +89,7 @@ dest: "{{ artifacts_dir }}/admin.conf" mode: 0640 delegate_to: localhost + connection: local become: no run_once: yes when: kubeconfig_localhost @@ -112,4 +114,5 @@ become: no run_once: yes delegate_to: localhost + connection: local when: kubectl_localhost and kubeconfig_localhost diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml index ab53de54cd0..bf9d1aade80 100644 --- a/roles/kubernetes/master/defaults/main/main.yml +++ b/roles/kubernetes/master/defaults/main/main.yml @@ -194,3 +194,6 @@ secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm # - TLS_RSA_WITH_AES_256_CBC_SHA # - TLS_RSA_WITH_AES_256_GCM_SHA384 # - TLS_RSA_WITH_RC4_128_SHA + +## Amount of time to retain events. (default 1h0m0s) +event_ttl_duration: "1h0m0s" diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 index 1d8f9e26cd3..d8f8ada7ae0 100644 --- a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 +++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 @@ -158,7 +158,7 @@ apiServer: encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml {% endif %} storage-backend: {{ kube_apiserver_storage_backend }} -{% if kube_api_runtime_config is defined %} +{% if kube_api_runtime_config|length > 0 %} runtime-config: {{ kube_api_runtime_config | join(',') }} {% endif %} allow-privileged: "true" @@ -186,6 +186,9 @@ apiServer: tls-cipher-suites: {% for tls in tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %} {% endif %} +{% if event_ttl_duration is defined %} + event-ttl: {{ event_ttl_duration }} +{%endif%} {% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %} extraVolumes: {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} @@ -322,32 +325,32 @@ apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration bindAddress: {{ kube_proxy_bind_address }} clientConnection: - acceptContentTypes: {{ kube_proxy_client_accept_content_types }} - burst: {{ kube_proxy_client_burst }} - contentType: {{ kube_proxy_client_content_type }} - kubeconfig: {{ kube_proxy_client_kubeconfig }} - qps: {{ kube_proxy_client_qps }} + acceptContentTypes: {{ kube_proxy_client_accept_content_types }} + burst: {{ kube_proxy_client_burst }} + contentType: {{ kube_proxy_client_content_type }} + kubeconfig: {{ kube_proxy_client_kubeconfig }} + qps: {{ kube_proxy_client_qps }} clusterCIDR: {{ kube_pods_subnet }} configSyncPeriod: {{ kube_proxy_config_sync_period }} conntrack: - maxPerCore: {{ kube_proxy_conntrack_max_per_core }} - min: {{ kube_proxy_conntrack_min }} - tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }} - tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }} + maxPerCore: {{ kube_proxy_conntrack_max_per_core }} + min: {{ kube_proxy_conntrack_min }} + tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }} + tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }} enableProfiling: {{ kube_proxy_enable_profiling }} healthzBindAddress: {{ kube_proxy_healthz_bind_address }} hostnameOverride: {{ kube_override_hostname }} iptables: - masqueradeAll: {{ kube_proxy_masquerade_all }} - masqueradeBit: {{ kube_proxy_masquerade_bit }} - minSyncPeriod: {{ kube_proxy_min_sync_period }} - syncPeriod: {{ kube_proxy_sync_period }} + masqueradeAll: {{ kube_proxy_masquerade_all }} + masqueradeBit: {{ kube_proxy_masquerade_bit }} + minSyncPeriod: {{ kube_proxy_min_sync_period }} + syncPeriod: {{ kube_proxy_sync_period }} ipvs: - excludeCIDRs: {{ kube_proxy_exclude_cidrs }} - minSyncPeriod: {{ kube_proxy_min_sync_period }} - scheduler: {{ kube_proxy_scheduler }} - syncPeriod: {{ kube_proxy_sync_period }} - strictARP: {{ kube_proxy_strict_arp }} + excludeCIDRs: {{ kube_proxy_exclude_cidrs }} + minSyncPeriod: {{ kube_proxy_min_sync_period }} + scheduler: {{ kube_proxy_scheduler }} + syncPeriod: {{ kube_proxy_sync_period }} + strictARP: {{ kube_proxy_strict_arp }} metricsBindAddress: {{ kube_proxy_metrics_bind_address }} mode: {{ kube_proxy_mode }} nodePortAddresses: {{ kube_proxy_nodeport_addresses }} diff --git a/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 b/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 index 0fc4bb85055..fae9bab32bc 100644 --- a/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 +++ b/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 @@ -1,7 +1,8 @@ kind: EncryptionConfig apiVersion: v1 resources: - - resources: {{ kube_encryption_resources }} + - resources: +{{ kube_encryption_resources|to_nice_yaml|indent(4, True) }} providers: - {{ kube_encryption_algorithm }}: keys: diff --git a/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2 b/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2 index 15559732c6a..265a91cc3d7 100644 --- a/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2 +++ b/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2 @@ -14,4 +14,4 @@ contexts: - context: cluster: webhook-token-auth-cluster user: webhook-token-auth-user - name: webhook-token-auth \ No newline at end of file + name: webhook-token-auth diff --git a/roles/kubernetes/node-label/tasks/main.yml b/roles/kubernetes/node-label/tasks/main.yml index 646fd098117..aa5ffe81555 100644 --- a/roles/kubernetes/node-label/tasks/main.yml +++ b/roles/kubernetes/node-label/tasks/main.yml @@ -40,7 +40,7 @@ - name: Set label to node command: >- - {{ bin_dir }}/kubectl label node {{ inventory_hostname }} {{ item }} --overwrite=true + {{ bin_dir }}/kubectl label node {{ inventory_hostname }} {{ item }} --overwrite=true loop: "{{ role_node_labels + inventory_node_labels }}" delegate_to: "{{ groups['kube-master'][0] }}" changed_when: false diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index 7ec5a0d698c..53adbdc8944 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -146,3 +146,5 @@ azure_exclude_master_from_standard_lb: true azure_disable_outbound_snat: false # use instance metadata service where possible azure_use_instance_metadata: true +# use specific Azure API endpoints +azure_cloud: AzurePublicCloud diff --git a/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml b/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml index f16a90b7962..62337fc2967 100644 --- a/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml +++ b/roles/kubernetes/node/tasks/cloud-credentials/azure-credential-check.yml @@ -75,3 +75,8 @@ fail: msg: "azure_vmtype is missing. Supported values are 'standard' or 'vmss'" when: azure_vmtype is not defined or not azure_vmtype + +- name: check azure_cloud value + fail: + msg: "azure_cloud has an invalid value '{{ azure_cloud }}'. Supported values are 'AzureChinaCloud', 'AzureGermanCloud', 'AzurePublicCloud', 'AzureUSGovernmentCloud'." + when: azure_cloud not in ["AzureChinaCloud", "AzureGermanCloud", "AzurePublicCloud", "AzureUSGovernmentCloud"] diff --git a/roles/kubernetes/node/tasks/facts.yml b/roles/kubernetes/node/tasks/facts.yml index a879651d7e0..b7b3ad01180 100644 --- a/roles/kubernetes/node/tasks/facts.yml +++ b/roles/kubernetes/node/tasks/facts.yml @@ -1,14 +1,25 @@ --- -- name: look up docker cgroup driver - shell: "docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'" - register: docker_cgroup_driver_result - changed_when: false - when: container_manager in ['crio', 'docker'] +- block: + - name: look up docker cgroup driver + shell: "docker info | grep 'Cgroup Driver' | awk -F': ' '{ print $2; }'" + register: docker_cgroup_driver_result + changed_when: false -- name: set standalone_kubelet fact - set_fact: - standalone_kubelet: >- - {%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%} + - name: set kubelet_cgroup_driver_detected fact for docker + set_fact: + kubelet_cgroup_driver_detected: "{{ docker_cgroup_driver_result.stdout }}" + when: container_manager == 'docker' + +- block: + - name: look up crio cgroup driver + shell: "crio-status info | grep 'cgroup driver' | awk -F': ' '{ print $2; }'" + register: crio_cgroup_driver_result + changed_when: false + + - name: set kubelet_cgroup_driver_detected fact for crio + set_fact: + kubelet_cgroup_driver_detected: "{{ crio_cgroup_driver_result.stdout }}" + when: container_manager == 'crio' - name: set kubelet_cgroup_driver_detected fact for containerd set_fact: @@ -16,18 +27,13 @@ {%- if containerd_use_systemd_cgroup -%}systemd{%- else -%}cgroupfs{%- endif -%} when: container_manager == 'containerd' -- name: set kubelet_cgroup_driver_detected fact for other engines - set_fact: - kubelet_cgroup_driver_detected: "{{ docker_cgroup_driver_result.stdout }}" - when: container_manager in ['crio', 'docker'] - - name: os specific vars include_vars: "{{ item }}" with_first_found: - - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}.yml" - skip: true + - files: + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" + - "{{ ansible_distribution|lower }}.yml" + - "{{ ansible_os_family|lower }}.yml" + skip: true diff --git a/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 b/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 index 9def9ea3b0f..ffb79261229 100644 --- a/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 +++ b/roles/kubernetes/node/templates/cloud-configs/azure-cloud-config.j2 @@ -1,4 +1,5 @@ { + "cloud": "{{ azure_cloud }}" "tenantId": "{{ azure_tenant_id }}", "subscriptionId": "{{ azure_subscription_id }}", "aadClientId": "{{ azure_aad_client_id }}", diff --git a/roles/kubernetes/preinstall/handlers/main.yml b/roles/kubernetes/preinstall/handlers/main.yml index 2e8528f566d..fd4cec362bb 100644 --- a/roles/kubernetes/preinstall/handlers/main.yml +++ b/roles/kubernetes/preinstall/handlers/main.yml @@ -16,11 +16,22 @@ notify: - Preinstall | apply resolvconf cloud-init - Preinstall | reload kubelet - when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos + when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] - name: Preinstall | apply resolvconf cloud-init command: /usr/bin/coreos-cloudinit --from-file {{ resolveconf_cloud_init_conf }} - when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos + when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] + +- name: Preinstall | update resolvconf for Fedora CoreOS + command: /bin/true + notify: + - Preinstall | reload NetworkManager + - Preinstall | reload kubelet + when: