From 320a4bf405b27a1e2eebfd4d80209c210f2dd837 Mon Sep 17 00:00:00 2001 
From: michaeljguarino Date: Thu, 28 Dec 2023 22:30:41 -0500 Subject: [PATCH] working console install --- charts/runtime/Chart.yaml | 2 +- ...figurationoverlays.platform.plural.sh.yaml | 99 ++ ...inition_dashboards.platform.plural.sh.yaml | 135 ++ ...aultstorageclasses.platform.plural.sh.yaml | 52 + ...efinition_licenses.platform.plural.sh.yaml | 108 ++ ...inition_logfilters.platform.plural.sh.yaml | 73 + ...efinition_logtails.platform.plural.sh.yaml | 63 + ...definition_proxies.platform.plural.sh.yaml | 133 ++ ...egistrycredentials.platform.plural.sh.yaml | 74 + ...ion_resourcegroups.platform.plural.sh.yaml | 114 ++ ...efinition_runbooks.platform.plural.sh.yaml | 244 +++ ...nition_secretsyncs.platform.plural.sh.yaml | 52 + ...tion_slashcommands.platform.plural.sh.yaml | 56 + ...statefulsetresizes.platform.plural.sh.yaml | 58 + ...finition_wireguardpeers.vpn.plural.sh.yaml | 164 ++ ...nition_wireguardservers.vpn.plural.sh.yaml | 1398 +++++++++++++++++ charts/runtime/crds/application.yaml | 532 +++++++ charts/runtime/templates/application.yaml | 235 +++ charts/runtime/templates/operator-cm.yaml | 19 + charts/runtime/templates/operator-rbac.yaml | 270 ++++ charts/runtime/templates/operator-svc.yaml | 28 + charts/runtime/templates/operator.yaml | 75 + charts/runtime/values.yaml | 9 + providers/aws.tf | 32 - templates/providers/apps/aws.tf | 38 + templates/providers/apps/azure.tf | 43 + templates/providers/apps/gcp.tf | 30 + templates/providers/bootstrap/aws.tf | 58 + .../providers/bootstrap}/azure.tf | 22 +- .../providers/bootstrap}/gcp.tf | 14 + templates/setup/console.tf | 27 + templates/setup/providers/aws.tf | 5 + templates/setup/providers/azure.tf | 6 + templates/setup/providers/gcp.tf | 6 + terraform/clouds/aws/kubernetes.tf | 13 - terraform/clouds/aws/locals.tf | 2 +- terraform/clouds/aws/outputs.tf | 4 + terraform/clouds/aws/postgres.tf | 5 +- terraform/clouds/aws/runtime.tf | 10 +- terraform/clouds/aws/variables.tf | 9 + terraform/clouds/azure/kubernetes.tf | 
6 - terraform/clouds/azure/locals.tf | 2 +- terraform/clouds/azure/outputs.tf | 4 + terraform/clouds/azure/postgres.tf | 5 +- terraform/clouds/azure/runtime.tf | 11 +- terraform/clouds/azure/variables.tf | 9 + terraform/clouds/gcp/gke.tf | 1 + terraform/clouds/gcp/kubernetes.tf | 7 - terraform/clouds/gcp/locals.tf | 2 +- terraform/clouds/gcp/network.tf | 24 +- terraform/clouds/gcp/outputs.tf | 4 + terraform/clouds/gcp/postgres.tf | 20 +- terraform/clouds/gcp/runtime.tf | 11 +- terraform/clouds/gcp/variables.tf | 30 + test/.terraform.lock.hcl | 19 + test/main.tf | 28 + test/provider.tf | 16 + 57 files changed, 4408 insertions(+), 108 deletions(-) create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_configurationoverlays.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_dashboards.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_defaultstorageclasses.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_licenses.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logfilters.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logtails.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_proxies.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_registrycredentials.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_resourcegroups.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_runbooks.platform.plural.sh.yaml create mode 100644 
charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_secretsyncs.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_slashcommands.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_statefulsetresizes.platform.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardpeers.vpn.plural.sh.yaml create mode 100644 charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardservers.vpn.plural.sh.yaml create mode 100644 charts/runtime/crds/application.yaml create mode 100644 charts/runtime/templates/application.yaml create mode 100644 charts/runtime/templates/operator-cm.yaml create mode 100644 charts/runtime/templates/operator-rbac.yaml create mode 100644 charts/runtime/templates/operator-svc.yaml create mode 100644 charts/runtime/templates/operator.yaml delete mode 100644 providers/aws.tf create mode 100644 templates/providers/apps/aws.tf create mode 100644 templates/providers/apps/azure.tf create mode 100644 templates/providers/apps/gcp.tf create mode 100644 templates/providers/bootstrap/aws.tf rename {providers => templates/providers/bootstrap}/azure.tf (50%) rename {providers => templates/providers/bootstrap}/gcp.tf (55%) create mode 100644 templates/setup/console.tf create mode 100644 templates/setup/providers/aws.tf create mode 100644 templates/setup/providers/azure.tf create mode 100644 templates/setup/providers/gcp.tf delete mode 100644 terraform/clouds/aws/kubernetes.tf delete mode 100644 terraform/clouds/azure/kubernetes.tf delete mode 100644 terraform/clouds/gcp/kubernetes.tf diff --git a/charts/runtime/Chart.yaml b/charts/runtime/Chart.yaml index 1edf11e..0495c5c 100644 --- a/charts/runtime/Chart.yaml +++ b/charts/runtime/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2
 name: runtime
 description: Sets up the basic dependencies needed to get a network stack running
 type: application
-version: 0.1.4
+version: 0.1.5
 appVersion: "0.1.0"
 dependencies:
 - name: external-dns
diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_configurationoverlays.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_configurationoverlays.platform.plural.sh.yaml
new file mode 100644
index 0000000..56dc573
--- /dev/null
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_configurationoverlays.platform.plural.sh.yaml
@@ -0,0 +1,99 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: configurationoverlays.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: ConfigurationOverlay + listKind: ConfigurationOverlayList + plural: configurationoverlays + singular: configurationoverlay + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConfigurationOverlay is the Schema for the configurationoverlays + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigurationOverlaySpec defines the desired state of ConfigurationOverlay + properties: + documentation: + description: documentation for the specific field + type: string + folder: + description: Top level folder this overlay should live in, default + is "general" + type: string + inputType: + description: the datatype for the value given to the input field + enum: + - string + - enum + - int + - list + - bool + type: string + inputValues: + description: the values for enum input types + items: + type: string + type: array + name: + description: Name of the configuration input field + type: string + subfolder: + description: Subfolder this overlay lives in, default is "all" + type: string + type: + description: type of configuration value + enum: + - helm + - terraform + type: string + updates: + description: configuration path to update against + items: + description: OverlayUpdate defines an update to perform for this + update + properties: + path: + description: the path to update with + items: + type: string + type: array + required: + - path + type: object + type: array + required: + - documentation + - name + - updates + type: object + status: + description: ConfigurationOverlayStatus defines the observed state of + ConfigurationOverlay + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_dashboards.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_dashboards.platform.plural.sh.yaml new file mode 100644 index 0000000..3d9d2fb --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_dashboards.platform.plural.sh.yaml 
@@ -0,0 +1,135 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: dashboards.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: Dashboard + listKind: DashboardList + plural: dashboards + singular: dashboard + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Dashboard is the Schema for the dashboards API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DashboardSpec defines the desired state of Dashboard + properties: + defaultTime: + description: the starting time window for dashboard rendering + type: string + description: + description: description for this dashboard + type: string + graphs: + description: the graphs to render in the dashboard + items: + description: Specification for a single timeseries graph in a dashboard + properties: + format: + description: specify how y values should be rendered. 
Can be + any of [bytes, percent, none] + enum: + - bytes + - percent + - none + type: string + name: + description: Name of this graph + type: string + queries: + description: the queries rendered in this graph + items: + description: Specification for a graph query in a dashboard + properties: + legend: + description: The legend name for this query + type: string + legendFormat: + description: The format for the legend + type: string + query: + description: the query to use + type: string + required: + - query + type: object + type: array + required: + - name + - queries + type: object + type: array + labels: + description: a list of labels to fetch for filtering dashboard results + items: + description: DashboardLabelSpec is a structure specifying labels + to filter against in a dashboard these can be statically declared + or lazily fetched against the backend metric source + properties: + name: + description: label name + type: string + query: + description: query to fetch the labels from + properties: + label: + description: label name + type: string + query: + description: the backend query to use + type: string + required: + - label + - query + type: object + values: + description: statically specified values + items: + type: string + type: array + required: + - name + type: object + type: array + name: + description: the name for this dashboard + type: string + timeslices: + description: possible time windows for the dashboard to display + items: + type: string + type: array + required: + - defaultTime + - graphs + - labels + - timeslices + type: object + status: + description: DashboardStatus defines the observed state of Dashboard + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_defaultstorageclasses.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_defaultstorageclasses.platform.plural.sh.yaml new file mode 100644 index 0000000..d507b52 --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_defaultstorageclasses.platform.plural.sh.yaml 
@@ -0,0 +1,52 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: defaultstorageclasses.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: DefaultStorageClass + listKind: DefaultStorageClassList + plural: defaultstorageclasses + singular: defaultstorageclass + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: DefaultStorageClass is the Schema for the defaultstorageclasses + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + pattern: ^default$ + type: string + type: object + spec: + description: DefaultStorageClassSpec defines the desired state of DefaultStorageClass + properties: + name: + type: string + type: object + status: + description: DefaultStorageClassStatus defines the observed state of DefaultStorageClass + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_licenses.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_licenses.platform.plural.sh.yaml new file mode 100644 index 0000000..47a3198 --- /dev/null 
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_licenses.platform.plural.sh.yaml 
@@ -0,0 +1,108 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: licenses.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: License + listKind: LicenseList + plural: licenses + singular: license + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: License is the Schema for the licenses API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LicenseSpec defines the desired state of License + properties: + secretRef: + description: the reference to a secret containing your license key + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object + status: + description: LicenseStatus defines the observed state of License + properties: + policy: + description: the policy this license adheres to + properties: + features: + description: the features allowed for this plan + items: + description: LicenseFeature defines a feature allowed by this + license + properties: + description: + description: description of the feature + type: string + name: + description: the name of the feature + type: string + required: + - description + - name + type: object + type: array + free: + description: whether this is on a free plan + type: boolean + limits: + additionalProperties: + format: int64 + type: integer + description: limits attached to this plan + type: object + plan: + description: the plan you're on + type: string + required: + - free + type: object + secrets: + additionalProperties: + type: string + description: additional secrets attached to this license + type: object + required: + - policy + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logfilters.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logfilters.platform.plural.sh.yaml new file mode 100644 index 0000000..bb7d226 --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logfilters.platform.plural.sh.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: logfilters.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: LogFilter + listKind: LogFilterList + plural: logfilters + singular: logfilter + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: LogFilter is the Schema for the logfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LogFilterSpec defines the desired state of LogFilter + properties: + description: + description: description for this logfilter + type: string + labels: + description: labels to query against + items: + description: A label to filter logs against + properties: + name: + description: name of the label + type: string + value: + description: value of the label + type: string + required: + - name + - value + type: object + type: array + name: + description: name for this logfilter + type: string + query: + description: loki query to use for the filter + type: string + required: + - description + - name + type: object + status: + description: LogFilterStatus defines the observed state of LogFilter + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logtails.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logtails.platform.plural.sh.yaml new file mode 100644 index 0000000..26c750a --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_logtails.platform.plural.sh.yaml 
@@ -0,0 +1,63 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: logtails.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: LogTail + listKind: LogTailList + plural: logtails + singular: logtail + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: LogTail is the Schema for the logtails API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LogTailSpec defines the desired state of LogTail + properties: + container: + description: The specific container to tail + type: string + follow: + description: whether to interactively follow the logs + type: boolean + limit: + description: number of lines to tail + format: int32 + type: integer + target: + description: the kubectl-type target to use for this log tail, eg + deployment/name-of-my-deployment + type: string + required: + - follow + - limit + - target + type: object + status: + description: LogTailStatus defines the observed state of LogTail + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_proxies.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_proxies.platform.plural.sh.yaml new file mode 100644 index 0000000..d06ed9d --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_proxies.platform.plural.sh.yaml 
@@ -0,0 +1,133 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: proxies.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: Proxy + listKind: ProxyList + plural: proxies + singular: proxy + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Proxy is the Schema for the proxies API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxySpec defines the desired state of Proxy + properties: + credentials: + description: credentials to use when authenticating against a proxied + resource + properties: + key: + description: key in the secret to use + type: string + secret: + description: secret storing auth info + type: string + user: + description: username to auth with + type: string + userKey: + description: key in the secret that stores the username + type: string + required: + - key + - secret + type: object + dbConfig: + description: db-specific configuration for this proxy + properties: + engine: + description: db engine + enum: + - postgres + - mysql + type: string + name: + description: name of the database to connect to + type: string + port: + description: port to use + format: int32 + type: integer + required: + - engine + - name + - port + type: object + description: + description: Description for this proxy spec + type: string + shConfig: + description: sh-specific configuration for this proxy + properties: + args: + description: arguments to pass to the command + items: + type: string + type: array + command: + description: command to execute in the proxied pod + type: string + container: + description: The container name to shell into (if the pod has + multiple containers configured) + type: string + required: + - command + type: object + target: + description: selector to set up the proxy against + type: string + type: + description: the type of proxy to use, can be a db, shell or web proxy + enum: + - db + - sh + - web + type: string + webConfig: + description: web-specific configuration for this proxy + properties: + path: + description: path to direct users to on sign-in + type: string + port: + description: port of the service to forward + format: int32 + type: integer + required: + - port + type: object 
+ required: + - target + - type + type: object + status: + description: ProxyStatus defines the observed state of Proxy + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_registrycredentials.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_registrycredentials.platform.plural.sh.yaml new file mode 100644 index 0000000..4bda10d --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_registrycredentials.platform.plural.sh.yaml 
@@ -0,0 +1,74 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: registrycredentials.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: RegistryCredential + listKind: RegistryCredentialList + plural: registrycredentials + singular: registrycredential + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RegistryCredentialSpec is a specification of registry credentials + properties: + email: + description: Registry user email address + type: string + password: + description: The password Secret to select from + properties: + key: + description: Key for Secret data + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + server: + description: Registry FQDN + type: string + username: + description: Registry username + type: string + required: + - email + - password + - server + - username + type: object + status: + description: RegistryCredentialStatus defines the observed state of RegistryCredential + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_resourcegroups.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_resourcegroups.platform.plural.sh.yaml new file mode 100644 index 0000000..5c91211 --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_resourcegroups.platform.plural.sh.yaml 
@@ -0,0 +1,114 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: resourcegroups.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: ResourceGroup + listKind: ResourceGroupList + plural: resourcegroups + singular: resourcegroup + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ResourceGroup is the Schema for the resourcegroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ResourceGroupSpec defines the desired state of ResourceGroup + properties: + selector: + description: the node selector to use for this group + properties: + matchExpressions: + description: A list of node selector requirements by node's labels. + items: + description: A node selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of + values. Valid operators are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. 
If the operator + is In or NotIn, the values array must be non-empty. If + the operator is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted + as an integer. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements by node's fields. + items: + description: A node selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: The label key that the selector applies to. + type: string + operator: + description: Represents a key's relationship to a set of + values. Valid operators are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. If + the operator is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted + as an integer. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + status: + description: ResourceGroupStatus defines the observed state of ResourceGroup + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_runbooks.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_runbooks.platform.plural.sh.yaml new file mode 100644 index 0000000..a2d4952 --- /dev/null 
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_runbooks.platform.plural.sh.yaml 
@@ -0,0 +1,244 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: runbooks.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: Runbook + listKind: RunbookList + plural: runbooks + singular: runbook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Runbook is the Schema for the runbooks API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RunbookSpec defines the desired state of Runbook + properties: + actions: + description: actions that can be performed in a runbook. 
These will + be references in input forms + items: + description: RunbookAction represents an action to be performed + in a runbook + properties: + action: + description: The type of this action, eg config or kubernetes + enum: + - config + type: string + configuration: + description: The details of a configuration action + properties: + statefulSets: + description: stateful sets to clean before rebuilding (for + pvc resizes) + items: + description: details for any statefulset resizes to apply + properties: + force: + description: force completion even if a recreation + of the statefulset fails (useful for some operator + interactions) + type: boolean + name: + description: name of statefulset + type: string + persistentVolume: + description: persistent volume to resize + type: string + valueFrom: + description: the value to use from the args for the + execution + type: string + required: + - name + - persistentVolume + - valueFrom + type: object + type: array + updates: + description: The updates you want to perform + items: + description: An update to a configuration path + properties: + path: + description: path in the configuration to update + items: + type: string + type: array + valueFrom: + description: the value to use from the args for this + execution + type: string + required: + - path + - valueFrom + type: object + type: array + required: + - updates + type: object + name: + description: The name to reference this action + type: string + redirectTo: + description: The url to redirect to after executing this action + type: string + required: + - action + - name + type: object + type: array + alerts: + description: alerts to tie to this runbook + items: + description: RunbookAlert represents an alert to join to this runbook + properties: + name: + description: the name of the alert + type: string + required: + - name + type: object + type: array + datasources: + description: datasources to hydrate graphs and tables in the runbooks + display + items: + 
description: RunbookDatasource defines the query to extract data + for a runbook + properties: + kubernetes: + description: a kubernetes datasource spec + properties: + name: + description: the name of this resource + type: string + resource: + description: the kubernetes resource kind, eg deployment + enum: + - deployment + - statefulset + type: string + required: + - name + - resource + type: object + name: + description: The name to reference this datasource + type: string + prometheus: + description: a prometheus query spec + properties: + format: + description: the format for the value returned + enum: + - cpu + - memory + - none + type: string + legend: + description: the legend to use in the graph of this metric + type: string + query: + description: the prometheus query + type: string + required: + - format + - legend + - query + type: object + type: + description: The type of this datasource + enum: + - prometheus + - kubernetes + - nodes + type: string + required: + - name + - type + type: object + type: array + description: + description: Short description of what this runbook does + type: string + display: + description: the display in supported xml for the runbook in the console + UI + type: string + name: + description: The name for the runbook displayed in the plural console + type: string + required: + - actions + - description + - display + - name + type: object + status: + description: RunbookStatus defines the observed state of Runbook + properties: + alerts: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state + of cluster Important: Run "make" to regenerate code after modifying + this file' + items: + description: RunbookAlertStatus represents the status of an alert + joined to a runbook + properties: + annotations: + additionalProperties: + type: string + description: the alert annotations + type: object + fingerprint: + description: the fingerprint of this alert + type: string + labels: + additionalProperties: + type: string 
+ description: the alert labels + type: object + name: + description: the name of the alert + type: string + startsAt: + description: the time it fired + type: string + required: + - annotations + - fingerprint + - labels + - name + - startsAt + type: object + type: array + required: + - alerts + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_secretsyncs.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_secretsyncs.platform.plural.sh.yaml new file mode 100644 index 0000000..0b32c8a --- /dev/null +++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_secretsyncs.platform.plural.sh.yaml 
@@ -0,0 +1,52 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: secretsyncs.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: SecretSync + listKind: SecretSyncList + plural: secretsyncs + singular: secretsync + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SecretSync is the Schema for the secretsyncs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SecretSyncSpec defines the desired state of SecretSync + properties: + name: + description: The secrets name that you intend to sync into the current + namespace + type: string + namespace: + description: the namespace for the synced secrets + type: string + type: object + status: + description: SecretSyncStatus defines the observed state of SecretSync + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_slashcommands.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_slashcommands.platform.plural.sh.yaml new file mode 100644 index 0000000..ae7f3ad --- /dev/null 
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_slashcommands.platform.plural.sh.yaml @@ -0,0 +1,56 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: slashcommands.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: SlashCommand + listKind: SlashCommandList + plural: slashcommands + singular: slashcommand + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: SlashCommand is the Schema for the slashcommands API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SlashCommandSpec a slack-type slash command for use in incident + chats + properties: + help: + description: a markdown help doc for this command + type: string + type: + description: the slash command to type + enum: + - deploy + type: string + required: + - help + type: object + status: + description: SlashCommandStatus defines the observed state of SlashCommand + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_statefulsetresizes.platform.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_statefulsetresizes.platform.plural.sh.yaml
new file mode 100644
index 0000000..8417522
--- /dev/null
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_statefulsetresizes.platform.plural.sh.yaml
@@ -0,0 +1,58 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: statefulsetresizes.platform.plural.sh +spec: + group: platform.plural.sh + names: + kind: StatefulSetResize + listKind: StatefulSetResizeList + plural: statefulsetresizes + singular: statefulsetresize + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: StatefulSetResize is the Schema for the statefulsetresizes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: StatefulSetResizeSpec defines the desired state of StatefulSetResize + properties: + force: + description: force completion even if a recreation of the statefulset + fails (useful for some operator interactions) + type: boolean + name: + description: Name of the stateful set + type: string + persistentVolume: + description: Name of the persistent volume you wish to resize + type: string + size: + description: Size you want to set it to + type: string + type: object + status: + description: StatefulSetResizeStatus defines the observed state of StatefulSetResize + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardpeers.vpn.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardpeers.vpn.plural.sh.yaml
new file mode 100644
index 0000000..a3c7a79
--- /dev/null
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardpeers.vpn.plural.sh.yaml
@@ -0,0 +1,164 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: wireguardpeers.vpn.plural.sh +spec: + group: vpn.plural.sh + names: + kind: WireguardPeer + listKind: WireguardPeerList + plural: wireguardpeers + singular: wireguardpeer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The Wireguard Server this peer belongs to + jsonPath: .spec.wireguardRef + name: Wireguard Server + type: string + - description: The IP address of this wireguard peer + jsonPath: .spec.address + name: Address + type: string + - description: The name of the secret containing the configuration of the wireguard + peer + jsonPath: .status.configRef.name + name: Config Secret + type: string + - description: WireguardPeer ready status + jsonPath: .status.ready + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WireguardPeer is the Schema for the wireguardpeers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WireguardPeerSpec defines the desired state of WireguardPeer + properties: + PrivateKeyRef: + description: reference to the secret and key containing the private + key of the wireguard peer + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + address: + description: the IP address of the wireguard peer + type: string + publicKey: + description: the public key of the wireguard peer + type: string + wireguardRef: + description: the name of the active wireguard instance + minLength: 1 + type: string + required: + - wireguardRef + type: object + status: + description: WireguardPeerStatus defines the observed state of WireguardPeer + properties: + conditions: + description: Conditions defines current service state of the PacketMachine. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. 
+ type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + config: + description: The configuration of the wireguard peer without the private + key + type: string + configRef: + description: Reference to the secret containing the configuration + of the wireguard peer + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardservers.vpn.plural.sh.yaml b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardservers.vpn.plural.sh.yaml new file mode 100644 index 0000000..cdff807 --- /dev/null 
+++ b/charts/runtime/crds/apiextensions.k8s.io_v1_customresourcedefinition_wireguardservers.vpn.plural.sh.yaml 
@@ -0,0 +1,1398 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: wireguardservers.vpn.plural.sh +spec: + group: vpn.plural.sh + names: + kind: WireguardServer + listKind: WireguardServerList + plural: wireguardservers + singular: wireguardserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: WireguardServer hostname + jsonPath: .status.hostname + name: Hostname + type: string + - description: WireguardServer port + jsonPath: .status.port + name: Port + type: string + - description: WireguardServer ready status + jsonPath: .status.ready + name: Ready + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: WireguardServer is the Schema for the wireguardservers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WireguardServerSpec defines the desired state of WireguardServer + properties: + allowedIPs: + description: The CIDRs that peers can connect to through the wireguard + server. Use 0.0.0.0/0 to allow all. 
+ items: + type: string + type: array + dns: + description: The DNS servers to use for the wireguard server + items: + type: string + type: array + enableHA: + default: false + description: Deploy 3 wireguard servers so that the VPN can be highly + available and spread over 3 availability zones + type: boolean + mtu: + description: Network MTU to use for the VPN + type: string + networkCIDR: + default: 10.8.0.1/24 + description: The CIDR to use for the wireguard server and network + type: string + port: + description: Port for the wireguard server + format: int32 + type: integer + resources: + description: The resources to set for the wireguard server + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + serviceAnnotations: + additionalProperties: + type: string + description: ServiceAnnotations for wireguard k8s service + type: object + serviceType: + description: Service type to use for the VPN + type: string + sidecars: + description: Sidecars for wireguard k8s deployment + items: + description: A single application container that you want to run + within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The container image''s + CMD is used if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If a variable + cannot be resolved, the reference in the input string will + be unchanged. Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the variable + exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within a shell. + The container image''s ENTRYPOINT is used if this is not provided. + Variable references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the reference + in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: + i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether + the variable exists or not. Cannot be updated. 
More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + items: + type: string + type: array + env: + description: List of environment variables to set in the container. + Cannot be updated. + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be + a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in + the container and any service environment variables. + If a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the pod: supports + metadata.name, metadata.namespace, `metadata.labels['''']`, + `metadata.annotations['''']`, spec.nodeName, + spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs.' 
+ properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of the + exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment variables + in the container. The keys defined within a source must be + a C_IDENTIFIER. 
All invalid keys will be reported as an event + when the container is starting. When a key exists in multiple + sources, the value associated with the last source will take + precedence. Values defined by an Env with a duplicate key + will take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source of a set + of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the ConfigMap must be + defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each + key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management + to default or override container images in workload controllers + like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system should take + in response to container lifecycle events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately after a container + is created. If the handler fails, the container is terminated + and restarted according to its restart policy. Other management + of the container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: 'PreStop is called immediately before a container + is terminated due to an API request or management event + such as liveness/startup probe failure, preemption, resource + contention, etc. The handler is not called if the container + crashes or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the container + will eventually terminate within the Pod''s termination + grace period (unless delayed by finalizers). Other management + of the container blocks until the hook completes or until + the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action to take. 
+ properties: + command: + description: Command is the command line to execute + inside the container, the working directory for + the command is root ('/') in the container's + filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, you need + to explicitly call out to that shell. Exit status + of 0 is treated as live/healthy and non-zero is + unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to + the pod IP. You probably want to set "Host" in + httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the + host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward compatibility. + There are no validation of this field and lifecycle + hooks will fail in runtime when tcp handler is specified. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. Container + will be restarted if the probe fails. Cannot be updated. More + info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. 
+ properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. 
+ Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Exposing + a port here gives the system additional information about + the network connections a container uses, but is primarily + informational. Not specifying a port here DOES NOT prevent + that port from being exposed. Any port which is listening + on the default "0.0.0.0" address inside a container will be + accessible from the network. Cannot be updated. + items: + description: ContainerPort represents a network port in a + single container. 
+ properties: + containerPort: + description: Number of port to expose on the pod's IP + address. This must be a valid port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external port to. + type: string + hostPort: + description: Number of port to expose on the host. If + specified, this must be a valid port number, 0 < x < + 65536. If HostNetwork is specified, this must match + ContainerPort. Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in a pod + must have a unique name. Name for the port that can + be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be UDP, TCP, or SCTP. + Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if the probe + fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. 
Defaults + to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resources: + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security options the + container should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext. More + info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether + a process can gain more privileges than its parent process. + This bool directly controls if the no_new_privs flag will + be set on the container process. 
AllowPrivilegeEscalation + is true always when the container is: 1) run as Privileged + 2) has CAP_SYS_ADMIN Note that this field cannot be set + when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by + the container runtime. Note that this field cannot be + set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities + type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent to + root on the host. Defaults to false. Note that this field + cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of proc mount to + use for the containers. The default is DefaultProcMount + which uses the container runtime defaults for readonly + paths and masked paths. This requires the ProcMountType + feature flag to be enabled. Note that this field cannot + be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root + filesystem. Default is false. Note that this field cannot + be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a + non-root user. If true, the Kubelet will validate the + image at runtime to ensure that it does not run as UID + 0 (root) and fail to start the container if it does. If + unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both + SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata + if unspecified. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a + random SELinux context for each container. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by this container. + If seccomp options are provided at both the pod & container + level, the container options override the pod options. 
+ Note that this field cannot be set when spec.os.name is + windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile + must be preconfigured on the node to work. Must be + a descending path, relative to the kubelet's configured + seccomp profile location. Must only be set if type + is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - + a profile defined in a file on the node should be + used. RuntimeDefault - the container runtime default + profile should be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options from the PodSecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is + linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components + that enable the WindowsHostProcessContainers feature + flag. Setting this field without the feature flag + will result in errors when validating the Pod. 
All + of a Pod's containers must have the same effective + HostProcess value (it is not allowed to have a mix + of HostProcess containers and non-HostProcess containers). In + addition, if HostProcess is true then HostNetwork + must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set + in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: 'StartupProbe indicates that the Pod has successfully + initialized. If specified, no other probes are executed until + this completes successfully. If this probe fails, the Pod + will be restarted, just as if the livenessProbe failed. This + can be used to provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time to load + data or warm a cache, than during steady-state operation. + This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to take. + properties: + command: + description: Command is the command line to execute + inside the container, the working directory for the + command is root ('/') in the container's filesystem. + The command is simply exec'd, it is not run inside + a shell, so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is treated + as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe + to be considered failed after having succeeded. Defaults + to 3. Minimum value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving a GRPC port. + This is a beta field and requires enabling GRPCContainerProbe + feature gate. + properties: + port: + description: Port number of the gRPC service. Number + must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the service to + place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request to perform. + properties: + host: + description: Host name to connect to, defaults to the + pod IP. You probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP + allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: The header field name + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the container has + started before liveness probes are initiated. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe + to be considered successful after having failed. Defaults + to 1. Must be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action involving a TCP + port. + properties: + host: + description: 'Optional: Host name to connect to, defaults + to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port to access on + the container. Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully upon probe failure. The grace + period is the duration in seconds after the processes + running in the pod are sent a termination signal and the + time when the processes are forcibly halted with a kill + signal. Set this value longer than the expected cleanup + time for your process. If this value is nil, the pod's + terminationGracePeriodSeconds will be used. Otherwise, + this value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity to + shut down). This is a beta field and requires enabling + ProbeTerminationGracePeriod feature gate. Minimum value + is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which the probe times + out. Defaults to 1 second. Minimum value is 1. 
More info: + https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate a buffer + for stdin in the container runtime. If this is not set, reads + from stdin in the container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should close the + stdin channel after it has been opened by a single attach. + When stdin is true the stdin stream will remain open across + multiple attach sessions. If stdinOnce is set to true, stdin + is opened on container start, is empty until the first client + attaches to stdin, and then remains open and accepts data + until the client disconnects, at which time stdin is closed + and remains closed until the container is restarted. If this + flag is false, a container processes that reads from stdin + will never receive an EOF. Default is false + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file to which the + container''s termination message will be written is mounted + into the container''s filesystem. Message written is intended + to be brief final status, such as an assertion failure message. + Will be truncated by the node if greater than 4096 bytes. + The total message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be + populated. File will use the contents of terminationMessagePath + to populate the container status message on both success and + failure. FallbackToLogsOnError will use the last chunk of + container log output if the termination message file is empty + and the container exited with an error. The log output is + limited to 2048 bytes or 80 lines, whichever is smaller. Defaults + to File. Cannot be updated. 
+ type: string + tty: + description: Whether this container should allocate a TTY for + itself, also requires 'stdin' to be true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block devices to be + used by the container. + items: + description: volumeDevice describes a mapping of a raw block + device within a container. + properties: + devicePath: + description: devicePath is the path inside of the container + that the device will be mapped to. + type: string + name: + description: name must match the name of a persistentVolumeClaim + in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's filesystem. + Cannot be updated. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: Path within the container at which the volume + should be mounted. Must not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines how mounts are + propagated from the host to container and the other + way around. When not set, MountPropagationNone is used. + This field is beta in 1.10. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise + (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's + volume should be mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume from which + the container's volume should be mounted. Behaves similarly + to SubPath but environment variable references $(VAR_NAME) + are expanded using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath are mutually + exclusive. 
+ type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If not specified, + the container runtime's default will be used, which might + be configured in the container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + wireguardImage: + description: WireguardImage for wireguard k8s deployment + type: string + required: + - wireguardImage + type: object + status: + description: WireguardServerStatus defines the observed state of Wireguard + properties: + conditions: + description: Conditions defines current service state of the PacketMachine. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. This should be when the underlying condition changed. + If that is not known, then using the time when the API field + changed is acceptable. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. This field may be empty. + type: string + reason: + description: The reason for the condition's last transition + in CamelCase. The specific API may choose whether or not this + field is considered a guaranteed API. This field may not be + empty. + type: string + severity: + description: Severity provides an explicit classification of + Reason code, so the users or machines can immediately understand + the current situation and act accordingly. The Severity field + MUST be set only when Status=False. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
+ type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + hostname: + type: string + port: + type: string + ready: + description: Ready is true when the provider resource is ready. + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/runtime/crds/application.yaml b/charts/runtime/crds/application.yaml new file mode 100644 index 0000000..698341d --- /dev/null +++ b/charts/runtime/crds/application.yaml 
@@ -0,0 +1,532 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/application/pull/2 + controller-gen.kubebuilder.io/version: v0.4.0 + creationTimestamp: null + labels: + app.kubernetes.io/name: kube-app-manager + control-plane: kube-app-manager + name: applications.app.k8s.io +spec: + group: app.k8s.io + names: + categories: + - all + kind: Application + listKind: ApplicationList + plural: applications + shortNames: + - app + singular: application + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The type of the application + jsonPath: .spec.descriptor.type + name: Type + type: string + - description: The creation date + jsonPath: .spec.descriptor.version + name: Version + type: string + - description: The application object owns the matched resources + jsonPath: .spec.addOwnerRef + name: Owner + type: boolean + - description: Numbers of components ready + jsonPath: .status.componentsReady + name: Ready + type: string + - description: The creation date + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Application is the Schema for the applications API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ApplicationSpec defines the specification for an Application. + properties: + addOwnerRef: + description: AddOwnerRef objects - flag to indicate if we need to + add OwnerRefs to matching objects Matching is done by using Selector + to query all ComponentGroupKinds + type: boolean + assemblyPhase: + description: AssemblyPhase represents the current phase of the application's + assembly. An empty value is equivalent to "Succeeded". + type: string + componentKinds: + description: ComponentGroupKinds is a list of Kinds for Application's + components (e.g. Deployments, Pods, Services, CRDs). It can be used + in conjunction with the Application's Selector to list or watch + the Applications components. + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + descriptor: + description: Descriptor regroups information and metadata about an + application. + properties: + description: + description: Description is a brief string description of the + Application. + type: string + icons: + description: Icons is an optional list of icons for an application. + Icon information includes the source, size, and mime type. + items: + description: ImageSpec contains information about an image used + as an icon. + properties: + size: + description: (optional) The size of the image in pixels + (e.g., 25x25). + type: string + src: + description: The source for image represented as either + an absolute URL to the image or a Data URL containing + the image. Data URLs are defined in RFC 2397. 
+ type: string + type: + description: (optional) The mine type of the image (e.g., + "image/png"). + type: string + required: + - src + type: object + type: array + keywords: + description: Keywords is an optional list of key words associated + with the application (e.g. MySQL, RDBMS, database). + items: + type: string + type: array + links: + description: Links are a list of descriptive URLs intended to + be used to surface additional documentation, dashboards, etc. + items: + description: Link contains information about an URL to surface + documentation, dashboards, etc. + properties: + description: + description: Description is human readable content explaining + the purpose of the link. + type: string + url: + description: Url typically points at a website address. + type: string + type: object + type: array + maintainers: + description: Maintainers is an optional list of maintainers of + the application. The maintainers in this list maintain the the + source code, images, and package for the application. + items: + description: ContactData contains information about an individual + or organization. + properties: + email: + description: Email is the email address. + type: string + name: + description: Name is the descriptive name. + type: string + url: + description: Url could typically be a website address. + type: string + type: object + type: array + notes: + description: Notes contain a human readable snippets intended + as a quick start for the users of the Application. CommonMark + markdown syntax may be used for rich text representation. + type: string + owners: + description: Owners is an optional list of the owners of the installed + application. The owners of the application should be contacted + in the event of a planned or unplanned disruption affecting + the application. + items: + description: ContactData contains information about an individual + or organization. + properties: + email: + description: Email is the email address. 
+ type: string + name: + description: Name is the descriptive name. + type: string + url: + description: Url could typically be a website address. + type: string + type: object + type: array + type: + description: Type is the type of the application (e.g. WordPress, + MySQL, Cassandra). + type: string + version: + description: Version is an optional version indicator for the + Application. + type: string + type: object + info: + description: Info contains human readable key,value pairs for the + Application. + items: + description: InfoItem is a human readable key,value pair containing + important information about how to access the Application. + properties: + name: + description: Name is a human readable title for this piece of + information. + type: string + type: + description: Type of the value for this InfoItem. + type: string + value: + description: Value is human readable content. + type: string + valueFrom: + description: ValueFrom defines a reference to derive the value + from another source. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a + valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container + within a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container + that triggered the event) or if no container name + is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to + have some well-defined way of referencing a part of + an object. TODO: this design is not final and this + field is subject to change in the future.' + type: string + key: + description: The key to select. 
+ type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this + reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + ingressRef: + description: Select an Ingress. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a + valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container + within a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container + that triggered the event) or if no container name + is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to + have some well-defined way of referencing a part of + an object. TODO: this design is not final and this + field is subject to change in the future.' + type: string + host: + description: The optional host to select. + type: string + kind: + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + path: + description: The optional HTTP path. + type: string + protocol: + description: Protocol for the ingress + type: string + resourceVersion: + description: 'Specific resourceVersion to which this + reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + secretKeyRef: + description: Selects a key of a Secret. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a + valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container + within a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container + that triggered the event) or if no container name + is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to + have some well-defined way of referencing a part of + an object. TODO: this design is not final and this + field is subject to change in the future.' + type: string + key: + description: The key to select. + type: string + kind: + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this + reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + serviceRef: + description: Select a Service. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a + valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container + within a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container + that triggered the event) or if no container name + is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to + have some well-defined way of referencing a part of + an object. TODO: this design is not final and this + field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + path: + description: The optional HTTP path. + type: string + port: + description: The optional port to select. + format: int32 + type: integer + protocol: + description: Protocol for the service + type: string + resourceVersion: + description: 'Specific resourceVersion to which this + reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: + description: Type of source. + type: string + type: object + type: object + type: array + selector: + description: 'Selector is a label query over kinds that created by + the application. It must match the component objects'' labels. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. 
+ If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + type: object + status: + description: ApplicationStatus defines controller's the observed state + of Application + properties: + components: + description: Object status array for all matching objects + items: + description: ObjectStatus is a generic status holder for objects + properties: + group: + description: Object group + type: string + kind: + description: Kind of object + type: string + link: + description: Link to object + type: string + name: + description: Name of object + type: string + status: + description: 'Status. Values: InProgress, Ready, Unknown' + type: string + type: object + type: array + componentsReady: + description: 'ComponentsReady: status of the components in the format + ready/total' + type: string + conditions: + description: Conditions represents the latest state of the object + items: + description: Condition describes the state of an object at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: Last time the condition was probed + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. 
+ type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + observedGeneration: + description: ObservedGeneration is the most recent generation observed. + It corresponds to the Object's generation, which is updated on mutation + by the API Server. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/charts/runtime/templates/application.yaml b/charts/runtime/templates/application.yaml new file mode 100644 index 0000000..9dd124d --- /dev/null +++ b/charts/runtime/templates/application.yaml 
@@ -0,0 +1,235 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: application-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-kube-app-manager-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - app.k8s.io
+ resources:
+ - applications
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - app.k8s.io
+ resources:
+ - applications/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kube-app-manager-leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: application-system
+ namespace: bootstrap
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-kube-app-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-app-manager-kube-app-manager-role
+subjects:
+- kind: ServiceAccount
+ name: application-system
+ namespace: bootstrap
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-app-manager-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: application-system
+ namespace: bootstrap
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ name: kube-app-manager-metrics-service
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: https
+ selector:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ controller-tools.k8s.io: "1.0"
+ name: kube-app-manager-service
+spec:
+ ports:
+ - port: 443
+ selector:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ controller-tools.k8s.io: "1.0"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ controller-tools.k8s.io: "1.0"
+ name: kube-app-manager-controller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: kube-app-manager
+ control-plane: kube-app-manager
+ controller-tools.k8s.io: "1.0"
+ spec:
+ serviceAccountName: application-system
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ containers:
+ - args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.1
+
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ - args:
+ - --metrics-addr=127.0.0.1:8080
+ # - --enable-leader-election
+ command:
+ - /kube-app-manager
+ image: {{ .Values.application.registry }}/kube-app-manager:{{ .Values.application.tag }}
+ imagePullPolicy: Always
+ name: kube-app-manager
+ resources:
+ limits:
+ cpu: 100m
+ memory: 30Mi
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ terminationGracePeriodSeconds: 10
\ No newline at end of file
diff --git a/charts/runtime/templates/operator-cm.yaml b/charts/runtime/templates/operator-cm.yaml
new file mode 100644
index 0000000..3e0bc3c
--- /dev/null
+++ b/charts/runtime/templates/operator-cm.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: plural-operator-selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: plural-operator-serving-cert
+spec:
+ dnsNames:
+ - plural-operator-webhook-service.{{ .Release.Namespace }}.svc
+ - plural-operator-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: plural-operator-selfsigned-issuer
+ secretName: plural-operator-webhook-server-cert
diff --git a/charts/runtime/templates/operator-rbac.yaml b/charts/runtime/templates/operator-rbac.yaml
new file mode 100644
index 0000000..f15b234
--- /dev/null
+++ b/charts/runtime/templates/operator-rbac.yaml
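Review bot: All three bindings in this hunk hard-code the subject's `namespace: bootstrap`, while the `application-system` ServiceAccount at the top of the file has no namespace and is therefore created in the release namespace; operator-rbac.yaml in this same commit uses `namespace: {{ .Release.Namespace }}` for the same purpose, so installing the chart anywhere but `bootstrap` leaves the bindings pointing at a ServiceAccount that does not exist, or at a different one. Change each subject to `namespace: {{ .Release.Namespace }}`. Separately, `kube-app-manager-kube-app-manager-role` grants get/list/watch/patch/update on `'*'` resources in `'*'` API groups cluster-wide, which includes reading every Secret and patching RBAC and workload objects; if the controller only needs the kinds an Application lists in `componentKinds`, the rule deserves either narrowing or a comment stating why the wildcard is required. The `--v=10` flag on kube-rbac-proxy is debug-level verbosity and will log request details at volume, so a lower level such as `--v=2` is more appropriate for a shipped chart.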
@@ -0,0 +1,270 @@
+# permissions for end users to edit secretsyncs.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: plural-operator
+ labels:
+ {{ include "runtime.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: plural-operator-role
+ labels:
+ {{ include "runtime.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ - platform.plural.sh
+ - apps
+ resources:
+ - secretsyncs
+ - secrets
+ - runbooks
+ - statefulsetresizes
+ - persistentvolumeclaims
+ - statefulsets
+ - defaultstorageclasses
+ - resourcegroups
+ - licenses
+ - registrycredentials
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - alertmanagerconfigs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - platform.plural.sh
+ resources:
+ - secretsyncs/status
+ - runbooks/status
+ - licenses/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - watch
+ - list
+ - delete
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - delete
+- apiGroups:
+ - vpn.plural.sh
+ resources:
+ - wireguardpeers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - vpn.plural.sh
+ resources:
+ - wireguardpeers/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - vpn.plural.sh
+ resources:
+ - wireguardpeers/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - vpn.plural.sh
+ resources:
+ - wireguardservers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - vpn.plural.sh
+ resources:
+ - wireguardservers/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - vpn.plural.sh
+ resources:
+ - wireguardservers/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+ labels:
+ {{ include "runtime.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ - coordination.k8s.io
+ resources:
+ - configmaps
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: plrl-operator-rolebinding
+ labels:
+ {{ include "runtime.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: plural-operator-role
+subjects:
+- kind: ServiceAccount
+ name: plural-operator
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: plrl-operator-leader-election-rolebinding
+ labels:
+ {{ include "runtime.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: plural-operator
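Review bot: The first rule of `plural-operator-role` is a cross-product over `""`, `platform.plural.sh` and `apps` that grants cluster-wide create/delete/patch on core `secrets` (granted again with full verbs further down), and later rules add cluster-wide `pods` create/update and `serviceaccounts` update/patch; a subject that can create pods in any namespace and read any Secret has reach equivalent to every ServiceAccount in the cluster, so if the reconcilers only touch a known set of namespaces these core-group rules would be better scoped with Roles, or at least a comment should record why cluster scope is needed. The comment `# permissions for end users to edit secretsyncs.` on the first line sits above the ServiceAccount, which it does not describe; `# service account and cluster-wide permissions for the plural operator` would be accurate. Minor tidy-ups: the `storageclasses` rule lists `watch` twice, and `pods` and `secrets` each appear in two separate rules that could be merged. The final RoleBinding subject omits `namespace`, which RBAC defaults to the binding's namespace for ServiceAccount subjects, but adding `namespace: {{ .Release.Namespace }}` keeps it consistent with the ClusterRoleBinding above.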
diff --git a/charts/runtime/templates/operator-svc.yaml b/charts/runtime/templates/operator-svc.yaml
new file mode 100644
index 0000000..20d521f
--- /dev/null
+++ b/charts/runtime/templates/operator-svc.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: plural-operator
+ labels:
+{{ include "bootstrap.labels" . | indent 4 }}
+spec:
+ type: NodePort
+ ports:
+ - port: 8080
+ targetPort: metrics
+ protocol: TCP
+ name: metrics
+ selector:
+ control-plane: plural-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: plural-operator-webhook-service
+spec:
+ ports:
+ - port: 443
+ targetPort: webhook-server
+ protocol: TCP
+ name: https-webhook-server
+ selector:
+ control-plane: plural-operator
diff --git a/charts/runtime/templates/operator.yaml b/charts/runtime/templates/operator.yaml
new file mode 100644
index 0000000..9fa2284
--- /dev/null
+++ b/charts/runtime/templates/operator.yaml
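Review bot: The metrics Service is `type: NodePort`, which opens the operator's metrics port on every node's IP to anything that can reach the node network; nothing in this chart needs to reach it from outside the cluster, so `type: ClusterIP` (or simply omitting `type`) is the safer default. The labels line uses `{{ include "bootstrap.labels" . | indent 4 }}` whereas every other template in this commit uses `runtime.labels`; if the runtime chart's helpers do not define `bootstrap.labels`, rendering fails, so `{{- include "runtime.labels" . | nindent 4 }}` looks like the intended form.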
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: plural-operator
+ labels:
+ control-plane: plural-operator
+ {{- include "runtime.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ control-plane: plural-operator
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ control-plane: plural-operator
+ {{- include "runtime.labels" . | nindent 8 }}
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - command:
+ - /manager
+ args:
+ - --leader-elect
+ image: "{{ .Values.plural.image.repository }}:{{ .Values.plural.image.tag }}"
+ imagePullPolicy: Always
+ name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ env:
+ - name: PLURAL_OAUTH_SIDECAR_CONFIG_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: PLURAL_OAUTH_SIDECAR_CONFIG_NAME
+ value: plural-operator-oauth-sidecar-config
+ ports:
+ - containerPort: 8081
+ name: health
+ protocol: TCP
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: webhook-cert
+ readOnly: true
+ volumes:
+ - name: webhook-cert
+ secret:
+ defaultMode: 420
+ secretName: plural-operator-webhook-server-cert
+ serviceAccountName: plural-operator
+ terminationGracePeriodSeconds: 10
diff --git a/charts/runtime/values.yaml b/charts/runtime/values.yaml
index 08d0e77..98c0630 100644
--- a/charts/runtime/values.yaml
+++ b/charts/runtime/values.yaml
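Review bot: The manager container sets `allowPrivilegeEscalation: false` and the pod sets `runAsNonRoot: true`, but the container still runs with the default capability set, a writable root filesystem and no seccomp profile, so it would not admit under the restricted Pod Security Standard; assuming `/manager` writes nothing outside the mounted cert volume, the container `securityContext` below should be safe to apply. `resources` has requests but no `limits`, unlike application.yaml in this same commit, and `imagePullPolicy: Always` combined with the mutable `tag` from values.yaml means every restart can pull a different image for the same tag; pinning by digest would make rollouts reproducible.
```yaml
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: env, ports, probes, resources, volumeMounts …
```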
@@ -19,6 +19,15 @@ external-dns: name: plural-env key: PLURAL_ACCESS_TOKEN +application: + registry: dkr.plural.sh/bootstrap + tag: v0.8.3 + +plural: + image: + repository: dkr.plural.sh/bootstrap/plural-operator + tag: 0.5.5 + ownerEmail: someone@example.com acmeServer: https://acme.zerossl.com/v2/DV90 letsencryptServer: https://acme-v02.api.letsencrypt.org/directory diff --git a/providers/aws.tf b/providers/aws.tf deleted file mode 100644 index ef45e08..0000000 --- a/providers/aws.tf +++ /dev/null @@ -1,32 +0,0 @@ -terraform { - required_version = ">= 1.0" - - backend "s3" { - bucket = "{{ .Bucket }}" - key = "{{ .Cluster }}/terraform.tfstate" - region = "{{ .Region }}" - } - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.57" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" - } - random = { - source = "hashicorp/random" - version = "3.6.0" - } - helm = { - source = "hashicorp/helm" - version = "2.12.1" - } - } -} - -provider "aws" { - region = "{{ .Region }}" -} diff --git a/templates/providers/apps/aws.tf b/templates/providers/apps/aws.tf new file mode 100644 index 0000000..2ecf3e7 --- /dev/null +++ b/templates/providers/apps/aws.tf 
@@ -0,0 +1,38 @@
+terraform {
+ required_version = ">= 1.0"
+
+ backend "s3" {
+ bucket = "{{ .Bucket }}"
+ key = "{{ .Cluster }}/apps/terraform.tfstate"
+ region = "{{ .Region }}"
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.57"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ }
+}
+
+provider "aws" {
+ region = "{{ .Region }}"
+}
+
+data "aws_eks_cluster" "cluster" {
+ name = "{{ .Cluster }}"
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = "{{ .Cluster }}"
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
+}
\ No newline at end of file
diff --git a/templates/providers/apps/azure.tf b/templates/providers/apps/azure.tf
new file mode 100644
index 0000000..640af98
--- /dev/null
+++ b/templates/providers/apps/azure.tf
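Review bot: The `backend "s3"` block enables neither `encrypt = true` nor a `dynamodb_table` lock, and this stack's state will contain the `aws_eks_cluster_auth` token and the cluster CA, so server-side encryption of the state object and a lock table are worth adding; `encrypt = true` is a one-line change. `certificate_authority.0.data` uses the legacy attribute-index syntax; `certificate_authority[0].data` is the current form and matches the `kube_config[0]` style the sibling azure.tf already uses. The key `{{ .Cluster }}/apps/terraform.tfstate` differs from the `{{ .Cluster }}/terraform.tfstate` of the deleted providers/aws.tf, which looks intentional, but existing installs will start from an empty state under the new path unless state is migrated.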
@@ -0,0 +1,43 @@ +terraform { + required_version = ">=1.3" + + backend "azurerm" { + storage_account_name = "{{ .Context.StorageAccount }}" + resource_group_name = "{{ .Project }}" + container_name = "{{ .Bucket }}" + key = "{{ .Cluster }}/apps/terraform.tfstate" + } + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.51.0, < 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + } +} + +provider "azurerm" { + features { + resource_group { + prevent_deletion_if_contains_resources = false + } + } +} + + + +data "azurerm_kubernetes_cluster" "cluster" { + name = "{{ .Cluster }}" + resource_group_name = "{{ .Project }}" +} + +provider "kubernetes" { + host = data.azurerm_kubernetes_cluster.cluster.kube_config[0].host + client_certificate = base64decode(data.azurerm_kubernetes_cluster.cluster.kube_config[0].client_certificate) + client_key = base64decode(data.azurerm_kubernetes_cluster.cluster.kube_config[0].client_key) + cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.cluster.kube_config[0].cluster_ca_certificate) +} diff --git a/templates/providers/apps/gcp.tf b/templates/providers/apps/gcp.tf new file mode 100644 index 0000000..11e2423 --- /dev/null +++ b/templates/providers/apps/gcp.tf 
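Review bot: The kubernetes provider authenticates with `kube_config[0].client_certificate`/`client_key`, i.e. the AKS local-account cluster-admin certificate, which is long-lived, bound to no identity, and persisted in plaintext in the azurerm state at `{{ .Cluster }}/apps/terraform.tfstate`. Unless local accounts are a hard requirement, prefer an Entra ID login (an `exec` block running `kubelogin`, or the AAD-integrated admin config) so cluster-admin access is auditable and revocable; if local accounts stay, add `# NOTE: local-account admin cert — the state container must be treated as cluster-admin credentials` above the provider. `prevent_deletion_if_contains_resources = false` also switches off the provider's guard against destroying a resource group that still holds unmanaged resources; if that is deliberate for the apps stack, say so in a comment. The three blank lines before the data source are stray.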
@@ -0,0 +1,30 @@
+terraform {
+ backend "gcs" {
+ bucket = "{{ .Bucket }}"
+ prefix = "{{ .Cluster }}/apps"
+ }
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ }
+ required_version = ">= 0.13"
+}
+
+data "google_client_config" "default" {}
+
+data "google_container_cluster" "cluster" {
+ name = "{{ .Cluster }}"
+ location = "{{ .Region }}"
+}
+
+provider "kubernetes" {
+ host = data.google_container_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.google_container_cluster.cluster.master_auth.0.cluster_ca_certificate)
+ token = data.google_client_config.current.access_token
+}
\ No newline at end of file
diff --git a/templates/providers/bootstrap/aws.tf b/templates/providers/bootstrap/aws.tf
new file mode 100644
index 0000000..9eba8b7
--- /dev/null
+++ b/templates/providers/bootstrap/aws.tf
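Review bot: `token = data.google_client_config.current.access_token` references a data source this file does not declare — the only one is `data "google_client_config" "default"` — so `terraform validate` should fail with an undeclared-resource error; make the two names agree (the deleted `terraform/clouds/gcp/kubernetes.tf` used `default`). `host = data.google_container_cluster.cluster.endpoint` also drops the `https://` prefix that the deleted file carried; the provider may accept a bare address, but `host = "https://${data.google_container_cluster.cluster.endpoint}"` keeps the scheme explicit. The `google` provider entry has no version constraint while `kubernetes` does; pin it like the other templates do.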
@@ -0,0 +1,58 @@ +terraform { + required_version = ">= 1.0" + + backend "s3" { + bucket = "{{ .Bucket }}" + key = "{{ .Cluster }}/bootstrap/terraform.tfstate" + region = "{{ .Region }}" + } + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.57" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + random = { + source = "hashicorp/random" + version = "3.6.0" + } + helm = { + source = "hashicorp/helm" + version = "2.12.1" + } + local = { + souce = "hashicorp/local" + version = "2.4.1" + } + } +} + +provider "aws" { + region = "{{ .Region }}" +} + +data "aws_eks_cluster" "cluster" { + name = module.aws.cluster.cluster_name +} + +data "aws_eks_cluster_auth" "cluster" { + name = module.aws.cluster.cluster_name +} + +provider "kubernetes" { + host = module.aws.cluster.cluster_endpoint + cluster_ca_certificate = base64decode(module.aws.cluster.cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.cluster.token +} + +provider "helm" { + kubernetes { + host = module.aws.cluster.cluster_endpoint + cluster_ca_certificate = base64decode(module.aws.cluster.cluster_certificate_authority_data) + token = data.aws_eks_cluster_auth.cluster.token + } +} \ No newline at end of file diff --git a/providers/azure.tf b/templates/providers/bootstrap/azure.tf similarity index 50% rename from providers/azure.tf rename to templates/providers/bootstrap/azure.tf index 1685150..35e938f 100644 --- a/providers/azure.tf +++ b/templates/providers/bootstrap/azure.tf @@ -5,7 +5,7 @@ terraform { storage_account_name = "{{ .Context.StorageAccount }}" resource_group_name = "{{ .Project }}" container_name = "{{ .Bucket }}" - key = "{{ .Cluster }}/terraform.tfstate" + key = "{{ .Cluster }}/bootstrap/terraform.tfstate" } required_providers { @@ -29,6 +29,10 @@ terraform { source = "hashicorp/helm" version = "2.12.1" } + local = { + souce = "hashicorp/local" + version = "2.4.1" + } } } 
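Review bot: `souce = "hashicorp/local"` in the new `local` entry of `required_providers` is a typo for `source`; `required_providers` objects only accept `source` and `version`, so this should fail at `terraform init` rather than quietly default to `hashicorp/local`. The same typo appears in the `bootstrap/azure.tf` hunk on this line and in the gcp variant. The `data "aws_eks_cluster" "cluster"` block is unused (host and CA come from `module.aws.cluster`), and the `backend "s3"` again lacks `encrypt = true` and `dynamodb_table` — this is the state of the stack that creates the cluster and presumably holds its generated secrets, so encryption and locking matter most here.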
@@ -42,4 +46,20 @@ provider "azurerm" { prevent_deletion_if_contains_resources = false } } +} + +provider "kubernetes" { + host = module.azure.cluster.cluster_fqdn + cluster_ca_certificate = base64decode(module.azure.cluster.cluster_ca_certificate) + client_certificate = base64decode(module.azure.cluster.client_certificate) + client_key = base64decode(module.azure.cluster.client_key) +} + +provider "helm" { + kubernetes { + host = module.azure.cluster.cluster_fqdn + cluster_ca_certificate = base64decode(module.azure.cluster.cluster_ca_certificate) + client_certificate = base64decode(module.azure.cluster.client_certificate) + client_key = base64decode(module.azure.cluster.client_key) + } } \ No newline at end of file diff --git a/providers/gcp.tf b/templates/providers/bootstrap/gcp.tf similarity index 55% rename from providers/gcp.tf rename to templates/providers/bootstrap/gcp.tf index 2d5f687..2d13b31 100644 --- a/providers/gcp.tf +++ b/templates/providers/bootstrap/gcp.tf @@ -20,6 +20,20 @@ terraform { source = "hashicorp/helm" version = "2.12.1" } + local = { + souce = "hashicorp/local" + version = "2.4.1" + } } required_version = ">= 0.13" +} + +data "google_client_config" "default" {} + +provider "helm" { + kubernetes { + host = module.gcp.cluster.endpoint + cluster_ca_certificate = base64decode(module.gcp.cluster.ca_certificate) + token = data.google_client_config.current.access_token + } } \ No newline at end of file diff --git a/templates/setup/console.tf b/templates/setup/console.tf new file mode 100644 index 0000000..27101bd --- /dev/null +++ b/templates/setup/console.tf 
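Review bot: Both the kubernetes and helm providers authenticate with `module.azure.cluster.client_certificate`/`client_key`, the AKS local-account cluster-admin certificate, so cluster-admin material is held in plaintext in the bootstrap state (`{{ .Cluster }}/bootstrap/terraform.tfstate`); the `provider "azurerm"` block this hunk closes begins outside it. If local accounts must remain enabled for bootstrap, note the consequence above the provider, e.g. `# local-account admin cert: state container holds cluster-admin credentials — restrict access accordingly`, and consider switching to an `exec`-based Entra ID login once the cluster exists.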
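Review bot: As in the apps template, the helm provider reads `data.google_client_config.current.access_token` while this hunk declares `data "google_client_config" "default"`; unless `current` is declared in an unchanged part of the file, `terraform validate` fails — pick one name. The `local` provider entry repeats the `souce` typo for `source`. `host = module.gcp.cluster.endpoint` is again used without the `https://` prefix that the deleted `terraform/clouds/gcp/kubernetes.tf` added; keep the scheme explicit.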
@@ -0,0 +1,27 @@
+
+resource "null_resource" "console" {
+ provisioner "local-exec" {
+ command = "plural cd control-plane-values --name {{ .Cluster }} --dsn \"${module.mgmt.db_url}\" --domain {{ .Domain }} --file console.yaml"
+ working_dir = "${path.module}/../helm-values"
+ }
+}
+
+data "local_sensitive_file" "console" {
+ filename = "${path.module}/../helm-values/console.yaml"
+ depends_on = [ null_resource.console ]
+}
+
+resource "helm_release" "console" {
+ name = "console"
+ namespace = "plrl-console"
+ chart = "console"
+ repository = "https://pluralsh.github.io/console"
+ version = "0.1.15"
+ create_namespace = true
+ timeout = 300
+ values = [
+ data.local_sensitive_file.console
+ ]
+
+ depends_on = [ null_resource.console, module.mgmt.cluster ]
+}
\ No newline at end of file
diff --git a/templates/setup/providers/aws.tf b/templates/setup/providers/aws.tf
new file mode 100644
index 0000000..1c7f8ac
--- /dev/null
+++ b/templates/setup/providers/aws.tf
@@ -0,0 +1,5 @@
+module "mgmt" {
+ source = "../terraform/clouds/aws"
+ cluster_name = "{{ .Cluster }}"
+ runtime_values_file = "../helm-values/runtime.yaml"
+}
\ No newline at end of file
diff --git a/templates/setup/providers/azure.tf b/templates/setup/providers/azure.tf
new file mode 100644
index 0000000..767980d
--- /dev/null
+++ b/templates/setup/providers/azure.tf
@@ -0,0 +1,6 @@
+module "mgmt" {
+ source = "../terraform/clouds/azure"
+ resource_group_name = "{{ .Project }}"
+ cluster_name = "{{ .Cluster }}"
+ runtime_values_file = "../helm-values/runtime.yaml"
+}
\ No newline at end of file
diff --git a/templates/setup/providers/gcp.tf b/templates/setup/providers/gcp.tf
new file mode 100644
index 0000000..915a386
--- /dev/null
+++ b/templates/setup/providers/gcp.tf
@@ -0,0 +1,6 @@
+module "mgmt" {
+ source = "../terraform/clouds/gcp"
+ project_id = "{{ .Project }}"
+ cluster_name = "{{ .Cluster }}"
+ runtime_values_file = "../helm-values/runtime.yaml"
+}
\ No newline at end of file
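Review bot: `values = [ data.local_sensitive_file.console ]` passes the data-source object rather than its `content` attribute, so the `helm_release` should fail type-checking (`values` wants strings); the copy in `test/main.tf` uses `data.local_sensitive_file.console.content`, which is what belongs here. The `local-exec` command also interpolates `module.mgmt.db_url` — which embeds the generated Postgres password — into the argument list, so any local user can read it from the process list while `plural cd` runs, and the rendered `console.yaml` then holds the DSN in plaintext under `helm-values/` (make sure that path is git-ignored); if the CLI can take the DSN from the environment or a file, use that instead of `--dsn`. `null_resource.console` has no `triggers`, so a rotated password never re-renders the file; add `triggers = { dsn = sha256(module.mgmt.db_url) }`.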
diff --git a/terraform/clouds/aws/kubernetes.tf b/terraform/clouds/aws/kubernetes.tf deleted file mode 100644 index 6ede75b..0000000 --- a/terraform/clouds/aws/kubernetes.tf +++ /dev/null @@ -1,13 +0,0 @@ -data "aws_eks_cluster" "cluster" { - name = module.eks.cluster_name -} - -data "aws_eks_cluster_auth" "cluster" { - name = module.eks.cluster_name -} - -provider "kubernetes" { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.cluster.token -} \ No newline at end of file diff --git a/terraform/clouds/aws/locals.tf b/terraform/clouds/aws/locals.tf index fc8b777..dc0425f 100644 --- a/terraform/clouds/aws/locals.tf +++ b/terraform/clouds/aws/locals.tf @@ -1,3 +1,3 @@ locals { - db_url = format("postgresql://console:%s@%s:5432/console", random_password.password.result, module.db.db_instance_address) + db_url = format("postgresql://console:%s@%s:5432/console", random_password.password.result, try(module.db[0].db_instance_address, "")) } \ No newline at end of file diff --git a/terraform/clouds/aws/outputs.tf b/terraform/clouds/aws/outputs.tf index 2305bf4..1138641 100644 --- a/terraform/clouds/aws/outputs.tf +++ b/terraform/clouds/aws/outputs.tf @@ -14,4 +14,8 @@ output "db" { output "db_url" { value = local.db_url sensitive = true +} + +output "runtime_ready" { + value = helm_release.runtime } \ No newline at end of file diff --git a/terraform/clouds/aws/postgres.tf b/terraform/clouds/aws/postgres.tf index 42bbd80..f5806b0 100644 --- a/terraform/clouds/aws/postgres.tf +++ b/terraform/clouds/aws/postgres.tf @@ -2,11 +2,12 @@ resource "random_password" "password" { length = 20 min_lower = 1 min_numeric = 1 - min_special = 1 min_upper = 1 + special = false } module "db" { + count = var.create_db ? 1 : 0 source = "terraform-aws-modules/rds/aws" identifier = "plural" 
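Review bot: With `create_db = false`, `try(module.db[0].db_instance_address, "")` produces `postgresql://console:<password>@:5432/console` — an empty-host DSN that still carries a freshly generated password set on no server — and that string is handed to the console install instead of an error. If the intent is to support a pre-existing database, take its DSN from a `sensitive = true` variable and select with `var.create_db ? format(...) : var.db_url`; otherwise fail fast with a `precondition`. The `special = false` change in `postgres.tf` on this line is presumably there because the password is spliced into this URL unescaped — `urlencode(random_password.password.result)` would allow the wider alphabet, though 20 alphanumerics is still adequate. The azure and gcp `locals.tf` hunks later in this patch have the same gap.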
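Review bot: `output "runtime_ready" { value = helm_release.runtime }` exports the whole `helm_release` object, including the `values` strings read from `runtime_values_file`, without `sensitive = true`; anything secret that ever lands in that values file would then surface in `terraform output`. If the output only exists for ordering, narrow it to `value = helm_release.runtime.id` (or `.name`), which serves the same purpose; the azure and gcp copies should match.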
@@ -15,7 +16,7 @@ module "db" { engine_version = "14" family = "postgres14" # DB parameter group major_engine_version = "14" # DB option group - instance_class = "db.t4g.large" + instance_class = var.db_instance_class allocated_storage = 20 db_name = "console" diff --git a/terraform/clouds/aws/runtime.tf b/terraform/clouds/aws/runtime.tf index 757642c..c77eac8 100644 --- a/terraform/clouds/aws/runtime.tf +++ b/terraform/clouds/aws/runtime.tf @@ -1,11 +1,3 @@ -provider "helm" { - kubernetes { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.cluster.token - } -} - module "eks_blueprints_addons" { source = "aws-ia/eks-blueprints-addons/aws" version = "~> 1.12" #ensure to update this to the latest/desired version @@ -41,7 +33,7 @@ resource "helm_release" "runtime" { namespace = "plural-runtime" chart = "runtime" repository = "https://pluralsh.github.io/bootstrap" - version = "0.1.3" + version = "0.1.5" create_namespace = true timeout = 300 values = [ diff --git a/terraform/clouds/aws/variables.tf b/terraform/clouds/aws/variables.tf index 649a468..cdfa709 100644 --- a/terraform/clouds/aws/variables.tf +++ b/terraform/clouds/aws/variables.tf @@ -3,6 +3,11 @@ variable "cluster_name" { default = "plural" } +variable "create_db" { + type = bool + default = true +} + variable "kubernetes_version" { type = string default = "1.27" @@ -46,4 +51,8 @@ variable "deletion_protection" { variable "runtime_values_file" { type = string default = "../../helm-values/runtime.yaml" +} + +variable "db_instance_class" { + default = "db.t4g.large" } \ No newline at end of file diff --git a/terraform/clouds/azure/kubernetes.tf b/terraform/clouds/azure/kubernetes.tf deleted file mode 100644 index c99c595..0000000 --- a/terraform/clouds/azure/kubernetes.tf +++ /dev/null 
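Review bot: `variable "db_instance_class"` has neither `type = string` nor a `description`, unlike `create_db` a few lines above; declare both so an invalid class fails at plan time. Now that `create_db = false` exists, the natural companion is a `db_url` input with `sensitive = true` for the external-database case, since nothing in this module provides a host when the RDS module is skipped.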
@@ -1,6 +0,0 @@ -provider "kubernetes" { - host = module.aks.cluster_fqdn - cluster_ca_certificate = base64decode(module.aks.cluster_ca_certificate) - client_certificate = base64decode(module.aks.client_certificate) - client_key = base64decode(module.aks.client_key) -} \ No newline at end of file diff --git a/terraform/clouds/azure/locals.tf b/terraform/clouds/azure/locals.tf index 04dc0cc..657bd3d 100644 --- a/terraform/clouds/azure/locals.tf +++ b/terraform/clouds/azure/locals.tf @@ -4,5 +4,5 @@ locals { name = var.create_resource_group ? azurerm_resource_group.main[0].name : var.resource_group_name location = var.location } - db_url = format("postgresql://console:%s@%s:5432/console", random_password.password.result, module.postgresql.server_fqdn) + db_url = format("postgresql://console:%s@%s:5432/console", random_password.password.result, try(module.postgresql[0].server_fqdn, "")) } \ No newline at end of file diff --git a/terraform/clouds/azure/outputs.tf b/terraform/clouds/azure/outputs.tf index 56850c6..41f2c0b 100644 --- a/terraform/clouds/azure/outputs.tf +++ b/terraform/clouds/azure/outputs.tf @@ -13,4 +13,8 @@ output "db" { output "db_url" { value = local.db_url sensitive = true +} + +output "runtime_ready" { + value = helm_release.runtime } \ No newline at end of file diff --git a/terraform/clouds/azure/postgres.tf b/terraform/clouds/azure/postgres.tf index 045aa95..ad3bb36 100644 --- a/terraform/clouds/azure/postgres.tf +++ b/terraform/clouds/azure/postgres.tf @@ -2,18 +2,19 @@ resource "random_password" "password" { length = 20 min_lower = 1 min_numeric = 1 - min_special = 1 min_upper = 1 + special = false } module "postgresql" { + count = var.create_db ? 1 : 0 source = "Azure/postgresql/azurerm" resource_group_name = local.resource_group.name location = local.resource_group.location server_name = var.postgres_name - sku_name = "GP_Gen5_2" + sku_name = var.db_sku storage_mb = 5120 auto_grow_enabled = true backup_retention_days = 7 
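Review bot: `try(module.postgresql[0].server_fqdn, "")` has the same empty-host problem as the aws variant: with `create_db = false` the DSN becomes `postgresql://console:<password>@:5432/console` and is passed on as if valid. Select an externally supplied `var.db_url` (marked `sensitive = true`) when `create_db` is false, or add a `precondition` so the misconfiguration fails at plan time.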
diff --git a/terraform/clouds/azure/runtime.tf b/terraform/clouds/azure/runtime.tf index a72909d..e0aa4f8 100644 --- a/terraform/clouds/azure/runtime.tf +++ b/terraform/clouds/azure/runtime.tf @@ -1,18 +1,9 @@ -provider "helm" { - kubernetes { - host = module.aks.cluster_fqdn - cluster_ca_certificate = base64decode(module.aks.cluster_ca_certificate) - client_certificate = base64decode(module.aks.client_certificate) - client_key = base64decode(module.aks.client_key) - } -} - resource "helm_release" "runtime" { name = "runtime" namespace = "plural-runtime" chart = "runtime" repository = "https://pluralsh.github.io/bootstrap" - version = "0.1.3" + version = "0.1.5" create_namespace = true timeout = 300 values = [ diff --git a/terraform/clouds/azure/variables.tf b/terraform/clouds/azure/variables.tf index 37b3190..d022ede 100644 --- a/terraform/clouds/azure/variables.tf +++ b/terraform/clouds/azure/variables.tf @@ -3,6 +3,11 @@ variable "cluster_name" { default = "plural" } +variable "create_db" { + type = bool + default = true +} + variable "kubernetes_version" { type = string default = "1.27.3" @@ -43,6 +48,10 @@ variable "postgres_name" { default = "plural" } +variable "db_sku" { + default = "GP_Gen5_2" +} + variable "install_runtime" { type = bool default = true diff --git a/terraform/clouds/gcp/gke.tf b/terraform/clouds/gcp/gke.tf index 04639dc..6897c50 100644 --- a/terraform/clouds/gcp/gke.tf +++ b/terraform/clouds/gcp/gke.tf @@ -6,6 +6,7 @@ module "gke" { project_id = var.project_id name = var.cluster_name regional = true + grant_registry_access = true region = var.region network = module.gcp-network.network_name subnetwork = module.gcp-network.subnets_names[0] diff --git a/terraform/clouds/gcp/kubernetes.tf b/terraform/clouds/gcp/kubernetes.tf deleted file mode 100644 index 6b53c1d..0000000 --- a/terraform/clouds/gcp/kubernetes.tf +++ /dev/null 
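Review bot: `grant_registry_access = true` makes the GKE module grant the node service account `roles/storage.objectViewer` — at project scope, if I recall the terraform-google-modules implementation correctly — which lets every node, and any pod that can reach the metadata server, read every GCS bucket in the project, including the Terraform state bucket `{{ .Bucket }}` (DB password inside) if it lives in the same project. The images in this patch come from `dkr.plural.sh`, not GCR, so it is not obvious the grant is needed at all; if it is, bind a reader role on the specific Artifact Registry repository or bucket instead, and at minimum add `# grants project-wide storage.objectViewer to the node SA — confirm scope`. The `module "gke"` block starts and ends outside the hunk.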
@@ -1,7 +0,0 @@ -data "google_client_config" "default" {} - -provider "kubernetes" { - host = "https://${module.gke.endpoint}" - token = data.google_client_config.default.access_token - cluster_ca_certificate = base64decode(module.gke.ca_certificate) -} \ No newline at end of file diff --git a/terraform/clouds/gcp/locals.tf b/terraform/clouds/gcp/locals.tf index e43d9f8..1a08442 100644 --- a/terraform/clouds/gcp/locals.tf +++ b/terraform/clouds/gcp/locals.tf @@ -1,3 +1,3 @@ locals { - db_url = format("postgresql://console:%s@%s:5432/plural", random_password.password.result, module.pg.dns_name) + db_url = format("postgresql://console:%s@%s:5432/console", random_password.password.result, try(module.pg[0].private_ip_address, "")) } \ No newline at end of file diff --git a/terraform/clouds/gcp/network.tf b/terraform/clouds/gcp/network.tf index be415a4..aec4a58 100644 --- a/terraform/clouds/gcp/network.tf +++ b/terraform/clouds/gcp/network.tf @@ -8,7 +8,7 @@ module "gcp-network" { subnets = [ { subnet_name = var.subnetwork - subnet_ip = "10.0.0.0/17" + subnet_ip = var.subnet_cidr subnet_region = var.region }, ] @@ -17,12 +17,28 @@ module "gcp-network" { (var.subnetwork) = [ { range_name = var.ip_range_pods_name - ip_cidr_range = "192.168.0.0/18" + ip_cidr_range = var.pods_cidr }, { range_name = var.ip_range_services_name - ip_cidr_range = "192.168.64.0/18" + ip_cidr_range = var.services_cidr }, ] } -} \ No newline at end of file +} + +resource "google_compute_global_address" "private_ip_alloc" { + name = var.allocated_range + purpose = "VPC_PEERING" + address_type = "INTERNAL" + prefix_length = 16 + network = module.gcp-network.network_id + project = var.project_id +} + + +resource "google_service_networking_connection" "postgres" { + network = module.gcp-network.network_id + service = "servicenetworking.googleapis.com" + reserved_peering_ranges = [google_compute_global_address.private_ip_alloc.name] +} 
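Review bot: `google_service_networking_connection.postgres` does not depend on `google_project_service.servicenetworking` (only the `pg` module does, in `postgres.tf`), so on a fresh project the peering can be attempted before the Service Networking API is enabled; add `depends_on = [google_project_service.servicenetworking]` to the connection. The `google_compute_global_address` hard-codes `prefix_length = 16` while every other range became a variable — worth a variable or a comment explaining why a /16 is reserved for Cloud SQL peering.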
diff --git a/terraform/clouds/gcp/outputs.tf b/terraform/clouds/gcp/outputs.tf index 297833e..9f7d904 100644 --- a/terraform/clouds/gcp/outputs.tf +++ b/terraform/clouds/gcp/outputs.tf @@ -13,4 +13,8 @@ output "db" { output "db_url" { value = local.db_url sensitive = true +} + +output "runtime_ready" { + value = helm_release.runtime } \ No newline at end of file diff --git a/terraform/clouds/gcp/postgres.tf b/terraform/clouds/gcp/postgres.tf index 6542d54..2139cee 100644 --- a/terraform/clouds/gcp/postgres.tf +++ b/terraform/clouds/gcp/postgres.tf @@ -2,22 +2,23 @@ resource "random_password" "password" { length = 20 min_lower = 1 min_numeric = 1 - min_special = 1 min_upper = 1 + special = false } module "pg" { + count = var.create_db ? 1 : 0 source = "GoogleCloudPlatform/sql-db/google//modules/postgresql" version = "18.1.0" name = var.db_name - random_instance_name = true + random_instance_name = false project_id = var.project_id database_version = "POSTGRES_14" region = var.region // Master configurations - tier = "db-custom-16-61440" + tier = var.db_size availability_type = "REGIONAL" maintenance_window_day = 7 maintenance_window_hour = 12 @@ -32,10 +33,12 @@ module "pg" { } ip_configuration = { - ipv4_enabled = false - psc_enabled = true - psc_allowed_consumer_projects = [var.project_id] - require_ssl = true + ipv4_enabled = true + private_network = module.gcp-network.network_id + psc_enabled = false + require_ssl = false + allocated_ip_range = var.allocated_range + ssl_mode = "ENCRYPTED_ONLY" } backup_configuration = { @@ -57,6 +60,7 @@ module "pg" { depends_on = [ google_project_service.sql, - google_project_service.servicenetworking + google_project_service.servicenetworking, + google_service_networking_connection.postgres ] } \ No newline at end of file diff --git a/terraform/clouds/gcp/runtime.tf b/terraform/clouds/gcp/runtime.tf index 83c336a..c95aa9c 100644 --- a/terraform/clouds/gcp/runtime.tf +++ b/terraform/clouds/gcp/runtime.tf 
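Review bot: `ipv4_enabled = true` assigns the Cloud SQL instance a public IPv4 address even though the DSN in `locals.tf` now uses `private_ip_address` and the instance is attached to `private_network`; with no `authorized_networks` it is reachable only through the Cloud SQL Auth Proxy path, but that is still an internet-facing surface for anyone holding `cloudsql.instances.connect`, and one authorized-network entry away from direct exposure — set `ipv4_enabled = false` unless something needs the public path, and name it in a comment. `require_ssl = false` beside `ssl_mode = "ENCRYPTED_ONLY"` is contradictory on its face; the google provider documents `require_ssl` as deprecated in favour of `ssl_mode`, so drop the former (after confirming module version 18.1.0 passes `ssl_mode` through). The DSN carries no `sslmode=` parameter, so whether the console's driver negotiates TLS against an ENCRYPTED_ONLY server deserves a test rather than an assumption. The `module "pg"` block begins outside the hunk.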
@@ -1,19 +1,10 @@ -data "google_client_config" "current" {} - -provider "helm" { - kubernetes { - host = module.gke.endpoint - cluster_ca_certificate = base64decode(module.gke.ca_certificate) - token = data.google_client_config.current.access_token - } -} resource "helm_release" "runtime" { name = "runtime" namespace = "plural-runtime" chart = "runtime" repository = "https://pluralsh.github.io/bootstrap" - version = "0.1.3" + version = "0.1.5" create_namespace = true timeout = 300 values = [ diff --git a/terraform/clouds/gcp/variables.tf b/terraform/clouds/gcp/variables.tf index 1fe7eab..1e39376 100644 --- a/terraform/clouds/gcp/variables.tf +++ b/terraform/clouds/gcp/variables.tf @@ -3,6 +3,11 @@ variable "cluster_name" { default = "plural" } +variable "create_db" { + type = bool + default = true +} + variable "deletion_protection" { type = bool default = true @@ -32,6 +37,26 @@ variable "subnetwork" { default = "plural-subnet" } +variable "subnet_cidr" { + default = "10.0.0.0/17" +} + +variable "pods_cidr" { + default = "192.168.0.0/18" +} + +variable "allocated_range" { + default = "google-managed-services-default" +} + +variable "db_size" { + default = "db-custom-4-8192" +} + +variable "services_cidr" { + default = "192.168.64.0/18" +} + variable "ip_range_pods_name" { description = "The secondary ip range to use for pods" default = "ip-range-pods" @@ -55,4 +80,9 @@ variable "install_runtime" { variable "runtime_values_file" { type = string default = "../../helm-values/runtime.yaml" +} + +variable "console_values_file" { + type = string + default = "../../helm-values/console.yaml" } \ No newline at end of file diff --git a/test/.terraform.lock.hcl b/test/.terraform.lock.hcl index 343428a..51cd30a 100644 --- a/test/.terraform.lock.hcl +++ b/test/.terraform.lock.hcl 
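Review bot: The new `subnet_cidr`, `pods_cidr`, `services_cidr`, `allocated_range` and `db_size` variables have no `type`, `description` or validation, unlike `create_db` directly above; a `validation { condition = can(cidrnetmask(var.pods_cidr)) }` on each CIDR would catch a malformed range before the VPC is created. `console_values_file` is declared here but nothing in this patch reads it; either wire it into a console release in this module or leave it out until it is used.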
@@ -81,6 +81,25 @@ provider "registry.terraform.io/hashicorp/kubernetes" { ] } +provider "registry.terraform.io/hashicorp/local" { + version = "2.4.1" + hashes = [ + "h1:gpp25uNkYJYzJVnkyRr7RIBVfwLs9GSq2HNnFpTRBg0=", + "zh:244b445bf34ddbd167731cc6c6b95bbed231dc4493f8cc34bd6850cfe1f78528", + "zh:3c330bdb626123228a0d1b1daa6c741b4d5d484ab1c7ae5d2f48d4c9885cc5e9", + "zh:5ff5f9b791ddd7557e815449173f2db38d338e674d2d91800ac6e6d808de1d1d", + "zh:70206147104f4bf26ae67d730c995772f85bf23e28c2c2e7612c74f4dae3c46f", + "zh:75029676993accd6bef933c196b2fad51a9ec8a69a847dbbe96ec8ebf7926cdc", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7d48d5999fe1fcdae9295a7c3448ac1541f5a24c474bd82df6d4fa3732483f2b", + "zh:b766b38b027f0f84028244d1c2f990431a37d4fc3ac645962924554016507e77", + "zh:bfc7ad301dada204cf51c59d8bd6a9a87de5fddb42190b4d6ba157d6e08a1f10", + "zh:c902b527702a8c5e2c25a6637d07bbb1690cb6c1e63917a5f6dc460efd18d43f", + "zh:d68ae0e1070cf429c46586bc87580c3ed113f76241da2b6e4f1a8348126b3c46", + "zh:f4903fd89f7c92a346ae9e666c2d0b6884c4474ae109e9b4bd15e7efaa4bfc29", + ] +} + provider "registry.terraform.io/hashicorp/null" { version = "3.2.2" constraints = "~> 3.1" diff --git a/test/main.tf b/test/main.tf index 7046178..bea615e 100644 --- a/test/main.tf +++ b/test/main.tf 
@@ -5,3 +5,31 @@ module "gcp" { runtime_values_file = "../helm-values/runtime.yaml" deletion_protection = false } + +resource "null_resource" "console" { + provisioner "local-exec" { + command = "plural cd control-plane-values --name bootstrap-test --dsn \"${module.gcp.db_url}\" --domain plrl.onplural.sh --file console.yaml" + working_dir = "${path.module}/../helm-values" + } +} + +# hack around a helm provider bug +data "local_sensitive_file" "console" { + filename = "${path.module}/../helm-values/console.yaml" + depends_on = [ null_resource.console ] +} + +resource "helm_release" "console" { + name = "console" + namespace = "plrl-console" + chart = "console" + repository = "https://pluralsh.github.io/console" + version = "0.1.15" + create_namespace = true + timeout = 300 + values = [ + data.local_sensitive_file.console.content + ] + + depends_on = [ null_resource.console, module.gcp.cluster ] +} \ No newline at end of file diff --git a/test/provider.tf b/test/provider.tf index 949a0fb..97063fe 100644 --- a/test/provider.tf +++ b/test/provider.tf @@ -16,4 +16,20 @@ terraform { } } required_version = ">= 0.13" +} + +data "google_client_config" "current" {} + +# provider "kubernetes" { +# host = "https://${module.gcp.cluster.endpoint}" +# token = data.google_client_config.default.access_token +# cluster_ca_certificate = base64decode(module.gcp.cluster.ca_certificate) +# } + +provider "helm" { + kubernetes { + host = module.gcp.cluster.endpoint + cluster_ca_certificate = base64decode(module.gcp.cluster.ca_certificate) + token = data.google_client_config.current.access_token + } } \ No newline at end of file
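Review bot: The `local-exec` command puts `module.gcp.db_url`, password included, on the command line, so it is readable from the process list for the duration of the run; this is a test fixture, but it is also the pattern `templates/setup/console.tf` was modelled on, so prefer an environment variable or file if the CLI supports one. `null_resource.console` has no `triggers`, so a changed DSN never re-renders `console.yaml`; `triggers = { dsn = sha256(module.gcp.db_url) }` fixes that. The domain `plrl.onplural.sh` is hard-coded where everything else is parameterised — a `var.domain` would keep the test reusable.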
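Review bot: The commented-out `provider "kubernetes"` block references `data.google_client_config.default`, which this file does not declare (it declares `current`), so uncommenting it later would fail; delete it rather than leave a stale template, or fix the reference and keep a one-line reason for why it is disabled. The helm provider uses `host = module.gcp.cluster.endpoint` without the `https://` prefix that the removed `terraform/clouds/gcp/kubernetes.tf` used; keep the scheme explicit.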