From 9f1916d8dd523581ab961c22f91045712d0611a5 Mon Sep 17 00:00:00 2001
From: Dmitry Ukov <dukov@mirantis.com>
Date: Wed, 8 Apr 2020 18:53:36 +0400
Subject: [PATCH] Add CAPI ControlPlane provider Kubeadm

Forked the kustomization from the 0.3.3 release.

Change-Id: I7e7074fe6e68aff4c3280567160ebb25bd9f7780
---
 .../cacpk/v0.3.3/certmanager/certificate.yaml |  25 +
 .../v0.3.3/certmanager/kustomization.yaml     |   5 +
 .../v0.3.3/certmanager/kustomizeconfig.yaml   |  19 +
 ...cluster.x-k8s.io_kubeadmcontrolplanes.yaml | 997 ++++++++++++++++++
 .../cacpk/v0.3.3/crd/kustomization.yaml       |  24 +
 .../cacpk/v0.3.3/crd/kustomizeconfig.yaml     |  17 +
 .../cainjection_in_kubeadmcontrolplanes.yaml  |   8 +
 .../webhook_in_kubeadmcontrolplanes.yaml      |  19 +
 .../cacpk/v0.3.3/default/kustomization.yaml   |   8 +
 .../cacpk/v0.3.3/default/namespace.yaml       |   6 +
 .../function/cacpk/v0.3.3/kustomization.yaml  |  17 +
 .../cacpk/v0.3.3/manager/kustomization.yaml   |   7 +
 .../cacpk/v0.3.3/manager/manager.yaml         |  28 +
 .../manager/manager_auth_proxy_patch.yaml     |  25 +
 .../v0.3.3/manager/manager_image_patch.yaml   |  11 +
 .../v0.3.3/manager/manager_image_patch.yaml-e |  11 +
 .../v0.3.3/manager/manager_pull_policy.yaml   |  11 +
 .../v0.3.3/manager/manager_pull_policy.yaml-e |  11 +
 .../v0.3.3/patch_crd_webhook_namespace.yaml   |   3 +
 .../cacpk/v0.3.3/rbac/auth_proxy_role.yaml    |  13 +
 .../v0.3.3/rbac/auth_proxy_role_binding.yaml  |  12 +
 .../cacpk/v0.3.3/rbac/auth_proxy_service.yaml |  14 +
 .../cacpk/v0.3.3/rbac/kustomization.yaml      |  11 +
 .../v0.3.3/rbac/leader_election_role.yaml     |  32 +
 .../rbac/leader_election_role_binding.yaml    |  12 +
 .../function/cacpk/v0.3.3/rbac/role.yaml      | 100 ++
 .../cacpk/v0.3.3/rbac/role_binding.yaml       |  12 +
 .../cacpk/v0.3.3/webhook/kustomization.yaml   |  43 +
 .../cacpk/v0.3.3/webhook/kustomizeconfig.yaml |  27 +
 .../v0.3.3/webhook/manager_webhook_patch.yaml |  26 +
 .../cacpk/v0.3.3/webhook/manifests.yaml       |  54 +
 .../cacpk/v0.3.3/webhook/service.yaml         |  10 +
 .../webhook/webhookcainjection_patch.yaml     |  15 +
 33 files changed, 1633 insertions(+)
 create mode 100644 manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/crd/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/default/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/default/namespace.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e
 create mode 100644 manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/role.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/webhook/manifests.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/webhook/service.yaml
 create mode 100644 manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml

diff --git a/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml b/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml
new file mode 100644
index 000000000..7decb1a4b
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/certmanager/certificate.yaml
@@ -0,0 +1,25 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for breaking changes
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
+  dnsNames:
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: $(SERVICE_NAME)-cert # this secret will not be prefixed, since it's not managed by kustomize
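Review bot: Both resources pin `apiVersion: cert-manager.io/v1alpha2`, and the header comment on the first line warns that the manifest targets cert-manager 0.11, yet nothing in the function records that prerequisite; on a cluster whose cert-manager no longer serves the v1alpha2 API the Issuer and Certificate fail to apply and the webhook comes up without a serving certificate. I would make the constraint explicit in the header, e.g. `# WARNING: requires a cert-manager release that still serves cert-manager.io/v1alpha2 (forked from a manifest targeting 0.11); re-fork from upstream when cert-manager is upgraded`. Note also that because the Issuer is `selfSigned`, the API server's trust in the webhook rests entirely on the CA bundle cert-manager injects into the webhook configuration via the cainjection patches listed in the diffstat, so the `serving-cert` name and namespace here must stay in sync with those annotations or admission requests will fail TLS verification.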
diff --git a/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml b/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml
new file mode 100644
index 000000000..bebea5a59
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/certmanager/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml
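Review bot: The resources list here is explicit, so only `certificate.yaml` is rendered; that matters because the diffstat also adds `manager/manager_image_patch.yaml-e` and `manager/manager_pull_policy.yaml-e`, which by their `-e` suffix look like in-place sed backup copies rather than intended manifests. They are inert as long as no kustomization lists them, but they duplicate the real patches and will confuse the next maintainer, so they should be dropped from the commit. Adding `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` at the top of this file would also make it self-describing for linters and schema tooling, though kustomize accepts the file as written.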
diff --git a/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml
new file mode 100644
index 000000000..28a895a40
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/certmanager/kustomizeconfig.yaml
@@ -0,0 +1,19 @@
+# This configuration is for teaching kustomize how to update name ref and var substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name
+
+varReference:
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/commonName
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/dnsNames
+- kind: Certificate
+  group: cert-manager.io
+  path: spec/secretName
diff --git a/manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml b/manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
new file mode 100644
index 000000000..19f1b92ea
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/crd/bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
@@ -0,0 +1,997 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.8
+  creationTimestamp: null
+  name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
+spec:
+  group: controlplane.cluster.x-k8s.io
+  names:
+    categories:
+    - cluster-api
+    kind: KubeadmControlPlane
+    listKind: KubeadmControlPlaneList
+    plural: kubeadmcontrolplanes
+    shortNames:
+    - kcp
+    singular: kubeadmcontrolplane
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: KubeadmControlPlane API Server is ready to receive requests
+      jsonPath: .status.ready
+      name: Ready
+      type: boolean
+    - description: This denotes whether or not the control plane has the uploaded
+        kubeadm-config configmap
+      jsonPath: .status.initialized
+      name: Initialized
+      type: boolean
+    - description: Total number of non-terminated machines targeted by this control
+        plane
+      jsonPath: .status.replicas
+      name: Replicas
+      type: integer
+    - description: Total number of fully running and ready control plane machines
+      jsonPath: .status.readyReplicas
+      name: Ready Replicas
+      type: integer
+    - description: Total number of non-terminated machines targeted by this control
+        plane that have the desired template spec
+      jsonPath: .status.updatedReplicas
+      name: Updated Replicas
+      type: integer
+    - description: Total number of unavailable machines targeted by this control plane
+      jsonPath: .status.unavailableReplicas
+      name: Unavailable Replicas
+      type: integer
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        description: KubeadmControlPlane is the Schema for the KubeadmControlPlane
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeadmControlPlaneSpec defines the desired state of KubeadmControlPlane.
+            properties:
+              infrastructureTemplate:
+                description: InfrastructureTemplate is a required reference to a custom
+                  resource offered by an infrastructure provider.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              kubeadmConfigSpec:
+                description: KubeadmConfigSpec is a KubeadmConfigSpec to use for initializing
+                  and joining machines to the control plane.
+                properties:
+                  clusterConfiguration:
+                    description: ClusterConfiguration along with InitConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiServer:
+                        description: APIServer contains extra settings for the API
+                          server control plane component
+                        properties:
+                          certSANs:
+                            description: CertSANs sets extra Subject Alternative Names
+                              for the API Server signing cert.
+                            items:
+                              type: string
+                            type: array
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                          timeoutForControlPlane:
+                            description: TimeoutForControlPlane controls the timeout
+                              that we use for API server to appear
+                            type: string
+                        type: object
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      certificatesDir:
+                        description: 'CertificatesDir specifies where to store or
+                          look for all required certificates. NB: if not provided,
+                          this will default to `/etc/kubernetes/pki`'
+                        type: string
+                      clusterName:
+                        description: The cluster name
+                        type: string
+                      controlPlaneEndpoint:
+                        description: 'ControlPlaneEndpoint sets a stable IP address
+                          or DNS name for the control plane; it can be a valid IP
+                          address or a RFC-1123 DNS subdomain, both with optional
+                          TCP port. In case the ControlPlaneEndpoint is not specified,
+                          the AdvertiseAddress + BindPort are used; in case the ControlPlaneEndpoint
+                          is specified but without a TCP port, the BindPort is used.
+                          Possible usages are: e.g. In a cluster with more than one
+                          control plane instances, this field should be assigned the
+                          address of the external load balancer in front of the control
+                          plane instances. e.g.  in environments with enforced node
+                          recycling, the ControlPlaneEndpoint could be used for assigning
+                          a stable DNS to the control plane. NB: This value defaults
+                          to the first value in the Cluster object status.apiEndpoints
+                          array.'
+                        type: string
+                      controllerManager:
+                        description: ControllerManager contains extra settings for
+                          the controller manager control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                      dns:
+                        description: DNS defines the options for the DNS add-on installed
+                          in the cluster.
+                        properties:
+                          imageRepository:
+                            description: ImageRepository sets the container registry
+                              to pull images from. if not set, the ImageRepository
+                              defined in ClusterConfiguration will be used instead.
+                            type: string
+                          imageTag:
+                            description: ImageTag allows to specify a tag for the
+                              image. In case this value is set, kubeadm does not change
+                              automatically the version of the above components during
+                              upgrades.
+                            type: string
+                          type:
+                            description: Type defines the DNS add-on to be used
+                            type: string
+                        type: object
+                      etcd:
+                        description: 'Etcd holds configuration for etcd. NB: This
+                          value defaults to a Local (stacked) etcd'
+                        properties:
+                          external:
+                            description: External describes how to connect to an external
+                              etcd cluster Local and External are mutually exclusive
+                            properties:
+                              caFile:
+                                description: CAFile is an SSL Certificate Authority
+                                  file used to secure etcd communication. Required
+                                  if using a TLS connection.
+                                type: string
+                              certFile:
+                                description: CertFile is an SSL certification file
+                                  used to secure etcd communication. Required if using
+                                  a TLS connection.
+                                type: string
+                              endpoints:
+                                description: Endpoints of etcd members. Required for
+                                  ExternalEtcd.
+                                items:
+                                  type: string
+                                type: array
+                              keyFile:
+                                description: KeyFile is an SSL key file used to secure
+                                  etcd communication. Required if using a TLS connection.
+                                type: string
+                            required:
+                            - caFile
+                            - certFile
+                            - endpoints
+                            - keyFile
+                            type: object
+                          local:
+                            description: Local provides configuration knobs for configuring
+                              the local etcd instance Local and External are mutually
+                              exclusive
+                            properties:
+                              dataDir:
+                                description: DataDir is the directory etcd will place
+                                  its data. Defaults to "/var/lib/etcd".
+                                type: string
+                              extraArgs:
+                                additionalProperties:
+                                  type: string
+                                description: ExtraArgs are extra arguments provided
+                                  to the etcd binary when run inside a static pod.
+                                type: object
+                              imageRepository:
+                                description: ImageRepository sets the container registry
+                                  to pull images from. if not set, the ImageRepository
+                                  defined in ClusterConfiguration will be used instead.
+                                type: string
+                              imageTag:
+                                description: ImageTag allows to specify a tag for
+                                  the image. In case this value is set, kubeadm does
+                                  not change automatically the version of the above
+                                  components during upgrades.
+                                type: string
+                              peerCertSANs:
+                                description: PeerCertSANs sets extra Subject Alternative
+                                  Names for the etcd peer signing cert.
+                                items:
+                                  type: string
+                                type: array
+                              serverCertSANs:
+                                description: ServerCertSANs sets extra Subject Alternative
+                                  Names for the etcd server signing cert.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      featureGates:
+                        additionalProperties:
+                          type: boolean
+                        description: FeatureGates enabled by the user.
+                        type: object
+                      imageRepository:
+                        description: ImageRepository sets the container registry to
+                          pull images from. If empty, `k8s.gcr.io` will be used by
+                          default; in case of kubernetes version is a CI build (kubernetes
+                          version starts with `ci/` or `ci-cross/`) `gcr.io/kubernetes-ci-images`
+                          will be used as a default for control plane components and
+                          for kube-proxy, while `k8s.gcr.io` will be used for all
+                          the other images.
+                        type: string
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      kubernetesVersion:
+                        description: 'KubernetesVersion is the target version of the
+                          control plane. NB: This value defaults to the Machine object
+                          spec.kuberentesVersion'
+                        type: string
+                      networking:
+                        description: 'Networking holds configuration for the networking
+                          topology of the cluster. NB: This value defaults to the
+                          Cluster object spec.clusterNetwork.'
+                        properties:
+                          dnsDomain:
+                            description: DNSDomain is the dns domain used by k8s services.
+                              Defaults to "cluster.local".
+                            type: string
+                          podSubnet:
+                            description: PodSubnet is the subnet used by pods. If
+                              unset, the API server will not allocate CIDR ranges
+                              for every node. Defaults to the first element of the
+                              Cluster object's spec.clusterNetwork.services.cidrBlocks
+                              if that is set
+                            type: string
+                          serviceSubnet:
+                            description: ServiceSubnet is the subnet used by k8s services.
+                              Defaults to the first element of the Cluster object's
+                              spec.clusterNetwork.pods.cidrBlocks field, or to "10.96.0.0/12"
+                              if that's unset.
+                            type: string
+                        type: object
+                      scheduler:
+                        description: Scheduler contains extra settings for the scheduler
+                          control plane component
+                        properties:
+                          extraArgs:
+                            additionalProperties:
+                              type: string
+                            description: 'ExtraArgs is an extra set of flags to pass
+                              to the control plane component. TODO: This is temporary
+                              and ideally we would like to switch all components to
+                              use ComponentConfig + ConfigMaps.'
+                            type: object
+                          extraVolumes:
+                            description: ExtraVolumes is an extra set of host volumes,
+                              mounted to the control plane component.
+                            items:
+                              description: HostPathMount contains elements describing
+                                volumes that are mounted from the host.
+                              properties:
+                                hostPath:
+                                  description: HostPath is the path in the host that
+                                    will be mounted inside the pod.
+                                  type: string
+                                mountPath:
+                                  description: MountPath is the path inside the pod
+                                    where hostPath will be mounted.
+                                  type: string
+                                name:
+                                  description: Name of the volume inside the pod template.
+                                  type: string
+                                pathType:
+                                  description: PathType is the type of the HostPath.
+                                  type: string
+                                readOnly:
+                                  description: ReadOnly controls write access to the
+                                    volume
+                                  type: boolean
+                              required:
+                              - hostPath
+                              - mountPath
+                              - name
+                              type: object
+                            type: array
+                        type: object
+                      useHyperKubeImage:
+                        description: UseHyperKubeImage controls if hyperkube should
+                          be used for Kubernetes components instead of their respective
+                          separate images
+                        type: boolean
+                    type: object
+                  files:
+                    description: Files specifies extra files to be passed to user_data
+                      upon creation.
+                    items:
+                      description: File defines the input for generating write_files
+                        in cloud-init.
+                      properties:
+                        content:
+                          description: Content is the actual content of the file.
+                          type: string
+                        encoding:
+                          description: Encoding specifies the encoding of the file
+                            contents.
+                          enum:
+                          - base64
+                          - gzip
+                          - gzip+base64
+                          type: string
+                        owner:
+                          description: Owner specifies the ownership of the file,
+                            e.g. "root:root".
+                          type: string
+                        path:
+                          description: Path specifies the full path on disk where
+                            to store the file.
+                          type: string
+                        permissions:
+                          description: Permissions specifies the permissions to assign
+                            to the file, e.g. "0640".
+                          type: string
+                      required:
+                      - content
+                      - path
+                      type: object
+                    type: array
+                  format:
+                    description: Format specifies the output format of the bootstrap
+                      data
+                    enum:
+                    - cloud-config
+                    type: string
+                  initConfiguration:
+                    description: InitConfiguration along with ClusterConfiguration
+                      are the configurations necessary for the init command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      bootstrapTokens:
+                        description: BootstrapTokens is respected at `kubeadm init`
+                          time and describes a set of Bootstrap Tokens to create.
+                          This information IS NOT uploaded to the kubeadm cluster
+                          configmap, partly because of its sensitive nature
+                        items:
+                          description: BootstrapToken describes one bootstrap token,
+                            stored as a Secret in the cluster
+                          properties:
+                            description:
+                              description: Description sets a human-friendly message
+                                why this token exists and what it's used for, so other
+                                administrators can know its purpose.
+                              type: string
+                            expires:
+                              description: Expires specifies the timestamp when this
+                                token expires. Defaults to being set dynamically at
+                                runtime based on the TTL. Expires and TTL are mutually
+                                exclusive.
+                              format: date-time
+                              type: string
+                            groups:
+                              description: Groups specifies the extra groups that
+                                this token will authenticate as when/if used for authentication
+                              items:
+                                type: string
+                              type: array
+                            token:
+                              description: Token is used for establishing bidirectional
+                                trust between nodes and control-planes. Used for joining
+                                nodes in the cluster.
+                              type: object
+                            ttl:
+                              description: TTL defines the time to live for this token.
+                                Defaults to 24h. Expires and TTL are mutually exclusive.
+                              type: string
+                            usages:
+                              description: Usages describes the ways in which this
+                                token can be used. Can by default be used for establishing
+                                bidirectional trust, but that can be changed here.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - token
+                          type: object
+                        type: array
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      localAPIEndpoint:
+                        description: LocalAPIEndpoint represents the endpoint of the
+                          API server instance that's deployed on this control plane
+                          node In HA setups, this differs from ClusterConfiguration.ControlPlaneEndpoint
+                          in the sense that ControlPlaneEndpoint is the global endpoint
+                          for the cluster, which then loadbalances the requests to
+                          each individual API server. This configuration object lets
+                          you customize what IP/DNS name and port the local API server
+                          advertises it's accessible on. By default, kubeadm tries
+                          to auto-detect the IP of the default interface and use that,
+                          but in case that process fails you may set the desired value
+                          here.
+                        properties:
+                          advertiseAddress:
+                            description: AdvertiseAddress sets the IP address for
+                              the API server to advertise.
+                            type: string
+                          bindPort:
+                            description: BindPort sets the secure port for the API
+                              Server to bind to. Defaults to 6443.
+                            format: int32
+                            type: integer
+                        required:
+                        - advertiseAddress
+                        - bindPort
+                        type: object
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: Required. The taint value corresponding
+                                    to the taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  joinConfiguration:
+                    description: JoinConfiguration is the kubeadm configuration for
+                      the join command
+                    properties:
+                      apiVersion:
+                        description: 'APIVersion defines the versioned schema of this
+                          representation of an object. Servers should convert recognized
+                          schemas to the latest internal value, and may reject unrecognized
+                          values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+                        type: string
+                      caCertPath:
+                        description: 'CACertPath is the path to the SSL certificate
+                          authority used to secure comunications between node and
+                          control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
+                          TODO: revisit when there is defaulting from k/k'
+                        type: string
+                      controlPlane:
+                        description: ControlPlane defines the additional control plane
+                          instance to be deployed on the joining node. If nil, no
+                          additional control plane instance will be deployed.
+                        properties:
+                          localAPIEndpoint:
+                            description: LocalAPIEndpoint represents the endpoint
+                              of the API server instance to be deployed on this node.
+                            properties:
+                              advertiseAddress:
+                                description: AdvertiseAddress sets the IP address
+                                  for the API server to advertise.
+                                type: string
+                              bindPort:
+                                description: BindPort sets the secure port for the
+                                  API Server to bind to. Defaults to 6443.
+                                format: int32
+                                type: integer
+                            required:
+                            - advertiseAddress
+                            - bindPort
+                            type: object
+                        type: object
+                      discovery:
+                        description: 'Discovery specifies the options for the kubelet
+                          to use during the TLS Bootstrap process TODO: revisit when
+                          there is defaulting from k/k'
+                        properties:
+                          bootstrapToken:
+                            description: BootstrapToken is used to set the options
+                              for bootstrap token based discovery BootstrapToken and
+                              File are mutually exclusive
+                            properties:
+                              apiServerEndpoint:
+                                description: APIServerEndpoint is an IP or domain
+                                  name to the API server from which info will be fetched.
+                                type: string
+                              caCertHashes:
+                                description: 'CACertHashes specifies a set of public
+                                  key pins to verify when token-based discovery is
+                                  used. The root CA found during discovery must match
+                                  one of these values. Specifying an empty set disables
+                                  root CA pinning, which can be unsafe. Each hash
+                                  is specified as "<type>:<value>", where the only
+                                  currently supported type is "sha256". This is a
+                                  hex-encoded SHA-256 hash of the Subject Public Key
+                                  Info (SPKI) object in DER-encoded ASN.1. These hashes
+                                  can be calculated using, for example, OpenSSL: openssl
+                                  x509 -pubkey -in ca.crt openssl rsa -pubin -outform
+                                  der 2>&/dev/null | openssl dgst -sha256 -hex'
+                                items:
+                                  type: string
+                                type: array
+                              token:
+                                description: Token is a token used to validate cluster
+                                  information fetched from the control-plane.
+                                type: string
+                              unsafeSkipCAVerification:
+                                description: UnsafeSkipCAVerification allows token-based
+                                  discovery without CA verification via CACertHashes.
+                                  This can weaken the security of kubeadm since other
+                                  nodes can impersonate the control-plane.
+                                type: boolean
+                            required:
+                            - token
+                            - unsafeSkipCAVerification
+                            type: object
+                          file:
+                            description: File is used to specify a file or URL to
+                              a kubeconfig file from which to load cluster information
+                              BootstrapToken and File are mutually exclusive
+                            properties:
+                              kubeConfigPath:
+                                description: KubeConfigPath is used to specify the
+                                  actual file path or URL to the kubeconfig file from
+                                  which to load cluster information
+                                type: string
+                            required:
+                            - kubeConfigPath
+                            type: object
+                          timeout:
+                            description: Timeout modifies the discovery timeout
+                            type: string
+                          tlsBootstrapToken:
+                            description: 'TLSBootstrapToken is a token used for TLS
+                              bootstrapping. If .BootstrapToken is set, this field
+                              is defaulted to .BootstrapToken.Token, but can be overridden.
+                              If .File is set, this field **must be set** in case
+                              the KubeConfigFile does not contain any other authentication
+                              information TODO: revisit when there is defaulting from
+                              k/k'
+                            type: string
+                        type: object
+                      kind:
+                        description: 'Kind is a string value representing the REST
+                          resource this object represents. Servers may infer this
+                          from the endpoint the client submits requests to. Cannot
+                          be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                        type: string
+                      nodeRegistration:
+                        description: NodeRegistration holds fields that relate to
+                          registering the new control-plane node to the cluster
+                        properties:
+                          criSocket:
+                            description: CRISocket is used to retrieve container runtime
+                              info. This information will be annotated to the Node
+                              API object, for later re-use
+                            type: string
+                          kubeletExtraArgs:
+                            additionalProperties:
+                              type: string
+                            description: KubeletExtraArgs passes through extra arguments
+                              to the kubelet. The arguments here are passed to the
+                              kubelet command line via the environment file kubeadm
+                              writes at runtime for the kubelet to source. This overrides
+                              the generic base-level configuration in the kubelet-config-1.X
+                              ConfigMap Flags have higher priority when parsing. These
+                              values are local and specific to the node kubeadm is
+                              executing on.
+                            type: object
+                          name:
+                            description: Name is the `.Metadata.Name` field of the
+                              Node API object that will be created in this `kubeadm
+                              init` or `kubeadm join` operation. This field is also
+                              used in the CommonName field of the kubelet's client
+                              certificate to the API server. Defaults to the hostname
+                              of the node if not provided.
+                            type: string
+                          taints:
+                            description: 'Taints specifies the taints the Node API
+                              object should be registered with. If this field is unset,
+                              i.e. nil, in the `kubeadm init` process it will be defaulted
+                              to []v1.Taint{''node-role.kubernetes.io/master=""''}.
+                              If you don''t want to taint your control-plane node,
+                              set this field to an empty slice, i.e. `taints: {}`
+                              in the YAML file. This field is solely used for Node
+                              registration.'
+                            items:
+                              description: The node this Taint is attached to has
+                                the "effect" on any pod that does not tolerate the
+                                Taint.
+                              properties:
+                                effect:
+                                  description: Required. The effect of the taint on
+                                    pods that do not tolerate the taint. Valid effects
+                                    are NoSchedule, PreferNoSchedule and NoExecute.
+                                  type: string
+                                key:
+                                  description: Required. The taint key to be applied
+                                    to a node.
+                                  type: string
+                                timeAdded:
+                                  description: TimeAdded represents the time at which
+                                    the taint was added. It is only written for NoExecute
+                                    taints.
+                                  format: date-time
+                                  type: string
+                                value:
+                                  description: Required. The taint value corresponding
+                                    to the taint key.
+                                  type: string
+                              required:
+                              - effect
+                              - key
+                              type: object
+                            type: array
+                        type: object
+                    type: object
+                  ntp:
+                    description: NTP specifies NTP configuration
+                    properties:
+                      enabled:
+                        description: Enabled specifies whether NTP should be enabled
+                        type: boolean
+                      servers:
+                        description: Servers specifies which NTP servers to use
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  postKubeadmCommands:
+                    description: PostKubeadmCommands specifies extra commands to run
+                      after kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  preKubeadmCommands:
+                    description: PreKubeadmCommands specifies extra commands to run
+                      before kubeadm runs
+                    items:
+                      type: string
+                    type: array
+                  useExperimentalRetryJoin:
+                    description: "UseExperimentalRetryJoin replaces a basic kubeadm
+                      command with a shell script with retries for joins. \n This
+                      is meant to be an experimental temporary workaround on some
+                      environments where joins fail due to timing (and other issues).
+                      The long term goal is to add retries to kubeadm proper and use
+                      that functionality. \n This will add about 40KB to userdata
+                      \n For more information, refer to https://github.com/kubernetes-sigs/cluster-api/pull/2763#discussion_r397306055."
+                    type: boolean
+                  users:
+                    description: Users specifies extra users to add
+                    items:
+                      description: User defines the input for a generated user in
+                        cloud-init.
+                      properties:
+                        gecos:
+                          description: Gecos specifies the gecos to use for the user
+                          type: string
+                        groups:
+                          description: Groups specifies the additional groups for
+                            the user
+                          type: string
+                        homeDir:
+                          description: HomeDir specifies the home directory to use
+                            for the user
+                          type: string
+                        inactive:
+                          description: Inactive specifies whether to mark the user
+                            as inactive
+                          type: boolean
+                        lockPassword:
+                          description: LockPassword specifies if password login should
+                            be disabled
+                          type: boolean
+                        name:
+                          description: Name specifies the user name
+                          type: string
+                        passwd:
+                          description: Passwd specifies a hashed password for the
+                            user
+                          type: string
+                        primaryGroup:
+                          description: PrimaryGroup specifies the primary group for
+                            the user
+                          type: string
+                        shell:
+                          description: Shell specifies the user's shell
+                          type: string
+                        sshAuthorizedKeys:
+                          description: SSHAuthorizedKeys specifies a list of ssh authorized
+                            keys for the user
+                          items:
+                            type: string
+                          type: array
+                        sudo:
+                          description: Sudo specifies a sudo role for the user
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
+                  verbosity:
+                    description: Verbosity is the number for the kubeadm log level
+                      verbosity. It overrides the `--v` flag in kubeadm commands.
+                    format: int32
+                    type: integer
+                type: object
+              replicas:
+                description: Number of desired machines. Defaults to 1. When stacked
+                  etcd is used only odd numbers are permitted, as per [etcd best practice](https://etcd.io/docs/v3.3.12/faq/#why-an-odd-number-of-cluster-members).
+                  This is a pointer to distinguish between explicit zero and not specified.
+                format: int32
+                type: integer
+              upgradeAfter:
+                description: UpgradeAfter is a field to indicate an upgrade should
+                  be performed after the specified time even if no changes have been
+                  made to the KubeadmControlPlane
+                format: date-time
+                type: string
+              version:
+                description: Version defines the desired Kubernetes version.
+                minLength: 2
+                pattern: ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)([-0-9a-zA-Z_\.+]*)?$
+                type: string
+            required:
+            - infrastructureTemplate
+            - kubeadmConfigSpec
+            - version
+            type: object
+          status:
+            description: KubeadmControlPlaneStatus defines the observed state of KubeadmControlPlane.
+            properties:
+              failureMessage:
+                description: ErrorMessage indicates that there is a terminal problem
+                  reconciling the state, and will be set to a descriptive error message.
+                type: string
+              failureReason:
+                description: FailureReason indicates that there is a terminal problem
+                  reconciling the state, and will be set to a token value suitable
+                  for programmatic interpretation.
+                type: string
+              initialized:
+                description: Initialized denotes whether or not the control plane
+                  has the uploaded kubeadm-config configmap.
+                type: boolean
+              ready:
+                description: Ready denotes that the KubeadmControlPlane API Server
+                  is ready to receive requests.
+                type: boolean
+              readyReplicas:
+                description: Total number of fully running and ready control plane
+                  machines.
+                format: int32
+                type: integer
+              replicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane (their labels match the selector).
+                format: int32
+                type: integer
+              selector:
+                description: 'Selector is the label selector in string format to avoid
+                  introspection by clients, and is used to provide the CRD-based integration
+                  for the scale subresource and additional integrations for things
+                  like kubectl describe.. The string will be in the same format as
+                  the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors'
+                type: string
+              unavailableReplicas:
+                description: Total number of unavailable machines targeted by this
+                  control plane. This is the total number of machines that are still
+                  required for the deployment to have 100% available capacity. They
+                  may either be machines that are running but not yet ready or machines
+                  that still have not been created.
+                format: int32
+                type: integer
+              updatedReplicas:
+                description: Total number of non-terminated machines targeted by this
+                  control plane that have the desired template spec.
+                format: int32
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      scale:
+        labelSelectorPath: .status.selector
+        specReplicasPath: .spec.replicas
+        statusReplicasPath: .status.replicas
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/manifests/function/cacpk/v0.3.3/crd/kustomization.yaml b/manifests/function/cacpk/v0.3.3/crd/kustomization.yaml
new file mode 100644
index 000000000..61134db8c
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/crd/kustomization.yaml
@@ -0,0 +1,24 @@
+commonLabels:
+  cluster.x-k8s.io/v1alpha3: v1alpha3
+
+# This kustomization.yaml is not intended to be run by itself,
+# since it depends on service name and namespace that are out of this kustomize package.
+# It should be run by config/
+resources:
+  - bases/controlplane.cluster.x-k8s.io_kubeadmcontrolplanes.yaml
+# +kubebuilder:scaffold:crdkustomizeresource
+
+patchesStrategicMerge:
+  # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+  # patches here are for enabling the conversion webhook for each CRD
+ - patches/webhook_in_kubeadmcontrolplanes.yaml
+  # +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+  # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
+  # patches here are for enabling the CA injection for each CRD
+ - patches/cainjection_in_kubeadmcontrolplanes.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+configurations:
+  - kustomizeconfig.yaml
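Review bot: Sequence indentation is inconsistent inside this file: the `resources:` and `configurations:` items are indented two spaces, while the two `patchesStrategicMerge` entries sit at ` - patches/...` with a single space, which parses but fails yamllint's `indentation` check and reads as if the entries were half commented out; suggest `  - patches/webhook_in_kubeadmcontrolplanes.yaml` and `  - patches/cainjection_in_kubeadmcontrolplanes.yaml`. The `[WEBHOOK]`/`[CERTMANAGER] ... uncomment all the sections` comments are stale, since both patches are already active here (the same stale `[CERTMANAGER]` wording appears above `vars:` in webhook/kustomization.yaml); rewording them to `# enables the conversion webhook for each CRD` and `# enables cert-manager CA injection for each CRD` would describe what is actually in effect. Since the conversion webhook patch ships a placeholder `caBundle`, the CA-injection patch is a hard dependency rather than an optional section, which the comment could also say.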
diff --git a/manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml
new file mode 100644
index 000000000..e3fd575d6
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/crd/kustomizeconfig.yaml
@@ -0,0 +1,17 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+  - kind: Service
+    version: v1
+    fieldSpecs:
+      - kind: CustomResourceDefinition
+        group: apiextensions.k8s.io
+        path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+  - kind: CustomResourceDefinition
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/namespace
+    create: false
+
+varReference:
+  - path: metadata/annotations
diff --git a/manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml b/manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml
new file mode 100644
index 000000000..08aec1dbb
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/crd/patches/cainjection_in_kubeadmcontrolplanes.yaml
@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
diff --git a/manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml b/manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml
new file mode 100644
index 000000000..0b71de009
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/crd/patches/webhook_in_kubeadmcontrolplanes.yaml
@@ -0,0 +1,19 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1", "v1beta1"]
+      clientConfig:
+        # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+        # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+        caBundle: Cg==
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
diff --git a/manifests/function/cacpk/v0.3.3/default/kustomization.yaml b/manifests/function/cacpk/v0.3.3/default/kustomization.yaml
new file mode 100644
index 000000000..17f25ac03
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/default/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: capi-kubeadm-control-plane-system
+
+resources:
+- namespace.yaml
+
+bases:
+- ../rbac
+- ../manager
diff --git a/manifests/function/cacpk/v0.3.3/default/namespace.yaml b/manifests/function/cacpk/v0.3.3/default/namespace.yaml
new file mode 100644
index 000000000..8b55c3cd8
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/default/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: system
diff --git a/manifests/function/cacpk/v0.3.3/kustomization.yaml b/manifests/function/cacpk/v0.3.3/kustomization.yaml
new file mode 100644
index 000000000..15967b1c0
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/kustomization.yaml
@@ -0,0 +1,17 @@
+namePrefix: capi-kubeadm-control-plane-
+
+commonLabels:
+  cluster.x-k8s.io/provider: "control-plane-kubeadm"
+
+bases:
+- crd
+- default
+- webhook
+
+patchesJson6902:
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io
+  path: patch_crd_webhook_namespace.yaml
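Review bot: `bases:` has been deprecated in favour of `resources:` since kustomize v2.1.0, which is the minimum version webhook/kustomizeconfig.yaml already says this package needs; the same applies to `bases:` in default/kustomization.yaml. Folding the three entries under `resources:` (`- crd`, `- default`, `- webhook`) keeps the overlay working on newer kustomize releases that warn on or drop `bases`. The flush sequence style used here also differs from the indented style in crd/kustomization.yaml; picking one style across the package would help yamllint and readers.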
diff --git a/manifests/function/cacpk/v0.3.3/manager/kustomization.yaml b/manifests/function/cacpk/v0.3.3/manager/kustomization.yaml
new file mode 100644
index 000000000..4fe69200e
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+- manager.yaml
+
+patchesStrategicMerge:
+- manager_pull_policy.yaml
+- manager_image_patch.yaml
+- manager_auth_proxy_patch.yaml
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager.yaml b/manifests/function/cacpk/v0.3.3/manager/manager.yaml
new file mode 100644
index 000000000..41e87eee5
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/manager.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+      - command:
+        - /manager
+        args:
+        - --enable-leader-election
+        image: controller:latest
+        name: manager
+      terminationGracePeriodSeconds: 10
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
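Review bot: The `manager` container is deployed with no `securityContext` and no `resources`, so it runs with whatever the image's user is, a writable root filesystem, privilege escalation allowed, and no memory bound — for a controller that the RBAC in this commit grants cluster-wide access to secrets, that is worth tightening in the base manifest rather than leaving to overlays. Whether `runAsNonRoot: true` is safe depends on the image declaring a non-root user, which is not visible here, so confirm against the controller image before enabling it. The sample resource values below are constructed placeholders to be sized from observed usage. Separately, `containers:` uses flush sequence indentation while `tolerations:` uses indented style within the same spec; one style per file is preferable.
```yaml
        image: controller:latest
        name: manager
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true  # requires the image to declare a non-root USER; confirm for the controller image
          capabilities:
            drop:
              - ALL
        resources:  # constructed sample values; size from observed usage
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 512Mi
      # … unchanged: terminationGracePeriodSeconds, tolerations …
```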
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
new file mode 100644
index 000000000..61cb5e7cb
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_auth_proxy_patch.yaml
@@ -0,0 +1,25 @@
+# This patch inject a sidecar container which is a HTTP proxy for the controller manager,
+# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-rbac-proxy
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=10"
+        ports:
+        - containerPort: 8443
+          name: https
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"
+        - "--enable-leader-election"
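Review bot: `--v=10` puts kube-rbac-proxy, which sits on the authentication/authorization path for the metrics endpoint, at maximum debug verbosity in the shipped manifest; debug levels of that kind typically log per-request detail, so confirm it does not record request headers or tokens before relying on it, and drop it to a routine level such as `- "--v=2"` for a deployed overlay. Note also that `args` on a container is a primitive list, so this strategic-merge patch replaces the `manager` container's argument list from manager.yaml rather than appending to it — here that is harmless because `--enable-leader-election` is repeated, but the same mechanism matters for the webhook overlay's patch.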
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml
new file mode 100644
index 000000000..52efc6131
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3
+          name: manager
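Review bot: The controller image is pinned by tag only, and the kube-rbac-proxy image in manager_auth_proxy_patch.yaml likewise; tags are mutable, so a registry-side retag changes what this overlay deploys without any change in the repository. Pinning by digest as well, e.g. `- image: us.gcr.io/k8s-artifacts-prod/cluster-api/kubeadm-control-plane-controller:v0.3.3@sha256:<DIGEST-PLACEHOLDER>` (with the digest taken from the registry at the time of the fork), makes the deployed artifact reproducible and verifiable. This patch indents its sequence under `containers:` while the sibling patches use flush style; one style across the manager directory would be tidier.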
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e
new file mode 100644
index 000000000..46ae15ec1
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_image_patch.yaml-e
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - image: gcr.io/k8s-staging-cluster-api/kubeadm-control-plane-controller:master
+          name: manager
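Review bot: `manager_image_patch.yaml-e` and `manager_pull_policy.yaml-e` look like backup files left behind by an in-place `sed -i -e` edit on BSD/macOS sed, not intentional manifests; neither is referenced by manager/kustomization.yaml, so they are currently inert, but they carry the pre-edit values (`gcr.io/k8s-staging-cluster-api/...:master` with `imagePullPolicy: Always`), which would pull a floating staging tag if someone ever added them to the kustomization by mistake. Suggest dropping both `-e` files from the commit; if they are meant to be kept, a comment explaining their role is needed.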
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml
new file mode 100644
index 000000000..cd7ae12c0
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        imagePullPolicy: IfNotPresent
diff --git a/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e
new file mode 100644
index 000000000..74a0879c6
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/manager/manager_pull_policy.yaml-e
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        imagePullPolicy: Always
diff --git a/manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml b/manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml
new file mode 100644
index 000000000..110f3a494
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/patch_crd_webhook_namespace.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/conversion/webhook/clientConfig/service/namespace"
+  value: capi-webhook-system
diff --git a/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml
new file mode 100644
index 000000000..618f5e417
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
diff --git a/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml
new file mode 100644
index 000000000..48ed1e4b8
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system
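Review bot: This binding grants `proxy-role` to the `default` ServiceAccount of the `system` namespace, and leader_election_role_binding.yaml and role_binding.yaml do the same for `leader-election-role` and the cluster-wide `manager-role`; because every pod in the namespace that does not set `serviceAccountName` runs as `default`, those permissions extend to anything else scheduled there, not just the controller. A dedicated ServiceAccount (a small manifest added to the rbac resources), `serviceAccountName:` set on the Deployment in manager.yaml, and `name: <manager-sa>` in the `subjects` of all three bindings would scope the grants to the controller pod alone. The manifest is from the upstream release, so this may be deferred, but it deserves a tracking note given the secrets access the ClusterRole carries.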
diff --git a/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml
new file mode 100644
index 000000000..6cf656be1
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/auth_proxy_service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    targetPort: https
+  selector:
+    control-plane: controller-manager
diff --git a/manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml b/manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml
new file mode 100644
index 000000000..817f1fe61
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/kustomization.yaml
@@ -0,0 +1,11 @@
+resources:
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 3 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
diff --git a/manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml
new file mode 100644
index 000000000..eaa79158f
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role.yaml
@@ -0,0 +1,32 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
diff --git a/manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml
new file mode 100644
index 000000000..eed16906f
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system
diff --git a/manifests/function/cacpk/v0.3.3/rbac/role.yaml b/manifests/function/cacpk/v0.3.3/rbac/role.yaml
new file mode 100644
index 000000000..481c8a77e
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/role.yaml
@@ -0,0 +1,100 @@
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+- apiGroups:
+  - bootstrap.cluster.x-k8s.io
+  - controlplane.cluster.x-k8s.io
+  - infrastructure.cluster.x-k8s.io
+  resources:
+  - '*'
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cluster.x-k8s.io
+  resources:
+  - clusters
+  - clusters/status
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cluster.x-k8s.io
+  resources:
+  - machines
+  - machines/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: manager-role
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - rbac
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - rbac
+  resources:
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - watch
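Review bot: The two rules in the `kube-system` Role use `apiGroups: - rbac`, but Roles and RoleBindings live in the `rbac.authorization.k8s.io` API group, so as written these rules grant nothing and any attempt by the controller to create or read roles/rolebindings in kube-system will be denied; change both occurrences to `- rbac.authorization.k8s.io`. The `creationTimestamp: null` fields suggest this file is controller-gen output, in which case the fix belongs in the corresponding kubebuilder RBAC marker as well so it survives regeneration. A short comment on the ClusterRole's cluster-wide `secrets` rule, e.g. `# cluster-wide secret access; presumably for workload-cluster kubeconfig/CA secrets — confirm`, would help reviewers judge the scope of the grant.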
diff --git a/manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml b/manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml
new file mode 100644
index 000000000..8f2658702
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/rbac/role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: system
diff --git a/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml b/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml
new file mode 100644
index 000000000..23314b771
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/webhook/kustomization.yaml
@@ -0,0 +1,43 @@
+namespace: capi-webhook-system
+
+resources:
+- manifests.yaml
+- service.yaml
+- ../certmanager
+- ../manager
+
+configurations:
+- kustomizeconfig.yaml
+
+patchesStrategicMerge:
+- manager_webhook_patch.yaml
+- webhookcainjection_patch.yaml
+
+vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1alpha2
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1alpha2
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
diff --git a/manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml b/manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml
new file mode 100644
index 000000000..fddf04146
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/webhook/kustomizeconfig.yaml
@@ -0,0 +1,27 @@
+# the following config is for teaching kustomize where to look at when substituting vars.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: MutatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+  - kind: ValidatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: MutatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+- kind: ValidatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+
+varReference:
+- path: metadata/annotations
+- kind: Deployment
+  path: spec/template/spec/volumes/secret/secretName
diff --git a/manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml b/manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml
new file mode 100644
index 000000000..671fb1f8e
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/webhook/manager_webhook_patch.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        args:
+        - "--metrics-addr=127.0.0.1:8080"
+        - "--webhook-port=9443"
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: $(SERVICE_NAME)-cert
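Review bot: Because `args` is a primitive list, this strategic-merge patch replaces the `manager` container's arguments wholesale, so the webhook deployment ends up with exactly `--metrics-addr` and `--webhook-port` and silently loses the `--enable-leader-election` set in manager.yaml and manager_auth_proxy_patch.yaml. That is presumably intentional for a deployment that only serves webhooks, but nothing on the page says so; a comment above `args:` such as `# replaces (does not extend) the manager args: leader election is intentionally not enabled for the webhook-only deployment` would spare the next reader the merge analysis. `defaultMode: 420` would also read better with `# 0644` beside it, since YAML 1.1 makes a literal `0644` unsafe here.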
diff --git a/manifests/function/cacpk/v0.3.3/webhook/manifests.yaml b/manifests/function/cacpk/v0.3.3/webhook/manifests.yaml
new file mode 100644
index 000000000..d5ca20073
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/webhook/manifests.yaml
@@ -0,0 +1,54 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: mutating-webhook-configuration
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-controlplane-cluster-x-k8s-io-v1alpha3-kubeadmcontrolplane
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: default.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha3
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanes
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validating-webhook-configuration
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-controlplane-cluster-x-k8s-io-v1alpha3-kubeadmcontrolplane
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: validation.kubeadmcontrolplane.controlplane.cluster.x-k8s.io
+  rules:
+  - apiGroups:
+    - controlplane.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha3
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - kubeadmcontrolplanes
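Review bot: Both webhook configurations use `admissionregistration.k8s.io/v1beta1`, which was deprecated in Kubernetes 1.16 and is removed in 1.22, so this overlay will stop applying on newer clusters; the same apiVersion is used in webhookcainjection_patch.yaml. Migrating to `v1` requires each webhook to declare `sideEffects` and `admissionReviewVersions`, and it changes the default `timeoutSeconds` from 30 to 10, so it is worth stating those explicitly now, e.g. `sideEffects: None` (only if the handlers have no out-of-band effects, which is not visible here) and `timeoutSeconds: 10`. `failurePolicy: Fail` with the placeholder `caBundle: Cg==` means admission of kubeadmcontrolplanes is blocked until cert-manager injects the CA, which a comment near `caBundle` could note for operators debugging a fresh install.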
diff --git a/manifests/function/cacpk/v0.3.3/webhook/service.yaml b/manifests/function/cacpk/v0.3.3/webhook/service.yaml
new file mode 100644
index 000000000..9bc95014f
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/webhook/service.yaml
@@ -0,0 +1,10 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-service
+  namespace: system
+spec:
+  ports:
+    - port: 443
+      targetPort: webhook-server
diff --git a/manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml b/manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml
new file mode 100644
index 000000000..7e79bf995
--- /dev/null
+++ b/manifests/function/cacpk/v0.3.3/webhook/webhookcainjection_patch.yaml
@@ -0,0 +1,15 @@
+# This patch add annotation to admission webhook config and
+# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)