is_fedora_coreos + +- name: Preinstall | reload NetworkManager + command: systemctl restart NetworkManager.service + when: is_fedora_coreos - name: Preinstall | reload kubelet service: diff --git a/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml b/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml index 9bace42dc6c..62a863808b3 100644 --- a/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml +++ b/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml @@ -3,6 +3,7 @@ stat: path: "{{ inventory_dir }}/../credentials" delegate_to: localhost + connection: local register: old_credential_dir become: no @@ -10,6 +11,7 @@ stat: path: "{{ inventory_dir }}/credentials" delegate_to: localhost + connection: local register: new_credential_dir become: no when: old_credential_dir.stat.exists @@ -19,6 +21,7 @@ args: creates: "{{ inventory_dir }}/credentials" delegate_to: localhost + connection: local become: no when: - old_credential_dir.stat.exists diff --git a/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml b/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml index 690317013c7..805b93a37f6 100644 --- a/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml +++ b/roles/kubernetes/preinstall/tasks/0060-resolvconf.yml @@ -1,7 +1,7 @@ --- - name: create temporary resolveconf cloud init file command: cp -f /etc/resolv.conf "{{ resolvconffile }}" - when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos + when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] - name: Add domain/search/nameservers/options to resolv.conf blockinfile: @@ -47,7 +47,7 @@ - name: get temporary resolveconf cloud init file content command: cat {{ resolvconffile }} register: cloud_config - when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos + when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] - name: persist resolvconf cloud init file template: @@ -56,4 +56,4 @@ owner: root mode: 0644 notify: Preinstall | update resolvconf for Container Linux by CoreOS and Flatcar - when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_fedora_coreos + when: ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] diff --git a/roles/kubernetes/preinstall/tasks/0062-networkmanager.yml b/roles/kubernetes/preinstall/tasks/0062-networkmanager.yml new file mode 100644 index 00000000000..4d94231aad8 --- /dev/null +++ b/roles/kubernetes/preinstall/tasks/0062-networkmanager.yml @@ -0,0 +1,40 @@ +--- +- name: NetworkManager | Add nameservers to NM configuration + ini_file: + path: /etc/NetworkManager/system-connections/default_connection.nmconnection + section: ipv4 + option: dns + value: "{{ ( coredns_server + nameservers|d([]) + cloud_resolver|d([])) | unique | join(';') }}" + mode: '0600' + backup: yes + notify: Preinstall | update resolvconf for Fedora CoreOS + +- name: NetworkManager | Add DNS search to NM configuration + ini_file: + path: /etc/NetworkManager/system-connections/default_connection.nmconnection + section: ipv4 + option: dns-search + value: "{{ ([ 'default.svc.' + dns_domain, 'svc.' + dns_domain ] + searchdomains|default([])) | join(';') }}" + mode: '0600' + backup: yes + notify: Preinstall | update resolvconf for Fedora CoreOS + +- name: NetworkManager | Add DNS options to NM configuration + ini_file: + path: /etc/NetworkManager/system-connections/default_connection.nmconnection + section: ipv4 + option: dns-options + value: "ndots:{{ ndots }};timeout:2;attempts:2;" + mode: '0600' + backup: yes + notify: Preinstall | update resolvconf for Fedora CoreOS + +- name: NetworkManager | Ignore DNS auto configuration + ini_file: + path: /etc/NetworkManager/system-connections/default_connection.nmconnection + section: ipv4 + option: ignore-auto-dns + value: 'true' + mode: '0600' + backup: yes + notify: Preinstall | update resolvconf for Fedora CoreOS diff --git a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml index 9edab21f5ca..a8c40f6f966 100644 --- a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml +++ b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml @@ -9,6 +9,7 @@ {% endif %} {% endfor %} delegate_to: localhost + connection: local delegate_facts: yes run_once: yes @@ -43,8 +44,8 @@ - name: Hosts | Extract existing entries for localhost from hosts file set_fact: etc_hosts_localhosts_dict: >- - {%- set splitted = (item | regex_replace('[ \t]+', ' ')|regex_replace('#.*$')|trim).split( ' ') -%} - {{ etc_hosts_localhosts_dict|default({}) | combine({splitted[0]: splitted[1::] }) }} + {%- set splitted = (item | regex_replace('[ \t]+', ' ')|regex_replace('#.*$')|trim).split( ' ') -%} + {{ etc_hosts_localhosts_dict|default({}) | combine({splitted[0]: splitted[1::] }) }} with_items: "{{ (etc_hosts_content['content'] | b64decode).splitlines() }}" when: - etc_hosts_content.content is defined diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml index 932f99deeb5..e1a6a71af7a 100644 --- a/roles/kubernetes/preinstall/tasks/main.yml +++ b/roles/kubernetes/preinstall/tasks/main.yml @@ -33,6 +33,7 @@ - dns_mode != 'none' - resolvconf_mode == 'host_resolvconf' - systemd_resolved_enabled.rc != 0 + - not is_fedora_coreos tags: - bootstrap-os - resolvconf @@ -46,6 +47,15 @@ - bootstrap-os - resolvconf +- import_tasks: 0062-networkmanager.yml + when: + - dns_mode != 'none' + - resolvconf_mode == 'host_resolvconf' + - is_fedora_coreos + tags: + - bootstrap-os + - resolvconf + - import_tasks: 0070-system-packages.yml when: - not dns_late diff --git a/roles/kubernetes/tokens/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml index 5d27928737d..160f46bb8e0 100644 --- a/roles/kubernetes/tokens/tasks/check-tokens.yml +++ b/roles/kubernetes/tokens/tasks/check-tokens.yml @@ -27,9 +27,9 @@ sync_tokens: >- {%- set tokens = {'sync': False} -%} {%- for server in groups['kube-master'] | intersect(ansible_play_batch) - if (not hostvars[server].known_tokens.stat.exists) or - (hostvars[server].known_tokens.stat.checksum|default('') != known_tokens_master.stat.checksum|default('')) -%} - {%- set _ = tokens.update({'sync': True}) -%} + if (not hostvars[server].known_tokens.stat.exists) or + (hostvars[server].known_tokens.stat.checksum|default('') != known_tokens_master.stat.checksum|default('')) -%} + {%- set _ = tokens.update({'sync': True}) -%} {%- endfor -%} {{ tokens.sync }} run_once: true diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 015c47b8a8a..80e6f3b25b2 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -15,7 +15,7 @@ is_fedora_coreos: false disable_swap: true ## Change this to use another Kubernetes version, e.g. a current beta release -kube_version: v1.18.4 +kube_version: v1.18.5 ## The minimum version working kube_version_min_required: v1.16.0 @@ -320,9 +320,11 @@ persistent_volumes_enabled: false cephfs_provisioner_enabled: false rbd_provisioner_enabled: false ingress_nginx_enabled: false +ingress_ambassador_enabled: false ingress_alb_enabled: false cert_manager_enabled: false expand_persistent_volumes: false +metallb_enabled: false ## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461) # openstack_blockstorage_version: "v1/v2/auto (default)" @@ -433,13 +435,13 @@ loadbalancer_apiserver_type: "nginx" apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local" kube_apiserver_endpoint: |- {% if loadbalancer_apiserver is defined -%} - https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }} + https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }} {%- elif not is_kube_master and loadbalancer_apiserver_localhost -%} - https://localhost:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }} + https://localhost:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }} {%- elif is_kube_master -%} - https://{{ kube_apiserver_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_port }} + https://{{ kube_apiserver_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_port }} {%- else -%} - https://{{ first_kube_master }}:{{ kube_apiserver_port }} + https://{{ first_kube_master }}:{{ kube_apiserver_port }} {%- endif %} kube_apiserver_insecure_endpoint: >- http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }} diff --git a/roles/kubespray-defaults/tasks/fallback_ips.yml b/roles/kubespray-defaults/tasks/fallback_ips.yml index 546ac1e2be7..291bd3fccfe 100644 --- a/roles/kubespray-defaults/tasks/fallback_ips.yml +++ b/roles/kubespray-defaults/tasks/fallback_ips.yml @@ -4,9 +4,10 @@ # Thanks https://medium.com/opsops/ansible-default-ipv4-is-not-what-you-think-edb8ab154b10 - name: Gather ansible_default_ipv4 from all hosts + tags: always include_tasks: fallback_ips_gather.yml when: hostvars[delegate_host_to_gather_facts].ansible_default_ipv4 is not defined - loop: "{{ groups['all'] }}" + loop: "{{ groups['k8s-cluster']|default([]) + groups['etcd']|default([]) + groups['calico-rr']|default([]) }}" loop_control: loop_var: delegate_host_to_gather_facts run_once: yes @@ -20,6 +21,7 @@ {{ item }}: "{{ found.get('address', '127.0.0.1') }}" {% endfor %} delegate_to: localhost + connection: local delegate_facts: yes become: no run_once: yes diff --git a/roles/kubespray-defaults/tasks/fallback_ips_gather.yml b/roles/kubespray-defaults/tasks/fallback_ips_gather.yml index c5f5b74276f..2d2d000d625 100644 --- a/roles/kubespray-defaults/tasks/fallback_ips_gather.yml +++ b/roles/kubespray-defaults/tasks/fallback_ips_gather.yml @@ -7,4 +7,5 @@ gather_subset: '!all,network' filter: "ansible_default_ipv4" delegate_to: "{{ delegate_host_to_gather_facts }}" + connection: "{{ (delegate_host_to_gather_facts == 'localhost') | ternary('local', omit) }}" delegate_facts: yes diff --git a/roles/kubespray-defaults/tasks/main.yaml b/roles/kubespray-defaults/tasks/main.yaml index b27cafc1502..fe268e9533c 100644 --- a/roles/kubespray-defaults/tasks/main.yaml +++ b/roles/kubespray-defaults/tasks/main.yaml @@ -7,7 +7,7 @@ # do not run gather facts when bootstrap-os in roles - name: set fallback_ips - include_tasks: fallback_ips.yml + import_tasks: fallback_ips.yml when: - "'bootstrap-os' not in ansible_play_role_names" - fallback_ips is not defined @@ -15,7 +15,7 @@ - always - name: set no_proxy - include_tasks: no_proxy.yml + import_tasks: no_proxy.yml when: - "'bootstrap-os' not in ansible_play_role_names" - http_proxy is defined or https_proxy is defined diff --git a/roles/kubespray-defaults/tasks/no_proxy.yml b/roles/kubespray-defaults/tasks/no_proxy.yml index 82613882d55..01c6e9ddf2e 100644 --- a/roles/kubespray-defaults/tasks/no_proxy.yml +++ b/roles/kubespray-defaults/tasks/no_proxy.yml @@ -19,6 +19,7 @@ {%- endif -%} 127.0.0.1,localhost,{{ kube_service_addresses }},{{ kube_pods_subnet }} delegate_to: localhost + connection: local delegate_facts: yes become: no run_once: yes diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml index 838e134a9e6..77aeba6ef6f 100644 --- a/roles/network_plugin/calico/tasks/install.yml +++ b/roles/network_plugin/calico/tasks/install.yml @@ -198,11 +198,11 @@ "apiVersion": "projectcalico.org/v3", "kind": "BGPPeer", "metadata": { - "name": "global-{{ item.router_id }}" + "name": "global-{{ item.router_id }}" }, "spec": { - "asNumber": "{{ item.as }}", - "peerIP": "{{ item.router_id }}" + "asNumber": "{{ item.as }}", + "peerIP": "{{ item.router_id }}" }}' | {{ bin_dir }}/calicoctl.sh apply -f - register: output retries: 4 @@ -220,11 +220,11 @@ "apiVersion": "projectcalico.org/v3", "kind": "BGPPeer", "metadata": { - "name": "peer-to-rrs" + "name": "peer-to-rrs" }, "spec": { - "nodeSelector": "!has(i-am-a-route-reflector)", - "peerSelector": "has(i-am-a-route-reflector)" + "nodeSelector": "!has(i-am-a-route-reflector)", + "peerSelector": "has(i-am-a-route-reflector)" }}' | {{ bin_dir }}/calicoctl.sh apply -f - register: output retries: 4 @@ -242,11 +242,11 @@ "apiVersion": "projectcalico.org/v3", "kind": "BGPPeer", "metadata": { - "name": "rr-mesh" + "name": "rr-mesh" }, "spec": { - "nodeSelector": "has(i-am-a-route-reflector)", - "peerSelector": "has(i-am-a-route-reflector)" + "nodeSelector": "has(i-am-a-route-reflector)", + "peerSelector": "has(i-am-a-route-reflector)" }}' | {{ bin_dir }}/calicoctl.sh apply -f - register: output retries: 4 @@ -315,13 +315,13 @@ "apiVersion": "projectcalico.org/v3", "kind": "Node", "metadata": { - "name": "{{ inventory_hostname }}" + "name": "{{ inventory_hostname }}" }, "spec": { - "bgp": { - "asNumber": "{{ local_as }}" - }, - "orchRefs":[{"nodeName":"{{ inventory_hostname }}","orchestrator":"k8s"}] + "bgp": { + "asNumber": "{{ local_as }}" + }, + "orchRefs":[{"nodeName":"{{ inventory_hostname }}","orchestrator":"k8s"}] }}' | {{ bin_dir }}/calicoctl.sh apply -f - register: output retries: 4 @@ -339,12 +339,12 @@ "apiVersion": "projectcalico.org/v3", "kind": "BGPPeer", "metadata": { - "name": "{{ inventory_hostname }}-{{ item.router_id }}" + "name": "{{ inventory_hostname }}-{{ item.router_id }}" }, "spec": { - "asNumber": "{{ item.as }}", - "node": "{{ inventory_hostname }}", - "peerIP": "{{ item.router_id }}" + "asNumber": "{{ item.as }}", + "node": "{{ inventory_hostname }}", + "peerIP": "{{ item.router_id }}" }}' | {{ bin_dir }}/calicoctl.sh apply -f - register: output retries: 4 diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2 index 6e3f19d8e58..1cb80f312d6 100644 --- a/roles/network_plugin/calico/templates/calico-node.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-node.yml.j2 @@ -209,6 +209,11 @@ spec: # # Configure the IP Pool from which Pod IPs will be chosen. # - name: CALICO_IPV4POOL_CIDR # value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}" +{% if calico_veth_mtu is defined %} +# Set MTU for the Wireguard tunnel device. + - name: FELIX_WIREGUARDMTU + value: "{{ calico_veth_mtu }}" +{% endif %} - name: CALICO_IPV4POOL_IPIP value: "{{ calico_ipv4pool_ipip }}" # Disable IPv6 on Kubernetes. @@ -368,10 +373,10 @@ spec: secret: secretName: typha-client items: - - key: tls.crt - path: typha-client.crt - - key: tls.key - path: typha-client.key + - key: tls.crt + path: typha-client.crt + - key: tls.key + path: typha-client.key - name: typha-cacert hostPath: path: "/etc/kubernetes/ssl/" diff --git a/roles/network_plugin/calico/templates/calico-typha.yml.j2 b/roles/network_plugin/calico/templates/calico-typha.yml.j2 index 279e694c118..31cce13aa12 100644 --- a/roles/network_plugin/calico/templates/calico-typha.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-typha.yml.j2 @@ -145,17 +145,17 @@ spec: periodSeconds: 10 {% if typha_secure %} volumes: - - name: typha-server - secret: - secretName: typha-server - items: - - key: tls.crt - path: server_certificate.pem - - key: tls.key - path: server_key.pem - - name: cacert - hostPath: - path: "{{ kube_cert_dir }}" + - name: typha-server + secret: + secretName: typha-server + items: + - key: tls.crt + path: server_certificate.pem + - key: tls.key + path: server_key.pem + - name: cacert + hostPath: + path: "{{ kube_cert_dir }}" {% endif %} --- diff --git a/roles/network_plugin/calico/templates/kdd-crds.yml.j2 b/roles/network_plugin/calico/templates/kdd-crds.yml.j2 index 7decacc4985..d4725f828c5 100644 --- a/roles/network_plugin/calico/templates/kdd-crds.yml.j2 +++ b/roles/network_plugin/calico/templates/kdd-crds.yml.j2 @@ -1,212 +1,2742 @@ # Create all the CustomResourceDefinitions needed for -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: felixconfigurations.crd.projectcalico.org + name: felixconfigurations.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: FelixConfiguration + listKind: FelixConfigurationList plural: felixconfigurations singular: felixconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + awsSrcDstCheck: + description: 'Set source-destination-check on AWS EC2 instances. Accepted + value must be one of "DoNothing", "Enabled" or "Disabled". [Default: + DoNothing]' + enum: + - DoNothing + - Enable + - Disable + type: string + bpfConnectTimeLoadBalancingEnabled: + description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, + controls whether Felix installs the connection-time load balancer. The + connect-time load balancer is required for the host to be able to + reach Kubernetes services and it improves the performance of pod-to-service + connections. The only reason to disable it is for debugging purposes. [Default: + true]' + type: boolean + bpfDataIfacePattern: + description: 'BPFDataIfacePattern is a regular expression that controls + which interfaces Felix should attach BPF programs to in order to + catch traffic to/from the network. This needs to match the interfaces + that Calico workload traffic flows over as well as any interfaces + that handle incoming traffic to nodeports and services from outside + the cluster. It should not match the workload interfaces (usually + named cali...). [Default: ^(en.*|eth.*|tunl0$)]' + type: string + bpfDisableUnprivileged: + description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled + sysctl to disable unprivileged use of BPF. This ensures that unprivileged + users cannot access Calico''s BPF maps and cannot insert their own + BPF programs to interfere with Calico''s. [Default: true]' + type: boolean + bpfEnabled: + description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]' + type: boolean + bpfExternalServiceMode: + description: 'BPFExternalServiceMode in BPF mode, controls how connections + from outside the cluster to services (node ports and cluster IPs) + are forwarded to remote workloads. If set to "Tunnel" then both + request and response traffic is tunneled to the remote node. If + set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote + node appears to use the IP of the ingress node; this requires a + permissive L2 network. [Default: Tunnel]' + type: string + bpfKubeProxyEndpointSlicesEnabled: + description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls + whether Felix's embedded kube-proxy accepts EndpointSlices or not. + type: boolean + bpfKubeProxyIptablesCleanupEnabled: + description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF + mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s + iptables chains. Should only be enabled if kube-proxy is not running. [Default: + true]' + type: boolean + bpfKubeProxyMinSyncPeriod: + description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the + minimum time between updates to the dataplane for Felix''s embedded + kube-proxy. Lower values give reduced set-up latency. Higher values + reduce Felix CPU usage by batching up more work. [Default: 1s]' + type: string + bpfLogLevel: + description: 'BPFLogLevel controls the log level of the BPF programs + when in BPF dataplane mode. One of "Off", "Info", or "Debug". The + logs are emitted to the BPF trace pipe, accessible with the command + `tc exec bpf debug`. [Default: Off].' + type: string + chainInsertMode: + description: 'ChainInsertMode controls whether Felix hooks the kernel’s + top-level iptables chains by inserting a rule at the top of the + chain or by appending a rule at the bottom. insert is the safe default + since it prevents Calico’s rules from being bypassed. If you switch + to append mode, be sure that the other rules in the chains signal + acceptance by falling through to the Calico rules, otherwise the + Calico policy will be bypassed. [Default: insert]' + type: string + dataplaneDriver: + type: string + debugDisableLogDropping: + type: boolean + debugMemoryProfilePath: + type: string + debugSimulateCalcGraphHangAfter: + type: string + debugSimulateDataplaneHangAfter: + type: string + defaultEndpointToHostAction: + description: 'DefaultEndpointToHostAction controls what happens to + traffic that goes from a workload endpoint to the host itself (after + the traffic hits the endpoint egress policy). By default Calico + blocks traffic from workload endpoints to the host itself with an + iptables “DROP” action. If you want to allow some or all traffic + from endpoint to host, set this parameter to RETURN or ACCEPT. Use + RETURN if you have your own rules in the iptables “INPUT” chain; + Calico will insert its rules at the top of that chain, then “RETURN” + packets to the “INPUT” chain once it has completed processing workload + endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. + [Default: Drop]' + type: string + deviceRouteProtocol: + description: This defines the route protocol added to programmed device + routes, by default this will be RTPROT_BOOT when left blank. + type: integer + deviceRouteSourceAddress: + description: This is the source address to use on programmed device + routes. By default the source address is left blank, leaving the + kernel to choose the source address used. + type: string + disableConntrackInvalidCheck: + type: boolean + endpointReportingDelay: + type: string + endpointReportingEnabled: + type: boolean + externalNodesList: + description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes + which may source tunnel traffic and have the tunneled traffic be + accepted at calico nodes. + items: + type: string + type: array + failsafeInboundHostPorts: + description: 'FailsafeInboundHostPorts is a comma-delimited list of + UDP/TCP ports that Felix will allow incoming traffic to host endpoints + on irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. Each + port should be specified as tcp: or udp:. + For back-compatibility, if the protocol is not specified, it defaults + to “tcp”. To disable all inbound host ports, use the value none. + The default value allows ssh access and DHCP. [Default: tcp:22, + udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' + items: + description: ProtoPort is combination of protocol and port, both + must be specified. + properties: + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + failsafeOutboundHostPorts: + description: 'FailsafeOutboundHostPorts is a comma-delimited list + of UDP/TCP ports that Felix will allow outgoing traffic from host + endpoints to irrespective of the security policy. This is useful + to avoid accidentally cutting off a host with incorrect configuration. + Each port should be specified as tcp: or udp:. + For back-compatibility, if the protocol is not specified, it defaults + to “tcp”. To disable all outbound host ports, use the value none. + The default value opens etcd’s standard ports to ensure that Felix + does not get cut off from etcd as well as allowing DHCP and DNS. + [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, + udp:53, udp:67]' + items: + description: ProtoPort is combination of protocol and port, both + must be specified. + properties: + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + genericXDPEnabled: + description: 'GenericXDPEnabled enables Generic XDP so network cards + that don''t support XDP offload or driver modes can use XDP. This + is not recommended since it doesn''t provide better performance + than iptables. [Default: false]' + type: boolean + healthEnabled: + type: boolean + healthHost: + type: string + healthPort: + type: integer + interfaceExclude: + description: 'InterfaceExclude is a comma-separated list of interfaces + that Felix should exclude when monitoring for host endpoints. The + default value ensures that Felix ignores Kubernetes'' IPVS dummy + interface, which is used internally by kube-proxy. If you want to + exclude multiple interface names using a single value, the list + supports regular expressions. For regular expressions you must wrap + the value with ''/''. For example having values ''/^kube/,veth1'' + will exclude all interfaces that begin with ''kube'' and also the + interface ''veth1''. [Default: kube-ipvs0]' + type: string + interfacePrefix: + description: 'InterfacePrefix is the interface name prefix that identifies + workload endpoints and so distinguishes them from host endpoint + interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker + integrations set the ‘cali’ value, and our OpenStack integration + sets the ‘tap’ value. [Default: cali]' + type: string + ipipEnabled: + type: boolean + ipipMTU: + description: 'IPIPMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + ipsetsRefreshInterval: + description: 'IpsetsRefreshInterval is the period at which Felix re-checks + all iptables state to ensure that no other process has accidentally + broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: + 90s]' + type: string + iptablesBackend: + description: IptablesBackend specifies which backend of iptables will + be used. The default is legacy. + type: string + iptablesFilterAllowAction: + type: string + iptablesLockFilePath: + description: 'IptablesLockFilePath is the location of the iptables + lock file. You may need to change this if the lock file is not in + its standard location (for example if you have mapped it into Felix’s + container at a different path). [Default: /run/xtables.lock]' + type: string + iptablesLockProbeInterval: + description: 'IptablesLockProbeInterval is the time that Felix will + wait between attempts to acquire the iptables lock if it is not + available. Lower values make Felix more responsive when the lock + is contended, but use more CPU. [Default: 50ms]' + type: string + iptablesLockTimeout: + description: 'IptablesLockTimeout is the time that Felix will wait + for the iptables lock, or 0, to disable. To use this feature, Felix + must share the iptables lock file with all other processes that + also take the lock. When running Felix inside a container, this + requires the /run directory of the host to be mounted into the calico/node + or calico/felix container. [Default: 0s disabled]' + type: string + iptablesMangleAllowAction: + type: string + iptablesMarkMask: + description: 'IptablesMarkMask is the mask that Felix selects its + IPTables Mark bits from. Should be a 32 bit hexadecimal number with + at least 8 bits set, none of which clash with any other mark bits + in use on the system. [Default: 0xff000000]' + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + type: string + iptablesPostWriteCheckInterval: + description: 'IptablesPostWriteCheckInterval is the period after Felix + has done a write to the dataplane that it schedules an extra read + back in order to check the write was not clobbered by another process. + This should only occur if another application on the system doesn’t + respect the iptables lock. [Default: 1s]' + type: string + iptablesRefreshInterval: + description: 'IptablesRefreshInterval is the period at which Felix + re-checks the IP sets in the dataplane to ensure that no other process + has accidentally broken Calico’s rules. Set to 0 to disable IP sets + refresh. Note: the default for this value is lower than the other + refresh intervals as a workaround for a Linux kernel bug that was + fixed in kernel version 4.11. If you are using v4.11 or greater + you may want to set this to, a higher value to reduce Felix CPU + usage. [Default: 10s]' + type: string + ipv6Support: + type: boolean + kubeNodePortRanges: + description: 'KubeNodePortRanges holds list of port ranges used for + service node ports. Only used if felix detects kube-proxy running + in ipvs mode. Felix uses these ranges to separate host and workload + traffic. [Default: 30000:32767].' + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + logFilePath: + description: 'LogFilePath is the full path to the Felix log. Set to + none to disable file logging. [Default: /var/log/calico/felix.log]' + type: string + logPrefix: + description: 'LogPrefix is the log prefix that Felix uses when rendering + LOG rules. [Default: calico-packet]' + type: string + logSeverityFile: + description: 'LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + logSeveritySys: + description: 'LogSeveritySys is the log severity above which logs + are sent to the syslog. Set to None for no logging to syslog. [Default: + Info]' + type: string + maxIpsetSize: + type: integer + metadataAddr: + description: 'MetadataAddr is the IP address or domain name of the + server that can answer VM queries for cloud-init metadata. In OpenStack, + this corresponds to the machine running nova-api (or in Ubuntu, + nova-api-metadata). A value of none (case insensitive) means that + Felix should not set up any NAT rule for the metadata path. [Default: + 127.0.0.1]' + type: string + metadataPort: + description: 'MetadataPort is the port of the metadata server. This, + combined with global.MetadataAddr (if not ‘None’), is used to set + up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775].' + type: integer + natOutgoingAddress: + description: NATOutgoingAddress specifies an address to use when performing + source NAT for traffic in a natOutgoing pool that is leaving the + network. By default the address used is an address on the interface + the traffic is leaving on (ie it uses the iptables MASQUERADE target) + type: string + natPortRange: + anyOf: + - type: integer + - type: string + description: NATPortRange specifies the range of ports that is used + for port mapping when doing outgoing NAT. When unset the default + behavior of the network stack is used. + pattern: ^.* + x-kubernetes-int-or-string: true + netlinkTimeout: + type: string + openstackRegion: + description: 'OpenstackRegion is the name of the region that a particular + Felix belongs to. In a multi-region Calico/OpenStack deployment, + this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must + match the [calico] openstack_region value configured in neutron.conf + on each node. [Default: Empty]' + type: string + policySyncPathPrefix: + description: 'PolicySyncPathPrefix is used to by Felix to communicate + policy changes to external services, like Application layer policy. + [Default: Empty]' + type: string + prometheusGoMetricsEnabled: + description: 'PrometheusGoMetricsEnabled disables Go runtime metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]' + type: boolean + prometheusMetricsHost: + description: 'PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]' + type: integer + prometheusProcessMetricsEnabled: + description: 'PrometheusProcessMetricsEnabled disables process metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + removeExternalRoutes: + description: Whether or not to remove device routes that have not + been programmed by Felix. Disabling this will allow external applications + to also add device routes. This is enabled by default which means + we will remove externally added routes. + type: boolean + reportingInterval: + description: 'ReportingInterval is the interval at which Felix reports + its status into the datastore or 0 to disable. Must be non-zero + in OpenStack deployments. [Default: 30s]' + type: string + reportingTTL: + description: 'ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]' + type: string + routeRefreshInterval: + description: 'RouterefreshInterval is the period at which Felix re-checks + the routes in the dataplane to ensure that no other process has + accidentally broken Calico’s rules. Set to 0 to disable route refresh. + [Default: 90s]' + type: string + routeSource: + description: 'RouteSource configures where Felix gets its routing + information. - WorkloadIPs: use workload endpoints to construct + routes. - CalicoIPAM: the default - use IPAM data to construct routes.' + type: string + routeTableRange: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRange specifies the indices of the route tables + that Calico should use. + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + sidecarAccelerationEnabled: + description: 'SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]' + type: boolean + usageReportingEnabled: + description: 'UsageReportingEnabled reports anonymous Calico version + number and cluster size to projectcalico.org. Logs warnings returned + by the usage server. For example, if a significant security vulnerability + has been discovered in the version of Calico being used. [Default: + true]' + type: boolean + usageReportingInitialDelay: + description: 'UsageReportingInitialDelay controls the minimum delay + before Felix makes a report. [Default: 300s]' + type: string + usageReportingInterval: + description: 'UsageReportingInterval controls the interval at which + Felix makes reports. [Default: 86400s]' + type: string + useInternalDataplaneDriver: + type: boolean + vxlanEnabled: + type: boolean + vxlanMTU: + description: 'VXLANMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + vxlanPort: + type: integer + vxlanVNI: + type: integer + wireguardEnabled: + description: 'WireguardEnabled controls whether Wireguard is enabled. + [Default: false]' + type: boolean + wireguardInterfaceName: + description: 'WireguardInterfaceName specifies the name to use for + the Wireguard interface. [Default: wg.calico]' + type: string + wireguardListeningPort: + description: 'WireguardListeningPort controls the listening port used + by Wireguard. [Default: 51820]' + type: integer + wireguardMTU: + description: 'WireguardMTU controls the MTU on the Wireguard interface. + See Configuring MTU [Default: 1420]' + type: integer + wireguardRoutingRulePriority: + description: 'WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]' + type: integer + xdpEnabled: + description: 'XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]' + type: boolean + xdpRefreshInterval: + description: 'XDPRefreshInterval is the period at which Felix re-checks + all XDP state to ensure that no other process has accidentally broken + Calico''s BPF maps or attached programs. Set to 0 to disable XDP + refresh. [Default: 90s]' + type: string + required: + - bpfLogLevel + type: object + type: object + served: true + storage: true --- {% if calico_version is version('v3.6.0', '>=') %} -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ipamblocks.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: IPAMBlock + listKind: IPAMBlockList plural: ipamblocks singular: ipamblock - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMBlockSpec contains the specification for an IPAMBlock + resource. + properties: + affinity: + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. + nullable: true + type: array + attributes: + items: + properties: + handle_id: + type: string + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - deleted + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: blockaffinities.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: BlockAffinity + listKind: BlockAffinityList plural: blockaffinities singular: blockaffinity - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BlockAffinitySpec contains the specification for a BlockAffinity + resource. + properties: + cidr: + type: string + deleted: + description: Deleted indicates that this block affinity is being deleted. + This field is a string for compatibility with older releases that + mistakenly treat this field as a string. + type: string + node: + type: string + state: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ipamhandles.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: IPAMHandle + listKind: IPAMHandleList plural: ipamhandles singular: ipamhandle - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMHandleSpec contains the specification for an IPAMHandle + resource. + properties: + block: + additionalProperties: + type: integer + type: object + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ipamconfigs.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: IPAMConfig + listKind: IPAMConfigList plural: ipamconfigs singular: ipamconfig - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMConfigSpec contains the specification for an IPAMConfig + resource. + properties: + autoAllocateBlocks: + type: boolean + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true --- {% endif %} -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: bgppeers.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: BGPPeer + listKind: BGPPeerList plural: bgppeers singular: bgppeer - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec contains the specification for a BGPPeer resource. + properties: + asNumber: + description: The AS Number of the peer. + format: int32 + type: integer + node: + description: The node name identifying the Calico node instance that + is peering with this peer. If this is not set, this represents a + global peer, i.e. a peer that peers with every node in the deployment. + type: string + nodeSelector: + description: Selector for the nodes that should have this peering. When + this is set, the Node field must be empty. + type: string + peerIP: + description: The IP address of the peer. + type: string + peerSelector: + description: Selector for the remote nodes to peer with. When this + is set, the PeerIP and ASNumber fields must be empty. For each + peering between the local node and selected remote nodes, we configure + an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, + and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The + remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, + or the global default if that is not set. + type: string + required: + - asNumber + - peerIP + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: BGPConfiguration + listKind: BGPConfigurationList plural: bgpconfigurations singular: bgpconfiguration - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BGPConfiguration contains the configuration for any BGP routing. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. + properties: + asNumber: + description: 'ASNumber is the default AS number used by a node. [Default: + 64512]' + format: int32 + type: integer + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: INFO]' + type: string + nodeToNodeMeshEnabled: + description: 'NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]' + type: boolean + serviceClusterIPs: + description: ServiceClusterIPs are the CIDR blocks from which service + cluster IPs are allocated. If specified, Calico will advertise these + blocks, as well as any cluster IPs within them. + items: + description: ServiceClusterIPBlock represents a single whitelisted + CIDR block for ClusterIPs. + properties: + cidr: + type: string + type: object + type: array + serviceExternalIPs: + description: ServiceExternalIPs are the CIDR blocks for Kubernetes + Service External IPs. Kubernetes Service ExternalIPs will only be + advertised if they are within one of these blocks. + items: + description: ServiceExternalIPBlock represents a single whitelisted + CIDR External IP block. + properties: + cidr: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ippools.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: IPPool + listKind: IPPoolList plural: ippools singular: ippool - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec contains the specification for an IPPool resource. + properties: + blockSize: + description: The block size to use for IP address assignments from + this pool. Defaults to 26 for IPv4 and 112 for IPv6. + type: integer + cidr: + description: The pool CIDR. + type: string + disabled: + description: When disabled is true, Calico IPAM will not assign addresses + from this pool. + type: boolean + ipip: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + properties: + enabled: + description: When enabled is true, ipip tunneling will be used + to deliver packets to destinations within this pool. + type: boolean + mode: + description: The IPIP mode. This can be one of "always" or "cross-subnet". A + mode of "always" will also use IPIP tunneling for routing to + destination IP addresses within this pool. A mode of "cross-subnet" + will only use IPIP tunneling when the destination node is on + a different subnet to the originating node. The default value + (if not specified) is "always". + type: string + type: object + ipipMode: + description: Contains configuration for IPIP tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. IPIP tunelling + is disabled). + type: string + nat-outgoing: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + type: boolean + natOutgoing: + description: When nat-outgoing is true, packets sent from Calico networked + containers in this pool to destinations outside of this pool will + be masqueraded. + type: boolean + nodeSelector: + description: Allows IPPool to allocate for a specific node by label + selector. + type: string + vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. VXLAN + tunelling is disabled). + type: string + required: + - cidr + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: hostendpoints.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: HostEndpoint + listKind: HostEndpointList plural: hostendpoints singular: hostendpoint - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HostEndpointSpec contains the specification for a HostEndpoint + resource. + properties: + expectedIPs: + description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. + If \"InterfaceName\" is not present, Calico will look for an interface + matching any of the IPs in the list and apply policy to that. Note: + \tWhen using the selector match criteria in an ingress or egress + security Policy \tor Profile, Calico converts the selector into + a set of IP addresses. For host \tendpoints, the ExpectedIPs field + is used for that purpose. (If only the interface \tname is specified, + Calico does not learn the IPs of the interface for use in match + \tcriteria.)" + items: + type: string + type: array + interfaceName: + description: "Either \"*\", or the name of a specific Linux interface + to apply policy to; or empty. \"*\" indicates that this HostEndpoint + governs all traffic to, from or through the default network namespace + of the host named by the \"Node\" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked + local workloads. \n If InterfaceName is not \"*\", this HostEndpoint + only governs traffic that enters or leaves the host through the + specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs + in ExpectedIPs. Therefore, when InterfaceName is empty, at least + one expected IP must be specified. Only external interfaces (such + as “eth0”) are supported here; it isn't possible for a HostEndpoint + to protect traffic through a specific local workload interface. + \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; + initially just pre-DNAT policy. Please check Calico documentation + for the latest position." + type: string + node: + description: The node name identifying the Calico node instance. + type: string + ports: + description: Ports contains the endpoint's named ports, which may + be referenced in security policy rules. + items: + properties: + name: + type: string + port: + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + profiles: + description: A list of identifiers of security Profile objects that + apply to this endpoint. Each profile is applied in the order that + they appear in this list. Profile rules are applied after the selector-based + security policy. + items: + type: string + type: array + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterinformations.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: ClusterInformation + listKind: ClusterInformationList plural: clusterinformations singular: clusterinformation - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ClusterInformation contains the cluster specific information. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterInformationSpec contains the values of describing + the cluster. + properties: + calicoVersion: + description: CalicoVersion is the version of Calico that the cluster + is running + type: string + clusterGUID: + description: ClusterGUID is the GUID of the cluster + type: string + clusterType: + description: ClusterType describes the type of the cluster + type: string + datastoreReady: + description: DatastoreReady is used during significant datastore migrations + to signal to components such as Felix that it should wait before + accessing the datastore. + type: boolean + variant: + description: Variant declares which variant of Calico should be active. + type: string + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: globalnetworkpolicies.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: GlobalNetworkPolicy + listKind: GlobalNetworkPolicyList plural: globalnetworkpolicies singular: globalnetworkpolicy - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + description: ApplyOnForward indicates to apply the rules in this policy + on forward traffic. + type: boolean + doNotTrack: + description: DoNotTrack indicates whether packets matched by the rules + in this policy should go through the data plane's connection tracking, + such as Linux conntrack. If True, the rules in this policy are + applied before any data plane connection tracking, and packets allowed + by this policy are marked as not to be tracked. + type: boolean + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + namespaceSelector: + description: NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. + type: string + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + preDNAT: + description: PreDNAT indicates to apply the rules in this policy before + any DNAT. + type: boolean + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress rules are present in the policy. The + default is: \n - [ PolicyTypeIngress ], if there are no Egress rules + (including the case where there are also no Ingress rules) \n + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress + rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are + both Ingress and Egress rules. \n When the policy is read back again, + Types will always be one of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: globalnetworksets.crd.projectcalico.org spec: - scope: Cluster group: crd.projectcalico.org - version: v1 names: kind: GlobalNetworkSet + listKind: GlobalNetworkSetList plural: globalnetworksets singular: globalnetworkset - + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs + that share labels to allow rules to refer to them via selectors. The labels + of GlobalNetworkSet are not namespaced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: networkpolicies.crd.projectcalico.org spec: - scope: Namespaced group: crd.projectcalico.org - version: v1 names: kind: NetworkPolicy + listKind: NetworkPolicyList plural: networkpolicies singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel’s iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. + \n When the policy is read back again, Types will always be one + of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true {% if calico_version is version('v3.7.0', '>=') %} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: networksets.crd.projectcalico.org spec: - scope: Namespaced group: crd.projectcalico.org - version: v1 names: kind: NetworkSet + listKind: NetworkSetList plural: networksets singular: networkset + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true {% endif %} diff --git a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 index 2b16f1f8664..1fbf26235d5 100644 --- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 @@ -26,10 +26,12 @@ rules: - apiGroups: - "" resources: +{% if cilium_version | regex_replace('v') is version('1.8', '<') %} # to automatically read from k8s and import the node's pod CIDR to cilium's # etcd so all nodes know how to reach another pod running in in a different # node. - nodes +{% endif %} # to perform the translation of a CNP that contains `ToGroup` to its endpoints - services - endpoints @@ -59,6 +61,14 @@ rules: {% endif %} verbs: - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 index d379477ec35..18fdad7bc5a 100644 --- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 @@ -92,7 +92,7 @@ spec: {% if cilium_enable_ipv4 %} host: 127.0.0.1 {% else %} - host: host: '[::1]' + host: '::1' {% endif %} path: /healthz port: 9234 diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 index 43a96821fa8..dd8e1b9100c 100755 --- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 @@ -59,11 +59,14 @@ spec: command: - /cni-uninstall.sh livenessProbe: - exec: - command: - - cilium - - status - - --brief + httpGet: + host: '127.0.0.1' + path: /healthz + port: 9876 + scheme: HTTP + httpHeaders: + - name: "brief" + value: "true" failureThreshold: 10 # The initial delay for the liveness probe is intentionally large to # avoid an endless kill & restart cycle if in the event that the initial @@ -81,11 +84,14 @@ spec: protocol: TCP {% endif %} readinessProbe: - exec: - command: - - cilium - - status - - --brief + httpGet: + host: '127.0.0.1' + path: /healthz + port: 9876 + scheme: HTTP + httpHeaders: + - name: "brief" + value: "true" failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 30 @@ -131,6 +137,8 @@ spec: - mountPath: /lib/modules name: lib-modules readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock dnsPolicy: ClusterFirstWithHostNet hostNetwork: true hostPID: false @@ -138,7 +146,7 @@ spec: - command: - /init-container.sh env: - - name: CLEAN_CILIUM_STATE + - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state @@ -214,6 +222,11 @@ spec: - hostPath: path: /lib/modules name: lib-modules + # To access iptables concurrently with other processes (e.g. kube-proxy) + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock # To read the etcd config stored in config maps - configMap: defaultMode: 420 diff --git a/roles/network_plugin/contiv/tasks/main.yml b/roles/network_plugin/contiv/tasks/main.yml index 81ca64bdcc2..f79e1e6fd82 100644 --- a/roles/network_plugin/contiv/tasks/main.yml +++ b/roles/network_plugin/contiv/tasks/main.yml @@ -146,9 +146,9 @@ - name: Contiv | Copy netctl binary from docker container command: sh -c "{{ docker_bin_dir }}/docker rm -f netctl-binarycopy; - {{ docker_bin_dir }}/docker create --name netctl-binarycopy {{ contiv_image_repo }}:{{ contiv_image_tag }} && - {{ docker_bin_dir }}/docker cp netctl-binarycopy:/contiv/bin/netctl {{ bin_dir }}/netctl && - {{ docker_bin_dir }}/docker rm -f netctl-binarycopy" + {{ docker_bin_dir }}/docker create --name netctl-binarycopy {{ contiv_image_repo }}:{{ contiv_image_tag }} && + {{ docker_bin_dir }}/docker cp netctl-binarycopy:/contiv/bin/netctl {{ bin_dir }}/netctl && + {{ docker_bin_dir }}/docker rm -f netctl-binarycopy" register: contiv_task_result until: contiv_task_result.rc == 0 retries: 4 diff --git a/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2 b/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2 index 80884d71997..5909e461f74 100644 --- a/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-cleanup.yml.j2 @@ -29,15 +29,15 @@ spec: securityContext: privileged: true volumeMounts: - - mountPath: /etc/openvswitch - name: etc-openvswitch - readOnly: false - - mountPath: /var/run - name: var-run - readOnly: false - - mountPath: /opt/cni/bin - name: cni-bin-dir - readOnly: false + - mountPath: /etc/openvswitch + name: etc-openvswitch + readOnly: false + - mountPath: /var/run + name: var-run + readOnly: false + - mountPath: /opt/cni/bin + name: cni-bin-dir + readOnly: false readinessProbe: exec: command: diff --git a/roles/network_plugin/contiv/templates/contiv-config.yml.j2 b/roles/network_plugin/contiv/templates/contiv-config.yml.j2 index 18b7748eb65..48f128ee78c 100644 --- a/roles/network_plugin/contiv/templates/contiv-config.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-config.yml.j2 @@ -22,10 +22,10 @@ data: } contiv_k8s_config: |- { - "K8S_API_SERVER": "{{ kube_apiserver_endpoint_for_contiv }}", - "K8S_CA": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", - "K8S_KEY": "", - "K8S_CERT": "", - "K8S_TOKEN": "", - "SVC_SUBNET": "{{ kube_service_addresses }}" + "K8S_API_SERVER": "{{ kube_apiserver_endpoint_for_contiv }}", + "K8S_CA": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt", + "K8S_KEY": "", + "K8S_CERT": "", + "K8S_TOKEN": "", + "SVC_SUBNET": "{{ kube_service_addresses }}" } diff --git a/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2 b/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2 index 9725a0f2a22..675d1cd6d3a 100644 --- a/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-etcd-proxy.yml.j2 @@ -20,12 +20,12 @@ spec: dnsPolicy: ClusterFirstWithHostNet hostPID: true affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: DoesNotExist + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist containers: - name: contiv-etcd-proxy image: {{ contiv_etcd_image_repo }}:{{ contiv_etcd_image_tag }} diff --git a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 index c21399fb693..b5b21fcb80f 100644 --- a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 @@ -78,8 +78,8 @@ spec: value: kubernetes - name: CONTIV_NETPLUGIN_VTEP_IP valueFrom: - fieldRef: - fieldPath: status.podIP + fieldRef: + fieldPath: status.podIP - name: CONTIV_NETPLUGIN_ETCD_ENDPOINTS valueFrom: configMapKeyRef: diff --git a/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2 b/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2 index 0b05588baad..edebbeaebed 100644 --- a/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-ovs.yml.j2 @@ -57,15 +57,15 @@ spec: name: contiv-config key: contiv_ovs_vswitchd_extra_flags volumeMounts: - - mountPath: /etc/openvswitch - name: etc-openvswitch - readOnly: false - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /var/run - name: var-run - readOnly: false + - mountPath: /etc/openvswitch + name: etc-openvswitch + readOnly: false + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /var/run + name: var-run + readOnly: false volumes: # Used by contiv-ovs - name: etc-openvswitch diff --git a/roles/network_plugin/kube-ovn/defaults/main.yml b/roles/network_plugin/kube-ovn/defaults/main.yml index 9cc4c5c84da..8f02a8cf164 100644 --- a/roles/network_plugin/kube-ovn/defaults/main.yml +++ b/roles/network_plugin/kube-ovn/defaults/main.yml @@ -13,4 +13,4 @@ kube_ovn_pinger_cpu_limit: 200m kube_ovn_pinger_memory_limit: 400Mi traffic_mirror: true -encap_checksum: true \ No newline at end of file +encap_checksum: true diff --git a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 index fc6eba4bcbf..28906be4f1e 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 +++ b/roles/network_plugin/kube-ovn/templates/cni-kube-ovn-crd.yml.j2 @@ -1,10 +1,62 @@ -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ips.kubeovn.io spec: group: kubeovn.io - version: v1 + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - name: Provider + type: string + jsonPath: .spec.provider + - name: IP + type: string + jsonPath: .spec.ipAddress + - name: Mac + type: string + jsonPath: .spec.macAddress + - name: Node + type: string + jsonPath: .spec.nodeName + - name: Subnet + type: string + jsonPath: .spec.subnet + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + podName: + type: string + namespace: + type: string + subnet: + type: string + attachSubnets: + type: array + items: + type: string + nodeName: + type: string + ipAddress: + type: string + attachIps: + type: array + items: + type: string + macAddress: + type: string + attachMacs: + type: array + items: + type: string + containerID: + type: string scope: Cluster names: plural: ips @@ -12,27 +64,111 @@ spec: kind: IP shortNames: - ip - additionalPrinterColumns: - - name: IP - type: string - JSONPath: .spec.ipAddress - - name: Mac - type: string - JSONPath: .spec.macAddress - - name: Node - type: string - JSONPath: .spec.nodeName - - name: Subnet - type: string - JSONPath: .spec.subnet --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: subnets.kubeovn.io spec: group: kubeovn.io - version: v1 + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Protocol + type: string + jsonPath: .spec.protocol + - name: CIDR + type: string + jsonPath: .spec.cidrBlock + - name: Private + type: boolean + jsonPath: .spec.private + - name: NAT + type: boolean + jsonPath: .spec.natOutgoing + - name: Default + type: boolean + jsonPath: .spec.default + - name: GatewayType + type: string + jsonPath: .spec.gatewayType + - name: Used + type: number + jsonPath: .status.usingIPs + - name: Available + type: number + jsonPath: .status.availableIPs + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + availableIPs: + type: number + usingIPs: + type: number + activateGateway: + type: string + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + reason: + type: string + message: + type: string + lastUpdateTime: + type: string + lastTransitionTime: + type: string + spec: + type: object + properties: + default: + type: boolean + protocol: + type: string + cidrBlock: + type: string + namespaces: + type: array + items: + type: string + gateway: + type: string + provider: + type: string + excludeIps: + type: array + items: + type: string + gatewayType: + type: string + allowSubnets: + type: array + items: + type: string + gatewayNode: + type: string + natOutgoing: + type: boolean + private: + type: boolean + vlan: + type: string + underlayGateway: + type: boolean scope: Cluster names: plural: subnets @@ -40,54 +176,42 @@ spec: kind: Subnet shortNames: - subnet - subresources: - status: {} - additionalPrinterColumns: - - name: Provider - type: string - JSONPath: .spec.provider - - name: Protocol - type: string - JSONPath: .spec.protocol - - name: CIDR - type: string - JSONPath: .spec.cidrBlock - - name: Private - type: boolean - JSONPath: .spec.private - - name: NAT - type: boolean - JSONPath: .spec.natOutgoing - - name: Default - type: boolean - JSONPath: .spec.default - - name: GatewayType - type: string - JSONPath: .spec.gatewayType - - name: Used - type: number - JSONPath: .status.usingIPs - - name: Available - type: number - JSONPath: .status.availableIPs - validation: - openAPIV3Schema: - properties: - spec: - required: ["cidrBlock"] - properties: - cidrBlock: - type: "string" - gateway: - type: "string" --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: vlans.kubeovn.io spec: group: kubeovn.io - version: v1 + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + vlanId: + type: integer + providerInterfaceName: + type: string + logicalInterfaceName: + type: string + subnet: + type: string + additionalPrinterColumns: + - name: VlanID + type: string + jsonPath: .spec.vlanId + - name: ProviderInterfaceName + type: string + jsonPath: .spec.providerInterfaceName + - name: Subnet + type: string + jsonPath: .spec.subnet scope: Cluster names: plural: vlans @@ -95,13 +219,3 @@ spec: kind: Vlan shortNames: - vlan - additionalPrinterColumns: - - name: VlanID - type: string - JSONPath: .spec.vlanId - - name: ProviderInterfaceName - type: string - JSONPath: .spec.providerInterfaceName - - name: Subnet - type: string - JSONPath: .spec.subnet \ No newline at end of file diff --git a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 index 7b639d6d2d8..2ffe0dd6180 100644 --- a/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 +++ b/roles/network_plugin/kube-ovn/templates/cni-ovn.yml.j2 @@ -349,4 +349,4 @@ spec: path: /var/log/openvswitch - name: host-log-ovn hostPath: - path: /var/log/ovn \ No newline at end of file + path: /var/log/ovn diff --git a/roles/network_plugin/kube-router/defaults/main.yml b/roles/network_plugin/kube-router/defaults/main.yml index 885e3474e90..a1e68feeaa2 100644 --- a/roles/network_plugin/kube-router/defaults/main.yml +++ b/roles/network_plugin/kube-router/defaults/main.yml @@ -57,4 +57,4 @@ kube_router_enable_metrics: false kube_router_metrics_path: /metrics # Prometheus metrics port to use -kube_router_metrics_port: 9255 \ No newline at end of file +kube_router_metrics_port: 9255 diff --git a/roles/network_plugin/kube-router/templates/kube-router.yml.j2 b/roles/network_plugin/kube-router/templates/kube-router.yml.j2 index 2510a861f30..bce36cfbd55 100644 --- a/roles/network_plugin/kube-router/templates/kube-router.yml.j2 +++ b/roles/network_plugin/kube-router/templates/kube-router.yml.j2 @@ -39,6 +39,7 @@ spec: - --run-firewall={{ kube_router_run_firewall | bool }} - --run-service-proxy={{ kube_router_run_service_proxy | bool }} - --kubeconfig=/var/lib/kube-router/kubeconfig + - --bgp-graceful-restart=true {% if kube_router_advertise_cluster_ip %} - --advertise-cluster-ip {% endif %} @@ -75,7 +76,7 @@ spec: httpGet: path: /healthz port: 20244 - initialDelaySeconds: 5 + initialDelaySeconds: 10 periodSeconds: 3 resources: requests: @@ -97,6 +98,9 @@ spec: - name: kubeconfig mountPath: /var/lib/kube-router readOnly: true + - name: xtables-lock + mountPath: /run/xtables.lock + readOnly: false {% if kube_router_enable_metrics %} ports: - containerPort: {{ kube_router_metrics_port }} @@ -128,6 +132,10 @@ spec: - name: kubeconfig hostPath: path: /var/lib/kube-router + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate --- apiVersion: v1 diff --git a/roles/network_plugin/multus/files/multus-clusterrole.yml b/roles/network_plugin/multus/files/multus-clusterrole.yml index ec2ec3a0648..b574069cd9b 100644 --- a/roles/network_plugin/multus/files/multus-clusterrole.yml +++ b/roles/network_plugin/multus/files/multus-clusterrole.yml @@ -25,4 +25,4 @@ rules: verbs: - create - patch - - update \ No newline at end of file + - update diff --git a/roles/upgrade/pre-upgrade/tasks/main.yml b/roles/upgrade/pre-upgrade/tasks/main.yml index a8b149394cb..f47954b1c39 100644 --- a/roles/upgrade/pre-upgrade/tasks/main.yml +++ b/roles/upgrade/pre-upgrade/tasks/main.yml @@ -3,8 +3,8 @@ # Node NotReady: type = ready, status = Unknown - name: See if node is in ready state shell: >- - {{ bin_dir }}/kubectl get node {{ inventory_hostname }} - -o jsonpath='{ range .status.conditions[?(@.type == "Ready")].status }{ @ }{ end }' + {{ bin_dir }}/kubectl get node {{ inventory_hostname }} + -o jsonpath='{ range .status.conditions[?(@.type == "Ready")].status }{ @ }{ end }' register: kubectl_node_ready delegate_to: "{{ groups['kube-master'][0] }}" failed_when: false @@ -14,8 +14,8 @@ # else unschedulable key doesn't exist - name: See if node is schedulable shell: >- - {{ bin_dir }}/kubectl get node {{ inventory_hostname }} - -o jsonpath='{ .spec.unschedulable }' + {{ bin_dir }}/kubectl get node {{ inventory_hostname }} + -o jsonpath='{ .spec.unschedulable }' register: kubectl_node_schedulable delegate_to: "{{ groups['kube-master'][0] }}" failed_when: false diff --git a/scale.yml b/scale.yml index b735a74137b..b4f3dd058d8 100644 --- a/scale.yml +++ b/scale.yml @@ -4,6 +4,7 @@ - hosts: all gather_facts: false + tags: always tasks: - name: "Set up proxy environment" set_fact: @@ -32,6 +33,7 @@ - { role: bootstrap-os, tags: bootstrap-os} - name: Gather facts + tags: always import_playbook: facts.yml - name: Generate the etcd certificates beforehand diff --git a/scripts/collect-info.yaml b/scripts/collect-info.yaml index 15f1c627fef..4c203648e39 100644 --- a/scripts/collect-info.yaml +++ b/scripts/collect-info.yaml @@ -133,6 +133,7 @@ dest: "{{ dir|default('.') }}/logs.tar.gz" remove: true delegate_to: localhost + connection: local become: false run_once: true diff --git a/scripts/openstack-cleanup/main.py b/scripts/openstack-cleanup/main.py index e7098142fc6..0ab9ffc135d 100755 --- a/scripts/openstack-cleanup/main.py +++ b/scripts/openstack-cleanup/main.py @@ -11,7 +11,7 @@ log = logging.getLogger('openstack-cleanup') -parser = argparse.ArgumentParser(description='Cleanup OpenStack VMs') +parser = argparse.ArgumentParser(description='Cleanup OpenStack resources') parser.add_argument('-v', '--verbose', action='store_true', help='Increase verbosity') @@ -29,16 +29,44 @@ def main(): if args.dry_run: print('Running in dry-run mode') else: - print('This will delete VMs... (ctrl+c to cancel)') + print('This will delete resources... (ctrl+c to cancel)') time.sleep(PAUSE_SECONDS) conn = openstack.connect() - for server in conn.compute.servers(): - created_at = datetime.datetime.strptime(server.created_at, DATE_FORMAT) - if created_at < oldest_allowed: - print('Will delete server %(name)s' % server) - if not args.dry_run: - conn.compute.delete_server(server) + + print('Security groups...') + map_if_old(conn.network.delete_security_group, + conn.network.security_groups()) + + print('Servers...') + map_if_old(conn.compute.delete_server, + conn.compute.servers()) + + print('Subnets...') + map_if_old(conn.network.delete_subnet, + conn.network.subnets()) + + print('Networks...') + for n in conn.network.networks(): + if not n.is_router_external: + fn_if_old(conn.network.delete_network, n) + + +# runs the given fn to all elements of the that are older than allowed +def map_if_old(fn, items): + for item in items: + fn_if_old(fn, item) + + +# run the given fn function only if the passed item is older than allowed +def fn_if_old(fn, item): + created_at = datetime.datetime.strptime(item.created_at, DATE_FORMAT) + if item.name == "default": # skip default security group + return + if created_at < oldest_allowed: + print('Will delete %(name)s (%(id)s)' % item) + if not args.dry_run: + fn(item) if __name__ == '__main__': diff --git a/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml b/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml index 8c5b3bf9416..4798b539dd1 100644 --- a/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml +++ b/test-infra/image-builder/roles/kubevirt-images/defaults/main.yml @@ -70,4 +70,4 @@ images: filename: openSUSE-Leap-15.1-OpenStack.x86_64-0.0.4-Build6.106.qcow2 url: https://download.opensuse.org/repositories/Cloud:/Images:/Leap_15.1/images/openSUSE-Leap-15.1-OpenStack.x86_64-0.0.4-Build6.106.qcow2 checksum: sha256:e3c016a889505c5ae51dafe6eedc836a9e9546ab951fdc96f07eb35e34d12b8c - converted: true \ No newline at end of file + converted: true diff --git a/tests/cloud_playbooks/delete-aws.yml b/tests/cloud_playbooks/delete-aws.yml index bffb8c60fa5..b72caf0ee75 100644 --- a/tests/cloud_playbooks/delete-aws.yml +++ b/tests/cloud_playbooks/delete-aws.yml @@ -15,3 +15,4 @@ region: "{{ ansible_ec2_placement_region }}" wait: True delegate_to: localhost + connection: local diff --git a/tests/files/packet_centos7-weave-upgrade-ha.yml b/tests/files/packet_centos7-weave-upgrade-ha.yml index 8a25765328a..d455a9f7ad5 100644 --- a/tests/files/packet_centos7-weave-upgrade-ha.yml +++ b/tests/files/packet_centos7-weave-upgrade-ha.yml @@ -10,4 +10,4 @@ kubernetes_audit: true dns_min_replicas: 1 # Needed to upgrade from 1.16 to 1.17, otherwise upgrade is partial and bug followed -upgrade_cluster_setup: true \ No newline at end of file +upgrade_cluster_setup: true diff --git a/tests/files/packet_centos8-kube-ovn.yml b/tests/files/packet_centos8-kube-ovn.yml index 6fab5020478..a58dc0c69f3 100644 --- a/tests/files/packet_centos8-kube-ovn.yml +++ b/tests/files/packet_centos8-kube-ovn.yml @@ -6,4 +6,4 @@ mode: default # Kubespray settings kube_network_plugin: kube-ovn deploy_netchecker: true -dns_min_replicas: 1 \ No newline at end of file +dns_min_replicas: 1 diff --git a/tests/files/packet_debian10-containerd.yml b/tests/files/packet_debian10-containerd.yml index e00a2904ff6..4503f71b060 100644 --- a/tests/files/packet_debian10-containerd.yml +++ b/tests/files/packet_debian10-containerd.yml @@ -14,4 +14,4 @@ helm_version: v3.1.0 # https://gitlab.com/miouge/kubespray-ci/-/blob/a4fd5ed6857807f1c353cb60848aedebaf7d2c94/manifests/http-proxy.yml#L42 http_proxy: http://172.30.30.30:8888 -https_proxy: http://172.30.30.30:8888 \ No newline at end of file +https_proxy: http://172.30.30.30:8888 diff --git a/tests/files/packet_opensuse-canal.yml b/tests/files/packet_opensuse-canal.yml index a735d77e81d..7dc12c06111 100644 --- a/tests/files/packet_opensuse-canal.yml +++ b/tests/files/packet_opensuse-canal.yml @@ -7,3 +7,6 @@ mode: default kube_network_plugin: canal deploy_netchecker: true dns_min_replicas: 1 + +# test Ambassador +ingress_ambassador_enabled: true diff --git a/tests/files/tf-elastx_ubuntu18-calico.yml b/tests/files/tf-elastx_ubuntu18-calico.yml index 53e03d7fe79..43ef55aa34c 100644 --- a/tests/files/tf-elastx_ubuntu18-calico.yml +++ b/tests/files/tf-elastx_ubuntu18-calico.yml @@ -4,4 +4,4 @@ deploy_netchecker: true sonobuoy_enabled: true # Ignore ping errors -ignore_assert_errors: true \ No newline at end of file +ignore_assert_errors: true diff --git a/tests/files/vagrant_ubuntu18-flannel.yml b/tests/files/vagrant_ubuntu18-flannel.yml index e878a5e388a..d4543a901f1 100644 --- a/tests/files/vagrant_ubuntu18-flannel.yml +++ b/tests/files/vagrant_ubuntu18-flannel.yml @@ -4,4 +4,4 @@ kube_network_plugin: flannel deploy_netchecker: true -dns_min_replicas: 1 \ No newline at end of file +dns_min_replicas: 1 diff --git a/tests/files/vagrant_ubuntu20-flannel.yml b/tests/files/vagrant_ubuntu20-flannel.yml index e878a5e388a..d4543a901f1 100644 --- a/tests/files/vagrant_ubuntu20-flannel.yml +++ b/tests/files/vagrant_ubuntu20-flannel.yml @@ -4,4 +4,4 @@ kube_network_plugin: flannel deploy_netchecker: true -dns_min_replicas: 1 \ No newline at end of file +dns_min_replicas: 1 diff --git a/tests/testcases/010_check-apiserver.yml b/tests/testcases/010_check-apiserver.yml index bb865727dff..330e5e6bf24 100644 --- a/tests/testcases/010_check-apiserver.yml +++ b/tests/testcases/010_check-apiserver.yml @@ -17,4 +17,4 @@ that: - apiserver_response.json.gitVersion == kube_version fail_msg: "apiserver version different than expected {{ kube_version }}" - when: kube_version is defined \ No newline at end of file + when: kube_version is defined diff --git a/tests/testcases/015_check-nodes-ready.yml b/tests/testcases/015_check-nodes-ready.yml index 14a3468f5f1..be8370cc3b3 100644 --- a/tests/testcases/015_check-nodes-ready.yml +++ b/tests/testcases/015_check-nodes-ready.yml @@ -30,4 +30,4 @@ # Check that all nodes are Status=Ready - '(get_nodes_yaml.stdout | from_yaml)["items"] | map(attribute = "status.conditions") | map("items2dict", key_name="type", value_name="status") | map(attribute="Ready") | list | min' retries: 30 - delay: 10 \ No newline at end of file + delay: 10 diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml index 4e8903439cf..bee470ef753 100644 --- a/tests/testcases/030_check-network.yml +++ b/tests/testcases/030_check-network.yml @@ -51,13 +51,13 @@ - name: Get hostnet pods command: "{{ bin_dir }}/kubectl get pods -n test -o - jsonpath='{range .items[?(.spec.hostNetwork)]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" + jsonpath='{range .items[?(.spec.hostNetwork)]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" register: hostnet_pods no_log: true - name: Get running pods command: "{{ bin_dir }}/kubectl get pods -n test -o - jsonpath='{range .items[?(.status.phase==\"Running\")]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" + jsonpath='{range .items[?(.status.phase==\"Running\")]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" register: running_pods no_log: true diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml index d5108f20280..403d210afac 100644 --- a/upgrade-cluster.yml +++ b/upgrade-cluster.yml @@ -4,6 +4,7 @@ - hosts: all gather_facts: false + tags: always tasks: - name: "Set up proxy environment" set_fact: @@ -35,6 +36,7 @@ - { role: bootstrap-os, tags: bootstrap-os} - name: Gather facts + tags: always import_playbook: facts.yml - name: Download images to ansible host cache via first kube-master node